{
	"id": "b427fa59-7079-4808-986b-67b7ead9e973",
	"created_at": "2026-04-06T00:16:07.192731Z",
	"updated_at": "2026-04-10T03:37:33.352193Z",
	"deleted_at": null,
	"sha1_hash": "f94c7f454b5332e100a0e5cdb2f66f636df4e427",
	"title": "SUNBURST (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 300070,
	"plain_text": "SUNBURST (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 20:09:04 UTC\r\nFireEye describes SUNBURST as a trojanized SolarWinds digitally-signed component of the Orion software\r\nframework that contains a backdoor that communicates via HTTP to third party servers. After an initial dormant\r\nperiod of up to two weeks, it uses a DGA to generate specific subdomains for a set C\u0026C domain. The backdoor\r\nretrieves and executes commands, that include the ability to transfer files, execute files, profile the system, reboot\r\nthe machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal\r\nSolarWinds API communications: Orion Improvement Program (OIP) protocol. The backdoor uses multiple\r\nobfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Multiple\r\ntrojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website.\r\n2023-04-13 ⋅ ⋅ CERT.PL ⋅\r\nCERT Polska and SKW warn against the activities of Russian spies\r\nBOOMBOX EnvyScout SUNBURST 2022-09-10 ⋅ cocomelonc\r\nMalware development: persistence - part 10. Using Image File Execution Options. 
Simple C++ example.\r\nSUNBURST 2022-07-31 ⋅ BushidoToken Blog ⋅ BushidoToken\r\nSpace Invaders: Cyber Threats That Are Out Of This World\r\nPoison Ivy Raindrop SUNBURST TEARDROP WastedLocker 2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nSolar Phoenix\r\nSUNBURST TEARDROP UNC2452 2022-06-18 ⋅ R136a1 ⋅ Dominik Reichel\r\nUsing dotnetfile to get a Sunburst timeline for intelligence gathering\r\nSUNBURST 2022-04-27 ⋅ Mandiant ⋅ Mandiant\r\nAssembling the Russian Nesting Doll: UNC2452 Merged into APT29\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-12-29 ⋅ Palo Alto Networks Unit 42 ⋅ Daiping Liu, Jielong Xu, Wanjin\r\nLi, Zhanhao Chen\r\nStrategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends\r\nChrysaor SUNBURST 2021-09-02 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nAutodesk reveals it was targeted by Russian SolarWinds hackers\r\nSUNBURST 2021-07-27 ⋅ Gigamon ⋅ Joe Slowik\r\nGhosts on the Wire: Expanding Conceptions of Network Anomalies\r\nSUNBURST 2021-07-13 ⋅ YouTube ( Matt Soseman) ⋅ Matt Soseman\r\nSolarwinds and SUNBURST attacks compromised my lab!\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-06-12 ⋅ YouTube (BSidesBoulder) ⋅ Kaspersky, Kurt Baumgartner\r\nSame and Different - sesame street level attribution\r\nKazuar SUNBURST 2021-06-01 ⋅ SANS ⋅ Jake Williams, Kevin Haley\r\nA Contrarian View on SolarWinds\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-05-31 ⋅ Wired ⋅ Andy Greenberg\r\nHacker Lexicon: What Is a Supply Chain Attack?\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nPage 1 of 10\n\nEternalPetya SUNBURST 2021-05-14 ⋅ CISA ⋅ US-CERT\r\nAnalysis Report (AR21-134A): Eviction Guidance for Networks Affected by the SolarWinds and Active\r\nDirectory/M365 Compromise\r\nSUNBURST 2021-05-08 ⋅ The Record ⋅ Catalin Cimpanu\r\nSolarWinds says fewer than 100 customers were impacted by supply chain attack\r\nSUNBURST 2021-05-07 ⋅ SolarWinds ⋅ Solarwind\r\nAn Investigative Update of the 
Cyberattack\r\nSUNBURST 2021-04-22 ⋅ RiskIQ ⋅ RiskIQ\r\nSolarWinds: Advancing the Story\r\nSUNBURST 2021-04-15 ⋅ European Council ⋅ Council of the European Union\r\nDeclaration by the High Representative on behalf of the European Union expressing solidarity with the United\r\nStates on the impact of the SolarWinds cyber operation\r\nSUNBURST 2021-04-15 ⋅ North Atlantic Treaty Organization ⋅ NATO\r\nNorth Atlantic Council Statement following the announcement by the United States of actions with regard to\r\nRussia\r\nSUNBURST 2021-04-15 ⋅ Ministry of Foreign Affairs Republic of Poland ⋅ Ministry of Foreign Affairs Republic of Poland\r\nStatement on Solar Winds Orion cyberattacks\r\nSUNBURST 2021-04-15 ⋅ Ministry of foreign affairs of the Republic of Latvia ⋅ Ministry of foreign affairs of the Republic of Latvia\r\nLatvia’s statement following the announcement by the United States of actions to respond to the Russian\r\nFederation’s destabilizing activities (Deadlink)\r\nSUNBURST 2021-03-18 ⋅ Github (cisagov) ⋅ CISA\r\nCISA Hunt and Incident Response Program (CHIRP)\r\nSUNBURST 2021-03-18 ⋅ CISA ⋅ US-CERT\r\nAlert (AA21-077A): Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool\r\nSUNBURST 2021-03-17 ⋅ CISA ⋅ US-CERT\r\nSolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known\r\nTactics, Techniques, and Procedures (Dead Link)\r\nSUNBURST 2021-03-16 ⋅ Mimecast ⋅ Mimecast\r\nIncident Report\r\nSUNBURST 2021-03-10 ⋅ US-CERT ⋅ CISA\r\nRemediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise\r\nSUNBURST 2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Adam Pennington, Jen Burns, Katie Nickels\r\nSTAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT\u0026CK(R)\r\nCobalt Strike SUNBURST TEARDROP 2021-03-04 ⋅ Microsoft ⋅ Andrea Lelli, Microsoft 365 Defender Threat Intelligence\r\nTeam, Microsoft Threat Intelligence Center (MSTIC), Ramin 
Nafisi\r\nGoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence\r\nSUNBURST TEARDROP UNC2452 2021-03-01 ⋅ Microsoft ⋅ Microsoft\r\nDetect and defend against the recent nation-state cyber attack\r\nSUNBURST 2021-02-28 ⋅ PWC UK ⋅ PWC UK\r\nCyber Threats 2020: A Year in Retrospect\r\nelf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot\r\nBazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nPage 2 of 10\n\nFunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk\r\nStoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess\r\nWinnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception\r\nFramework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team 2021-02-26 ⋅ YouTube (Oversight\r\nCommittee) ⋅ Oversight Committee\r\nWeathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign\r\nSUNBURST 2021-02-25 ⋅ BrightTALK (FireEye) ⋅ Andrew Rector, Mandiant, Matt Bromiley\r\nLight in the Dark: Hunting for SUNBURST\r\nSUNBURST 2021-02-25 ⋅ Microsoft ⋅ Microsoft Identity Security Team\r\nMicrosoft open sources CodeQL queries used to hunt for Solorigate activity\r\nSUNBURST 2021-02-25 ⋅ Microsoft ⋅ Microsoft\r\nCodeQL queries to hunt for Solorigate activity\r\nSUNBURST 2021-02-24 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nNASA and the FAA were also breached by the SolarWinds hackers\r\nSUNBURST 2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX 
REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-02-19 ⋅ THE NEW STACK ⋅ Dror Alon, Lior Sonntag\r\nBehind the Scenes of the SunBurst Attack\r\nSUNBURST 2021-02-17 ⋅ YouTube (The White House) ⋅ Anne Neuberger\r\nUpdate on Investigation of SolarWinds supply chain attack from the Deputy National Security Advisor\r\nSUNBURST 2021-02-17 ⋅ Netresec ⋅ Erik Hjelmvik\r\nTargeting Process for the SolarWinds Backdoor\r\nSUNBURST 2021-02-17 ⋅ apirro ⋅ Ariel Levy\r\nDetect and prevent the SolarWinds build-time code injection attack\r\nSUNBURST 2021-02-16 ⋅ Accenture ⋅ Alexandrea Berninger\r\nHard lessons learned: Threat intel takeaways from the community response to Solarigate\r\nSUNBURST TEARDROP 2021-02-16 ⋅ FireEye ⋅ Andrew Rector, Matt Bromiley, Robert Wallace\r\nLight in the Dark: Hunting for SUNBURST\r\nSUNBURST 2021-02-08 ⋅ US-CERT ⋅ US-CERT\r\nMalware Analysis Report (AR21-039A): SUNBURST\r\nSUNBURST 2021-01-29 ⋅ Aon ⋅ Alex Parsons, Carly Battaile, Partha Alwar\r\nCloudy with a Chance of Persistent Email Access\r\nSUNBURST 2021-01-28 ⋅ Check Point ⋅ Lior Sonntag\r\nDeep into the SunBurst Attack\r\nSUNBURST 2021-01-28 ⋅ YouTube (Microsoft Security Community) ⋅ Microsoft\r\nMicrosoft 365 Defender webinar: Protect, Detect, and Respond to Solorigate using M365 Defender\r\nSUNBURST 2021-01-26 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nPage 3 of 10\n\nSunBurst industrial victims\r\nSUNBURST 2021-01-26 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nMimecast links security breach to SolarWinds hackers\r\nSUNBURST 2021-01-26 ⋅ Mimecast ⋅ Mimecast Contributing Writer\r\nImportant Security Update\r\nSUNBURST 2021-01-26 ⋅ Fidelis ⋅ Chris Kubic\r\nOngoing Analysis of SolarWinds Impacts\r\nSUNBURST 2021-01-25 ⋅ Netresec ⋅ Erik Hjelmvik\r\nTwenty-three SUNBURST Targets Identified\r\nSUNBURST 
2021-01-25 ⋅ ZenGo ⋅ Tal Be'ery\r\nUngilded Secrets: A New Paradigm for Key Security\r\nSUNBURST 2021-01-24 ⋅ Medium vrieshd ⋅ VriesHD\r\nFinding SUNBURST victims and targets by using passive DNS, OSINT\r\nSUNBURST 2021-01-22 ⋅ Symantec ⋅ Threat Hunter Team\r\nSolarWinds: How Sunburst Sends Data Back to the Attackers\r\nSUNBURST 2021-01-22 ⋅ DomainTools ⋅ Joe Slowik\r\nChange in Perspective on the Utility of SUNBURST-related Network Indicators\r\nSUNBURST 2021-01-21 ⋅ NetbyteSEC ⋅ Fareed Fauzi\r\nSolarwinds Attack: Sunburst's DLL Technical Analysis\r\nSUNBURST 2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Cyber Defense Operations Center (CDOC),\r\nMicrosoft Threat Intelligence Center (MSTIC)\r\nDeep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop\r\nCobalt Strike SUNBURST TEARDROP 2021-01-19 ⋅ Github (fireeye) ⋅ FireEye\r\nMandiant Azure AD Investigator: Focusing on UNC2452 TTPs\r\nSUNBURST 2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team\r\nRaindrop: New Malware Discovered in SolarWinds Investigation\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-01-17 ⋅ a12d404 ⋅ Markus Piéton\r\nBackdooring MSBuild\r\nSUNBURST 2021-01-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nSolarWinds: Insights into Attacker Command and Control Process\r\nSUNBURST 2021-01-14 ⋅ Microsoft ⋅ Microsoft 365 Defender Team\r\nIncreasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender\r\nSUNBURST 2021-01-14 ⋅ DomainTools ⋅ Joe Slowik\r\nThe Devil’s in the Details: SUNBURST Attribution\r\nSUNBURST 2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist\r\nUNC2452: What We Know So Far\r\nCobalt Strike SUNBURST TEARDROP 2021-01-11 ⋅ Kaspersky Labs ⋅ Costin Raiu, Georgy Kucherin, Igor Kuznetsov\r\nSunburst backdoor – code overlaps with Kazuar\r\nKazuar SUNBURST 2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna\r\nNew Findings From Our Investigation of SUNBURST\r\nCobalt Strike SUNBURST TEARDROP 2021-01-11 ⋅ 
CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nSUNSPOT: An Implant in the Build Process\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nPage 4 of 10\n\nSUNBURST 2021-01-11 ⋅ Netresec ⋅ Erik Hjelmvik\r\nRobust Indicators of Compromise for SUNBURST\r\nSUNBURST 2021-01-08 ⋅ US-CERT ⋅ US-CERT\r\nAlert (AA21-008A): Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments\r\nSUNBURST SUPERNOVA 2021-01-08 ⋅ splunk ⋅ James Brodsky, John Stoner, Lily Lee, Marcus LaFerrera, Ryan Kovar\r\nA Golden SAML Journey: SolarWinds Continued\r\nSUNBURST 2021-01-07 ⋅ Symantec ⋅ Threat Hunter Team\r\nSolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar\r\nSUNBURST 2021-01-07 ⋅ TRUESEC ⋅ Sebastian Olsson\r\nAvoiding supply-chain attacks similar to SolarWinds Orion’s (SUNBURST)\r\nSUNBURST 2021-01-06 ⋅ Department of Justice ⋅ Department of Justice\r\nDepartment of Justice Statement on Solarwinds Update\r\nSUNBURST 2021-01-06 ⋅ Github (SentinelLabs) ⋅ SentinelLabs\r\nSolarWinds_Countermeasures\r\nSUNBURST 2021-01-06 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nATT\u0026CK Navigator layer for UNC2452\r\nSUNBURST 2021-01-06 ⋅ CISA ⋅ US-CERT\r\nSupply Chain Compromise\r\nSUNBURST 2021-01-05 ⋅ ⋅ Sangfor ⋅ Clairvoyance Safety Laboratory\r\nRed team's perspective on the TTPs in Sunburst's backdoor\r\nSUNBURST 2021-01-05 ⋅ CISA, FBI, NSA, ODNI\r\nJoint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security\r\nAgency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency\r\n(NSA)\r\nSUNBURST 2021-01-04 ⋅ Netresec ⋅ Erik Hjelmvik\r\nFinding Targeted SUNBURST Victims with pDNS\r\nSUNBURST 2021-01-01 ⋅ DomainTools ⋅ Joe Slowik\r\nConceptualizing a Continuum of Cyber Threat Attribution\r\nCHINACHOPPER SUNBURST 2021-01-01 ⋅ Mandiant ⋅ Mandiant\r\nM-TRENDS 2021\r\nCobalt Strike SUNBURST 2021-01-01 ⋅ Symantec ⋅ Symantec Threat Hunter Team\r\nSupply Chain 
Attacks: Cyber Criminals Target the Weakest Link\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2020-12-31 ⋅ Microsoft ⋅ MSRC Team\r\nMicrosoft Internal Solorigate Investigation Update\r\nSUNBURST 2020-12-31 ⋅ IronNet ⋅ IronNet\r\nSolarWinds/SUNBURST: Behavioral analytics and Collective Defense in action\r\nSUNBURST 2020-12-30 ⋅ Recorded Future ⋅ John Wetzel\r\nSOLARWINDS ATTRIBUTION: Are We Getting Ahead of Ourselves? An Analysis of UNC2452 Attribution\r\nSUNBURST 2020-12-29 ⋅ Netresec ⋅ Erik Hjelmvik\r\nExtracting Security Products from SUNBURST DNS Beacons\r\nSUNBURST 2020-12-29 ⋅ CyberArk ⋅ Shaked Reiner\r\nGolden SAML Revisited: The Solorigate Connection\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nPage 5 of 10\n\nSUNBURST 2020-12-28 ⋅ Microsoft ⋅ Microsoft 365 Defender Team\r\nUsing Microsoft 365 Defender to protect against Solorigate\r\nSUNBURST TEARDROP 2020-12-25 ⋅ Comae ⋅ Matt Suiche\r\nSUNBURST \u0026 Memory Analysis\r\nSUNBURST 2020-12-24 ⋅ FireEye ⋅ Jay Smith, Stephen Eckels, William Ballenthin\r\nSUNBURST Additional Technical Details\r\nSUNBURST 2020-12-23 ⋅ ⋅ Qianxin ⋅ Qi AnXin CERT\r\n从Solarwinds供应链攻击（金链熊）看APT行动中的隐蔽作战 (English: A look at covert operations in APT campaigns through the SolarWinds supply chain attack (Golden Chain Bear))\r\nSUNBURST 2020-12-23 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nA Timeline Perspective of the SolarStorm Supply-Chain Attack\r\nSUNBURST TEARDROP 2020-12-23 ⋅ CrowdStrike ⋅ Michael Sentonas\r\nCrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory\r\nSUNBURST 2020-12-23 ⋅ Prevasio ⋅ Sergei Shevchenko\r\nDNS Tunneling In The SolarWinds Supply Chain Attack\r\nSUNBURST 2020-12-22 ⋅ Checkpoint ⋅ Check Point Research\r\nSUNBURST, TEARDROP and the NetSec New Normal\r\nSUNBURST TEARDROP 2020-12-22 ⋅ Symantec ⋅ Threat Hunter Team\r\nSolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection\r\nSUNBURST 2020-12-22 ⋅ Microsoft ⋅ Alex Weinert\r\nAzure AD workbook to help you assess Solorigate risk\r\nSUNBURST 2020-12-22 ⋅ Medium mitre-attack ⋅ Adam Pennington, Matt 
Malone\r\nIdentifying UNC2452-Related Techniques for ATT\u0026CK\r\nSUNBURST TEARDROP UNC2452 2020-12-22 ⋅ Youtube (Colin Hardy) ⋅ Colin Hardy\r\nSUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims\r\nSUNBURST 2020-12-22 ⋅ FBI ⋅ FBI\r\nPIN Number 20201222-001: Advanced Persistent Threat Actors Leverage SolarWinds Vulnerabilities\r\nSUNBURST 2020-12-22 ⋅ Zscaler ⋅ Zscaler\r\nThe Hitchhiker’s Guide to SolarWinds Incident Response\r\nSUNBURST 2020-12-22 ⋅ Prevasio ⋅ Sergei Shevchenko\r\nSunburst Backdoor, Part III: DGA \u0026 Security Software (Broken Link)\r\nSUNBURST 2020-12-21 ⋅ SophosLabs Uncut ⋅ SophosLabs Threat Research\r\nHow SunBurst malware does defense evasion\r\nSUNBURST UNC2452 2020-12-21 ⋅ Microsoft ⋅ Alex Weinert\r\nUnderstanding \"Solorigate\"'s Identity IOCs - for Identity Vendors and their customers.\r\nSUNBURST 2020-12-21 ⋅ McAfee ⋅ Arnab Roy, Mo Cashman\r\nHow A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise\r\nSUNBURST 2020-12-21 ⋅ Microsoft ⋅ MSRC Team\r\nSolorigate Resource Center\r\nSUNBURST TEARDROP 2020-12-21 ⋅ IronNet ⋅ Peter Rydzynski\r\nSolarWinds/SUNBURST: DGA or DNS Tunneling?\r\nSUNBURST 2020-12-21 ⋅ Fortinet ⋅ Udi Yavo\r\nWhat We Have Learned So Far about the “Sunburst”/SolarWinds Hack\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nPage 6 of 10\n\nCobalt Strike SUNBURST TEARDROP 2020-12-20 ⋅ Medium Asuna Amawaka ⋅ Asuna Amawaka\r\nA Look into SUNBURST’s DGA\r\nSUNBURST 2020-12-20 ⋅ Twitter (@TychoTithonus) ⋅ Royce Williams\r\nSolarWinds/SunBurst FNV-1a-XOR hashes found in analysis\r\nSUNBURST 2020-12-19 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nThe SolarWinds cyberattack: The hack, the victims, and what we know\r\nSUNBURST 2020-12-18 ⋅ Cloudflare ⋅ Jesse Kipp, Nick Blazier\r\nA quirk in the SUNBURST DGA algorithm\r\nSUNBURST 2020-12-18 ⋅ DomainTools ⋅ Joe Slowik\r\nContinuous Eruption: Further Analysis of the SolarWinds Supply Chain 
Incident\r\nSUNBURST 2020-12-18 ⋅ Kaspersky Labs ⋅ Costin Raiu, Igor Kuznetsov\r\nSunburst: connecting the dots in the DNS requests\r\nSUNBURST 2020-12-18 ⋅ Elastic ⋅ Camilla Montonen, Justin Ibarra\r\nCombining supervised and unsupervised machine learning for DGA detection\r\nSUNBURST 2020-12-18 ⋅ ThreatConnect ⋅ ThreatConnect\r\nTracking Sunburst-Related Activity with ThreatConnect Dashboards\r\nSUNBURST 2020-12-18 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC)\r\nAnalyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft\r\nDefender helps protect customers\r\nSUNBURST SUPERNOVA TEARDROP UNC2452 2020-12-18 ⋅ Sentinel LABS ⋅ James Haughom\r\nSolarWinds SUNBURST Backdoor: Inside the APT Campaign\r\nSUNBURST 2020-12-18 ⋅ IBM ⋅ Gladys Koskas\r\nSUNBURST indicator detection in QRadar\r\nSUNBURST 2020-12-17 ⋅ US-CERT ⋅ US-CERT\r\nAlert (AA20-352A): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure,\r\nand Private Sector Organizations\r\nSUNBURST 2020-12-17 ⋅ Microsoft ⋅ Brad Smith\r\nA moment of reckoning: the need for a strong and global cybersecurity response\r\nSUNBURST 2020-12-17 ⋅ Twitter (@megabeets_) ⋅ Itay Cohen\r\nTweet on SUNBURST malware discussing some of its evasion techniques\r\nSUNBURST 2020-12-17 ⋅ McAfee ⋅ Cedric Cochin, Christiaan Beek, Raj Samani\r\nAdditional Analysis into the SUNBURST Backdoor\r\nSUNBURST 2020-12-17 ⋅ Youtube (Colin Hardy) ⋅ Colin Hardy\r\nSUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering\r\nSUNBURST 2020-12-17 ⋅ TRUESEC ⋅ Fabio Viggiani\r\nThe SolarWinds Orion SUNBURST supply-chain Attack\r\nSUNBURST 2020-12-17 ⋅ Netresec ⋅ Erik Hjelmvik\r\nReassembling Victim Domain Fragments from SUNBURST DNS\r\nSUNBURST 2020-12-17 ⋅ TrustedSec ⋅ Trustedsec\r\nSolarWinds Backdoor (Sunburst) Incident Response Playbook\r\nSUNBURST 2020-12-17 ⋅ splunk ⋅ John 
Stoner\r\nOnboarding Threat Indicators into Splunk Enterprise Security: SolarWinds Continued\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nPage 7 of 10\n\nSUNBURST 2020-12-17 ⋅ Prevasio ⋅ Sergei Shevchenko\r\nSunburst Backdoor, Part II: DGA \u0026 The List of Victims\r\nSUNBURST 2020-12-16 ⋅ Github (RedDrip7) ⋅ RedDrip7\r\nA script to decode SUNBURST DGA domain\r\nSUNBURST 2020-12-16 ⋅ ReversingLabs ⋅ Tomislav Pericin\r\nSunBurst: the next level of stealth SolarWinds compromise exploited through sophistication and patience\r\nSUNBURST 2020-12-16 ⋅ Intel 471 ⋅ Intel 471\r\nIntel471's full statement on their knowledge of SolarWinds and the cybercriminal underground\r\nSUNBURST 2020-12-16 ⋅ Twitter (@0xrb) ⋅ R. Bansal\r\nList of domain infrastructure including DGA domain used by UNC2452\r\nSUNBURST 2020-12-16 ⋅ Twitter (@FireEye) ⋅ FireEye\r\nTweet on SUNBURST from FireEye detailing some additional information\r\nSUNBURST 2020-12-16 ⋅ ⋅ Qianxin ⋅ Red Raindrop Team\r\n中招目标首次披露：SolarWinds供应链攻击相关域名生成算法可破解！ (English: Compromised targets disclosed for the first time: the domain generation algorithm used in the SolarWinds supply chain attack can be cracked!)\r\nSUNBURST 2020-12-16 ⋅ Microsoft ⋅ Shain Wray\r\nSolarWinds Post-Compromise Hunting with Azure Sentinel\r\nSUNBURST 2020-12-16 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nFireEye, Microsoft create kill switch for SolarWinds backdoor\r\nSUNBURST 2020-12-16 ⋅ Cloudflare ⋅ Jesse Kipp, Malavika Balachandran Tadeusz\r\nTrend data on the SolarWinds Orion compromise\r\nSUNBURST 2020-12-16 ⋅ Twitter (@cybercdh) ⋅ Colin Hardy\r\nTweet on 3 key actions SUNBURST performs as soon as it's invoked\r\nSUNBURST 2020-12-16 ⋅ Cyborg Security ⋅ Josh Meltzer\r\nSUNBURST: SolarWinds Supply-Chain Attack\r\nSUNBURST 2020-12-16 ⋅ Pastebin ⋅ Anonymous\r\nPaste of subdomain \u0026 DGA domain names used in SolarWinds attack\r\nSUNBURST UNC2452 2020-12-15 ⋅ Corelight ⋅ John Gamble\r\nFinding SUNBURST Backdoor with Zeek Logs \u0026 Corelight\r\nSUNBURST 2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team\r\nsolarwinds-threathunt\r\nCobalt Strike SUNBURST 
2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan\r\nTactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach\r\nCobalt Strike SUNBURST 2020-12-15 ⋅ Twitter (@cybercdh) ⋅ Colin Hardy\r\nTweet on CyberChef recipe to extract and decode strings from #SolarWinds malware binaries.\r\nSUNBURST 2020-12-15 ⋅ Twitter (@cybercdh) ⋅ Colin Hardy\r\nTweet on some more capabilities of SUNBURST backdoor\r\nSUNBURST 2020-12-15 ⋅ ⋅ 360 Threat Intelligence Center ⋅ Advanced Threat Institute\r\nOperation Falling Eagle: the secret of the most influential supply chain attack in history\r\nSUNBURST 2020-12-15 ⋅ Cyborg Security ⋅ Austin Jackson\r\nThreat Hunt Deep Dives: SolarWinds Supply Chain Compromise (Solorigate / SUNBURST Backdoor)\r\nSUNBURST 2020-12-15 ⋅ Prevasio ⋅ Sergei Shevchenko\r\nSunburst Backdoor: A Deeper Look Into The SolarWinds' Supply Chain Malware (Broken link)\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nPage 8 of 10\n\nSUNBURST 2020-12-14 ⋅ Twitter (@KimZetter) ⋅ Kim Zetter\r\nTweet thread on Microsoft report on SolarWinds supply chain attack by UNC2452\r\nSUNBURST 2020-12-14 ⋅ Cado Security ⋅ Christopher Doman\r\nResponding to Solarigate\r\nSUNBURST 2020-12-14 ⋅ Twitter (@ItsReallyNick) ⋅ Nick Carr\r\nTweet summarizing post-compromise activity of UNC2452\r\nSUNBURST 2020-12-14 ⋅ Twitter (@lordx64) ⋅ Taha Karim\r\nTweet on a one-liner to decrypt SUNBURST backdoor\r\nSUNBURST 2020-12-14 ⋅ Olaf Hartong\r\nFireEye Sunburst KQL Detections\r\nSUNBURST 2020-12-14 ⋅ splunk ⋅ Ryan Kovar\r\nUsing Splunk to Detect Sunburst Backdoor\r\nSUNBURST 2020-12-14 ⋅ DomainTools ⋅ Joe Slowik\r\nUnraveling Network Infrastructure Linked to the SolarWinds Hack\r\nSUNBURST 2020-12-14 ⋅ Volexity ⋅ Damien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, Volexity Threat\r\nResearch\r\nDark Halo Leverages SolarWinds Compromise to Breach Organizations\r\nSUNBURST 2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nThreat Brief: SolarStorm 
and SUNBURST Customer Coverage\r\nCobalt Strike SUNBURST 2020-12-14 ⋅ Sophos ⋅ Ross McKerchar\r\nIncident response playbook for responding to SolarWinds Orion compromise\r\nSUNBURST 2020-12-14 ⋅ TrustedSec ⋅ Nick Gilberti, Tyler Hudak\r\nSolarWinds Orion and UNC2452 – Summary and Recommendations\r\nSUNBURST 2020-12-14 ⋅ Youtube (Ali Hadi) ⋅ Ali Hadi\r\nLearning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor\r\nSUNBURST 2020-12-14 ⋅ Cisco Talos ⋅ Nick Biasini\r\nThreat Advisory: SolarWinds supply chain attack\r\nSUNBURST TEARDROP 2020-12-14 ⋅ Symantec ⋅ Threat Hunter Team\r\nSunburst: Supply Chain Attack Targets SolarWinds Users\r\nSUNBURST TEARDROP 2020-12-14 ⋅ Solarwind ⋅ Solarwind\r\nSecurity Advisory on SolarWinds Supply chain attack\r\nSUNBURST SUPERNOVA 2020-12-14 ⋅ Solarwind ⋅ Solarwind\r\nSecurity Advisory on SolarWinds Supply chain attack FAQ\r\nSUNBURST SUPERNOVA 2020-12-13 ⋅ VX-Underground\r\nDirectory: /samples/Exotic/UNC2452/SolarWinds Breach/\r\nSUNBURST 2020-12-13 ⋅ Microsoft ⋅ Microsoft Security Intelligence\r\nTrojan:MSIL/Solorigate.B!dha\r\nSUNBURST 2020-12-13 ⋅ CISA ⋅ CISA\r\nActive Exploitation of SolarWinds Software\r\nSUNBURST 2020-12-13 ⋅ Github (fireeye) ⋅ FireEye\r\nSUNBURST Countermeasures\r\nSUNBURST SUPERNOVA TEARDROP UNC2452 2020-12-13 ⋅ FireEye ⋅ Alex Berry, Alex Pennino, Alyssa Rahman,\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nPage 9 of 10\n\nAndrew Archer, Andrew Rector, Andrew Thompson, Barry Vengerik, Ben Read, Ben Withnell, Chris DiGiamo, Christopher Glyer, Dan\r\nPerez, Dileep Jallepalli, Doug Bienstock, Eric Scales, Evan Reese, Fred House, Glenn Edwards, Ian Ahl, Isif Ibrahima, Jay Smith, John\r\nGorman, John Hultquist, Jon Leathery, Lennard Galang, Marcin Siedlarz, Matt Dunwoody, Matthew McWhirt, Michael Sikorski,\r\nMicrosoft, Mike Burns, Nalani Fraiser, Nick Bennett, Nick Carr, Nick Hornick, Nick Richard, Nicole Oppenheim, Omer Baig, Ramin\r\nNafisi, Sarah Jones, Scott Runnels, 
Stephen Eckels, Steve Miller, Steve Stone, William Ballenthin\r\nHighly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With\r\nSUNBURST Backdoor\r\nSUNBURST SUPERNOVA TEARDROP UNC2452 2020-12-08 ⋅ Securonix ⋅ Den Iyzvyk, Oleg Kolesnikov\r\nDetecting SolarWinds/SUNBURST/ECLIPSER Supply Chain Attacks\r\nSUNBURST 2020-12-01 ⋅ FireEye ⋅ FireEye\r\nSolarwinds Breach Resource Center\r\nSUNBURST 2020-01-22 ⋅ Thomas Barabosch\r\nThe malware analyst’s guide to PE timestamps\r\nAzorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP\r\n[TLP:WHITE] win_sunburst_w0 (20201215 | This rule is looking for portions of the SUNBURST backdoor\r\nthat are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on\r\nprocess, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill\r\nprocesses, write and delete files, set and create registry keys, gather system information, and disable a set of\r\nforensic analysis tools and services.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst"
	],
	"report_names": [
		"win.sunburst"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c",
			"created_at": "2022-10-25T16:07:23.277763Z",
			"updated_at": "2026-04-10T02:00:04.514755Z",
			"deleted_at": null,
			"main_name": "Solar Spider",
			"aliases": [],
			"source_name": "ETDA:Solar Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "80edca9f-dcd6-491e-92f3-87ad1f575631",
			"created_at": "2023-10-14T02:03:14.694988Z",
			"updated_at": "2026-04-10T02:00:05.021046Z",
			"deleted_at": null,
			"main_name": "NetSec",
			"aliases": [
				"NetSec",
				"Operation Data Breach",
				"ScarFace_TheOne",
				"USDoD"
			],
			"source_name": "ETDA:NetSec",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998",
			"created_at": "2023-01-06T13:46:39.207556Z",
			"updated_at": "2026-04-10T02:00:03.246557Z",
			"deleted_at": null,
			"main_name": "RIDDLE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:RIDDLE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e227b757-7032-4a99-b119-1bfda2ebd543",
			"created_at": "2023-01-06T13:46:39.21663Z",
			"updated_at": "2026-04-10T02:00:03.248543Z",
			"deleted_at": null,
			"main_name": "SOLAR SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SOLAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3f53ecb7-e228-471d-8f85-0b2ba110ab4b",
			"created_at": "2023-01-06T13:46:39.181151Z",
			"updated_at": "2026-04-10T02:00:03.237995Z",
			"deleted_at": null,
			"main_name": "Red Charon",
			"aliases": [],
			"source_name": "MISPGALAXY:Red Charon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5fba09c3-73cc-4898-9b82-e73b012016c6",
			"created_at": "2025-08-07T02:03:24.578591Z",
			"updated_at": "2026-04-10T02:00:03.767329Z",
			"deleted_at": null,
			"main_name": "BRONZE EDGEWOOD",
			"aliases": [
				"Red Hariasa"
			],
			"source_name": "Secureworks:BRONZE EDGEWOOD",
			"tools": [
				"Chinoxy",
				"Cobalt Strike",
				"FunnyDream",
				"Md_client",
				"Nishang Post Exploitation Framework",
				"PCShare",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f72bb9d8-ff75-444f-8fb7-1e8e113cef73",
			"created_at": "2023-01-06T13:46:39.401929Z",
			"updated_at": "2026-04-10T02:00:03.314524Z",
			"deleted_at": null,
			"main_name": "BRONZE EDGEWOOD",
			"aliases": [
				"Red Hariasa"
			],
			"source_name": "MISPGALAXY:BRONZE EDGEWOOD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c",
			"created_at": "2022-10-25T16:07:24.12696Z",
			"updated_at": "2026-04-10T02:00:04.875073Z",
			"deleted_at": null,
			"main_name": "Riddle Spider",
			"aliases": [
				"Avaddon Team"
			],
			"source_name": "ETDA:Riddle Spider",
			"tools": [
				"Avaddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f94c7f454b5332e100a0e5cdb2f66f636df4e427.pdf",
		"text": "https://archive.orkl.eu/f94c7f454b5332e100a0e5cdb2f66f636df4e427.txt",
		"img": "https://archive.orkl.eu/f94c7f454b5332e100a0e5cdb2f66f636df4e427.jpg"
	}
}