{
	"id": "2be9f79c-d2a6-40cd-978e-46826fa74a61",
	"created_at": "2026-04-06T01:30:22.047477Z",
	"updated_at": "2026-04-10T13:12:54.046343Z",
	"deleted_at": null,
	"sha1_hash": "e5f1c33cac341286af9062168f4d925bb241ac7a",
	"title": "Investigating Intrusions From Intriguing Exploits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 751480,
	"plain_text": "Investigating Intrusions From Intriguing Exploits\r\nBy Joe Slowik\r\nPublished: 2023-02-08 · Archived: 2026-04-06 00:50:41 UTC\r\nSummary\r\nOn 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic - a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation - but further analysis revealed a more interesting set of circumstances. By investigating the event in question and pursuing root cause analysis (RCA), Huntress was able to link this intrusion to a recently-announced vulnerability as well as to a long-running post-exploitation framework linked to prominent ransomware groups. As a result of a combination of quick initial triage and action with deeper investigation, Huntress was able to mitigate and prevent an intrusion likely leading to a disruptive ransomware incident.\r\nThe Event\r\nThe Huntress Security Operations Center received two alerts for a managed host on 02 February 2023. The first alert was for certutil downloading a file from a remote resource:\r\nUsing certutil to download a file is not malicious by itself. The important question to ask about this activity is always, \"What was downloaded?\" In this case we were unable to obtain much information immediately. We tried connecting to the resource ourselves to pull down the file and analyze it, but the port seemed to already be closed. Looking at publicly available resources, VirusTotal did show a couple of resources that marked this IP as malicious, and that it was physically hosted in Bulgaria. This information was not enough to be sure what was happening but did indicate that the IP address likely was not a known-good IP address associated with the organization.\r\nhttps://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits\r\nPage 1 of 11\r\nSince we were unable to obtain the file at this point to analyze it directly, and little information was available publicly, we had to look for other evidence on the system itself to determine whether this was malicious activity. Looking more closely at the first command executed, the file was downloaded to the C:\\users\\Public directory followed by attempted execution of the downloaded file with rundll32.exe. Storing and executing files out of the C:\\users\\Public directory is a common tactic used by adversaries, so this made the activity seem more suspicious. Knowing that the DLL was also executed further raised the risk level of the incident, since if it was malware that was downloaded, it is now running on the system.\r\nThe main question we wanted to answer at this point was: What was the DLL? What does it do? Since the file was no longer present on the host, we could not do any reverse engineering or malware analysis ourselves. However, one part of the execution of the DLL pointed to what might be happening.\r\nThe attempted execution command was: rundll32.exe C:\\Users\\Public\\gamft.dll,ChkdskExs indicating the execution of a specified exported resource within the DLL. This is normal behavior; however, this SPECIFIC entry point is not normal and is in fact quite unique, and this resulted in the second alert for this host. Huntress has previously observed this activity from malware named Truebot, which references the same export. This can be seen in the strings of a different known Truebot DLL:\r\nHuntress was able to further determine the DLL was likely malicious based on the creation of very specifically-named Scheduled Tasks used as persistence to execute the malicious DLL. These tasks were named:\r\nNvTmRep_CrashReport3_{B2FE1952-0186-36D3-AAHC-AB80CA35AH5B6}\r\nNvTmRep_CrashReport2_{B2FE1952-0186-26H3-AAHC-FB80AA35AH5B1}\r\nThese tasks pointed to the same DLL execution previously described: rundll32.exe C:\\Users\\Public\\gamft.dll,ChkdskExs\r\nNotably, these task names also followed a pattern consistent with recent Truebot samples we have seen, illustrated in the following regular expression (regex):\r\nNvTmRep_CrashReport[0-9]{1}_{[0-9A-Z]{1}2FE1952-0186-[0-9A-Z]{4}-AAHC-[0-9A-Z]{7,8}AH5B[0-9]{1}}\r\nThe above regex provided an additional detection touchpoint for Huntress. These names are designed to masquerade as legitimate NVIDIA crash report scheduled tasks using NvTmRep.exe, illustrated as follows:\r\nNvTmRep_CrashReport4_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}\r\nThese tasks normally execute a legitimate NVIDIA executable file, such as: C:\\Program Files\\NVIDIA Corporation\\NvBackend\\NvTmRep.exe\r\nAnother important factor Huntress observed was that these two commands (certutil and rundll32) were both executed by the user GoAnywhereSvcAcct on a host that was clearly designated to process GoAnywhereMFT transactions.\r\nThe question with odd commands executed on a server should be, \"Where did they come from?\" In this case the parent process was tomcat.exe executing from a subdirectory inside the C:\\Program Files\\Linoma Software\\GoAnywhere directory. Apache Tomcat is an open-source Java web application server, and is typically accessed from the internet as a web server; this does not normally include executing native utilities such as certutil.exe or rundll32.exe on the host operating system!\r\nThe activity, at this point, appears to be a web server compromise of some kind, which resulted in the download and execution of a malicious file. Initial observations indicate a likely overlap or relationship with Truebot, but insufficient evidence is available to support this claim at this point in the investigation.\r\nThe method used to gain access to the server was unknown at this point, and the intended post-exploitation activity on the host is also unknown, as no further activity had yet been observed via EDR telemetry. Interestingly, Huntress identified that after the server was isolated due to the observed activity, a similar alert was received for another system in the organization; this system was also designated for GoAnywhereMFT services. This raised even more suspicion about the nature of this attack and the involvement of the GoAnywhereMFT application, and prompted deeper research and analysis.\r\nResearch and Root Cause Analysis\r\nAfter initial triage and incident response, the Huntress team investigated how and why the observed activity took place. Central to this analysis was understanding the relationship of the observed malicious activity - a combination of scheduled task creation and apparent second-stage payload retrieval - to parent processes and executing users.\r\nFor both impacted servers, the source of activity appeared to be the same: execution under a service account (GoAnywhereSvcAcct) in the context of the Apache Tomcat web server. This combination, along with the names of the impacted servers, links to the GoAnywhere Managed File Transfer (MFT) software. Although precise reasons why this software was involved remain indeterminate at this point, Huntress analysts were able to trace compromise activity to this application.\r\nAt this stage, several possibilities presented themselves; for one, an adversary may have brute-forced remote connectivity for the servers in question to gain access to the environment and then run subsequent commands in the context of the compromised account. Alternatively, the service itself may have been exploited, resulting in follow-on remote code execution (RCE) in the victim environment as child processes under the GoAnywhere software.\r\nIn the moments of initial analysis and triage, the precise cause or route to adversary command execution was unknown - a not unexpected set of circumstances in the middle of time-sensitive managed defense and response. However, further research and analysis, as well as diligent monitoring of open source reporting and social media posting, would soon prove beneficial in revealing more about this event, and enable proper contextualization of the incident.\r\nOpen Source Analysis and Links\r\nOn 02 February 2023, roughly in concert with the incident described above, security reporter Brian Krebs posted on Mastodon regarding an RCE vulnerability in GoAnywhere MFT software. The security advisory, which was not made public and as of this writing has no CVE associated with it, was described as follows:\r\nA Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT. The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).\r\nBased on this description and given the combination of impacted hosts (GoAnywhere file servers), subsequent impacted users and processes (linked to GoAnywhere operations), and observed actions (attempted second-stage retrieval), we arrive at a plausible explanation for the observed alerts. A GoAnywhere server with an externally-exposed management interface was compromised on or before 02 February 2023, leading to attempted post-exploitation survey and persistence activity.\r\nFollowing initial analysis and discovery, further research emerged identifying the specific vulnerability in GoAnywhere MFT software on 06 February 2023. Given the relative simplicity of the vulnerability (and the ability to reverse engineer a payload based on the vendor’s non-public advisory), Huntress considers this analysis as effectively the release of a proof of concept (POC) for this exploit in the wild. As a result, we anticipate wider activity.\r\nArtifact Analysis and Potential Responsibility\r\nAlthough Huntress already performed significant analysis of the infected hosts and subsequent actions (attempted or otherwise) following exploitation, true RCA requires “digging deeper.” While details are somewhat sparse, enough items remain, from network infrastructure to a malware sample, to engage in further research and analysis.\r\nInfrastructure Research\r\nThe IP address referenced, 5.188.206[.]76, is associated with a Bulgarian virtual private server (VPS) provider. While this alone may be suspicious, as analysts we should dig further to understand, if possible, the creation, disposition, and use of this infrastructure.\r\nBased on the command observed via EDR telemetry and alerting, the remote host had an HTTP listener on TCP 8000 on 02 February 2023. Notably, this port is associated with the GoAnywhere MFT administrative access port, the target of the reported RCE. Subsequent research and investigation show that this port (and all others except SSH) was closed off shortly after the incident, leaving only remote administration possible. It is therefore possible that the threat actor rotates infrastructure frequently, making IP blocklists and similar of limited utility for proactive defense, or this specific piece of infrastructure was recognized as “burned,” and thus “shut down” from further operations.\r\nThe combination of communication direct to an IP address (i.e., not using a domain name with its corresponding DNS lookup) combined with a nonstandard port for a standard service (HTTP over TCP 8000) provides a potential detection point, albeit a limited one. With limited additional details to explore, this avenue of investigation is closed off; we have an IP address, but limited ability (given the initial case) to explore further absent additional observations.\r\nBinary Research\r\nWith network infrastructure research closed off, we can proceed with analysis of the binary in question that was hosted on the remote resource. Huntress was eventually able to recover a copy of this file, with the following characteristics:\r\nName: gamft.dll\r\nMD5: 82d4025b84cf569ec82d21918d641540\r\nSHA1: 62f5a16d1ef20064dd78f5d934c84d474aca8bbe\r\nSHA256: c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c\r\nThe file was compiled in late January 2023, shortly but not immediately before the incident in question, and contains a number of interesting characteristics. One item that immediately stands out is the filename. “Gamft” may seem semi-random at first, but appears to be an abbreviation for “GoAnywhere Managed File Transfer.” Huntress is not aware of any legitimate DLLs associated with GoAnywhere MFT software or what their naming convention would be, but deliberate mimicry likely represents an effort by the adversary to evade detection or further scrutiny.\r\nIn addition to the “legitimate” name, the file is a signed binary, using the following signing certificate issued via Sectigo:\r\nName: SAVAS INVESTMENTS PTY LTD\r\nStatus: Valid\r\nIssuer: Sectigo Public Code Signing CA R36\r\nValid From: 12:00 AM 10/07/2022\r\nValid To: 11:59 PM 10/07/2023\r\nThumbprint: 8DCCF6AD21A58226521E36D7E5DBAD133331C181\r\nSerial Number: 00-82-D2-24-32-3E-FA-65-06-0B-64-1F-51-FA-DF-EF-02\r\nQuick searches identify posts on social media as well as other resources flagging this certificate (or at least, certificates associated with “Savas”) as linked to malicious activity.\r\nFurther investigation reveals signs of functionality, such as strings referencing follow-on PowerShell and WMI functionality, as well as POST activity to command and control (C2) infrastructure. What stood out though are references to what appear to be commands or functions for the malware:\r\nKLLS\r\n404NO\r\nFinally, analysis of execution identified the C2 infrastructure for this sample:\r\nhXXp://qweastradoc[.]com/gate[.]php\r\nThe combination of items, including the use of a Sectigo code signing certificate, command string references, and C2 domain and infrastructure patterns, aligns closely with a campaign initially described by Cisco Talos in December 2022. Based on preliminary analysis, Huntress’ earlier hypothesis on the nature of this malware appears to be correct: the recovered DLL appears to be an updated version of a malware family referred to as Truebot, associated with a Russian-language actor known as Silence.\r\nPotential Responsibility\r\nWhile Huntress was able to identify and contain this infection event before further adversary actions could take place, enough bits of information are available to arrive at some plausible theories on responsibility. As previously mentioned, Truebot is linked to a group referred to as Silence. As reported by the French CERT, Silence has been active in some form since 2016, with Truebot serving as an initial access, post-compromise tool for the entity’s operations.\r\nWhile links are not authoritative, analysis of Truebot activity and deployment mechanisms indicates links to a group referred to as TA505, distributors of a ransomware family referred to as Clop; reporting from various entities links Silence/Truebot activity to TA505 operations. Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose.\r\nDefensive Guidance and Recommendations\r\nThe incident above spans two distinct security problems: server-side exploitation for initial system access, and post-exploitation actions to “break out” of an initial access point toward wider network compromise. Resilient defense requires investing in defensive countermeasures and monitoring across these phases of operations, as well as across the later-stage actions that would have followed had this specific incident not been identified at a relatively early stage.\r\nExploit Detection and Prevention\r\nIdeally, defenders can identify (or block) exploitation attempts (especially items against external-facing devices that lead to RCE). In this specific case, however, we appear to have a true zero day issue, where adversaries have identified a flaw in the targeted software (GoAnywhere MFT) before the vendor is able to release a patch. Deploying detections via network security monitoring thus becomes implausible, and removing the vulnerability is (as of this writing) not possible either.\r\nApproximately a week after releasing the notice to customers, and after active exploitation as described above, GoAnywhere vendor Fortra released a patch to users on 07 February 2023. However, this still leaves an extended period of vulnerability even if organizations are able to rapidly test and deploy this fix. For events such as these in the future, organizations should first and foremost work to limit externally-exposed services to only those necessary for business function, and work to secure and monitor those remaining items as part of attack surface management.\r\nUnfortunately, while this advice is sound, it is also difficult to implement and maintain over time. System owners and defenders must therefore extend defense and monitoring beyond the perimeter to ensure that if (or more likely when) an adversary gains initial access, options remain for detecting and defeating such activity.\r\nPost-Exploit Defense and Identification\r\nCritically in this incident, Huntress identified and initiated a response very early in this attacker’s lifecycle through identification of post-exploitation behaviors. Defenders must look for opportunities to flag and respond to behaviors strongly correlated with malicious activity. Examples linked to this event include but are not limited to the following possibilities:\r\nUse of certutil to retrieve and decode remotely-hosted content.\r\nNon-standard or unusual applications (such as Apache Tomcat) spawning processes such as certutil (along with other deobfuscation or execution mechanisms such as PowerShell or similar).\r\nUnusual use of rundll32.exe such as calling binaries from atypical disk locations.\r\nAttempts to achieve persistent presence on a system through the creation of new scheduled tasks.\r\nWhile adversaries may gain initial access to the defended network, layered monitoring of post-exploitation activity can detect (and hopefully defeat) adversaries before they can harden their presence within the network and move laterally.\r\nConclusions\r\nHuntress identified and mitigated an intrusion associated with exploitation of a zero day through layered monitoring of a client environment. By catching post-exploitation activity at an early stage, the victim organization was able to avoid a likely ransomware event that could have cost the entity dearly.\r\nThrough a combination of layered detection and monitoring as well as post-incident RCA, Huntress researchers identified not only the likely cause of this incident (exploitation of a vulnerability in GoAnywhere MFT), but also links to broader criminal cyber activity. Through repeated application of these mechanisms - incident response, incident analysis, and post-incident research - organizations can not only ensure adequate response to intrusions, but also reveal motivations and deeper technical behaviors that underlie them.\r\nAssociated Intrusion Indicators\r\nHost Indicators\r\nSHA256 | File Name | Compilation Date | Comment\r\nc042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c | gamft.dll | 25 Jan 2023 | Truebot DLL identified in incident.\r\n0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3 | larabqFa.exe | 18 Jan 2023 | Related Truebot DLL sample.\r\nc9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d | Pxaz.dll | 11 Jan 2023 | Related Truebot DLL sample.\r\nNetwork Indicators\r\nObservation | Comment\r\n5.188.206[.]76 | Hosting location for Truebot.\r\nqweastradoc[.]com | C2 domain for Truebot.\r\n92.118.36[.]213 | Hosting IP for Truebot C2 domain.\r\nDetection Opportunities\r\nIn addition to the indicators above, organizations can leverage tools such as Sigma to identify suspicious behaviors linked to this intrusion. Huntress has an example of such a rule, looking for instances of Apache Tomcat spawning a process.\r\nMITRE ATT\u0026CK Mapping\r\nTactic | Technique | Description\r\nInitial Access | T1190 - Exploit Public Facing Application | Adversary gained initial access via exploit of GoAnywhere MFT service.\r\nExecution | T1203 - Exploitation for Client Execution | Adversary gained code execution capability through exploit of GoAnywhere MFT service.\r\nPersistence | T1053.005 - Scheduled Task/Job: Scheduled Task | Adversary created scheduled tasks for persistence purposes.\r\nDefense Evasion | T1036.004 - Masquerading: Masquerade Task or Service | Adversary used file naming conventions to impersonate legitimate-looking processes and files.\r\nDefense Evasion | T1553.002 - Subvert Trust Controls: Code Signing | Adversary used a valid code signing certificate for Truebot payload.\r\nDefense Evasion | T1078.003 - Valid Accounts: Local Accounts | Adversary used account associated with exploited process for subsequent actions.\r\nDefense Evasion | T1140 - Deobfuscate/Decode Files or Information | Adversary used certutil to decode an encoded Truebot payload.\r\nDefense Evasion | T1218.011 - System Binary Proxy Execution: Rundll32 | Adversary used Rundll32 to attempt execution of Truebot payload.\r\nCommand and Control | T1071.001 - Application Layer Protocol: Web Protocols | Truebot payload C2 communications performed over HTTP.\r\nCommand and Control | T1105 - Ingress Tool Transfer | Adversary attempted to retrieve and build Truebot payload via certutil command.\r\nCommand and Control | T1571 - Non-Standard Port | Adversary used HTTP over a non-standard port for Truebot payload retrieval.\r\nCommand and Control | T1132.001 - Data Encoding: Standard Encoding | Adversary encoded Truebot payload for standard decoding via certutil.\r\n*Special thanks to Matt Anderson for his help with writing this blog.\r\nSource: https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits"
	],
	"report_names": [
		"investigating-intrusions-from-intriguing-exploits"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439022,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5f1c33cac341286af9062168f4d925bb241ac7a.pdf",
		"text": "https://archive.orkl.eu/e5f1c33cac341286af9062168f4d925bb241ac7a.txt",
		"img": "https://archive.orkl.eu/e5f1c33cac341286af9062168f4d925bb241ac7a.jpg"
	}
}