{
	"id": "3e6dc465-4274-417a-91b1-b308243f05cd",
	"created_at": "2026-04-06T00:12:21.968078Z",
	"updated_at": "2026-04-10T03:35:48.479388Z",
	"deleted_at": null,
	"sha1_hash": "da543a6b0f68bf6a6de7ec5bf2c919d3662e5ef2",
	"title": "Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2585584,
	"plain_text": "Sanctions Be Damned | From Dridex to Macaw, The Evolution of\r\nEvil Corp\r\nBy Antonio Pirozzi\r\nPublished: 2022-02-23 · Archived: 2026-04-05 12:55:22 UTC\r\nBy Antonio Pirozzi, Antonis Terefos and Idan Weizman\r\nExecutive Summary\r\nSince OFAC sanctions in 2020, the global intelligence community has been split into different camps as to\r\nhow Evil Corp is operating.\r\nSentinelLabs assesses with high confidence that WastedLocker, Hades, Phoenix Locker, PayloadBIN\r\nbelong to the same cluster. There are strong overlaps in terms of code similarities, packers, TTPs and\r\nconfigurations.\r\nSentinelLabs assesses with high confidence that the Macaw ransomware variant is derived from the same\r\ncodebase as Hades.\r\nOur analysis indicates that Evil Corp became a customer of the CryptOne packer-as-a-service from March\r\n2020. We created a static unpacker, de-CryptOne for CryptOne and identified different versions of this\r\ncryptor which have never previously been reported.\r\nRead the Full Report\r\nIntroduction\r\nEvil Corp (EC) is an advanced cybercrime operations cluster originating from Russia that has been active since\r\n2007. The UK National Crime Agency called it “the world’s most harmful cyber crime group.” In December 2019,\r\nthe U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued a sanction against 17 individuals\r\nand seven entities related to EC cyber operations for causing financial losses of more than 100 million dollars with\r\nDridex.\r\nAfter the indictments, the global intelligence community was split into different camps as to how Evil Corp was\r\noperating. Some assessed that there was a voluntary transition of EC operations to another ‘trusted’ partner while\r\nthe core group remained the controller of operations. Some had theories that Evil Corp had stopped operating and\r\nthat another advanced actor operated Hades, trying to mimic the same modus operandi as Evil Corp to mislead\r\nattribution. 
Others claimed possible attribution to the HAFNIUM activity cluster.\r\nSentinelLabs has conducted an in-depth review and technical analysis of Evil Corp activity, malware and TTPs.\r\nOur full report has a number of important findings for the research community. We relied heavily on our analysis\r\nof a crypter tool dubbed “CryptOne”, which supports our wider clustering of Evil Corp activity. Our research also\r\nargues that the original operators continue to be active despite the sanctions, continuously changing their TTPs in\r\norder to stay under the radar.\r\nhttps://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/\r\nPage 1 of 11\n\nIn this post, we summarize some key observations from our technical analysis on the evolution of Evil Corp from\r\nDridex through to Macaw Locker and, for the first time, publicly describe CryptOne and the role it plays in Evil\r\nCorp malware development. For the full technical analysis, comprehensive IOCs and YARA hunting rules, please\r\nsee the full report.\r\nOverview of Recent Evil Corp Activity\r\nAfter the OFAC indictment, we witnessed a change in Evil Corp TTPs: from 2020, they started to frequently\r\nchange their payload signatures, using different exploitation tools and methods of initial access. They switched\r\nfrom Dridex to the SocGholish framework to confuse attribution and distance themselves from both Dridex and\r\nBitpaymer, which fell within the scope of the sanctions. During this period, they started relying more heavily on\r\nCobalt Strike to gain an initial foothold and perform lateral movement, rather than PowerShell Empire.\r\nIn May 2020, a new ransomware variant appeared in the wild dubbed WastedLocker. WastedLocker (S0612)\r\nemployed techniques to obfuscate its code and perform tasks similar to those already seen in BitPaymer and\r\nDridex. 
Those similarities allowed the threat intelligence community to identify the connections between the\r\nmalware families.\r\nIn December 2020, a new ransomware variant named Hades was first seen in the wild and publicly reported.\r\nHades is a 64-bit compiled version of WastedLocker that displays important code and functionality overlaps. A\r\nfew months later, in March 2021, a new variant, Phoenix Locker, appeared in the wild. Our analysis suggests this is\r\na rebranded version of Hades with little to no changes. Later, a new variant named PayloadBIN appeared in the\r\nwild, a continuation from Phoenix Locker.\r\nA Unique Cluster: BitPaymer, WastedLocker, Hades, Phoenix Locker, PayloadBIN\r\nFrom our analysis, we discovered evidence of code overlaps, as well as shared configurations, packers and TTPs,\r\nleading us to assess with high confidence that Bitpaymer, WastedLocker, Hades, PhoenixLocker and PayloadBIN\r\nshare a common codebase. Our full report goes into the evidence in fine detail. The following section presents a\r\nbrief summary.\r\nFrom BitPaymer to WastedLocker\r\nPrevious research shows a sort of knowledge reuse between BitPaymer and WastedLocker. SentinelLabs analysis\r\nshows that Hades and WastedLocker share the same codebase.\r\nAmong other similarities, detailed in the full report, we observe that the RSA functions – responsible for\r\nasymmetrically encrypting the keys which were used in the AES phase to encrypt files – are identical in both\r\nransomware variants, hinting that the same utility library was used.\r\nFrom WastedLocker to Hades\r\nPrevious research assessed the main similarities and differences between the two ransomware families.\r\nSentinelLabs analysis shows that Hades and WastedLocker share the same codebase.\r\nAgain we see the same RSA functions in both families. 
Both also implement file and directory enumeration logic\r\nidentically. Comparing the logic and the Control Flow Graph of both routines, we conclude that both ransomware\r\nfamilies use the same code for file and directory enumeration. We also found similarities between the functions responsible\r\nfor drive enumeration.\r\nFrom Hades to Phoenix Locker\r\nIn the samples we analyzed, we discovered that Phoenix Locker was a reused and newly-packed Hades payload.\r\nHades and Phoenix samples were compiled at the same time. We confirmed that they reused a ‘clean’ Hades\r\nversion each time, statically introducing junk code with the help of a script in order to alter the signature. The\r\ncompiler and linker versions are also the same. This technique of payload reuse was also seen in BitPaymer in\r\norder to make the ransomware polymorphic and more evasive.\r\nFrom Phoenix Locker to PayloadBIN\r\nWe observed that the majority of PayloadBIN functions overlap with PhoenixLocker. File enumerating functions\r\nare practically identical.\r\nWe conducted further similarity analysis by analyzing the TTPs of the different variants. We did this by extracting\r\nthe main command lines from all the ransomware variants and comparing them. 
We identified two distinct clusters.\r\nFrom Hades onwards, we found a unique self-delete implementation including the waitfor command.\r\ncmd /c waitfor /t 10 pause /d y \u0026 attrib -h \"C:\\Users\\Admin\\AppData\\Roaming\\CenterLibrary\\Tip\" \u0026 del\r\nThis command is not present in WastedLocker, where the choice command is used instead:\r\ncmd /c choice /t 10 /d y \u0026 attrib -h \"C:\\Users\\Admin\\AppData\\Roaming\\Wmi\" \u0026 del \"C:\\Users\\Admin\\AppDa\r\nWhilst the syntax difference may seem significant, these two implementations are very similar: the\r\nlogic is the same, only the signature changes.\r\nAll the ransomware variants have the same implementation of shadow copy deletion:\r\nC:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet\r\nThe evidence of this code reuse supports the assessment that it is almost certain these ransomware families are\r\nrelated to the same ‘factory’.\r\nAnalysis of the Cypherpunk Variant\r\nA new, possibly experimental, variant dubbed “Cypherpunk” – first reported in June 2021 – was analyzed and\r\nlinked to the same lineage.\r\nC:\\Users\\Lucas\\Documents\\OneNote Notebooks\\Personal\\General.one.cypherpunk\r\nC:\\Users\\Lucas\\Documents\\OneNote Notebooks\\Personal\\CONTACT-TO-DECRYPT.txt\r\nC:\\Users\\Lucas\\Documents\\awards.xls.cypherpunk\r\nC:\\Users\\Lucas\\Desktop\\ZoneMap.dwf.cypherpunk\r\nC:\\Users\\Administrator\\Searches\\Everywhere.search-ms.cypherpunk\r\nC:\\Users\\Lucas\\Desktop\\th (2).jpg.cypherpunk\r\nC:\\Users\\Lucas\\Documents\\pexels-photo-46710.jpeg.cypherpunk\r\nC:\\Users\\Lucas\\Desktop\\ppt_ch10.ppt.cypherpunk\r\nC:\\Users\\Lucas\\Desktop\\WEF_Future_of_Jobs.pdf.cypherpunk\r\nCode similarity analysis shows that the Cypherpunk version (SHA1\r\ne8d485259e64fd375e03844c03775eda40862e1c) is the same as the previous PayloadBIN variant. 
It was compiled\r\non 2021-04-01 17:15:24, 20 days after the PayloadBIN sample. It is possible that this is another attempt at\r\nrebranding. Although this variant was reported, it was improperly flagged as Hades.\r\nSentinelLabs assesses that this new finding is likely an indication that Evil Corp is still working on updating their\r\ntradecraft in order to change their signature and stay under the radar.\r\nEvil Corp Pivots to Macaw Locker Ransomware\r\nIn October 2021, a new ransomware variant named ‘Macaw Locker’ appeared in the wild, in an attack that began\r\non October 10th against Olympus. A few days later Sinclair Broadcast Group was also attacked, causing\r\nwidespread disruption. Some researchers claimed a possible connection with WastedLocker, but to date no further\r\ndetails have emerged.\r\nMacaw ransom note\r\nThe ransomware presents anti-analysis features like API hashing and indirect API calls with the intention of\r\nevading analysis. One aspect that immediately sets Macaw apart is that it requires a custom token, provided from\r\nthe command line, which appears to be specific to each victim; without it, the ransomware won’t execute.\r\nmacaw_sample.exe -k\r\nThe use of a custom token is also seen in the Egregor and BlackCat ransomware families, and is a technique used to\r\naid anti-analysis (T1497.002).\r\nAnother new addition to Macaw is a special function that acquires the imports for APIs at runtime, instead of\r\nwhen the executable is started via the PE import section. Below, we can see the function that is used before each\r\nAPI call to get its address prior to the call itself.\r\nMacaw function to dynamically fetch addresses\r\nThe function gets a 32-bit value that uniquely represents the required API and searches for it through a data\r\nstructure created beforehand. 
The data structure can be described as an array with small binary search trees in each\r\nof its entries.\r\nWe assessed the similarity of two core functions between Hades and Macaw. In both strains, the implementation is\r\nthe same. The only minor differences are from the imports fetched at runtime.\r\nCryptOne: One Packer To Rule Them All\r\nCryptOne (also known as HellowinPacker) was a special packer used by Evil Corp up until mid-2021.\r\nCryptOne appears to have first been noticed in 2015. Early versions were used by an assortment of different\r\nmalware families such as NetWalker, Gozi, Dridex, Hancitor and Zloader. In 2019, Bromium analyzed and\r\nreported it as in use by Emotet. In June 2020, NCC Group reported that CryptOne was used to pack\r\nWastedLocker. In 2021, researchers observed CryptOne being advertised as a Packer-as-a-Service on various\r\ncrime-oriented forums.\r\nCryptOne has the following characteristics and features:\r\nSandbox evasion with the GetInputState() or GetKeyState() API;\r\nAnti-emulation with the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces;\r\nCode-flow obfuscation.\r\nWe created a static unpacker, de-CryptOne, which unpacks both x86 and x64 samples. It outputs two files:\r\n1. the shellcode responsible for unpacking\r\n2. the unpacked sample.\r\nWe collected CryptOne packed samples, and with the use of the above tool, unpacked and categorized them at\r\nscale.\r\nUnpacking CryptOne\r\nThe CryptOne unpacking method consists of two stages:\r\n1. Decrypts and executes embedded shellcode.\r\n2. 
Shellcode decrypts and executes embedded executables.\r\nCryptOne gets chunks of the encrypted data, which are separated by junk.\r\nCryptOne junk data\r\nExample Memory Dump:\r\n0x5EE00, Encrypted size\r\n0x4011CA, Address of encrypted data\r\n0x4D/”M”, Junk data\r\n0x14, Junk size\r\n0x7A, Chunk Size\r\nAfter removal of the junk data, the decryption starts with a simple XOR-Key which increases by 0x4 in each\r\nround. The initial XOR-Key is 0xA113.\r\nCryptOne XOR Key\r\nOnce the shellcode is decrypted, we can partially observe the string “This program cannot be run in DOS mode”,\r\nindicating that this data contains an executable which requires a second decryption.\r\nCryptOne partially decrypted shellcode\r\nSimilar to the previous decryption, this time the shellcode decrypts the embedded binary.\r\nFastcall Shellcode XOR\r\nThe shellcode allocates and copies the encrypted executable and starts the decryption loop; once it finishes, it\r\njumps to the EntryPoint and executes the unpacked sample.\r\nCryptOne executing the unpacked sample\r\nAt this stage we can observe strings related to the unpacked sample.\r\nCryptOne embedded strings after unpacking\r\nA Unique Factory\r\nHunting for CryptOne led us to identify different implementations of the stub, some of which have never been\r\nreported previously. 
Each version is identified by a certain signature, listed below:\r\n111111111\\\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}\r\n1nterfacE\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\n444erfacE\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\n555erfacE\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\n5nterfacE\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\n987erfacE\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\nInterfac4\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\nInterfacE\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\naaaerfacE\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\ninterfacE\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\nrrrerfacE\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\nThe first part of the string is composed of a custom string (111111111, 1nterfacE, 444erfacE,…) which is replaced\r\nat runtime by the ‘interface’ keyword, creating the following registry key:\r\nHKEY_CLASSES_ROOT\\interface\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\nThe registry keys are related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces\r\nrespectively.\r\nOnce executed, the cryptor checks for the presence of those keys before loading the next stage payload. If it does\r\nnot find the keys, then the malware goes into an endless loop without doing anything as an anti-emulation\r\ntechnique. 
This works because some emulators do not implement the full Windows registry.\r\nIn reviewing two different versions of CryptOne:\r\naaerfacE\\\\{b196b287-bab4-101a-b69c-00aa00341d07}\r\n111111111\\\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}\r\nwe noticed that in order to update the signature, the actor needs to re-compile the cryptor, as the cryptor\r\nimplementation changes.\r\nCryptOne Timeline\r\nOur analysis shows that it is likely Evil Corp started being a customer of the CryptOne service from March 2020.\r\nFrom March to May 2020 we found WastedLocker, gozi_rm3 (version:3.00 build:854) and Dridex (10121)\r\nsamples were all packed and compiled in the same timeframe using the same CryptOne stub signature (InterfacE).\r\nFor a limited period of time between May 2020 and August 2020, we observed overlaps between different versions\r\nof CryptOne.\r\nCryptOne overlaps between May 2020 and August 2020\r\nIt seems that from a specific point in time, around September 2020, Hades, PhoenixLocker and PayloadBIN\r\nstarted adopting a specific CryptOne stub identified by the signature:\r\n111111111\\\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}\r\nFrom December 2020, the CryptOne version ‘111111111’ appeared in the wild without any overlap.\r\nConclusion\r\nClustering Evil Corp activity is demonstrably difficult considering that the group has changed TTPs several times\r\nin order to bypass sanctions and stay under the radar. This is in addition to the overall trend of actors receding\r\nback into secrecy. In this research, we connect the dots in the Evil Corp ecosystem, cluster Evil Corp malware,\r\ndocument the group’s activities and provide insight into their TTPs.\r\nSentinelLabs assesses with high confidence that WastedLocker, Hades, PhoenixLocker, Macaw Locker and\r\nPayloadBIN belong to the same cluster. 
Our assessment is based on code similarity and reuse, timeline\r\nconsistency and nearly identical TTPs across the ransomware families, indicating there is a consistent modus\r\noperandi for the cluster. In addition, we assess that there is a likely evolutionary link between WastedLocker and\r\nBitPaymer, and suggest that it can be attributed to the same Evil Corp activity cluster.\r\nWe fully expect that Evil Corp will continue to evolve and target organizations. In addition, we assess it is likely\r\nthey will also continue to advance their tradecraft, finding new methods of evading detection and misleading\r\nattribution. SentinelLabs will continue tracking this activity cluster to provide insight into its evolution.\r\nIn-depth technical analysis, Indicators of Compromise and further technical references are available in the full\r\nreport.\r\nRead the Full Report\r\nSource: https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/"
	],
	"report_names": [
		"sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434341,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da543a6b0f68bf6a6de7ec5bf2c919d3662e5ef2.pdf",
		"text": "https://archive.orkl.eu/da543a6b0f68bf6a6de7ec5bf2c919d3662e5ef2.txt",
		"img": "https://archive.orkl.eu/da543a6b0f68bf6a6de7ec5bf2c919d3662e5ef2.jpg"
	}
}