{
	"id": "a2bb8445-2c1e-4f59-b66c-a4003cdaff29",
	"created_at": "2026-04-06T02:11:20.642803Z",
	"updated_at": "2026-04-10T03:38:19.851164Z",
	"deleted_at": null,
	"sha1_hash": "f2bfcb7ec3094df8c19e943ba2bb835b54d890fa",
	"title": "Threat actor impersonates FSB APT to target Russian orgs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 597782,
	"plain_text": "Threat actor impersonates FSB APT to target Russian orgs\r\nBy Catalin Cimpanu\r\nPublished: 2025-01-22 · Archived: 2026-04-06 01:53:44 UTC\r\nThis newsletter is brought to you by Resourcely, the company that can help you manage Terraform securely.\r\nYou can subscribe to an audio version of this newsletter as a podcast by searching for \"Risky Business\" in your\r\npodcatcher or subscribing via this RSS feed.\r\nA cyber-espionage group has mimicked the tactics of an FSB-linked APT to target Russian organizations for\r\nmonths.\r\nNamed GamaCopy (or Core Werewolf), the group emulated the tactics of Gamaredon (or Armageddon), a cyber-espionage group operated by the Russian FSB intelligence agency from the occupied region of Crimea.\r\nThe group's false flag attacks have been taking place since June of last year. The campaign has tricked several\r\nsecurity vendors who misattributed attacks to Gamaredon, according to a report from Chinese security firm\r\nKnownsec 404.\r\nThe spear-phishing campaigns have used military-related lures to target individuals in Russia's defense and critical\r\ninfrastructure sectors and trick them into extracting malicious 7zip archive files.\r\n\"Obviously, this is a successful false flag operation by the organization that has deceived some vendors\r\nwho have not conducted in-depth analysis.\"\r\nKnownsec 404 has not made a formal attribution for GamaCopy, and neither have the Russian security vendors\r\nwho previously covered past campaigns, such as BI.ZONE, FACCT, and Kaspersky.\r\nWhile Ukraine would seem an easy source of origin for the attacks, both China and North Korea have been just as\r\nactive in spying on Russian defense orgs over the past two years as the Ukrainians, so it's not as clear as it may\r\nlook.\r\nRisky Business Podcasts\r\nRisky Business is now on YouTube with video versions of our main podcasts. 
Below is our latest weekly show with\r\nPat and Adam at the helm!\r\nhttps://news.risky.biz/risky-bulletin-threat-actor-impersonates-fsb-apt-for-months-to-target-russian-orgs/\r\nPage 1 of 8\n\nBreaches, hacks, and security incidents\r\nRostelecom attack: The Russian government says that a threat actor has hacked one of Rostelecom's contractors\r\nbut that the incident did not impact the activity of the government's Gosuslugi e-portal. A hacking group named\r\nSilent Crow has breached and leaked data from several of Rostelecom's online portals. The Russian company and\r\nthe Russian government have confirmed the hack and blamed the breach on one of Rostelecom's contractors.\r\nRostelecom manages Russia's e-government portal known as the Gosuslugi. Rostelecom says the leaked data is\r\nnot sensitive in nature and did not impact Gosuslugi in any way. This is Silent Crow's second major hack this year\r\nafter it also breached Russia's State Registration, Cadastre, and Cartography agency, the Rosreestr.\r\nHPE investigates breach: American tech giant HPE is investigating a possible security breach after a threat actor\r\nstarted advertising a batch of data allegedly stolen from its servers. The hacker claims to have stolen old user data\r\nand source code for the Zerto \u0026 iLO products. The threat actor is named IntelBroker, the same individual who\r\nbreached Cisco's DevHub portal at the end of last year. 
[Additional coverage in SecurityWeek]\r\nCarrefour leak: On the same note, a threat actor is also claiming to have breached French retail giant Carrefour.\r\nThis one's unconfirmed at the time of writing.\r\nGeneral tech and privacy\r\nDouyin takes down restrictions: Douyin, the name of the Chinese version of TikTok, has removed restrictions on\r\nthe use of foreign phone numbers to register accounts. This means that international users can now apply and\r\nbrowse the Chinese version of TikTok. [Additional coverage in Tech In Asia]\r\nCoDCW anti-cheat: A reverse engineer known as ssno has reverse-engineered the anti-cheat system used by the\r\nCall of Duty: Cold War game.\r\nRPKI ROA coverage: According to RIPE Labs, more than half of both the IPv4 and IPv6 routes in the global\r\nrouting system are covered by RPKI ROAs (~ 54%).\r\nGovernment, politics, and policy\r\nTrump revokes Biden's AI executive order: Hours after being sworn in, US President Donald Trump has\r\nrevoked a 2023 executive order signed by his predecessor that required AI companies to limit the risks that\r\nartificial intelligence poses to consumers, workers, and national security. [Additional coverage in Reuters and\r\nLawfare Media]\r\n\"Large AI labs, such as Google and OpenAI, faced reporting requirements under the EO. The Biden\r\nadministration intended for the US AI Safety Institute—also a product of the EO—to ensure that leading\r\nAI models did not pose excessive societal risks. [...] In line with the GOP platform, which called for\r\naccelerating AI research and deployment, any forthcoming AI EO by the Trump Administration will\r\nlikely omit safeguards related to privacy, misinformation, and bias.\"\r\nTrump ousts CSRB members: The Trump administration has removed all non-government members from all\r\nDHS committees, including the Cyber Safety Review Board. 
Six CSRB members representing private sector\r\nentities were removed, such as Heather Adkins, Dmitri Alperovitch, and Rob Joyce. The CSRB was founded in\r\nFebruary 2022 and had a 14-member panel. [Additional coverage in Politico] [Post-publication update: We\r\nremoved Chris Krebs of SentinelOne from the list. The company told us Krebs resigned on Saturday, two days\r\nbefore Trump was sworn in.]\r\nIn this Risky Bulletin sponsor interview, Travis McPeak, the CEO and founder of Resourcely, explains that\r\ncompanies are now realising they have a ton of cloud-related technical debt because of the success of cloud\r\nposture management products. Travis talks about different approaches he has seen to tackle rampant cloud\r\nmisconfigurations.\r\nArrests, cybercrime, and threat intel\r\nFraudster pleads guilty: A Washington man has pleaded guilty to his role in running multiple smishing\r\ncampaigns that resulted in losses of almost $600,000 to victims.\r\nDrugHub leaks real IP addresses: The DrugHub has leaked the real-world IP address on which it hosts its dark\r\nweb drugs marketplace. The IP address is 186.2.171.6, owned by UAE ISP IQWeb FZ-LLC.\r\nFake Fortinet leak installs malware: Last week, a threat actor leaked the configuration files and login\r\ncredentials of over 15,000 Fortinet firewalls. Now, a threat actor is using that leak as a lure to distribute a malware-laced ZIP file via GitHub.\r\nMalicious Chrome extensions: Security researcher Wladimir Palant has discovered 35 Chrome extensions that\r\ncircumvent a Google ban and retrieve and execute code from remote servers. The extensions pose as VPN and ad-block-related tools but spy on users and engage in affiliate link fraud. 
All the extensions are still available through\r\nthe official Chrome Web Store.\r\n\"As noted last week I consider it highly problematic that Google for a long time allowed extensions to\r\nrun code they downloaded from some web server, an approach that Mozilla prohibited long before\r\nGoogle even introduced extensions to their browser.\"\r\nZendesk abuse: CloudSEK has spotted a threat actor abusing Zendesk SaaS infrastructure to mimic popular\r\nbrands for phishing and online fraud operations.\r\nSpam bomb campaigns: Threat actors are adopting spam bombs to overwhelm workers at large corporations and\r\nthen contact the target posing as their IT help desk. Attackers usually contact workers via Microsoft Teams by\r\nexploiting a misconfiguration in the Teams platform that allows remote parties to call and text individuals inside\r\nprivate workspaces. The technique was first used last year by a Black Basta ransomware affiliate [Rapid7, Red\r\nCanary, Microsoft] and has now spread to other groups.\r\nMalware technical reports\r\nInfostealer hunting guide: Israel's National Cyber Directorate has published a guide [PDF] for hunting\r\ninfostealer malware.\r\nApateWeb: Validin has published new IOCs on ApateWeb, a botnet of hacked websites that redirects users to\r\nPUP and scareware.\r\nQbot: Walmart's security team is raising the alarm that the Qbot (Qakbot, Pinkslipbot) botnet is slowly rebuilding\r\nits infrastructure and mounting new operations following a law enforcement takedown in May 2024.\r\nMurdoc botnet: Qualys researchers have discovered a new IoT botnet used to carry out large-scale DDoS attacks.\r\nNamed Murdoc, the botnet began operating in July of last year. Qualys says the botnet was assembled by\r\nexploiting unpatched vulnerabilities in AVTECH cameras and Huawei routers. 
Based on open-source intelligence,\r\nthe botnet is currently running on around 1,300 devices.\r\nResourcely is releasing Campaigns, a tool for identifying and remediating vulnerabilities in your existing\r\ninfrastructure. Want to burn down your CSPM findings? Try out Campaigns today!\r\nAPTs, cyber-espionage, and info-ops\r\nLazarus' InvisibleFerret: ANY.RUN has published a report on InvisibleFerret, a Python-based backdoor\r\ndistributed as an npm package. The malware was linked to the Lazarus Group last year by Hauri, PAN, and\r\nGroup-IB.\r\nOperation 99: SecurityScorecard has spotted a new \"fake interview\" campaign linked to North Korean hackers.\r\nThis one targeted freelance Web3 and cryptocurrency developers.\r\nDonot Android malware: Security firm CyFirma has published a report on a piece of Android malware it found\r\nin the Tanzeem Android app. The company says the malware appears to be the work of the Donot APT group.\r\nFakeTicketer: A new cyber-espionage group named FakeTicketer has targeted Russian government officials in a\r\nclever campaign that used fake tickets for sporting events. The campaign has been going on since June of last year\r\nand used tickets for Russian football matches and rowing competitions to trick victims into infecting themselves\r\nwith malware. The final payload was a new malware family named Zagrebator, consisting of a loader, RAT, and\r\ninfostealer.\r\nOceanLotus comeback: Chinese security firm QiAnXin reports seeing new attacks from Vietnamese APT group\r\nOceanLotus after a period of inactivity. The new attacks targeted China's military, energy, and aerospace sectors.\r\nMore on the US-hacks-China report: Back in December, the Chinese CERT accused the US government of\r\nhacking two Chinese organizations. 
CERTCN has now published a tad more details and IOCs, including some of\r\nthe attacking IPs—if you can call entire /16 subnets that. The organization claims the attacks took place during a\r\n10:00 to 20:00 time window, from Monday to Friday on an Eastern US timezone. They also claim no attacks took\r\nplace during US holidays.\r\nVulnerabilities, security research, and bug bounty\r\n7zip patches: The 7zip team has patched a bug that allowed threat actors to bypass the Mark-of-the-Web\r\nprotection mechanism and drop \"safe-looking\" files from malicious archives.\r\nElastic security updates: Elastic has released security updates for the Elasticsearch database, the Defend security\r\nsystem, and the Kibana UI.\r\nIntel TDX vulnerabilities: A team of academics from the Indian Institute of Technology Kharagpur has\r\ndiscovered several vulnerabilities in the Intel Trust Domain Extensions (TDX) trusted execution environment\r\n(TEE) technology. The vulnerabilities can be used to breach the isolation between the Virtual Machine Manager\r\n(VMM) and Trust Domains (TDs).\r\n\"In this work for the first time, we show through a series of experiments that these performance\r\ncounters can also be exploited by the VMM to differentiate between activities of an idle and active TD.\r\nThe root cause of this leakage is core contention. This occurs when the VMM itself, or a process\r\nexecuted by the VMM, runs on the same core as the TD. Due to resource contention on the core, the\r\neffects of the TD's computations become observable in the performance monitors collected by the\r\nVMM. 
This finding underscores the critical need for enhanced protections to bridge these gaps within\r\nthese advanced virtualized environments.\"\r\nInfosec industry\r\nThreat/trend reports: Cloudflare, CyberInt, Omdia, Recorded Future, RIPE Labs, SentinelOne, and Trustwave\r\nhave published reports and summaries covering various infosec trends and industry threats.\r\nNew infosec book: VirusTotal founder Bernardo Quintero has published a book on the company's launch, growth,\r\nand up until its Google acquisition.\r\nNew tool—BaitRoute: Security researcher Utku Sen has released BaitRoute, a web honeypot library to create\r\nvulnerable-looking endpoints to detect and mislead attackers.\r\nNew tool—Cyberbro: Cybersecurity engineer Stanislas M. has released Cyberbro, a tool to extract IoCs from\r\ngarbage input and check their reputation using multiple CTI services.\r\nRisky Business Podcasts\r\nIn this podcast, Tom Uren and Adam Boileau talk about the continued importance of hack and leak operations.\r\nThey didn't really affect the recent US presidential election, but they are still a powerful tool for vested interests to\r\ninfluence public policy.\r\nIn this edition of Between Two Nerds, Tom Uren and The Grugq talk about the evolution of Russian cyber\r\noperations during its invasion of Ukraine.\r\nSource: https://news.risky.biz/risky-bulletin-threat-actor-impersonates-fsb-apt-for-months-to-target-russian-orgs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://news.risky.biz/risky-bulletin-threat-actor-impersonates-fsb-apt-for-months-to-target-russian-orgs/"
	],
	"report_names": [
		"risky-bulletin-threat-actor-impersonates-fsb-apt-for-months-to-target-russian-orgs"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d18b9735-1af7-433c-a582-a01886bc5e3f",
			"created_at": "2024-10-25T02:02:07.582653Z",
			"updated_at": "2026-04-10T02:00:04.569471Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "ETDA:Awaken Likho",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f9871bb8-2d6a-498e-9798-ca42d008ba26",
			"created_at": "2025-03-07T02:00:03.808806Z",
			"updated_at": "2026-04-10T02:00:03.836261Z",
			"deleted_at": null,
			"main_name": "GamaCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:GamaCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0263e1e1-4568-410a-a5e4-6932db1d40da",
			"created_at": "2024-06-26T02:00:04.854969Z",
			"updated_at": "2026-04-10T02:00:03.667295Z",
			"deleted_at": null,
			"main_name": "IntelBroker",
			"aliases": [],
			"source_name": "MISPGALAXY:IntelBroker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "90074ca4-8a4a-42dc-a395-25db4f44c1a4",
			"created_at": "2024-10-08T02:00:04.462582Z",
			"updated_at": "2026-04-10T02:00:03.722048Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "MISPGALAXY:Awaken Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441480,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2bfcb7ec3094df8c19e943ba2bb835b54d890fa.pdf",
		"text": "https://archive.orkl.eu/f2bfcb7ec3094df8c19e943ba2bb835b54d890fa.txt",
		"img": "https://archive.orkl.eu/f2bfcb7ec3094df8c19e943ba2bb835b54d890fa.jpg"
	}
}