{
	"id": "16e325a1-338b-4fc6-83da-cc225cf9b89c",
	"created_at": "2026-04-06T00:15:02.584291Z",
	"updated_at": "2026-04-10T13:12:18.236841Z",
	"deleted_at": null,
	"sha1_hash": "f5bea2d3629415ddba0d683a401156e176b5a292",
	"title": "BumbleBee (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 171965,
	"plain_text": "BumbleBee (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:59:07 UTC\r\nBumbleBee\r\naka: COLDTRAIN, SHELLSTING, Shindig\r\nActor(s): EXOTIC LILY, GOLD CABIN, TA578, TA579\r\nVTCollection    \r\nThis malware is delivered by an ISO file, with an DLL inside with a custom loader. Because of the unique user-agent \"bumblebee\" this malware was dubbed BUMBLEBEE. At the time of Analysis by Google's Threat Analysis\r\nGroup (TAG) BumbleBee was observed to fetch Cobalt Strike Payloads.\r\nReferences\r\n2025-08-05 ⋅ The DFIR Report ⋅\r\nFrom Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira\r\nAdaptixC2 Akira BumbleBee\r\n2025-07-29 ⋅ Lumu ⋅ Antonio Gomez\r\nAdvisory Alert: BumbleBee Malware in the Spotlight\r\nBumbleBee\r\n2025-07-14 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2025\r\nCoper FluBot Hook Joker Mirai AsyncRAT BianLian BumbleBee Chaos Cobalt Strike DanaBot DCRat\r\nHavoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver ValleyRAT\r\nWarmCookie XWorm\r\n2025-06-17 ⋅ DARKReading ⋅ James Shank\r\nOperation Endgame: Do Takedowns and Arrests Matter?\r\nBumbleBee Emotet Pikabot SmokeLoader TrickBot\r\n2025-05-19 ⋅ cyjax ⋅ Joe Wrieden\r\nA Sting on Bing: Bumblebee delivered through Bing SEO poisoning campaign\r\nBumbleBee\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\nPage 1 of 8\n\n2024-10-18 ⋅ Netskope ⋅ Leandro Froes\r\nNew Bumblebee Loader Infection Chain Signals Possible Resurgence\r\nBumbleBee\r\n2024-05-30 ⋅ Europol ⋅ Europol\r\nLargest ever operation against botnets hits dropper malware ecosystem\r\nBumbleBee IcedID SmokeLoader SystemBC TrickBot\r\n2024-02-13 ⋅ Proofpoint ⋅ Axel F, Selena Larson\r\nBumblebee Buzzes Back in Black\r\nBumbleBee\r\n2023-10-04 ⋅ Twitter (@Intrisec) ⋅ CTI Intrinsec\r\nTweet about new Bumblebee campaign leveraging CVE-2023-38831\r\nBumbleBee\r\n2023-09-15 ⋅ Johannes Bader's Blog ⋅ Johannes Bader\r\nThe 
DGA of BumbleBee\r\nBumbleBee\r\n2023-09-11 ⋅ Twitter (@Artilllerie) ⋅ @Artilllerie\r\nTweet on BumbleBee sample containing a DGA\r\nBumbleBee\r\n2023-09-07 ⋅ Twitter (@Intrisec) ⋅ CTI Intrinsec\r\nTweets on Bumblebee campaign spreading via Html smuggling downloading RAR archive with European\r\nCentral Bank PDF lure and folder containing Bumblebee EXE payload.\r\nBumbleBee\r\n2023-09-01 ⋅ VMRay ⋅ Emre Güler\r\nUnderstanding BumbleBee: BumbleBee’s malware configuration and clusters\r\nBumbleBee\r\n2023-08-18 ⋅ VMRay ⋅ Emre Güler\r\nUnderstanding BumbleBee: The malicious behavior of BumbleBee\r\nBumbleBee\r\n2023-08-09 ⋅ VMRay ⋅ Emre Güler\r\nUnderstanding BumbleBee: The delivery of Bumblee\r\nBumbleBee\r\n2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2023\r\nHydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT\r\nQakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\nPage 2 of 8\n\n2023-06-22 ⋅ DeepInstinct ⋅ Deep Instinct Threat Lab, Mark Vaitzman, Shaul Vilkomir-Preisman\r\nPindOS: New JavaScript Dropper Delivering Bumblebee and IcedID\r\nPindOS BumbleBee PhotoLoader\r\n2023-06-08 ⋅ VMRay ⋅ Patrick Staubmann\r\nBusy Bees - The Transformation of BumbleBee\r\nBumbleBee Cobalt Strike Conti Meterpreter Sliver\r\n2023-04-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nBumblebee Malware Distributed Via Trojanized Installer Downloads\r\nBumbleBee Cobalt Strike\r\n2023-04-18 ⋅ Twitter (@threatinsight) ⋅ Threat Insight\r\nTweet on TA581 using Keitaro TDS URL to download a .MSI file to deliver BumbleBee malware\r\nBumbleBee\r\n2023-04-16 ⋅ Botconf ⋅ Suweera De Souza\r\nTracking Bumblebee’s Development\r\nBumbleBee\r\n2023-04-16 ⋅ YouTube (botconf eu) ⋅ Crowdstrike Technical Analysis Cell (TAC), Suweera De Souza\r\nTracking Bumblebee’s Development\r\nBumbleBee\r\n2023-04-12 ⋅ Spamhaus ⋅ Spamhaus 
Malware Labs\r\nSpamhaus Botnet Threat Update Q1 2023\r\nFluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT\r\nQakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar\r\n2023-04-11 ⋅ SEC Consult ⋅ Angelo Violetti\r\nBumbleBee hunting with a Velociraptor\r\nBumbleBee\r\n2023-03-29 ⋅ Krakz ⋅ Pierre Le Bourhis\r\nBumbleBee notes\r\nBumbleBee\r\n2023-03-28 ⋅ Cerbero ⋅ Erik Pistelli\r\nReversing Complex PowerShell Malware\r\nBumbleBee\r\n2023-03-04 ⋅ 0xToxin Labs ⋅ @0xToxin\r\nBumblebee DocuSign Campaign\r\nBumbleBee\r\n2023-02-03 ⋅ Mandiant ⋅ Genevieve Stark, Kimberly Goody\r\nFloat Like a Butterfly Sting Like a Bee\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\nPage 3 of 8\n\nBazarBackdoor BumbleBee Cobalt Strike\r\n2023-01-19 ⋅ Cisco ⋅ Guilherme Venere\r\nFollowing the LNK metadata trail\r\nBumbleBee PhotoLoader QakBot\r\n2023-01-09 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec\r\nEmotet returns and deploys loaders\r\nBumbleBee Emotet IcedID PHOTOLITE\r\n2022-11-16 ⋅ Proofpoint ⋅ Axel F, Pim Trouerbach\r\nA Comprehensive Look at Emotet Virus’ Fall 2022 Return\r\nBumbleBee Emotet PHOTOLITE\r\n2022-11-10 ⋅ Intezer ⋅ Nicole Fishbein\r\nHow LNK Files Are Abused by Threat Actors\r\nBumbleBee Emotet Mount Locker QakBot\r\n2022-10-27 ⋅ Microsoft ⋅ Microsoft Security Threat Intelligence\r\nRaspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity\r\nFAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak\r\n2022-10-27 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nRaspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity\r\nFAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence DEV-0950 Mustard Tempest\r\n2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2022\r\nFluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password\r\nStealer (PWS) Nanocore RAT 
NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars\r\nTofsee Vjw0rm\r\n2022-10-06 ⋅ Twitter (@ESETresearch) ⋅ ESET Research\r\nTweet on Bumblebee being modularized like trickbot\r\nBumbleBee\r\n2022-10-03 ⋅ Check Point ⋅ Marc Salinas Fernandez\r\nBumblebee: increasing its capacity and evolving its TTPs\r\nBumbleBee Cobalt Strike Meterpreter Sliver Vidar\r\n2022-09-26 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBumbleBee: Round Two\r\nBumbleBee Cobalt Strike Meterpreter\r\n2022-09-07 ⋅ cyble ⋅ Cyble\r\nBumblebee Returns With New Infection Technique\r\nBumbleBee Cobalt Strike\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\nPage 4 of 8\n\n2022-09-05 ⋅ Infinitum IT ⋅ Arda Büyükkaya\r\nBumblebee Loader Malware Analysis\r\nBumbleBee\r\n2022-08-24 ⋅ Microsoft ⋅ Microsoft Security Experts\r\nLooking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks\r\nBumbleBee Sliver\r\n2022-08-24 ⋅ Deep instinct ⋅ Deep Instinct Threat Lab\r\nThe Dark Side of Bumblebee Malware Loader\r\nBumbleBee\r\n2022-08-18 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen\r\nFrom Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships\r\nBetween Malware Developers\r\nBumbleBee Karius Ramnit TrickBot Vawtrak\r\n2022-08-17 ⋅ Cybereason ⋅ Cybereason Global SOC Team\r\nBumblebee Loader – The High Road to Enterprise Domain Control\r\nBumbleBee Cobalt Strike\r\n2022-08-10 ⋅ ⋅ Weixin ⋅ Red Raindrop Team\r\nOperation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe\r\nBumbleBee Cobalt Strike\r\n2022-08-08 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBumbleBee Roasts Its Way to Domain Admin\r\nBumbleBee Cobalt Strike\r\n2022-08-04 ⋅ Cloudsek ⋅ Aastha Mittal, Anandeshwar Unnikrishnan\r\nTechnical Analysis of Bumblebee Malware Loader\r\nBumbleBee\r\n2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nFlight of the Bumblebee: Email Lures and File Sharing Services Lead to 
Malware\r\nBazarBackdoor BumbleBee Cobalt Strike Conti\r\n2022-07-17 ⋅ Resecurity ⋅ Resecurity\r\nShortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise\r\nAsyncRAT BumbleBee Emotet IcedID QakBot\r\n2022-07-07 ⋅ IBM ⋅ Charlotte Hammond, Kat Weinberger, Ole Villadsen\r\nUnprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine\r\nAnchorMail BumbleBee Cobalt Strike IcedID Meterpreter\r\n2022-07-07 ⋅ Fortinet ⋅ Erin Lin\r\nNotable Droppers Emerge in Recent Threat Campaigns\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\nPage 5 of 8\n\nBumbleBee Emotet PhotoLoader QakBot\r\n2022-06-28 ⋅ Symantec ⋅ Threat Hunter Team, Vishal Kamble\r\nBumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem\r\nBumbleBee\r\n2022-06-14 ⋅ RiskIQ ⋅ Jordan Herman\r\nRiskIQ: Identifying BumbleBee Command and Control Servers\r\nBumbleBee\r\n2022-06-13 ⋅ Sekoia ⋅ Pierre Le Bourhis, Quentin Bourgue, Threat \u0026 Detection Research Team\r\nBumbleBee: a new trendy loader for Initial Access Brokers\r\nBumbleBee\r\n2022-06-07 ⋅ cyble ⋅ Cyble\r\nBumblebee Loader on The Rise\r\nBumbleBee Cobalt Strike\r\n2022-05-25 ⋅ Logpoint ⋅ Logpoint\r\nBuzz of the Bumblebee – A new malicious loader\r\nBumbleBee\r\n2022-05-25 ⋅ Team Cymru ⋅ S2 Research Team\r\nBablosoft; Lowering the Barrier of Entry for Malicious Actors\r\nBlackGuard BumbleBee RedLine Stealer\r\n2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nBumblebee Malware from TransferXL URLs\r\nBumbleBee Cobalt Strike\r\n2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nBumblebee Malware from TransferXL URLs\r\nBumbleBee Cobalt Strike\r\n2022-05-12 ⋅ Intel 471 ⋅ Intel 471\r\nWhat malware to look for if you want to prevent a ransomware attack\r\nConti BumbleBee Cobalt Strike IcedID Sliver\r\n2022-05-12 ⋅ OALabs ⋅ Sergei Frankoff\r\nTaking a look at Bumblebee loader\r\nBumbleBee\r\n2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nTA578 using thread-hijacked 
emails to push ISO files for Bumblebee malware\r\nBumbleBee Cobalt Strike IcedID PhotoLoader\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\nPage 6 of 8\n\n2022-05-11 ⋅ SANS ISC ⋅ Brad Duncan\r\nTA578 using thread-hijacked emails to push ISO files for Bumblebee malware\r\nBumbleBee\r\n2022-05-08 ⋅ Threat hunting with hints of incident response ⋅ Jouni Mikkola\r\nBzz.. Bzz.. Bumblebee loader\r\nBumbleBee\r\n2022-04-29 ⋅ NCC Group ⋅ Mike Stokkel, Nikolaos Pantazopoulos, Nikolaos Totosis\r\nAdventures in the land of BumbleBee – a new malicious loader\r\nBazarBackdoor BumbleBee Conti\r\n2022-04-28 ⋅ Proofpoint ⋅ Kelsey Merriman, Pim Trouerbach\r\nThis isn't Optimus Prime's Bumblebee but it's Still Transforming\r\nBumbleBee TA578 TA579\r\n2022-04-28 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nNew Bumblebee malware replaces Conti's BazarLoader in cyberattacks\r\nBumbleBee\r\n2022-04-27 ⋅ Medium elis531989 ⋅ Eli Salem\r\nThe chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection\r\nBumbleBee TrickBot\r\n2022-04-14 ⋅ Cynet ⋅ Max Malyutin\r\nOrion Threat Alert: Flight of the BumbleBee\r\nBumbleBee Cobalt Strike\r\n2022-03-17 ⋅ Google ⋅ Benoit Sevens, Vladislav Stolyarov\r\nExposing initial access broker with ties to Conti\r\nBazarBackdoor BumbleBee Conti EXOTIC LILY\r\n2022-03-17 ⋅ Google ⋅ Benoit Sevens, Google Threat Analysis Group, Vladislav Stolyarov\r\nExposing initial access broker with ties to Conti\r\nBazarBackdoor BumbleBee Cobalt Strike Conti\r\n2022-01-01 ⋅ aspirets ⋅ Michael Lamb\r\nBumblebee Malware Loader: Threat Analysis\r\nBumbleBee\r\n2021-09-10 ⋅ Gigamon ⋅ Joe Slowik\r\nRendering Threats: A Network Perspective\r\nBumbleBee Cobalt Strike\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\nPage 7 of 8\n\n2021-09-09 ⋅ Trend Micro ⋅ Trend Micro\r\nRemote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs\r\nBumbleBee Cobalt Strike\r\nYara Rules\r\n[TLP:WHITE] win_bumblebee_auto 
(20251219 | Detects win.bumblebee.)\r\n[TLP:WHITE] win_bumblebee_w0   (20220330 | BumbleBee / win.bumblebee)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
	],
	"report_names": [
		"win.bumblebee"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d",
			"created_at": "2022-10-25T16:07:24.402328Z",
			"updated_at": "2026-04-10T02:00:04.97641Z",
			"deleted_at": null,
			"main_name": "Wild Neutron",
			"aliases": [
				"Butterfly",
				"Morpho",
				"Sphinx Moth",
				"The Postal Group",
				"Wild Neutron"
			],
			"source_name": "ETDA:Wild Neutron",
			"tools": [
				"HesperBot",
				"Jiripbot",
				"JripBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest",
				"TA569",
				"UNC1543"
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551"
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence"
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f87ac52-682a-4bc7-b7ce-fac8d79815fa",
			"created_at": "2023-01-06T13:46:39.373008Z",
			"updated_at": "2026-04-10T02:00:03.305899Z",
			"deleted_at": null,
			"main_name": "TA579",
			"aliases": [],
			"source_name": "MISPGALAXY:TA579",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434502,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5bea2d3629415ddba0d683a401156e176b5a292.pdf",
		"text": "https://archive.orkl.eu/f5bea2d3629415ddba0d683a401156e176b5a292.txt",
		"img": "https://archive.orkl.eu/f5bea2d3629415ddba0d683a401156e176b5a292.jpg"
	}
}