{
	"id": "51a003a0-fdcf-4fe7-96f0-5d41f898a816",
	"created_at": "2026-04-06T00:18:07.831021Z",
	"updated_at": "2026-04-10T03:36:36.795158Z",
	"deleted_at": null,
	"sha1_hash": "e4f1ed545b9e901b9fbd8490d2eb1b35e05c8211",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72440,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy CyberHunterAutoFeed\r\nArchived: 2026-04-05 16:46:15 UTC\r\nCVE: 2 | FileHash-MD5: 42 | FileHash-SHA1: 41 | FileHash-SHA256: 54 | URL: 8 | YARA: 5 | Domain: 7 |\r\nEmail: 2\r\n根据开源信息，从2023年5月27日开始，CL0P勒索软件团伙，也被称为TA505，开始利用Progress Software\r\n的管理文件传输(MFT)解决方案MOVEit transfer中先前未知的SQL注入漏洞(CVE-2023-34362)。面向互联\r\n网的MOVEit Transfer网络应用程序被一个名为LEMURLOOT的网络外壳感染，然后被用来从底层MOVEit\r\nTransfer数据库窃取数据。在类似的活动中，TA505在2020年和2021年对Accellion文件传输设备(FTA)设备\r\n进行了零日漏洞攻击，在2023年初对Fortra/Linoma GoAnywhere MFT服务器进行了零日漏洞攻击。 CL0P\r\n于2019年2月出现，从CryptoMix勒索软件变种演变而来，在大规模鱼叉式网络钓鱼活动中被用作勒索软\r\n件即服务(RaaS)，该活动使用经过验证和数字签名的二进制文件来绕过系统防御。CL0P以前以使用“双重\r\n勒索”策略而闻名，即窃取和加密受害者数据，拒绝恢复受害者访问权限，并通过CL0P-LEAKS网站在Tor\r\n上发布泄露的数据。2019年，TA505攻击者利用CL0P勒索软件作为网络钓鱼活动的最后有效载荷，该活\r\n动涉及一个启用宏的文档，该文档使用Get2恶意软件发射器下载SDBot和FlawedGrace。在最近从2021年\r\n开始的攻击活动中，CL0P更倾向于主要依靠数据泄露而不是加密。 除了CL0P勒索软件之外，TA505还以\r\n频繁更改恶意软件和推动全球犯罪恶意软件分发趋势而闻名。TA505被认为是全球最大的网络钓鱼和垃圾\r\n邮件分发者之一，据估计，它已经攻击了3000多个美国组织和8000多个全球组织。\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:flawedammyy\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:flawedammyy\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "ZH",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:flawedammyy"
	],
	"report_names": [
		"pulses?q=tag:flawedammyy"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434687,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4f1ed545b9e901b9fbd8490d2eb1b35e05c8211.pdf",
		"text": "https://archive.orkl.eu/e4f1ed545b9e901b9fbd8490d2eb1b35e05c8211.txt",
		"img": "https://archive.orkl.eu/e4f1ed545b9e901b9fbd8490d2eb1b35e05c8211.jpg"
	}
}