{
	"id": "d8e5676e-9919-4638-ad69-d622070d003b",
	"created_at": "2026-04-06T00:12:12.066554Z",
	"updated_at": "2026-04-10T13:11:39.121257Z",
	"deleted_at": null,
	"sha1_hash": "d7d2a4583ea183aba4de64ef0306395fe305c0ae",
	"title": "Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, 2025)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 15323716,
	"plain_text": "Threat Actor Groups Tracked by Palo Alto Networks Unit 42\r\n(Updated Aug. 1, 2025)\r\nBy Unit 42\r\nPublished: 2025-08-01 · Archived: 2026-04-02 12:38:37 UTC\r\nNation-State Threat Actor Groups\r\nUnit 42 considers the following groups to have a motivation that is primarily state-backed rather than financial.\r\nThere can also be some cybercrime motivation for threat groups in this category, but we believe their main\r\nmotivation is in furthering the interest of their sponsoring nation.\r\nDraco – Pakistan\r\nDraco, the dragon, is the constellation chosen for threat actor groups from Pakistan. These groups have been seen\r\ntargeting India and other South Asian countries.\r\nMocking Draco\r\nAlso Known As\r\nG1008, sidecopy, unc2269, white dev 55\r\nSummary\r\nMocking Draco is a Pakistan-based threat actor that has been operating since at least 2019, mainly targeting South\r\nAsian countries and more specifically India and Afghanistan. Their malware’s common name, Sidecopy, comes\r\nhttps://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/\r\nPage 1 of 62\n\nfrom its infection chain that tries to mimic the malware SideWinder. Researchers have reported similarities between this actor and\r\nOpaque Draco, and it is possibly a subdivision of that group.\r\nSectors Impacted\r\nMocking Draco has previously impacted organizations in the following sectors:\r\nGovernment\r\nOpaque Draco\r\nAlso Known As\r\nAPT36, C-Major, Cmajor, COPPER FIELDSTONE, Fast-Cargo, G0134, Green Halvidar, Havildar Team, Lapis,\r\nMythic Leopard, ProjectM, Transparent Tribe\r\nSummary\r\nOpaque Draco is a Pakistan-based threat group that has been active since 2013. 
They primarily target Indian\r\ngovernmental, military and educational sectors.\r\nSectors Impacted\r\nOpaque Draco has previously impacted organizations in the following sectors:\r\nEducation\r\nGovernment\r\nMilitary\r\nLynx – Belarus\r\nBelarusian threat groups are named for the constellation Lynx.\r\nWhite Lynx\r\nAlso Known As\r\nGhostwriter, Storm-0257, UNC1151\r\nSummary\r\nWhite Lynx is a nation-state threat actor assessed with high confidence to be linked with the Belarusian\r\ngovernment. Their main focus is on countries neighboring Belarus, such as Ukraine, Lithuania, Latvia, Poland and\r\nGermany. Their targeting also includes Belarusian dissidents, media entities and journalists.\r\nSectors Impacted\r\nWhite Lynx has previously impacted organizations in the following sectors:\r\nConstruction\r\nEducation\r\nFederal Government\r\nHealthcare\r\nHigh Technology\r\nInsurance\r\nManufacturing\r\nMedia and Entertainment\r\nNonprofits\r\nPharma and Life Sciences\r\nProfessional and Legal Services\r\nReal Estate\r\nState and Local Government\r\nWholesale and Retail\r\nPisces – North Korea\r\nThreat actor groups attributed to North Korea are represented by the constellation Pisces. These groups have\r\nimpacted many industries with a focus on cyberespionage and financial crime.\r\nJumpy Pisces\r\nAlso Known As\r\nAndariel, Black Artemis, COVELLITE, Onyx Sleet, PLUTONIUM, Silent Chollima, Stonefly, UNC614, Lazarus,\r\nLazarus Group\r\nSummary\r\nJumpy Pisces is a nation-state threat actor associated with the notorious Lazarus Group and the Democratic\r\nPeople’s Republic of Korea (DPRK). Jumpy Pisces is believed to be a subgroup of the Lazarus group that\r\nbranched out around 2013. 
The group has demonstrated a high degree of adaptability, complexity and technical\r\nexpertise in its operations, with a focus on cyber espionage, financial crime and ransomware attacks.\r\nJumpy Pisces primarily targets South Korean entities with a variety of attack vectors, including spear phishing,\r\nwatering hole attacks and supply chain attacks. They have been observed exploiting vulnerabilities in various\r\nsoftware, including asset management programs and known but unpatched public services, to distribute their\r\nmalware. The group also abuses legitimate software and proxy and tunneling tools for its malicious activities.\r\nSectors Impacted\r\nJumpy Pisces has previously impacted organizations in the following sectors:\r\nAerospace and Defense\r\nFinancial Services\r\nGovernment\r\nHealthcare\r\nIT Services\r\nManufacturing\r\nPharma and Life Sciences\r\nUtilities and Energy\r\nSlow Pisces\r\nAlso Known As\r\nDark River, DEV-0954, Jade Sleet, Storm-0954, Trader Traitor, TraderTraitor, UNC4899, Lazarus, Lazarus Group\r\nSummary\r\nSlow Pisces is a North Korean nation-state threat group under the Reconnaissance General Bureau (RGB) of the DPRK. It is\r\nbelieved to be a spin-off from the Lazarus Group, focused on financial gain and on targeting the cryptocurrency\r\nindustry. Their primary task since 2020 is generating revenue for the DPRK regime and they do so by targeting\r\norganizations that handle large volumes of cryptocurrency. 
They have reportedly stolen in excess of $1 billion in\r\n2023 alone.\r\nSecondary to revenue generation, Slow Pisces has also compromised aerospace, defense and industrial\r\norganizations, likely with the aim of espionage to advance DPRK’s military capabilities.\r\nSectors Impacted\r\nSlow Pisces has previously impacted organizations in the following sectors:\r\nAerospace and Defense\r\nCryptocurrency Industry\r\nFinancial Services\r\nHigh Technology\r\nSerpens – Iran\r\nIranian-attributed groups are named for the constellation Serpens, the snake. Our research on these groups\r\nhighlights their targets and TTPs as they evolve.\r\nAcademic Serpens\r\nAlso Known As\r\nCOBALT DICKENS, DEV-0118, Mabna Institute, Silent Librarian, Yellow Nabu\r\nSummary\r\nAcademic Serpens is a state-sponsored group active since at least 2013 that is attributed to Iran, which has\r\ntraditionally focused on Middle Eastern targets and Nordic universities in the EU. Members of Academic Serpens\r\nare affiliated with the Iran-based Mabna Institute, which has conducted cyber intrusions at the behest of the\r\ngovernment of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC). They have targeted research and\r\nproprietary data at universities, government agencies and private sector companies worldwide. 
There has been a\r\nnotable decrease in activity from this group since the international COVID crisis in 2020.\r\nSectors Impacted\r\nAcademic Serpens has previously impacted organizations in the following sectors:\r\nEducation\r\nGovernment\r\nAgent Serpens\r\nAlso Known As\r\nMint Sandstorm (Microsoft), Charming Kitten (CrowdStrike)\r\nAPT35, Ballistic Bobcat, Cobalt Illusion, Damselfly, Direfate, G0059, Greycatfish, Group 83, Iridium Group,\r\nITG18, Magic Hound, Newscaster, Phosphorus, Saffron Rose, TA453, White Phosphorous, Yellow Garuda\r\nSummary\r\nAgent Serpens is a suspected nation-state threat actor the threat intelligence community attributes to Iran, with\r\nlinks to the Islamic Revolutionary Guard Corps (IRGC). It has been active since at least 2015.\r\nAgent Serpens is known for sophisticated social engineering (especially spear phishing), malware development\r\nand persistent, adaptive tactics. The group uses a diverse and evolving toolkit to facilitate all stages of their\r\nattacks, from initial access to command and control (C2). This includes custom-developed backdoors like\r\nSnailResin, SlugResin and Sponsor, which the threat actors designed to be used for gaining persistent access and\r\ndata exfiltration.\r\nThe group's arsenal also features credential harvesting kits such as GCollection and DWP, which enable the theft\r\nof email user accounts. Agonizing Serpens abuses legitimate tools like PowerShell to deploy tools like AnvilEcho,\r\nTAMECAT and CharmPower that enable malicious activities within compromised environments.\r\nThe group's use of Android malware like PINEFLOWER demonstrates an interest in mobile surveillance, likely\r\nfor monitoring targets and gathering intelligence. 
Additionally, Agent Serpens incorporates readily available open-source tools like Mimikatz, Chisel and Plink to augment their capabilities and support different phases of their\r\noperations.\r\nSectors Impacted\r\nAgent Serpens has previously impacted organizations in the following sectors:\r\nAutomotive\r\nCivil Engineering\r\nColleges and Universities\r\nEducation\r\nFederal Government\r\nFinancial Services\r\nHealthcare\r\nHigher Education\r\nHigh Technology\r\nManufacturing\r\nMedia and Entertainment\r\nNoncommercial\r\nResearch Organizations\r\nPharmaceutical and Life Sciences\r\nTelecommunications\r\nAgonizing Serpens\r\nAlso Known As\r\nPink Sandstorm (Microsoft), Spectral Kitten (CrowdStrike)\r\nAgrius, Americium, Black Shadow, Blackshadow, Cobalt Shadow, Darkrypt, UNC2428, Yellow Dev 21\r\nSummary\r\nAgonizing Serpens is a suspected nation-state threat actor attributed to Iran. This group has primarily disrupted\r\nIsraeli organizations since 2020, and is linked to attacks throughout the Middle East. The group’s modus operandi\r\ninvolves strategically exfiltrating sensitive data before deploying destructive ransomware and wiper malware to\r\ndisrupt systems and cover their tracks. 
This group has targeted organizations in the education, technology and\r\nfinancial sectors.\r\nSectors Impacted\r\nAgonizing Serpens has previously impacted organizations in the following sectors:\r\nEducation\r\nFinancial Services\r\nInsurance\r\nIT Services\r\nNonclassifiable Establishments\r\nProfessional and Legal Services\r\nWholesale and Retail\r\nBoggy Serpens\r\nAlso Known As\r\nMango Sandstorm (Microsoft), Static Kitten (CrowdStrike)\r\nCobalt Ulster, Earth Vetala, G0069, Mercury, Muddywater, Seedworm, Temp.Zagros, Yellow Nix\r\nSummary\r\nActive since at least 2017, Boggy Serpens is an Iranian state-sponsored cyberespionage group that US Cyber\r\nCommand has attributed to Iran’s Ministry of Intelligence and Security (MOIS).\r\nThe group’s primary objective is cyberespionage aligned with Iranian government interests. This includes\r\nintelligence gathering, operational disruption and responding to regional conflicts, particularly those involving\r\nIsrael.\r\nSectors Impacted\r\nBoggy Serpens has previously impacted organizations in the following sectors:\r\nFinancial Services\r\nHealthcare\r\nInsurance\r\nTelecommunications\r\nTransportation and Logistics\r\nDevious Serpens\r\nAlso Known As\r\nCobalt Fireside, Curium, G1012, Imperial Kitten, Tortoiseshell, Yellow Liderc\r\nSummary\r\nDevious Serpens is an Iran-based threat actor known for using social engineering tactics as well as malware\r\nthat communicates via IMAP. 
Their campaigns use watering hole attacks as well as their own controlled sites meant to\r\nimpersonate employment opportunities that might interest their victims.\r\nThe malware that they have built often uses IMAP with specific email addresses for command and control (C2).\r\nWith such tools, communication typically occurs via specific folders and message protocols on the C2 email\r\naddress.\r\nSectors Impacted\r\nDevious Serpens has previously impacted organizations in the following sectors:\r\nAerospace and Defense\r\nInformation Technology Services\r\nEvasive Serpens\r\nAlso Known As\r\nAlibaba, APT34, Chrysene, Cobalt Gypsy, Crambus, Europium, G0049, Group 41, Hazel Sandstorm, Helix\r\nKitten, IRN2, OilRig, Powbat, TEMP.Akapav, Twisted Kitten, Yossi\r\nSummary\r\nEvasive Serpens is a threat group Unit 42 discovered in May 2016. They are a nation-state threat group attributed\r\nto Iran. This threat group is extremely persistent and relies heavily on spear phishing as their initial attack vector.\r\nHowever, they have also been associated with other more complex attacks such as credential harvesting\r\ncampaigns and DNS hijacking.\r\nIn their spear phishing attacks, Evasive Serpens preferred macro-enabled Microsoft Office (Word and Excel)\r\ndocuments to install their custom payloads that came as portable executables (PE), PowerShell and VBScripts.\r\nThe group’s custom payloads frequently used DNS tunneling as a C2 channel.\r\nSectors Impacted\r\nEvasive Serpens has previously impacted organizations in the following sectors:\r\nChemical Manufacturing\r\nFinancial Services\r\nGovernment\r\nTelecommunications\r\nUtilities and Energy\r\nTaurus – China\r\nChinese threat actor groups take their name from the constellation Taurus – the bull. 
Due to the long history and\r\nmultiplicity of Chinese APTs, there is a lot to be discovered about these groups in our research archives.\r\nAlloy Taurus\r\nAlso Known As\r\nGranite Typhoon (Microsoft), Phantom Panda (CrowdStrike)\r\nG0093, Gallium, Operation Soft Cell, Othorene, Red Dev 4\r\nSummary\r\nAlloy Taurus has been active since at least 2012 and is a suspected nation-state threat actor group attributed to\r\nChina.\r\nThe group is known for its long-term cyberespionage campaigns, primarily targeting telecommunications\r\ncompanies, government entities and financial institutions across Southeast Asia, Europe and Africa. Their\r\noperations are characterized by multi-wave intrusions aimed at establishing persistent footholds within\r\ncompromised networks.\r\nAlloy Taurus gains initial access by exploiting vulnerabilities in internet-facing applications.\r\nAlloy Taurus employs a range of custom and modified malware for multiple operating systems to enhance their\r\nespionage capabilities, move laterally and evade detection. This includes backdoors, web shells, credential\r\nharvesting tools as well as legitimate applications, such as VPN and remote management tools.\r\nSectors Impacted\r\nAlloy Taurus has previously impacted organizations in the following sectors:\r\nFederal Government\r\nFinancial Services\r\nState and Local Government\r\nTelecommunications\r\nTransportation and Logistics\r\nCharging Taurus\r\nAlso Known As\r\nCircle Typhoon, DEV-0322, TGR-STA-0027, Tilted Temple\r\nSummary\r\nCharging Taurus is a state-sponsored cyberespionage group attributed to China, active since 2021. The group's\r\ngoal is to steal intellectual property aligned with China's national interests. 
The group is capable of exploiting\r\nundisclosed zero-day vulnerabilities. The group has a possible tie to Insidious Taurus.\r\nSectors Impacted\r\nCharging Taurus has previously impacted organizations in the following sectors:\r\nAerospace and Defense\r\nBiotechnology\r\nHigh Technology\r\nSemiconductor Industry\r\nDicing Taurus\r\nAlso Known As\r\nJackpot Panda\r\nSummary\r\nDicing Taurus is a state-sponsored group attributed to China. They focus on the illegal online gambling sector in\r\nSoutheast Asia, particularly emphasizing data collection for monitoring and countering related activities in China.\r\nThe i-Soon leak in February 2024 revealed that i-Soon was likely involved in Dicing Taurus's operations, along\r\nwith the Ministry of Public Security of China.\r\nThe group is also responsible for distributing a trojanized installer for CloudChat, a chat application popular with\r\nChinese-speaking illegal gambling communities in mainland China. The trojanized installer served from\r\nCloudChat’s website contained the first stage of a multi-step process.\r\nSectors Impacted\r\nDicing Taurus has previously impacted organizations in the following sectors:\r\nOnline Gambling\r\nSoftware and Technology\r\nDigging Taurus\r\nAlso Known As\r\nBRONZE HIGHLAND, Daggerfly, Evasive Panda, StormBamboo\r\nSummary\r\nDigging Taurus is a suspected nation-state threat group attributed to China, which has been active since at least\r\n2012. The group targets organizations from around the world, including those in Taiwan, Hong Kong, Mainland\r\nChina, India and Africa. Their activities, including intelligence collection, align with Chinese interests. This group\r\nhas targeted organizations with advanced malware frameworks like MgBot and CloudScout. 
They strategically\r\nuse different initial access vectors, including supply-chain attacks and DNS poisoning.\r\nSectors Impacted\r\nDigging Taurus has previously impacted organizations in the following sectors:\r\nComputer Integrated Systems Design\r\nExecutive Offices\r\nGeneral Government Administration\r\nLocal Government\r\nNonprofit\r\nTelecommunications\r\nInsidious Taurus\r\nAlso Known As\r\nBRONZE SILHOUETTE, DEV-0391, UNC3236, Vanguard Panda, Volt Typhoon, Voltzite, G1017\r\nSummary\r\nInsidious Taurus is a Chinese state-sponsored actor typically focusing on espionage and information gathering,\r\nactive since 2021. Insidious Taurus evades detection by using various living-off-the-land (LotL) techniques, using\r\nin-built system tools to perform their objectives and blend in with regular system noise.\r\nThe actor leverages compromised small office/home office (SOHO) network devices as intermediate\r\ninfrastructure to further obscure their activity. Insidious Taurus exploits vulnerabilities in internet-facing devices\r\nand systems as an initial access vector.\r\nSectors Impacted\r\nInsidious Taurus has previously impacted organizations in the following sectors:\r\nAerospace and Defense\r\nInformation Technology Services\r\nManufacturing\r\nTelecommunications\r\nTransportation and Logistics\r\nUtilities\r\nJumper Taurus\r\nAlso Known As\r\nAPT40, BRONZE MOHAWK, Electric Panda, Gadolinium, Gingham Typhoon, IslandDreams, Kryptonite Panda,\r\nLadon, Leviathan, Pickleworm, Red Ladon, TEMP.Jumper, TEMP.Periscope\r\nSummary\r\nJumper Taurus is a state-sponsored cyberespionage group believed to be linked to the Chinese government. 
Active\r\nsince at least 2013, the group has consistently demonstrated advanced tactics, techniques and procedures (TTPs),\r\nsupporting China's strategic objectives against organizations engaged in sensitive research or holding strategic geopolitical relationships.\r\nThe group's operations use phishing emails and exploit web server vulnerabilities for initial access. The group has\r\nshown a particular interest in maritime-related targets, those associated with China's naval modernization efforts\r\nand the Belt and Road Initiative.\r\nSectors Impacted\r\nJumper Taurus has previously impacted organizations in the following sectors:\r\nEducation\r\nFinancial Services\r\nGovernment\r\nHealthcare\r\nUtilities and Energy\r\nNuclear Taurus\r\nAlso Known As\r\nBronze Vapor, Chimera, G0114, Red Charon, THORIUM, Tumbleweed Typhoon\r\nSummary\r\nNuclear Taurus is a suspected nation-state threat actor attributed to China. Active since at least 2017, the group has\r\nconsistently conducted stealthy, long-term intrusions into organizations, focusing on espionage operations\r\ntargeting high-technology companies.\r\nSectors Impacted\r\nNuclear Taurus has previously impacted organizations in the following sectors:\r\nAerospace and Defense\r\nHigh Technology\r\nSemiconductor\r\nTransportation and Logistics\r\nPlayful Taurus\r\nAlso Known As\r\nNylon Typhoon (Microsoft), Vixen Panda (CrowdStrike)\r\nAPT15, Backdoor Diplomacy, BRONZE PALACE, Buck09, Bumble Bee, G0004, Gref, Ke3chang, Mirage,\r\nNickel, Playful Dragon, Red Hera, RoyalAPT\r\nSummary\r\nPlayful Taurus is a Chinese state-sponsored threat actor with a history of cyber espionage activity dating back to at\r\nleast 2010. 
Primarily targeting government entities, diplomatic organizations, and NGOs across Southeast Asia,\r\nEurope, and Latin America, Playful Taurus focuses on intelligence gathering and data exfiltration to support\r\nChinese political and economic interests.\r\nSectors Impacted\r\nPlayful Taurus has previously impacted organizations in the following sectors:\r\nGovernment\r\nNonprofits\r\nTelecommunications\r\nSentinel Taurus\r\nAlso Known As\r\nEarth Empusa, Evil Eye, EvilBamboo, Poison Carp\r\nSummary\r\nSentinel Taurus is a state-sponsored threat group that has shown significant interest in Tibetan, Uyghur and\r\nTaiwanese targets. The group reportedly used spear phishing and watering hole techniques to deliver iOS and\r\nAndroid mobile malware payloads to their targets.\r\nSectors Impacted\r\nSentinel Taurus has previously impacted organizations in the following sectors:\r\nEducation\r\nState and Local Government\r\nStarchy Taurus\r\nAlso Known As\r\nBARIUM, Winnti Group\r\nSummary\r\nActive since at least 2012, Starchy Taurus is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations in over 14 countries.\r\nSectors Impacted\r\nStarchy Taurus has previously impacted organizations in the following sectors:\r\nHealthcare\r\nTechnology\r\nTelecoms\r\nVideo Games\r\nStately Taurus\r\nAlso Known As\r\nTwill Typhoon (Microsoft), Mustang Panda (CrowdStrike)\r\nBronze Fillmore, BRONZE PRESIDENT, DEV-0117, Earth Preta, G0129, HoneyMyte, Luminous Moth,\r\nPKPLUG, Red Lich, RedDelta, TA416, Tantalum, TEMP.Hex\r\nSummary\r\nStately Taurus is a nation-state threat actor attributed to China. 
The group has been active since at least 2012.\r\nTheir campaigns are designed to gather sensitive information and exert political influence, aligning with Chinese\r\nstate interests. This includes monitoring and influencing political developments in regions of strategic importance,\r\nsuch as the South China Sea and areas involved in the global 5G rollout.\r\nSectors Impacted\r\nStately Taurus has previously impacted organizations in the following sectors:\r\nEducation\r\nFederal Government\r\nMedia and Entertainment\r\nNational Security\r\nProfessional and Legal Services\r\nUrsa – Russia\r\nRussian threat groups tracked by Unit 42 are named for the Ursa constellation. We report on these groups\r\nregularly and have a significant archive of material.\r\nCloaked Ursa\r\nAlso Known As\r\nMidnight Blizzard (Microsoft), Cozy Bear (CrowdStrike)\r\nAPT29, Backswimmer, Blue Kitsune, Blue Nova, Cozy, CozyDuke, Dark Halo, DEV-0473, Dukes, Eurostrike,\r\nG0016, Group 100, Hagensia, Iron Hemlock, Iron Ritual, Nobelium, Noblebaron, Office Monkeys, Office Space,\r\nSolarstorm, TAG-11, The Dukes, UAC-0029, UNC2452, UNC3524, YTTRIUM\r\nSummary\r\nCloaked Ursa is a nation-state threat actor attributed to Russia's Foreign Intelligence Service (SVR) that has been\r\nactive since at least 2008. This group targets government, diplomatic, and critical infrastructure entities worldwide\r\nacross regions such as North America, Europe, and countries opposing Russian geopolitical objectives. 
Cloaked\r\nUrsa's primary focus is intelligence gathering and data exfiltration to support Russian foreign policy goals, gain\r\nstrategic advantage in geopolitical conflicts, and monitor and disrupt the activities of perceived adversaries.\r\nSectors Impacted\r\nCloaked Ursa has previously impacted organizations in the following sectors:\r\nFederal Government\r\nGovernment\r\nHigh Technology\r\nManufacturing\r\nUtilities and Energy\r\nFighting Ursa\r\nAlso Known As\r\nAPT28, Fancy Bear, G0007, Group 74, IRON TWILIGHT, Pawn Storm, PawnStorm, Sednit,\r\nSNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, TG-4127, Threat Group-4127, Tsar Team, TsarTeam,\r\nUAC-0028\r\nSummary\r\nFighting Ursa is a nation-state threat group attributed to Russia’s General Staff Main Intelligence Directorate\r\n(GRU), 85th Special Service Centre (GTsSS) military intelligence Unit 26165. They are well known for their focus\r\non targets of Russian interest, especially those of military interest. 
They are known as one of the two Russian\r\ngroups that compromised the Democratic National Committee (DNC) and Democratic Congressional Campaign\r\nCommittee (DCCC) during the 2016 election cycle.\r\nSectors Impacted\r\nFighting Ursa has previously impacted organizations in the following sectors:\r\nAerospace and Defense\r\nEducation\r\nFederal Government\r\nGovernment\r\nIT Services\r\nMedia\r\nTelecommunications\r\nTransportation\r\nTransportation and Logistics\r\nUtilities and Energy\r\nMythic Ursa\r\nAlso Known As\r\nBlue Callisto, Callisto, Callisto Group, COLDRIVER, Dancing Salome, Grey Pro, IRON FRONTIER, Reuse\r\nTeam, SEABORGIUM, Star Blizzard\r\nSummary\r\nMythic Ursa is a Russian group linked to Russia’s “Centre 18” Federal Security Service (FSB) division, focused\r\non credential harvesting from high-profile individuals. This group often uses fake accounts to establish rapport\r\nwith their targets and eventually sends a phishing link to gather credentials. 
This group was last observed using\r\ncustom malware in November 2022.\r\nSectors Impacted\r\nMythic Ursa has previously impacted organizations in the following sectors:\r\nAerospace and Defense\r\nFederal Government\r\nHigher Education\r\nInternational Affairs\r\nTransportation and Logistics\r\nPensive Ursa\r\nAlso Known As\r\nTurla, Uroburos, Snake, BELUGASTURGEON, Boulder Bear, G0010, Group 88, IRON HUNTER, Iron Pioneer,\r\nKrypton, Minime, Popeye, Turla Team, Venomous Bear, Waterbug, White Atlas, WhiteBear, Witchcoven\r\nSummary\r\nPensive Ursa is a Russia-based threat group operating since at least 2004, which is linked to Russia’s “Centre 18”\r\nFederal Security Service (FSB) division.\r\nSectors Impacted\r\nPensive Ursa has previously impacted organizations in the following sectors:\r\nDefense Systems and Equipment\r\nEducation\r\nGovernment\r\nHealthcare\r\nNonprofit\r\nPharmaceutical Preparations\r\nResearch\r\nRazing Ursa\r\nAlso Known As\r\nBlackEnergy, Blue Echidna, Cyclops Blink, ELECTRUM, G0034, Grey Tornado, IRIDIUM, IRON VIKING,\r\nOlympicDestroyer, Quedagh, Sandworm, Sandworm Team, Telebots, UAC-0082, Voodoo Bear\r\nSummary\r\nRazing Ursa is a nation-state group attributed to a subgroup of the Russian General Staff Main Intelligence\r\nDirectorate (GRU). They use spear phishing and vulnerabilities to access systems with the goal of espionage or\r\ndestruction. 
This group's activities have targeted industrial control systems or used distributed denial of service\r\n(DDoS) attacks to disrupt critical infrastructure.\r\nSectors Impacted\r\nRazing Ursa has previously impacted organizations in the following sectors:\r\nFederal Government\r\nFinancial Services\r\nMedia and Entertainment\r\nTelecommunications\r\nTransportation and Logistics\r\nUtilities and Energy\r\nTrident Ursa\r\nAlso Known As\r\nActinium, Armageddon, DEV-0157, G0047, Gamaredon Group, IRON TILDEN, Primitive Bear, Shuckworm,\r\nUAC-0010\r\nSummary\r\nTrident Ursa is a nation-state threat group that has been active since at least 2013. This group has targeted\r\nindividuals likely related to the Ukrainian government and military and is likely the actor behind the 2015\r\nOperation Armageddon that delivered remote access tools, such as UltraVNC and Remote Manipulator System\r\n(RMS). The group previously used commodity tools but began using custom-developed tools in 2016.\r\nSectors Impacted\r\nTrident Ursa has previously impacted organizations in the following sectors:\r\nFinance\r\nWholesale and Retail\r\nCybercrime Threat Actor Groups\r\nUnit 42 considers the following groups to have a motivation that is primarily financial rather than political. There\r\ncan be some political motivation for threat groups in this category, but we consider their main motivation to be\r\nperpetrating cybercrime. 
This category is split into two groups: cybercrime in general, and ransomware.\r\nLibra – Cybercrime\r\nCybercrime is represented by the constellation Libra – a fitting choice, using the imagery of the scales of justice.\r\nBling Libra\r\nAlso Known As\r\nShiny Hunters, ShinyCorp, ShinyHunters, UNC5537\r\nSummary\r\nBling Libra is an extortionist group and data broker active since at least 2020. Initially operating on RaidForums,\r\na key member now holds an administrative role on BreachForums.\r\nThe group publishes stolen data, particularly after failed extortion attempts, to bolster its reputation. Bling Libra\r\ntargets industries worldwide, including telecommunications, financial services, entertainment and high\r\ntechnology, across the U.S., Europe, Asia, the Middle East and Latin America.\r\nThe group gains access through stolen credentials obtained via infostealer malware and phishing campaigns. Its\r\ntactics include exploiting unsecured cloud storage and weak security configurations, and using custom tools like\r\nFROSTBITE along with publicly available tools.\r\nSectors Impacted\r\nBling Libra has previously impacted organizations in the following sectors:\r\nFinancial Services\r\nHigh Technology\r\nHospitality\r\nMedia and Entertainment\r\nReal Estate\r\nTelecommunications\r\nWholesale and Retail\r\nMuddled Libra\r\nAlso Known As\r\nOcto Tempest (Microsoft), Scattered Spider (CrowdStrike)\r\nG1015, Roasted 0ktapus, Scatter Swine, Star Fraud, UNC3944\r\nSummary\r\nMuddled Libra is a financially motivated cyberthreat group active since at least May 2022.\r\nThe group is composed of English-speaking members, some as young as 16. 
The group initially engaged in SIM swapping and credential harvesting, primarily targeting individuals for cryptocurrency theft. They have since evolved their operations to include data theft and ransomware deployment, aiming to extort large organizations for financial gain. Primarily targeting U.S.-based companies, Muddled Libra has expanded its focus from the telecommunications and business process outsourcing (BPO) sectors to a diverse range of industries such as retail, hospitality, gaming, manufacturing and financial services.
Sectors Impacted
Muddled Libra has previously impacted organizations in the following sectors:
High Technology
Hospitality
Media and Entertainment
Professional and Legal Services
Telecommunications

Scorpius – Ransomware
Ransomware groups get their naming convention from the constellation Scorpius, and are a frequent target of our research.

Ambitious Scorpius
Also Known As
ALPHV, BlackCat, blackcat_raas
Summary
Ambitious Scorpius is a RaaS group that uses multi-extortion, distributing BlackCat ransomware. The ransomware family was first observed in November 2021. The group is suspected to be of Russian origin and is a possible successor of DarkSide and BlackMatter. The group solicits affiliates in known cybercrime forums, offering to let them keep 80-90% of the ransom payment.
A significant disruption by joint law enforcement in December 2023 appears to have dealt the group a serious blow. Despite actively listing new victims through February 2024, about 40% of the victims were smaller businesses rather than the high-value targets usually seen.
Sectors Impacted
Ambitious Scorpius has previously impacted organizations in the following sectors:
Aerospace and Defense
Agriculture
Construction
Education
Federal Government
Financial Services
Healthcare
High Technology
Hospitality
Insurance
Manufacturing
Media and Entertainment
Mining
Nonprofits
Pharma and Life Sciences
Professional and Legal Services
Real Estate
State and Local Government
Telecommunications
Transportation and Logistics
Utilities and Energy
Wholesale and Retail

Bashful Scorpius
Also Known As
Nokoyawa
Summary
The Bashful Scorpius ransomware group was first observed in February 2022, distributing Nokoyawa ransomware, which is potentially an evolution of Nemty and Karma ransomware. Bashful Scorpius uses a multi-extortion strategy, in which attackers demand payment both for a decryptor to restore access to encrypted files and for not disclosing stolen data.
This group distributes their ransomware payloads through various means, including third-party frameworks such as Cobalt Strike and phishing emails. The creators of Nokoyawa ransomware have repurposed functions from the leaked Babuk ransomware source code.
Ransomware operators using Nokoyawa ransomware wield a command set that allows them to exercise precise control over the execution and ultimate outcome of the infection. This further increases the threat’s effectiveness and potential damage.
Sectors Impacted
Bashful Scorpius has previously impacted organizations in the following sectors:
Agriculture
Construction
Education
Finance
Healthcare
High Technology
Nonprofits
Professional and Legal Services
State and Local Government
Transportation and Logistics
Utilities and Energy
Wholesale and Retail

Bitter Scorpius
Also Known As
BianLian, bianlian_group
Summary
Initially discovered in July 2022, Bitter Scorpius is a ransomware group that uses double extortion (T1486, T1657). The group is known for being highly adaptable and quickly leverages newly disclosed vulnerabilities. They have been among the top ten most active ransomware groups since 2023.
Bitter Scorpius distributes the BianLian ransomware, which is written in the Go programming language.
The group gains initial access by exploiting external-facing remote services (T1190, T1133) and uses custom remote access malware to maintain persistence.
According to previous research, the threat actors appear technically sophisticated in compromising targeted networks but are likely inexperienced overall, based on the following behaviors observed during investigations:
Mistakenly sends data from one victim to another
Possesses a relatively stable backdoor toolkit but an encryption tool that remains in active development, including an evolving ransom note
Maintains unreliable infrastructure, as stated through the group's admission on their Onion site
Sectors Impacted
Bitter Scorpius has previously impacted organizations in the following sectors:
Aerospace and Defense
Agriculture
Construction
Education
Financial Services
Healthcare
High Technology
Hospitality
Insurance
Manufacturing
Media and Entertainment
Mining
Nonprofits
Pharma and Life Sciences
Professional and Legal Services
Real Estate
State and Local Government
Telecommunications
Transportation and Logistics
Utilities and Energy
Wholesale and Retail

Blustering Scorpius
Also Known As
Stormous
Summary
Blustering Scorpius is an Arabic-speaking cybercrime group that first appeared in 2021. They gained fame by exploiting tensions in the Russia-Ukraine war and targeting Western entities in 2022. They initially sought to specifically target entities in the U.S. but quickly began targeting entities based on global political tensions. While the group has claimed numerous attacks, they have also been accused of posting fake data or claiming attacks perpetrated by other groups.
Blustering Scorpius gains initial access via phishing, vulnerability exploits, Remote Desktop Protocol (RDP), credential abuse and malvertising. They use X (Twitter) and Telegram to advertise their exploits and to reach their followers and affiliates. The group also uses social engineering to exploit emotions surrounding geopolitical tensions.
Blustering Scorpius began joint operations with GhostSec on July 13, 2023, which they announced via GhostSec’s Telegram channel. The two groups have gone on to jointly attack multiple entities in various countries and industries.
Sectors Impacted
Blustering Scorpius has previously impacted organizations in the following sectors:
Education
Financial Services
High Technology
Manufacturing
Media and Entertainment
Telecommunications
Utilities and Energy
Wholesale and Retail

Chubby Scorpius
Also Known As
Cl0p, CL0P
Summary
The Chubby Scorpius group, first observed in February 2019, is a financially motivated ransomware group known for its sophisticated operations and large-scale attacks using the Cl0p ransomware. They operate under a ransomware-as-a-service (RaaS) model, meaning they develop and maintain the ransomware while affiliates carry out the attacks.
In June 2021, six suspected members of the Cl0p ransomware gang were arrested in Ukraine during a series of raids conducted in and around Kyiv. Ukrainian law enforcement, working with investigators from South Korea and the United States, searched 21 homes and seized various devices including computers, smartphones and servers. They also confiscated approximately $184,000 USD in what is believed to be ransom payments.
Sectors Impacted
Chubby Scorpius has previously impacted organizations in the following sectors:
Aerospace and Defense
Agriculture
Construction
Education
Financial Services
Healthcare
High Technology
Hospitality
Industrial Automation Industry
Insurance
Manufacturing
Media and Entertainment
Mining
Nonprofit
Pharma and Life Sciences
Professional and Legal Services
Real Estate
State and Local Government
Telecommunications
Transportation and Logistics
Utilities and Energy
Wholesale and Retail

Dapper Scorpius
Also Known As
BlackSuit
Summary
Dapper Scorpius is a ransomware group that emerged in early May 2023, distributing BlackSuit ransomware and impacting a broad range of organizations globally. This group is suspected to be the Ignoble Scorpius ransomware group (aka Royal Ransomware) rebranded.
Unlike many ransomware operations that use a RaaS model, Dapper Scorpius operates as a private group without affiliates, most likely composed of ex-Conti and ex-Ignoble Scorpius members.
Dapper Scorpius employs a multifaceted distribution strategy that includes phishing campaigns, malicious email attachments, SEO poisoning and using loaders like GootLoader to deploy their ransomware payload.
Sectors Impacted
Dapper Scorpius has previously impacted organizations in the following sectors:
Construction
Education
Federal Government
Financial Services
Healthcare
High Technology
Insurance
Manufacturing
Media and Entertainment
Nonprofits
Real Estate
State and Local Government
Transportation and Logistics
Wholesale and Retail

Dark Scorpius
Also Known As
Storm-1811 (Microsoft), Curly Spider (CrowdStrike)
Black Basta, Black_Basta, BlackBasta, Cardina, UNC4393
Summary
Dark Scorpius is a financially motivated ransomware-as-a-service (RaaS) group, with suspected ties to the defunct Conti group. These two groups use similar tactics, techniques and procedures (TTPs) and infrastructure.
Dark Scorpius operations involve double extortion, encrypting data (T1486) and threatening public disclosure of sensitive information to coerce ransom payments (T1657). First observed in April 2022, they target critical infrastructure and high-profile organizations globally, causing significant disruptions and financial losses.
While Dark Scorpius has impacted organizations globally, their reported compromises skewed more toward developed countries such as the U.S., UK, Germany and Canada. While organizations in developed countries are most frequently targeted due to their potential for high-value payouts, this threat actor maintains an opportunistic approach, suggesting they will target any vulnerable organization if the opportunity for profit arises. The group avoids operations within the Commonwealth of Independent States, a common behavior observed in Russia-based groups.
As a RaaS group, Dark Scorpius has affiliates that leverage a wide set of TTPs to achieve their objectives. As such, what we capture in this report may differ from the activities they employ in future attacks.
The group exclusively uses the Black Basta ransomware for data encryption (T1486) after exfiltrating files with tools such as RClone (S1040, T1048, T1567).
Sectors Impacted
Dark Scorpius has previously impacted organizations in the following sectors:
Aerospace and Defense
Agriculture
Construction
Healthcare
High Technology
Hospitality
Insurance
Manufacturing
Media and Entertainment
Mining
Nonprofits
Pharma and Life Sciences
Professional and Legal Services
Real Estate
State and Local Government
Telecommunications
Transportation and Logistics
Utilities and Energy
Wholesale and Retail

Fiddling Scorpius
Also Known As
Play, PlayCrypt
Summary
Fiddling Scorpius is a sophisticated cybercriminal organization that emerged in June 2022. This group is notorious for its double-extortion tactics, where they exfiltrate sensitive data before encrypting systems and demanding ransom payments to prevent data leaks.
The tooling employed by Fiddling Scorpius includes a mix of custom and publicly available tools for command and control (C2), lateral movement, credential dumping and data exfiltration. The primary impact of their attacks is data encryption, with encrypted files given a .play extension, causing significant operational disruptions.
Sectors Impacted
Fiddling Scorpius has previously impacted organizations in the following sectors:
Aerospace and Defense
Agriculture
Conglomerates
Construction
Federal Government
Financial Services
High Technology
Hospitality
Industrial Automation Industry
Insurance
Manufacturing
Media and Entertainment
Mining
Nonprofits
Professional and Legal Services
Real Estate
State and Local Government
Telecommunications
Transportation and Logistics
Utilities and Energy
Wholesale and Retail

Fiery Scorpius
Also Known As
Helldown
Top Impacted Industries
Construction
High Technology
Hospitality
Professional and Legal Services
Transportation and Logistics
Wholesale and Retail

Flighty Scorpius
Also Known As
ABCD, LockBit, LockBit 2.0, LockBit 3.0, LockBit Black, Lockbit_RaaS
Summary
Flighty Scorpius is a ransomware as a service (RaaS) group, first observed in September 2019. They were initially known for deploying ABCD ransomware, which was so named due to the characteristic .abcd file extension used during attacks. They later rebranded as LockBit when they became a RaaS operation.
Flighty Scorpius' operational model is distinguished by its affiliate program, which they aggressively marketed on underground forums. The group has innovated in affiliate relations, offering direct ransom payments to affiliates before taking its cut, a practice that contrasts with the norm and incentivizes potential partners.
Over the years, Flighty Scorpius has developed and released multiple LockBit ransomware variants.
Each variant signifies an evolution in the group's technical capabilities, from faster encryption speeds to more sophisticated extortion techniques. This evolution is largely the result of the group acquiring ransomware source code from competitors.
The group suffered a major disruption with Operation Cronos in February 2024, which led to law enforcement seizing infrastructure and public-facing websites crucial to LockBit's operations. They also exposed Russian nationals as members of the group, including its administrator.
Despite these law enforcement disruptions, Flighty Scorpius has resumed operations, including the potential release of a new ransomware variant.
Sectors Impacted
Aerospace and Defense
Agriculture
Construction
Cryptocurrency Industry
Education
Federal Government
Financial Services
Healthcare
High Technology
Hospitality
Insurance
Manufacturing
Media and Entertainment
Mining
Nonprofits
Pharma and Life Sciences
Professional and Legal Services
Real Estate
State and Local Government
Telecommunications
Transportation and Logistics
Utilities and Energy
Wholesale and Retail

Fluttering Scorpius
Also Known As
FOG
Summary
Fluttering Scorpius, the group that distributes FOG ransomware, emerged as a significant threat actor in the ransomware landscape when first observed in April 2024. This group is notorious for exploiting vulnerabilities in widely used software to gain unauthorized access to systems.
The group employs various techniques, such as using stolen credentials and unpatched vulnerabilities, to infiltrate networks. Fluttering Scorpius has shared infrastructure with the Akira ransomware group, which suggests possible collaboration between these groups.
Fluttering Scorpius' operations are marked by rapid encryption attacks and the strategic use of living-off-the-land binaries (LOLBins) to evade detection.
The group focuses on targeting backup and disaster recovery solutions to maximize the impact of their attacks.
The group often uses compromised VPN credentials to get a foothold in the victim's environment. These threat actors accomplish lateral movement using pass-the-hash attacks on administrator accounts to establish RDP connections targeting Hyper-V running on Windows servers. Fluttering Scorpius also uses credential stuffing to take over high-value accounts.
Sectors Impacted
Agriculture
Construction
Education
Healthcare
Hospitality
Manufacturing
Nonprofits
Professional and Legal Services
State and Local Government
Telecommunications
Utilities and Energy
Wholesale and Retail

Howling Scorpius
Also Known As
Storm-1567 (Microsoft), Punk Spider (CrowdStrike)
Akira
Summary
Howling Scorpius is a financially motivated ransomware-as-a-service (RaaS) operation observed since early 2023. It employs double extortion tactics, typically exfiltrating sensitive data before encrypting systems.
The group targets organizations globally, with a focus on North America, the UK, Australia and Europe. It impacts various sectors, including manufacturing, professional services, education, critical infrastructure and retail.
Howling Scorpius targets Windows and Linux/ESXi systems with evolving ransomware variants.
It uses various tactics, including exploiting vulnerabilities and credential theft, to exfiltrate data.
Dwell times range from less than 24 hours to a month, likely reflecting varying affiliate capabilities. While Howling Scorpius primarily uses double extortion, threatening to publish stolen data if ransom demands are unmet, it has also engaged in extortion-only attacks. In cases we observed during Fall 2023, the group exfiltrated data for payment extortion without deploying ransomware.
Sectors Impacted
Howling Scorpius has previously impacted organizations in the following sectors:
Agriculture
Agriculture and Food and Beverage Production Industry
Automotive Industry
Civic Leagues and Social Welfare Organizations
Conglomerates
Construction
Consumer Business Industry
Education
Engineering and Construction Industry
Federal Government
Financial Services
Health Care Providers and Services Industry
Health Insurance Providers
Healthcare
High Technology
Hospitality
Hospitality Industry
Industrial Products And Services Industry
Information Technology (IT) or Technology Consulting Industry
Insurance
Investment Management Industry
Law Services and Consulting Industry
Management and Operations Consulting Industry
Manufacturing
Media and Entertainment
Mining
Nonprofits
Oil, Gas and Consumable Fuels Industry
Operational NGOs
Pharma and Life Sciences
Professional and Legal Services
Public Safety
Real Estate
Real Estate Management, Brokerage and Service Provider Industry
Restaurants and Food Service Industry
Retail, Wholesale and Distribution Industry
State and Local Government
Technology Industry
Telecommunications
Telecommunications Industry
Transportation and Logistics
Transportation Industry
Utilities and Energy
Wholesale and Retail

Ignoble Scorpius
Also Known As
Black Suit, BlackSuit, Dapper Scorpius, Roy, Royal, Royal_Group, Zeon
Summary
Ignoble Scorpius is a cybercriminal organization specializing in ransomware attacks. First emerging in September 2022 as the Royal ransomware group, it rebranded as BlackSuit around May 2023.
This group comprises experienced members possibly linked to the defunct Conti group. It has developed custom ransomware payloads, notably introducing the BlackSuit ransomware as a successor to the earlier Royal ransomware. BlackSuit retained over 90% of Royal's codebase.
The group's ransomware targets Windows and Linux systems, including ESXi servers, and employs strong encryption algorithms to render data inaccessible.
Sectors Impacted
Ignoble Scorpius has previously impacted organizations in the following sectors:
Agriculture
Construction
Education
Federal Government
Financial Services
Healthcare
High Technology
Hospitality
Insurance
Manufacturing
Media and Entertainment
Nonclassifiable Establishments
Nonprofits
Pharma and Life Sciences
Professional and Legal Services
Real Estate
State and Local Government
Telecommunications
Transportation and Logistics
Utilities and Energy
Wholesale and Retail

Invisible Scorpius
Also Known As
Cloak
Summary
Invisible Scorpius is a ransomware group targeting small to medium-sized businesses and using initial access brokers (IABs) for initial access. First seen at the end of 2022, the group is believed to be connected to the Stale Scorpius ransomware group after threat actors posted victim information from Stale Scorpius to Invisible Scorpius' leak site.
Sectors Impacted
Invisible Scorpius has previously impacted organizations in the following sectors:
Federal Government
Hospitality
Professional and Legal Services
State and Local Government
Transportation and Logistics

Mushy Scorpius
Also Known As
Karakurt, Karakurt Lair, Karakurt Team
Summary
Mushy Scorpius is the group behind Karakurt ransomware, known for focusing on extortion. It has links to the Conti RaaS group. First emerging in 2021, Mushy Scorpius steals intellectual property and demands ransom from victims without encrypting their data, leveraging threats to auction off the sensitive data or release it to the public.
As part of their extortion efforts, they provide victims with screenshots or copies of stolen file directories as evidence of the data theft. They aggressively contact victims' employees, business partners and clients with harassing emails and phone calls. They also leverage stolen data like social security numbers, payment accounts, private emails and other sensitive business information to exert pressure.
Upon receiving ransom payments, Mushy Scorpius has occasionally provided victims with proof that they deleted the stolen files, along with a brief explanation of how they initially breached the victim's defenses.
This underlines the group’s focus on financial gain, but also shows that they seek a level of engagement from their victims toward meeting their demands.
Sectors Impacted
Mushy Scorpius has previously impacted organizations in the following sectors:
Agriculture
Construction
Education
Financial Services
Healthcare
High Technology
Hospitality
Insurance
Manufacturing
Media and Entertainment
Nonprofits
Pharma and Life Sciences
Professional and Legal Services
Real Estate
State and Local Government
Telecommunications
Utilities and Energy
Wholesale and Retail

Pilfering Scorpius
Also Known As
Robinhood
Summary
The Pilfering Scorpius ransomware group gained attention by attacking a number of local and state government entities starting in April 2019. This threat group often gains initial access through phishing, malicious websites and malicious file sharing or downloads.
Once access has been gained, the operators establish persistence and use RDP to spread throughout the victim network. Initial reporting revealed that humans were largely responsible for operating these attacks, as opposed to them being run by automated processes.
Sectors Impacted
Pilfering Scorpius has previously impacted organizations in the following sectors:
Pharma and Life Sciences
Utilities and Energy
Transportation and Logistics
Education
Nonprofits
Insurance
Healthcare
Manufacturing
Federal Government
State and Local Government
Real Estate
Construction
Financial Services
Agriculture
Wholesale and Retail

Powerful Scorpius
Also Known As
BlackByte
Summary
Powerful Scorpius is a RaaS group operating since July 2021, distributing BlackByte ransomware. This group’s operational tactics include exploiting vulnerabilities such as the ProxyShell vulnerability in Microsoft Exchange Servers, using tools like Cobalt Strike, and avoiding detection through obfuscation and anti-debugging techniques.
Their malware checks system languages and exits if it finds Russian or certain Eastern European languages, presumably to avoid impacting systems in those regions. The group uses multi-extortion techniques in their campaigns.
Sectors Impacted
Powerful Scorpius has previously impacted organizations in the following sectors:
Financial Services
Food and Agriculture
Government
Manufacturing
Wholesale and Retail

Procedural Scorpius
Also Known As
ThreeAM, 3AM
Summary
Procedural Scorpius is a ransomware group discovered in September 2023, when researchers noticed Procedural Scorpius’ malware being deployed in a failed LockBit attack. This group distributes 3AM ransomware and is thought to be linked to two other notorious ransomware groups, Conti and Ignoble Scorpius (distributor of Royal ransomware).
Procedural Scorpius escalates their extortion tactics by contacting their victim's social media followers, informing them of the data leak. They also use bots that post on highly visible X accounts to advertise the leaks. Procedural Scorpius targets medium to large companies in countries not within the Commonwealth of Independent States (CIS).
Sectors Impacted
Procedural Scorpius has previously impacted organizations in the following sectors:
Agriculture
Financial Services
Manufacturing
Professional and Legal Services
Wholesale and Retail

Protesting Scorpius
Also Known As
Cactus, Cactus Ransomware Group
Summary
Protesting Scorpius emerged as a ransomware threat actor in March 2023, employing double-extortion tactics. The group distinguishes itself through innovative tactics, often securing initial access to target networks by exploiting vulnerabilities in internet-facing software and services, such as virtual private network (VPN) appliances. This includes the use of zero-day vulnerabilities. The group also gains access through phishing attacks or by acquiring credentials via partnerships with malware distributors.
Protesting Scorpius targets are located primarily in the U.S. The group focuses on infiltrating networks of both public sector organizations and large commercial entities.
The group exfiltrates sensitive data from its victims and engages in extortion using peer-to-peer messaging services.
Protesting Scorpius also uploads exfiltrated files to its own leak site to apply additional pressure to victims.
Sectors Impacted
Protesting Scorpius has previously impacted organizations in the following sectors:
Aerospace and Defense
Agriculture
Construction
Financial Services
Healthcare
High Technology
Hospitality
Insurance
Life Insurance Providers
Manufacturing
Media and Entertainment
Mining
Pharma and Life Sciences
Professional and Legal Services
Real Estate
State and Local Government
Telecommunications
Transportation and Logistics
Utilities and Energy
Wholesale and Retail

Repellent Scorpius
Also Known As
Cicada3301, Cicada3301 ransomware-as-a-service
Summary
First observed in June 2024 on multiple predominantly Russian-language cybercrime forums, Repellent Scorpius is a ransomware-as-a-service (RaaS) affiliate program. While the group's precise origin remains unknown, its presence on these forums and the use of Russian by its members suggest a possible connection to the Russian-speaking cybercriminal underground.
Repellent Scorpius prohibits attacks on Commonwealth of Independent States (CIS) countries (e.g., Russia) and charges affiliates a 20% fee on all ransoms. This relatively high profit share for affiliates likely aims to attract skilled cybercriminals. Prospective affiliates must undergo an interview and vetting process, including providing proof of their activity on cybercrime forums.
The group's ransomware, written in Rust, uses ChaCha20 encryption and operates offline. It supports Windows, Linux, ESXi and NAS platforms.
While no definitive link exists between the groups, some overlaps were observed between Repellent Scorpius and Ambitious Scorpius (aka BlackCat), which disbanded shortly before Repellent Scorpius appeared.
Sectors Impacted
Repellent Scorpius has previously impacted organizations in the following sectors:
Construction
Healthcare
High Technology
Telecommunications

Salty Scorpius
Also Known As
Trigona
Summary
Salty Scorpius claims to be a highly profitable operation, launching global attacks deploying Trigona ransomware with promises of 20%-50% returns from each successful endeavor. First identified in October 2022, their operations partnered with network access brokers, who provided them with compromised credentials via the Russian Anonymous Marketplace (RAMP) forum. This collaboration was crucial for gaining the initial access needed to infiltrate their targets.
Salty Scorpius has ties to the CryLock group, evidenced by their shared methodologies and strategies and the identical ransom note filenames and email addresses they employ. By April 2023, Salty Scorpius shifted their focus toward exploiting compromised Microsoft SQL (MSSQL) servers, leveraging brute-force attacks to penetrate these systems.
This group also performs detailed reconnaissance within the target’s network, distributes malware via remote monitoring and management (RMM) software, creates new user accounts and then finally deploys ransomware.
They were disrupted by hacktivists in 2023, but posts have appeared on their leak site in 2024.
Sectors Impacted
Salty Scorpius has previously impacted organizations in the following sectors:
Hospitality
Wholesale and Retail

Shifty Scorpius
Also Known As
Hunters International
Summary
Shifty Scorpius is a financially motivated ransomware-as-a-service (RaaS) group that emerged in October 2023. Security researchers believe the group to be related to the former Hive ransomware operation, potentially through acquisition or adaptation of Hive's codebase after law enforcement disruptions.
Unlike other ransomware groups, Shifty Scorpius primarily focuses on data exfiltration and extortion, not encryption. This extortion includes leaking pre-operative pictures of patients from breached healthcare organizations.
The group targets a wide array of industries globally, with particular focus on the healthcare, finance and automotive sectors.
It employs a multifaceted approach to infiltrating and exploiting target networks.\r\nShifty Scorpius has directly contacted the clients and customers of victim organizations, often via email, to solicit\r\npayment for not publishing or selling their details on the dark web.\r\nSectors Impacted\r\nShifty Scorpius has previously impacted organizations in the following sectors:\r\nAgriculture\r\nConglomerates\r\nConstruction\r\nEducation\r\nFederal Government\r\nFinancial Services\r\nHealth Insurance Providers\r\nHealthcare\r\nHigh Technology\r\nHospitality\r\nInsurance\r\nInternet of Things (IoT) Industry\r\nManufacturing\r\nMedia and Entertainment\r\nNonprofits\r\nPharma and Life Sciences\r\nProfessional and Legal Services\r\nReal Estate\r\nState and Local Government\r\nTelecommunications\r\nTransportation and Logistics\r\nUtilities and Energy\r\nWholesale and Retail\r\nSpicy Scorpius\r\nAlso Known As\r\nAvos, AvosLocker\r\nSummary\r\nSpicy Scorpius is a RaaS group that first emerged as a significant threat in 2021. This group uses multi-extortion\r\ntactics and the remote administration tool AnyDesk for manual operation on victim machines. They can operate in\r\nsafe mode to evade security measures. They also auction stolen data on their site in addition to their ransom\r\ndemand.\r\nThe group’s deployment strategies include leveraging vulnerabilities like Log4Shell for initial access. 
This group\r\nhas a level of organization resembling that of legitimate tech businesses rather than traditional cybercrime\r\noperations.\r\nThe threat they use has evolved to specifically target Linux systems and VMware ESXi servers since its debut,\r\nwhereas many similar operations primarily focus on Windows systems.\r\nSectors Impacted\r\nSpicy Scorpius has previously impacted organizations in the following sectors:\r\nAgriculture\r\nConstruction\r\nEducation\r\nFinance\r\nFinancial Services\r\nHealthcare\r\nHigh Technology\r\nHospitality\r\nInsurance\r\nManufacturing\r\nMining\r\nNonprofits\r\nPharma and Life Sciences\r\nProfessional and Legal Services\r\nReal Estate\r\nState and Local Government\r\nTelecommunications\r\nTransportation and Logistics\r\nUtilities and Energy\r\nWholesale and Retail\r\nSpikey Scorpius\r\nAlso Known As\r\nAgenda, Qilin, Qilin Team\r\nSummary\r\nSpikey Scorpius operates as an affiliate program for ransomware as a service and has recently adopted Rust-based\r\nransomware to target its victims. Previously, they used Go as their preferred language.\r\nSpikey Scorpius often tailors ransomware attacks to each victim for maximum impact. To achieve this, threat\r\nactors employ strategies like altering file extensions of encrypted files and terminating specific processes and\r\nservices.\r\nThe group advertises their ransomware Qilin on the dark web. This ransomware features a proprietary data leak\r\nsite (DLS) containing unique company IDs and leaked account information.\r\nSpikey Scorpius' operators employ a double extortion approach, which involves encrypting a victim's sensitive\r\ndata and exfiltrating it. They then demand payment for a decryption key and threaten to release the stolen data\r\neven after receiving the ransom.\r\nThe malware offers various encryption modes, all under the operator's control. 
Additionally, they may attempt to\r\nreboot systems in normal mode and halt server-specific processes to complicate the victim's data recovery efforts.\r\nSectors Impacted\r\nSpikey Scorpius has previously impacted organizations in the following sectors:\r\nAgriculture\r\nConstruction\r\nEducation\r\nFederal Government\r\nFinancial Services\r\nHealthcare\r\nHigh Technology\r\nHospitality\r\nIndustrial Automation Industry\r\nInsurance\r\nManufacturing\r\nMedia and Entertainment\r\nNonprofits\r\nPharma and Life Sciences\r\nProfessional and Legal Services\r\nReal Estate\r\nState and Local Government\r\nTelecommunications\r\nTransportation and Logistics\r\nUtilities and Energy\r\nWholesale and Retail\r\nSpoiled Scorpius\r\nAlso Known As\r\nCyclops, Knight, RansomHub\r\nSummary\r\nSpoiled Scorpius is a prominent ransomware-as-a-service (RaaS) operation that emerged in February 2024. This\r\ncybercriminal group has rapidly become one of the most active ransomware threats, leveraging a double-extortion\r\nmodel to maximize financial gains. Analysis of code indicates significant overlap with Knight ransomware,\r\nsuggesting that Spoiled Scorpius could have evolved or built upon this earlier threat.\r\nWhile the group's primary focus has been on organizations within the U.S., it has also expanded operations to\r\nEuropean targets. This indicates a strategic shift toward a more global victim base. 
Its victims cover a diverse\r\nrange of industries.\r\nSectors Impacted\r\nSpoiled Scorpius has previously impacted organizations in the following sectors:\r\nAgriculture\r\nChemical Manufacturing\r\nConglomerates\r\nConstruction\r\nCryptocurrency Industry\r\nEducation\r\nFederal Government\r\nFinancial Services\r\nHealth Insurance Providers\r\nHealthcare\r\nHigh Technology\r\nHolding Companies\r\nHospitality\r\nIndustrial Automation Industry\r\nInsurance\r\nInternet of Things (IoT) Industry\r\nManufacturing\r\nMedia and Entertainment\r\nManufacturing Chemical Preparations\r\nNonprofits\r\nPharma and Life Sciences\r\nProfessional and Legal Services\r\nReal Estate\r\nState and Local Government\r\nTelecommunications\r\nTransportation and Logistics\r\nUtilities and Energy\r\nWholesale and Retail\r\nSqualid Scorpius\r\nAlso Known As\r\n8Base\r\nSummary\r\nThe Squalid Scorpius ransomware group first emerged in March 2022, using a multi-extortion tactic. The group\r\ninitially remained under the radar with relatively few attacks, but in June 2023, their activity spiked dramatically,\r\nshowcasing a more aggressive approach.\r\nThey leverage encryption techniques alongside name-and-shame strategies to pressure victims into paying\r\nransoms. Squalid Scorpius has used a number of ransomware variants, including a customized version of the\r\nPhobos ransomware. This indicates their technical adaptability, as well as their focus on evading detection and\r\nmaximizing impact. 
This adaptability is evident in their use of advanced encryption techniques and strategies to\r\nbypass User Account Control (UAC) mechanisms on Windows systems, enabling them to execute their malicious\r\npayloads without immediate detection.\r\nSectors Impacted\r\nSqualid Scorpius has previously impacted organizations in the following sectors:\r\nUtilities and Energy\r\nWholesale and Retail\r\nSqueaking Scorpius\r\nAlso Known As\r\nRhysida\r\nSummary\r\nSqueaking Scorpius is a RaaS group first observed in May 2023. They are believed to go after targets of\r\nopportunity rather than specific industries or organizations. They employ a double extortion model, demanding a\r\nransom to decrypt victim data and threatening to publish sensitive data unless a ransom is paid.\r\nSqueaking Scorpius operates as a ransomware-as-a-service, where tools and infrastructure are leased out to\r\naffiliates. Any ransom paid is split between the group and the affiliate. They have been known to engage in\r\nransom negotiations and disclose compromised victim data.\r\nTheir primary means of initial access is through phishing emails, malvertising, or using stolen credentials to\r\nauthenticate to remote services, such as through VPNs, especially in organizations not using multi-factor\r\nauthentication.\r\nOnce in a victim's environment, they use Living off the Land (LotL) techniques including PowerShell for\r\nenumerating the environment and RDP connections for lateral movement. They have also used Cobalt Strike in\r\nvictim environments as well as a script that terminates anti-malware programs. 
The group distributes Rhysida\r\nransomware, which encrypts data using a 4096-bit RSA encryption key.\r\nSome researchers have suggested links between this group and the actors behind Vice Society ransomware,\r\nwhich would indicate a rebrand.\r\nSectors Impacted\r\nSqueaking Scorpius has previously impacted organizations in the following sectors:\r\nAgriculture\r\nConstruction\r\nEducation\r\nFederal Government\r\nFinancial Services\r\nHealthcare\r\nHigh Technology\r\nHospitality\r\nInsurance\r\nManufacturing\r\nMedia and Entertainment\r\nNonprofits\r\nPharma and Life Sciences\r\nProfessional and Legal Services\r\nReal Estate\r\nState and Local Government\r\nTelecommunications\r\nUtilities and Energy\r\nWholesale and Retail\r\nStale Scorpius\r\nAlso Known As\r\nGood Day\r\nSummary\r\nStale Scorpius is a ransomware group initially observed in May of 2023. Their infrastructure as well as purported\r\nvictims are closely linked with Invisible Scorpius, leading researchers to believe the groups are connected.\r\nContact information such as threat actor channels and email addresses that were observed in Invisible Scorpius\r\nattacks have also been seen in Stale Scorpius attacks.\r\nSectors Impacted\r\nStale Scorpius has previously impacted organizations in the following sectors:\r\nConstruction\r\nEducation\r\nFederal Government\r\nHealthcare\r\nHigh Technology\r\nInsurance\r\nManufacturing\r\nMedia and Entertainment\r\nNonprofits\r\nPharma and Life Sciences\r\nProfessional and Legal Services\r\nReal Estate\r\nState and Local Government\r\nWholesale and Retail\r\nStumped Scorpius\r\nAlso Known As\r\nNoEscape, No Escape\r\nSummary\r\nStumped Scorpius is a RaaS group that first emerged in May 2023 and quickly established themselves as a\r\nsuccessor to the Avaddon ransomware group, which ceased operations in 2021. 
Stumped Scorpius uses aggressive\r\nmulti-extortion tactics, targeting a broad range of industries including healthcare.\r\nThey encrypt files on Windows, Linux and VMware ESXi servers, demanding ransoms ranging from hundreds of\r\nthousands of dollars to over $10 million. Their developers claim to have built the malware and infrastructure from\r\nscratch, differentiating the threat from other ransomware families that often repurpose existing code.\r\nStumped Scorpius employs techniques like reflective DLL injection to target VMware ESXi servers. They have a\r\nrobust RaaS platform that allows affiliates to customize attacks, including encryption strategies and ransom\r\ndemands.\r\nTheir ransomware can bypass UAC on Windows, executing commands to delete shadow copies and system\r\nbackups to prevent file recovery. It also uses the Microsoft Enhanced RSA and AES Cryptographic Provider for\r\nfile encryption.\r\nSectors Impacted\r\nStumped Scorpius has previously impacted organizations in the following sectors:\r\nEducation\r\nFederal Government\r\nMedia and Entertainment\r\nTarnished Scorpius\r\nAlso Known As\r\nGold Ionic, Inc, Inc Group, Inc Ransom, Inc.\r\nSummary\r\nTarnished Scorpius is a cybercriminal group that emerged in mid-2023. It specializes in ransomware attacks\r\nfocusing on financial gain through double and triple extortion tactics. Originally targeting a wide variety of\r\nindustries in the U.S., Tarnished Scorpius has notably shifted focus by launching attacks on healthcare institutions\r\nin the UK.\r\nTarnished Scorpius gains initial access to target networks through the exploitation of known vulnerabilities in\r\npublic-facing applications. 
The group uses a wide range of tools and platforms to carry out operations.\r\nSectors Impacted\r\nAerospace and Defense\r\nAgriculture\r\nConstruction\r\nCryptocurrency Industry\r\nEducation\r\nFederal Government\r\nFinancial Services\r\nHealthcare\r\nHigh Technology\r\nHospitality\r\nInsurance\r\nManufacturing\r\nMedia and Entertainment\r\nMining\r\nNonprofits\r\nPharma and Life Sciences\r\nProfessional and Legal Services\r\nReal Estate\r\nState and Local Government\r\nTransportation and Logistics\r\nUtilities and Energy\r\nWholesale and Retail\r\nTransforming Scorpius\r\nAlso Known As\r\nMedusa (Note: Medusa should not be confused with a similarly named RaaS, MedusaLocker, which has been\r\navailable since 2019)\r\nSummary\r\nTransforming Scorpius, which appeared in late 2022, operates under a ransomware-as-a-service (RaaS) model.\r\nThey use encryption techniques to lock the victim's data and demand a ransom for the decryption keys. The\r\nransomware avoids encrypting extensions like .dll, .exe and .lnk and excludes specific folders from encryption to\r\nensure the system's operability remains intact.\r\nTransforming Scorpius has introduced multiple variants, differentiated mainly by their ransom notes, which have\r\ntransitioned from text to HTML formats in newer versions. The ransomware also features a dedicated data leak\r\nsite, launched in early 2023, to publish victim data as part of a multi-extortion strategy. 
Victims who are\r\nunwilling to comply with ransom demands are offered options like data deletion or download for a\r\nfee.\r\nSectors Impacted\r\nTransforming Scorpius has previously impacted organizations in the following sectors:\r\nAgriculture\r\nConstruction\r\nEducation\r\nFederal Government\r\nFinancial Services\r\nHealthcare\r\nHigh Technology\r\nHospitality\r\nIndustrial Automation Industry\r\nInsurance\r\nManufacturing\r\nMedia and Entertainment\r\nMining\r\nNonprofits\r\nPharma and Life Sciences\r\nProfessional and Legal Services\r\nReal Estate\r\nState and Local Government\r\nTelecommunications\r\nTransportation and Logistics\r\nUtilities and Energy\r\nWholesale and Retail\r\nTropical Scorpius\r\nAlso Known As\r\nStorm-0671 (Microsoft), Storm-0978 (Microsoft)\r\nCuba, DEB-0978, Romcom, UAT-5647, UNC2596, Void Rabisu\r\nSummary\r\nTropical Scorpius is a cybercriminal group active since 2021. Initially deploying the Cuba ransomware family in\r\nfinancially motivated attacks, the group has since expanded its ransomware operations to include the Industrial\r\nSpy, Underground and Trigona families.\r\nThey maintain a variety of custom implants written in different programming languages, relying on the malware\r\nRomCom in particular. They have used zero-day and n-day exploits for initial access.\r\nFollowing the start of the Russia-Ukraine conflict in 2022, Tropical Scorpius also began conducting\r\ncyberespionage campaigns against Ukraine and its allies, supporting Russian geopolitical interests. While\r\nMicrosoft researchers have placed the group's operations in Russia, the exact relationship between Tropical\r\nScorpius and the Russian government remains unknown. 
It could be direct state sponsorship, a contractual\r\nrelationship or independent action aligned with Russian interests.\r\nSectors Impacted\r\nAgriculture\r\nConstruction\r\nEducation\r\nFederal Government\r\nFinancial Services\r\nHealthcare\r\nHigh Technology\r\nInsurance\r\nManufacturing\r\nMedia and Entertainment\r\nProfessional and Legal Services\r\nReal Estate\r\nState and Local Government\r\nTransportation and Logistics\r\nUtilities and Energy\r\nWholesale and Retail\r\nTwinkling Scorpius\r\nAlso Known As\r\nHelloKitty, Gookie, HelloGookie\r\nSummary\r\nTwinkling Scorpius is a ransomware group distributing HelloKitty ransomware that was identified in November\r\n2020, targeting Windows systems and using unpatched vulnerabilities like those in SonicWall devices to gain\r\ninitial access to victim networks. In July 2021, Unit 42 observed the group using a Linux variant of HelloKitty\r\ntargeting VMware’s ESXi hypervisor.\r\nThe group uses both email and Tor chats for communications. In late 2023, the ransomware developer and\r\noperator, also known as Gookee/kapuchin0 and Guki, leaked the source code and shut the operation down.\r\nIn March 2024, the group rebranded and now calls itself Gookie or HelloGookie. To mark the occasion of\r\nthe rebrand, the malware author released the data stolen in the CD Projekt Red breach and the 2022 Cisco attack.\r\nSectors Impacted\r\nTwinkling Scorpius has previously impacted organizations in the following sectors:\r\nAerospace and Defense\r\nInformation Technology Services\r\nWeary Scorpius\r\nAlso Known As\r\nBackmydata, Devos, Eight, Eking, Elbie, Faust, Phobos\r\nSummary\r\nWeary Scorpius is a financially motivated cybercriminal group active since late 2018. The group has used Phobos\r\nransomware and its variants (e.g. 
Eking, Eight, Elbie, Devos, Faust and BackMyData) to operate under a\r\nransomware-as-a-service (RaaS) model.\r\nThis group has targeted a diverse range of industries, including critical infrastructure and essential services. It has\r\nprimarily focused on the U.S., Western Europe and the Asia-Pacific region. In early 2024, the group intensified its\r\nfocus on the technology sector and adopted double extortion tactics.\r\nAs a RaaS group, Weary Scorpius exhibits a wide range of tactics, techniques and procedures (TTPs) during the\r\npre-encryption attack stage. It gains initial access by exploiting exposed Remote Desktop Protocol (RDP) services\r\nthrough brute-force attacks, conducting phishing campaigns with malicious macros and employing loader\r\nmalware to distribute ransomware variants.\r\nThe group performs the following activities:\r\nAccessing credentials using public tools, then using those credentials for lateral movement within the\r\nnetwork\r\nPerforming network discovery with network scanning tools to identify valuable targets\r\nExfiltrating data before encryption, leveraging double extortion tactics by threatening to leak stolen data if\r\nvictims have not paid the ransom\r\nSectors Impacted\r\nWeary Scorpius has previously impacted organizations in the following sectors:\r\nAgriculture\r\nAviation and Aeronautical Engineering\r\nEducation\r\nFinancial Services\r\nHealthcare\r\nHigh Technology\r\nManufacturing\r\nNonprofits\r\nProfessional and Legal Services\r\nState and Local Government\r\nTransportation and Logistics\r\nUtilities and Energy\r\nWholesale and Retail\r\nUpdated Aug. 7, 2024, at 12:05 p.m. PT to clarify headings.\r\nUpdated Sept. 3, 2024, at 9:56 a.m. PT to remove StellarParticle from Cloaked Ursa akas.\r\nUpdated Sept. 11, 2024, at 11:25 a.m. PT for clarifying language.\r\nUpdated Jan. 29, 2025, at 7:55 a.m. PT. 
\r\nUpdated June 19, 2025, at 9:55 a.m. PT to add Nuclear Taurus and Starchy Taurus.\r\nUpdated Aug. 1, 2025, at 11:05 a.m. PT to update many entries and add Bling Libra, Fiery Scorpius, Flighty\r\nScorpius, Repellent Scorpius, Tarnished Scorpius and Tropical Scorpius.\r\nSource: https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/"
	],
	"report_names": [
		"threat-actor-groups-tracked-by-palo-alto-networks-unit-42"
	],
	"threat_actors": [
		{
			"id": "a6fe280e-31d2-4e79-8b00-123587a5dbf8",
			"created_at": "2022-10-25T16:07:23.213445Z",
			"updated_at": "2026-04-10T02:00:04.490533Z",
			"deleted_at": null,
			"main_name": "Electric Panda",
			"aliases": [],
			"source_name": "ETDA:Electric Panda",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c35e2826-1133-4130-9c2a-9e533779a6dc",
			"created_at": "2022-10-25T16:07:23.196141Z",
			"updated_at": "2026-04-10T02:00:04.484248Z",
			"deleted_at": null,
			"main_name": "Boulder Bear",
			"aliases": [],
			"source_name": "ETDA:Boulder Bear",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea",
			"created_at": "2022-10-25T16:07:23.597455Z",
			"updated_at": "2026-04-10T02:00:04.683154Z",
			"deleted_at": null,
			"main_name": "Evil Eye",
			"aliases": [],
			"source_name": "ETDA:Evil Eye",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "998746e1-b4b8-429b-a737-6eb368247c42",
			"created_at": "2022-10-25T16:07:23.505704Z",
			"updated_at": "2026-04-10T02:00:04.632806Z",
			"deleted_at": null,
			"main_name": "Covellite",
			"aliases": [
				"Black Artemis",
				"CTG-2460",
				"Nickel Academy"
			],
			"source_name": "ETDA:Covellite",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82f54603-89e0-4f5a-8df9-eae0c3a90d70",
			"created_at": "2022-10-25T16:07:23.745406Z",
			"updated_at": "2026-04-10T02:00:04.734764Z",
			"deleted_at": null,
			"main_name": "ITG18",
			"aliases": [],
			"source_name": "ETDA:ITG18",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5f970245-d0cd-4dbc-9420-9e6f51c93bdd",
			"created_at": "2023-01-06T13:46:38.417767Z",
			"updated_at": "2026-04-10T02:00:02.966014Z",
			"deleted_at": null,
			"main_name": "Boulder Bear",
			"aliases": [],
			"source_name": "MISPGALAXY:Boulder Bear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "60c270f9-5aa8-41d5-850c-6003135c5815",
			"created_at": "2023-01-06T13:46:38.687298Z",
			"updated_at": "2026-04-10T02:00:03.068415Z",
			"deleted_at": null,
			"main_name": "Clever Kitten",
			"aliases": [
				"Group 41"
			],
			"source_name": "MISPGALAXY:Clever Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25bd25be-762c-404c-be9e-b11f074b34dd",
			"created_at": "2022-10-25T16:07:23.470771Z",
			"updated_at": "2026-04-10T02:00:04.621239Z",
			"deleted_at": null,
			"main_name": "Clever Kitten",
			"aliases": [
				"Group 41"
			],
			"source_name": "ETDA:Clever Kitten",
			"tools": [
				"Acunetix Web Vulnerability Scanner",
				"RC SHELL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "73d59abd-4330-48ef-a460-b00d98650f5a",
			"created_at": "2023-01-06T13:46:38.665023Z",
			"updated_at": "2026-04-10T02:00:03.060387Z",
			"deleted_at": null,
			"main_name": "ELECTRIC PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:ELECTRIC PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adc8bb1a-6ded-4b27-8163-8069d5a6d492",
			"created_at": "2022-10-25T15:50:23.566869Z",
			"updated_at": "2026-04-10T02:00:05.385876Z",
			"deleted_at": null,
			"main_name": "Silent Librarian",
			"aliases": [
				"Silent Librarian",
				"TA407",
				"COBALT DICKENS"
			],
			"source_name": "MITRE:Silent Librarian",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8b61d214-62b2-455b-8eb4-fb0594763787",
			"created_at": "2023-01-06T13:46:38.502064Z",
			"updated_at": "2026-04-10T02:00:03.002552Z",
			"deleted_at": null,
			"main_name": "Dancing Salome",
			"aliases": [],
			"source_name": "MISPGALAXY:Dancing Salome",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81ea5ca6-9450-4188-95c6-58cea919f6b0",
			"created_at": "2023-01-06T13:46:39.419536Z",
			"updated_at": "2026-04-10T02:00:03.320575Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [],
			"source_name": "MISPGALAXY:BRONZE VAPOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "42e41377-c64c-4be9-87a0-ee903e4b9055",
			"created_at": "2023-01-06T13:46:38.950322Z",
			"updated_at": "2026-04-10T02:00:03.158476Z",
			"deleted_at": null,
			"main_name": "Silent Librarian",
			"aliases": [
				"Mabna Institute",
				"TA407",
				"TA4900",
				"Yellow Nabu",
				"COBALT DICKENS"
			],
			"source_name": "MISPGALAXY:Silent Librarian",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a80df4d-5ab7-4ca3-809d-8ef7b5a54f1f",
			"created_at": "2023-11-21T02:00:07.386886Z",
			"updated_at": "2026-04-10T02:00:03.474764Z",
			"deleted_at": null,
			"main_name": "TiltedTemple",
			"aliases": [
				"Circle Typhoon",
				"DEV-0322"
			],
			"source_name": "MISPGALAXY:TiltedTemple",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3f53ecb7-e228-471d-8f85-0b2ba110ab4b",
			"created_at": "2023-01-06T13:46:39.181151Z",
			"updated_at": "2026-04-10T02:00:03.237995Z",
			"deleted_at": null,
			"main_name": "Red Charon",
			"aliases": [],
			"source_name": "MISPGALAXY:Red Charon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "358432a9-d927-43c7-9201-b7aa7d184c26",
			"created_at": "2024-06-20T02:02:10.317536Z",
			"updated_at": "2026-04-10T02:00:05.043265Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "ETDA:UNC5537",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4c0e20f-e199-448e-9056-88bb1cf1c63e",
			"created_at": "2025-08-07T02:03:24.717633Z",
			"updated_at": "2026-04-10T02:00:03.630245Z",
			"deleted_at": null,
			"main_name": "COBALT DICKENS",
			"aliases": [
				"ITG22 ",
				"SilentLibrarian ",
				"TA407 ",
				"Yellow Nabu "
			],
			"source_name": "Secureworks:COBALT DICKENS",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-10T02:00:05.330644Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "94890f31-3a6c-447b-8995-5c5958efea28",
			"created_at": "2023-01-06T13:46:39.352776Z",
			"updated_at": "2026-04-10T02:00:03.29716Z",
			"deleted_at": null,
			"main_name": "UNC3524",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3524",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ff183540-67fb-4514-bd30-b4a264795901",
			"created_at": "2022-10-25T16:07:24.367762Z",
			"updated_at": "2026-04-10T02:00:04.956814Z",
			"deleted_at": null,
			"main_name": "UNC3524",
			"aliases": [],
			"source_name": "ETDA:UNC3524",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2c936440-1695-4b9d-88c1-32ab6df31d1b",
			"created_at": "2025-03-04T02:00:03.004127Z",
			"updated_at": "2026-04-10T02:00:03.816503Z",
			"deleted_at": null,
			"main_name": "GOLD REBELLION",
			"aliases": [
				"WANDERING SPIDER",
				"White Dev 115",
				"Dark Scorpius"
			],
			"source_name": "MISPGALAXY:GOLD REBELLION",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3c24777-7c0f-4772-b273-2163ac5a6b67",
			"created_at": "2024-06-19T02:00:04.373472Z",
			"updated_at": "2026-04-10T02:00:03.651748Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5537",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4d7cba1-dbdd-42a9-88c5-4d0c81659ee0",
			"created_at": "2023-01-06T13:46:38.357581Z",
			"updated_at": "2026-04-10T02:00:02.941254Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Saffron Rose",
				"AjaxSecurityTeam",
				"Ajax Security Team",
				"Group 26",
				"Sayad",
				"SaffronRose"
			],
			"source_name": "MISPGALAXY:Flying Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7ba9e3e3-1cef-4e20-be7e-95f05e8295d7",
			"created_at": "2022-10-25T16:07:23.821494Z",
			"updated_at": "2026-04-10T02:00:04.759302Z",
			"deleted_at": null,
			"main_name": "Mabna Institute",
			"aliases": [
				"Academic Serpens",
				"Cobalt Dickens",
				"G0122",
				"Mabna Institute",
				"Silent Librarian",
				"TA407",
				"TA4900",
				"Yellow Nabu"
			],
			"source_name": "ETDA:Mabna Institute",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6bc98fce-5e1c-46d8-9d1a-64b5cb5febc3",
			"created_at": "2025-04-23T02:00:55.20526Z",
			"updated_at": "2026-04-10T02:00:05.307504Z",
			"deleted_at": null,
			"main_name": "Storm-1811",
			"aliases": [
				"Storm-1811"
			],
			"source_name": "MITRE:Storm-1811",
			"tools": [
				"Black Basta",
				"Cobalt Strike",
				"Quick Assist",
				"BITSAdmin",
				"PsExec",
				"Impacket",
				"QakBot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9afb532d-6183-46ed-a638-595c9e49056b",
			"created_at": "2024-06-19T02:03:08.032166Z",
			"updated_at": "2026-04-10T02:00:03.700322Z",
			"deleted_at": null,
			"main_name": "GOLD ENCORE",
			"aliases": [
				"Balloonfly ",
				"Fiddling Scorpius "
			],
			"source_name": "Secureworks:GOLD ENCORE",
			"tools": [
				"ADFind",
				"Bloodhound",
				"Cobalt Strike",
				"GMER",
				"Grixba",
				"Mimikatz",
				"Nekto",
				"Play",
				"Plink",
				"PowerTool",
				"Process Hacker",
				"PsExec",
				"SystemBC",
				"WinRAR",
				"WinSCP",
				"Winpeas"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6ee68fe6-17f3-4de5-a78e-6d0bdcd83622",
			"created_at": "2024-06-19T02:03:08.072478Z",
			"updated_at": "2026-04-10T02:00:03.627092Z",
			"deleted_at": null,
			"main_name": "GOLD IONIC",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD IONIC",
			"tools": [
				"INC ransomware",
				"MEGAsync",
				"Metasploit",
				"PsExec"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Dancing Salome",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051",
				"Primitive Bear",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"WinterFlounder"
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon",
				"Emissary Panda"
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7d2a4583ea183aba4de64ef0306395fe305c0ae.pdf",
		"text": "https://archive.orkl.eu/d7d2a4583ea183aba4de64ef0306395fe305c0ae.txt",
		"img": "https://archive.orkl.eu/d7d2a4583ea183aba4de64ef0306395fe305c0ae.jpg"
	}
}