{
	"id": "65eb154f-dd19-4078-acab-120d024b5895",
	"created_at": "2026-04-06T00:21:14.570419Z",
	"updated_at": "2026-04-10T03:38:20.644957Z",
	"deleted_at": null,
	"sha1_hash": "f7be25e6bd2a16ba2bd80b78bff6f7c077b06b7d",
	"title": "APT annual review 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53866,
	"plain_text": "APT annual review 2021\r\nBy GReAT\r\nPublished: 2021-11-30 · Archived: 2026-04-05 18:36:05 UTC\r\nIn the Global Research and Analysis Team at Kaspersky, we track the ongoing activities of more than 900\r\nadvanced threat actors and activity clusters; you can find our quarterly overviews here, here and here. For this\r\nannual review, we have tried to focus on what we consider to be the most interesting trends and developments of\r\nthe last 12 months. This is based on our visibility in the threat landscape and it’s important to note that no single\r\nvendor has complete visibility into the activities of all threat actors.\r\nPrivate sector vendors play a significant role in the threat landscape\r\nPossibly the biggest story of 2021, an investigation by the Guardian and 16 other media organizations, published\r\nin July, suggested that over 30,000 human rights activists, journalists and lawyers across the world may have been\r\ntargeted using Pegasus. The report, called Pegasus Project, alleged that the software uses a variety of exploits,\r\nincluding several iOS zero-click zero-days. Based on forensic analysis of numerous mobile devices, Amnesty\r\nInternational’s Security Lab found that the software was repeatedly used in an abusive manner for surveillance.\r\nThe list of targeted individuals includes 14 world leaders. Later that month, representatives from the Israeli\r\ngovernment visited the offices of NSO as part of an investigation into the claims. And in October, India’s Supreme\r\nCourt commissioned a technical committee to investigate whether the government had used Pegasus to spy on its\r\ncitizens. In November, Apple announced that it was taking legal action against NSO Group for developing\r\nsoftware that targets its users with “malicious malware and spyware”.\r\nDetecting infection traces from Pegasus and other advanced mobile malware is very tricky, and complicated by\r\nthe security features of modern OSs such as iOS and Android. 
Based on our observations, this is further\r\ncomplicated by the deployment of non-persistent malware, which leaves almost no traces after reboot. Since many\r\nforensics frameworks require a device jailbreak, this results in the malware being removed from memory during\r\nthe reboot. Currently, several methods can be used for detection of Pegasus and other mobile malware. MVT\r\n(Mobile Verification Toolkit) from Amnesty International is free, open source and allows technologists and\r\ninvestigators to inspect mobile phones for signs of infection. MVT is further boosted by a list of IoCs (indicators\r\nof compromise) collected from high profile cases and made available by Amnesty International.\r\nSupply-chain attacks\r\nThere have been a number of high-profile supply-chain attacks in the last 12 months. Last December, it was\r\nreported that SolarWinds, a well-known IT managed services provider, had fallen victim to a sophisticated supply-chain attack. The company’s Orion IT, a solution for monitoring and managing customers’ IT infrastructure, was\r\ncompromised. This resulted in the deployment of a custom backdoor named Sunburst on the networks of more\r\nthan 18,000 SolarWinds customers, including many large corporations and government bodies, in North America,\r\nEurope, the Middle East and Asia.\r\nhttps://securelist.com/apt-annual-review-2021/105127\r\nPage 1 of 5\n\nNot all supply-chain attacks have been that sophisticated. Early this year, an APT group that we track as\r\nBountyGlad compromised a certificate authority in Mongolia and replaced the digital certificate management\r\nclient software with a malicious downloader. 
Related infrastructure was identified and used in multiple other\r\nincidents: this included server-side attacks on WebSphere and WebLogic services in Hong Kong, and Trojanized\r\nFlash Player installers on the client side.\r\nWhile investigating the artefacts of a supply-chain attack on an Asian government Certification Authority’s\r\nwebsite, we discovered a Trojanized package that dates back to June 2020. Unravelling that thread, we identified a\r\nnumber of post-compromise tools in the form of plugins that were deployed using PhantomNet malware, which\r\nwere in turn delivered using the aforementioned Trojanized packages. Our analysis of these plugins revealed\r\nsimilarities with the previously analyzed CoughingDown malware.\r\nIn April 2021, Codecov, provider of code coverage solutions, publicly disclosed that its Bash Uploader script had\r\nbeen compromised and was distributed to users between January 31 and April 1. The Bash Uploader script is\r\npublicly distributed by Codecov and aims to gather information on the user’s execution environments, collect code\r\ncoverage reports and send the results to the Codecov infrastructure. This script compromise effectively constitutes\r\na supply-chain attack.\r\nEarlier this year we discovered Lazarus group campaigns using an updated DeathNote cluster. Our investigation\r\nrevealed indications that point to Lazarus building supply-chain attack capabilities. In one case we found that the\r\ninfection chain stemmed from legitimate South Korean security software executing a malicious payload; and in\r\nthe second case, the target was a company developing asset monitoring solutions, an atypical victim for Lazarus.\r\nAs part of the infection chain, Lazarus used a downloader named Racket, which they signed using a stolen\r\ncertificate. 
The actor compromised vulnerable web servers and uploaded several scripts to filter and control the\r\nmalicious implants on successfully breached victim machines.\r\nA previously unknown, suspected Chinese-speaking APT modified a fingerprint scanner software installer\r\npackage on a distribution server in a country in East Asia. The APT modified a configuration file and added a DLL\r\nwith a .NET version of a PlugX injector to the installer package. Employees of the central government in this\r\ncountry are required to use this biometric package to track attendance. We refer to this supply-chain incident and\r\nthis particular PlugX variant as SmudgeX. The Trojanized installer appears to have been staged on the distribution\r\nserver from March through June.\r\nExploiting vulnerabilities\r\nOn March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange\r\nServer in what they called “limited and targeted attacks”. At the time, Microsoft claimed that, in addition to\r\nHAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same\r\nExchange zero-days being in use in early 2021. According to Volexity’s telemetry, some of the exploits in use are\r\nshared across several actors, besides the one Microsoft designates as HAFNIUM. Kaspersky telemetry revealed a\r\nspike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft.\r\nDuring the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which\r\none or more of these vulnerabilities were used to obtain initial access. According to our telemetry, most\r\nexploitation attempts were observed for servers in Europe and the United States. 
Some of the servers were\r\ntargeted multiple times by what appear to be different threat actors (based on the command execution patterns),\r\nsuggesting the exploits had become available to multiple groups.\r\nWe also discovered a campaign active since mid-March targeting governmental entities in Europe and Asia using\r\nthe same Exchange zero-day exploits. This campaign made use of a previously unknown malware family that we\r\ndubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating\r\nback a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and\r\nTTPs as well as the use of ShadowPad malware during the same timeframe.\r\nOn January 25, the Google Threat Analysis Group (TAG) announced a state-sponsored threat actor had targeted\r\nsecurity researchers. According to Google TAG’s blog, this actor used highly sophisticated social engineering,\r\napproached security researchers through social media, and delivered a compromised Visual Studio project file or\r\nlured them to their blog where a Chrome exploit was waiting for them. On March 31, Google TAG released an\r\nupdate on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We confirmed that several infrastructures on the blog overlapped with our previously published reporting\r\nabout Lazarus group’s ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle\r\n– malware that we have been tracking since 2018. While investigating associated information, a fellow external\r\nresearcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We\r\ndiscovered additional C2 servers after decrypting configuration data from the compromised host. 
The servers were\r\nstill in use during our investigation, and we were able to get additional data related to the attack. We assess that the\r\npublished infrastructure was used not only to target security researchers but also in other Lazarus attacks. We\r\nfound a relatively large number of hosts communicating with the C2s at the time of our research.\r\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat\r\nIntelligence Center and used by the Bitter APT group, we discovered another possible zero-day exploit used in the\r\nAsia-Pacific (APAC) region. Further analysis revealed that this escalation of privilege (EoP) exploit had\r\npotentially been used in the wild since at least November 2020. We reported this new exploit to Microsoft in\r\nFebruary. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310. Various marks and artifacts left in the exploit meant that we were highly confident that CVE-2021-1732\r\nand CVE-2021-28310 were created by the same exploit developer that we track as Moses. Moses appears to\r\nbe an exploit developer who makes exploits available to several threat actors, based on other past exploits and the\r\nactors observed using them. To date, we have confirmed that at least two known threat actors have utilized\r\nexploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well\r\nas privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in\r\nthe last two years have originated from Moses. While the EoP exploit was discovered in the wild, we weren’t able\r\nto directly tie its usage to any known threat actor that we currently track. 
The EoP exploit was probably chained\r\ntogether with other browser exploits to escape sandboxes and obtain system level privileges for further access.\r\nUnfortunately, we weren’t able to capture a full exploit chain, so we don’t know if the exploit is used with another\r\nbrowser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\r\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies.\r\nCloser analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome\r\nweb browser, we were able to find and analyze an EoP exploit used to escape the sandbox and obtain system\r\nprivileges. The EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10\r\n(17763 – RS5, 18362 – 19H1, 18363 – 19H2, 19041 – 20H1, 19042 – 20H2) and exploited two distinct\r\nvulnerabilities in the Microsoft Windows OS kernel. We reported these vulnerabilities to Microsoft and they\r\nassigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the EoP\r\nvulnerability. Both vulnerabilities were patched on June 8 as a part of the June Patch Tuesday. The exploit chain\r\nattempts to install malware in the system through a dropper. The malware starts as a system service and loads the\r\npayload, a remote shell-style backdoor that in turn connects to the C2 to get commands. Because we couldn’t find\r\nany connections or overlaps with a known actor, we named this cluster of activity PuzzleMaker.\r\nFinally, late this year, we detected a wave of attacks using an elevation of privilege exploit affecting server\r\nvariants of the Windows operating system. 
Upon closer analysis, it turned out to be a zero-day use-after-free\r\nvulnerability in Win32k.sys, which we reported to Microsoft and which was subsequently fixed as CVE-2021-40449. We\r\nanalyzed the associated malware, dubbed the cluster MysterySnail and found infrastructure overlaps\r\nthat link it to the IronHusky APT.\r\nFirmware vulnerabilities\r\nIn September, we provided an overview of the FinSpy PC implant, covering not only the Windows version, but\r\nalso Linux and macOS versions. FinSpy is an infamous, commercial surveillance toolset that is used for “legal\r\nsurveillance” purposes. Several NGOs have repeatedly reported it being used against journalists,\r\npolitical dissidents and human rights activists. Historically, its Windows implant was represented by a single-stage\r\nspyware installer, and this version was detected and researched several times up to 2018. Since then, we have\r\nobserved a decreasing detection rate for FinSpy for Windows. While the nature of this anomaly remained\r\nunknown, we began detecting some suspicious installer packages backdoored with Metasploit stagers. We were\r\nunable to attribute these packages to any threat actor until the middle of 2019 when we found a host that served\r\nthese installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out\r\nthat the backdoored installers are nothing more than first stage implants that are used to download and deploy\r\nfurther payloads before the actual FinSpy Trojan. Apart from the Trojanized installers, we also observed infections\r\ninvolving usage of a UEFI or MBR bootkit. 
While the MBR infection has been known since at least 2014, details\r\non the UEFI bootkit were publicly revealed for the first time in our report.\r\nTowards the end of Q3, we identified a previously unknown payload with advanced capabilities, delivered using\r\ntwo infection chains to various government organizations and telecoms companies in the Middle East. The\r\npayload makes use of a Windows kernel-mode rootkit to facilitate some of its activities and is capable of being\r\npersistently deployed through an MBR or a UEFI bootkit. Interestingly enough, some of the components observed\r\nin this attack had previously been staged in memory by the Slingshot agent on multiple occasions; Slingshot\r\nis a post-exploitation framework that we have covered in several cases in the past (not to be confused with the Slingshot\r\nAPT). It is mainly known for being a proprietary commercial penetration testing toolkit officially designed for red\r\nteam engagements. However, it’s not the first time that attackers appear to have taken advantage of it. One of our\r\nprevious reports from 2019 covering FruityArmor’s activity showed that the threat group used the framework to\r\ntarget organizations across multiple industries in the Middle East, possibly by leveraging an unknown exploit in a\r\nmessenger app as an infection vector. In a recent private intelligence report, we provided a drill-down analysis of\r\nthe newly discovered malicious toolkit that we observed in tandem with Slingshot and how it was leveraged in\r\nclusters of activity in the wild. Most notably, we outlined some of the advanced features that are evident in the\r\nmalware as well as its utilization in a particular long-standing activity against a high-profile diplomatic target in\r\nthe Middle East.\r\nSource: https://securelist.com/apt-annual-review-2021/105127",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://securelist.com/apt-annual-review-2021/105127"
	],
	"report_names": [
		"105127"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72aaa00d-4dcb-4f50-934c-326c84ca46e3",
			"created_at": "2023-01-06T13:46:38.995743Z",
			"updated_at": "2026-04-10T02:00:03.175285Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "MISPGALAXY:Slingshot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d06cd44b-3efe-47dc-bb7c-a7b091c02938",
			"created_at": "2023-11-08T02:00:07.135638Z",
			"updated_at": "2026-04-10T02:00:03.42332Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [],
			"source_name": "MISPGALAXY:IronHusky",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f55c7778-a41c-4fc6-a2e7-fa970c5295f2",
			"created_at": "2022-10-25T16:07:24.198891Z",
			"updated_at": "2026-04-10T02:00:04.897342Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "ETDA:Slingshot",
			"tools": [
				"Cahnadr",
				"GollumApp",
				"NDriver"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2caf4672-1812-4bb9-9576-6011e56102d2",
			"created_at": "2022-10-25T16:07:23.742765Z",
			"updated_at": "2026-04-10T02:00:04.733853Z",
			"deleted_at": null,
			"main_name": "IronHusky",
			"aliases": [
				"BBCY-TA1",
				"Operation MysterySnail"
			],
			"source_name": "ETDA:IronHusky",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"MysterySnail",
				"MysterySnail RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "115ee14e-a122-47a4-bef7-5d3668cda109",
			"created_at": "2025-01-10T02:00:03.15179Z",
			"updated_at": "2026-04-10T02:00:03.800179Z",
			"deleted_at": null,
			"main_name": "CoughingDown",
			"aliases": [],
			"source_name": "MISPGALAXY:CoughingDown",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7be25e6bd2a16ba2bd80b78bff6f7c077b06b7d.pdf",
		"text": "https://archive.orkl.eu/f7be25e6bd2a16ba2bd80b78bff6f7c077b06b7d.txt",
		"img": "https://archive.orkl.eu/f7be25e6bd2a16ba2bd80b78bff6f7c077b06b7d.jpg"
	}
}