{
	"id": "39327ef9-9933-47a7-9b43-a0f7b2b8282e",
	"created_at": "2026-04-06T00:14:10.326067Z",
	"updated_at": "2026-04-10T03:38:06.286839Z",
	"deleted_at": null,
	"sha1_hash": "de6367ab017abe4bd17cc269f7e9ca30b29d60a7",
	"title": "Analytics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1606997,
	"plain_text": "Analytics\r\nBy Positive Technologies\r\nPublished: 2021-02-18 · Archived: 2026-04-05 13:09:43 UTC\r\nIn most cases, hackers \"case out\" their targets before attacking. They do this by collecting information about the system and\r\ninternal network, which gives an idea of how they can profit from an attack and helps to plan further actions. Of course, the\r\nattackers need to be sure they have accessed a real workstation on a company's infrastructure, and not a mere sandbox—a\r\nvirtual environment designed to analyze the behavior of executable files. That is why modern malware has capabilities for\r\ndetecting and evading protection mechanisms, as well as for hiding malicious functionality if run in a sandbox or code\r\nanalyzer.\r\nContents\r\nIntroduction\r\nExecutive summary\r\nEvolution of anti-sandbox techniques\r\nPopular virtualization evasion techniques\r\nAnti-analysis and anti-debugging\r\nConclusion\r\nIntroduction\r\nWe have analyzed 36 malware families used by at least 23 APT groups around the world during the period from 2010\r\nthrough the first half of 2020. 
The selection was made based on MITRE data and information about new malware samples\r\nanalyzed by the PT Expert Security Center.\r\nIn this research, we will show how sandbox evasion techniques have evolved in the last 10 years.\r\nAgent-based sandboxes: The virtual machine has a built-in agent (a special process) that manages the system, in addition to\r\ngetting and passing events and artifacts of interest. When a new process is generated, the sandbox\r\nintercepts API function calls (by changing an address in process memory or changing code in a\r\nfunction body).\r\nThis approach has one significant drawback: the sandbox needs to conceal and protect agent-related\r\nobjects from malware.\r\nAgentless sandboxes: These sandboxes use second level address translation (SLAT), a form of hardware-assisted\r\nvirtualization built into CPUs. AMD processors support SLAT through Rapid Virtualization Indexing\r\n(RVI), while Intel's implementation is known as Extended Page Table (EPT).\r\nExtended page tables are nested between the guest physical memory and the host virtual memory. 
This\r\nmakes it possible to do the following:\r\nExamine memory pages of the guest machine.\r\nIdentify important parts (for example, parts containing addresses or code of kernel functions).\r\nMark selected pages to separate EPT memory access rights from guest machine access rights.\r\nhttps://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/\r\nPage 1 of 12\n\nIntercept attempts to access marked memory regions (if this happens, an EPT violation error\r\nwill occur and the guest machine will be stopped).\r\nAnalyze the memory state and extract information about an event.\r\nMark the memory page anew to return it to the correct state.\r\nRestore operation of the guest machine.\r\nAll these actions are observed from outside the sandbox: malware cannot detect that it is being\r\nwatched.\r\nExecutive summary\r\nSandbox evasion and anti-analysis techniques are found most frequently in remote access tools (accounting for 56% of the\r\nmalware in our dataset) and loaders (14%). These types of malware are used to perform reconnaissance and gather\r\ninformation about the target system. If attackers spot that their malware is running inside a virtual environment, they will not\r\ncontinue their attack and will not download the payload. Instead, they will attempt to maintain stealth by terminating\r\nexecution of the malware.\r\nFigure 1. Types of malware (categories: RATs, loaders, banking trojans, ransomware, spyware)\r\n69 percent of the malware samples in our dataset were used for cyberespionage. Such attacks require staying invisible on a\r\nvictim's system for extended periods, which is why attackers look for ways to maintain long-term, stealthy persistence.\r\nFigure 2. Attacker motives (categories: espionage, financial profit)\r\nTo detect virtual machines (sandboxes), attackers send WMI queries (25% of malware in the dataset), perform other\r\nenvironment checks (33%), or check which processes are running (19%). Attackers can also use information about the\r\nvirtualization environment to plan their future efforts.\r\nFigure 3. Popular sandbox evasion and anti-analysis methods (percentage of malware); categories: anti-analysis and anti-debugging, checking the environment, sending WMI queries, checking running processes, registry key checks\r\nIt is getting more and more difficult to perform static analysis of malicious files by matching suspicious files with known\r\nsignatures and hash sums, because malware authors are using code obfuscation to impede analysis attempts. That is why we\r\nrecommend analyzing file behavior in a sandbox.\r\nEvolution of anti-sandbox techniques\r\nFigure 4. Sandbox evasion and anti-analysis methods used by malware in 2010–2020\r\nTo evade sandboxes and analysis tools, the same malware may use different methods in different years. Threat actors also try\r\nto combine multiple methods. 
If one method does not work and is intercepted by the sandbox, the malware can still use\r\nother signs to determine whether it is running in a virtual environment and, if so, terminate itself in time to avoid discovery.\r\nHere are several more examples:\r\nROKRAT\r\nType: RAT\r\nGroup: APT37, active since 2012\r\nTarget: organizations in South Korea\r\nInfection vector: phishing (phishing emails with malicious HWP attachments exploiting vulnerability CVE-2013-0808)\r\nMotive: espionage\r\nSandbox evasion and anti-analysis methods used (2016 / 2018):\r\nChecking whether the SbieDll.dll, Dbghelp.dll, Api_log.dll, or Dir_watch.dll libraries are loaded [2016: +, 2018: +]\r\nObtaining the value of the SystemBiosVersion key of the HARDWARE\\DESCRIPTION\\System registry branch [2016: +, 2018: -]\r\nUsing the NOP (No Operation) instruction as padding in self-modifying code to protect from debuggers [2016: +, 2018: -]\r\nCalling the IsDebuggerPresent function to detect debugging [2016: -, 2018: +]\r\nCalling the GetTickCount function twice to check for step-through execution [2016: -, 2018: +]\r\nChecking for the file C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe [2016: -, 2018: +]\r\nRogueRobin\r\nType: RAT\r\nGroup: DarkHydrus, active since 2016\r\nTarget: government agencies and educational institutions in the Middle East\r\nInfection vector: phishing (malicious Microsoft Office documents distributed via Google Drive)\r\nMotive: espionage\r\nSandbox evasion and anti-analysis methods used (2018 / 2019):\r\nSending WMI queries to get the BIOS version and manufacturer [2018: +, 2019: +]\r\nSending WMI queries to check the number of CPU cores; the value must exceed 1 [2018: +, 2019: +]\r\nSending WMI queries to check the amount of physical memory; the value must be at least 2,900,000,000 bytes [2018: +, 2019: +]\r\nChecking the list of running processes for Wireshark and Sysinternals tools [2018: +, 2019: +]\r\nObfuscating a PowerShell script with Invoke-Obfuscation [2018: +, 2019: +]\r\nChecking for debuggers in each DNS request [2018: -, 2019: +]\r\nRemcos\r\nType: RAT\r\nGroup: Gorgon Group, active since 2018\r\nTarget: government organizations in Russia, the United Kingdom, Spain, and the United States\r\nInfection vector: phishing (emails with malicious Microsoft Word documents exploiting vulnerability CVE-2017-0199)\r\nMotive: espionage\r\nSandbox evasion and anti-analysis methods used (2018 / 2019):\r\nChecking for the obsolete SbieDll.dll system artifact [2018: +, 2019: -]\r\nEncrypting source code with RC4 and Base64 algorithms [2018: +, 2019: +]\r\nChecking active processes for vmtoolsd.exe and vbox.exe [2018: -, 2019: +]\r\nCalling the IsDebuggerPresent function to check whether the calling process is being run in a debugger context [2018: -, 2019: +]\r\nAttackers who sell malware on the darkweb also offer functionality for detecting and evading sandboxes and antivirus tools,\r\nas well as for countering analysis and debugging. The starting price for malware with built-in sandbox evasion is $30.\r\nAdditional protection from detection by sandboxes and antivirus solutions costs $20.\r\nFigure 5. Advertisement for a loader with built-in evasion functionality\r\nFigure 6. Advertisement for services to protect malware from sandbox detection\r\nFigure 7. Advertisement for malware with built-in virtualization evasion functionality\r\nPopular virtualization evasion techniques\r\nChecking running processes\r\nOne fifth of malware analyzes the list of running processes to detect a virtual environment. 
For example:\r\nThe EvilBunny RAT continues execution only if at least 15 processes are running.\r\nPlugX (a backdoor widely used by APT groups over the last 10 years) checks if VMware Tools are running in the\r\nbackground by searching for processes named \"vmtoolsd\".\r\nRemcos, used by Gorgon Group in phishing attacks against governments, searches for \"vmtoolsd\" and \"vbox.exe\" in\r\nthe list of active processes.\r\nFigure 8. Searching for vmtoolsd (Remcos)\r\nWMI queries\r\nSince 2016, malware developers have been actively using WMI queries to access devices, accounts, services, processes,\r\nnetwork interfaces, and other programs. (Windows Management Instrumentation (WMI) is a technology for centralized\r\nmanagement of Windows-based infrastructures.) Of the malware in question, 25 percent makes use of them. In most cases, the\r\nattackers are trying to find out the model of the hard drive or motherboard, as well as the OS and BIOS versions.\r\nGravityRAT uses an interesting method to detect virtual environments. By sending the SELECT * FROM\r\nMSAcpi_ThermalZoneTemperature WMI query, it checks the CPU temperature: if the malware is being run on a physical\r\nmachine, the temperature value will be returned. But if the system responds with \"ERROR\" or \"Not Supported,\" this means\r\nthat the malware is running in a virtual environment.\r\nFigure 9. Output for the query SELECT * FROM MSAcpi_ThermalZoneTemperature on a physical machine\r\nFigure 10. Output for the query SELECT * FROM MSAcpi_ThermalZoneTemperature in a virtual environment\r\nWMI queries have also been used by the OilRig group (APT34, Helix Kitten), which for more than five years has targeted a\r\nvariety of industries, including government, finance, energy, and telecommunications, primarily in the Middle East. The\r\ngroup's backdoor OopsIE sends the WMI query SELECT * FROM Win32_Fan to check the state of the CPU fan. 
This query\r\nshould return a class that provides statistics on the CPU fan. The backdoor checks whether the response is empty, which\r\nwould indicate a virtual environment.\r\nFigure 11. Output for the query SELECT * FROM Win32_Fan on a physical machine\r\nFigure 12. Output for the query SELECT * FROM Win32_Fan in a virtual environment\r\nRegistry key value checks\r\nSome malware (14 percent) reads registry key values and looks for substrings in them that suggest a virtual machine. For\r\nexample:\r\nThe Smoke Loader banking trojan, used by TA505, checks registry key values in\r\nSystem\\CurrentControlSet\\Enum\\IDE and System\\CurrentControlSet\\Enum\\SCSI to search for substrings that match the\r\nQEMU, VirtualBox, VMware, or Xen virtualization products. Smoke Loader (Smoke Bot) is offered for sale on the\r\ndarkweb. The complete malware package costs $1,650.\r\nFigure 13. Smoke Bot banking malware for sale\r\nFigure 14. Price of Smoke Bot banking malware on the darkweb\r\nFinFisher verifies that HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid does not equal \"6ba1d002-21ed-4dbe-afb5-08cf8b81ca32\"; that HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId does not\r\nequal \"55274-649-6478953-23109\", \"A22-00001\", or \"47220\"; and that\r\nHARDWARE\\Description\\System\\SystemBiosDate does not contain \"01/02/03\".\r\nCozyCar, used by APT29, checks the registry key values in\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall for security products to avoid.\r\nOther environment checks\r\nIn addition to checking running processes and registry key values and sending WMI queries, malefactors can check the\r\nenvironment in other ways. 
For example, the RTM (Redaman) banking trojan checks for the following files and directories\r\non the C:\\ and D:\\ drives:\r\ncuckoo\r\nfake_drive\r\nperl\r\nstrawberry\r\ntargets.xls\r\ntsl\r\nwget.exe\r\n*python*\r\nThe existence of any of these files or directories indicates that the malware is running in a sandbox or a code analyzer.\r\nAPT37 (also known as ScarCruft, Group123, and TEMP.Reaper) has modified its ROKRAT backdoor over the last several\r\nyears. In addition to checking registry key values, this malware also checks whether the file\r\nC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe exists and whether the following code analyzer and debugger DLLs have been\r\nloaded:\r\nSbieDll.dll\r\nDbghelp.dll\r\nApi_log.dll\r\nDir_watch.dll\r\nCorrectly configuring virtual machines is enough to stop the following attacker technique. PoetRAT, remote access malware\r\nused in targeted attacks against ICS and SCADA systems in the energy sector, checks the hard disk size to determine\r\nwhether it is running in a sandbox environment. Since the malware assumes that sandboxes have hard drives of less than 62\r\nGB, it can be tricked by allocating more space for the virtual machine.\r\nDoes a sandbox have to detect all evasion techniques?\r\nNot all sandbox evasion methods are easy to detect. Some checks—such as file path, MAC address, date and time, and\r\noperation execution time—strongly resemble legitimate actions. Detection may generate a large number of false positives\r\nand interfere with proper functioning of other programs. This, however, does not mean that malware will remain totally\r\ninvisible. Sandboxes do not have to catch each and every evasion technique, since malware has many other attributes that\r\ncan be detected at other stages of operation. 
That said, the more techniques the sandbox sees, the greater the chances of\r\ndetecting new malware samples and applying this information to counter cyberthreats.\r\nAnti-analysis and anti-debugging\r\nTo slip past antivirus programs for as long as possible, malefactors try to prevent analysis of malware by security\r\nprofessionals. They do so by using code obfuscation and anti-debugging techniques.\r\nIn 2019, the Remcos RAT added an anti-debugging method to its arsenal. If the loader detects a debugger in the system after\r\ncalling the IsDebuggerPresent function, it displays the message \"This is a third-party compiled AutoIt script\" and terminates\r\nexecution.\r\nThe authors of FinFisher spyware went to great effort to obfuscate malicious code and impede analysis. For example,\r\nopcode 0x1A should represent a JB (jump if below) instruction, but is implemented through a set carry (STC) instruction\r\nfollowed by a JMP to the dispatcher code, which verifies the carry flag condition set by STC.\r\nFigure 15. Example of an obfuscation technique (FinFisher)\r\nTo check for the step-through execution normally used by debuggers, EvilBunny calls NtQuerySystemTime,\r\nGetSystemTimeAsFileTime, and GetTickCount. It calls each function twice to calculate a delta and performs a sleep\r\noperation between the first and second calls. If any of the three deltas is below 998 milliseconds, execution will terminate.\r\nFigure 16. Double calling of functions (EvilBunny)\r\nIt is getting more and more difficult to perform static analysis of malware and identify attributes of malicious files by\r\nmatching them with signatures and hash sums. That is why, in addition to static analysis, we recommend running suspicious\r\nfiles in a virtual environment to analyze their behavior.\r\nConclusion\r\nAttackers constantly modify their malware to evade detection for as long as possible. 
In this respect, APT groups do\r\nespecially well. To collect information about the victim's infrastructure, attackers prefer using malware with built-in\r\nfunctionality for detecting and evading virtual machines and code analyzers. In addition, loaders and remote access tools\r\nsold on the darkweb have built-in basic sandbox evasion functions, or at least this is what their sellers claim.\r\nIn recent years, malware authors have been trying especially hard to evade code analyzers. Hackers do all they can to hide\r\nmalicious functionality from security researchers and minimize the likelihood of detection of malware based on known\r\nindicators of compromise. Traditional defenses may not be able to detect malicious programs. To detect modern malware,\r\nwe recommend analyzing file behavior in a secure virtual environment. By using a sandbox, you also enrich your IOC\r\ndatabase and can leverage this information to better respond to cyberthreats. By updating all your protection tools with the\r\nlatest IOCs, you can detect even new malware versions if hackers attempt a second attack on your infrastructure. For\r\nexample, if attackers compile a new malware version but forget to change the command and control (C2) address, the newer\r\nmalware will still be detected because of the identical address.\r\nSandboxes have already learned to thwart the majority of popular evasion techniques. Even if hackers use methods that\r\nresemble legitimate processes, such as checking the current date and time, malware will most likely reveal itself by other\r\nsigns a sandbox will be able to detect. Hackers constantly refine their tools, change sandbox detection techniques, and use\r\nmultiple techniques at the same time. In parallel, sandboxes must be flexible enough to adapt easily to new challenges by\r\nimitating a real workstation. 
A sandbox must hide its presence well in order to prevent malware from terminating early and\r\nto successfully collect indicators of compromise.\r\nSource: https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/"
	],
	"report_names": [
		"antisandbox-techniques"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6efb28db-4d91-46cb-8ab7-fe9e8449ccfc",
			"created_at": "2023-01-06T13:46:38.772861Z",
			"updated_at": "2026-04-10T02:00:03.095095Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"LazyMeerkat",
				"G0079",
				"Obscure Serpens"
			],
			"source_name": "MISPGALAXY:DarkHydrus",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b04780e-7b64-4e62-b776-c6749ff7dec8",
			"created_at": "2022-10-25T16:07:23.531741Z",
			"updated_at": "2026-04-10T02:00:04.643562Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"ATK 77",
				"DarkHydrus",
				"G0079",
				"LazyMeerkat",
				"Obscure Serpens"
			],
			"source_name": "ETDA:DarkHydrus",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Mimikatz",
				"Phishery",
				"RogueRobin",
				"RogueRobinNET",
				"Trojan.Phisherly",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fe925e8-95e5-4a63-9f96-4d0f9bedac08",
			"created_at": "2022-10-25T15:50:23.469077Z",
			"updated_at": "2026-04-10T02:00:05.384299Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"DarkHydrus"
			],
			"source_name": "MITRE:DarkHydrus",
			"tools": [
				"Mimikatz",
				"RogueRobin",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434450,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de6367ab017abe4bd17cc269f7e9ca30b29d60a7.pdf",
		"text": "https://archive.orkl.eu/de6367ab017abe4bd17cc269f7e9ca30b29d60a7.txt",
		"img": "https://archive.orkl.eu/de6367ab017abe4bd17cc269f7e9ca30b29d60a7.jpg"
	}
}