{
	"id": "df752fc9-9c7f-4d30-a5d8-dda9b765c27c",
	"created_at": "2026-04-06T00:15:27.175385Z",
	"updated_at": "2026-04-10T13:12:00.795761Z",
	"deleted_at": null,
	"sha1_hash": "f912bab5eac56d6654ef3f4954193f5e9ab75cc1",
	"title": "MAR-10135536-17 – North Korean Trojan: KEYMARBLE | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63900,
	"plain_text": "MAR-10135536-17 – North Korean Trojan: KEYMARBLE | CISA\r\nPublished: 2018-08-09 · Archived: 2026-04-05 20:08:29 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial\r\nproduct or service, referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol, see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and\r\nthe Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan\r\nmalware variants used by the North Korean government. This malware variant has been identified as KEYMARBLE. The\r\nU.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more\r\ninformation on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.\r\nDHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government\r\nmalicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. 
Users or administrators should flag activity associated with the malware, report the activity to the\r\nDHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and\r\ngive the activity the highest priority for enhanced mitigation.\r\nThis malware report contains analysis of one 32-bit Windows executable file, identified as a Remote Access Trojan (RAT).\r\nThis malware is capable of accessing device configuration data, downloading additional files, executing commands,\r\nmodifying the registry, capturing screen shots, and exfiltrating data.\r\nFor a downloadable copy of IOCs, see:\r\nMAR-10135536-17.stix\r\nSubmitted Files (1)\r\ne23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09 (704d491c155aad996f16377a35732c...)\r\nIPs (3)\r\n100.43.153.60\r\n104.194.160.59\r\n212.143.21.43\r\nFindings\r\ne23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09\r\nTags\r\ntrojan\r\nDetails\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-221A\r\nPage 1 of 6\n\nName 704d491c155aad996f16377a35732cb4\r\nSize 126976 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 704d491c155aad996f16377a35732cb4\r\nSHA1 d1410d073a6df8979712dd1b6122983f66d5bef8\r\nSHA256 e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09\r\nSHA512 0092900bf4ca71c17a3caa225a4d7dcc60c7b58f7ffd173f46731db7f696e34b2e752aefaf9cedc27fe76fe317962a394f1be2e59bd0cffaab\r\nssdeep 3072:IDdXEYhXxS550wwiY0Pe6Q1vLo4lJnCtea:EXEEXxcQxZ\r\nEntropy 6.264656\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAntiy Trojan/Win32.AGeneric\r\nAvira TR/Agent.rhagj\r\nBitDefender Trojan.GenericKD.4837544\r\nESET a variant of Win32/NukeSped.H trojan\r\nEmsisoft Trojan.GenericKD.4837544 (B)\r\nIkarus Trojan.Agent\r\nK7 Trojan ( 0050e4401 )\r\nMcAfee GenericRXBP-FF!704D491C155A\r\nNANOAV Trojan.Win32.Agent.eqcfki\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.IGENERIC\r\nSymantec Process timed out\r\nTACHYON 
Trojan/W32.Agent.126976.CTO\r\nZillya! Trojan.NukeSped.Win32.5\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule rsa_modulus { meta: Author=\"NCCIC trusted 3rd party\"\r\nIncident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family =\r\n\"n/a\" description = \"n/a\" strings: $n =\r\n\"bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40\"\r\ncondition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any\r\nof them }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-04-12 11:16:04-04:00\r\nImport Hash fc7dab4d20f23681313b91eba653aa21\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-221A\r\nPage 2 of 6\n\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n47f6fac41465e01dda5eac297ab250db header 4096 0.627182\r\n30d34a8f4c29d7c2feb0f6e2b102b0a4 .text 94208 6.633409\r\n77f4a11d375f0f35b64a0c43fab947b8 .rdata 8192 5.054283\r\nd4364f6d2f55a37f0036e9e0dc2c6a2b .data 20480 4.416980\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nRelationships\r\ne23900b00f... Connected_To 104.194.160.59\r\ne23900b00f... Connected_To 212.143.21.43\r\ne23900b00f... Connected_To 100.43.153.60\r\nDescription\r\nThis application is a malicious 32-bit Windows executable file, which functions as a RAT. When executed, it de-obfuscates\r\nits application programming interfaces (APIs) and using port 443, attempts to connect to the hard-coded IP addresses listed\r\nbelow. After connecting, the malware waits for further instructions.\r\n--Begin hard-coded IP addresses--\r\n100.43.153.60\r\n104.194.160.59\r\n212.143.21.43\r\n--End hard-coded IP addresses--\r\nStatic analysis reveals that this RAT uses a customized XOR cryptographic algorithm displayed in Figure 1 to secure its data\r\ntransfers and command-and-control (C2) sessions. 
It is designed to accept instructions from the remote server to perform the\r\nfollowing functions:\r\n--Begin functions--\r\nDownload and upload files\r\nExecute secondary payloads\r\nExecute shell commands\r\nTerminate running processes\r\nDelete files\r\nSearch files\r\nSet file attributes\r\nCreate registry entries for storing data:(HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\WABE\\DataPath)\r\nCollect device information from installed storage devices (disk free space and their type)\r\nList running processes information\r\nCapture screenshots\r\nCollect and send information about the victim's system (operating system, CPU, MAC address, computer name, language\r\nsettings, list of disk devices and their type, time elapsed since the system was started, and unique identifier of the victim's\r\nsystem)\r\n--End functions--\r\nScreenshots\r\nFigure 1 - Screenshot of the cryptographic algorithms the malware used to secure its data transfers and C2 sessions.\r\n100.43.153.60\r\nPorts\r\n443 TCP\r\nWhois\r\nDomain Name: KRYPT.COM\r\nRegistry Domain ID: 4620809_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.godaddy.com\r\nRegistrar URL: http://www.godaddy.com\r\nUpdated Date: 2016-02-25T03:39:29Z\r\nCreation Date: 1998-05-04T04:00:00Z\r\nRegistry Expiry Date: 2024-05-03T04:00:00Z\r\nRegistrar: GoDaddy.com, LLC\r\nRegistrar IANA ID: 146\r\nRegistrar Abuse Contact Email: abuse@godaddy.com\r\nRegistrar Abuse Contact Phone: 480-624-2505\r\nDomain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\r\nDomain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nDomain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\r\nName Server: NS1.CF.KRYPT.COM\r\nName Server: NS2.CF.KRYPT.COM\r\nName Server: NS3.CF.KRYPT.COM\r\nDNSSEC: 
signedDelegation\r\nDNSSEC DS Data: 2371 13 2 503AEB51F773BBCA00DB982C938895EF147DDC7D48A4E1E6FD0FE5BE7B98DA0D\r\nURL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/\r\nLast update of whois database: 2018-06-28T02:39:11Z\r\nRelationships\r\n100.43.153.60 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09\r\n104.194.160.59\r\nPorts\r\n443 TCP\r\nWhois\r\nDomain Name: SERVPAC.COM\r\nRegistry Domain ID: 81803816_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.godaddy.com\r\nRegistrar URL: http://www.godaddy.com\r\nUpdated Date: 2013-12-27T04:46:10Z\r\nCreation Date: 2001-12-31T08:29:34Z\r\nRegistry Expiry Date: 2018-12-31T08:29:34Z\r\nRegistrar: GoDaddy.com, LLC\r\nRegistrar IANA ID: 146\r\nRegistrar Abuse Contact Email: abuse@godaddy.com\r\nRegistrar Abuse Contact Phone: 480-624-2505\r\nDomain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\r\nDomain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nDomain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\r\nName Server: NS1.SERVPAC.COM\r\nName Server: NS2.SERVPAC.COM\r\nDNSSEC: unsigned\r\nURL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/\r\nLast update of whois database: 2018-06-28T02:40:41Z\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-221A\r\nPage 4 of 6\n\nRelationships\r\n104.194.160.59 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09\r\n212.143.21.43\r\nPorts\r\n443 TCP\r\nWhois\r\nnetnum:        212.143.21.0 - 212.143.21.63\r\nnetname:        Nana10-LAN\r\ndescr:         Nana10-LAN\r\ncountry:        IL\r\nadmin-c:        NV6695-RIPE\r\ntech-c:         NV6695-RIPE\r\nstatus:         ASSIGNED PA\r\nmnt-by:         NV-MNT-RIPE\r\ncreated:        2011-02-17T09:16:56Z\r\nlast-modified: 2011-02-17T09:16:57Z\r\nsource:         
RIPE\r\nperson:         Nana 10 LTD\r\naddress:        1 Korazin str\r\naddress:        Givataim, Israel, 53583\r\nmnt-by:         NV-MNT-RIPE\r\nphone:         +972-73-7992000\r\nfax-no:         +972-73-7992220\r\ne-mail:         domains@nana10.net.il\r\nnic-hdl:        NV6695-RIPE\r\ncreated:        2010-08-04T09:51:11Z\r\nlast-modified: 2011-02-17T09:01:21Z\r\nsource:         RIPE\r\n% Information related to '212.143.0.0/16AS1680'\r\nroute:         212.143.0.0/16\r\ndescr:         013 Netvision Network\r\norigin:         AS1680\r\nmnt-by:         NV-MNT-RIPE\r\ncreated:        1970-01-01T00:00:00Z\r\nlast-modified: 2009-03-26T10:55:12Z\r\nsource:         RIPE\r\nRelationships\r\n212.143.21.43 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09\r\nRelationship Summary\r\ne23900b00f... Connected_To 104.194.160.59\r\ne23900b00f... Connected_To 212.143.21.43\r\ne23900b00f... Connected_To 100.43.153.60\r\n100.43.153.60 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09\r\n104.194.160.59 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09\r\n212.143.21.43 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-221A\r\nPage 5 of 6\n\nRecommendations\r\nNCCIC would like to remind users and administrators to consider using the following best practices to strengthen the\r\nsecurity posture of their organization's systems. Any configuration changes should be reviewed by system owners and\r\nadministrators prior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate ACLs.\r\nAdditional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83,\r\nGuide to Malware Incident Prevention \u0026 Handling for Desktops and Laptops.\r\nContact Information\r\nDocument FAQ\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide\r\ninformation regarding the level of desired analysis.\r\nCan I submit malware to NCCIC? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nNCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code,\r\nsoftware vulnerabilities, and phishing-related scams. 
Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.\r\nSource: https://www.us-cert.gov/ncas/analysis-reports/AR18-221A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"
	],
	"report_names": [
		"AR18-221A"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434527,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f912bab5eac56d6654ef3f4954193f5e9ab75cc1.pdf",
		"text": "https://archive.orkl.eu/f912bab5eac56d6654ef3f4954193f5e9ab75cc1.txt",
		"img": "https://archive.orkl.eu/f912bab5eac56d6654ef3f4954193f5e9ab75cc1.jpg"
	}
}