{
	"id": "b609fc95-d447-4ab2-9ad2-9b5febd3af70",
	"created_at": "2026-04-06T00:11:02.400155Z",
	"updated_at": "2026-04-10T03:34:02.930087Z",
	"deleted_at": null,
	"sha1_hash": "ece228c7c68ab3bf0ae4652d3d01dad30a4a0210",
	"title": "Securonix Threat Labs Monthly Intelligence Insights – September 2023",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 311619,
	"plain_text": "Securonix Threat Labs Monthly Intelligence Insights – September 2023\r\nArchived: 2026-04-05 16:41:17 UTC\r\nBy Dheeraj Kumar, Ella Dragun, Securonix Threat Labs\r\nThe Monthly Intelligence Insights provides a summary of top threats curated, monitored, and analyzed by Securonix Threat Labs in September. The report additionally provides a synopsis of the threats; indicators of compromise (IoCs); tactics, techniques, and procedures (TTPs); and related tags. Each threat has a comprehensive threat summary from Threat Labs and search queries from the Threat Research team. For additional information on Threat Labs and related search queries used via Autonomous Threat Sweeper to detect the below mentioned threats, refer to our Threat Labs home page.\r\nIn September 2023, Threat Labs analyzed and monitored major threat categories, including a brand-new ransomware family going by the name of 3AM. The ransomware was employed in a single attack by a ransomware affiliate that tried to install LockBit on a target’s network but switched to 3AM after LockBit was blocked, according to Symantec researchers.\r\nhttps://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-september-2023/\r\nPage 1 of 8\n\nIn September 2023, Securonix Autonomous Threat Sweeper identified 2,517 TTPs and IoCs, 144 distinct threats, and reported 26 threat detections. The top data sources swept against include IDS/IPS/UTM/Threat Detection, Endpoint Management Systems, Data Loss Prevention, and Email/Email Security.\r\nProminent ransomware attacks (Originally published in September 2023)\r\nRecent ransomware attacks have unveiled a concerning trend in the digital domain. Notably, major casino chains, Caesars Entertainment and MGM Resorts, have found themselves in the crosshairs. The dual-threat approach by cybercriminals has heightened the risks. They aren’t content with just encrypting data; they are also exfiltrating it, posing a dual threat to organizations. Furthermore, the focus on critical infrastructure components, as observed in the MGM attack where ESXi servers were encrypted, reveals a shift from traditional end-user targets. This surge in sophisticated attacks is reminiscent of the tactics employed by the notorious LockBit, Snatch, and Vidar ransomware groups in 2023, emphasizing a global trend in cyber threats.\r\nThe continuous evolution of ransomware tactics underlines the need for industries, especially data-rich sectors like casinos, to bolster their cybersecurity measures. With the recent activities of groups like LockBit, Snatch, and Vidar setting a menacing precedent, it’s imperative for organizations to adopt a multifaceted defense strategy. The recent willingness of entities like Caesars Entertainment to pay substantial ransoms also raises concerns about potentially emboldening cybercriminals for future attacks. In this fully digital environment, being proactive rather than reactive could be the difference between security and compromise.\r\nRansomware – Description\r\nFreeWorld ransomware – A cyberattack operation that compromises vulnerable Microsoft SQL Server (MSSQL) databases and uses brute-force attacks to deliver Cobalt Strike and ransomware payloads has been identified. A recent Securonix analysis covers this campaign’s typical attack sequence, with brute forcing entry into the unprotected MSSQL databases. After initial infiltration, the attackers launch a number of payloads using MSSQL as a beachhead, including remote-access Trojans (RATs) and a new Mimic ransomware variant called “FreeWorld.” The binary file names contain the word “FreeWorld,” the ransom demand file is called FreeWorld-Contact.txt, and the ransomware extension is “.FreeWorldEncryption.”\r\n3AM ransomware – 3AM was recently discovered by researchers. According to the analysis, this ransomware was first used in a failed attack, when threat actors switched to it after LockBit ransomware was blocked. This new strategy shows that ransomware affiliates can also carry several ransomware strains to pursue their targets until the very end and guarantee the success of their operations. Typically, ransomware affiliates carry a number of tools in their armory for use in attacks.\r\nRedLine and Vidar – According to analysis by researchers, the threat groups behind RedLine and Vidar have started distributing ransomware using the same techniques they use to spread info-stealers. In one such instance, victims first encountered malware that was issued with Extended Validation (EV) code signing certificates and that stole information. However, over time, they also began receiving ransomware delivered using the same technique.\r\nSnatch ransomware – A combined cybersecurity advisory from the FBI and CISA has been released regarding the Snatch ransomware variant. The warning includes the tactics, techniques, and procedures (TTPs) used by the Snatch ransomware and offers insights into how it operates. The Snatch ransomware strain, which engages in data theft and extortion activities, was discovered through FBI investigations as recently as June 1, 2023, according to the advisory.\r\nThreat Labs summary\r\nSecuronix Threat Labs recommends leveraging our findings to deploy protective measures against increased threats from these ransomware families.\r\nContinually do backups, and store the results either offline or on a different network.\r\nOn your computer, smartphone, and other connected devices, turn on automatic software updates whenever practical.\r\nUse a trusted antivirus and internet security software suite on all connected devices, including your computer, laptop, and mobile.\r\nAvoid opening email attachments without first verifying their legitimacy, and avoid clicking on dubious links.\r\n88 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.\r\nTTPs related to the FreeWorld ransomware include but are not limited to the following:\r\nMonitor for network-level authentication for RDP connections.\r\nMonitor for Mimikatz being executed through another batch file.\r\nTTPs related to the 3AM ransomware include but are not limited to the following:\r\nMonitor for the presence of the following filenames in the directory /usr/lib64/seahorses/:\r\n– ‘kbioset’\r\n– ‘cpc’\r\n– ‘kkdmflush’\r\n– ‘soss’\r\n– ‘sshod’\r\n– ‘nethoogs’\r\n– ‘iftoop’\r\n– ‘iptraof’\r\nTTPs related to RedLine and Vidar include but are not limited to the following:\r\nMonitor for the rare installation path in the TEMP folder which is later added to the startup folder for establishing persistence.\r\nTags: Ransomware: FreeWorld, Mimic, 3AM, LockBit, Snatch | Target: MS SQL server | Target Sector: Infrastructure, IT, US Defense Industrial Base, Food and Agriculture Vertical\r\nOngoing phishing campaigns (Originally published in September 2023)\r\nGroup-IB claims that a custom phishing kit called W3LL Panel was available for purchase on the threat actor’s secret underground market, W3LL Store, which catered to a closed community of at least 500 other threat actors. W3LL Panel is made to get around MFA, and it was sold alongside 16 other fully customized tools for business email compromise (BEC) attacks. A previously undocumented “phishing empire” has been linked to more than 56,000 Microsoft 365 business email accounts over the past six years, according to Group-IB, which has identified a hidden underground market. W3LL’s major weapon, W3LL Panel, may be considered one of the most advanced phishing kits in its class, featuring adversary-in-the-middle functionality, API, source code protection, and other unique capabilities. W3LL Panel does not have a variety of fake pages; it was designed to compromise Microsoft 365 accounts specifically. However, due to its high efficiency, the phishing kit became trusted by a narrow circle of BEC criminals.\r\nSecuronix Threat Labs experts have identified an ongoing phishing campaign, dubbed STARK#VORTEX, that is specifically targeting Ukraine’s military. Orchestrated by the threat group UAC-0154, this campaign utilizes sophisticated techniques to evade detection. The attackers use a Microsoft Help file with embedded obfuscated JavaScript code as a lure document, disguised as a manual for Pilot-in-Command (PIC) Drones, to deliver the MerlinAgent malware. The PowerShell-based malware is heavily obfuscated and downloads a payload from a remote server, giving attackers full control over compromised systems.\r\nThreat Labs summary\r\nSecuronix Threat Labs recommends leveraging our findings to deploy defensive measures against this campaign.\r\nFortify the authentication mechanism. Implement FIDO 2.0 authentication solutions to disarm BEC adversaries that use W3LL tools or other phishing kits aimed at stealing OTPs or session cookies.\r\nImprove access policies. To prevent session cookies from being abused, organizations can implement stricter access policies such as IP whitelisting and trusted devices.\r\nStay vigilant about any suspicious activity. Constantly monitor account activity, logins, forwarding rules, deleted emails, and other indicators potentially left by BEC threat actors.\r\nProactively detect and take down phishing domains. A proactive approach to hunting for phishing resources could also be part of a wider mitigation strategy. Leverage Group-IB Digital Risk Protection.\r\nConduct regular training for your cybersecurity specialists and raise awareness with cybersecurity workshops for all of your employees.\r\nEven if there are no clear signs of an account compromise, it is important to leave threat actors no chance of going undetected. If there is doubt, a compromise assessment would be a necessary step to ensure that your cloud environment is secure.\r\nReview security policies. Following recommendations after a compromise assessment or implementing the precautionary measures listed above will help to decrease the likelihood of becoming a victim of BEC again.\r\n15 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.\r\nTTPs related to STARK#VORTEX include but are not limited to the following:\r\nMonitor for the bxor, IO.StreamReader and Decompress commands in PowerShell.\r\nMonitor for the Windows binary hh.exe, which is launched automatically when a user runs the .chm file used by the STARK#VORTEX campaign.\r\nTags: Attack Type: Phishing | Threat Actor: W3LL, UAC-0154 | Target Sector: companies in the US, the UK, Australia and Europe primarily operating in the manufacturing, IT, and financial services sectors.\r\nAttacks by Iranian hackers (Originally published in September 2023)\r\nSince February 2023, Microsoft researchers have seen that a threat group supported by Iran has been conducting password spray attacks against hundreds of businesses in the United States and around the world. The actor in these attacks was tracked as Peach Sandstorm (HOLMIUM). Peach Sandstorm is an Iranian nation-state threat actor that has targeted organizations in the satellite, defense, and pharmaceutical sectors around the globe.\r\nIn the initial phase of their campaign, Peach Sandstorm conducted password spray campaigns against thousands of organizations across several sectors and geographies. While Microsoft observed several organizations previously targeted by Peach Sandstorm, the volume of activity and range of organizations suggests that at least a subset of the initial activity is opportunistic. Microsoft observed Peach Sandstorm using two distinct sets of TTPs in the early stages of the intrusion lifecycle in 2023 attacks.\r\nThe second incident involving Iranian hackers was discovered by researchers from ESET. They reported that the Iranian threat actor Charming Kitten is connected to a recent round of attacks that target victims in Brazil, Israel, and the United Arab Emirates using a hidden Ballistic Bobcat backdoor they have dubbed Sponsor. Victimology patterns suggest that the group primarily singles out education, government, and healthcare organizations, as well as human rights activists and journalists. The Sponsor backdoor uses configuration files stored on disk. These files are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines. Sponsor was deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates.\r\nThreat Labs summary\r\nSecuronix Threat Labs recommends the following guidelines:\r\nImplement network segmentation and maintain offline backups of data to ensure limited interruption to your organization.\r\nApply the vendor patches immediately.\r\nAdd users to the Protected Users Security Group.\r\n23 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.\r\nTTPs related to the Charming Kitten backdoor include but are not limited to the following:\r\nMonitor for network traffic containing “info.php?name=”, “dn.php?name=” and “up.php?name=” in the request URL.\r\nMonitor for the rare instance where rundll32.exe is executed with the command line parameter “iiiiiiii”.\r\nExample: cmd /c rundll32 “C:\\Users\\username\\AppData\\Local\\Temp\\wpnprv.dll”, IIIIIIII 4 “cmd /c del /f /q C:\\Windows\\system32\\wpcsvc.dll”\r\nMonitor for rare command lines executed that contain all of these parameters: “cd /d”, “dir”, “/a/o-d/s” and “*.”\r\nExample: cmd /c cd /d “C:\\Users” \u0026\u0026 dir /a/o-d/s *.*\r\nMonitor for cmd.exe spawning expand.exe to decompress cab files.\r\nExample: cmd /c expand %TEMP%\\1.cab -f:* %TEMP%\r\nMonitor for rare registry additions that contain either of the two combinations: “system\\currentcontrolset\\services” and “reg_expand_sz”, or “software\\microsoft\\windows nt\\currentversion\\svchost” and “reg_multi_sz”.\r\nExample: reg add “HKLM\\SYSTEM\\CurrentControlSet\\Services\\wpcsvc\\Parameters” /v ServiceDll /t REG_EXPAND_SZ /d “%windir%\\System32\\wpcsvc.dll” /f \u003e nul\r\nMonitor the execution of the process sc.exe wherein the command lines contain the parameters “failure”, “reset=” and “actions=”.\r\nTags: Attack Type: password spray | Threat actor: Peach Sandstorm (an Iranian nation-state threat actor), Charming Kitten | Targeted organizations: education, government, and healthcare organizations, as well as human rights activists and journalists\r\nExploitation of CVE-2022-47966 and CVE-2022-42475 (Originally published in September 2023)\r\nA U.S. aeronautical corporation was compromised by state-sponsored hacker gangs using exploits that targeted crucial Fortinet and Zoho ManageEngine vulnerabilities. Although the threat groups responsible for this breach have not yet been identified, USCYBERCOM’s press release links the malicious actors to Iranian exploitation efforts, but the joint alert did not link the attackers to a specific state.\r\nNation-state APTs used CVE-2022-47966 to acquire unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network, according to statements from CISA, FBI, and CNMF. The ManageEngine program is vulnerable and permits remote code execution. Additional APT actors were seen using CVE-2022-42475 to set up shop on the company’s firewall device.\r\nThreat Labs summary\r\nSecuronix Threat Labs recommends leveraging our findings to deploy protective measures for increased threats from this campaign.\r\nThe organization confirmed the user had been disabled before the observed behavior, but it was discovered that APT actors had stolen and used legitimate administrative account credentials from a previously engaged contractor.\r\nIn addition to using legitimate credentials to jump from the firewall to a web server and deploy web shells for backdoor access, the attackers have been seen starting multiple transport layer security (TLS)-encrypted sessions to a number of IP addresses, indicating data transfer from the firewall device.\r\nIn both situations, the adversaries allegedly deactivated administrative account credentials and erased logs from a number of important systems to try to cover their tracks forensically.\r\n25 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.\r\nTags: Vulnerability: CVE-2022-47966, CVE-2022-42475 | Target Sector: Aviation Organization | Target Location: United States | Exploit: Zoho ManageEngine, Fortinet\r\nFor a full list of the search queries used on Autonomous Threat Sweeper for the threats detailed above, refer to our Threat Labs home page. The page also references a list of relevant policies used by threat actors.\r\nWe would like to hear from you. Please reach out to us at scia@securonix.com.\r\nNote: The TTPs, when used in isolation, are prone to false positives and noise and should ideally be combined with the other indicators mentioned.\r\nContributors: Sina Chehreghani, Dhanaraj K R\r\nSource: https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-september-2023/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-september-2023/"
	],
	"report_names": [
		"securonix-threat-labs-monthly-intelligence-insights-september-2023"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b1acb4fd-d57f-4b28-818e-d3ec282d43d5",
			"created_at": "2024-09-20T02:00:04.580908Z",
			"updated_at": "2026-04-10T02:00:03.698967Z",
			"deleted_at": null,
			"main_name": "UAC-0154",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0154",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434262,
	"ts_updated_at": 1775792042,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ece228c7c68ab3bf0ae4652d3d01dad30a4a0210.pdf",
		"text": "https://archive.orkl.eu/ece228c7c68ab3bf0ae4652d3d01dad30a4a0210.txt",
		"img": "https://archive.orkl.eu/ece228c7c68ab3bf0ae4652d3d01dad30a4a0210.jpg"
	}
}