{
	"id": "26d7528d-373f-488d-95ed-fc3124f6083f",
	"created_at": "2026-04-06T00:12:59.91692Z",
	"updated_at": "2026-04-10T03:36:22.096883Z",
	"deleted_at": null,
	"sha1_hash": "f92648a3c3c91eb3d5aeb4435cbd2a904fb83eab",
	"title": "Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 134856,
	"plain_text": "Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2020-11-30 · Archived: 2026-04-05 17:10:36 UTC\r\nCryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation-state activity. They are not the most sophisticated type of threat, which also means they are not among the security issues that defenders address with the most urgency. Recent campaigns from the nation-state actor BISMUTH take advantage of the low-priority alerts coin miners cause to try to fly under the radar and establish persistence.\r\nBISMUTH, which shares similarities with OceanLotus or APT32, has been running increasingly complex cyberespionage attacks since as early as 2012, using both custom and open-source tooling to target large multinational corporations, governments, financial services, educational institutions, and human and civil rights organizations. But in campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam.\r\nBecause BISMUTH’s attacks involved techniques that ranged from typical to more advanced, devices showing common threat activity like phishing and coin mining should be escalated and inspected for advanced threats. More importantly, organizations should prioritize reducing attack surface and hardening networks against the full range of attacks. 
In this blog, we’ll provide in-depth technical details about the BISMUTH attacks in July and August 2020 and mitigation recommendations for building organizational resilience.\r\nWhile this actor’s operational goals remained the same—establish continuous monitoring and espionage, exfiltrating useful information as it surfaced—their deployment of coin miners in their recent campaigns provided another way for the attackers to monetize compromised networks. Considering some of the group’s traditional targets are human and civil rights organizations, BISMUTH attacks demonstrate how little regard attackers give to the services they impact.\r\nThe use of coin miners by BISMUTH was unexpected, but it was consistent with the group’s longtime methods of blending in. This pattern of blending in is particularly evident in these recent attacks, starting from the initial access stage: spear-phishing emails that were specially crafted for one specific recipient per target organization and showed signs of prior reconnaissance. In some instances, the group even corresponded with the targets, building further credibility to convince them to open the malicious attachment and start the infection chain.\r\nThe other way that BISMUTH attempted to blend in and hide in plain sight was the heavy use of DLL side-loading, a technique in which a malicious DLL is placed where a legitimate application expects to find a DLL of the same name, so that the malicious DLL is loaded when the application is run. In their recent attacks, BISMUTH utilized copies of various legitimate software to load malicious DLL files and perform tasks in the context of these legitimate applications. To perform DLL sideloading, BISMUTH introduced outdated versions of various applications, including Microsoft Defender Antivirus.\r\nhttps://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/\r\nPage 1 of 8\r\n
They also leveraged the Sysinternals DebugView tool, the McAfee on-demand scanner, and Microsoft\r\nWord 2007.\r\nBlending in was important for BISMUTH because the group spent long periods of time performing discovery on\r\ncompromised networks until they could access and move laterally to high-value targets like servers, where they\r\ninstalled various tools to further propagate or perform more actions. At this point in the attack, the group relied\r\nheavily on evasive PowerShell scripts, making their activities even more covert.\r\nThe coin miners also allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived\r\nto be less alarming because they’re “commodity” malware. If we learned anything from “commodity” banking\r\ntrojans that bring in human-operated ransomware, we know that common malware infections can be indicators of\r\nmore sophisticated cyberattacks and should be treated with urgency and investigated and resolved\r\ncomprehensively.\r\nInitial access\r\nBISMUTH attempted to gain initial access by sending specially crafted malicious emails from a Gmail account\r\nthat appears to have been made specifically for this campaign. It’s likely the group conducted reconnaissance\r\nusing publicly available sources and chose individual targets based on their job function. 
Each email was sent to only one recipient at each target organization and used tailored subject lines and lure themes, for example:\r\n- Dự thảo hợp đồng (Vietnamese for “Draft Contract”)\r\n- Ứng tuyển – Trưởng ban nghiên cứu thị trường (Vietnamese for “Application form – Head of Market Research”)\r\nOf note, the group sent several replies to one of these emails, which indicates that they corresponded with some targets before convincing them to open the malicious document attachment and inadvertently launch the payload.\r\nWhen opened, the malicious .doc file dropped several files in the hidden ProgramData folder: (1) MpSvc.dll, a malicious DLL with the same name as a legitimate Microsoft Defender Antivirus DLL, and (2) a copy of MsMpEng.exe, the legitimate Microsoft Defender Antivirus executable.\r\nThe malicious document then added a scheduled task that launched the MsMpEng.exe copy and sideloaded the malicious MpSvc.dll. Because the latest versions of Microsoft Defender Antivirus are no longer susceptible to DLL sideloading, BISMUTH used an older copy to load the malicious DLL and establish a persistent command-and-control (C2) channel to the compromised device and consequently the network.\r\nUsing the newly established channel, the group dropped several files for the next stages of the attack, including a .7z archive, a copy of Word 2007, and another DLL, wwlib.dll. 
While it used the same name as a legitimate Microsoft Word DLL, wwlib.dll was a copy of KerrDown, a family of custom malware exclusive to BISMUTH. This file was subsequently sideloaded by the dropped copy of Word 2007—a technique used by BISMUTH extensively to load malicious code from a DLL file in the context of a legitimate process like winword.exe.\r\nBISMUTH established another persistence method by dropping another copy of Word 2007 in a subfolder in ProgramData. The group then created a scheduled task that launched that copy in the same malicious manner every 60 minutes, further increasing their chances of going undetected and maintaining their presence.\r\nDiscovery\r\nOnce established as a scheduled task, the co-opted Word 2007 process dropped and loaded a scanning tool popular among attackers, NbtScan.exe. BISMUTH then immediately used the scanning tool to scan an IP address range within the organization. Following this network scan, the Word 2007 process launched a malicious script using a living-off-the-land binary, rundll32.exe, resulting in a scan of a range of common ports, including 21, 22, 389, 139, and 1433. BISMUTH listed devices with open ports in a .csv file.\r\nWhile network scanning was underway, the group performed other reconnaissance activities. They gathered information about domain and local administrators, checked whether users had local administrative privileges, and collected device information—aggregating results in a .csv for exfiltration. 
In addition, the group once again used MsMpEng.exe with the malicious sideloaded DLL to connect to another device that appears to have been designated by BISMUTH at some point during the attack as an internal C2 foothold and exfiltration staging device.\r\nContinued lateral movement, discovery, and intel gathering\r\nAfter a month of continual discovery on compromised devices, the group moved laterally to a server and copied over a malicious DLL that masqueraded as the system file mpr.dll and a copy of the Sysinternals DebugView tool. They dropped the tool onto different devices using SMB remote file copy, using file names related to popular Japanese video game characters and a seemingly random word. The actors then registered and launched malicious services multiple times, launching the DebugView tool to connect to multiple Yahoo websites and confirm Internet connectivity, followed by a connection to their C2 infrastructure.\r\nAt this point, BISMUTH switched to running their attacks using PowerShell, quickly launching multiple script cmdlets. First, they dumped credentials from the Security Account Manager (SAM) database using the Empire PowerDump command and then quickly deleted PowerShell event logs to erase records generated by Script Block Logging. 
They then continued their discovery efforts using a PowerShell script that gathered user and group information and sent the gathered data to .csv files.\r\nThe script collected the following information about each user:\r\ndescription, distinguishedname, lastlogontimestamp, logoncount, mail, name, primarygroupid, pwdlastset, samaccountname, userprincipalname, whenchanged, whencreated\r\nAnd the following information about each domain group:\r\nadspath, description, distinguishedname, groupType, instancetype, mail, member, memberof, name, objectsid, samaccountname, whenchanged, whencreated\r\nNext, the group exported directory forest and domain organizational unit (OU) information. They then started connecting to dozens of devices using WMI. Following that, they dumped security log entries with event ID 680, possibly to harvest account information from NTLM fallback authentications. Lastly, the group used the system tool Nltest.exe to gather domain trust info and pinged multiple servers they had identified by name during reconnaissance. Some of these servers appear to be database and file servers that could have contained high-value information for espionage objectives typically pursued by BISMUTH.\r\nBISMUTH then installed a Cobalt Strike beacon. The group dropped a .rar file and extracted its contents—McOds.exe, which is a copy of the McAfee on-demand scanner, and a malicious DLL—into the SysWOW64 folder. The group then created a scheduled task that launched the copy of the McAfee on-demand scanner with SYSTEM privileges and sideloaded the malicious DLL. This persistence mechanism established a connection to their Cobalt Strike server infrastructure. 
To clean up evidence, they deleted the dropped McAfee\r\nbinary.\r\nIn terms of targets for this campaign, there were some commonalities among targets located in Vietnam that\r\nMicrosoft has assessed to be tied to their previous designation as state-owned enterprises (SOEs). The observed\r\nBISMUTH activity in Vietnam targeted organizations that included former SOEs previously operated by the\r\ngovernment of Vietnam, entities that have acquired a significant portion of a former SOE, and entities that conduct\r\ntransactions with a Vietnamese government agency. Although the group’s specific objectives for these recent\r\nattacks cannot be defined with high confidence, BISMUTH’s past activities have included operations in support of\r\nbroader espionage goals.\r\nCoin miner deployment and credential theft\r\nAs mentioned, BISMUTH deployed coin miners during these attacks. To do this, they first dropped a .dat file and\r\nloaded the file using rundll32.exe, which in turn downloaded a copy of the 7-zip tool named 7za.exe and a ZIP\r\nfile. They then used 7-Zip to extract a Monero coin miner from the ZIP file and registered the miner as a service\r\nnamed after a common Virtual Machine process. Each coin miner they deployed had a unique wallet address that\r\nearned over a thousand U.S. dollars combined during the attacks.\r\nAfter deploying coin miners as their distraction technique, BISMUTH then focused much of its efforts on\r\ncredential theft. 
They registered multiple malicious services that used %comspec%—an environment variable that expands to the path of cmd.exe and is commonly used by attackers to avoid hard-coding that path—to run the renamed DebugView tool while loading a malicious DLL. The group used DebugView and the malicious DLL in a fairly unexpected fashion to launch Base64-encoded Mimikatz commands using one of several Windows processes: makecab.exe, systray.exe, w32tm.exe, bootcfg.exe, diskperf.exe, esentutl.exe, and typeperf.exe.\r\nThey ran the following Mimikatz commands, which require SYSTEM or Debug privileges:\r\n- sekurlsa::logonpasswords full: lists all account and user password hashes, typically user and computer credentials for recently logged on users\r\n- lsadump::lsa /inject: injects into LSASS to retrieve credentials and requests the LSA Server to fetch credentials from the Security Account Manager (SAM) database and Active Directory (AD)\r\nAfter running these commands, the co-opted DebugView tool connected to multiple attacker-controlled domains, likely to exfiltrate stolen credentials.\r\nAs the affected organizations worked to evict BISMUTH from their networks, Microsoft security researchers saw continued activity involving lateral movement to other devices, credential dumping, and planting of multiple persistence methods. This highlights the complexity of responding to a full-blown intrusion and the significance of taking quick action to resolve alerts that flag initial stages of an attack.\r\nBuilding organizational resilience against attacks that blend in\r\nBISMUTH attacks put strong emphasis on hiding in plain sight by blending in with normal network activity or common threats that attackers anticipate will get low-priority attention. 
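Before turning to mitigations, it is worth noting that the persistence mechanisms described above all leave artifacts that can be enumerated on a host: a scheduled task that launches a copied, validly signed binary from ProgramData (MsMpEng.exe, Word 2007) or from SysWOW64 (the McAfee scanner) so that it sideloads a malicious DLL, a service whose ImagePath goes through %comspec% to run a renamed DebugView, and a miner registered as a service under a look-alike name. The following PowerShell is an added example and not code from the Microsoft post. It lists task actions and services whose binaries run from outside the normal install roots, task binaries under SystemRoot that are not signed by Microsoft, service command lines that run through cmd.exe, and service binaries whose PE OriginalFilename differs from their on-disk name. The set of trusted roots is an assumption; the script only reports and changes nothing.

```powershell
# Added example, not code from the Microsoft post. Hunts the local host for the
# persistence patterns described above: scheduled-task actions and services that
# run a binary from outside the usual install roots (the copied MsMpEng.exe and
# Word 2007 in ProgramData), task binaries under SystemRoot that are not signed
# by Microsoft (the McAfee scanner copied into SysWOW64), services whose
# ImagePath goes through %comspec%, and service binaries whose PE
# OriginalFilename differs from the on-disk name (a renamed Dbgview.exe).
# Assumption: the roots below are the only expected install locations. Read-only;
# run from an elevated prompt so every task and service is visible.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd([char]92) }   # [char]92 is the backslash

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root + [char]92, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Extracts the executable from a command line: expands environment variables
# (so %comspec% becomes the real cmd.exe path) and honours a quoted first token.
function Get-ExecutablePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    $q = [char]34   # double quote
    if ($expanded.Length -gt 1 -and $expanded[0] -eq $q) {
        $end = $expanded.IndexOf($q, 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    return ($expanded -split ' ')[0]
}

# A copied MsMpEng.exe or McOds.exe still carries its vendor's valid signature,
# so signature validity alone proves nothing; location and signer are the tells.
function Get-BinaryReason {
    param([string]$Exe)
    if (-not (Test-TrustedPath $Exe)) { return 'binary outside trusted roots' }
    $winRoot = $env:SystemRoot + [char]92
    if ($Exe.StartsWith($winRoot, [System.StringComparison]::OrdinalIgnoreCase) -and (Test-Path -LiteralPath $Exe)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Exe
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
            return 'binary under SystemRoot not signed by Microsoft'
        }
    }
    return $null
}

$findings = @()

foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe = Get-ExecutablePath $action.Execute
        if (-not $exe) { continue }
        $reason = Get-BinaryReason $exe
        if ($reason) {
            $findings += [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = $task.TaskPath + $task.TaskName
                Command = ($action.Execute + ' ' + $action.Arguments).Trim()
                Reason  = $reason
            }
        }
    }
}

foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $cmd = $svc.PathName
    if (-not $cmd) { continue }
    $reasons = @()
    if ($cmd -like '*%comspec%*' -or $cmd -like '*cmd.exe /c*') {
        $reasons += 'ImagePath runs through cmd.exe'
    }
    $exe = Get-ExecutablePath $cmd
    if ($exe) {
        $reason = Get-BinaryReason $exe
        if ($reason) { $reasons += $reason }
        if (Test-Path -LiteralPath $exe) {
            $orig = (Get-Item -LiteralPath $exe).VersionInfo.OriginalFilename
            if ($orig -and ($orig -ne ([IO.Path]::GetFileName($exe)))) {
                $reasons += 'renamed binary, OriginalFilename=' + $orig
            }
        }
    }
    if ($reasons.Count -gt 0) {
        $findings += [pscustomobject]@{
            Source  = 'Service'
            Name    = $svc.Name
            Command = $cmd
            Reason  = $reasons -join '; '
        }
    }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Each row is a lead, not a verdict: some vendors legitimately install under System32, and a handful of binaries ship with an OriginalFilename that differs from their on-disk name. When a row does point at a sideloading host, the malicious DLL is the one sitting next to that binary with the name of a library it imports (MpSvc.dll beside the copied MsMpEng.exe, wwlib.dll beside the copied Word), so check that directory before closing the lead.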
The combination of social engineering and use of legitimate applications to sideload malicious DLLs calls for multiple layers of protection focused on stopping threats at the earliest possible stage and mitigating the progression of attacks if they manage to slip through. Here are mitigation recommendations that organizations can implement to limit exposure:\r\nLimit the attack surface that attackers can leverage for initial access:\r\n- Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email, and reporting reconnaissance attempts and other suspicious activity.\r\n- Configure Office 365 email filtering settings to ensure blocking of phishing \u0026 spoofed emails, spam, and emails with malware. Set Office 365 to recheck links on click and delete sent mail to benefit from newly acquired threat intelligence.\r\n- Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications.\r\n- Disallow macros or allow only macros from trusted locations. See the latest security baselines for Office and Office 365.\r\n- Check perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control activity.\r\nBuild credential hygiene to reduce risk during the discovery stage:\r\n- Enforce strong, randomized local administrator passwords. Use tools like LAPS.\r\n- Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts.\r\n- Require multi-factor authentication through Windows Hello.\r\nStop attack sprawl and contain attacker movement:\r\n- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\r\n- Turn on tamper protection features to prevent attackers from stopping security services.\r\n- Monitor for clearing of event logs. Windows generates security event ID 1102 when this occurs.\r\n- Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Highly privileged accounts should not be present on workstations.\r\n- Use the Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.\r\nTo better defend organizations against attacks that do everything to blend in once they gain access to a network, organizations can build defenses for preventing and blocking attacks at the initial access stage. Microsoft Defender for Office 365 provides defense capabilities that protect organizations from threats like credential phishing, business email compromise, and cyberattacks that begin with spear-phishing emails. Safe Attachments and Safe Links provide real-time protection using a combination of detonation, automated analysis, and machine learning, which are especially useful for highly targeted, specially crafted emails. 
Campaign views show the\r\ncomplete picture of email campaigns, including timelines, sending patterns, impact to the organization, and details\r\nlike IP addresses, senders, URLs.\r\nThe broader Microsoft 365 Defender presents cross-domain threat intelligence and actionable information in\r\nconsolidated incidents view, empowering security operations teams to comprehensively respond to attacks. For\r\ncritical threats like BISMUTH campaigns, Microsoft researchers publish threat analytics reports that contain\r\ntechnical details, detection info, and mitigation status. Investigation tools like advanced hunting allow security\r\nteams to perform additional inspection of the environment for related or similar threats. Threat and vulnerability\r\nmanagement data show mitigation recommendations, including enabling relevant attack surface reduction rules,\r\nthat organizations can take to reduce risks.\r\nThese industry-leading capabilities in Microsoft 365 Defender are backed by Microsoft’s network of researchers\r\nand security experts who monitor the threat landscape and track threat actors like BISMUTH. Through Microsoft\r\n365 Defender, we transform threat intelligence into protections and rich investigation tools that organizations can\r\nuse to build organizational resilience. 
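Two of the monitoring recommendations above, watching for clearing of the Security log (event ID 1102) and reviewing 4624 logon events by logon type to see where privileged accounts expose credentials, can be turned into a first-pass review of a host's Security log. The following PowerShell is an added example and is not code from the Microsoft post; the privileged account names in it are made up for the example, and the seven-day window is an arbitrary choice.

```powershell
# Added example, not code from the Microsoft post. First-pass review of the local
# Security log for the two signals recommended above: clearing of the Security
# log (event ID 1102) and logons by privileged accounts (event ID 4624), broken
# out by logon type so you can see where their credentials end up cached.
# Assumptions: the account names below are made up for the example; adjust them
# to your own privileged accounts. Reading the Security log needs an elevated prompt.
$PrivilegedAccounts = @('Administrator', 'da-jsmith', 'svc-backup')
$LookBack = (Get-Date).AddDays(-7)   # arbitrary window for the example
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# Logon types that leave the account's credentials in LSASS on this host.
$CachingLogonTypes = @(2, 4, 5, 10, 11)

# Reads one named field from an event's XML. 4624 keeps its fields under
# EventData/Data; 1102 keeps them under UserData/LogFileCleared.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    $data = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($data) { return [string]$data.'#text' }
    $cleared = $xml.Event.UserData.LogFileCleared
    if ($cleared -and $cleared.$Name) { return [string]$cleared.$Name }
    return $null
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(1102, 4624); StartTime = $LookBack } -ErrorAction SilentlyContinue

$signals = foreach ($e in $events) {
    if ($e.Id -eq 1102) {
        [pscustomobject]@{
            Time = $e.TimeCreated; Signal = 'SecurityLogCleared'
            Account = Get-EventField $e 'SubjectUserName'
            LogonType = ''; CredsCached = ''; Source = ''
        }
        continue
    }
    $user = Get-EventField $e 'TargetUserName'
    # Skip machine accounts and anonymous logons; they are not what the post is about.
    if (-not $user -or $user.EndsWith('$') -or $user -eq 'ANONYMOUS LOGON') { continue }
    if ($PrivilegedAccounts -notcontains $user) { continue }
    $type = [int](Get-EventField $e 'LogonType')
    $typeName = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { [string]$type }
    [pscustomobject]@{
        Time = $e.TimeCreated; Signal = 'PrivilegedLogon'
        Account = $user
        LogonType = $typeName; CredsCached = ($type -in $CachingLogonTypes)
        Source = Get-EventField $e 'IpAddress'
    }
}

$signals | Sort-Object Time | Format-Table -AutoSize
```

Logon types 2, 4, 5, 10 and 11 leave the account's credentials in LSASS on the host, which is why a domain administrator appearing with one of those on a workstation is exactly the exposure the post warns about; type 3 network logons do not cache credentials but still show where the account is in use. Clearing of other logs, including the PowerShell operational log that BISMUTH deleted, is recorded as event ID 104 in the System log rather than as 1102 in Security, so extend the filter if you want that covered. At scale, run the same logic over forwarded events or in advanced hunting rather than host by host.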
Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender.\r\nMicrosoft 365 Defender Threat Intelligence Team\r\nwith Microsoft Threat Intelligence Center (MSTIC)\r\nMITRE ATT\u0026CK techniques observed\r\nInitial access\r\n- Phishing: Spearphishing Attachment (sub-technique .001) | Emails containing malicious Word documents with specific lure themes and subject lines for each target\r\nExecution\r\n- System Services: Service Execution (sub-technique .002) | Use of Service Control Manager (services.exe) to launch Sysinternals dbgview.exe\r\n- Command and Scripting Interpreter: PowerShell (sub-technique .001) | Use of PowerShell to run cmdlets used for data exfiltration and lateral movement\r\nPersistence\r\n- T1053 Scheduled Task/Job | Scheduled task to execute payload every 60 minutes\r\nPrivilege escalation\r\n- Valid Accounts: Local and Domain Accounts (sub-techniques .002/.003) | Credentials stolen for privilege escalation using Mimikatz\r\nDefense evasion\r\n- T1070 Indicator Removal on Host | Stopping of malicious tasks after data exfiltration or payload retrieval, deleting dropped malware from the disk, and clearing of PowerShell event logs\r\n- Hijack Execution Flow: DLL Sideloading (sub-technique .002) | Using winword.exe, dbgview.exe, msmpeng.exe to load malicious DLLs\r\nCredential access\r\n- T1003 Credential Dumping | Use of Mimikatz to dump credentials\r\nDiscovery\r\n- T1033 System Owner/User Discovery, T1049 System Network Connections Discovery | Use of whoami, netstat, ipconfig\r\n- T1016 System Network Configuration Discovery | Use of modified nbtscan\r\n- Permission Groups Discovery: Domain Groups (sub-technique .002) | Discovering domain groups with net users /domain\r\nCollection\r\n- Data Staging: Local Data Staging (sub-technique .001) | Storing harvested credentials and user/group information in a local CSV file\r\nExfiltration\r\n- T1041 Exfiltration Over C2 Channel | Data exfiltration to a C2 server established in the compromised network\r\nSource: https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/"
	],
	"report_names": [
		"threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3f86085e-95c5-4007-8bd7-86ad330ce4eb",
			"created_at": "2022-10-25T16:07:24.457008Z",
			"updated_at": "2026-04-10T02:00:04.998531Z",
			"deleted_at": null,
			"main_name": "Bismuth",
			"aliases": [
				"Canvas Cyclone"
			],
			"source_name": "ETDA:Bismuth",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434379,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f92648a3c3c91eb3d5aeb4435cbd2a904fb83eab.pdf",
		"text": "https://archive.orkl.eu/f92648a3c3c91eb3d5aeb4435cbd2a904fb83eab.txt",
		"img": "https://archive.orkl.eu/f92648a3c3c91eb3d5aeb4435cbd2a904fb83eab.jpg"
	}
}