{
	"id": "fd4c9909-4d42-4e04-9672-bb714db2d168",
	"created_at": "2026-04-06T00:11:59.827286Z",
	"updated_at": "2026-04-10T03:38:20.337462Z",
	"deleted_at": null,
	"sha1_hash": "ed5416eee47d2593f73a98217225193a73603373",
	"title": "North Korean Lazarus Group Now Working With Medusa Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49734,
	"plain_text": "North Korean Lazarus Group Now Working With Medusa\r\nRansomware\r\nArchived: 2026-04-05 19:12:18 UTC\r\nNorth Korean state-backed attackers are now using the Medusa ransomware and are continuing to mount extortion\r\nattacks on the U.S. healthcare sector. \r\nNorth Korea has long been involved in ransomware attacks and has been previously associated with the Maui and\r\nPlay ransomware families. However, the Symantec and Carbon Black Threat Hunter Team has uncovered\r\nevidence of North Korean actors using Medusa in an attack on a target in the Middle East. The same attackers also\r\nmounted an unsuccessful attack against a healthcare organization in the U.S. \r\nMedusa, which is operated by the Spearwing cybercrime group, was launched in 2023 and is run as a\r\nransomware-as-a-service, where affiliate attackers can deploy the ransomware in exchange for a percentage of\r\nransom payments. More than 366 attacks have been claimed by attackers using Medusa.\r\nAnalysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S.\r\nsince the beginning of November 2025. Victims included a non-profit in the mental health sector and an\r\neducational facility for autistic children. It is unknown if all these victims were targeted by North Korean\r\noperatives or if other Medusa affiliates were responsible for some of these attacks. The average ransom demand in\r\nthat period was $260,000.\r\nHistory of extortion\r\nOne of the prime movers in mounting North Korean ransomware attacks in recent years has been the Lazarus sub-group Stonefly (aka Andariel). For many years, Stonefly was thought to be solely engaged in espionage attacks,\r\nparticularly against high-value targets. However, the group became involved in ransomware attacks approximately\r\nfive years ago. Its involvement in digital extortion came to public attention in July 2025, when the U.S. 
Justice\r\nDepartment indicted a North Korean man named Rim Jong Hyok on charges related to a ransomware campaign\r\nagainst U.S. hospitals and other healthcare providers. Rim is alleged to be a member of Stonefly, which is linked\r\nto the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB). \r\nThe indictment shed some light on the motivation behind Stonefly’s move into ransomware. It alleged that the\r\ngroup was using the proceeds of ransomware attacks to fund its espionage activities, including attacks against the\r\ndefense, technology, and government sectors in the U.S., Taiwan and South Korea. \r\nThe indictment, and a $10 million reward for information on Rim, did not appear to deter Stonefly from mounting\r\nfurther attacks. In October 2024, our Threat Hunter Team found evidence of intrusions against three different U.S.\r\norganizations. Although no ransomware was successfully deployed, the attacks appeared to be financially motivated\r\nsince all victims were private companies and involved in businesses with no obvious intelligence value.\r\nhttps://www.security.com/threat-intelligence/lazarus-medusa-ransomware\r\nPage 1 of 5\n\nIn the same month, Palo Alto Unit 42 reported that Stonefly had begun collaborating with the Play ransomware group. \r\nAttacker toolset\r\nLazarus is using a range of tools in its current ransomware campaigns. These include:\r\nComebacker: A custom backdoor and loader exclusively associated with Lazarus. \r\nBlindingcan: A remote access Trojan (RAT) associated with Lazarus. 
\r\nChromeStealer: A tool for extracting stored passwords from the Chrome browser.\r\nCurl: An open-source command-line tool for transferring data using various network protocols.\r\nInfohook: Information-stealing malware.\r\nMimikatz: A publicly available credential dumping tool.\r\nRP_Proxy: A custom proxying tool.\r\nAttribution\r\nWhile the current Medusa ransomware attacks are undoubtedly the work of Lazarus, the blanket designation for\r\nNorth Korean state-sponsored activity, it is unclear which Lazarus sub-group is behind them. While the TTPs –\r\nextortion attacks against the U.S. healthcare sector – are like previous Stonefly attacks, the malware tools used are\r\nnot exclusive to Stonefly. For example, the Comebacker backdoor has previously been reported to be associated\r\nwith the Pompilus group (aka Diamond Sleet).\r\nFew scruples\r\nThe switch to Medusa demonstrates that North Korea’s rapacious involvement in cybercrime continues unabated.\r\nNorth Korean actors appear to have few scruples about targeting organizations in the U.S. 
While some cybercrime\r\noutfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract,\r\nLazarus doesn’t seem to be in any way constrained.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nFile indicators\r\n15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10 - Medusa ransomware\r\n0842dd5c1f79f313ea08c49d1fb227654c32485b3f413e354dbe47b8a519a120 - Comebacker\r\n202b03d788df6a9d22bbd2cbc01ba9c7b4a9caad0f78a4d420f8c2c30171a08d - Comebacker\r\n61f3b09bcbae2fc2c98ccac7b2a0becdf5ddb28fe6a8b9c679fd574d58f8ca40 - Comebacker\r\n8f6866532abd8400d244d0441be097f8209065ac43d9f864b2a6894f9da2880a - Comebacker\r\na12c84dabaffa868507807c645f7f0769ac848cc575a8c3b42dfb791aa5caeef - Comebacker\r\nbf27c5e2591febe90e52cd99231526a342bc423000fe87cce44ef1c3acaeeab5 - Comebacker\r\n60b942bbdac625300eeb11cccba5ed44f376634f73d3bc01a17e7a758c570a8e - Comebacker Loader\r\n7a22880780c74b212e36ebb871af4af26a620326c456cf96a3dfb1481ee436cc - Loader\r\nab3e3a8673ba5da40b325b160a782cf2f03547d9b489e87d9546da35a65d62d6 - SSH Loader\r\n16d57ff889aab5b8c8a646da99d5a9335177fb4c158191baa1cf199f0e818d3a - File used for DLL sideloading\r\n3e3e0519a154266da1558e324c9097e7c39ccf88f323f2f932f204871d1b91cb - RP_Proxy\r\n60aaf6c01ba0c15b78902fd4be12c7e5f2323ade8f9db7e9fbbb9ec0c2afc8ba - RP_Proxy\r\n7530323c3976687a329e06bb7b7f95017f2cfd408f6a5261cb2f0c6b6f18f081 - RP_Proxy\r\nce4fcb97ada09a42c03c3456c5fe09d805948a95efaf365eb1cd2b4e82013990 - RP_Proxy\r\ndb98d087d4cdb2a82096df424f86edea8d4730543a2005f43bede9ffc6123791 - Mimikatz\r\ne24e4c949894b08a66b925b6c55f12d1b3c69adc95b79e99a31315e289d193fc - 
ChromeStealer\r\n61c49c8f116cb7118dee613536085cfaa7a59d5f49c36b9ff432be7b8a7f25f0 - Credential Stealer\r\n18049366331a5f0afd54c2ca84e6ed302e81d58a162673715fee865541d53b11 - Suspicious file\r\n313ce75f0f47e2a8fd66120fcbcaa6226fc0c4862b585b8e04850153f97bc4a3 - Suspicious file\r\n3b8850bad0cb3ebae477b3787844b892bb0e4f7bd9c9e8b507898a726e7e2763 - Suspicious file\r\n416545b9e844d3d924e162951a8ee885f3885e054a196ccdc659fd9d1f1911a6 - Suspicious file\r\n4a702c784eb997a170bea81778a770a86e61c759ff95ca0ad958ceca55c20c7b - Suspicious file\r\n52293b53ca5209bc49f009288cf6fc80c9f787c9c735cc06e7dc6fc9fcdaf61d - Suspicious file\r\n55cb4a851372237a5ba4bf187e37b0d599f3ffa13ac17464130744614353bd07 - Suspicious file\r\n63432828de42e43ea3715157da5439c40e5c371eefd7c1892b25f396c1018cc8 - Suspicious file\r\n6428ef885c54b8154bd86a5d849fb8cc8c04f39e72188117119b9e2832b99ee6 - Suspicious file\r\n6ad1a57ce20b422b77bab84a8daebf4e7262543742b2fdcbcacde3f7780d9046 - Suspicious file\r\n6ba46c392bdc330ceef2aeb984c63c89d673a090dd68d3258e4aa7e20e5c098d - Suspicious file\r\n84168ee4e290690985358dfc497b98a22ef279a01179b93ff4e6c9c5e1ee26e4 - Suspicious file\r\n918e2a5a01fdb0ad462b0242e4f23d51111031052a1ebd6a32d22be9cbd8dfb8 - Suspicious file\r\n932b9ec79c782f06b3c8d267af916df41328ddb8235d021ea7f945dc4082d991 - Suspicious file\r\n9cb10407ca3c9e8c1a069ebb4c677d8889117c1bc5206fbf16f47ebb13ef34b9 - Suspicious file\r\na670d8818a6efe2919c18c740ef4f3478551b28481d0a1591539be45ceca2171 - Suspicious file\r\na957b5dd5f555be8431df3f35b707c149b83436d19cc3f8bbd867317a6f624b1 - Suspicious file\r\nb42345567556a01d34daf262f95fdeb02f259271afbea93fb684b9656d14e568 - Suspicious file\r\nb8a9533a21127ff5005352d41581c5631598704e220120b623fad16e3ec2ae51 - Suspicious file\r\nbf05b1ace61aeebd251940b40624fe22a345300fc6a53a472357f9586e8e4e57 - Suspicious file\r\nc69acc7364da828f098394b1a6907788d4fd379ed2af7d966e86a2becea4c0ad - Suspicious 
file\r\ncf5e38d65bef38654080635fcb76890e3e0548626b0598bc8090b18116220389 - Suspicious file\r\ncfe33c6faacc824fcb475d450d6ba19316884fad4c85f563a330a86d03ecff0c - Suspicious file\r\nd80daa7b30732b2b71d63a5881a254d12eb0d499a015dc4c98602caa2001d2a3 - Suspicious file\r\ndf1b9ec31fa4578dee7668207064de7185798801bb032c715aa24cce7e35bcda - Suspicious file\r\nf0f4423cd8d5ceafb4e4a18014ff4ed8913021d83bc2c3a973a419b9fe466c19 - Suspicious file\r\nfdd4b78aa4e0914f3bcdc2632338ebbd300fdc3f05a3df85a5a3067f97627e45 - Suspicious file\r\n35a11a68b0ce862bdc7450735237e56cf70156870b0527ec624f0a57076c09c7 - Suspicious file\r\na55bc262c5218c6bdaebcf4618154312ff0540b00c382ab34e805699ce3fcc31 - Suspicious file\r\nbedada1c52e9bcceff8c6b542d74518afcce66f955ac6f1ab58aa43b3865fe9f - Suspicious file\r\nNetwork indicators\r\n23.27.140[.]49\r\n23.27.140[.]135\r\n23.27.140[.]228\r\n23.27.124[.]228\r\namazonfiso[.]com\r\nhuman-check[.]com\r\nillycoffee[.]my\r\nillycafe[.]my\r\nmarkethubuk[.]com\r\nsictradingc[.]com\r\ntrustpdfs[.]com\r\nzypras[.]com\r\nSource: https://www.security.com/threat-intelligence/lazarus-medusa-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.security.com/threat-intelligence/lazarus-medusa-ransomware"
	],
	"report_names": [
		"lazarus-medusa-ransomware"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed5416eee47d2593f73a98217225193a73603373.pdf",
		"text": "https://archive.orkl.eu/ed5416eee47d2593f73a98217225193a73603373.txt",
		"img": "https://archive.orkl.eu/ed5416eee47d2593f73a98217225193a73603373.jpg"
	}
}