{
	"id": "63cf3128-34d6-4c18-bd3d-ff56556e8b80",
	"created_at": "2026-04-06T00:09:14.03245Z",
	"updated_at": "2026-04-10T13:12:42.863274Z",
	"deleted_at": null,
	"sha1_hash": "f4cc781f3d98a56cba20613f0550f457a7d47956",
	"title": "RTF Template Injection: Phishing Attachment Techniques | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1336564,
	"plain_text": "RTF Template Injection: Phishing Attachment Techniques |\r\nProofpoint US\r\nBy December 01, 2021 Michael Raggi\r\nPublished: 2021-11-23 · Archived: 2026-04-05 12:55:28 UTC\r\nKey Takeaways  \r\nRTF template injection is a novel technique that is ideal for malicious phishing attachments because it is\r\nsimple and allows threat actors to retrieve malicious content from a remote URL using an RTF file. \r\nProofpoint has observed three APT actors from India, Russia, and China using this technique in 2021,\r\ntargeting a variety of entities likely of interest to their respective states. \r\nRTF template injection is poised for wider adoption in the threat landscape including among\r\ncybercriminals based on its ease of use and relative effectiveness when compared with other phishing\r\nattachment template injection-based techniques. \r\nOverview \r\nProofpoint threat researchers have observed the adoption of a novel and easily implemented phishing attachment\r\ntechnique by APT threat actors in Q2 and Q3 of 2021. This technique, referred to as RTF template injection,\r\nleverages the legitimate RTF template functionality. It subverts the plain text document formatting properties of an\r\nRTF file and allows the retrieval of a URL resource instead of a file resource via an RTF’s template control word\r\ncapability. This enables a threat actor to replace a legitimate file destination with a URL from which a remote\r\npayload may be retrieved. \r\nThe sample RTF template injection files analyzed for this publication currently have a lower detection rate by\r\npublic antivirus engines when compared to the well-known Office-based template injection technique. Proofpoint\r\nhas identified distinct phishing campaigns utilizing the technique which have been attributed to a diverse set of\r\nAPT threat actors in the wild. 
While this technique appears to be making the rounds among APT actors in several\r\nnations, Proofpoint assesses with moderate confidence, based on the recent rise in its usage and the triviality of its\r\nimplementation, that it could soon be adopted by cybercriminals as well.\r\nRTF Template Injection\r\nRTF template injection is a simple technique in which an RTF file containing decoy content can be altered to\r\nallow for the retrieval of content hosted at an external URL upon opening the RTF file. By altering an RTF file’s\r\ndocument formatting properties, specifically the “\\*\\template” document formatting control word,\r\nactors can weaponize an RTF file to retrieve remote content by specifying a URL resource instead of an accessible\r\nfile resource destination. RTF files include their document formatting properties as plaintext strings within the\r\nbytes of the file. This allows the property control word syntax to be referenced even in the absence of a word\r\nprocessor application, providing formatting stability for the filetype across numerous platforms. However, RTF\r\nhttps://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread\r\nPage 1 of 14\n\nfiles are often subverted for malicious file delivery in the context of a phishing campaign precisely because\r\nthese plaintext strings within the bytes of a file are malleable. While historically the use of embedded malicious\r\nRTF objects has been well documented as a method for delivering malware files using RTFs, this new technique is\r\nsimpler and, in some ways, a more effective method for remote payload delivery than previously\r\ndocumented techniques.\r\nFigure 1. RTF Document Formatting Properties, Rich Text Format (RTF) Version 1.5 Specification.
\r\nAs documented in the RTF Version 1.5 specification (Figure 1), RTF files include a “\\*\\template” control\r\nword, where the control symbol “\\*” designates that the following value is a destination, and “template” designates the\r\nspecific control word function. This control word value is intended to be the destination of a legitimate template\r\nfile which is retrieved and loaded upon the opening of the initial RTF, changing the visual appearance of the file.\r\nHowever, it is trivial to alter the bytes of an existing RTF file to insert a template control word destination\r\nincluding a URL resource. This allows the RTF file to retrieve a URL resource as a destination rather than a file\r\nas the RTF structure intends. This method is viable in both .rtf and .doc.rtf files, allowing for the successful\r\nretrieval of remote payloads hosted at an external URL.\r\nRTF Template Injection in Microsoft Word\r\nIn the case of .doc.rtf files, the extension specifies that the RTF file will be opened using Microsoft Word. As a\r\nresult, when an RTF remote template injection file is opened using Microsoft Word, the application will retrieve\r\nthe resource from the specified URL before proceeding to display the lure content of the file. This technique is\r\nsuccessful despite the inserted URL not being a valid document template file. This process is demonstrated in\r\nFigures 2 and 3 below, in which an RTF file has been weaponized by researchers to retrieve the documentation\r\npage for RTF version 1.5 from a URL at the time the file is opened. The technique is also valid for the .rtf file\r\nextension; however, a message is displayed when the file is opened in Word indicating that the content of the\r\nspecified URL is being downloaded, and in some instances an error message is displayed in which the application\r\nstates that an invalid document template was used, before the lure content within the file is then displayed.
\r\nFigure 2. Sample RTF template injection File Downloading Remote Resource.\r\nFigure 3. Sample RTF template injection File Displayed Lure.\r\nWeaponization\r\nThe weaponization of an RTF file can be achieved by creating or altering an existing RTF file’s document\r\nproperty bytes using a hex editor. This technique does not require the use of a word processor application for the\r\ninjection of the RTF remote template URL into the file. The example in Figure 4 demonstrates the insertion of a\r\ntemplate control word into an existing RTF file, specifically within a preexisting enclosing group for a font family\r\ncontrol word. Note that the template control word is not placed in its own independent set of braces, which\r\nwould result in an invalid RTF file format error. Instead, it is appended at the beginning of an existing enclosing group\r\nfor a font family control word, preserving a valid RTF file structure. This is not the only control word group of an\r\nRTF file that will successfully incorporate a template control word as part of an existing enclosing group. RTF\r\nfiles allow for the parsing of destination control words in a number of enclosing groups throughout the file\r\nstructure. The file excerpt in Figure 4 has been included for demonstrative purposes.\r\nFigure 4. Sample RTF template injection Template Control Word.\r\nThe success of this technique was tested in a limited capacity by researchers at Proofpoint and is likely more\r\nmalleable than what has been demonstrated in this publication. The malleability of this method paired with an\r\nRTF file’s capability to render encoding for Unicode characters further increases the viability of this technique.
By including the template control word within various enclosing groups of a file and utilizing Unicode rendering to\r\nobfuscate the included URLs, this technique may prove to be an in-the-wild alternative to Office-based template\r\ninjection.\r\nA Timeline of APT Actors Adopting RTF Template Injection\r\nProofpoint has observed an increasing adoption of RTF template injection from February through April of 2021 by\r\nAPT threat actors. While the technique appears to pre-date this adoption, with researchers mentioning the\r\ntechnique as early as January 2021, two distinct APT groups believed to be associated with the state interests of\r\nIndia and China adopted RTF template injection during this time. Signs of weaponization, including the\r\nregistration of delivery infrastructure, were observed beginning on March 15, 2021 and April 8, 2021, respectively,\r\nwith multiple distinct campaigns following throughout the months of April and May.\r\nTemplate injection RTF files attributable to the APT group DoNot Team, which has historically been suspected of\r\nbeing aligned with Indian state interests, were identified through July 8, 2021. RTF files likely attributable to a\r\nChinese-related APT actor were identified as recently as September 29, 2021, targeting entities with ties to\r\nMalaysian deep water energy exploration. Following this initial adoption period, the APT actor Gamaredon, which\r\nhas been linked to the Russian Federal Security Service (FSB), was later observed utilizing RTF template injection\r\nfiles in campaigns that leveraged Ukrainian governmental file lures on October 5, 2021.\r\nFigure 5. Timeline of RTF template injection Adoption by APT Actors.
\r\nAnalyzing DoNot Team RTF Template Injection\r\nThe earliest observed public instance of the APT actor DoNot Team utilizing RTF template injection files appears\r\nto have occurred in February 2021 with lures referencing the same period. Some RTF template injection\r\nfiles attributed by security researchers to DoNot Team had compilation timestamps from 2017, suggesting\r\npossible earlier adoption. However, Proofpoint could not verify this group’s usage of the technique dating back\r\nseveral years and notes that manipulation of compilation stamps in RTF files is a technique within threat actors’\r\ncapabilities.\r\nFiles publicly identified on April 5, 2021 utilize signed 16-bit Unicode character notation within the RTF file that,\r\nwhen rendered, is revealed to be the remote template injection URL within the RTF template property field. This\r\ngroup used this same technique throughout subsequent campaigns spanning from April through July 2021.\r\nSamples from the campaign utilized “defense proposal” lures and appeared to target entities in Pakistan and Sri\r\nLanka. The use of signed Unicode character notation obfuscates the URL value included in the\r\nRTF file and is likely used by actors in an effort to evade static detection signatures in anti-virus engines. The\r\nability of RTF files to parse these signed 16-bit Unicode characters provides actors an alternative to using\r\nplaintext strings containing a URL, which would allow for easy analysis of malicious samples upon detection. A\r\ndetailed description of how to decode this URL format within DoNot Team files has been published by the\r\nsecurity analyst Rafa Pedrero following mention of the sample in open source.
\r\nFigure 6. DoNot Team RTF template injection File Signed 16-Bit Unicode Template URL.\r\nA deeper analysis of the structure of DoNot Team’s RTF template injection files reveals that they include the\r\ntemplate formatting property within a preexisting list override table in the RTF file. This table is part of a list of\r\nlists within an RTF that governs the formatting of various document features including things like headers,\r\nfooters, and footnotes. In the case of the DoNot Team attachment files, the malicious template control word is\r\nembedded within the “\\*\\wgrffmtfilter” control word enclosing group. This feature is intended to apply a set of\r\nfilters that will limit the displayed document style options in Microsoft Word when an RTF file is opened. The\r\n“wgrffmtfilters” are normally specified by four-digit hexadecimal values. This preexisting hexadecimal value may\r\nhave informed the threat actor’s decision to include the template field in this section, since they used signed 16-bit Unicode format to replace an existing hexadecimal value.\r\nDespite the perceived sophistication in using Unicode encoding within the RTF injection template, DoNot Team\r\nappears to have struggled to seamlessly integrate the template control word into the RTF file for initialization in\r\nMicrosoft Word. When opening the files in Microsoft Word, a downloading message is displayed which reveals\r\nthe intended malicious URL along with the invalid document template error message described above. These\r\nmessages are visible in Figures 7 and 8.
Further, the files were altogether lacking social engineering content,\r\ndisplaying a blank document after the downloading alert and error messages were displayed. Samples analyzed for\r\nthe purposes of this blog include:\r\n801402ffa0f0db6cc8fc74c68c4b707a625205f25bc2c379f6a8b8329231eb56\r\n694d433a729b65993dae758e862077c2d82c92018e8e310e121e1fa051567dba\r\nFigure 7. DoNot Team RTF template injection File Downloading Remote Payload.\r\nFigure 8. DoNot Team RTF template injection File Document Template Error Message.\r\nTA423 Adopts RTF Template Injection to Target Malaysia\r\nBetween April and late September 2021, security researchers identified RTF template injection files in campaigns\r\ntargeting entities in Malaysia as well as international companies operating in the energy exploration sector. These\r\nfiles demonstrate a persistent targeting of entities operating in the region utilizing RTF template injection files as\r\nphishing attachments. Unlike previously observed variants of files using this technique, these files include remote\r\ntemplate injection URLs in plaintext. The URLs referencing external content were plainly visible in the strings of\r\nthe RTF attachments. Of note is that this threat actor also weaponized the RTF files by using a different section of\r\nthe document formatting properties than was previously observed among the DoNot Team campaigns. This actor\r\nchose to modify a preexisting enclosing group with a font family control word rather than the “wgrffmtfilters”\r\ngroup previously discussed.
Below is an analyzed public sample from July 2021 for demonstrative purposes:\r\ndf203b04288af9e0081cd18c7c2daec2bc4686e2e21dcaf415bb70bbd12169a0\r\nFigure 9. TA423 RTF template injection File Template Control Word.\r\nThe Malaysian-themed RTF template injection file successfully loaded in Microsoft Word without displaying error\r\nmessages or the URL downloading content message. The social engineering lure within the document\r\nis a simple message impersonating Office 365 that requests users to “Enable Editing” and “Enable Content” for\r\nthe file. Additionally, it includes a single line referencing the National Palace in Kuala Lumpur.\r\nFigure 10. TA423 Malaysian Themed RTF template injection File Lure.\r\nGamaredon Onboards RTF Template Injection Capabilities\r\nAt the beginning of October 2021, Proofpoint researchers identified public samples of Gamaredon RTF template\r\ninjection documents which impersonated the Ukrainian Ministry of Defense. This tactic is consistent\r\nwith reporting on this APT group that links Gamaredon to the Russian FSB operating in the Republic of Crimea\r\nand the city of Sevastopol. The files communicate with the domain pretence77.glorious[.]nonima[.]ru, which also\r\nwas a remote template delivery URL used by several Microsoft Office Word documents that impersonated\r\nUkrainian government organizations. These Office files communicate with actor infrastructure using a URI pattern\r\npreviously observed among Gamaredon malicious Microsoft Office phishing documents.
Specifically, the\r\nMicrosoft Office documents used remote template injection to retrieve malicious payload files using URIs with\r\nthe directory “/ELENAPC/principles/” on several occasions. Additionally, in several instances the resources\r\nretrieved delivered an MP3 file as a delivery resource.\r\nThe combination of these shared delivery domains, use of known Gamaredon remote template injection document\r\ntechniques, social engineering lures impersonating governmental organizations within the group’s primary area of\r\nresponsibility, and the URI patterns across both RTF and Office template injection files allowed researchers to\r\nattribute the samples to Gamaredon. Researchers note that several of these Office remote template injection\r\ndocuments were identified in open source in relation to Gamaredon on October 6, 2021.\r\nFigure 11. Gamaredon RTF template injection File Lure.\r\nRelated Files and URLs:\r\nThe RTF template injection files observed in use by the Gamaredon group notably include the template control\r\nword in the same group as DoNot Team malicious files. Gamaredon similarly utilizes the “\\*\\wgrffmtfilter”\r\ncontrol word enclosure group that governs document style filters.
Gamaredon, however, opts to include the URL\r\nin plaintext rather than using signed 16-bit Unicode values. Gamaredon’s use of this technique alongside several\r\nother attachment delivery methods, such as Office and XML template documents which all share a single remote\r\ntemplate URL, suggests that the actor is experimenting with new file types. The actor may be comparing the\r\neffectiveness of their efforts that utilize diverse attachment files to gauge the efficacy of their phishing tactics as\r\nthey stage new campaigns. While Proofpoint cannot definitively determine where Gamaredon may have\r\nencountered this RTF template injection technique, the inclusion of the template control word within the style\r\nfilter section of the document suggests that they may be replicating capabilities encountered in open source that\r\nwere previously used as part of the DoNot Team campaigns earlier in 2021.\r\nFigure 12. Gamaredon RTF template injection File Template Control Word.\r\nOutlook: Injections are So 2021\r\nThe viability of XML Office-based remote template documents has proven that this type of delivery mechanism is\r\na durable and effective method when paired with phishing as an initial delivery vector. The innovation by threat\r\nactors to bring this method to a new file type in RTFs represents an expanding surface area of threat for\r\norganizations worldwide. While this method currently is used by a limited number of APT actors with a range of\r\nsophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further\r\nacross the threat landscape. Ultimately, this is a technique poised for wider adoption in the threat landscape beyond\r\ntargeted phishing attacks, with likely adopters being crimeware actors.
While Indian and Chinese APT actors have\r\ndemonstrated an affinity for RTF file types in the past by using RTF weaponizers like the tool Royal Road,\r\ndefenders eventually saw those tools and techniques become widely used by less sophisticated actors. This well-established trickle-down pattern may be accelerated in this case based on the minimal effort needed to weaponize\r\nRTF attachments before deploying them in active phishing campaigns.\r\nET Signatures\r\nSID: 2032483 - ET TROJAN DonotGroup Template Download\r\nSID: 2034157 - ET TROJAN Gamaredon Maldoc Remote Template Retrieval (GET)\r\nSID: 2034156 - ET TROJAN Gamaredon Maldoc Remote Template Retrieval (GET)\r\nYARA Signatures\r\nrule Proofpoint_RTFtemplateInjection_Technique_Generic_HTTP_HTTPS\r\n{\r\n    meta:\r\n        author = \"Proofpoint Threat Research\"\r\n        description = \"Detects malicious RTFs using RTF Template Injection to Retrieve Remote Content from a URL\"\r\n        disclaimer = \"Yara signature created for hunting purposes - not quality controlled within enterprise environment\"\r\n        hash1 = \"43538d9010462668721f178efaeca89f95f6f35a\"\r\n        hash2 = \"b5ec74e127ce9dfcb1b3bd9072c1d554b59b4005\"\r\n    strings:\r\n        $rtf = { 7b 5c 72 74 66 } // rtf_bytes: {\\rtf\r\n        $s1 = \"{\\\\*\\\\template http\" ascii nocase // https_intentionally_not_specified\r\n    condition:\r\n        $rtf at 0 and $s1\r\n}\r\nrule Proofpoint_RTFtemplateInjection_Technique_Generic_Unicode_16Bit\r\n{\r\n    meta:\r\n        author = \"Proofpoint Threat Research\"\r\n        description = \"Detects malicious RTFs using RTF Template Injection to Retrieve Remote Content from Unicode 16 Bit Encoded URL\"\r\n        disclaimer = \"Yara signature created for hunting purposes - not quality controlled within enterprise environment\"\r\n        hash1 = \"fbc8064399008fe20f350f0de5e4bbf5833847c7\"\r\n        hash2 = \"6c01fe16e8cffa3049e84707672b82dc32f1cf72\"\r\n    strings:\r\n        $rtf = { 7b 5c 72 74 66 } // rtf_bytes: {\\rtf\r\n        $s1 = {7B 5C 2A 5C 74 65 6D 70 6C 61 74 65 20 0D 0A 5C 75 2D } // {\\*\\template \\u-\r\n    condition:\r\n        $rtf at 0 and $s1\r\n}\r\nLearn more\r\nSANS STAR Live Stream: https://www.youtube.com/watch?v=bqyOtkibGro\u0026feature=youtu.be\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread"
	],
	"report_names": [
		"injection-new-black-novel-rtf-template-inject-technique-poised-widespread"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc",
			"created_at": "2022-10-25T16:07:23.546262Z",
			"updated_at": "2026-04-10T02:00:04.651083Z",
			"deleted_at": null,
			"main_name": "Donot Team",
			"aliases": [
				"APT-C-35",
				"Mint Tempest",
				"Origami Elephant",
				"SectorE02"
			],
			"source_name": "ETDA:Donot Team",
			"tools": [
				"BackConfig",
				"EHDevel",
				"Jaca",
				"yty"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434154,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4cc781f3d98a56cba20613f0550f457a7d47956.pdf",
		"text": "https://archive.orkl.eu/f4cc781f3d98a56cba20613f0550f457a7d47956.txt",
		"img": "https://archive.orkl.eu/f4cc781f3d98a56cba20613f0550f457a7d47956.jpg"
	}
}