{
	"id": "5a325cd0-f2c8-4901-9812-a3cefba2794a",
	"created_at": "2026-04-06T00:22:04.688354Z",
	"updated_at": "2026-04-10T13:12:36.380548Z",
	"deleted_at": null,
	"sha1_hash": "f0feb954fcb1e7715a48f6d9fe7d36cff3defa38",
	"title": "Egregor (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 211947,
	"plain_text": "Egregor (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:47:14 UTC\r\nAccording to Heimdal, Egregor ransomware infection happens via a loader, then, in the victim’s firewall, it\r\nenables the Remote Desktop Protocol. After this part, the malware is free to move inside the victim’s network,\r\nidentifying and disabling all the antivirus software it can find. The next step is the encryption of the data and the\r\ninsertion of a ransom note named “RECOVER-FILES.txt” in all the compromised folders.\r\n2024-02-15 ⋅ Bleeping Computer ⋅\r\nZeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison\r\nEgregor IcedID Maze Zeus 2024-02-15 ⋅ Department of Justice ⋅ Office of Public Affairs\r\nForeign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses\r\nEgregor IcedID Maze Zeus 2022-05-01 ⋅ BushidoToken ⋅ BushidoToken\r\nGamer Cheater Hacker Spy\r\nEgregor HelloKitty NetfilterRootkit RagnarLocker Winnti 2022-03-17 ⋅ Sophos ⋅ Tilly Travers\r\nThe Ransomware Threat Intelligence Center\r\nATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry\r\nDharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker\r\nRagnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker 2022-02-09 ⋅ Security Affairs ⋅\r\nPierluigi Paganini\r\nMaster decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online\r\nEgregor m0yv Maze Sekhmet 2022-02-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nRansomware dev releases Egregor, Maze master decryption keys\r\nEgregor Maze Sekhmet 2021-11-03 ⋅ CERT-FR ⋅ ANSSI\r\nIdentification of a new cybercriminal group: Lockean\r\nDoppelPaymer Egregor Maze PwndLocker REvil 2021-10-26 ⋅ ANSSI\r\nIdentification of a new cyber criminal group: Lockean\r\nCobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil 2021-10-22 ⋅ HUNT \u0026 HACKETT ⋅ Krijn de Mik\r\nAdvanced IP 
Scanner: the preferred scanner in the A(P)T toolbox\r\nConti DarkSide Dharma Egregor Hades REvil Ryuk 2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker 2021-08-10 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nCrytek confirms Egregor ransomware attack, customer data theft\r\nEgregor Maze 2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nRansomware Gangs and the Name Game Distraction\r\nDarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze\r\nRansomEXX REvil Ryuk Sekhmet 2021-08-04 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team, CrowdStrike IR, Falcon\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.egregor\r\nPage 1 of 5\n\nOverWatch Team\r\nPROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity\r\nCobalt Strike Egregor Mount Locker Prophet Spider 2021-07-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nLockBit ransomware now encrypts Windows domains using group policies\r\nEgregor LockBit 2021-07-21 ⋅ IBM ⋅ Allison Wikoff, Chris Caridi\r\nThis Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered\r\nEgregor 2021-07-09 ⋅ The Record ⋅ Catalin Cimpanu\r\nRansomwhere project wants to create a database of past ransomware payments\r\nEgregor Mailto Maze REvil 2021-07-01 ⋅ DomainTools ⋅ Chad Anderson\r\nThe Most Prolific Ransomware Families: A Defenders Guide\r\nREvil Conti Egregor Maze REvil 2021-06-16 ⋅ Proofpoint ⋅ Daniel Blackford, Garrett M. 
Graff, Selena Larson\r\nThe First Step: Initial Access Leads to Ransomware\r\nBazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577 2021-05-\r\n18 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nDarkSide ransomware made $90 million in just nine months\r\nDarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk 2021-05-10 ⋅ DarkTracer ⋅ DarkTracer\r\nIntelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware\r\ngangs released on the DarkWeb\r\nRansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze\r\nMedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok\r\nRansomEXX REvil Sekhmet SunCrypt ThunderX 2021-04-26 ⋅ CoveWare ⋅ CoveWare\r\nRansomware Attack Vectors Shift as New Software Vulnerability Exploits Abound\r\nAvaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt 2021-04-07 ⋅ ANALYST1 ⋅ Jon\r\nDiMaggio\r\nRansom Mafia Analysis of the World's First Ransomware Cartel\r\nConti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER 2021-04-07 ⋅ ANALYST1 ⋅\r\nJon DiMaggio\r\nRansom Mafia - Analysis of the World's First Ransomware Cartel\r\nConti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER 2021-03-26 ⋅ Trend Micro ⋅ Trend Micro\r\nAlleged Members of Egregor Ransomware Cartel Arrested\r\nEgregor QakBot 2021-03-24 ⋅ Cisco ⋅ Caitlin Huey, David Liebenberg\r\nQuarterly Report: Incident Response trends from Winter 2020-21\r\nEgregor REvil WastedLocker 2021-03-16 ⋅ The Record ⋅ Catalin Cimpanu\r\nFrance’s lead cybercrime investigator on the Egregor arrests, cybercrime\r\nEgregor 2021-03-02 ⋅ ANSSI ⋅ ANSSI\r\nEGREGOR RANSOMWARE\r\nEgregor 2021-03-02 ⋅ CERT-FR ⋅ CERT-FR\r\nThe Egregor Ransomware\r\nEgregor Maze Sekhmet 2021-03-01 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev\r\nRansomware Uncovered 2020/2021\r\nRansomEXX BazarBackdoor Buer Clop Conti 
DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot\r\nRansomEXX REvil Ryuk SDBbot TrickBot Zloader 2021-02-25 ⋅ FireEye ⋅ Brendan McKeague, Bryce Abdo, Van Ta\r\nSo Unchill: Melting UNC2198 ICEDID to Ransomware Operations\r\nMOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC 2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-02-17 ⋅ Intel 471 ⋅ Intel 471\r\nEgregor operation takes huge hit after police raids\r\nEgregor 2021-02-17 ⋅ Security Service of Ukraine ⋅ Security Service of Ukraine\r\nSBU blocks activity of transnational hacking group\r\nEgregor 2021-02-15 ⋅ Emsisoft ⋅ EmsiSoft Malware Lab\r\nRansomware Profile: Egregor\r\nEgregor 2021-02-11 ⋅ Morphisec ⋅ Morphisec\r\nAn Analysis of the Egregor Ransomware\r\nEgregor 2021-02-04 ⋅ Chainanalysis ⋅ Chainalysis Team\r\nBlockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains\r\nDoppelPaymer Egregor Maze SunCrypt 2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán Fernández\r\nDe ataque con Malware a incidente de Ransomware\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire\r\nDownloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX\r\nREvil Ryuk SDBbot SmokeLoader TrickBot Zloader 2021-01-18 ⋅ Arete ⋅ Adam Brown, Harold Rodriguez\r\nEgregor: The Ghost of Soviet Bears Past Haunts On\r\nEgregor 
2021-01-06 ⋅ FBI ⋅ FBI\r\nPIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort\r\nBusinesses by Publicly Releasing Exfiltrated Data\r\nEgregor QakBot 2021-01-04 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nTransLink confirms ransomware data theft, still restoring systems\r\nEgregor 2020-12-16 ⋅ Accenture ⋅ Paul Mansfield\r\nTracking and combatting an evolving danger: Ransomware extortion\r\nDarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt 2020-12-15 ⋅ Malwarebytes ⋅ Pieter Arntz\r\nThreat profile: Egregor ransomware is making a name for itself\r\nEgregor 2020-12-15 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab\r\nQakBot reducing its on disk artifacts\r\nEgregor PwndLocker QakBot 2020-12-14 ⋅ Trend Micro ⋅ Trend Micro Research\r\nEgregor Ransomware Launches String of High-Profile Attacks to End 2020\r\nEgregor 2020-12-11 ⋅ ⋅ ANSSI ⋅ ANSSI\r\nEGREGOR Ransomware\r\nEgregor 2020-12-08 ⋅ Palo Alto Networks Unit 42 ⋅ Brittany Barbehenn, Doel Santos, Robert Falcone\r\nThreat Assessment: Egregor Ransomware\r\nEgregor 2020-12-08 ⋅ Sophos ⋅ Anand Aijan, Bill Kearney, Gabor Szappanos, Mark Loman, Peter Mackenzie, Sean Gallagher, Sergio\r\nBestulic, Syed Shahram\r\nEgregor ransomware: Maze’s heir apparent\r\nEgregor Maze 2020-12-07 ⋅ Minerva Labs ⋅ Tom Roter\r\nEgregor Ransomware - An In-Depth Analysis\r\nEgregor Maze Sekhmet 2020-12-04 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nMetro Vancouver's transit system hit by Egregor ransomware\r\nEgregor 2020-12-04 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nLargest global staffing agency Randstad hit by Egregor ransomware\r\nEgregor 2020-12-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nKmart nationwide retailer suffers a ransomware attack\r\nEgregor 2020-12-03 ⋅ Recorded Future ⋅ Insikt Group®\r\nEgregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot\r\nEgregor QakBot 
2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary)\r\nTweet on increased #Qbot activity delivering Cobalt Strike \u0026 #Egregor ransomware\r\nCobalt Strike Egregor QakBot 2020-12-01 ⋅ Group-IB ⋅ Group-IB, Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev\r\nEgregor ransomware: The legacy of Maze lives on\r\nEgregor QakBot 2020-11-26 ⋅ Cybereason ⋅ Cybereason Nocturnus, Lior Rochberger\r\nCybereason vs. Egregor Ransomware\r\nCobalt Strike Egregor IcedID ISFB QakBot 2020-11-25 ⋅ SentinelOne ⋅ Jim Walter\r\nEgregor RaaS Continues the Chaos with Cobalt Strike and Rclone\r\nCobalt Strike Egregor 2020-11-20 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev\r\nThe Locking Egregor\r\nEgregor QakBot 2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nThe malware that usually installs ransomware and you need to remove right away\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx\r\nMegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader 2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich\r\nZooming into Darknet Threats Targeting Japanese Organizations\r\nConti DoppelPaymer Egregor LockBit Maze REvil Snake 2020-11-16 ⋅ Intel 471 ⋅ Intel 471\r\nRansomware-as-a-service: The pandemic within a pandemic\r\nAvaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk\r\nSunCrypt ThunderX 2020-11-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nRetail giant Cencosud hit by Egregor Ransomware attack, stores impacted\r\nEgregor 2020-11-12 ⋅ Intrinsec ⋅ Jean Bichet\r\nEgregor – Prolock: Fraternal Twins ?\r\nEgregor PwndLocker QakBot 2020-11-11 ⋅ Kaspersky Labs ⋅ Dmitry Bestuzhev, Fedor Sinitsyn\r\nTargeted ransomware: it’s not just about encrypting your data! 
Part 1 - “Old and New Friends”\r\nEgregor Maze RagnarLocker 2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nMaze ransomware is shutting down its cybercrime operation\r\nEgregor Maze 2020-10-29 ⋅ Security Boulevard ⋅ Tomas Meskauskas\r\nEgregor: Sekhmet’s Cousin\r\nEgregor 2020-10-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nBarnes \u0026 Noble hit by Egregor ransomware, strange data leaked\r\nEgregor 2020-10-15 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nUbisoft, Crytek data posted on ransomware gang's site\r\nEgregor 2020-10-02 ⋅ AppGate ⋅ AppGate Labs\r\nAppgate Labs Analyzes New Family Of Ransomware - Egregor\r\nEgregor 2020-09-18 ⋅ ⋅ ID Ransomware ⋅ Andrew Ivanov\r\nEgregor Ransomware\r\nEgregor\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor"
	],
	"report_names": [
		"win.egregor"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c",
			"created_at": "2022-10-25T16:07:23.277763Z",
			"updated_at": "2026-04-10T02:00:04.514755Z",
			"deleted_at": null,
			"main_name": "Solar Spider",
			"aliases": [],
			"source_name": "ETDA:Solar Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7583fbd4-2bc9-458d-81da-50b27b84e136",
			"created_at": "2023-02-15T02:01:49.565258Z",
			"updated_at": "2026-04-10T02:00:03.349283Z",
			"deleted_at": null,
			"main_name": "TA575",
			"aliases": [],
			"source_name": "MISPGALAXY:TA575",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "056826cb-6e17-4954-a9b4-2cc8c6ae3cb8",
			"created_at": "2023-03-04T02:01:54.115678Z",
			"updated_at": "2026-04-10T02:00:03.360898Z",
			"deleted_at": null,
			"main_name": "Prophet Spider",
			"aliases": [
				"GOLD MELODY",
				"UNC961"
			],
			"source_name": "MISPGALAXY:Prophet Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998",
			"created_at": "2023-01-06T13:46:39.207556Z",
			"updated_at": "2026-04-10T02:00:03.246557Z",
			"deleted_at": null,
			"main_name": "RIDDLE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:RIDDLE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e227b757-7032-4a99-b119-1bfda2ebd543",
			"created_at": "2023-01-06T13:46:39.21663Z",
			"updated_at": "2026-04-10T02:00:03.248543Z",
			"deleted_at": null,
			"main_name": "SOLAR SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SOLAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47b52642-e5b8-4502-b714-b625002d86aa",
			"created_at": "2024-06-19T02:03:08.086579Z",
			"updated_at": "2026-04-10T02:00:03.812509Z",
			"deleted_at": null,
			"main_name": "GOLD MELODY",
			"aliases": [
				"PROPHET SPIDER",
				"UNC961"
			],
			"source_name": "Secureworks:GOLD MELODY",
			"tools": [
				"7-Zip",
				"AUDITUNNEL",
				"BURP Suite",
				"GOTROJ",
				"JSP webshells",
				"Mimikatz",
				"Wget"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c",
			"created_at": "2022-10-25T16:07:24.12696Z",
			"updated_at": "2026-04-10T02:00:04.875073Z",
			"deleted_at": null,
			"main_name": "Riddle Spider",
			"aliases": [
				"Avaddon Team"
			],
			"source_name": "ETDA:Riddle Spider",
			"tools": [
				"Avaddon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0feb954fcb1e7715a48f6d9fe7d36cff3defa38.pdf",
		"text": "https://archive.orkl.eu/f0feb954fcb1e7715a48f6d9fe7d36cff3defa38.txt",
		"img": "https://archive.orkl.eu/f0feb954fcb1e7715a48f6d9fe7d36cff3defa38.jpg"
	}
}