{ "id": "e55e04e0-67e8-4d14-aaeb-95faaf731a8a", "created_at": "2026-04-06T00:14:32.265987Z", "updated_at": "2026-04-10T03:38:19.772945Z", "deleted_at": null, "sha1_hash": "f095e935f4cda8f34106f10ec596b5a9955de59e", "title": "APT trends report Q3 2021", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 78216, "plain_text": "APT trends report Q3 2021\r\nBy GReAT\r\nPublished: 2021-10-26 · Archived: 2026-04-05 13:25:35 UTC\r\nFor more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing\r\nquarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat\r\nintelligence research and provide a representative snapshot of what we have published and discussed in greater\r\ndetail in our private APT reports. They are designed to highlight the significant events and findings that we feel\r\npeople should be aware of.\r\nThis is our latest installment, focusing on activities that we observed during Q3 2021.\r\nReaders who would like to learn more about our intelligence reports or request more information on a specific\r\nreport are encouraged to contact intelreports@kaspersky.com.\r\nThe SolarWinds incident reported last December stood out because of the extreme carefulness of the attackers and\r\nthe high-profile nature of their victims. The evidence suggests that the threat actor behind the attack, DarkHalo\r\n(aka Nobelium), had spent six months inside OrionIT’s networks to perfect their attack. In June, more than six\r\nmonths after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS\r\nmember state that allowed the attacker to redirect traffic from government mail servers to computers under their\r\ncontrol – probably achieved by obtaining credentials to the control panel of the victims’ registrar. When victims\r\ntried to access their corporate mail, they were redirected to a fake copy of the web interface. Following this, they\r\nwere tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of\r\nsimilarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there\r\nare also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT\r\nthreat actor. None of the similarities is enough to link Tomiris and Sunshuttle with high confidence. However,\r\nhttps://securelist.com/apt-trends-report-q3-2021/104708/\r\nPage 1 of 8\n\ntaken together they suggest the possibility of common authorship or shared development practices. You can read\r\nmore about our findings here.\r\nDisclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or “speaking” other\r\nlanguages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found\r\nin scripts, etc.) containing words in these languages, based on the information we obtained directly or which was\r\notherwise publicly known and reported widely. The use of certain languages does not necessarily indicate a\r\nspecific geographic relation but rather points to the languages that the developers behind these APT artefacts use.\r\nRussian-speaking activity\r\nThis quarter we identified several malicious infection documents, droppers and implants that are typical of\r\nGamaredon; and which may suggest an ongoing malicious campaign against the Ukrainian government, possibly\r\nactive since May. We could not precisely identify the associated infection chains, as we could only retrieve parts\r\nof them from any live exploitation context. However, we were able to attribute the activity with medium to high\r\nconfidence to Gamaredon. Our private report gave details about the various droppers along with decoder scripts,\r\nas well as analysis of the DStealer backdoor and the large infrastructure we observed associated with the\r\ncampaign.\r\nReconHellcat is a little-known threat actor that was spotted publicly in 2020. The first accounts of its activity date\r\nback to March last year, in which archives carrying COVID-related decoy file names that contained a malicious\r\nexecutable were described in a tweet by MalwareHunterTeam. The malicious implant within the archive, dubbed\r\nBlackWater, would in turn drop and open a lure document and subsequently contact Cloudflare Workers as C2\r\nservers – an unusual choice that is not often encountered in use by other actors. Since the first sightings of this\r\nintrusion set, similar TTPs have been used as part of other attacks that were covered by QuoIntelligence,\r\nsuggesting the underlying actor is operating in a targeted fashion while going after high-profile government-related targets. This activity seems to have continued and stretched into 2021, when we spotted a set of recent\r\nattacks using the same techniques and malware to gain a foothold in diplomatic organizations based in Central\r\nAsia. In our private report we described this activity, with an eye to the various changes the actor made to\r\nelements in the infection chain, likely as a result of previous public exposure of its activity.\r\nSince then, we have identified additional documents operated by ReconHellcat; and a new campaign emerged\r\nfrom August through to September with an evolved infection chain. This campaign was also covered by\r\nresearchers at Zscaler in a blog post. Some of the changes introduced in the renewed activity include relying on\r\nMicrosoft Word templates (.dotm) for persistence, instead of the previously used Microsoft Word add-ons (.wll).\r\nNevertheless, some TTPs remain unchanged, as the new infection chain still delivers the same final implant, the\r\nBlacksoul malware, and still uses Cloudflare Workers as C2 servers. ReconHellcat goes after government\r\norganizations and diplomatic entities related to countries in Central Asia, such as Tajikistan, Kyrgyzstan, Pakistan\r\nand Turkmenistan. Additionally, we identified victims from two countries we did not encounter in the previous\r\nwave of attacks: Afghanistan and Uzbekistan. We assess, with a medium level of confidence, that ReconHellcat is\r\na Russian-speaking threat actor.\r\nChinese-speaking activity\r\nhttps://securelist.com/apt-trends-report-q3-2021/104708/\r\nPage 2 of 8\n\nAn APT threat actor, suspected to be HoneyMyte, modified a fingerprint scanner software installer package on a\r\ndistribution server in a country in South Asia. The APT modified a configuration file and added a DLL with a\r\n.NET version of a PlugX injector to the installer package. On installation, even without network connectivity, the\r\n.NET injector decrypts and injects a PlugX backdoor payload into a new svchost system process and attempts to\r\nbeacon to a C2. Employees of the central government in a country in South Asia are required to use this biometric\r\npackage to support recording attendance. We refer to this supply-chain incident and this particular PlugX variant\r\nas SmudgeX. The Trojanized installer appears to have been staged on the distribution server from March to June.\r\nDuring 2020 and 2021, we detected a new ShadowPad loader module, dubbed ShadowShredder, used against\r\ncritical infrastructure across multiple countries, including but not limited to India, China, Canada, Afghanistan and\r\nUkraine. Upon further investigation we also discovered additional implants deployed through both ShadowPad\r\nand ShadowShredder, such as Quarian backdoor, PlugX, Poison Ivy and other hack tools. Notably, the Quarian\r\nbackdoor and Poison Ivy showed similarities with previous IceFog activity targeting users in Central Asia.\r\nShadowPad is a highly sophisticated, modular cyberattack platform that APT groups have used since 2017. We\r\npublished a blog post at that time detailing the technical details of ShadowPad and its supply-chain attack\r\ncampaign after its initial discovery, when it was deployed by an APT group known as Barium or APT41. In Q1\r\n2020, we published private reports with the discovery of x64 ShadowPad dropper samples. The loader module\r\nused a unique anti-analysis trick that involves the loader module checking whether it’s been loaded via the specific\r\nEXE file by looking inside the memory space of the loader module for some hard coded bytes before the\r\ndecryption of embedded shellcode. The ShadowShredder loaders we discovered more recently don’t make use of\r\nthis technique, incorporating a new obfuscation method instead. Our report discusses the technical analysis of\r\nShadowShredder and related activities using second-stage payloads linked to ShadowShredder and ShadowPad.\r\nESET published a blog post in June describing a campaign targeting foreign affairs ministries and telecoms\r\ncompanies in Africa and the Middle East by an actor they dubbed BackdoorDiplomacy and categorized as\r\nChinese-speaking. We link this activity with high confidence to an actor we’re tracking under the alias\r\nCloudComputating, known to target high-profile entities in the Middle East. In their investigation ESET\r\ndiscovered a Quarian Linux variant sample sharing a C2 server with Windows variants, which was reportedly\r\ndeployed by exploiting a known RCE vulnerability (CVE-2020-5902) in F5 Networks’ BIG-IP traffic\r\nmanagement user interface or configuration utility. The same Quarian ELF binary was also mentioned being\r\ndeployed on an F5 BIG-IP server in a SANS ISC report in July 2020, one year earlier. Our private research report\r\nexpanded the analysis of the Quarian Linux variant and its ties to the Windows version.\r\nLast year, we described a campaign attributed to CloudComputating in which the APT actor exploited a known\r\nvulnerability to compromise publicly exposed Microsoft Exchange servers and infected them with the China\r\nChopper web shell. The malicious payload was then used to upload additional malware, usually the Quarian\r\nbackdoor that has been seen in use by Chinese-speaking actors since around 2010. This campaign affected\r\nEthiopia, Palestine and Kuwait. ESET’s blog post (see above) allowed us to link their campaign to the one we\r\ndescribed in June last year and extend our previous investigation to find new unknown variants and victims. Our\r\nprivate report covered the version ESET dubbed Turian, two other formerly unknown Quarian versions, an\r\noverview of a builder component used to generate malicious Quarian libraries and an extended list of IoCs.\r\nExCone is a set of attacks that started in mid-March against targets in the Russian Federation. The attackers\r\nexploited Microsoft Exchange vulnerabilities to deploy a previously unknown Trojan that we dubbed FourteenHI.\r\nhttps://securelist.com/apt-trends-report-q3-2021/104708/\r\nPage 3 of 8\n\nDuring our previous analysis, we found multiple ties in infrastructure and TTPs to the ShadowPad malware and\r\nUNC2643 activity. However, we were unable to attribute the attack to any known actor. Following our first report,\r\nwe continued to monitor this cluster of activities and we found many other variants, which extended our\r\nknowledge of the attackers and the campaign itself. We found new malware samples used against a large number\r\nof targets, with victims in Europe, Central Asia and Southeast Asia. We also observed a cluster of publicly\r\nreported activities by various other vendors that we are able to link to ExCone with high confidence. Finally, we\r\nfound a new malware sample that allows us to link ExCone to the SixLittleMonkeys APT group with low\r\nconfidence. Specifically, we found a victim compromised by FourteenHI and another unknown backdoor. This\r\nnew “unknown backdoor” presents similarities to both FourteenHI and Microcin, a Trojan exclusively attributed\r\nto SixLittleMonkeys that we described in other reports available on our Threat Intelligence Portal.\r\nThis quarter, we also pursued our investigations of what is widely known to be Chinese-speaking activities in\r\nSouth Asia. We discovered another set of TTPs targeting aerospace and defense research establishments in India\r\nbetween 2019 and the end of June 2021, featuring two previously unknown backdoors: LGuarian and\r\nHTTP_NEWS. The former appears to be a new variant of the Quarian backdoor, which this attacker also uses.\r\nThanks to our telemetry, we obtained extensive information on the attacker’s post-exploitation process and were\r\nable to provide a detailed picture of the various tools they use during this phase, as well as actions performed on\r\nthe victims’ machines. This allowed us to gather a wide number of malware samples and subsequently discover a\r\nsignificant part of the attacker’s infrastructure.\r\nOn June 3, Check Point published a report about an ongoing surveillance operation targeting a Southeast Asian\r\ngovernment, and attributed the malicious activities to a Chinese-speaking threat actor named SharpPanda. We\r\npublished a private report providing additional data on the associated malicious activities and tools, based on our\r\nown visibility of this threat.\r\nIn April, we investigated a number of malicious installer files mimicking Microsoft Update Installer files, signed\r\nwith a stolen digital certificate from a company called QuickTech.com. These fake installers exhibited very\r\nconvincing visuals, which reflect the amount of effort that went into making them look legitimate. The final\r\npayload, which was a Cobalt Strike beacon module, was also configured with a “microsoft.com” subdomain C2\r\nserver. The C2 domain code.microsoft[.]com was a dangling DNS subdomain, which was registered by the\r\nattackers around April 15 to masquerade as the official Visual Studio Code website. The victims were tricked into\r\ndownloading and executing these installers on their machines through a fake Microsoft Update Catalog webpage,\r\nwhich was also hosted on another dangling subdomain of “microsoft.com”. While investigating the malicious\r\ninstaller files, we came across other malicious binaries which, based on various indications, we assume were\r\ndeveloped and used by the same threat actor, active since at least January and up until June. Our private report\r\nprovided an analysis of the extended toolset of this threat actor, which we named CraneLand.\r\nIn July, we identified a suspicious JavaScript (JS) inclusion on two websites that openly criticize China and which\r\nappear to be legitimate. The obfuscated JS is loaded from a remote domain name that impersonates the Google\r\nbrand and initiates a malicious JS payload chain. The compromised websites still include the JS, but we could not\r\nlink any other malicious activities or infrastructure to this watering-hole attack. The malicious JS does not seem to\r\nfit traditional cybercriminal goals, and its activities are quite unusual compared to those we have observed in other\r\nwatering-hole attacks. We believe the malicious JS payloads are aimed at profiling and targeting individuals from\r\nhttps://securelist.com/apt-trends-report-q3-2021/104708/\r\nPage 4 of 8\n\nHong Kong, Taiwan or China. Any connections to the described malicious domains should be carefully reviewed\r\nto look for subsequent malicious activities.\r\nMiddle East\r\nLyceum is a threat group operating against high-profile targets in the Middle East since at least 2018. This year,\r\nwe uncovered significant activity by the group focused on Tunisia’s aviation and telecoms sectors. Throughout\r\nthis campaign the attackers demonstrated vigor and agility while developing two new C++ based malware\r\nimplants that we dubbed Kevin and James. Both relied on techniques and communication protocols from older\r\nmalware used by the group and coined DanBot. Following our report on this activity and the corresponding\r\ndeployment of protection against the group’s newly found implants, we observed recurring attempts by the\r\nattackers to deploy fresh samples that were not specified in our former report. Some of these samples revealed that\r\nthe attackers have also made use of two new C2 domains, likely as means to bypass security mechanisms that\r\nmitigated communication to the already known domains. Such effort characterizes the group’s persistence in\r\ncompromising a targeted organization, and shows that it has not ceased to operate after being discovered, a fact\r\nthat can be reinforced through yet another cluster of activity by the group that was recently exposed publicly. You\r\ncan read more about our findings in the ‘Lyceum group reborn’ article.\r\nSoutheast Asia and Korean Peninsula\r\nIn June, we observed the Lazarus group attacking the defense industry using the MATA malware framework.\r\nHistorically, Lazarus used MATA to attack various industries for cybercrime-like intentions: stealing customer\r\ndatabases and spreading ransomware. However, here we saw Lazarus using MATA for cyber-espionage purposes.\r\nThe actor delivered a Trojanized version of an application known to be used by their victim of choice,\r\nrepresenting a known characteristic of Lazarus. Executing this application starts a multi-staged infection chain\r\nbeginning with a downloader. This downloader fetches additional malware from compromised C2 servers. We\r\nwere able to acquire several MATA components, including plugins. The MATA malware discovered in this\r\ncampaign has evolved compared to previous versions and uses a legitimate, stolen certificate to sign some of its\r\ncomponents. Through this research, we discovered a stronger connection between MATA and the Lazarus group,\r\nincluding the fact that the downloader malware fetching MATA malware showed ties to TangoDaiwbo, which we\r\nhad previously attributed to the Lazarus group.\r\nWe have also discovered Lazarus group campaigns using an updated DeathNote cluster. The first involved an\r\nattack on a think tank in South Korea in June. The second was an attack on an IT asset monitoring solution vendor\r\nin May. Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. In\r\none case, we found that the infection chain stemmed from legitimate South Korean security software executing a\r\nmalicious payload; and in the second case, the target was a company developing asset monitoring solutions in\r\nLatvia, an atypical victim for Lazarus. The DeathNote malware cluster consisted of a slightly updated variant of\r\nBLINDINGCAN, malware previously reported by the US CISA (Cybersecurity \u0026 Infrastructure Security\r\nAgency). BLINDINGCAN was also used to deliver a new variant of COPPERHEDGE, also reported in a CISA\r\narticle. We had previously reported our initial finding of COPPERHEDGE in January 2020. As part of the\r\ninfection chain, Lazarus used a downloader named Racket that they signed using a stolen certificate. As a result of\r\ntaking over the attacker’s infrastructure with a local CERT, we had a chance to look into several C2 scripts\r\nhttps://securelist.com/apt-trends-report-q3-2021/104708/\r\nPage 5 of 8\n\nassociated with the DeathNote cluster. The actor compromised vulnerable web servers and uploaded several\r\nscripts to filter and control the malicious implants on successfully breached victim machines.\r\nThe Kimsuky group is currently one of the most active APT groups. The threat actor is known for focusing on\r\ncyber-espionage but occasionally conducts cyberattacks for financial gain. Like other APT groups that constitute a\r\nbig umbrella, Kimsuky contains several clusters: BabyShark, AppleSeed, FlowerPower, and GoldDragon.\r\nEach cluster utilizes different methodologies and has different characteristics:\r\nBabyShark relies heavily on scripted malware and compromised web servers for C2 operations;\r\nAppleSeed uses a unique backdoor named AppleSeed;\r\nFlowerPower uses PowerShell scripts and malicious Microsoft Office documents;\r\nGoldDragon is the oldest cluster, closest to the original Kimsuky malware.\r\nHowever, these clusters also show several overlaps. In particular, GoldDragon and FlowerPower share a strong\r\nconnection in their C2 infrastructure. However, the other clusters also have a minor connection to the C2\r\ninfrastructure. We assess that BabyShark and AppleSeed are operating with different strategies.\r\nBack in May, we published a report about the freshly discovered activity of Andariel. In this campaign, a broad\r\nspectrum of industries located in South Korea were targeted with custom ransomware. During our research, we\r\ndiscovered that the actor was using two vectors to compromise targets. The first was the use of weaponized\r\nMicrosoft Office documents with malicious macros. At the time of our original report, the second vector was still\r\nunknown but we discovered artifacts containing the path of the tool ezPDF Reader, developed by a South Korean\r\nsoftware company named Unidocs. We were missing clear evidence that the attack leveraged a vulnerability\r\nwithin this software, and to solve this mystery we decided to audit the binary of this application. Our analysis of\r\nthe software led us to discover a remote code execution vulnerability in ezpdfwslauncher.exe that can be leveraged\r\nto break into computers on the network with ezPDF Reader without any user interaction. We assess with high\r\nconfidence that the Andariel group used the same vulnerability in its attacks. After this discovery, we contacted the\r\ndevelopers of Unidocs and shared the details of this vulnerability with them. It was fixed as CVE-2021-26605.\r\nThis quarter we described activity associated with the Origami Elephant threat actor (aka DoNot team, APT-C-35,\r\nSECTOR02) observed from the beginning of 2020 and continuing through to this year. Origami Elephant\r\ncontinues to utilize the known Backconfig (aka Agent K1) and Simple Uploader components, but we have also\r\nidentified lesser-known malware named VTYREI (aka BREEZESUGAR) used as a first-stage payload.\r\nAdditionally, we observed a unique technique of encoding the remote template used in the malicious documents\r\nthat we have not seen utilized by other threat actors. Victimology is consistent with past operations: the adversary\r\ncontinues to focus on the South Asia region with special interest in government and military entities mainly in\r\nPakistan, Bangladesh, Nepal and Sri Lanka.\r\nWe also tracked Origami Elephant activity targeting Android mobile phones from the end of 2020 up to the time\r\nof our report, picking up where we left off with last year’s report. We see that the infrastructure is still active,\r\ncommunicating with the same malware we previously reported, albeit with a few changes in code obfuscation.\r\nThe targeting remained the same as last year, with victims located in the South Asian region: India, Pakistan and\r\nSri Lanka in particular. The actor revised the infection chain compared with last year’s campaign. Instead of\r\ndelivering a downloader stager, we observed the Android Trojan being directly delivered. This is done via links to\r\nhttps://securelist.com/apt-trends-report-q3-2021/104708/\r\nPage 6 of 8\n\nmalicious landing pages or direct messages via some instant messaging platform such as WhatsApp. The samples\r\nwe analyzed mimicked various applications such as private messaging, VPN, and media services. Our report\r\ncovered the current state of Origami Elephant’s activities against Android devices and provided additional IoCs\r\nlinked to both the latest and historical group activities. Scanning the internet with available clues from our\r\nprevious research, we are able to discover newly deployed hosts, in some cases even before they become active.\r\nOther interesting discoveries\r\nIn September, we provided an overview of the FinSpy PC implant. This covered not only the Windows version,\r\nbut also Linux and macOS ones, which share the same internal structure and features. FinSpy is a notorious\r\nsurveillance toolset that several NGOs have repeatedly reported being used against journalists, political dissidents\r\nand human rights activists. Historically, its Windows implant was represented by a single-stage spyware installer.\r\nThis version was detected and researched several times up to 2018. Since then, we have observed a decreasing\r\ndetection rate for FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting\r\nsome suspicious installer packages backdoored with Metasploit stagers. We were unable to attribute these\r\npackages until the middle of 2019 when we found a host that served these installers among FinSpy Mobile\r\nimplants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing\r\nmore than first-stage implants that are used to download and deploy further payloads before the actual FinSpy\r\nTrojan. Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR\r\nbootkit. While the MBR infection has been known since at least 2014, details of the UEFI bootkit were only\r\npublicly revealed for the first time in our article. We decided to share some of our unseen findings about the actual\r\nstate of FinSpy implants. You can read our public report here.\r\nTowards the end of Q3, we identified a previously unknown payload with advanced capabilities, delivered using\r\ntwo infection chains to various government organizations and telecoms companies in the Middle East. The\r\npayload makes use of a Windows kernel-mode rootkit to facilitate some of its activities and is capable of being\r\npersistently deployed through an MBR or a UEFI bootkit. Interestingly enough, some of the components observed\r\nin this attack have been formerly staged in memory by Slingshot agent on multiple occasions, whereby Slingshot\r\nis a post-exploitation framework that we covered in several cases in the past (not to be confused with the\r\n‘Slingshot’ APT). It is mainly known for being a proprietary commercial penetration testing toolkit officially\r\ndesigned for red team engagements. However, it’s not the first time that attackers appear to have taken advantage\r\nof it. One of our previous reports from 2019 covering FruityArmor’s activity showed that the threat group used it\r\nto target organizations across multiple industries in the Middle East, possibly by leveraging an exploit in Skype as\r\nan infection vector. In a recent private intelligence report, we provided a drill-down analysis of the newly\r\ndiscovered malicious toolkit that we observed in tandem with Slingshot and how it was leveraged in clusters of\r\nactivity in the wild. Most notably, we outlined some of the advanced features that are evident in the malware as\r\nwell as its utilization in a particular long-standing activity against a high profile diplomatic target in Iraq.\r\nFinal thoughts\r\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a\r\nmeans of gaining a foothold in a target organization or compromising an individual’s device, others refresh their\r\nhttps://securelist.com/apt-trends-report-q3-2021/104708/\r\nPage 7 of 8\n\ntoolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key\r\ndevelopments of APT groups.\r\nHere are the main trends that we’ve seen in Q3 2021:\r\nWe continue to see supply-chain attacks, including those of SmudgeX, DarkHalo and Lazarus.\r\nIn this quarter we focused on researching and dismantling surveillance frameworks following malicious\r\nactivities we detected. These include FinSpy and the use of advanced and highly capable payloads staged\r\nby a commercial post-exploitation framework known as Slingshot. These tools contain powerful covert\r\ncapabilities, such as the use of bootkits for persistence. Bootkits remain an active component of some high\r\nprofile APT attacks, notwithstanding various mitigations Microsoft has added to make them much less easy\r\nto deploy on the Windows operating system.\r\nWe observed an abnormal spike in activity coming from what is widely known to be Chinese-speaking\r\nthreat groups this quarter, particularly when compared to the start of the year. By contrast, we have seen a\r\ndecrease in activity in the Middle East this quarter.\r\nSocial engineering remains a key method for initiating attacks; but also exploits (CloudComputating,\r\nOrigami Elephant, Andariel), including exploiting firmware vulnerabilities.\r\nAs illustrated by the campaigns of various threat actors – including Gamaredon, CloudComputating,\r\nExCone, Origami Elephant, ReconHellcat, SharpPanda – geo-politics continues to drive APT\r\ndevelopments.\r\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it\r\nshould be borne in mind that, while we strive to continually improve, there is always the possibility that other\r\nsophisticated attacks may fly under our radar.\r\nSource: https://securelist.com/apt-trends-report-q3-2021/104708/\r\nhttps://securelist.com/apt-trends-report-q3-2021/104708/\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://securelist.com/apt-trends-report-q3-2021/104708/" ], "report_names": [ "104708" ], "threat_actors": [ { "id": "838f6ced-12a4-4893-991a-36d231d96efd", "created_at": "2022-10-25T15:50:23.347455Z", "updated_at": "2026-04-10T02:00:05.295717Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "Andariel", "Silent Chollima", "PLUTONIUM", "Onyx Sleet" ], "source_name": "MITRE:Andariel", "tools": [ "Rifdoor", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "709ceea7-db99-405e-b5a7-a159e6c307e0", "created_at": "2022-10-25T16:07:23.373699Z", "updated_at": "2026-04-10T02:00:04.571971Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [], "source_name": "ETDA:BackdoorDiplomacy", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6", "created_at": "2022-10-25T16:07:23.706646Z", "updated_at": "2026-04-10T02:00:04.719127Z", "deleted_at": null, "main_name": "Hexane", "aliases": [ "ATK 120", "Cobalt Lyceum", "G1001", "Lyceum", "Operation Out to Sea", "Siamesekitten", "Yellow Dev 9" ], "source_name": "ETDA:Hexane", "tools": [ "DanBot", "DanDrop", "Decrypt-RDCMan.ps1", "Get-LAPSP.ps1", "James", "Milan", "kl.ps1" ], "source_id": "ETDA", "reports": null }, { "id": "493c47f7-b265-4b10-95de-d86af942c543", "created_at": "2023-04-27T02:04:45.385041Z", "updated_at": "2026-04-10T02:00:04.939878Z", "deleted_at": null, "main_name": "Tomiris", "aliases": [], "source_name": "ETDA:Tomiris", "tools": [ "JLOGRAB", "JLORAT", "Kapushka", "KopiLuwak", "Meterpreter", "QUIETCANARY", "RATel", "RocketMan", "Roopy", "Telemiris", "Tomiris", "Topinambour", "Tunnus", "Warzone", "Warzone RAT" ], "source_id": "ETDA", "reports": null }, { "id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a", "created_at": "2022-10-25T16:07:24.228663Z", "updated_at": "2026-04-10T02:00:04.905195Z", "deleted_at": null, "main_name": "Stealth Falcon", "aliases": [ "FruityArmor", "G0038", "Project Raven", "Stealth Falcon" ], "source_name": "ETDA:Stealth Falcon", "tools": [ "Deadglyph", "StealthFalcon" ], "source_id": "ETDA", "reports": null }, { "id": "3b56d733-88da-4394-b150-d87680ce67e4", "created_at": "2023-01-06T13:46:39.287189Z", "updated_at": "2026-04-10T02:00:03.274816Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [ "BackDip", "CloudComputating", "Quarian" ], "source_name": "MISPGALAXY:BackdoorDiplomacy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc", "created_at": "2022-10-25T16:07:23.546262Z", "updated_at": "2026-04-10T02:00:04.651083Z", "deleted_at": null, "main_name": "Donot Team", "aliases": [ "APT-C-35", "Mint Tempest", "Origami Elephant", "SectorE02" ], "source_name": "ETDA:Donot Team", "tools": [ "BackConfig", "EHDevel", "Jaca", "yty" ], "source_id": "ETDA", "reports": null }, { "id": "8a3bd03a-f69b-455b-b88b-3842a3528bfd", "created_at": "2022-10-25T16:07:24.178007Z", "updated_at": "2026-04-10T02:00:04.89066Z", "deleted_at": null, "main_name": "SharpPanda", "aliases": [ "Sharp Dragon", "SharpPanda" ], "source_name": "ETDA:SharpPanda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agentemis", "Cobalt Strike", "CobaltStrike", "RoyalRoad", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "1aead86d-0c57-4e3b-b464-a69f6de20cde", "created_at": "2023-01-06T13:46:38.318176Z", "updated_at": "2026-04-10T02:00:02.925424Z", "deleted_at": null, "main_name": "DAGGER PANDA", "aliases": [ "UAT-7290", "Red Foxtrot", "IceFog", "RedFoxtrot", "Red Wendigo", "PLA Unit 69010" ], "source_name": "MISPGALAXY:DAGGER PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "77aedfa3-e52b-4168-8269-55ccec0946f7", "created_at": "2023-01-06T13:46:38.453791Z", "updated_at": "2026-04-10T02:00:02.981559Z", "deleted_at": null, "main_name": "Stealth Falcon", "aliases": [ "FruityArmor", "G0038" ], "source_name": "MISPGALAXY:Stealth Falcon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "72aaa00d-4dcb-4f50-934c-326c84ca46e3", "created_at": "2023-01-06T13:46:38.995743Z", "updated_at": "2026-04-10T02:00:03.175285Z", "deleted_at": null, "main_name": "Slingshot", "aliases": [], "source_name": "MISPGALAXY:Slingshot", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "49822165-5541-423d-8808-1c0a9448d588", "created_at": "2022-10-25T16:07:23.384093Z", "updated_at": "2026-04-10T02:00:04.575678Z", "deleted_at": null, "main_name": "Barium", "aliases": [ "Brass Typhoon", "Pigfish", "Starchy Taurus" ], "source_name": "ETDA:Barium", "tools": [ "Agent.dhwf", "Agentemis", "Barlaiy", "BleDoor", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "Kaba", "Korplug", "POISONPLUG", "PlugX", "RbDoor", "RedDelta", "RibDoor", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "110e7160-a8cc-4a66-8550-f19f7d418117", "created_at": "2023-01-06T13:46:38.427592Z", "updated_at": "2026-04-10T02:00:02.969896Z", "deleted_at": null, "main_name": "Silent Chollima", "aliases": [ "Onyx Sleet", "PLUTONIUM", "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ], "source_name": "MISPGALAXY:Silent Chollima", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f55c7778-a41c-4fc6-a2e7-fa970c5295f2", "created_at": "2022-10-25T16:07:24.198891Z", "updated_at": "2026-04-10T02:00:04.897342Z", "deleted_at": null, "main_name": "Slingshot", "aliases": [], "source_name": "ETDA:Slingshot", "tools": [ "Cahnadr", "GollumApp", "NDriver" ], "source_id": "ETDA", "reports": null }, { "id": "a7df240e-6750-4b71-99de-85831b92faa2", "created_at": "2022-10-25T15:50:23.859253Z", "updated_at": "2026-04-10T02:00:05.285965Z", "deleted_at": null, "main_name": "HEXANE", "aliases": [ "Lyceum", "Siamesekitten", "Spirlin" ], "source_name": "MITRE:HEXANE", "tools": [ "Milan", "netstat", "BITSAdmin", "DnsSystem", "DanBot", "ipconfig", "Mimikatz", "Kevin", "PoshC2" ], "source_id": "MITRE", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "fb8f3a5f-01a9-498e-9396-52f844424c33", "created_at": "2023-01-06T13:46:39.045338Z", "updated_at": "2026-04-10T02:00:03.195743Z", "deleted_at": null, "main_name": "LYCEUM", "aliases": [ "Spirlin", "MYSTICDOME", "siamesekitten", "Chrono Kitten", "Storm-0133", "COBALT LYCEUM", "UNC1530" ], "source_name": "MISPGALAXY:LYCEUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6", "created_at": "2022-10-25T16:07:23.869951Z", "updated_at": "2026-04-10T02:00:04.766204Z", "deleted_at": null, "main_name": "Mikroceen", "aliases": [ "SixLittleMonkeys" ], "source_name": "ETDA:Mikroceen", "tools": [ "AngryRebel", "Farfli", "Gh0st RAT", "Ghost RAT", "Microcin", "Mikroceen", "Mimikatz", "Moudour", "Mydoor", "PCRat", "logon.dll", "logsupport.dll", "pcaudit.bat", "sqllauncher.dll" ], "source_id": "ETDA", "reports": null }, { "id": "5d9dfc61-6138-497a-b9da-33885539f19c", "created_at": "2022-10-25T16:07:23.720008Z", "updated_at": "2026-04-10T02:00:04.726002Z", "deleted_at": null, "main_name": "Icefog", "aliases": [ "ATK 23", "Dagger Panda", "Icefog", "Red Wendigo" ], "source_name": "ETDA:Icefog", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Dagger Three", "Fucobha", "Icefog", "Javafog", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "6e79c98d-c678-4f28-b869-5723a78e71f4", "created_at": "2023-01-06T13:46:39.422441Z", "updated_at": "2026-04-10T02:00:03.322083Z", "deleted_at": null, "main_name": "Vicious Panda", "aliases": [ "SixLittleMonkeys" ], "source_name": "MISPGALAXY:Vicious Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "401a2035-ed5a-4795-8e37-8b7465484751", "created_at": "2022-10-25T15:50:23.616232Z", "updated_at": "2026-04-10T02:00:05.304705Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [ "BackdoorDiplomacy" ], "source_name": "MITRE:BackdoorDiplomacy", "tools": [ "Turian", "China Chopper", "Mimikatz", "NBTscan", "QuasarRAT" ], "source_id": "MITRE", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cfdd350b-de30-4d29-bbee-28159f26c8c2", "created_at": "2023-01-06T13:46:38.433736Z", "updated_at": "2026-04-10T02:00:02.972971Z", "deleted_at": null, "main_name": "VICEROY TIGER", "aliases": [ "OPERATION HANGOVER", "Donot Team", "APT-C-35", "SectorE02", "Orange Kala" ], "source_name": "MISPGALAXY:VICEROY TIGER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "e7ef34b6-e7b6-46f3-8dd8-2708c1659cd6", "created_at": "2023-11-08T02:00:07.107758Z", "updated_at": "2026-04-10T02:00:03.415268Z", "deleted_at": null, "main_name": "SharpPanda", "aliases": [ "Sharp Dragon" ], "source_name": "MISPGALAXY:SharpPanda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "236a8303-bf12-4787-b6d0-549b44271a19", "created_at": "2024-06-04T02:03:07.966137Z", "updated_at": "2026-04-10T02:00:03.706923Z", "deleted_at": null, "main_name": "IRON TILDEN", "aliases": [ "ACTINIUM ", "Aqua Blizzard ", "Armageddon", "Blue Otso ", "BlueAlpha ", "Dancing Salome ", "Gamaredon", "Gamaredon Group", "Hive0051 ", "Primitive Bear ", "Shuckworm ", "Trident Ursa ", "UAC-0010 ", "UNC530 ", "WinterFlounder " ], "source_name": "Secureworks:IRON TILDEN", "tools": [ "Pterodo" ], "source_id": "Secureworks", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null }, { "id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c", "created_at": "2022-10-25T16:07:23.750796Z", "updated_at": "2026-04-10T02:00:04.736762Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "APT 15", "BackdoorDiplomacy", "Bronze Davenport", "Bronze Idlewood", "Bronze Palace", "CTG-9246", "G0004", "G0135", "GREF", "Ke3chang", "Metushy", "Nylon Typhoon", "Operation Ke3chang", "Operation MirageFox", "Playful Dragon", "Playful Taurus", "PurpleHaze", "Red Vulture", "Royal APT", "Social Network Team", "Vixen Panda" ], "source_name": "ETDA:Ke3chang", "tools": [ "Agentemis", "Anserin", "BS2005", "BleDoor", "CarbonSteal", "Cobalt Strike", "CobaltStrike", "DarthPusher", "DoubleAgent", "EternalBlue", "GoldenEagle", "Graphican", "HenBox", "HighNoon", "IRAFAU", "Ketrican", "Ketrum", "LOLBAS", "LOLBins", "Living off the Land", "MS Exchange Tool", "Mebroot", "Mimikatz", "MirageFox", "NBTscan", "Okrum", "PluginPhantom", "PortQry", "ProcDump", "PsList", "Quarian", "RbDoor", "RibDoor", "Royal DNS", "RoyalCli", "RoyalDNS", "SAMRID", "SMBTouch", "SilkBean", "Sinowal", "SpyWaller", "Theola", "TidePool", "Torpig", "Turian", "Winnti", "XSLCmd", "cobeacon", "nbtscan", "netcat", "spwebmember" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434472, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f095e935f4cda8f34106f10ec596b5a9955de59e.pdf", "text": "https://archive.orkl.eu/f095e935f4cda8f34106f10ec596b5a9955de59e.txt", "img": "https://archive.orkl.eu/f095e935f4cda8f34106f10ec596b5a9955de59e.jpg" } }