{
	"id": "2ee5fc69-0f89-4666-8c32-a3136a953a21",
	"created_at": "2026-04-06T00:19:23.184697Z",
	"updated_at": "2026-04-10T03:35:52.994395Z",
	"deleted_at": null,
	"sha1_hash": "f57f1bde5e9e4b6c2eea46bb6bae72501b7be4e3",
	"title": "Financially motivated threat actors misusing App Installer | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1192552,
	"plain_text": "Financially motivated threat actors misusing App Installer |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-12-28 · Archived: 2026-04-02 10:56:59 UTC\r\nSince mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially\r\nmotivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller\r\nURI scheme (App Installer) to distribute malware. In addition to ensuring that customers are protected from\r\nobserved attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this\r\nactivity, Microsoft has disabled the ms-appinstaller protocol handler by default.\r\nThe observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an\r\naccess vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a\r\nmalware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler. These threat actors\r\ndistribute signed malicious MSIX application packages using websites accessed through malicious advertisements\r\nfor legitimate popular software. 
A second vector of phishing through Microsoft Teams is also in use by Storm-1674.\r\nThreat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms\r\ndesigned to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser\r\nwarnings for downloads of executable file formats.\r\nIn this blog, we provide an analysis of activity by financially motivated threat actors abusing App Installer\r\nobserved since mid-November 2023.\r\nThreat actors abusing App Installer since mid-November 2023\r\nMicrosoft Threat Intelligence observed several actors—including Storm-0569, Storm-1113, Sangria Tempest, and\r\nStorm-1674—using App Installer as a point of entry for human-operated ransomware activity. The observed\r\nactivity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as\r\nlegitimate applications, and evading detections on the initial installation files. \r\nStorm-0569\r\nAt the beginning of December 2023, Microsoft observed Storm-0569 distributing BATLOADER through search\r\nengine optimization (SEO) poisoning with sites spoofing legitimate software downloads such as Zoom, Tableau,\r\nTeamViewer, and AnyDesk. Users who search for a legitimate software application on Bing or Google may be\r\npresented with a landing page spoofing the original software provider’s site that includes links to\r\nmalicious installers through the ms-appinstaller protocol. Spoofing and impersonating popular legitimate software\r\nis a common social engineering tactic. This software is not affected by the attacks directly, but this information\r\ncan help users better spot malicious spoofing by threat actors.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\r\nPage 1 of 11\n\nFigure 1. 
A malicious landing page spoofing Zoom accessed via malicious search engine\r\nadvertisement for Zoom downloads\r\nFigure 2. Sample malicious App Installer experience. Note the Publisher is not who a user should\r\nexpect to be publishing this software.\r\nUsers who click the links to the installers are presented with the desktop App Installer experience. If the user\r\nclicks “Install” in the desktop App Installer, the malicious application is installed and eventually runs additional\r\nprocesses and scripts that lead to malware installation.\r\nStorm-0569 then uses PowerShell and batch scripts that lead to the download of BATLOADER. In one observed\r\ninstance, Storm-0569’s BATLOADER dropped a Cobalt Strike Beacon followed by data exfiltration using the\r\nRclone data exfiltration tools and Black Basta ransomware deployment by Storm-0506.\r\nStorm-0569 is an access broker that focuses on downloading post-compromise payloads, such as BATLOADER,\r\nthrough malvertising and phishing emails containing malicious links to download sites. The threat actor also\r\nprovides malicious installers and landing page frameworks to other actors. They cover multiple infection chains\r\nthat typically begin with maliciously signed Microsoft Installer (MSI) files posing as legitimate software\r\ninstallations or updates for applications such as TeamViewer, Zoom, and AnyDesk. Storm-0569 infection chains\r\nhave led to additional dropped payloads, including IcedID, Cobalt Strike Beacon, and remote monitoring and\r\nmanagement (RMM) tools, culminating in a handoff to ransomware operators like Storm-0846 and Storm-0506.\r\nStorm-1113\r\nSince mid-November 2023, Microsoft observed Storm-1113’s EugenLoader delivered through search\r\nadvertisements mimicking the Zoom app. 
Once a user accesses a compromised website, a malicious MSIX\r\ninstaller (EugenLoader) is downloaded on a device and used to deliver additional payloads. These payloads could\r\ninclude previously observed malware installs, such as Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport\r\nManager (also referred to as NetSupport RAT), Sectop RAT, and Lumma stealer.\r\nStorm-1113 is a threat actor that acts both as an access broker focused on malware distribution through search\r\nadvertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks. In\r\nStorm-1113 malware distribution campaigns, users are directed to landing pages mimicking well-known software\r\nthat host installers, often MSI files, that lead to the installation of malicious payloads. Storm-1113 is also the\r\ndeveloper of EugenLoader, a commodity malware first observed around November 2022.\r\nSangria Tempest\r\nIn mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113’s EugenLoader delivered through\r\nmalicious MSIX package installations. Sangria Tempest then drops Carbanak, a backdoor used by the actor since\r\n2014, that in turn delivers the Gracewire malware implant. In other cases, Sangria Tempest uses Google ads to lure\r\nusers into downloading malicious MSIX application packages—possibly relying on Storm-1113 infrastructure—\r\nleading to the delivery of POWERTRASH, a highly obfuscated PowerShell script. 
POWERTRASH is then used to\r\nload NetSupport and Gracewire, a malware typically affiliated with the threat actor Lace Tempest, whom Sangria\r\nTempest has cooperated with in past intrusions.\r\nSangria Tempest (previously ELBRUS, also tracked as Carbon Spider, FIN7) is a financially motivated\r\ncybercriminal group currently focusing on conducting intrusions that often lead to data theft, followed by targeted\r\nextortion or ransomware deployment such as Clop ransomware.\r\nStorm-1674\r\nSince the beginning of December 2023, Microsoft identified instances where Storm-1674 delivered fake landing\r\npages through messages delivered using Teams. The landing pages spoof Microsoft services like OneDrive and\r\nSharePoint, as well as other companies. Tenants created by the threat actor are used to create meetings and send\r\nchat messages to potential victims using the meeting’s chat functionality.\r\nFigure 3. Landing page pretending to be a SharePoint site for a spoofed employment opportunity\r\nsite; target users are led to this landing page via malicious URLs sent via Teams messages.\r\nFigure 4. Fake error the user receives when clicking on any of the PDFs in the SharePoint. Clicking\r\nOK invokes ms-appinstaller.\r\nFigure 5. Sample malicious App Installer experience. Note the Publisher is not who a user should\r\nexpect to be publishing Adobe software.\r\nFigure 6. Malicious landing page pretending to be a networking security tool; target users are led to\r\nthis landing page via malicious URLs sent via Teams messages.\r\nFigure 7. 
Sample JavaScript invokes ms-appinstaller handler from malicious landing page at time of\r\nuser click.\r\nFigure 8. Sample malicious App Installer experience. Note the Publisher is not who a user should\r\nexpect to be publishing this software.\r\nThe user is then lured into downloading spoofed applications like the ones shown in figures 5 and 8, which will\r\nlikely drop SectopRAT or DarkGate. In these cases, Storm-1674 was using malicious installers and landing page\r\nframeworks provided by Storm-1113.\r\nMicrosoft assesses this technique was used to avoid the accept/block screen shown in one-on-one and group chats.\r\nThe Teams client now shows an accept/block screen for meeting chats sent by an external user.\r\nMicrosoft has taken action to mitigate the spread of malware from confirmed malicious tenants by blocking their\r\nability to send messages, thus cutting off the main method used for phishing.\r\nStorm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to\r\ndistribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with\r\nmalicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In\r\nSeptember 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black\r\nBasta ransomware deployment.\r\nRecommendations\r\nThe ms-appinstaller URI scheme handler has been disabled by default in App Installer build 1.21.3421.0. Refer to\r\nthe Microsoft Security Response Blog for App Installer protection tips.\r\nMicrosoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations\r\ncard for the deployment status of monitored mitigations. 
\r\nPilot and deploy phishing-resistant authentication methods for users.\r\nImplement Conditional Access authentication strength to require phishing-resistant authentication for\r\nemployees and external users for critical apps.\r\nEducate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external\r\nentities, be cautious about what they share, and never share their account information or authorize sign-in\r\nrequests over chat.\r\nApply Microsoft’s security best practices for Microsoft Teams to safeguard Teams users.\r\nEducate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.\r\nEncourage users to use Microsoft Edge and other web browsers that support Microsoft Defender\r\nSmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites\r\nthat contain exploits and host malware.\r\nEducate users to use the browser URL navigator to validate that upon clicking a link in search results they\r\nhave arrived at an expected legitimate domain.\r\nEducate users to verify that the software that is being installed is expected to be published by a legitimate\r\npublisher.\r\nConfigure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning\r\nand rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in\r\nemail messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint\r\nOnline. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in\r\ninbound email messages in Microsoft Exchange Online Protection (EOP). 
Safe Links scanning can help\r\nprotect your organization from malicious links that are used in phishing and other attacks.\r\nTurn on PUA protection in block mode.\r\nTurn on attack surface reduction rules to prevent common attack techniques:\r\nUse advanced protection against ransomware\r\nBlock executable files from running unless they meet a\r\nprevalence, age, or trusted list criterion\r\nAppendix\r\nMicrosoft Defender XDR detections \r\nMicrosoft Defender Antivirus \r\nMicrosoft Defender Antivirus detects threat components as the malware listed below. Enterprise customers\r\nmanaging updates should select the detection build 1.403.520.0 or newer and deploy it across their environments. \r\nTrojanDownloader:Win32/CryptedLoader\r\nBackdoor:PowerShell/CryptedLoader.PS\r\nMicrosoft Defender Antivirus detects associated post-compromise activity as the following:\r\nTrojan:Python/BatLoader\r\nTrojan:PowerShell/BatLoader\r\nTrojan:Win32/Batloader\r\nTrojanDownloader:PowerShell/EugenLoader\r\nTrojan:Win32/EugenLoader\r\nTrojanDownloader:PowerShell/Malgent\r\nTrojan:Win64/Lumma\r\nTrojan:Win32/Gozi\r\nTrojan:Win64/IcedID\r\nTrojan:Win32/Smokeloader\r\nBackdoor:MSIL/SectopRAT\r\nBehavior:Win32/CobaltStrike\r\nBackdoor:Win64/CobaltStrike\r\nHackTool:Win64/CobaltStrike\r\nRansom:Win32/BlackBasta\r\nRansom:Linux/BlackBasta\r\nMicrosoft Defender for Endpoint \r\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\r\nAn executable loaded an unexpected dll\r\nA process was injected with potentially malicious code\r\nSuspicious sequence of exploration activities\r\nActivity that might lead to information stealer\r\nPossible theft of passwords and other sensitive web browser information\r\nThe following alerts might also indicate threat activity related to this threat. 
Note, however, that these alerts can also be\r\ntriggered by unrelated threat activity.\r\nA file or network connection related to ransomware-linked actor Storm-0569 detected\r\nStorm-1113 threat actor detected\r\nRansomware-linked Sangria Tempest threat activity group detected\r\nPotential BATLOADER activity\r\nPotential IcedID activity\r\nOngoing hands-on-keyboard attacker activity detected (Cobalt Strike)\r\nHuman-operated attack using Cobalt Strike\r\nPossible POWERTRASH loader activity\r\nCarbanak backdoor detected\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Office 365 detects malicious activity associated with this threat.\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information\r\nabout the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the\r\nintelligence, protection information, and recommended actions to prevent, mitigate, and respond to associated\r\nthreats found in customer environments.\r\nMicrosoft Defender Threat Intelligence\r\nActor profile: Sangria Tempest\r\nActor profile: Storm-0506\r\nTool profile: BATLOADER\r\nTool profile: Cobalt Strike\r\nTool profile: DarkGate\r\nTool profile: Black Basta ransomware\r\nTool profile: Lumma stealer\r\nTool profile: Pikabot\r\nMicrosoft 365 Defender Threat analytics \r\nActivity profile: Qakbot distributor Storm-0464 shifts to DarkGate and IcedID\r\nStorm-0569: Malvertising and phishing deliver fake software installers and lead to ransomware\r\nActor profile: Sangria Tempest\r\nIcedID’s frosty arrival can lead to data theft\r\nHunting queries\r\nMicrosoft Defender XDR\r\nUse this query to review all network connections initiated by the ms-appinstaller protocol handler in your\r\nenvironment.\r\nDeviceNetworkEvents\r\n| where InitiatingProcessCommandLine == '\"AppInstaller.exe\" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca' and RemoteUrl has_any (\"https://\", \"http://\")\r\nIndicators of compromise\r\nStorm-0569 indicators related to App Installer abuse\r\nStorm-1113 indicators related to App Installer abuse\r\nSangria Tempest indicators related to App Installer abuse\r\nStorm-1674 indicators related to App Installer abuse\r\nReferences\r\nMalvertising Surges to Distribute Malware (Intel471)\r\nMicrosoft Security Response Blog\r\nCVE-2021-43890\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, 
follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/"
	],
	"report_names": [
		"financially-motivated-threat-actors-misusing-app-installer"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf4d333d-ef79-40aa-b233-886e6de875a3",
			"created_at": "2023-12-08T02:00:05.754609Z",
			"updated_at": "2026-04-10T02:00:03.494821Z",
			"deleted_at": null,
			"main_name": "DEV-0569",
			"aliases": [
				"Storm-0569"
			],
			"source_name": "MISPGALAXY:DEV-0569",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f994aa54-3581-460a-9c1f-5ca6b1af4aa1",
			"created_at": "2024-08-20T02:00:04.537819Z",
			"updated_at": "2026-04-10T02:00:03.686083Z",
			"deleted_at": null,
			"main_name": "Storm-0506",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0506",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5bc89c36-f1dd-4152-ae19-59eb5d8d19c2",
			"created_at": "2024-01-09T02:00:04.196078Z",
			"updated_at": "2026-04-10T02:00:03.508389Z",
			"deleted_at": null,
			"main_name": "Storm-1113",
			"aliases": [
				"APOTHECARY SPIDER"
			],
			"source_name": "MISPGALAXY:Storm-1113",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fa806f03-ec33-42db-99ee-59db37666ee0",
			"created_at": "2024-02-02T02:00:04.090714Z",
			"updated_at": "2026-04-10T02:00:03.566756Z",
			"deleted_at": null,
			"main_name": "Storm-1674",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1674",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434763,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f57f1bde5e9e4b6c2eea46bb6bae72501b7be4e3.pdf",
		"text": "https://archive.orkl.eu/f57f1bde5e9e4b6c2eea46bb6bae72501b7be4e3.txt",
		"img": "https://archive.orkl.eu/f57f1bde5e9e4b6c2eea46bb6bae72501b7be4e3.jpg"
	}
}