{
	"id": "52a43450-a1b6-49c0-bbf2-2c9548f88f50",
	"created_at": "2026-04-06T00:17:41.611452Z",
	"updated_at": "2026-04-10T03:36:18.943876Z",
	"deleted_at": null,
	"sha1_hash": "ed44daa0c6cc00a02656cecaae622327972cedf3",
	"title": "Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 613499,
	"plain_text": "Ransomware operators exploit ESXi hypervisor vulnerability for\r\nmass encryption | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-07-29 · Archived: 2026-04-05 12:39:37 UTC\r\nMicrosoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware\r\noperators to obtain full administrative permissions on domain-joined ESXi hypervisors. ESXi is a bare-metal\r\nhypervisor that is installed directly onto a physical server and provides direct access and control of underlying\r\nresources. ESXi hypervisors host virtual machines that may include critical servers in a network. In a ransomware\r\nattack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the\r\nfile system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to\r\naccess hosted VMs and possibly to exfiltrate data or move laterally within the network.\r\nThe vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full\r\nadministrative access to the ESXi hypervisor by default without proper validation. Microsoft disclosed the\r\nfindings to VMware through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability\r\nResearch (MSVR), and VMware released a security update. Microsoft recommends that ESXi server administrators\r\napply the updates released by VMware to protect their servers from related attacks, and follow the mitigation\r\nand protection guidance we provide in this blog post. We thank VMware for their collaboration in addressing this\r\nissue.\r\nThis blog post presents an analysis of CVE-2024-37085, as well as details of an attack observed by\r\nMicrosoft that exploited the vulnerability. 
We’re sharing this research to emphasize the importance of collaboration\r\namong researchers, vendors, and the security community to continuously advance defenses for the larger\r\necosystem. As part of Microsoft’s commitment to improve security for all, we will continue to share intelligence\r\nand work with the security community to help protect users and organizations across platforms.\r\nCVE-2024-37085 vulnerability analysis\r\nMicrosoft security researchers identified a new post-compromise technique utilized by ransomware operators like\r\nStorm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks. In several cases, the use of\r\nthis technique has led to Akira and Black Basta ransomware deployments. The technique includes running the\r\nfollowing commands, which results in the creation of a group named “ESX Admins” in the domain and the addition of a\r\nuser to it:\r\nnet group \"ESX Admins\" /domain /add\r\nnet group \"ESX Admins\" username /domain /add\r\nWhile investigating the attacks and the described behavior, Microsoft researchers discovered that the threat actors’\r\npurpose for using these commands was to exploit a vulnerability in domain-joined ESXi hypervisors that allows the\r\nhttps://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/\r\nPage 1 of 7\n\nthreat actor to elevate their privileges to full administrative access on the ESXi hypervisor. This finding was\r\nreported as part of a vulnerability disclosure to VMware earlier this year.\r\nFurther analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory\r\ndomain consider any member of a domain group named “ESX Admins” to have full administrative access by\r\ndefault. This group is not a built-in group in Active Directory and does not exist by default. 
ESXi hypervisors do\r\nnot validate that such a group exists when the server is joined to a domain and still treat any members of a group\r\nwith this name as having full administrative access, even if the group did not originally exist. Additionally,\r\nmembership in the group is determined by name and not by security identifier (SID).\r\nMicrosoft researchers identified three methods for exploiting this vulnerability:\r\n1. Adding the “ESX Admins” group to the domain and adding a user to it – This method is actively\r\nexploited in the wild by the above-mentioned threat actors. In this method, if the “ESX Admins” group\r\ndoesn’t exist, any domain user with the ability to create a group can escalate privileges to full\r\nadministrative access to domain-joined ESXi hypervisors by creating such a group, and then adding\r\nthemselves, or other users in their control, to the group.\r\n2. Renaming any group in the domain to “ESX Admins” and adding a user to the group or using an\r\nexisting group member – This method is similar to the first, but in this case the threat actor needs a user\r\nthat has the capability to rename arbitrary groups, and renames one of them to “ESX Admins”. The\r\nthreat actor can then add a user, or use a user that already exists in the group, to escalate privileges to full\r\nadministrative access. This method was not observed in the wild by Microsoft.\r\n3. ESXi hypervisor privileges refresh – Even if the network administrator assigns any other group in the\r\ndomain to be the management group for the ESXi hypervisor, the full administrative privileges of members\r\nof the “ESX Admins” group are not immediately removed, and threat actors could still abuse them. 
This\r\nmethod was not observed in the wild by Microsoft.\r\nSuccessful exploitation leads to full administrative access to the ESXi hypervisors, allowing threat actors to\r\nencrypt the file system of the hypervisor, which could affect the ability of the hosted servers to run and function. It\r\nalso allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the\r\nnetwork.\r\nRansomware operators targeting ESXi hypervisors\r\nOver the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption\r\nimpact in a few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to\r\nincrease impact on the organizations they target.\r\nESXi is a popular product in many corporate networks, and in recent years, we have observed ESXi hypervisors\r\nbecome a favored target for threat actors. These hypervisors could be convenient targets if ransomware operators\r\nwant to stay under the SOC’s radar because of the following factors:\r\n1. Many security products have limited visibility and protection for an ESXi hypervisor.\r\n2. Encrypting an ESXi hypervisor file system allows one-click mass encryption, as hosted VMs are impacted.\r\nThis could spare ransomware operators the time and complexity of lateral movement and\r\ncredential theft on each device they access.\r\nTherefore, many ransomware threat actors like Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest, and\r\nothers support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper (Figure 1). The\r\nnumber of Microsoft Incident Response (Microsoft IR) engagements that involved targeting and impacting\r\nESXi hypervisors has more than doubled in the last three years.\r\nFigure 1. 
ESXi unauthenticated shell for sale on the dark web\r\nStorm-0506 Black Basta ransomware deployment\r\nEarlier this year, an engineering firm in North America was affected by a Black Basta ransomware deployment by\r\nStorm-0506. During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated\r\nprivileges to the ESXi hypervisors within the organization.\r\nThe threat actor gained initial access to the organization via a Qakbot infection, followed by the exploitation of a\r\nWindows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices. The threat actor\r\nthen used Cobalt Strike and Pypykatz (a Python version of Mimikatz) to steal the credentials of two domain\r\nadministrators and to move laterally to four domain controllers.\r\nOn the compromised domain controllers, the threat actor installed persistence mechanisms using custom tools and\r\na SystemBC implant. The actor was also observed attempting to brute force Remote Desktop Protocol (RDP)\r\nconnections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike\r\nand SystemBC. The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to\r\navoid detection.\r\nMicrosoft observed that the threat actor created the “ESX Admins” group in the domain and added a new user\r\naccount to it. Following these actions, Microsoft observed that the attack resulted in encryption of the ESXi file\r\nsystem and loss of functionality of the virtual machines hosted on the ESXi hypervisor. The actor was also\r\nobserved using PsExec to encrypt devices that are not hosted on the ESXi hypervisor. 
Microsoft Defender\r\nAntivirus and automatic attack disruption in Microsoft Defender for Endpoint were able to stop these encryption\r\nattempts on devices that had the unified agent for Defender for Endpoint installed.\r\nFigure 2. Storm-0506 attack chain\r\nMitigation and protection guidance\r\nMicrosoft recommends that organizations that use domain-joined ESXi hypervisors apply the security update\r\nreleased by VMware to address CVE-2024-37085. The following guidelines will also help organizations protect\r\ntheir network from attacks:\r\nInstall software updates – Make sure to install the latest security updates released by VMware on all\r\ndomain-joined ESXi hypervisors. If installing software updates is not possible, you can use the following\r\nrecommendations to reduce the risk:\r\nValidate that the group “ESX Admins” exists in the domain and is hardened.\r\nManually deny access by this group by changing settings in the ESXi hypervisor itself. If full admin\r\naccess for the Active Directory ESX Admins group is not desired, you can disable this behavior\r\nusing the advanced host setting: ‘Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd’.\r\nChange the admin group to a different group in the ESXi hypervisor.\r\nAdd custom detections in XDR/SIEM for the new group name.\r\nConfigure ESXi hosts to send their logs to a SIEM system and monitor for suspicious full administrative access.\r\nCredential hygiene – To use any of the exploitation methods described above, threat actors require control of a\r\nhighly privileged user in the organization. 
Therefore, our recommendation is to protect your\r\nhighly privileged accounts in the organization, especially those that can manage other domain groups:\r\nEnforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and\r\nstrictly require MFA from all devices, in all locations, always.\r\nEnable passwordless authentication methods (for example, Windows Hello, FIDO keys, or\r\nMicrosoft Authenticator) for accounts that support passwordless. For accounts that still require\r\npasswords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the\r\ndifferent authentication methods and features.\r\nIsolate privileged accounts from productivity accounts to protect administrative access to the\r\nenvironment. Refer to this article to understand best practices.\r\nImprove critical assets posture – Identify your critical assets in the network, such as ESXi hypervisors\r\nand vCenters (a centralized platform for controlling VMware vSphere environments), and make sure to get\r\nthem protected with the latest security updates, proper monitoring procedures, and backup and recovery plans.\r\nMore information can be found in this article.\r\nIdentify vulnerable assets – Use Microsoft Defender Vulnerability Management to reduce risk with\r\ncontinuous vulnerability assessment of ESXi hypervisors out of the box.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\r\nSuspicious modifications to ESX Admins group\r\nThe following alerts might also indicate threat activity related to this threat. 
Note, however, that these alerts can also be\r\ntriggered by unrelated threat activity.\r\nNew group added suspiciously\r\nSuspicious Windows account manipulation\r\nCompromised account conducting hands-on-keyboard attack\r\nMicrosoft Defender for Identity\r\nThe following Microsoft Defender for Identity alerts can indicate associated threat activity:\r\nSuspicious creation of ESX group\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actors, malicious activity, and techniques discussed in this blog. These reports\r\nprovide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to\r\nassociated threats found in customer environments:\r\nStorm-0506\r\nStorm-1175\r\nOcto Tempest\r\nManatee Tempest\r\nAkira\r\nBlack Basta\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following queries to find related activity in their networks.\r\nThis query identifies ESXi hypervisors in the organization:\r\nDeviceInfo\r\n| where OSDistribution =~ \"ESXi\"\r\n| summarize arg_max(Timestamp, *) by DeviceId\r\nThis query identifies ESX Admins group changes in Active Directory:\r\nIdentityDirectoryEvents\r\n| where Timestamp \u003e= ago(30d)\r\n| where AdditionalFields has ('esx admins')\r\nThe following queries assess the ESXi hypervisors already discovered, using Microsoft Defender Vulnerability\r\nManagement information:\r\nDeviceInfo\r\n| where OSDistribution =~ \"ESXi\"\r\n| summarize arg_max(Timestamp, *) by DeviceId\r\n| join kind=inner (DeviceTvmSoftwareVulnerabilities) on DeviceId\r\nDeviceInfo\r\n| where OSDistribution =~ \"ESXi\"\r\n| summarize arg_max(Timestamp, *) by DeviceId\r\n| join kind=inner (DeviceTvmSecureConfigurationAssessment) on DeviceId\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nMicrosoft Sentinel also has a range of hunting queries available in the Sentinel GitHub repo or as part of Sentinel\r\nsolutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender\r\ndetections. These hunting queries include the following:\r\nQakbot:\r\nQakbot hunting queries\r\nCobalt Strike:\r\nCobalt Strike DNS Beaconing\r\nPotential ransomware activity related to Cobalt Strike\r\nSuspicious named pipes\r\nCobalt Strike Invocation using 
WMI\r\nReferences\r\nhttps://knowledge.broadcom.com/external/article?legacyId=1025569\r\nhttps://core.vmware.com/vmware-vsphere-8-security-configuration-guide\r\nhttps://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html\r\nhttps://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html\r\nhttps://www.sygnia.co/blog/esxi-ransomware-attacks/?blaid=6088911\r\nhttps://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/\r\nhttps://www.darkreading.com/cloud-security/agenda-ransomware-vmware-esxi-servers\r\nhttps://blog.checkpoint.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/amp/\r\nhttps://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/amp/\r\nDanielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan, Vaibhav Deshmukh\r\nMicrosoft Threat Intelligence Community\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/"
	],
	"report_names": [
		"ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption"
	],
	"threat_actors": [
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f994aa54-3581-460a-9c1f-5ca6b1af4aa1",
			"created_at": "2024-08-20T02:00:04.537819Z",
			"updated_at": "2026-04-10T02:00:03.686083Z",
			"deleted_at": null,
			"main_name": "Storm-0506",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0506",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86e3a92b-2e59-4c29-aacb-e84f829f3e95",
			"created_at": "2026-02-03T02:00:03.437562Z",
			"updated_at": "2026-04-10T02:00:03.938623Z",
			"deleted_at": null,
			"main_name": "Storm-1175",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1175",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434661,
	"ts_updated_at": 1775792178,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed44daa0c6cc00a02656cecaae622327972cedf3.pdf",
		"text": "https://archive.orkl.eu/ed44daa0c6cc00a02656cecaae622327972cedf3.txt",
		"img": "https://archive.orkl.eu/ed44daa0c6cc00a02656cecaae622327972cedf3.jpg"
	}
}