{
	"id": "e6655588-f6bf-4505-b849-eb086a6067b1",
	"created_at": "2026-04-06T00:22:37.106296Z",
	"updated_at": "2026-04-10T13:11:37.611656Z",
	"deleted_at": null,
	"sha1_hash": "e03d0ac2f2ceb90368d667cc7471e3cba3b34f27",
	"title": "StrongPity APT Group Deploys Android Malware for the First Time",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2407339,
	"plain_text": "StrongPity APT Group Deploys Android Malware for the First Time\r\nPublished: 2021-07-21 · Archived: 2026-04-05 14:23:28 UTC\r\nWe recently conducted an investigation into a malicious Android application, which we believe can be attributed to the\r\nStrongPity APT group, that was posted on the Syrian e-Gov website. To the best of our knowledge, this is the first time that\r\nthe group has been publicly observed using malicious Android applications as part of its attacks.\r\nWe first learned about the sample from a thread shared on the MalwareHunterTeam Twitter account. Based on the discussion thread,\r\nwe learned that the shared sample is a trojanized version of the Syrian e-Gov Android application that would steal contact\r\nlists and collect files with specific file extensions from its victim's device.\r\nOne response from the thread pointed out that the malicious APK was likely distributed using a \"watering-hole\"-like\r\ntechnique: the attacker allegedly had compromised the official Syrian e-Gov website and replaced the official Android\r\napplication file with a trojanized version of the original app. Due to the suspicious nature of this activity, we decided to\r\ninvestigate further.\r\nThis blog entry will discuss the group’s attack tactics, techniques, and procedures (TTPs) in relation to the Android malware\r\nand why these activities can be attributed to this threat actor. We will also dive into the threat actor’s\r\ndevelopment progress and identify several other malicious Android samples produced by StrongPity. 
Finally, we\r\nwill briefly discuss related malware variants, including the second version of the Android trojan, which appears to be a work\r\nin progress and includes several testing features.\r\nInitial investigation\r\nThe first thing we did was check the URL where the malicious APK file was hosted (https://egov[.]sy/mobile/egov[.]apk).\r\nThe version of the application that is downloadable from the site at the time of writing is a clean version of the Syrian e-Gov\r\nAndroid application that is different from the malicious application previously discussed on Twitter. This means that, at one\r\npoint, the malicious version of the application was deleted from the site.\r\nAt least six other samples with the same application name (\"بوابيت\") and matching package names (com.egov.app.*) can be\r\nidentified on VirusTotal. We verified all of these samples and concluded that all of them are benign. These benign versions\r\nof the application were created during the period from February 2020 until March 2021. We believe all of them are official\r\napps from the Syrian e-Gov website.\r\nThe malicious sample mentioned in the Twitter thread is available on VirusTotal and, as of the time of writing, has several\r\npositive detections. Although some antivirus vendors detect the identified malicious sample as Bahamut, we doubted the\r\naccuracy of this attribution to the Bahamut APT group. Further investigation revealed several artifacts that could possibly\r\nlink the malicious sample to the StrongPity APT group.\r\nAnalysis of the malicious sample\r\nThe malicious version of the application (fd1aac87399ad22234c503d8adb2ae9f0d950b6edf4456b1515a30100b5656a7) was\r\ncreated in May 2021 (the timestamps within the file point to 2021-05-03 as the creation date, while the file was uploaded to\r\nVirusTotal on May 24, 2021). This application is signed with a different certificate and was produced by repackaging the\r\noriginal app from the Syrian government. 
All of the original applications, on the other hand, are signed with another\r\ncertificate.\r\nhttps://www.trendmicro.com/en_us/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html\r\nPage 1 of 11\n\nFigure 1. Comparison of the certificates used to sign the original (top) and the malicious applications (bottom)\r\nThe malicious application has the AndroidManifest.xml modified to include references to additional classes and request\r\nadditional permissions on the device (seen in Figure 3).\r\nFigure 2. The modified AndroidManifest.xml of the malicious app\r\nOverview of the inserted code\r\nThe threat actor added the following classes to this application; some of these classes (com.egov.app.NetworkStatusService,\r\ncom.egov.app.Receiver) are referenced in the modified AndroidManifest.xml.\r\nFigure 3. The classes added to the malicious app are shown in the right part of the image. The original classes\r\nare shown on the left.\r\nFigure 3 shows that many of the other classes have randomly generated class and method names. This naming pattern was\r\nlikely produced by a software obfuscation tool.\r\nTwo major additional components were added to the malicious version of the application: a service and a receiver. The\r\nreceiver starts the malicious service. The malicious service is declared as an Android Service, which is an application\r\ncomponent that can perform long-running tasks in the background.\r\nThis malicious service is declared with the class name \"com.egov.app.NetworkStatusService\", and is started by the Receiver\r\nclass.\r\nOur analysis of the Receiver configuration and code found multiple methods for starting the malicious\r\nNetworkStatusService service.\r\nThe service is started when the device connectivity is changed. 
The djdeeu class registers a broadcast receiver for\r\nCONNECTIVITY_CHANGE.\r\nThe service can be started from the launcher activity or other registered receivers.\r\nThe service can be started using the \"Alarm\" mechanism.\r\nOnce the malicious NetworkStatusService service is started, it executes its malicious functionality via a set of message\r\nhandlers, which are responsible for handling specific messages.\r\nThe sample uses the \"Handler\" mechanism to dispatch messages that trigger malicious behavior. A custom enum structure is\r\nused to define the message types.\r\nIt defines seven message types, shown in Figure 4.\r\nFigure 4. Code showing the seven defined messages.\r\nEach of the messages triggers a different behavior through the handler. The following is a quick summary of the purpose and\r\nbehavior of each specific message:\r\nWhen this message is received, a periodic task for the heartbeat message is set.\r\nWhen this message is received, a periodic task for the sync message is set.\r\nThis message triggers the heartbeat function, which sends a request to the command-and-control (C\u0026C) server and receives\r\na response with an encrypted payload.\r\nThe encrypted payload is first saved as the file \u003cDIR\u003e/.android/water.zip, after which the file water.zip is decrypted\r\nand the decrypted payload written to \u003cDIR\u003e/.android/e.zip.\r\nNext, the file e.zip is decompressed into \u003cDIR\u003e/.android and the file with the name \"config.properties\" is accessed.\r\nFinally, this file is read and parsed. These properties are extracted and written as configuration settings to local shared\r\npreferences, allowing the malware to change its behavior according to the configuration.\r\nSync is a repeated behavior. 
It uploads the files collected on the infected device every 3000 seconds.\r\nThe handler for MSG_SYNC executes the following functionality:\r\nFirst, it enumerates all files under \u003cDIR\u003e/.android/.lib2. It then creates a zip file with the name \u003cuniqueId\u003e.zip (note that the\r\nunique ID is not a real device ID; the malware just calculates a custom unique ID based on the device ID value), and writes\r\nthe files into the compressed file.\r\nFinally, it uploads the zip file to the C\u0026C server and deletes all files under \u003cDIR\u003e/.android/.lib2, as well as the compressed\r\nfile \u003cuniqueId\u003e.zip.\r\nThe handler for this message collects data from the victim’s device. First, it collects contact information, followed by\r\ninformation regarding available Wi-Fi networks.\r\nIt then searches through the device files and harvests all files that match pre-defined file extensions:\r\n.asc\r\n.dgs\r\n.doc\r\n.docx\r\n.edf\r\n.gpg\r\n.jpeg\r\n.jpg\r\n.key\r\n.m2r\r\n.meo\r\n.pdf\r\n.pgp\r\n.pir\r\n.pkr\r\n.pub\r\n.rjv\r\n.rms\r\n.sem\r\n.sit\r\n.skr\r\n.sys\r\n.xls\r\n.xlsx\r\nFigure 5. A snippet of the file harvesting code\r\nWhen this message is received, a periodic task for the “collect message” handler is set.\r\nThis message sends all the mentioned messages one by one.\r\nModular functionality of the backdoor\r\nThis sample uses highly modular components to create a flexible architecture for component loading and unloading. The\r\nfunctions onCreate and onDestroy show a common approach to loading and unloading a component.\r\nFigure 6. 
Code snippet showing the onCreate and onDestroy functions\r\nThe following components were used in the sample:\r\npekmek (Crypto Manager): Uses AES to decrypt and encrypt files and strings.\r\nltymcr (Helper Class): Contains many utility functions, such as functions to calculate the unique ID, parse the config file,\r\nread/write shared preferences, and define encryption keys.\r\nFigure 7. Code snippet showing the ltymcr (Helper Class) component\r\nsadwoo: A component used as PowerWakeLock.\r\nphkyxc: A component used as WifiWakeLock.\r\ntfsdne: This is a wrapper used for C\u0026C communication such as heartbeat and sync.\r\nitxdrx (Net Manager): A component responsible for handling HTTP protocol communication.\r\nFigure 8. Code from the itxdrx component\r\nnhnhpi: The component responsible for managing the C\u0026C server.\r\nThis component includes the definition of an initial C\u0026C server. The initial value can be overridden. The StrongPity backdoor\r\nhas the ability to update (including deleting and adding) its C\u0026C server address via configuration updates from the\r\n\"heartbeat\" command.\r\nFigure 9. The code that handles the addition and deletion of C\u0026C servers\r\nInvestigation and attribution\r\nWhen we learned how the threat actor repackages benign applications into trojanized variants, we decided to search for\r\nsimilar samples on VirusTotal. We searched for other applications that were repackaged in a similar way and included\r\nsimilar malicious components.\r\nWe found several other samples that were produced by the same threat actor. 
We determined these samples to be similar\r\nbecause all of them (except for the last sample) were also repackaged from normal applications and had similar malicious\r\ncode inserted.\r\nDate of submission SHA256 Identified C\u0026C servers Additional Details\r\nAugust 2, 2019 374d92f553c28e9dad1aa7f5d334a07dede1e5ad19c3766efde74290d0c49afb upeg-system-app[.]com Likely repacked from\r\nJune 8, 2020 be9214a5804632004f7fd5b90fbac3e23f44bb7f0a252b8277dd7e9d8b8a52f3 networktopologymaps[.]com Likely repacked from\r\n596257ef017b02ba69\r\nJune 8, 2020 a9378a5469319faffc48f3aa70f5b352d5acb7d361c5177a9aac90d9c58bb628 networktopologymaps[.]com Likely repacked from\r\ndownloaded from the\r\nJune 13, 2021 596257ef017b02ba6961869d78a2317500a45f00c76682a22bbdbd3391857b5d upeg-system-app[.]com Likely repacked from\r\nJanuary 1, 2021 75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b upn-sec3-msd[.]com\r\nThis is likely a testing\r\nThis sample also cont\r\nsamples. This shows t\r\nAPK versions of the b\r\nTable 1. 
Similar malicious samples found on VirusTotal\r\nThe sample 75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b serves as the key attribution factor\r\nand is the main link to the StrongPity threat actor, because it communicates with a C\u0026C server that was previously\r\nidentified by several research teams as infrastructure used by the group.\r\nTools, tactics, and procedures on Windows\r\nThere are no known public reports of StrongPity using malicious Android applications in their attacks at the time of writing.\r\nIn order to strengthen our confidence in the accuracy of our attribution to StrongPity, we decided to further examine some of\r\ntheir samples that were used to target Microsoft Windows platforms and see if we could identify similar tools, tactics, and\r\nprocedures (TTPs) in their actions.\r\nJust as we have seen with the Android apps, the StrongPity group favors repacking benign installers to produce trojanized\r\nversions of these applications. Likewise, the main function of these backdoors is to search, harvest, and exfiltrate files from\r\nthe victim’s computers.\r\nTake, for example, the following sample: 48f67be806b4e823280f03ee5512ffd58deb6f37ecc80842265d4e8d2ca30055. The\r\nsample first drops a file called \"TrustedInstaller.exe\" to \u003cDIR\u003e/AppData/Local/Temp and then executes it. This dropped file\r\nis a clean WinRAR installer.\r\nFigure 10. Code used in the file “TrustedInstaller.exe”\r\nIt then creates \u003cDIR\u003e/AppData/Local/Temp/lang_be29c9f3-83we to drop malicious files and execute them.\r\nFigure 11. 
Code showing the creation of the directory\r\nIf we examine another StrongPity sample (12818a96211b7c47863b109be63e951075cf6a41652464a584dd2f26010f7535),\r\nthe logic is similar — it drops a normal installer into the Temp directory and creates a directory for dropped malicious files.\r\nHere are three notable similarities between the Windows sample and the Android sample:\r\n1. Both are disguised as normal apps by utilizing the original clean applications — the Android sample repacks the original\r\none into a trojanized version, while the Windows sample uses a trojanized installer packed with the original program.\r\n2. Both collect and exfiltrate files from the infected device.\r\n3. Both are highly modular. The Windows sample has a standalone Exfiltration and File Search module, a feature that\r\ncould also be seen in the latest test Android sample.\r\nPossible connections to StrongPity\r\nWe found several clues that link the malicious Android samples with the StrongPity threat actor.\r\nThe sample 74582c3d920332117541a9bbc6b8995fbe7e1aff communicates with the URL https://www.upn-sec3-msd[.]com/ProxyServer/service/. The domain name “upn-sec3-msd[.]com” was mentioned in another StrongPity report.\r\nThe domain naming pattern and domain acquisition techniques are quite similar. For example, the domain names used by\r\nStrongPity in 2020 have a domain naming pattern similar to the domains used by the identified Android samples.\r\nOne of the domain names, networktopologymaps[.]com, was likely bought after its registration at Gandi expired. The domain\r\nwas acquired via the Porkbun registrar.\r\nThis is similar to the domain hostoperationsystems[.]com, which was previously mentioned in the Talos report. This domain\r\nwas also acquired via Porkbun and features a comparable domain naming pattern.\r\nAnother notable point of correlation to StrongPity is the list of file extensions, which we have seen in the Android samples. 
A\r\nsimilar list of file extensions is present in variants of the trojan for Windows systems. For example, one of\r\nthe samples that we had examined earlier gathers files with the following extensions:\r\n.7z\r\n.asc\r\n.dgs\r\n.doc\r\n.docx\r\n.gpg\r\n.pdf\r\n.pgp\r\n.ppt\r\n.pptx\r\n.rar\r\n.rjv\r\n.rms\r\n.rtf\r\n.sft\r\n.tc\r\n.txt\r\n.xls\r\n.xlsx\r\nAs we previously mentioned, there are no public reports of the StrongPity threat actor using malicious Android applications\r\nin their attacks. However, we examined the trojan code-embedding techniques as well as the trojan functionality of the\r\nmalicious code written by the same threat actor for Windows platforms, and we have identified some similar patterns. This\r\nleads us to believe that these could belong to the same threat actor.\r\nStrongPity actively develops new malicious Android apps\r\nWe believe that the StrongPity threat actor is actively developing backdoors for Android. 
Based on the test sample that we\r\nhave identified, we can see that the threat actor attempts several techniques to lure potential victims: repackaged\r\napplications, compromised websites, and fake variants of popular applications.\r\nBased on the additional functionalities that we identified in the fake Samsung security service application\r\n(75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b), we think that among the APK files that we\r\nhad identified, the repackaged applications are bundled with the first version of the Android trojan, while the fake\r\napplication could be a work in progress for the next version of the tool.\r\nIn the second version, we observed that the threat actor developed and included some additional components, as well as\r\nadding support for more message types.\r\nThe following table shows the message types that the threat actor has defined.\r\nMessage type Details\r\nMSG_ADD_MODULE Add a new module\r\nMSG_GET_MODULE Get the module instance\r\nMSG_DEL_MODULE Delete module file under \u003cDIR\u003e/.android/.li/\u003cmodule name\u003e\r\nMSG_DEL_APK Delete the APK file under the download directory\r\nMSG_START_MODULES\r\nTable 2. Message types defined by the threat actor\r\nIn this version, MSG_COLLECT is no longer present — we think they replaced it with MSG_START_MODULES, a\r\nmessage used to read all module names from the shared preferences and start/initialize them one by one.\r\nWe were not able to get access to these modules, but based on some of the code functionality that we observed, we believe\r\nthat these modules are designed to collect data from the victim’s devices and write the collected data into a local SQLite\r\ndatabase file. 
However, we were not able to find any of these modules in the wild.\r\nThere are also several other key differences between version 1 and version 2 of the trojan:\r\nThe message handler for the heartbeat message in version 2 is now split into two messages: heartbeat and taken_config.\r\nEither of these messages can receive a response from the C\u0026C server and decrypt the response to update the local\r\nconfiguration, as in version 1.\r\nVersion 2 uses different AES encryption keys: key (\"aaaanothingimpossiblebbb\") and AES IV (\"aaaanothingimpos\").\r\nA ScreenReceiver class is added to the second version of the trojan. The purpose of this Receiver is to start the\r\nmalicious service via Screen_On and Screen_Off events.\r\nVersion 2 has the ability to execute the “su” command if the device is rooted. The main usage of the root privilege here is\r\nthat it could grant permissions silently. Such permissions include accessibility, notification and others. However, we\r\ndid not find any evidence that the sample would attempt to root the device.\r\nTwo components were added in version 2 for accessibility and notification.\r\nVersion 2 uses SQLite to store collected data. Furthermore, it no longer uses ZIP.\r\nIn version 2, the extra modules used in “MSG_START_MODULES” are downloaded from the C\u0026C server via either\r\nthe heartbeat or taken_config message. It’s possible that these modules are decompressed as part of the response into\r\n\u003cDIR\u003e/.android/.li and subsequently executed.\r\nConclusion\r\nThis investigation has provided evidence to attribute the Android malware sample, which was posted on the Syrian e-Gov\r\nwebsite, to the StrongPity threat group. 
We were also able to identify additional Android trojan files and correlate these\r\nmalicious Android applications with existing public reports based on their similarities to the threat actor’s TTPs and the network\r\ninfrastructure they used.\r\nAlthough there are no previously known malicious Android applications attributed to the StrongPity group, we strongly\r\nbelieve that the threat actor is in the process of actively developing new malicious components that can be used to target\r\nAndroid platforms.\r\nWe believe that the threat actor is exploring multiple ways of delivering the applications to potential victims, such as using\r\nfake apps and using compromised websites as watering holes to trick users into installing malicious applications. Typically,\r\nthese websites would require their users to download the applications directly onto their devices. In order to do so, these users\r\nwould be required to enable installation of applications from “unknown sources” on their devices. 
This bypasses the\r\n“trust-chain” of the Android ecosystem and makes it easier for an attacker to deliver additional malicious components.\r\nIndicators of Compromise (IOCs)\r\nSHA256 Description Detection\r\nfd1aac87399ad22234c503d8adb2ae9f0d950b6edf4456b1515a30100b5656a7 The trojanized version of the Syria eGov application AndroidOS_StrongPity.HRX\r\n374d92f553c28e9dad1aa7f5d334a07dede1e5ad19c3766efde74290d0c49afb Sample repackaged from Kingoroot AndroidOS_StrongPity.HRX\r\na9378a5469319faffc48f3aa70f5b352d5acb7d361c5177a9aac90d9c58bb628 Sample repackaged from net.cybertik.wifi AndroidOS_StrongPity.HRX\r\nbe9214a5804632004f7fd5b90fbac3e23f44bb7f0a252b8277dd7e9d8b8a52f3 Repackaged from Snaptube AndroidOS_StrongPity.HRX\r\n596257ef017b02ba6961869d78a2317500a45f00c76682a22bbdbd3391857b5d Repackaged from Snaptube AndroidOS_StrongPity.HRX\r\n75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b Fake Samsung Security Service sample AndroidOS_StrongPity.HRX\r\nNetwork C\u0026C Infrastructure\r\nSHA256 Domain Detection\r\nfd1aac87399ad22234c503d8adb2ae9f0d950b6edf4456b1515a30100b5656a7 Internetwideband[.]com AndroidOS_StrongPity.HRX\r\n374d92f553c28e9dad1aa7f5d334a07dede1e5ad19c3766efde74290d0c49afb upeg-system-app[.]com AndroidOS_StrongPity.HRX\r\na9378a5469319faffc48f3aa70f5b352d5acb7d361c5177a9aac90d9c58bb628 networktopologymaps[.]com AndroidOS_StrongPity.HRX\r\nbe9214a5804632004f7fd5b90fbac3e23f44bb7f0a252b8277dd7e9d8b8a52f3 networktopologymaps[.]com AndroidOS_StrongPity.HRX\r\n596257ef017b02ba6961869d78a2317500a45f00c76682a22bbdbd3391857b5d upeg-system-app[.]com AndroidOS_StrongPity.HRX\r\n75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b upn-sec3-msd[.]com AndroidOS_StrongPity.HRX\r\nSource: 
https://www.trendmicro.com/en_us/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html"
	],
	"report_names": [
		"strongpity-apt-group-deploys-android-malware-for-the-first-time.html"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434957,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e03d0ac2f2ceb90368d667cc7471e3cba3b34f27.pdf",
		"text": "https://archive.orkl.eu/e03d0ac2f2ceb90368d667cc7471e3cba3b34f27.txt",
		"img": "https://archive.orkl.eu/e03d0ac2f2ceb90368d667cc7471e3cba3b34f27.jpg"
	}
}