{
	"id": "d10d6a91-c7f4-481f-a348-f841b59dd08a",
	"created_at": "2026-04-06T00:18:58.239135Z",
	"updated_at": "2026-04-10T03:34:00.709585Z",
	"deleted_at": null,
	"sha1_hash": "e6190809dde1606ac348fe3aeb06b93f338cb19e",
	"title": "Iranian Threat Actor \u0026 Mass Exploitation Tools | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2638603,
	"plain_text": "Iranian Threat Actor \u0026 Mass Exploitation Tools | Deep Instinct\r\nBy Simon KeninThreat Intelligence Researcher\r\nPublished: 2022-06-01 · Archived: 2026-04-05 17:32:29 UTC\r\nDeep Instinct researchers have recently identified unusual – and dangerous – activity within the environment of one of our\r\ncustomers, an infrastructure and construction company in the Southern U.S. After close analysis, we found that an Iranian\r\nAPT was attempting to compromise an Exchange server and that seven attempts were made in total, each of which was\r\nimmediately prevented by Deep Instinct.\r\nDue to the discovery, Deep Instinct was able to find additional new malware variants and TTPs related to the threat actor.\r\nNotably, installation of a root certificate and an attempt to blend malicious traffic with legitimate traffic.\r\nA full analysis of the event follows.\r\nDiscovery\r\nFigure 1: Deep Instinct console showing the prevented event\r\nWhile investigating the logs from the machine that triggered the alert for the malicious file, it was observed that the file was\r\ncreated by the Exchange Server:\r\nFigure 2: Log entry showing w3wp.exe process responsible for creating a file\r\nAfter inspecting additional events from the same machine, a total of seven exploitation attempts were discovered, followed\r\nby an attempt to drop a malicious file:\r\nhttps://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools\r\nPage 1 of 12\n\nDate Path Hash\r\n2021-10-\r\n30T13:21:50\r\nC:\\Windows\\Temp\\user.exe 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00\r\n2021-12-\r\n05T14:44:13\r\nC:\\Windows\\Temp\\task_update.exe 12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d\r\n2021-12-\r\n05T14:44:34\r\nC:\\Windows\\Temp\\user.exe 7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00\r\n2021-12-\r\n18T12:06:07\r\nC:\\Windows\\Temp\\task_update.exe 
12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d\r\n
2022-01-01T11:51:48 C:\\Windows\\Temp\\user.exe b8a472f219658a28556bab4d6d109fdf3433b5233a765084c70214c973becb\r\n
2022-02-12T08:47:36 C:\\Windows\\Temp\\user.exe b8a472f219658a28556bab4d6d109fdf3433b5233a765084c70214c973becb\r\n
2022-02-12T08:47:47 C:\\Windows\\Temp\\task_update.exe 5a383edfc3c71d55773df40c71473bd949eddc6828ed7e78977b87e1854ea9\r\n
Except for b8a472f219658a28556bab4d6d109fdf3433b5233a765084c70214c973becbbd, all of the hashes have been publicly reported and attributed to an Iranian threat actor Microsoft refers to as PHOSPHORUS. While most of the hashes which surfaced in our telemetry are identical to the ones published in an article from “The DFIR Report,” we have found additional hashes that overlap with other aliases of the same threat actor, so to avoid any further confusion we will refer to the threat actor simply as PHOSPHORUS.\r\n
user.exe\r\n
The previously unknown sample that was found in our telemetry, b8a472f219658a28556bab4d6d109fdf3433b5233a765084c70214c973becbbd, is another variant of the malware that has been described by “The DFIR Report.”\r\n
Its sole purpose is to create a new user account on the compromised system with the username DefaultAccount and the password P@ssw0rd1234.\r\n
The account is then added to the local Administrators group, granted RDP access, and its password is set to never expire.\r\n
This allows the attacker to connect to the compromised system at a later time.\r\n
While searching VirusTotal for files with similar behavior, we were able to identify another previously unknown variant of this file with the hash 104a5ef1b1f52fe3633ce88190a1a2b2df79437cabe31b21c540cecf43c94951:\r\n
Figure 3: Output from execution of “user.exe”\r\n
task_update.exe\r\n
We observed two variants of this file in our telemetry. It is responsible for downloading FRPC from an attacker-controlled server, followed by the creation of a scheduled task to run the downloaded FRPC.\r\n
FRPC stands for Fast Reverse Proxy Client; the downloaded FRPC is configured to connect to yet another attacker-controlled server, creating a tunnel between the attacker and the compromised system.\r\n
The attacker executes “user.exe” before “task_update.exe” and then connects through the created tunnel. This allows the attacker to log in to the compromised system via RDP, even if RDP is not exposed directly to the internet.\r\n
Based on the above behavior, we were able to find a new variant of task_update.exe with the hash 3e36b7a7fc8f742489ddcbe90195774b1ebf62eecc99c77152bf3a85bcb48d74.\r\n
This new variant of “task_update” adds a new root certificate to the system by issuing the command “certutil -addstore -f root %wintmp%\\cert.cer.”\r\n
The behavior of installing a root certificate using “certutil” is not present in previous iterations of “task_update,” and it is fairly easy for defenders to identify.\r\n
The hash of this root certificate file is b06c9d01cd4b89baa595f48736e6e31f2559381f1487f16304dde98ebd5e9d90, and it impersonates Microsoft:\r\n
Figure 4: Details of the certificate added by the threat actor\r\n
This variant has been observed downloading FRPC from a previously undocumented attacker-controlled server, 172.245.26[.]118.\r\n
FRPC Evolution\r\n
The hash of the new FRPC variant that was observed being downloaded by the new task_update.exe is a03e832aa245e3f549542f61e0e351c2cb4886feb77c02bf09bc8781944741f5.\r\n
This file has an invalid certificate chain:\r\n
Figure 5: Certificate chain before installation of the root certificate\r\n
As mentioned earlier, the new variant of “task_update.exe” adds a new root certificate. On a system with this certificate installed, the certificate chain of the FRPC is slightly different but still not valid:\r\n
Figure 6: Certificate chain after the installation of the root certificate\r\n
We can see the root certificate has changed, yet the intermediate certificate is still invalid.\r\n
While observing the traffic created by this variant, Deep Instinct researchers identified a previously undocumented evasion technique used by the threat actor.\r\n
Hiding Malicious Domains in Plain Sight\r\n
The binary generates many connections to domains and subdomains of legitimate companies, along with connections to visually similar subdomains that are attacker controlled.\r\n
This specific variant connects to the following domains:\r\n
Legitimate domains: kcp53.bing.com, kcp53.symantec.com, sophos.com, tcp443.bing.com, tcp443.kaspersky.com, tcp443.symantec.com, tcp443.virustotal.com\r\n
Attacker-controlled domains: kcp53.msupdate.us, kcp53.tcp443.org, tcp443.msupdate.us, tcp443.tcp443.org\r\n
This surge of network activity is used to confuse analysts by blending the malicious domains with similar-looking legitimate domains, which may lead an analyst to classify all of the above as legitimate traffic.\r\n
While analyzing a plethora of previously undocumented FRPC variants used by the threat actor, we concluded that this change was made in early 2022. Prior to this change, FRPC variants had only one attacker-controlled domain configured.\r\n
Some of the new FRPC variants contained additional malicious and legitimate subdomains, which are listed in the appendix.\r\n
In addition to the Windows FRPC variants, ELF variants were identified that were also used with log4j exploitation.\r\n
Additional Payload – Conser.exe\r\n
6a62aa730bac97951c313880e4c6229c17fc4c393d97230f63c8be4bb7f84164\r\n
This is the hash of a .NET executable file that downloads and executes two additional files:\r\n
Figure 7: Code snippet responsible for downloading the two payloads from the attacker’s server\r\n
The downloaded files were hosted on the attacker-controlled subdomain google.onedriver-srv[.]ml.\r\n
The domain onedriver-srv[.]ml is related to COBALT MIRAGE, a cluster of activity that overlaps with PHOSPHORUS.\r\n
During our analysis we were not able to retrieve the “ad” file; however, we were able to retrieve the “pl” file. It is a Plink executable with the hash c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d262, which was previously mentioned in CISA alert AA21-321A describing Iranian APT activity. The file is used to create an SSH tunnel to the attacker’s machine while exposing the RDP port, and it was also hosted on another attacker-controlled server, activate-time-microsoft[.]cf.\r\n
The first unknown executable (the “ad” file), referred to in the code as “AudioManagement,” is installed as a service named “Windows Backup Management.”\r\n
Figure 8: Code snippet responsible for creating the SSH tunnel and adding the “AudioManagement” payload as a system service\r\n
Connecting the dots\r\n
While Microsoft tracked ransomware activity by PHOSPHORUS as early as May 2021, further research reveals that PHOSPHORUS activity can be tracked at least as far back as June 2020.\r\n
The FRPC sample with the hash 8aa3530540ba023fb29550643beb00c9c29f81780056e02c5a0d02a1797b9cd9 from 2021 only connects to the subdomain tcp443.newdesk[.]top, which in the past resolved to the IP 148.251.71[.]182.\r\n
The domain tcp443.symantecserver[.]co also resolved to the IP 148.251.71[.]182.\r\n
This domain is mentioned in another article by “The DFIR Report” regarding Exchange exploitation; both the IP and the domain are related to Plink, however, the hash of the file was not published.\r\n
The same article mentioned the usage of FRPC with a standalone config file; the hash of that file is e3eac25c3beb77ffed609c53b447a81ec8a0e20fb94a6442a51d72ca9e6f7cd2.\r\n
This same hash also appeared in another article regarding Exchange exploitation.\r\n
The hash is related to incident #3 in that article. In the same incident, another hash was observed: 27cb14b58f35a4e3e13903d3237c28bb386d5a56fea88cda16ce01cbf0e5ad8e.\r\n
This file is another version of PowerLess, which was also linked to PHOSPHORUS.\r\n
Figure 9: PDB Path of 27cb14b58f35a4e3e13903d3237c28bb386d5a56fea88cda16ce01cbf0e5ad8e\r\n
The final nail in the coffin is a .zip file uploaded in June 2020 from Iran with the hash c36556977959f682e564b63ee8f0f33f70ab365bc85c043034242d2f6dbac219.\r\n
This zip contains a uniquely modified FRPC with the hash adb2b4ee5c7002bc64ecb1a87f0e7d728eddfda1dd550021c458f1aedcbc31f9.\r\n
This FRPC also requires a configuration file with the hash 29486c9dc095874e8e04ac4b8c33a14ae7ad0a9e395f36b3fb71bce4e1f76758, which is also included in the .zip file.\r\n
Figure 10: FRPC configuration used by the attacker\r\n
Furthermore, the configuration file contains the attacker-controlled domain newdesk[.]top as well as the IP 94.182.164[.]92, which is located in Iran.\r\n
The domain newdesk[.]top used to resolve in 2020 to the IP 89.32.248[.]47, which is also located in Iran.\r\n
Yet another PHOSPHORUS subdomain, update.symantecserver[.]co, also resolved to this same Iranian IP in 2021.\r\n
In 2022, the subdomain update.symantecserver[.]co started resolving to another IP address located in Iran, 79.175.165[.]150.\r\n
Figure 11: Maltego Graph Illustrating Connections\r\n
Conclusion\r\n
In this article we described threat actor activity related to PHOSPHORUS, an Iranian APT actor active since at least 2020.\r\n
The threat actor is known to exploit Fortinet CVE-2018-13379, Exchange ProxyShell, and the log4j vulnerabilities.\r\n
Our analysis indicated that PHOSPHORUS continues its automated scanning and exploitation process in order to gain access to multiple vulnerable organizations at scale.\r\n
Furthermore, we found that the actor is continuously changing its payload and infrastructure, and we discovered a new evasion technique used by PHOSPHORUS to conceal its malicious traffic and mislead security teams.\r\n
Thanks to Deep Instinct’s prevention capabilities, the threat actor was unsuccessful in executing the payloads in a customer environment despite successful exploitation of the Exchange server.\r\n
If you’d like to see the platform in action for yourself, we’d be honored to show you what true prevention looks like.\r\n
Source: https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools"
	],
	"report_names": [
		"iranian-threat-actor-continues-to-develop-mass-exploitation-tools"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6190809dde1606ac348fe3aeb06b93f338cb19e.pdf",
		"text": "https://archive.orkl.eu/e6190809dde1606ac348fe3aeb06b93f338cb19e.txt",
		"img": "https://archive.orkl.eu/e6190809dde1606ac348fe3aeb06b93f338cb19e.jpg"
	}
}