{
	"id": "198f65d2-3283-460b-84bc-0394d7cbbb0e",
	"created_at": "2026-04-06T00:15:07.826114Z",
	"updated_at": "2026-04-10T03:37:08.988206Z",
	"deleted_at": null,
	"sha1_hash": "e3e716bd10709b5ec2b63c1843e76c495fe56c51",
	"title": "DanaBot: A New Banking Trojan Targeting Australia | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1381632,
	"plain_text": "DanaBot: A New Banking Trojan Targeting Australia | Proofpoint US\r\nBy Proofpoint Staff, May 31, 2018\r\nPublished: 2018-05-31 · Archived: 2026-04-02 10:39:37 UTC\r\nOverview\r\n2018 has seen a marked shift away from high-volume, immediately destructive ransomware campaigns to distribution of\r\nbanking Trojans, information stealers, and downloaders. Banking Trojans now make up almost 60% of malicious payloads\r\nwe observe in email. Now a new banking Trojan has emerged, adding to the growing diversity of this segment specifically\r\nand malicious email campaigns in general.\r\nProofpoint researchers discovered a new banking Trojan, dubbed “DanaBot”, targeting users in Australia via emails\r\ncontaining malicious URLs. Written in Delphi, the malware is still under active development. To date, we have only\r\nobserved it being spread by a single threat actor. However, it remains to be seen whether distribution and use become more\r\nwidespread, given that the actor is known for purchasing banking Trojans from other developers and operators. We also\r\nfound additional samples in malware repositories other than those we observed in the wild, potentially suggesting\r\ndistribution by other actors.\r\nDelivery Analysis\r\nMay 6-7, 2018\r\nWe first observed DanaBot as the payload of an Australia-targeted email campaign on May 6, 2018. The messages used the\r\nsubject \"Your E-Toll account statement\" and contained URLs redirecting to Microsoft Word documents hosted on another\r\nsite (hxxp://users[.]tpg[.]com[.]au/angelcorp2001/Account+Statement_Mon752018.doc).\r\nhttps://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0\r\nPage 1 of 16\n\nFigure 1: Sample email from a May 6, 2018, DanaBot campaign\r\nThe Word document contained a macro that, if enabled, downloaded DanaBot using a PowerShell command from\r\nhxxp://bbc[.]lumpens[.]org/tXBDQjBLvs.php. 
This payload was only served to potential victims in AU, with the server\r\nchecking the client’s IP geolocation. The document also contained stolen branding used for social engineering, claiming to\r\nbe protected by a security vendor (branding obscured in Figure 2).\r\nFigure 2: Screenshot of the “Account Statement_Mon752018.doc” document\r\nMay 28-30, 2018\r\nThe DanaBot banker appeared again most recently on May 28-30, again as the payload of an Australia-targeted email\r\ncampaign. The emails used many subjects such as:\r\nCert \"123456789\"\r\nDoc:-\"123456789\"\r\nDocument12345-678\r\nGT123456789\r\nInvoice and Tracking Code 12345678\r\nInvoice from John Doe\r\nThis time, the emails contained URLs linking to zipped JavaScript hosted on FTP servers including\r\nftp://kuku1770:GxRHRgbY7@ftp[.]netregistry[.]net/0987346-23764.zip. The JavaScript, if executed, downloaded DanaBot\r\nfrom hxxp://members[.]giftera[.]org/whuBcaJpqg.php. Again, the server checked geolocation before downloading the\r\nJavaScript.\r\nMalware Functionality Summary\r\nDanaBot is a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component\r\nthat downloads an encrypted file containing the main DLL. 
The DLL, in turn, connects using raw TCP connections to port\r\n443 and downloads additional modules including:\r\nVNCDLL.dll - \"VNC\"\r\nStealerDLL.dll - \"Stealer\"\r\nProxyDLL.dll - \"Sniffer\"\r\nThe malware also downloads configuration files such as:\r\nList of targeted sites for the Sniffer module\r\nBanking web injects\r\nLists of cryptocurrency processes and files to monitor\r\nFinally, it also uploads files to the command and control (C\u0026C) server including:\r\nDetailed system information\r\nScreenshot of the user's desktop\r\nList of files on the user's hard disk\r\nAll uploads and downloads are encrypted with the Microsoft CryptAPI AES256 algorithm.\r\nMalware Analysis\r\nCurrently, the malware is in active development and there appear to be two versions. We observed the first in a campaign\r\naround May 6 and 7 while the second appeared around May 29. However, we found even earlier samples via pivots in\r\nmalware repositories that date from the middle of April, but we have not seen these in the wild.\r\nDownloader Component\r\nThe downloader component communicates with the C\u0026C server and sends an initial check-in beacon with a report about the\r\ninfected machine encoded in the URL parameters. It makes a request such as shown below:\r\nFigure 3: Network request generated by the older version of the malware\r\nFigure 4: Network request generated by the newer version of the malware, featuring an expanded set of URL parameters\r\nIn these network requests, the “e=” parameter is a key used to decrypt the next-stage payload using the Microsoft\r\nCryptAPI’s CryptDeriveKey and CryptDecrypt using an MD5 hash and the AES algorithm. 
The explanations for the other\r\nparameters are provided in the table below:\r\nParameter Explanation Example Value\r\nm= - “T” (also seen “F” and “S”)\r\na= Hardcoded campaign ID 5, 6, 7, 9, 10 and 15\r\nb= (older version) 32 or 64 bit DLL requested 32, 64\r\nb= (newer version) 32 or 64 bit Operating System 32, 64\r\nc= (older version) Client ID (possibly short hash of system info) [8 hex chars]\r\nd= (older version) Probable nonce [8 hex chars]\r\nd= (newer version) Client ID (MD5 hash of system info) [32 hex chars]\r\ne= Encryption key [32 hex chars]\r\ng= (newer version) Nonce [8 hex chars]\r\ni= (newer version) Integrity level 12288\r\nu= (newer version) 1 if user has admin privileges, 0 otherwise 1, 0\r\nv= (newer version) Windows version information 610760110\r\nx= (newer version) Request count 0\r\nt= (newer version) 32 or 64 bit DLL requested 32, 64\r\nTable 1: Explanation of the key-value pairs sent by the infected client to the C\u0026C\r\nIn response to the downloader’s initial check-in, the C\u0026C server sends the next-stage DLL. The DLL is cryptographically\r\nverified using the RSA algorithm and the following public key:\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOmbQ1gGQtE8PUhjKIETLaSSEc\r\nJGp9O0gyckoyrIfb4l4BZqLKAkDGm59lUxSFWPCINQOMQvgvDYydMOyMvABtmi4c\r\n0yb4te8dXE0xVxTQmnxGV9pAf3gfcEg3aqBne/7AQmS+0fFUpccX+huz4Sys415+\r\n6lwVPX2A3RA60ToS6wIDAQAB\r\n-----END PUBLIC KEY-----\r\nThe payload DLL is invoked using “rundll32.exe” and the parameter “#1”. Subsequently, it is invoked with the parameter\r\n#2, #3, etc.\r\nMain DLL Component\r\nThe main DLL communicates using raw TCP to port 443. 
It was observed downloading further DLL modules such as VNC,\r\nSniffer, and Stealer, along with configuration files, all encrypted in a similar way using the Microsoft CryptAPI. Again, the\r\ndownloads are verified using the RSA algorithm with a different public key than noted above:\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpQbDeOOrFbGOuu989TSd1+sJJ\r\ngi1WFiYV0RInlLkAAv1XZwUodBJRMyNWeKPHg40dn9oseicUScBH3lQb5fRvwm9Q\r\noppN5DIhiK9au8yzhm6/BGDUuVfK+vDlutanjYLAnz/Wp/W9bofUe5Ej3WZo2w1T\r\nX/KpjiO/gB/+4vf75wIDAQAB\r\n-----END PUBLIC KEY-----\r\nModule Name Description\r\nVNCDLL.dll “VNC”\r\nProxyDLL.dll “Sniffer”\r\nStealerDLL.dll “Stealer”\r\nTable 2: Modules downloaded by the main component\r\nObject name / (newer version name) Description\r\nPFUrlU / PFilter Sniffer filter list\r\nBVideo / BitVideo Cryptocurrency processes\r\nBKey / BitKey Cryptocurrency processes\r\nCFiles / BitFiles Cryptocurrency files\r\nInjFirst / Pinject Web Injects\r\nTable 3: Configuration files downloaded by the main component\r\nWe have also observed the bot uploading files to the C\u0026C, each compressed with the Deflate algorithm and encrypted with a\r\nrandom AES key. 
The key itself appears to be encrypted with one of the RSA public keys and appended to the uploaded file.\r\nHowever, decryption would require the matching RSA private key, which is presumably only available to the malware\r\noperators.\r\nUploaded file name Description\r\n[none] System Info\r\ndesktopscreen.bmp Screenshot of victim desktop\r\n[32-character hex string].info LZMA-compressed Zip archive containing “Files-C.txt”, a listing of files\r\nTable 4: Files uploaded by the main component of the bot\r\nThe following RSA public key was used for the System Info upload, while uploads of other files used the same key as for\r\nmodule downloads:\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCilEDyzfbBKas+W2brWstcdKfY\r\nWgAl79oHSmdACo7zVCSkqJPocK3u3naHuFD3rYTTkEQbj6IaTNi1vn6eceNedExE\r\nu3ppOvxzRKqCOUOB+yQbz9Hv8xzsh0QnlJzcuLZHDhCDWoKwMbNU2/AXiVR5w7wF\r\nus8H3Gkr8MQZxt/bEwIDAQAB\r\n-----END PUBLIC KEY-----\r\nDiving into greater detail, the downloaded modules of the newer DanaBot consist of a header, followed by an AES-encrypted file, followed by an RSA signature. For example, we highlight interesting and relevant sections of the downloaded\r\nVNC module in the newer bot version:\r\nFigure 5: A hexdump of an example downloaded module with interesting sections highlighted\r\nBytes Description\r\n0x0 ... 0x3 Object size (file data + file signature + header)\r\n0x0c ... 0x0f Object type\r\n0x10 ... Object name (unicode)\r\n0x218 ... Object file name (unicode)\r\n0xaa2 ... 0xaa5 Object size 2 (file data + signature)\r\n0xac3 ... (0xac3 + [size 2] - 129) Encrypted file data\r\n(0xac3 + [size 2] - 128) ... 
(0xac3 + [size 2] - 1) File signature (decrypts to MD5 of encrypted file data)\r\nTable 5: Explanation of the interesting sections of the downloaded module payload\r\nConfiguration Files\r\nTables 6-9 provide the values of some of the configuration files downloaded by the bot.\r\n*m.adnxs.com/ut/v3*\r\n*.youtube.com*event=streamingstats*\r\n*.youtube.com/api/stats/*\r\n*outlook.live.com/owa/service.svc?action=LogDatapoint\u0026*\r\n*clientservices.googleapis.com*\r\n*clients4.google.com*\r\n*connect.facebook.net/log/*\r\n*.mozilla.org*\r\n*.mozilla.com*\r\n*syndication.twitter.com/*\r\n*cws.conviva.com*\r\n*api.segment.io*\r\n*as-sec.casalemedia.com*\r\n*yunify.chicoryapp.com*\r\n*oauth20_token.srf*\r\n*Exchange/ucwa/oauth/v1/*\r\n*beacons.gcp.gvt2.com*\r\n*.facebook.com*\r\n*.facebook.com/login.php?*\r\n*mc.yandex.ru/webvisor*\r\n*api.logmatic.io/v1/*\r\n*sot3.mavenhut.com*\r\n*erlang.simcase.ru/api/*\r\n*sentry.io/api*\r\n*dsn.algolia.net/1*\r\n*t.urs.microsoft.com*\r\n*.paypal.com/webapps/hermes/api/log*\r\n*.netflix.com*\r\n*s.update.fbsbx.com*\r\n*.youtube.com/youtubei/v1/*\r\n*p.cybertonica.com*\r\n*webmail.subwayadmin.com.au*\r\n*email.telstra.com/webmail/*\r\n*.googleapis.com*\r\nhttp://*\r\n*outlook.office365.com/owa/service.svc?*\r\n*outlook.office.com/owa/service.svc?*\r\n*outlook.live.com/owa/service.svc?*\r\n*mail.google.com/mail/u/0/*\r\n*.client-channel.google.com*\r\n*bam.nr-data.net*\r\n*browser.pipe.aria.microsoft.com*\r\n*client-s.gateway.messenger.live.com*\r\n*notifications.google.com*\r\n*.google.com/recaptcha/api2/*\r\n*.bing.com*\r\n*.youtube.com*\r\n*bidder.criteo.com*\r\n*.demdex.net/event?*\r\n*insights.hotjar.com/api*\r\n*nexus-long-poller-b.intercom.io*\r\n
*.icloud.com/*\n*s.acexedge.com*\n*s.update.*\n*vid-io.springserve.com*\n*vuws.westernsydney.edu.au*\nTable 6: Sniffer filter list (“PFUrlU” configuration file in the older version); the newer version configuration file\n(“PFilter”) only contained a “*mozilla*” target in our tests, suggesting that this may be a whitelist.\nset_url *my.commbank.com.au/netbank* GP\ndata_before\ndata_end\ndata_inject\n\ndata_end\ndata_after\ndata_end\ndata_inject\n\ndata_end\ndata_after\ndata_end\nset_url *my.commbiz.commbank.com.au* GP\ndata_before\ndata_end\ndata_inject\n\ndata_end\ndata_after\ndata_end\ndata_inject\n\ndata_end\ndata_after\ndata_end\nTable 7: Web injects configuration file (“InjFirst” in the older version, “PInject” in the newer; brackets added to URLs)\n*-QT*.EXE*\n*ETHEREUM*.EXE*\n*DECENT.EXE*\n*ELECTRON*.EXE*\n*ELECTRUM*.EXE*\n*ZCASH*.EXE*\n*EXPANSE*.EXE*\n*SUMOCOIN*.EXE*\n*BITCONNECT*.EXE*\n*IOTA*.EXE*\n*KARBOWANEC.EXE*\n*ARKCLIENT.EXE*\n*ZCLASSIC*WALLET.EXE*\n*PASCALCOINWALLET.EXE*\nTable 8: Cryptocurrency processes (“BVideo” and “BKey” configuration files in the older version, “BitVideo” and\r\n“BitKey” in the newer; italicized processes appeared only in the older version)\r\n*\\WALLETKEYS.DAT*\r\n*\\DEFAULT_WALLET*\r\n*\\WALLET.DAT*\r\nTable 9: Cryptocurrency files (“CFiles” configuration file in the older version, “BitFiles” in the newer; italicized files\r\nappeared only in the older version)\r\nStealer Module\r\nWe observed that the stealer module targets mail clients such as Windows Live Mail and Outlook. 
It also targets instant\r\nmessengers such as Miranda, Trillian, and Digsby; FTP clients such as WS_FTP, FileZilla and SmartFTP; and checks\r\nbrowser history.\r\nFigure 6: Stealer module targeting information from browsers\r\nFigure 7: Stealer module targeting FTP clients (actual list is much longer)\r\nAttribution\r\nAs noted in the introduction, we only observed DanaBot being distributed by a single threat actor, tracked by Proofpoint as\r\nTA547. However, this may change since the actor is known for purchasing banking Trojans from other developers and\r\noperators.\r\nTA547 has been responsible for many other campaigns since at least November 2017. The other campaigns by the actor were often\r\nlocalized to countries such as Australia, Germany, the United Kingdom, and Italy. Delivered malware included ZLoader\r\n(a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.\r\nIt is worth noting that samples of DanaBot found in a public malware repository contained different campaign IDs (the “a=”\r\nparameter) than the ones we observed in the wild, suggesting that there may be activity other than that which we observed.\r\nFinally, we should mention that DanaBot bears some similarities in its technical implementation and choices of technology\r\nto earlier malware, in particular Reveton and CryptXXX [1], which were also written in Delphi and communicated using\r\nraw TCP to port 443. These malware strains also featured similarities in the style of C\u0026C traffic.\r\nConclusion\r\nAfter nearly two years of relentless, high-volume ransomware campaigns, threat actors appear to be favoring less noisy\r\nmalware such as banking Trojans and information stealers. 
DanaBot is the latest example of malware focused on persistence\r\nand stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The\r\nsocial engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a\r\nrenewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download\r\nadditional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. We\r\nwill continue to dive deeper into this new malware and monitor its place in the changing threat landscape.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler\r\nIndicators of Compromise (IOCs)\r\nIOC IOC Type Description\r\nhxxp://users[.]tpg[.]com[.]au/angelcorp2001/Account+Statement_Mon752018.doc URL URL hosting document leading to DanaBot on 2018-05-06\r\n82c783d3c8055e68dcf674946625cfae864e74a973035a61925d33294684c6d4 SHA256 Account Statement_Mon752018.doc\r\nhxxp://bbc[.]lumpens[.]org/tXBDQjBLvs.php URL Account Statement_Mon752018.doc document payload\r\nf60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d9fce3169417e8c9fd3df12 SHA256 DanaBot 2018-05-06\r\nfxp://kuku1770:GxRHRgbY7@ftp[.]netregistry[.]net/secure/325-5633346%20-%20C-12%20%2811%29.zip URL URL hosting zipped JavaScript leading to DanaBot on 2018-05-29\r\na8a9a389e8da313f0ffcde75326784268cbe1447ce403c7d3a65465f32a1d858 SHA256 JavaScript on 2018-05-29\r\nhxxp://members[.]giftera[.]org/whuBcaJpqg.php URL JavaScript payload URL on 2018-05-29\r\ne59fdd99c210415e5097d9703bad950d38f448b3f98bb35f0bdc83ac2a41a60b SHA256 DanaBot 
2018-05-29\r\nfxp://lbdx020a:mbsx5347@marinersnorth[.]com[.]au/images/090909-001-8765%28239%29.zip URL URL hosting zipped JavaScript leading to DanaBot on 2018-05-30\r\n78b0bd05b03a366b6fe05621d30ab529f0e82b02eef63b23fc7495e05038c55a SHA256 DanaBot 2018-05-30\r\n6ece271a0088c88ed29f4b78eab00d0e7800da63757b79b6e6c3838f39aa7b69 SHA256 Additional DanaBot 2018-04-17 (early sample found using pivots)\r\n207.148.86[.]218 IP DanaBot C\u0026C (May 2017)\r\n144.202.61[.]204 IP DanaBot C\u0026C (May 2017 - raw TCP)\r\n104.238.174[.]105 IP DanaBot C\u0026C (May 2017 - raw TCP)\r\n5.188.231[.]229 IP DanaBot C\u0026C (April 17 early sample)\r\nET and ETPRO Suricata/Snort/ClamAV Signatures\r\n2830756 || ETPRO TROJAN Win32.DanaBot Starting VNC Module\r\n2803757 || ETPRO TROJAN Win32.DanaBot HTTP Checkin\r\n2831097 || ETPRO TROJAN Win32.DanaBot HTTP Checkin M2\r\n2831096 || ETPRO TROJAN Win32.DanaBot HTTP Checkin M3\r\n2831099 || ETPRO TROJAN Win32.DanaBot HTTP Checkin M4\r\n2831100 || ETPRO TROJAN Win32.DanaBot HTTP Checkin M5\r\nSource: https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0"
	],
	"report_names": [
		"danabot-new-banking-trojan-surfaces-down-under-0"
	],
	"threat_actors": [
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434507,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3e716bd10709b5ec2b63c1843e76c495fe56c51.pdf",
		"text": "https://archive.orkl.eu/e3e716bd10709b5ec2b63c1843e76c495fe56c51.txt",
		"img": "https://archive.orkl.eu/e3e716bd10709b5ec2b63c1843e76c495fe56c51.jpg"
	}
}