{ "id": "6584bac4-add3-4f6b-94d3-9821690a5ce7", "created_at": "2026-04-06T00:08:49.720702Z", "updated_at": "2026-04-10T03:37:51.326345Z", "deleted_at": null, "sha1_hash": "d87e8ac4e34f7df013e145848843f9a1c82c317d", "title": "Maze (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 348465, "plain_text": "Maze (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:26:58 UTC\r\nMaze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of\r\nthe ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different\r\nextensions appended to files which are randomly generated.\r\nActors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam\r\nand various exploit kits (Spelevo, Fallout).\r\nThe code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions\r\nusing signature-based detections.\r\n2024-05-01 ⋅ Natto Thoughts ⋅\r\nRansom-War: Russian Extortion Operations as Hybrid Warfare, Part One\r\nClop Conti Maze TrickBot 2024-02-15 ⋅ Department of Justice ⋅ Office of Public Affairs\r\nForeign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses\r\nEgregor IcedID Maze Zeus 2024-02-15 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nZeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison\r\nEgregor IcedID Maze Zeus 2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein\r\nFollowing the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware\r\nAgent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer\r\n(PWS) Maze NetWire RC Remcos REvil TrickBot 2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team,\r\nMicrosoft Threat Intelligence Center (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi\r\nHelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker\r\nPhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT 2022-05-05 ⋅\r\nIntel 471 ⋅ Intel 471\r\nCybercrime loves company: Conti cooperated with other ransomware gangs\r\nLockBit Maze RagnarLocker Ryuk 2022-03-31 ⋅ Trellix ⋅ Jambul Tologonov, John Fokker\r\nConti Leaks: Examining the Panama Papers of Ransomware\r\nLockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot 2022-03-23 ⋅ splunk ⋅ Shannon\r\nDavis\r\nGone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk 2022-03-17 ⋅ Sophos ⋅ Tilly\r\nTravers\r\nThe Ransomware Threat Intelligence Center\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.maze\r\nPage 1 of 8\n\nATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry\r\nDharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker\r\nRagnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker 2022-02-23 ⋅ splunk ⋅ Shannon Davis,\r\nSURGe\r\nAn Empirically Comparative Analysis of Ransomware Binaries\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk 2022-02-09 ⋅ Bleeping Computer ⋅\r\nLawrence Abrams\r\nRansomware dev releases Egregor, Maze master decryption keys\r\nEgregor Maze Sekhmet 2022-02-09 ⋅ Security Affairs ⋅ Pierluigi Paganini\r\nMaster decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online\r\nEgregor m0yv Maze Sekhmet 2021-11-03 ⋅ CERT-FR ⋅ ANSSI\r\nIdentification of a new cybercriminal group: Lockean\r\nDoppelPaymer Egregor Maze PwndLocker REvil 2021-10-26 ⋅ ANSSI\r\nIdentification of a new cyber criminal group: Lockean\r\nCobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil 2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker 2021-08-10 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nCrytek confirms Egregor ransomware attack, customer data theft\r\nEgregor Maze 2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nRansomware Gangs and the Name Game Distraction\r\nDarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze\r\nRansomEXX REvil Ryuk Sekhmet 2021-07-09 ⋅ The Record ⋅ Catalin Cimpanu\r\nRansomwhere project wants to create a database of past ransomware payments\r\nEgregor Mailto Maze REvil 2021-07-01 ⋅ DomainTools ⋅ Chad Anderson\r\nThe Most Prolific Ransomware Families: A Defenders Guide\r\nREvil Conti Egregor Maze REvil 2021-06-16 ⋅ Proofpoint ⋅ Daniel Blackford, Garrett M. Graff, Selena Larson\r\nThe First Step: Initial Access Leads to Ransomware\r\nBazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577 2021-05-\r\n18 ⋅ The Record ⋅ Catalin Cimpanu\r\nDarkside gang estimated to have made over $90 million from ransomware attacks\r\nDarkSide DarkSide Mailto Maze REvil Ryuk 2021-05-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nDarkSide ransomware made $90 million in just nine months\r\nDarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk 2021-05-10 ⋅ DarkTracer ⋅ DarkTracer\r\nIntelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware\r\ngangs released on the DarkWeb\r\nRansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze\r\nMedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok\r\nRansomEXX REvil Sekhmet SunCrypt ThunderX 2021-05-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nData leak marketplaces aim to take over the extortion economy\r\nBabuk Maze 2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.maze\r\nPage 2 of 8\n\nRansomware: Hunting for Inhibiting System Backup or Recovery\r\nAvaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX\r\nREvil Ryuk Snatch ThunderX 2021-04-27 ⋅ CrowdStrike ⋅ Eben Kaplan, Josh Dalman, Kamil Janton\r\nRansomware Preparedness: A Call to Action\r\nDharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER 2021-04-07 ⋅ ANALYST1 ⋅ Jon\r\nDiMaggio\r\nRansom Mafia Analysis of the World's First Ransomware Cartel\r\nConti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER 2021-04-07 ⋅ ANALYST1 ⋅\r\nJon DiMaggio\r\nRansom Mafia - Analysis of the World's First Ransomware Cartel\r\nConti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER 2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅\r\nUnit42\r\nRansomware Threat Report 2021\r\nRansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker\r\n2021-03-02 ⋅ CERT-FR ⋅ CERT-FR\r\nThe Egregor Ransomware\r\nEgregor Maze Sekhmet 2021-03-01 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev\r\nRansomware Uncovered 2020/2021\r\nRansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot\r\nRansomEXX REvil Ryuk SDBbot TrickBot Zloader 2021-02-28 ⋅ PWC UK ⋅ PWC UK\r\nCyber Threats 2020: A Year in Retrospect\r\nelf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot\r\nBazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx\r\nFunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk\r\nStoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess\r\nWinnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception\r\nFramework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team 2021-02-25 ⋅ FireEye ⋅ Brendan\r\nMcKeague, Bryce Abdo, Van Ta\r\nSo Unchill: Melting UNC2198 ICEDID to Ransomware Operations\r\nMOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC 2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE\r\nCTIL Darknet Report – 2021\r\nConti Mailto Maze REvil Ryuk 2021-02-04 ⋅ Chainanalysis ⋅ Chainalysis Team\r\nBlockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains\r\nDoppelPaymer Egregor Maze SunCrypt 2021-01-01 ⋅ Talos ⋅ Talos Incident Response\r\nEvicting Maze\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.maze\r\nPage 3 of 8\n\nCobalt Strike Maze 2021-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nThreat Profile: GOLD VILLAGE\r\nMaze TA2101 2020-12-16 ⋅ Accenture ⋅ Paul Mansfield\r\nTracking and combatting an evolving danger: Ransomware extortion\r\nDarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt 2020-12-14 ⋅ Medium Killbit ⋅ killbit\r\nApplying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware\r\nMaze 2020-12-10 ⋅ US-CERT ⋅ FBI, MS-ISAC, US-CERT\r\nAlert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data\r\nPerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim\r\nREvil Ryuk Zeus 2020-12-09 ⋅ Cisco ⋅ Caitlin Huey, David Liebenberg\r\nQuarterly Report: Incident Response trends from Fall 2020\r\nCobalt Strike IcedID Maze RansomEXX Ryuk 2020-12-08 ⋅ Sophos ⋅ Anand Aijan, Bill Kearney, Gabor Szappanos, Mark\r\nLoman, Peter Mackenzie, Sean Gallagher, Sergio Bestulic, Syed Shahram\r\nEgregor ransomware: Maze’s heir apparent\r\nEgregor Maze 2020-12-07 ⋅ Minerva Labs ⋅ Tom Roter\r\nEgregor Ransomware - An In-Depth Analysis\r\nEgregor Maze Sekhmet 2020-12-01 ⋅ Trend Micro ⋅ Ryan Flores\r\nThe Impact of Modern Ransomware on Manufacturing Networks\r\nMaze Petya REvil 2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich\r\nZooming into Darknet Threats Targeting Japanese Organizations\r\nConti DoppelPaymer Egregor LockBit Maze REvil Snake 2020-11-16 ⋅ Intel 471 ⋅ Intel 471\r\nRansomware-as-a-service: The pandemic within a pandemic\r\nAvaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk\r\nSunCrypt ThunderX 2020-11-11 ⋅ Kaspersky Labs ⋅ Dmitry Bestuzhev, Fedor Sinitsyn\r\nTargeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”\r\nEgregor Maze RagnarLocker 2020-11-06 ⋅ Telsy ⋅ Telsy Research Team\r\nMalware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze\r\nMaze 2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nMaze ransomware is shutting down its cybercrime operation\r\nEgregor Maze 2020-10-28 ⋅ Bitdefender ⋅ Ruben Andrei Condor\r\nA Decade of WMI Abuse – an Overview of Techniques in Modern Malware\r\nsLoad Emotet Maze 2020-10-26 ⋅ Checkpoint ⋅ Eyal Itkin, Itay Cohen\r\nExploit Developer Spotlight: The Story of PlayBit\r\nDyre Maze PyLocky Ramnit REvil 2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab\r\nLeakware-Ransomware-Hybrid Attacks\r\nAvaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet\r\nSunCrypt 2020-10-21 ⋅ Kaspersky Labs ⋅ Fedor Sinitsyn, Nikita Galimov, Vladimir Kuskov\r\nLife of Maze ransomware\r\nMaze 2020-10-06 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team\r\nDouble Trouble: Ransomware with Data Leak Extortion, Part 2\r\nMaze MedusaLocker REvil VIKING SPIDER 2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich\r\nTo Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.maze\r\nPage 4 of 8\n\nConti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt 2020-09-29 ⋅ Microsoft ⋅ Microsoft\r\nMicrosoft Digital Defense Report\r\nEmotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot 2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team\r\nDouble Trouble: Ransomware with Data Leak Extortion, Part 1\r\nDoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker\r\nMIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER 2020-09-25 ⋅ StateScoop ⋅ Benjamin Freed\r\nBaltimore ransomware attack was early attempt at data extortion, new report shows\r\nMaze RobinHood OUTLAW SPIDER 2020-09-24 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nDouble Trouble: Ransomware with Data Leak Extortion, Part 1\r\nDoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER\r\nOVERLORD SPIDER 2020-09-22 ⋅ Sophos SecOps ⋅ Greg Iddon\r\nMTR Casebook: Blocking a $15 million Maze ransomware attack\r\nMaze 2020-09-17 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nMaze ransomware now encrypts via virtual machines to evade detection\r\nMaze 2020-09-17 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie\r\nMaze attackers adopt Ragnar Locker virtual machine technique\r\nMaze 2020-09-01 ⋅ Cisco Talos ⋅ Caitlin Huey, David Liebenberg\r\nQuarterly Report: Incident Response trends in Summer 2020\r\nCobalt Strike LockBit Mailto Maze Ryuk 2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich\r\nHow Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing\r\nAvaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil\r\nSekhmet 2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider\r\nGlobal Ransomware Attacks in 2020: The Top 4 Vulnerabilities\r\nClop Maze REvil Ryuk 2020-08-13 ⋅ SentinelOne ⋅ SentinelLabs\r\nCase Study: Catching a Human-Operated Maze Ransomware Attack In Action\r\nMaze 2020-08-04 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nRansomware gang publishes tens of GBs of internal data from LG and Xerox\r\nMaze 2020-08-01 ⋅ Temple University ⋅ CARE\r\nCritical Infrastructure Ransomware Attacks\r\nCryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor 2020-07-29 ⋅\r\nESET Research ⋅ welivesecurity\r\nTHREAT REPORT Q2 2020\r\nDEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB\r\nLocker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin\r\nNemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor 2020-07-22 ⋅ SentinelOne ⋅\r\nJason Reaves, Joshua Platt\r\nEnter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)\r\nISFB Maze TrickBot Zloader 2020-07-15 ⋅ Mandiant ⋅ Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska,\r\nNathan Brubaker\r\nFinancially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes\r\nUsed With Seven Malware Families\r\nClop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake 2020-06-18 ⋅ Quick Heal ⋅ Preksha Saxena\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.maze\r\nPage 5 of 8\n\nMaze ransomware continues to be a threat to the consumers\r\nMaze 2020-06-17 ⋅ Cognizant ⋅ Cognizant\r\nNotice of Data Breach\r\nMaze 2020-06-16 ⋅ BleepingComputer ⋅ Sergiu Gatlan\r\nChipmaker MaxLinear reports data breach after Maze Ransomware attack\r\nMaze 2020-06-04 ⋅ Sophos Naked Security ⋅ Lisa Vaas\r\nNuclear missile contractor hacked in Maze ransomware attack\r\nMaze 2020-05-21 ⋅ BrightTALK (FireEye) ⋅ Jeremy Kennelly, Kimberly Goody\r\nNavigating MAZE: Analysis of a Rising Ransomware Threat\r\nMaze 2020-05-12 ⋅ SophosLabs Uncut ⋅ Sophos\r\nMaze ransomware: extorting victims for 1 year and counting\r\nMaze 2020-05-07 ⋅ FireEye Inc ⋅ Jeremy Kennelly, Joshua Shilko, Kimberly Goody\r\nNavigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents\r\nMaze 2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja\r\nSodinokibi / REvil ransomware\r\nMaze MimiKatz REvil 2020-05-04 ⋅ Blueliv ⋅ Blueliv Team\r\nEscape from the Maze\r\nMaze 2020-05-01 ⋅ CrowdStrike ⋅ Shaun Hurley\r\nThe Many Paths Through Maze\r\nMaze 2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team\r\nRansomware groups continue to target healthcare, critical services; here’s how to reduce risk\r\nLockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood 2020-04-18 ⋅ Bleeping Computer ⋅\r\nLawrence Abrams\r\nIT services giant Cognizant suffers Maze Ransomware cyber attack\r\nMaze 2020-04-18 ⋅ Cognizant ⋅ Cognizant\r\nCognizant Security Incident Update\r\nMaze 2020-03-26 ⋅ McAfee ⋅ Alexandre Mundo\r\nRansomware Maze\r\nMaze 2020-03-26 ⋅ TechCrunch ⋅ Zack Whittaker\r\nCyber insurer Chubb had data stolen in Maze ransomware attack\r\nMaze 2020-03-25 ⋅ Bitdefender ⋅ Bitdefender Team\r\nA Technical Look into Maze Ransomware\r\nMaze 2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nThree More Ransomware Families Create Sites to Leak Stolen Data\r\nClop DoppelPaymer Maze Nefilim Nemty REvil 2020-03-12 ⋅ Cyberbit ⋅ Dor Neemani, Hod Gavriel, Omer Fishel\r\nLost in the Maze\r\nMaze 2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2020 CrowdStrike Global Threat Report\r\nMESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon\r\nSystem Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx\r\nGandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook\r\nBackdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.maze\r\nPage 6 of 8\n\nTerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40\r\nBlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group\r\nGOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER\r\nPINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY\r\nTIGER 2020-03-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nRansomware Attackers Use Your Cloud Backups Against You\r\nDoppelPaymer Maze 2020-02-20 ⋅ McAfee ⋅ Christiaan Beek, Darren Fitzpatrick, Eamonn Ryan\r\nCSI: Evidence Indicators for Targeted Ransomware Attacks – Part II\r\nCobalt Strike LockerGoga Maze MegaCortex 2020-01-30 ⋅ ⋅ ZATAZ ⋅ Damien Bancal\r\nCyber attaque à l’encontre des serveurs de Bouygues Construction\r\nMaze 2020-01-29 ⋅ ANSSI ⋅ ANSSI\r\nÉtat de la menace rançongiciel\r\nClop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam 2020-01-22 ⋅\r\nDeloitte ⋅ Deloitte\r\nProject Lurus\r\nMaze 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nGOLD VILLAGE\r\nMaze 2020-01-01 ⋅ Blackberry ⋅ Blackberry Research\r\nState of Ransomware\r\nMaze MedusaLocker Nefilim Phobos REvil Ryuk STOP 2019-12-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nMaze Ransomware Releases Files Stolen from City of Pensacola\r\nMaze 2019-12-18 ⋅ Github (albertzsigovits) ⋅ Albert Zsigovits\r\nMaze ransomware\r\nMaze 2019-12-17 ⋅ Cisco ⋅ Dave Liebenberg, JJ Cummings\r\nIncident Response lessons from recent Maze ransomware attacks\r\nMaze 2019-12-16 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nRansomware Gangs Now Outing Victim Businesses That Don’t Pay Up\r\nMaze 2019-12-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nMaze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand\r\nMaze 2019-11-21 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nAllied Universal Breached by Maze Ransomware, Stolen Data Leaked\r\nMaze 2019-11-14 ⋅ Proofpoint ⋅ Bryan Campbell, Proofpoint Threat Insight Team\r\nTA2101 plays government imposter to distribute malware to German, Italian, and US organizations\r\nMaze TA2101 2019-11-08 ⋅ Twitter (@certbund) ⋅ CERT-Bund\r\nTweet on Spam Mails containing MAZE\r\nMaze 2019-10-18 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nMaze Ransomware Now Delivered by Spelevo Exploit Kit\r\nMaze 2019-05-13 ⋅ ⋅ Amigo A\r\nChaCha Ransomware\r\nMaze 2019-01-01 ⋅ CrowdStrike ⋅ CrowdStrike\r\nTwisted Spider\r\nMaze TA2101\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.maze\r\nPage 7 of 8\n\n[TLP:WHITE] win_maze_auto (20251219 | Detects win.maze.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.maze\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.maze\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze" ], "report_names": [ "win.maze" ], "threat_actors": [ { "id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308", "created_at": "2022-10-25T15:50:23.320841Z", "updated_at": "2026-04-10T02:00:05.356444Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Gamaredon Group", "IRON TILDEN", "Primitive Bear", "ACTINIUM", "Armageddon", "Shuckworm", "DEV-0157", "Aqua Blizzard" ], "source_name": "MITRE:Gamaredon Group", "tools": [ "QuietSieve", "Pteranodon", "Remcos", "PowerPunch" ], "source_id": "MITRE", "reports": null }, { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "82b92285-4588-48c9-8578-bb39f903cf62", "created_at": "2022-10-25T15:50:23.850506Z", "updated_at": "2026-04-10T02:00:05.418577Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Charming Kitten" ], "source_name": "MITRE:Charming Kitten", "tools": [ "DownPaper" ], "source_id": "MITRE", "reports": null }, { "id": "e5a1096e-e481-4a8c-ae06-e3328276d935", "created_at": "2022-10-25T16:07:23.199712Z", "updated_at": "2026-04-10T02:00:04.485374Z", "deleted_at": null, "main_name": "Clockwork Spider", "aliases": [], "source_name": "ETDA:Clockwork Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d", "created_at": "2025-08-07T02:03:24.741594Z", "updated_at": "2026-04-10T02:00:03.653394Z", "deleted_at": null, "main_name": "COBALT HICKMAN", "aliases": [ "APT39 ", "Burgundy Sandstorm ", "Chafer ", "ITG07 ", "Remix Kitten " ], "source_name": "Secureworks:COBALT HICKMAN", "tools": [ "MechaFlounder", "Mimikatz", "Remexi", "TREKX" ], "source_id": "Secureworks", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c", "created_at": "2022-10-25T16:07:23.277763Z", "updated_at": "2026-04-10T02:00:04.514755Z", "deleted_at": null, "main_name": "Solar Spider", "aliases": [], "source_name": "ETDA:Solar Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "53201ab8-30d2-4722-816e-f914604e78df", "created_at": "2022-10-25T16:07:23.466825Z", "updated_at": "2026-04-10T02:00:04.620188Z", "deleted_at": null, "main_name": "Circus Spider", "aliases": [], "source_name": "ETDA:Circus Spider", "tools": [ "Koko Ransomware", "MailTo", "NetWalker" ], "source_id": "ETDA", "reports": null }, { "id": "56daf304-dd2c-4fa1-a01f-8c0a7e5e5c30", "created_at": "2022-10-25T16:07:23.586985Z", "updated_at": "2026-04-10T02:00:04.676803Z", "deleted_at": null, "main_name": "EmpireMonkey", "aliases": [ "Anthropoid Spider", "CobaltGoblin", "EmpireMonkey" ], "source_name": "ETDA:EmpireMonkey", "tools": [ "AKO Doxware", "AKO Ransomware", "MedusaLocker", "MedusaReborn" ], "source_id": "ETDA", "reports": null }, { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "539855ac-def3-46a0-a490-f33abde7976f", "created_at": "2025-08-07T02:03:24.802704Z", "updated_at": "2026-04-10T02:00:03.718613Z", "deleted_at": null, "main_name": "GOLD ANDREW", "aliases": [ "Smoky Spider " ], "source_name": "Secureworks:GOLD ANDREW", "tools": [ "Smoke Loader" ], "source_id": "Secureworks", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "cfdd35af-bd12-4c03-8737-08fca638346d", "created_at": "2022-10-25T16:07:24.165595Z", "updated_at": "2026-04-10T02:00:04.887031Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Cosmic Wolf", "Marbled Dust", "Silicon", "Teal Kurma", "UNC1326" ], "source_name": "ETDA:Sea Turtle", "tools": [ "Drupalgeddon" ], "source_id": "ETDA", "reports": null }, { "id": "20e4919f-4dd4-4464-932a-354ffa8038ee", "created_at": "2025-08-07T02:03:25.024225Z", "updated_at": "2026-04-10T02:00:03.673649Z", "deleted_at": null, "main_name": "GOLD VILLAGE", "aliases": [ "" ], "source_name": "Secureworks:GOLD VILLAGE", "tools": [ "Maze" ], "source_id": "Secureworks", "reports": null }, { "id": "8b7faa58-947b-4530-ab1f-250a0370aabf", "created_at": "2022-10-25T16:07:24.34248Z", "updated_at": "2026-04-10T02:00:04.945921Z", "deleted_at": null, "main_name": "Traveling Spider", "aliases": [ "Gold Mansard" ], "source_name": "ETDA:Traveling Spider", "tools": [ "7-Zip", "AdFind", "LaZagne", "MEGAsync", "Mimikatz", "Nefilim", "Nemty", "Nephilim", "Network Password Recovery", "PsExec", "smbtool" ], "source_id": "ETDA", "reports": null }, { "id": "88854a9f-641a-4412-89db-449b4d5cbc51", "created_at": "2022-10-25T16:07:23.963599Z", "updated_at": "2026-04-10T02:00:04.810023Z", "deleted_at": null, "main_name": "Operation HangOver", "aliases": [ "G0042", "Monsoon", "Operation HangOver", "Viceroy Tiger" ], "source_name": "ETDA:Operation HangOver", "tools": [ "AutoIt backdoor", "BADNEWS", "BackConfig", "JakyllHyde", "TINYTYPHON", "Unknown Logger", "WSCSPL" ], "source_id": "ETDA", "reports": null }, { "id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb", "created_at": "2022-10-25T16:07:24.380872Z", "updated_at": "2026-04-10T02:00:04.966462Z", "deleted_at": null, "main_name": "Viking Spider", "aliases": [], "source_name": "ETDA:Viking Spider", "tools": [ "Ragnar Locker", "RagnarLocker" ], "source_id": "ETDA", "reports": null }, { "id": "748eb9f3-ef15-4645-881b-b91681111812", "created_at": "2022-10-25T16:07:24.510024Z", "updated_at": "2026-04-10T02:00:05.016515Z", "deleted_at": null, "main_name": "Monty Spider", "aliases": [ "Gold Riverview" ], "source_name": "ETDA:Monty Spider", "tools": [ "Necurs", "nucurs" ], "source_id": "ETDA", "reports": null }, { "id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960", "created_at": "2022-10-25T16:07:24.077859Z", "updated_at": "2026-04-10T02:00:04.860725Z", "deleted_at": null, "main_name": "Promethium", "aliases": [ "APT-C-41", "G0056", "Magenta Dust", "Promethium", "StrongPity" ], "source_name": "ETDA:Promethium", "tools": [ "StrongPity", "StrongPity2", "StrongPity3", "Truvasys" ], "source_id": "ETDA", "reports": null }, { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "01d569b1-f089-4a8f-8396-85078b93da26", "created_at": "2023-01-06T13:46:38.411615Z", "updated_at": "2026-04-10T02:00:02.963422Z", "deleted_at": null, "main_name": "BuhTrap", "aliases": [], "source_name": "MISPGALAXY:BuhTrap", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6d1762e8-c48c-4fda-b4d1-ecb91179720e", "created_at": "2022-10-25T16:07:24.55351Z", "updated_at": "2026-04-10T02:00:05.031489Z", "deleted_at": null, "main_name": "Salty Spider", "aliases": [], "source_name": "ETDA:Salty Spider", "tools": [ "Kookoo", "Kukacka", "Kuku", "SalLoad", "SaliCode", "Sality" ], "source_id": "ETDA", "reports": null }, { "id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9", "created_at": "2022-10-25T16:07:24.57064Z", "updated_at": "2026-04-10T02:00:05.036609Z", "deleted_at": null, "main_name": "Smoky Spider", "aliases": [], "source_name": "ETDA:Smoky Spider", "tools": [ "Dofoil", "Oficla", "Sasfis", "Sharik", "Smoke Loader", "SmokeLoader" ], "source_id": "ETDA", "reports": null }, { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9", "created_at": "2022-10-25T16:07:24.557505Z", "updated_at": "2026-04-10T02:00:05.032451Z", "deleted_at": null, "main_name": "Scully Spider", "aliases": [ "Scully Spider", "TA547" ], "source_name": "ETDA:Scully Spider", "tools": [ "DanaBot", "Lumma Stealer", "LummaC2", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "Rhadamanthys", "Rhadamanthys Stealer", "Stealc" ], "source_id": "ETDA", "reports": null }, { "id": "b57a3b93-3a22-4889-af28-37cc53e824e7", "created_at": "2023-01-06T13:46:39.24034Z", "updated_at": "2026-04-10T02:00:03.256906Z", "deleted_at": null, "main_name": "MIMIC SPIDER", "aliases": [], "source_name": "MISPGALAXY:MIMIC SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0", "created_at": "2023-01-06T13:46:39.237624Z", "updated_at": "2026-04-10T02:00:03.255835Z", "deleted_at": null, "main_name": "OUTLAW SPIDER", "aliases": [], "source_name": "MISPGALAXY:OUTLAW SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788", "created_at": "2022-10-25T15:50:23.722608Z", "updated_at": "2026-04-10T02:00:05.397432Z", "deleted_at": null, "main_name": "Thrip", "aliases": [ "Thrip" ], "source_name": "MITRE:Thrip", "tools": [ "PsExec", "Mimikatz", "Catchamas" ], "source_id": "MITRE", "reports": null }, { "id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6", "created_at": "2022-10-25T15:50:23.777222Z", "updated_at": "2026-04-10T02:00:05.399303Z", "deleted_at": null, "main_name": "PROMETHIUM", "aliases": [ "PROMETHIUM", "StrongPity" ], "source_name": "MITRE:PROMETHIUM", "tools": [ "Truvasys", "StrongPity" ], "source_id": "MITRE", "reports": null }, { "id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd", "created_at": "2023-01-06T13:46:39.110148Z", "updated_at": "2026-04-10T02:00:03.216613Z", "deleted_at": null, "main_name": "NARWHAL SPIDER", "aliases": [ "GOLD ESSEX", "TA544", "Storm-0302" ], "source_name": "MISPGALAXY:NARWHAL SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9fe7fd84-e2b4-4db5-9c90-c4a5791d3f94", "created_at": "2023-01-06T13:46:38.904178Z", "updated_at": "2026-04-10T02:00:03.14055Z", "deleted_at": null, "main_name": "SALTY SPIDER", "aliases": [], "source_name": "MISPGALAXY:SALTY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7583fbd4-2bc9-458d-81da-50b27b84e136", "created_at": "2023-02-15T02:01:49.565258Z", "updated_at": "2026-04-10T02:00:03.349283Z", "deleted_at": null, "main_name": "TA575", "aliases": [], "source_name": "MISPGALAXY:TA575", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8610b0d9-a6af-4010-818f-28671efc5d5e", "created_at": "2023-01-06T13:46:38.897477Z", "updated_at": "2026-04-10T02:00:03.138459Z", "deleted_at": null, "main_name": "PINCHY SPIDER", "aliases": [], "source_name": "MISPGALAXY:PINCHY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c84bbd2e-003d-4c43-8a46-d777455db2c7", "created_at": "2022-10-25T15:50:23.701006Z", "updated_at": "2026-04-10T02:00:05.378962Z", "deleted_at": null, "main_name": "GOLD SOUTHFIELD", "aliases": [ "GOLD SOUTHFIELD", "Pinchy Spider" ], "source_name": "MITRE:GOLD SOUTHFIELD", "tools": [ "ConnectWise", "REvil" ], "source_id": "MITRE", "reports": null }, { "id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb", "created_at": "2022-10-25T16:07:23.427162Z", "updated_at": "2026-04-10T02:00:04.594113Z", "deleted_at": null, "main_name": "Buhtrap", "aliases": [ "Buhtrap", "Operation TwoBee", "Ratopak Spider", "UAC-0008" ], "source_name": "ETDA:Buhtrap", "tools": [ "AmmyyRAT", "Buhtrap", "CottonCastle", "FlawedAmmyy", "NSIS", "Niteris EK", "Nullsoft Scriptable Install System", "Ratopak" ], "source_id": "ETDA", "reports": null }, { "id": "dd08f179-5c65-4497-92ad-8ca0997e17e8", "created_at": "2023-01-06T13:46:39.113278Z", "updated_at": "2026-04-10T02:00:03.217613Z", "deleted_at": null, "main_name": "NOCTURNAL SPIDER", "aliases": [], "source_name": "MISPGALAXY:NOCTURNAL SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1c76f1b6-a05b-4dba-82ea-07011b47c6cd", "created_at": "2023-01-06T13:46:39.201507Z", "updated_at": "2026-04-10T02:00:03.244851Z", "deleted_at": null, "main_name": "TRAVELING SPIDER", "aliases": [], "source_name": "MISPGALAXY:TRAVELING SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998", "created_at": "2023-01-06T13:46:39.207556Z", "updated_at": "2026-04-10T02:00:03.246557Z", "deleted_at": null, "main_name": "RIDDLE SPIDER", "aliases": [], "source_name": "MISPGALAXY:RIDDLE SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e227b757-7032-4a99-b119-1bfda2ebd543", "created_at": "2023-01-06T13:46:39.21663Z", "updated_at": "2026-04-10T02:00:03.248543Z", "deleted_at": null, "main_name": "SOLAR SPIDER", "aliases": [], "source_name": "MISPGALAXY:SOLAR SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "373d61cc-32a0-4c0c-b48b-ff9e3f1357ac", "created_at": "2023-01-06T13:46:39.222456Z", "updated_at": "2026-04-10T02:00:03.250483Z", "deleted_at": null, "main_name": "CIRCUS SPIDER", "aliases": [], "source_name": "MISPGALAXY:CIRCUS SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "fdf30f70-537c-458d-82b2-54b4f09cea48", "created_at": "2023-01-06T13:46:39.119613Z", "updated_at": "2026-04-10T02:00:03.221272Z", "deleted_at": null, "main_name": "SMOKY SPIDER", "aliases": [], "source_name": "MISPGALAXY:SMOKY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "efa7c047-b61c-4598-96d5-e00d01dec96b", "created_at": "2022-10-25T16:07:23.404442Z", "updated_at": "2026-04-10T02:00:04.584239Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Canary Typhoon", "Circuit Panda", "Earth Hundun", "G0098", "Manga Taurus", "Operation PLEAD", "Operation Shrouded Crossbow", "Operation Waterbear", "Palmerworm", "Radio Panda", "Red Djinn", "T-APT-03", "TEMP.Overboard" ], "source_name": "ETDA:BlackTech", "tools": [ "BIFROST", "BUSYICE", "BendyBear", "Bluether", "CAPGELD", "DRIGO", "Deuterbear", "Flagpro", "GOODTIMES", "Gh0stTimes", "IconDown", "KIVARS", "LOLBAS", "LOLBins", "Linopid", "Living off the Land", "TSCookie", "Waterbear", "XBOW", "elf.bifrose" ], "source_id": "ETDA", "reports": null }, { "id": "a9db5b93-dd22-4e33-9012-3650745266ee", "created_at": "2023-01-06T13:46:39.234575Z", "updated_at": "2026-04-10T02:00:03.254853Z", "deleted_at": null, "main_name": "OVERLORD SPIDER", "aliases": [], "source_name": "MISPGALAXY:OVERLORD SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14", "created_at": "2022-10-25T16:07:23.649308Z", "updated_at": "2026-04-10T02:00:04.701157Z", "deleted_at": null, "main_name": "FunnyDream", "aliases": [ "Bronze Edgewood", "Red Hariasa", "TAG-16" ], "source_name": "ETDA:FunnyDream", "tools": [ "Chinoxy", "Filepak", "FilepakMonitor", "FunnyDream", "Keyrecord", "LOLBAS", "LOLBins", "Living off the Land", "Md_client", "PCShare", "ScreenCap", "TcpBridge", "Tcp_transfer", "ccf32" ], "source_id": "ETDA", "reports": null }, { "id": "58db0213-4872-41fe-8a76-a7014d816c73", "created_at": "2023-01-06T13:46:38.61757Z", "updated_at": "2026-04-10T02:00:03.040816Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "G0131", "PLA Unit 65017", "Earth Akhlut", "TAG-74", "CactusPete", "KARMA PANDA", "BRONZE HUNTLEY", "Red Beifang" ], "source_name": "MISPGALAXY:Tonto Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2646f776-792a-4498-967b-ec0d3498fdf1", "created_at": "2022-10-25T15:50:23.475784Z", "updated_at": "2026-04-10T02:00:05.269591Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Palmerworm" ], "source_name": "MITRE:BlackTech", "tools": [ "Kivars", "PsExec", "TSCookie", "Flagpro", "Waterbear" ], "source_id": "MITRE", "reports": null }, { "id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea", "created_at": "2023-01-06T13:46:38.745572Z", "updated_at": "2026-04-10T02:00:03.086207Z", "deleted_at": null, "main_name": "APT40", "aliases": [ "ATK29", "Red Ladon", "MUDCARP", "ISLANDDREAMS", "TEMP.Periscope", "KRYPTONITE PANDA", "G0065", "TA423", "ITG09", "Gingham Typhoon", "TEMP.Jumper", "BRONZE MOHAWK", "GADOLINIUM" ], "source_name": "MISPGALAXY:APT40", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784", "created_at": "2023-01-06T13:46:38.953463Z", "updated_at": "2026-04-10T02:00:03.159523Z", "deleted_at": null, "main_name": "APT31", "aliases": [ "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres", "Violet Typhoon", "TA412" ], "source_name": "MISPGALAXY:APT31", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e9f85280-337c-4321-b872-0919f8ef64a6", "created_at": "2022-10-25T16:07:24.261761Z", "updated_at": "2026-04-10T02:00:04.914455Z", "deleted_at": null, "main_name": "TA2101", "aliases": [ "Gold Village", "Maze Team", "TA2101", "Twisted Spider" ], "source_name": "ETDA:TA2101", "tools": [ "7-Zip", "Agentemis", "BokBot", "Buran", "ChaCha", "Cobalt Strike", "CobaltStrike", "Egregor", "IceID", "IcedID", "Mimikatz", "PsExec", "SharpHound", "VegaLocker", "WinSCP", "cobeacon", "nmap" ], "source_id": "ETDA", "reports": null }, { "id": "f2fa9952-301f-4376-ac69-743d6f2bec1e", "created_at": "2023-01-06T13:46:39.122721Z", "updated_at": "2026-04-10T02:00:03.22231Z", "deleted_at": null, "main_name": "VENOM SPIDER", "aliases": [ "badbullz", "badbullzvenom" ], "source_name": "MISPGALAXY:VENOM SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "da483338-e479-4d74-a6dd-1fb09343fd07", "created_at": "2022-10-25T15:50:23.698197Z", "updated_at": "2026-04-10T02:00:05.355597Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Tonto Team", "Earth Akhlut", "BRONZE HUNTLEY", "CactusPete", "Karma Panda" ], "source_name": "MITRE:Tonto Team", "tools": [ "Mimikatz", "Bisonal", "ShadowPad", "LaZagne", "NBTscan", "gsecdump" ], "source_id": "MITRE", "reports": null }, { "id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98", "created_at": "2022-10-25T15:50:23.538608Z", "updated_at": "2026-04-10T02:00:05.378092Z", "deleted_at": null, "main_name": "Lotus Blossom", "aliases": [ "Lotus Blossom", "DRAGONFISH", "Spring Dragon", "RADIUM", "Raspberry Typhoon", "Bilbug", "Thrip" ], "source_name": "MITRE:Lotus Blossom", "tools": [ "AdFind", "Impacket", "Elise", "Hannotog", "NBTscan", "Sagerunex", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb", "created_at": "2023-01-06T13:46:38.793461Z", "updated_at": "2026-04-10T02:00:03.102807Z", "deleted_at": null, "main_name": "Thrip", "aliases": [ "G0076", "ATK78" ], "source_name": "MISPGALAXY:Thrip", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "b4ec06e5-60c9-4796-9f85-129c77d1652b", "created_at": "2023-01-06T13:46:39.21956Z", "updated_at": "2026-04-10T02:00:03.249407Z", "deleted_at": null, "main_name": "VIKING SPIDER", "aliases": [], "source_name": "MISPGALAXY:VIKING SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d", "created_at": "2023-01-06T13:46:38.883911Z", "updated_at": "2026-04-10T02:00:03.132231Z", "deleted_at": null, "main_name": "APT39", "aliases": [ "COBALT HICKMAN", "G0087", "Radio Serpens", "TA454", "ITG07", "Burgundy Sandstorm", "REMIX KITTEN" ], "source_name": "MISPGALAXY:APT39", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "33ae2a40-02cd-4dba-8461-d0a50e75578b", "created_at": "2023-01-06T13:46:38.947314Z", "updated_at": "2026-04-10T02:00:03.155091Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "UNC1326", "COSMIC WOLF", "Marbled Dust", "SILICON", "Teal Kurma" ], "source_name": "MISPGALAXY:Sea Turtle", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9e6186dd-9334-4aac-9957-98f022cd3871", "created_at": "2022-10-25T15:50:23.357398Z", "updated_at": "2026-04-10T02:00:05.368552Z", "deleted_at": null, "main_name": "ZIRCONIUM", "aliases": [ "APT31", "Violet Typhoon" ], "source_name": "MITRE:ZIRCONIUM", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "3f53ecb7-e228-471d-8f85-0b2ba110ab4b", "created_at": "2023-01-06T13:46:39.181151Z", "updated_at": "2026-04-10T02:00:03.237995Z", "deleted_at": null, "main_name": "Red Charon", "aliases": [], "source_name": "MISPGALAXY:Red Charon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc", "created_at": "2023-01-06T13:46:38.354607Z", "updated_at": "2026-04-10T02:00:02.939761Z", "deleted_at": null, "main_name": "APT23", "aliases": [ "BRONZE HOBART", "G0081", "Red Orthrus", "Earth Centaur", "PIRATE PANDA", "KeyBoy", "Tropic Trooper" ], "source_name": "MISPGALAXY:APT23", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cc045f52-bbdb-4fcc-8fbf-a0d8a7c5e64f", "created_at": "2022-10-25T16:07:24.519535Z", "updated_at": "2026-04-10T02:00:05.019918Z", "deleted_at": null, "main_name": "Narwhal Spider", "aliases": [ "Gold Essex", "Storm-0302" ], "source_name": "ETDA:Narwhal Spider", "tools": [ "Cutwail", "Pushdo" ], "source_id": "ETDA", "reports": null }, { "id": "17d16126-35d7-4c59-88a5-0b48e755e80f", "created_at": "2025-08-07T02:03:24.622109Z", "updated_at": "2026-04-10T02:00:03.726126Z", "deleted_at": null, "main_name": "BRONZE HUNTLEY", "aliases": [ "CactusPete ", "Earth Akhlut ", "Karma Panda ", "Red Beifang", "Tonto Team" ], "source_name": "Secureworks:BRONZE HUNTLEY", "tools": [ "Bisonal", "RatN", "Royal Road", "ShadowPad" ], "source_id": "Secureworks", "reports": null }, { "id": "4660477f-333f-4a18-b49b-0b4d7c66d482", "created_at": "2023-01-06T13:46:38.511962Z", "updated_at": "2026-04-10T02:00:03.007466Z", "deleted_at": null, "main_name": "PROMETHIUM", "aliases": [ "StrongPity", "G0056" ], "source_name": "MISPGALAXY:PROMETHIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "d5156b55-5d7d-4fb2-836f-861d2e868147", "created_at": "2023-01-06T13:46:38.557326Z", "updated_at": "2026-04-10T02:00:03.023048Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "ACTINIUM", "DEV-0157", "Blue Otso", "G0047", "IRON TILDEN", "PRIMITIVE BEAR", "Shuckworm", "UAC-0010", "BlueAlpha", "Trident Ursa", "Winterflounder", "Aqua Blizzard", "Actinium" ], "source_name": "MISPGALAXY:Gamaredon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9df68733-9bcd-43b1-88f1-24b110fa3d56", "created_at": "2022-10-25T16:07:24.051993Z", "updated_at": "2026-04-10T02:00:04.851037Z", "deleted_at": null, "main_name": "Pinchy Spider", "aliases": [ "G0115", "Gold Garden", "Gold Southfield", "Pinchy Spider" ], "source_name": "ETDA:Pinchy Spider", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "GandCrab", "GrandCrab", "REvil", "Sodin", "Sodinokibi", "VIDAR", "Vidar Stealer", "certutil", "certutil.exe", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d", "created_at": "2022-10-25T16:07:23.42507Z", "updated_at": "2026-04-10T02:00:04.593122Z", "deleted_at": null, "main_name": "Bronze Starlight", "aliases": [ "Cinnamon Tempest", "DEV-0401", "HighGround", "Operation ChattyGoblin", "SLIME34" ], "source_name": "ETDA:Bronze Starlight", "tools": [ "Agent.dhwf", "Agentemis", "AtomSilo", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "HUI Loader", "Kaba", "Korplug", "LockFile", "Night Sky", "NightSky", "Pandora", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087", "created_at": "2024-06-19T02:03:08.067518Z", "updated_at": "2026-04-10T02:00:03.671628Z", "deleted_at": null, "main_name": "GOLD HERON", "aliases": [ "Doppel Spider " ], "source_name": "Secureworks:GOLD HERON", "tools": [ "Cobalt Strike", "DoppelPaymer", "Dridex", "Grief", "PowerShell Empire" ], "source_id": "Secureworks", "reports": null }, { "id": "b72c2616-cc7c-4c47-a83d-6b7866b94746", "created_at": "2023-01-06T13:46:39.425297Z", "updated_at": "2026-04-10T02:00:03.323082Z", "deleted_at": null, "main_name": "Red Nue", "aliases": [ "LuoYu" ], "source_name": "MISPGALAXY:Red Nue", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c69bcda3-0893-4ea1-9ec1-ae016332d283", "created_at": "2023-01-06T13:46:39.410593Z", "updated_at": "2026-04-10T02:00:03.317754Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "DEV-0401", "Cinnamon Tempest", "Emperor Dragonfly", "SLIME34" ], "source_name": "MISPGALAXY:BRONZE STARLIGHT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "75024aad-424b-449a-b286-352fe9226bcb", "created_at": "2023-01-06T13:46:38.962724Z", "updated_at": "2026-04-10T02:00:03.164536Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "CIRCUIT PANDA", "Temp.Overboard", "Palmerworm", "G0098", "T-APT-03", "Manga Taurus", "Earth Hundun", "Mobwork", "HUAPI", "Red Djinn", "Canary Typhoon" ], "source_name": "MISPGALAXY:BlackTech", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf", "created_at": "2024-01-18T02:02:34.189827Z", "updated_at": "2026-04-10T02:00:04.721082Z", "deleted_at": null, "main_name": "HomeLand Justice", "aliases": [ "Banished Kitten", "Karma", "Red Sandstorm", "Storm-0842", "Void Manticore" ], "source_name": "ETDA:HomeLand Justice", "tools": [ "BABYWIPER", "BiBi Wiper", "BiBi-Linux Wiper", "BiBi-Windows Wiper", "Cl Wiper", "LowEraser", "No-Justice Wiper", "Plink", "PuTTY Link", "RevSocks", "W2K Res Kit" ], "source_id": "ETDA", "reports": null }, { "id": "83025f5e-302e-46b0-baf6-650a4d313dfc", "created_at": "2024-05-01T02:03:07.971863Z", "updated_at": "2026-04-10T02:00:03.743131Z", "deleted_at": null, "main_name": "BRONZE MOHAWK", "aliases": [ "APT40 ", "GADOLINIUM ", "Gingham Typhoon ", "Kryptonite Panda ", "Leviathan ", "Nanhaishu ", "Pickleworm ", "Red Ladon ", "TA423 ", "Temp.Jumper ", "Temp.Periscope " ], "source_name": "Secureworks:BRONZE MOHAWK", "tools": [ "AIRBREAK", "BlackCoffee", "China Chopper", "Cobalt Strike", "DadJoke", "Donut", "FUSIONBLAZE", "GreenCrash", "Meterpreter", "Nanhaishu", "Orz", "SeDll" ], "source_id": "Secureworks", "reports": null }, { "id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a", "created_at": "2022-10-25T16:07:24.332084Z", "updated_at": "2026-04-10T02:00:04.940672Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Bronze Huntley", "CactusPete", "Earth Akhlut", "G0131", "HartBeat", "Karma Panda", "LoneRanger", "Operation Bitter Biscuit", "TAG-74", "Tonto Team" ], "source_name": "ETDA:Tonto Team", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Bioazih", "Bisonal", "CONIME", "Dexbia", "Korlia", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "956fc691-b6c6-4b09-b69d-8f007c189839", "created_at": "2025-08-07T02:03:24.860251Z", "updated_at": "2026-04-10T02:00:03.656547Z", "deleted_at": null, "main_name": "GOLD ESSEX", "aliases": [ "Narwhal Spider ", "Storm-0302 ", "TA544 " ], "source_name": "Secureworks:GOLD ESSEX", "tools": [ "Cutwail", "Pony", "Pushdo" ], "source_id": "Secureworks", "reports": null }, { "id": "5fba09c3-73cc-4898-9b82-e73b012016c6", "created_at": "2025-08-07T02:03:24.578591Z", "updated_at": "2026-04-10T02:00:03.767329Z", "deleted_at": null, "main_name": "BRONZE EDGEWOOD", "aliases": [ "Red Hariasa" ], "source_name": "Secureworks:BRONZE EDGEWOOD", "tools": [ "Chinoxy", "Cobalt Strike", "FunnyDream", "Md_client", "Nishang Post Exploitation Framework", "PCShare", "Zuguo" ], "source_id": "Secureworks", "reports": null }, { "id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b", "created_at": "2025-08-07T02:03:24.569066Z", "updated_at": "2026-04-10T02:00:03.730864Z", "deleted_at": null, "main_name": "BRONZE CANAL", "aliases": [ "BlackTech", "CTG-6177 ", "Circuit Panda ", "Earth Hundun", "Palmerworm ", "Red Djinn", "Shrouded Crossbow " ], "source_name": "Secureworks:BRONZE CANAL", "tools": [ "Bifrose", "DRIGO", "Deuterbear", "Flagpro", "Gh0stTimes", "KIVARS", "PLEAD", "Spiderpig", "Waterbear", "XBOW" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "62b1b01f-168d-42db-afa1-29d794abc25f", "created_at": "2025-04-23T02:00:55.22426Z", "updated_at": "2026-04-10T02:00:05.358041Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Sea Turtle", "Teal Kurma", "Marbled Dust", "Cosmic Wolf", "SILICON" ], "source_name": "MITRE:Sea Turtle", "tools": [ "SnappyTCP" ], "source_id": "MITRE", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cfdd350b-de30-4d29-bbee-28159f26c8c2", "created_at": "2023-01-06T13:46:38.433736Z", "updated_at": "2026-04-10T02:00:02.972971Z", "deleted_at": null, "main_name": "VICEROY TIGER", "aliases": [ "OPERATION HANGOVER", "Donot Team", "APT-C-35", "SectorE02", "Orange Kala" ], "source_name": "MISPGALAXY:VICEROY TIGER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4e2776db-982d-4c07-8dd5-3888242aa7bc", "created_at": "2023-01-06T13:46:38.437237Z", "updated_at": "2026-04-10T02:00:02.974399Z", "deleted_at": null, "main_name": "PIZZO SPIDER", "aliases": [ "DD4BC", "Ambiorx" ], "source_name": "MISPGALAXY:PIZZO SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67", "created_at": "2023-01-06T13:46:39.116254Z", "updated_at": "2026-04-10T02:00:03.218594Z", "deleted_at": null, "main_name": "SCULLY SPIDER", "aliases": [], "source_name": "MISPGALAXY:SCULLY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "96d5b301-0872-444c-ba32-eecf7a9241c0", "created_at": "2023-02-15T02:01:49.560566Z", "updated_at": "2026-04-10T02:00:03.347926Z", "deleted_at": null, "main_name": "TA570", "aliases": [ "DEV-0450" ], "source_name": "MISPGALAXY:TA570", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b4f83fef-38ee-4228-9d27-dde8afece1cb", "created_at": "2023-02-15T02:01:49.569611Z", "updated_at": "2026-04-10T02:00:03.351659Z", "deleted_at": null, "main_name": "TA577", "aliases": [ "Hive0118" ], "source_name": "MISPGALAXY:TA577", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86182dd7-646c-49c5-91a6-4b62fd2119a7", "created_at": "2025-08-07T02:03:24.617638Z", "updated_at": "2026-04-10T02:00:03.738499Z", "deleted_at": null, "main_name": "BRONZE HOBART", "aliases": [ "APT23", "Earth Centaur ", "KeyBoy ", "Pirate Panda ", "Red Orthrus ", "TA413 ", "Tropic Trooper " ], "source_name": "Secureworks:BRONZE HOBART", "tools": [ "Crowdoor", "DSNGInstaller", "KeyBoy", "LOWZERO", "Mofu", "Pfine", "Sepulcher", "Xiangoop Loader", "Yahaoyah" ], "source_id": "Secureworks", "reports": null }, { "id": "22d450bb-fc7a-42af-9430-08887f0abf9f", "created_at": "2024-11-01T02:00:52.560354Z", "updated_at": "2026-04-10T02:00:05.276856Z", "deleted_at": null, "main_name": "TA577", "aliases": [ "TA577" ], "source_name": "MITRE:TA577", "tools": [ "Pikabot", "QakBot", "Latrodectus" ], "source_id": "MITRE", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a", "created_at": "2022-10-25T15:50:23.481057Z", "updated_at": "2026-04-10T02:00:05.306469Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope", "Gingham Typhoon" ], "source_name": "MITRE:Leviathan", "tools": [ "Windows Credential Editor", "BITSAdmin", "HOMEFRY", "Derusbi", "at", "BLACKCOFFEE", "BADFLICK", "gh0st RAT", "PowerSploit", "MURKYTOP", "NanHaiShu", "Orz", "Cobalt Strike", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null }, { "id": "c240435e-8863-4e5b-9f47-20c6f5c52131", "created_at": "2022-10-25T16:07:23.253019Z", "updated_at": "2026-04-10T02:00:04.505012Z", "deleted_at": null, "main_name": "Outlaw Spider", "aliases": [], "source_name": "ETDA:Outlaw Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "9639c065-3fa6-432f-9cbd-5708500c4eaa", "created_at": "2022-10-25T16:07:23.255684Z", "updated_at": "2026-04-10T02:00:04.506059Z", "deleted_at": null, "main_name": "Overlord Spider", "aliases": [ "The Dark Overlord" ], "source_name": "ETDA:Overlord Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8", "created_at": "2023-01-06T13:46:39.071873Z", "updated_at": "2026-04-10T02:00:03.203749Z", "deleted_at": null, "main_name": "TA2101", "aliases": [ "GOLD VILLAGE", "Storm-0216", "DEV-0216", "UNC2198", "TUNNEL SPIDER", "Maze Team", "TWISTED SPIDER" ], "source_name": "MISPGALAXY:TA2101", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null }, { "id": "186f3cc2-500c-4233-b688-8b6d6e08e2a3", "created_at": "2023-01-06T13:46:39.098169Z", "updated_at": "2026-04-10T02:00:03.212492Z", "deleted_at": null, "main_name": "ANTHROPOID SPIDER", "aliases": [ "Empire Monkey", "CobaltGoblin" ], "source_name": "MISPGALAXY:ANTHROPOID SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "28a272c4-098b-4d1b-9115-c7ff8decab7c", "created_at": "2023-01-06T13:46:39.101189Z", "updated_at": "2026-04-10T02:00:03.21354Z", "deleted_at": null, "main_name": "CLOCKWORK SPIDER", "aliases": [], "source_name": "MISPGALAXY:CLOCKWORK SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a0d0e1ef-3562-40a8-a021-321db92644d9", "created_at": "2023-01-06T13:46:39.104046Z", "updated_at": "2026-04-10T02:00:03.2146Z", "deleted_at": null, "main_name": "DOPPEL SPIDER", "aliases": [ "GOLD HERON" ], "source_name": "MISPGALAXY:DOPPEL SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a15363f3-ec73-4a94-a94c-60ffb4925a40", "created_at": "2023-01-06T13:46:39.10693Z", "updated_at": "2026-04-10T02:00:03.215548Z", "deleted_at": null, "main_name": "MONTY SPIDER", "aliases": [ "Spandex Tempest" ], "source_name": "MISPGALAXY:MONTY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d555c5da-abe4-42aa-a8cf-77b68905891a", "created_at": "2022-10-25T16:07:23.548385Z", "updated_at": "2026-04-10T02:00:04.65211Z", "deleted_at": null, "main_name": "Doppel Spider", "aliases": [ "Gold Heron", "Grief Group" ], "source_name": "ETDA:Doppel Spider", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "DoppelPaymer", "Pay OR Grief", "Pay or Grief", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null }, { "id": "eaa8168f-3fab-4831-aa60-5956f673e6b3", "created_at": "2022-10-25T16:07:23.805824Z", "updated_at": "2026-04-10T02:00:04.754761Z", "deleted_at": null, "main_name": "Lotus Blossom", "aliases": [ "ATK 1", "ATK 78", "Billbug", "Bronze Elgin", "CTG-8171", "Dragonfish", "G0030", "G0076", "Lotus Blossom", "Operation Lotus Blossom", "Red Salamander", "Spring Dragon", "Thrip" ], "source_name": "ETDA:Lotus Blossom", "tools": [ "BKDR_ESILE", "Catchamas", "EVILNEST", "Elise", "Group Policy Results Tool", "Hannotog", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "PsExec", "Rikamanu", "Sagerunex", "Spedear", "Syndicasec", "WMI Ghost", "Wimmie", "gpresult" ], "source_id": "ETDA", "reports": null }, { "id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea", "created_at": "2023-01-06T13:46:39.444946Z", "updated_at": "2026-04-10T02:00:03.331753Z", "deleted_at": null, "main_name": "GOBLIN PANDA", "aliases": [ "Conimes", "Cycldek" ], "source_name": "MISPGALAXY:GOBLIN PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f72bb9d8-ff75-444f-8fb7-1e8e113cef73", "created_at": "2023-01-06T13:46:39.401929Z", "updated_at": "2026-04-10T02:00:03.314524Z", "deleted_at": null, "main_name": "BRONZE EDGEWOOD", "aliases": [ "Red Hariasa" ], "source_name": "MISPGALAXY:BRONZE EDGEWOOD", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "6b6155e4-94ec-4909-b908-550afe758ad6", "created_at": "2022-10-25T15:50:23.365074Z", "updated_at": "2026-04-10T02:00:05.2978Z", "deleted_at": null, "main_name": "APT39", "aliases": [ "APT39", "ITG07", "Remix Kitten" ], "source_name": "MITRE:APT39", "tools": [ "NBTscan", "MechaFlounder", "Remexi", "CrackMapExec", "pwdump", "Mimikatz", "Windows Credential Editor", "Cadelspy", "PsExec", "ASPXSpy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c", "created_at": "2022-10-25T16:07:24.12696Z", "updated_at": "2026-04-10T02:00:04.875073Z", "deleted_at": null, "main_name": "Riddle Spider", "aliases": [ "Avaddon Team" ], "source_name": "ETDA:Riddle Spider", "tools": [ "Avaddon" ], "source_id": "ETDA", "reports": null }, { "id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8", "created_at": "2025-08-07T02:03:24.674685Z", "updated_at": "2026-04-10T02:00:03.800936Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "Cinnamon Tempest ", "DEV-0401 ", "Emperor Dragonfly " ], "source_name": "Secureworks:BRONZE STARLIGHT", "tools": [ "AtomSilo", "Cobalt Strike", "HUI Loader", "Impacket", "LockFile", "NightSky", "Pandora", "PlugX", "Rook" ], "source_id": "Secureworks", "reports": null }, { "id": "74d9dada-0106-414a-8bb9-b0d527db7756", "created_at": "2025-08-07T02:03:24.69718Z", "updated_at": "2026-04-10T02:00:03.733346Z", "deleted_at": null, "main_name": "BRONZE VINEWOOD", "aliases": [ "APT31 ", "BRONZE EXPRESS ", "Judgment Panda ", "Red Keres", "TA412", "VINEWOOD ", "Violet Typhoon ", "ZIRCONIUM " ], "source_name": "Secureworks:BRONZE VINEWOOD", "tools": [ "DropboxAES RAT", "HanaLoader", "Metasploit", "Mimikatz", "Reverse ICMP shell", "Trochilus" ], "source_id": "Secureworks", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "7a257844-df90-4bd4-b0f1-77d00ff82802", "created_at": "2022-10-25T16:07:24.376356Z", "updated_at": "2026-04-10T02:00:04.964565Z", "deleted_at": null, "main_name": "Venom Spider", "aliases": [ "Golden Chickens", "TA4557", "Venom Spider" ], "source_name": "ETDA:Venom Spider", "tools": [ "More_eggs", "PureLocker", "SONE", "SpicyOmelette", "StealerOne", "Taurus Builder", "Taurus Builder Kit", "Taurus Loader", "Taurus Loader Reconnaissance Module", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraCrypt", "TerraLogger", "TerraPreter", "TerraRecon", "TerraStealer", "TerraTV", "TerraWiper", "ThreatKit", "VenomKit", "VenomLNK", "lite_more_eggs" ], "source_id": "ETDA", "reports": null }, { "id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef", "created_at": "2022-10-25T16:07:23.455744Z", "updated_at": "2026-04-10T02:00:04.61281Z", "deleted_at": null, "main_name": "Chimera", "aliases": [ "Bronze Vapor", "G0114", "Nuclear Taurus", "Operation Skeleton Key", "Red Charon", "THORIUM", "Tumbleweed Typhoon" ], "source_name": "ETDA:Chimera", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "SkeletonKeyInjector", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "236a8303-bf12-4787-b6d0-549b44271a19", "created_at": "2024-06-04T02:03:07.966137Z", "updated_at": "2026-04-10T02:00:03.706923Z", "deleted_at": null, "main_name": "IRON TILDEN", "aliases": [ "ACTINIUM ", "Aqua Blizzard ", "Armageddon", "Blue Otso ", "BlueAlpha ", "Dancing Salome ", "Gamaredon", "Gamaredon Group", "Hive0051 ", "Primitive Bear ", "Shuckworm ", "Trident Ursa ", "UAC-0010 ", "UNC530 ", "WinterFlounder " ], "source_name": "Secureworks:IRON TILDEN", "tools": [ "Pterodo" ], "source_id": "Secureworks", "reports": null }, { "id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39", "created_at": "2022-10-25T16:07:23.690871Z", "updated_at": "2026-04-10T02:00:04.709966Z", "deleted_at": null, "main_name": "Goblin Panda", "aliases": [ "1937CN", "Conimes", "Cycldek", "Goblin Panda" ], "source_name": "ETDA:Goblin Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "BackDoor-FBZT!52D84425CDF2", "BlueCore", "BrowsingHistoryView", "ChromePass", "CoreLoader", "Custom HDoor", "Destroy RAT", "DestroyRAT", "DropPhone", "FoundCore", "HDoor", "HTTPTunnel", "JsonCookies", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "NBTscan", "NewCore RAT", "PlugX", "ProcDump", "PsExec", "QCRat", "RainyDay", "RedCore", "RedDelta", "RoyalRoad", "Sisfader", "Sisfader RAT", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Win32.Staser.ytq", "USBCulprit", "Win32/Zegost.BW", "Xamtrav", "ZeGhost", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "81e29474-63ad-4ce8-97db-b1712d5481d5", "created_at": "2024-04-24T02:00:49.570158Z", "updated_at": "2026-04-10T02:00:05.285111Z", "deleted_at": null, "main_name": "Cinnamon Tempest", "aliases": [ "Cinnamon Tempest", "DEV-0401", "Emperor Dragonfly", "BRONZE STARLIGHT" ], "source_name": "MITRE:Cinnamon Tempest", "tools": [ "Pandora", "PlugX", "Cheerscrypt", "Impacket", "Cobalt Strike", "HUI Loader", "Rclone" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434129, "ts_updated_at": 1775792271, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d87e8ac4e34f7df013e145848843f9a1c82c317d.pdf", "text": "https://archive.orkl.eu/d87e8ac4e34f7df013e145848843f9a1c82c317d.txt", "img": "https://archive.orkl.eu/d87e8ac4e34f7df013e145848843f9a1c82c317d.jpg" } }