{
	"id": "4eddd771-bc91-4c2a-b64e-828ce83329b6",
	"created_at": "2026-04-06T00:13:30.233365Z",
	"updated_at": "2026-04-10T03:37:09.059031Z",
	"deleted_at": null,
	"sha1_hash": "f658b55bc50cbc0aa1ca0ead080657f552cebd38",
	"title": "LokiBot is Being Distributed by Windows Shortcut Files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1889961,
	"plain_text": "LokiBot is Being Distributed by Windows Shortcut Files\r\nPublished: 2024-03-13 · Archived: 2026-04-05 18:01:21 UTC\r\nOverview\r\nThe SonicWall RTDMI ™ engine has recently detected Windows Shortcut Files (LNKs) inside archives that\r\nexecute LokiBot malware on the victim’s machine. The malicious LNK file is packed inside an archive along with\r\na text file that says, “Find attached March Order” in Spanish, essentially pretending to be a legitimate file. The\r\nLNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL.\r\nLokiBot malware has been observed using image steganography, multi-layered packing and Living Off the Land\r\n(LOTL) techniques in past campaigns. The malware authors' trend of using a low-profile file type as an initial\r\nvector keeps increasing, and they prefer the use of custom packers and protectors to prevent detection rather than\r\nupdating the core executable code.\r\nFigure 1: LNK file executing PowerShell to download LokiBot\r\nLoader Executable\r\nThe downloaded executable is protected in two layers by the Confuser application to make the analysis difficult\r\nfor the reversing engineers. After unpacking and de-obfuscating both of the layers, the actual code that is\r\nresponsible for loading and executing the LokiBot executable is exposed. The LokiBot binary is kept RSA-encrypted and Base64-encoded in the resource of the loader executable, which is only visible after unpacking.\r\nhttps://blog.sonicwall.com/en-us/2024/03/lokibot-is-being-distributed-by-windows-shortcut-files/\r\nPage 1 of 18\n\nFigure 2: Encrypted LokiBot executable in the resource of loader executable\r\nTo get the RSA key, the malware computes MD5 of the string “UV?vgotlHR?P\\Y?LEhgU]CdJIS?W;yBTkDZw??\r\nFTEi\u003eZ” and self-concatenates the MD5 value by overwriting the last byte of the MD5. 
After Base64 decoding, the malware decrypts the encrypted executable data using an RSA algorithm with the below parameters:\r\nFigure 3: Parameters\r\nFigure 4: Code performing RSA decryption\r\nThe decrypted bytes are the string representation of the executable’s hex bytes, and a string-to-hex conversion is performed to finally get the LokiBot executable. The malware executes the LokiBot binary using the CreateProcessW API.\r\nFigure 5: LokiBot binary string representation\r\nLokiBot\r\nLokiBot is an information stealer that has been active in the wild since 2015. It contains a rich list of applications from which it steals data on the victim’s machine. After sending data to its C\u0026C server, the malware receives commands to perform various actions on the victim’s machine.\r\nDelayed Execution\r\nThe execution of LokiBot starts by examining the argument value for space-separated “-u” occurrences. The malware delays its execution by 10000 milliseconds for each occurrence of the value “-u”.\r\nFigure 6: Checks process arguments\r\nAPI Name Hashing\r\nThe malware uses API name hashing and resolves addresses just before invoking the APIs. To make analysis difficult, the malware does not store the resolved API addresses; instead, it loads and calls the API address from the accumulator register. If the malware needs to execute the same API more than once, it has to resolve the API address again each time.\r\nHashing Algorithm\r\nA C-language representation of the hashing module can be seen below. 
It generates a DWORD hash for the given array of bytes.\r\nFigure 7: Hashing algorithm\r\nGetting the Load Addresses of DLLs\r\nThe malware creates an array of DLL names with a fixed length of 0x1A for each name. To resolve an API address, the malware calls a function with an index into the DLL names array and the API name hash. The DLL name is retrieved from the array using the index value. The malware invokes the LoadLibraryW API to get the load address of the DLL, except for the kernel32 and ntdll DLLs. The malware assumes kernel32 and ntdll are already loaded into memory and traverses the PEB to find their load addresses, comparing the DLL name hash with the hashes of the loaded module names.\r\nFigure 8: Array of DLL names\r\nFigure 9: Gets DLL load address\r\nResolving API Addresses\r\nAfter getting the DLL load address, either by calling the LoadLibraryW API or by PEB traversal, the malware enumerates the export directory of the loaded DLL and compares the requested API name hash with the hash of each exported API name to resolve the API address.\r\nSingle Instance Execution\r\nThe malware retrieves the MachineGUID from the registry entry “HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography”, computes its MD5 and uses the hex string representation of the first 12 bytes as a mutex name. The malware attempts to create the mutex and checks for the error value ERROR_ALREADY_EXISTS, terminating the current execution to ensure that only a single instance of the malware process runs. The mutex value for my system is “06E1A66DB87D112F02F38F7C” and is expected to always be the same for a given system. It is later sent to the Command and Control (C\u0026C) server. The mutex name can help the malware author identify whether a system is reinfected or has been infected for the first time. 
Some character sequences of the mutex name are used by the malware as dropped file names and a directory name.\r\nFigure 10: Creates mutex using machine GUID\r\nIf the malware fails to derive the mutex name from the MachineGUID, it executes its backup code to compute a random mutex name from the system time.\r\nFigure 11: Code to create an alternative random mutex\r\nStealing Application Data\r\nThe malware steals data from installed applications like browsers, SSH clients, document applications, password managers, email clients and FTP clients. The data it steals includes login credentials, autofill web forms, document texts and more. The malware contains a total of 101 functions to steal data from the installed applications. It initializes an array of function pointers with the addresses of the stealing functions and another array with the respective argument values for those functions. The malware then invokes the stealing functions in a loop, calling each function pointer with the corresponding argument from the arguments array. The stealer functions keep the stolen data in a structured buffer along with their sizes.\r\nFigure 12: Calling stealing functions\r\nBrowsers\r\nThe malware contains a list of Chromium-based browsers, Gecko-based browsers and other browsers from which it steals stored data. 
For a Gecko-based browser, the malware reads the registry entry for the respective browser to get its installation directory and sets that directory in the PATH environment variable so that nss3.dll, which is used to decrypt Gecko-based browser data, loads smoothly. After decrypting the data, the malware restores the PATH environment variable. The malware reads the profiles.ini file from the browser’s dedicated application data directory to get the list of profile directories. It enumerates each profile directory and uses multiple nss3.dll APIs (NSS_Init, GetInternalKeySlot, Authenticate, Decrypt, FreeSlot, FreeItem, CheckUserPassword, NSS_Shutdown) to decrypt data from the files mentioned below:\r\nlogins.json\r\nprefs.js\r\nsignons.sqlite\r\nsignons.txt\r\nsignons2.txt\r\nFor Chromium-based browsers, the malware steals data from the “Web Data” and “Login Data” files located in the respective application data folders of the browsers. For Edge and Internet Explorer, the malware steals data from Windows Password Manager and the registry entry “Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2”. The malware enumerates and retrieves credentials from the Windows Password Manager using multiple APIs (VaultEnumerateVaults, VaultOpenVault, 
VaultEnumerateItems, VaultGetItem, VaultFree, VaultCloseVault) of the library vaultcli.dll.\r\nChromium-based: Dragon, ChromePlus, Chrome, Nichrome, RockMelt, Spark, Chromium, Titan Browser, Torch, YandexBrowser, Epic Privacy Browser, CocCoc, Vivaldi, Chromodo, Superbird, Coowon, Mustang Browser, 360Browser, Citrio, Chrome SxS, Orbitum, Iridium\r\nGecko-based: Mozilla Firefox, SeaMonkey, Flock, Black Hawk, Cyberfox, IceDragon, K-Meleon, Lunascape, Pale Moon, Waterfox\r\nOthers: Safari, Opera Next, Opera Stable, QtWeb, QupZilla, Internet Explorer, Opera\r\nFigure 13: List of browsers\r\nApart from the browsers, the malware steals data from other installed applications, which include SSH clients, FTP clients, email applications, document applications, password managers and more, as listed in the table below:\r\nFigure 14: List of applications to steal data\r\nC\u0026C Communication\r\nThe malware has an array that can hold four C\u0026C server addresses; however, in current variants only one unique and valid C\u0026C server address is found. After decrypting the C\u0026C URL, the malware separates the IP address, port number, path and protocol to establish a connection.\r\nFigure 15: Code for C\u0026C communication\r\nThe malware compresses the stolen application data using the aPLib compression library and appends it to the structured buffer. The malware then prepares an HTTP POST request with the user-agent “Mozilla/4.08 (Charon; Inferno)” and sends the stolen data to the C\u0026C server. After sending the HTTP POST request, the malware stores the checksum of the data it sent in the file “C:\\Users\\Deepak\\AppData\\Roaming\\DB87D1\\112F02.hdb”. 
The directory name is taken from character offsets 7 to 12 of the mutex name, and the file name from offsets 12 to 17.\r\nFigure 16: Stolen data sent to the C\u0026C server\r\nAn explanation of the values sent by the malware to the C\u0026C server is given in the table below:\r\nOffset | Size | Field Description | Value\r\n00 | 2 | Version | 12\r\n02 | 2 | Information type | 27\r\n04 | 2 | IsUnicodeFlag | 0\r\n06 | 4 | Size of binary ID | 07\r\n10 | 7 | BinaryID | ckav.ru\r\n17 | 2 | IsUnicodeFlag | 1\r\n19 | 4 | Size of username | 12\r\n23 | 12 | Username | Deepak (Unicode)\r\n35 | 2 | IsUnicodeFlag | 01\r\n37 | 4 | Size of computer name | 30\r\n41 | 30 | Computer name | DESKTOP-HQ11H51 (unicode)\r\n71 | 2 | IsUnicodeFlag | 01\r\n73 | 4 | Size of computer name | 30\r\n77 | 30 | Computer name | DESKTOP-HQ11H51 (unicode)\r\n107 | 4 | Screen width | 780\r\n111 | 4 | Screen height | 438\r\n115 | 2 | IsUserAdmin | 01\r\n117 | 2 | IsBuiltInAdministrator | 00\r\n119 | 2 | PROCESSOR_ARCHITECTURE_AMD64 | 01\r\n121 | 2 | OS major version | 10\r\n123 | 2 | OS minor version | 00\r\n125 | 2 | Left over | 6B\r\n127 | 2 | Related to service pack version | 01\r\n129 | 2 | IsFirstPacketSent | 00\r\n131 | 2 | Word value 1 | 00\r\n133 | 2 | Word value 0 | 00\r\n135 | 2 | Word value 0 | 00\r\n137 | 2 | Word value 0 | 00\r\n139 | 4 | Size of stolen data | 20776\r\n141 | 2 | IsUnicodeFlag | 01\r\n145 | 4 | Size of mutex name | 30\r\n149 | 48 | Mutex name | 06E1A66DB87D112F02F38F7C\r\n197 | 4 | Size of random string | 5\r\n201 | 5 | Random string | ytPeE\r\n206 | 4 | Size of compressed data | 680\r\n210 | 680 | Compressed data | 01 E1 48 01 B0 D9…\r\nFigure 17: Description of the data sent to the C\u0026C\r\nAfter sending the stolen application data, the malware checks whether the process is running in administrator mode in order to steal 
credentials stored in Windows Credential Manager. The malware enumerates files in the directory “%AppData%\\Roaming\\Microsoft\\Credentials” using the APIs FindFirstFileW and FindNextFileW to read the encrypted data, which is decrypted by accessing the process memory of lsass.exe.\r\nFigure 18: Encrypted credentials in Windows Credential Manager\r\nDecrypted credentials are compressed using the aPLib compression library and appended to the structured buffer after the malware variant-specific information and collected system information. The buffer is then sent to the C\u0026C server.\r\nFigure 19: Decrypted credential from Windows Credential Manager\r\nThe malware creates the file “%APPDATA%\\Roaming\\DB87D1\\112F02.lck” before attempting to decrypt credentials from Windows Credential Manager and deletes the file once the decryption routine is completed.\r\nFigure 20: Creating the lock file\r\nAfter sending the stolen data, the malware expects commands from the C\u0026C server and spawns a separate thread to perform actions based on the received command.\r\nRegistry Entry\r\nThe malware creates a self-copy in the application data folder using a file move operation. If moving the file fails, the malware falls back to a file copy operation. 
The malware creates the registry entry “HKCU\\http://91.92.252.146:8015/wioy/five/fre.php\\DB87D1” and sets its value to the path of the dropped file.\r\nFigure 21: Registry entry\r\nThe malware sets the following attributes on the directory to lower its visibility:\r\nFILE_ATTRIBUTE_HIDDEN\r\nFILE_ATTRIBUTE_SYSTEM\r\nFILE_ATTRIBUTE_NOT_CONTENT_INDEXED\r\nFigure 22: Modifies directory attributes\r\nThe archive file could not be found in any of the popular threat intelligence sharing portals like VirusTotal and ReversingLabs at the time of writing this blog, which indicates its uniqueness and limited distribution.\r\nFigure 23: File is not available on VirusTotal\r\nEvidence of the detection by our RTDMI engine can be seen below in the Capture ATP report for this file.\r\nFigure 24: Capture report\r\nSource: https://blog.sonicwall.com/en-us/2024/03/lokibot-is-being-distributed-by-windows-shortcut-files/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.sonicwall.com/en-us/2024/03/lokibot-is-being-distributed-by-windows-shortcut-files/"
	],
	"report_names": [
		"lokibot-is-being-distributed-by-windows-shortcut-files"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434410,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f658b55bc50cbc0aa1ca0ead080657f552cebd38.pdf",
		"text": "https://archive.orkl.eu/f658b55bc50cbc0aa1ca0ead080657f552cebd38.txt",
		"img": "https://archive.orkl.eu/f658b55bc50cbc0aa1ca0ead080657f552cebd38.jpg"
	}
}