{
	"id": "6636f42b-c02d-4036-b99e-3250e7b773a9",
	"created_at": "2026-04-06T00:08:38.236958Z",
	"updated_at": "2026-04-10T13:12:02.754219Z",
	"deleted_at": null,
	"sha1_hash": "db3e088a3bd7d6d1d9fa03151cbd545d237918f6",
	"title": "BlackMatter (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 183509,
	"plain_text": "BlackMatter (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 16:42:44 UTC\r\nBlackMatter\r\nAccording to PCrisk, BlackMatter is a piece of malicious software categorized as ransomware. It operates by\r\nencrypting data for the purpose of making ransom demands for the decryption tools. In other words, files affected\r\nby BlackMatter are rendered inaccessible, and victims are asked to pay to recover access to their data.\r\nDuring the encryption process, files are appended with an extension consisting of a random character string. For\r\nexample, a file initially named \"1.jpg\" would appear as something similar to \"1.jpg.k5RO9fVOl\". After this\r\nprocess is complete, the ransomware changes the desktop wallpaper and creates a ransom note -\r\n\"[random_string].README.txt\" (e.g., k5RO9fVOl.README.txt).\r\nReferences\r\n2025-03-13 ⋅ Forescout ⋅\r\nNew Ransomware Operator Exploits Fortinet Vulnerability Duo\r\nBlackMatter LockBit Mora_001\r\n2024-06-05 ⋅ S-RM ⋅ David Broom, Gavin Hull\r\nExmatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data\r\ntargeting\r\nBlackCat BlackMatter Conti ExMatter LockBit REvil Ryuk\r\n2022-09-22 ⋅ Broadcom ⋅ Symantec Threat Hunter Team\r\nNoberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics\r\nBlackCat BlackMatter DarkSide\r\n2022-08-02 ⋅ Recorded Future ⋅ Insikt Group\r\nInitial Access Brokers Are Key to Rise in Ransomware Attacks\r\nAzorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar\r\n2022-07-25 ⋅ Trend Micro ⋅ Byron Gelera, Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, Nathaniel Gregory\r\nRagasa, Nathaniel Morales\r\nLockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities\r\nBlackMatter LockBit\r\n2022-07-13 ⋅ ⋅ GLIMPS ⋅ 
GLIMPS\r\nLockbit 3.0\r\nBlackMatter DarkSide LockBit\r\n2022-05-09 ⋅ Microsoft Security ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nGriffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot\r\n2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands\r\nGozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix\r\nLocker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT\r\n2022-04-27 ⋅ ⋅ ANSSI ⋅ ANSSI\r\nLE GROUPE CYBERCRIMINEL FIN7\r\nBateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter\r\nBOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz\r\nMurofet Qadars Ranbyus SocksBot\r\n2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nDismantling ZLoader: How malicious ads led to disabled security tools and ransomware\r\nBlackMatter Cobalt Strike DarkSide Ryuk Zloader\r\n2022-04-08 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nResearchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity\r\nBlackCat BlackMatter BlackCat BlackMatter\r\n2022-03-24 ⋅ SentinelOne ⋅ Antonio Cocomazzi\r\nRansomware Encryption Internals: A Behavioral Characterization\r\nBabuk Babuk BlackMatter\r\n2022-03-23 ⋅ splunk ⋅ Shannon Davis\r\nGone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil 
Ryuk\r\n2022-03-22 ⋅ The Register ⋅ Jeff Burt\r\nThis is a BlackCat you don't want crossing your path\r\nBlackCat BlackMatter\r\n2022-03-17 ⋅ Sophos ⋅ Tilly Travers\r\nThe Ransomware Threat Intelligence Center\r\nATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry\r\nDharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim\r\nRagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker\r\n2022-03-17 ⋅ Cisco ⋅ Caitlin Huey, Tiago Pereira\r\nFrom BlackMatter to BlackCat: Analyzing two attacks from one affiliate\r\nBlackCat BlackMatter BlackCat BlackMatter\r\n2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team\r\nThe Ransomware Threat Landscape: What to Expect in 2022\r\nAvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty\r\nSquirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin\r\n2022-03-01 ⋅ VirusTotal ⋅ VirusTotal\r\nVirusTotal's 2021 Malware Trends Report\r\nAnubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT\r\nOrcus RAT\r\n2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe\r\nAn Empirically Comparative Analysis of Ransomware Binaries\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk\r\n2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nKraken the Code on Prometheus\r\nPrometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk\r\n2022-01-19 ⋅ Mandiant ⋅ Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter\r\nOne Source to Rule Them All: Chasing AVADDON Ransomware\r\nBlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX\r\n2021-12-10 ⋅ Medium s2wlab ⋅ S2W TALON\r\nBlackCat: New Rust based ransomware borrowing BlackMatter’s configuration\r\nBlackCat BlackMatter\r\n2021-11-24 ⋅ Google ⋅ Google Cybersecurity Action 
Team, Google Threat Analysis Group\r\nThreat Horizons Cloud Threat Intelligence November 2021. Issue 1\r\nBlackMatter\r\n2021-11-04 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds\r\nCARBON SPIDER Embraces Big Game Hunting, Part 2\r\nBlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader\r\n2021-11-03 ⋅ The Record ⋅ Catalin Cimpanu\r\nBlackMatter ransomware says its shutting down due to pressure from local authorities\r\nBlackMatter\r\n2021-11-03 ⋅ Group-IB ⋅ Andrey Zhdanov\r\nThe Darker Things BlackMatter and their victims\r\nBlackMatter DarkSide BlackMatter DarkSide\r\n2021-11-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nBlackMatter ransomware moves victims to LockBit after shutdown\r\nBlackMatter BlackMatter LockBit\r\n2021-11-02 ⋅ Varonis ⋅ Dvir Sason\r\nBlackMatter Ransomware: In-Depth Analysis \u0026 Recommendations\r\nBlackMatter\r\n2021-10-22 ⋅ Elliptic ⋅ Elliptic Intel\r\nDarkSide bitcoins on the move following government cyberattack against REvil ransomware group\r\nBlackMatter DarkSide BlackMatter DarkSide\r\n2021-10-22 ⋅ The Record ⋅ Catalin Cimpanu\r\nDarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement\r\nBlackMatter DarkSide BlackMatter DarkSide\r\n2021-10-22 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nDarkSide ransomware rushes to cash out $7 million in Bitcoin\r\nBlackMatter DarkSide BlackMatter DarkSide\r\n2021-10-22 ⋅ Twitter (@GelosSnake) ⋅ Omri Segev Moyal\r\nTweet on List of wallets used by Darkside/Blackmatter Operator to split out the money\r\nBlackMatter DarkSide BlackMatter DarkSide\r\n2021-10-20 ⋅ Mandiant ⋅ Jacob Thompson\r\nHidden in Plain Sight: Identifying Cryptography in BLACKMATTER Ransomware\r\nBlackMatter\r\n2021-10-18 ⋅ CISA ⋅ US-CERT\r\nAlert (AA21-291A): BlackMatter Ransomware\r\nBlackMatter BlackMatter\r\n2021-10-14 ⋅ YouTube (Uriel Kosayev) ⋅ Uriel Kosayev\r\nDarkSide Ransomware Reverse Engineering\r\nBlackMatter 
DarkSide BlackMatter DarkSide\r\n2021-10-12 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity\r\nBabuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil\r\n2021-09-23 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nThreat Thursday: BlackMatter RaaS - Darker Than DarkSide?\r\nBlackMatter DarkSide BlackMatter DarkSide\r\n2021-09-22 ⋅ McAfee ⋅ Alexandre Mundo, Marc Elias\r\nBlackMatter Ransomware Analysis; The Dark Side Returns\r\nBlackMatter\r\n2021-09-21 ⋅ Nozomi Networks ⋅ Nozomi Networks Labs\r\nBlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs\r\nBlackMatter\r\n2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nBig Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack\r\nBlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades\r\nREvil\r\n2021-09-10 ⋅ S2W LAB Inc. 
⋅ S2W TALON\r\nGroove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter\r\nBabuk BlackMatter Babuk BlackMatter\r\n2021-09-08 ⋅ McAfee ⋅ John Fokker, Max Kersten, Thibault Seret\r\nHow Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates\r\nBabuk BlackMatter Babuk BlackMatter CTB Locker\r\n2021-09-08 ⋅ Medium s2wlab ⋅ S2W TALON\r\nGroove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands\r\nBabuk BlackMatter Babuk BlackMatter\r\n2021-09-08 ⋅ Cipher Tech Solutions ⋅ Cipher Tech ACCE Team\r\nRapidly Evolving BlackMatter Ransomware Tactics\r\nBlackMatter\r\n2021-09-06 ⋅ KELA ⋅ Victoria Kivilevich\r\nThe Ideal Ransomware Victim: What Attackers Are Looking For\r\nBlackMatter Cryakl\r\n2021-09-05 ⋅ Chuongdong blog ⋅ Chuong Dong\r\nBlackMatter Ransomware v2.0\r\nBlackMatter\r\n2021-09-02 ⋅ US Department of Health and Human Services ⋅ Health Sector Cybersecurity Coordination Center (HC3)\r\nDemystifying BlackMatter\r\nBlackMatter BlackMatter DarkSide\r\n2021-09-01 ⋅ Medium s2wlab ⋅ Chaewon Moon, Denise Dasom Kim, Jungyeon Lim, S2W LAB INTELLIGENCE TEAM, Sujin\r\nLim, Yeonghyeon Jeong\r\nBlackMatter x Babuk : Using the same web server for sharing leaked files\r\nBabuk BlackMatter Babuk BlackMatter\r\n2021-08-31 ⋅ Minerva Labs ⋅ Minerva Labs\r\nBlackMatter - The New Star Of Ransomware\r\nBlackMatter\r\n2021-08-23 ⋅ Netskope ⋅ Gustavo Palazolo\r\nNetskope Threat Coverage: BlackMatter\r\nBlackMatter\r\n2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker\r\n2021-08-09 ⋅ Sophos ⋅ Mark Loman\r\nBlackMatter ransomware emerges from the shadow of 
DarkSide\r\nBlackMatter BlackMatter\r\n2021-08-06 ⋅ Group-IB ⋅ Andrey Zhdanov\r\nIt's alive! The story behind the BlackMatter ransomware strain\r\nBlackMatter DarkSide BlackMatter DarkSide\r\n2021-08-05 ⋅ Tesorion ⋅ Gijs Rijnders\r\nAnalysis of the BlackMatter ransomware\r\nBlackMatter\r\n2021-08-04 ⋅ Jan Gruber\r\nUnderstanding BlackMatter's API Hashing\r\nBlackMatter\r\n2021-08-04 ⋅ Recorded Future ⋅ Insikt Group®\r\nProtect Against BlackMatter Ransomware Before It’s Offered\r\nBlackMatter DarkSide\r\nYara Rules\r\n[TLP:WHITE] win_blackmatter_auto (20251219 | Detects win.blackmatter.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter"
	],
	"report_names": [
		"win.blackmatter"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "353d3a83-ce02-44a2-a663-dafdbbb617a0",
			"created_at": "2025-03-21T02:00:03.842688Z",
			"updated_at": "2026-04-10T02:00:03.83742Z",
			"deleted_at": null,
			"main_name": "Mora_001",
			"aliases": [],
			"source_name": "MISPGALAXY:Mora_001",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434118,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db3e088a3bd7d6d1d9fa03151cbd545d237918f6.pdf",
		"text": "https://archive.orkl.eu/db3e088a3bd7d6d1d9fa03151cbd545d237918f6.txt",
		"img": "https://archive.orkl.eu/db3e088a3bd7d6d1d9fa03151cbd545d237918f6.jpg"
	}
}