{ "id": "bf423547-48c9-4bb8-972a-bc470ac91430", "created_at": "2026-04-06T00:08:38.629912Z", "updated_at": "2026-04-10T03:38:19.556903Z", "deleted_at": null, "sha1_hash": "fa50328b58acb7bf1ac61ad47dd9e2e66beb7c32", "title": "Monthly news - November 2023", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 71553, "plain_text": "Monthly news - November 2023\r\nBy HeikeRitter\r\nPublished: 2023-11-02 · Archived: 2026-04-05 18:33:17 UTC\r\nBlog Post\r\nMicrosoft Defender XDR Blog\r\n8 MIN READ\r\nMicrosoft 365 Defender\r\nMonthly news\r\nNovember 2023 Edition\r\nThis is our monthly \"What's new\" blog post, summarizing product updates and various new assets we released\r\nover the past month across our Defender products. In this edition, we are looking at all the goodness from\r\nOctober 2023.  \r\nLegend:\r\nProduct\r\nvideos\r\nWebcast\r\n(recordings)\r\nDocs on Microsoft Blogs on Microsoft\r\nGitHub External\r\nProduct\r\nimprovements\r\nPreviews /\r\nAnnouncements\r\nMicrosoft 365 Defender\r\nOperationalizing Microsoft Security Copilot to Reinvent SOC Productivity. (Preview) Microsoft\r\nSecurity Copilot in Microsoft 365 Defender is now in preview. Microsoft 365 Defender users can take\r\nadvantage of Security Copilot capabilities to summarize incidents, analyze scripts and codes, use\r\nguided responses to resolve incidents, generate KQL queries, and create incident reports within the\r\nportal. Security Copilot is on an invitation-only preview. Learn more about Security Copilot in\r\nthe Microsoft Security Copilot Early Access Program Frequently Asked Questions.\r\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796\r\nPage 1 of 5\n\nUsing advanced hunting to secure OAuth apps. In this blog, we'll demonstrate how SOC teams can\r\nbenefit from App governance and its integration with Advanced Hunting to better secure SaaS apps.\r\n(Preview) You can now get email notifications for manual or automated actions done in Microsoft\r\n365 Defender. Learn how to configure email notifications for manual or automated response actions\r\nperformed in the portal. \r\n(Preview) Exchange Online permission management for Microsoft Defender for Office 365 is now\r\nsupported in Microsoft 365 Defender Unified role-based access control (RBAC). In addition to the\r\nexisting support for scenarios that are controlled by Exchange Online Protection (EOP) roles,\r\nconfigured in the Microsoft 365 Defender portal (under Permissions \u003e Email \u0026 collaboration roles),\r\nMicrosoft 365 Defender Unified RBAC now also supports the management of Exchange Online\r\n(EXO) roles and permissions, which could previously only be managed in the Exchange Admin\r\nCenter. Learn more in our documentation.\r\nThe Virtual Ninja Show Season 6 is coming to help wrap up your 2023! We go live November 6th\r\n– December 20th with tons of security features and tips to share with you! Visit the show site (site will\r\nget updated Nov 2nd, please check back!) to see all upcoming details and add events to your calendar. \r\nMicrosoft Security Experts\r\nNew FAQ for Defender Experts for XDR managed response. \r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Identity\r\nSimplified deployment with Defender for Identity.  In this blog we will show you the simple steps\r\nfor deploying Microsoft Defender for Identity within your environment.\r\nMicrosoft Defender for Cloud Apps\r\nAutomatic redirection from Defender for Cloud Apps to Microsoft 365 Defender is generally\r\navailable. All users accessing Microsoft Defender for Cloud Apps will be automatically rerouted\r\nto the Microsoft 365 Defender portal. Admins will still have the option to not automatically redirect\r\ntheir users. Learn more here.\r\nMicrosoft Defender for Office 365\r\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796\r\nPage 2 of 5\n\nAuthenticate Outbound Email to Improve Deliverability.  This blog explains how to set up email\r\nauthentication for your domain, so you can ensure that your messages are less likely to be rejected or\r\nmarked as spam by email providers like Gmail, Yahoo, AOL, Outlook.com.\r\nBlogs on Microsoft Security\r\nThreat Analytics Reports / Actor, activity \u0026 technique profiles (Portal access needed)\r\nThreat overview: Cloud identity abuse. With more organizations moving to hybrid or cloud-only\r\nmodels, it is becoming increasingly important to secure both cloud resources as well as cloud\r\nidentities. Cloud identity compromise was initially thought to be a technique reserved for only a\r\nhandful of advanced actors in the past such as Midnight Blizzard with the Solar Winds supply chain\r\ncompromise. However, other tracked actors including Peach Sandstorm, Storm-0219, and Octo\r\nTempest have recently shown sophisticated competency in the cloud across a large variety of industry\r\nverticals.\r\n \r\nActivity profile: Threat actors attempt SQL to cloud lateral movement. Microsoft security\r\nresearchers recently identified an attack where attackers attempted to move laterally to a cloud\r\nenvironment through a SQL Server instance. This attack technique demonstrates an approach we've\r\nseen in other cloud services such as VMs and Kubernetes cluster, but not in SQL Server. \r\n \r\nVulnerability profile: WS_FTP Server critical vulnerabilities. Multiple vulnerabilities are\r\nimpacting WS_FTP Server, a secure file transfer solution, according to a Progress Software advisory.\r\nTwo of the identified vulnerabilities affecting versions prior to 8.7.4 and 8.8.2 are rated critical: CVE-2023-40044 and CVE-2023-42657. These vulnerabilities could allow an unauthenticated attacker to\r\nlaunch remote commands and perform file operations outside of their authorized folder path.\r\n \r\nVulnerability profile: Pre-authentication RCE chain on SharePoint Server 2019. On September\r\n25, 2023 STAR Labs researcher Nguyễn Tiến Giang published a technical analysis describing a pre-authentication remote code execution exploit chain impacting vulnerable versions of SharePoint\r\nServer 2019.\r\n \r\nActivity profile: Diamond Sleet compromises TeamCity servers. Diamond Sleet, a North Korean\r\nbased threat actor, has compromised multiple servers running JetBrains TeamCity. The servers were\r\nlikely compromised from the recently disclosed vulnerability CVE-2023-42793. Once Diamond Sleet\r\nsuccessfully compromised the server, two payloads were downloaded from other infrastructure\r\ncompromised earlier by Diamond Sleet. Microsoft also observed Diamond Sleet deploying files to the\r\ncompromised servers that were used in dynamic link library (DLL) search-order hijacking attacks.\r\n  Actor profile: Storm-1575. The actor group Microsoft tracks as Storm-1575 is behind the\r\ndevelopment, support, and sale of a phishing-as-a-service (PhaaS) platform with adversary-in-the-https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796\r\nPage 3 of 5\n\nmiddle (AiTM) capabilities. This platform, known as Dadsec, has been active since approximately\r\nMay 5, 2023.\r\n \r\nActor profile: Pinstripe Lightning. The threat actor that Microsoft tracks as Pinstripe Lightning is a\r\nGaza-based actor active as far back as 2015. Pinstripe Lightning is known to target Palestinian\r\ngovernment agencies, universities, and pro-Fateh organizations in the West Bank. \r\n \r\nVulnerability profile: CVE-2023-41763 Skype for Business Elevation of Privilege\r\nvulnerability. Microsoft has released a patch for CVE-2023-41763, an elevation of privilege\r\nvulnerability in Skype for Business, which was reported by a third-party researcher in May 2022.\r\nProof of concept exploit code shows that this vulnerability enables server-side request forgery (SSRF)\r\nattacks which could cause a server to make requests to unintended locations. \r\n \r\nActor profile: Diamond Sleet. The actor that Microsoft tracks as Diamond Sleet (formerly ZINC) is\r\na North Korea-based activity group. Diamond Sleet is known to target media, defense, and\r\ninformation technology (IT) industries globally. Diamond Sleet focuses on espionage, theft of\r\npersonal and corporate data, financial gain, and corporate network destruction.\r\n \r\nActivity profile: Storm-0062 attempts to exploit CVE-2023-22515 in Atlassian\r\nConfluence. Microsoft has observed nation-state actor Storm-0062 attempting to exploit CVE-2023-\r\n22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023.\r\nCVE-2023-22515 is a critical privilege escalation vulnerability in Atlassian Confluence Data Center\r\nand Server. Any device with a network connection to a vulnerable application can exploit CVE-2023-\r\n22515 to create a Confluence administrator account within the application. The Storm-0062 campaign\r\ntargets government and defense industrial base organizations in North America and Europe. \r\n \r\nActor profile: Storm-0539. The actor that Microsoft tracks as Storm-0539 is a financially motivated\r\ngroup active since late 2021. Storm-0539 is known to primarily target retail organizations for gift card\r\nfraud and theft. Storm-0539 carries out extensive reconnaissance of targeted organizations in order to\r\ncraft convincing phishing lures and steal user credentials and tokens for initial access. The actor is\r\nwell-versed in cloud providers and leverages resources from the target organization’s cloud services\r\nfor post-compromise activities.\r\n \r\nVulnerability profile: CVE-2023-4863 and CVE-2023-5217 vulnerabilities in WebP and\r\nlibvpx. In September 2023, Google published CVE-2023-4863 and CVE-2023-5217 to address\r\nvulnerabilities in WebP (a compression format for images on the web) and libvpx (a software video\r\ncodec library) that may result in remote code execution. The subsequent impact to Microsoft products\r\nhas been documented in the Security Update Guide and the MSRC blog. Google is aware that exploits\r\nexist for both vulnerabilities.\r\n \r\nActor profile: Storm-0249. The actor Microsoft tracks as Storm-0249 (DEV-0249) is an access\r\nbroker active since 2021 and known for distributing BazaLoader, Gozi, Emotet, IcedID, and\r\nBumblebee malware. Storm-0249 typically uses phishing emails to distribute their malware payloads\r\nin opportunistic attacks. Microsoft observed Storm-0249 activity leading to hands-on-keyboard\r\nactivity by ransomware operators like Storm-0501 (DEV-0501).\r\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796\r\nPage 4 of 5\n\nActor profile: Storm-0589. The actor that Microsoft tracks as Storm-0589 (DEV-0589) is an activity\r\ngroup based out of Iran. Storm-0589 is known to target organizations in government, travel,\r\nhospitality, human resources, information technology, and telecommunications sectors in countries in\r\nAfrica, Asia, Europe, and the Middle East. Storm-0589 has used a combination of commodity and\r\ncustom tools, notably a custom scanner, in its operations. Given the profile of targeted organizations\r\nand the nature of known post-exploitation activity, Microsoft assesses that this group is seeking data\r\nthat can be used to identify and track individuals of interest.\r\n \r\nVulnerability profile: CVE-2023-20198 and CVE-2023-20273 Cisco IOS XE web UI feature\r\nvulnerabilities. CVE-2023-20198 and CVE-2023-20273 are critical vulnerabilities in Cisco IOS XE\r\nSoftware web UI that could let an attacker remotely access and elevate privileges on impacted\r\nsystems to achieve full compromise. Attackers reportedly exploited these then-zero-day vulnerabilities\r\nprior to their public disclosure. Microsoft has observed activity indicating threat actors are actively\r\ntargeting these security flaws, and many impacted devices remain exposed to the web.\r\n \r\nVulnerability profile: CVE-2023-38831 in WinRAR. CVE-2023-38831 is a vulnerability in the\r\nWinRAR compression tool, which an attacker can exploit to run arbitrary code using a weaponized\r\narchive file. The vulnerability was reportedly exploited as early as April 2023 prior to its public\r\ndisclosure. Since the disclosure in July 2023, exploitation activity increased in both widespread\r\nphishing operations as well as targeted spear phishing operations by threat actors such as Forrest\r\nBlizzard, Twill Typhoon, and Opal Sleet. Proof-of-concept code is widely available, further\r\ncontributing to adoption among threat actors.\r\n \r\nVulnerability profile: CVE-2023-4966 and CVE-2023-4967 in NetScaler ADC and NetScaler\r\nGateway. CVE-2023-4966 and CVE-2023-4967 are vulnerabilities in Citrix NetScaler ADC and\r\nNetScaler Gateway that, if exploited, can result in information disclosure and denial-of-service,\r\nrespectively. Citrix disclosed these issues in an October 10, 2023, advisory and has since provided\r\nbuilds addressing the flaws.\r\nUpdated Oct 29, 2024\r\nVersion 4.0\r\nEnjoying the article? Sign in to share your thoughts.\r\nSource: https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796\r\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796" ], "report_names": [ "3970796" ], "threat_actors": [ { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4", "created_at": "2025-08-07T02:03:25.096857Z", "updated_at": "2026-04-10T02:00:03.659118Z", "deleted_at": null, "main_name": "NICKEL JUNIPER", "aliases": [ "Konni", "OSMIUM ", "Opal Sleet " ], "source_name": "Secureworks:NICKEL JUNIPER", "tools": [ "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c", "created_at": "2023-11-01T02:01:06.643737Z", "updated_at": "2026-04-10T02:00:05.340198Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "source_name": "MITRE:Scattered Spider", "tools": [ "WarzoneRAT", "Rclone", "LaZagne", "Mimikatz", "Raccoon Stealer", "ngrok", "BlackCat", "ConnectWise" ], "source_id": "MITRE", "reports": null }, { "id": "9b1d173a-51f2-4857-833e-62fbacf044d9", "created_at": "2024-02-02T02:00:04.094591Z", "updated_at": "2026-04-10T02:00:03.569152Z", "deleted_at": null, "main_name": "Storm-1575", "aliases": [], "source_name": "MISPGALAXY:Storm-1575", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "eb317a88-9474-4329-90a0-ae7e632ac75b", "created_at": "2024-02-02T02:00:04.082914Z", "updated_at": "2026-04-10T02:00:03.557196Z", "deleted_at": null, "main_name": "Storm-0539", "aliases": [], "source_name": "MISPGALAXY:Storm-0539", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-10T02:00:03.374705Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "UNC3944", "Scattered Swine", "Octo Tempest", "DEV-0971", "Starfraud", "Muddled Libra", "Oktapus", "Scatter Swine", "0ktapus", "Storm-0971" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d", "created_at": "2022-10-25T16:07:23.539852Z", "updated_at": "2026-04-10T02:00:04.647734Z", "deleted_at": null, "main_name": "Desert Falcons", "aliases": [ "APT-C-23", "ATK 66", "Arid Viper", "Niobium", "Operation Arid Viper", "Operation Bearded Barbie", "Operation Rebound", "Pinstripe Lightning", "Renegade Jackal", "TAG-63", "TAG-CT1", "Two-tailed Scorpion" ], "source_name": "ETDA:Desert Falcons", "tools": [ "AridSpy", "Barb(ie) Downloader", "BarbWire", "Desert Scorpion", "FrozenCell", "GlanceLove", "GnatSpy", "KasperAgent", "Micropsia", "PyMICROPSIA", "SpyC23", "Viper RAT", "ViperRAT", "VolatileVenom", "WinkChat", "android.micropsia" ], "source_id": "ETDA", "reports": null }, { "id": "b43c8747-c898-448a-88a9-76bff88e91b5", "created_at": "2024-02-02T02:00:04.058535Z", "updated_at": "2026-04-10T02:00:03.545252Z", "deleted_at": null, "main_name": "Opal Sleet", "aliases": [ "Konni", "Vedalia", "OSMIUM" ], "source_name": "MISPGALAXY:Opal Sleet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4db51064-e43e-4495-8e1b-ba6e117e688f", "created_at": "2023-11-05T02:00:08.061541Z", "updated_at": "2026-04-10T02:00:03.394014Z", "deleted_at": null, "main_name": "Storm-0062", "aliases": [ "DarkShadow", "Oro0lxy" ], "source_name": "MISPGALAXY:Storm-0062", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c2f84ab8-e990-4fa8-97db-81eb3166b207", "created_at": "2025-10-29T02:00:51.915334Z", "updated_at": "2026-04-10T02:00:05.318636Z", "deleted_at": null, "main_name": "Storm-0501", "aliases": [ "Storm-0501" ], "source_name": "MITRE:Storm-0501", "tools": [ "Impacket", "Tasklist", "Cobalt Strike", "Rclone", "Nltest", "AADInternals" ], "source_id": "MITRE", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "7e7782b0-8b0b-4e92-b58a-c696b6d70ea1", "created_at": "2025-05-29T02:00:03.18524Z", "updated_at": "2026-04-10T02:00:03.843199Z", "deleted_at": null, "main_name": "Storm-0249", "aliases": [ "DEV-0249" ], "source_name": "MISPGALAXY:Storm-0249", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-10T02:00:04.531987Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824", "created_at": "2024-06-19T02:03:08.062614Z", "updated_at": "2026-04-10T02:00:03.655475Z", "deleted_at": null, "main_name": "GOLD HARVEST", "aliases": [ "Octo Tempest ", "Roasted 0ktapus ", "Scatter Swine ", "Scattered Spider ", "UNC3944 " ], "source_name": "Secureworks:GOLD HARVEST", "tools": [ "AnyDesk", "ConnectWise Control", "Logmein" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b938e2e3-3d1b-4b35-a031-ddf25b912557", "created_at": "2022-10-25T16:07:23.35582Z", "updated_at": "2026-04-10T02:00:04.55531Z", "deleted_at": null, "main_name": "APT 33", "aliases": [ "APT 33", "ATK 35", "Cobalt Trinity", "Curious Serpens", "Elfin", "G0064", "Holmium", "Magnallium", "Peach Sandstorm", "Refined Kitten", "TA451", "Yellow Orc" ], "source_name": "ETDA:APT 33", "tools": [ "Atros2.CKPN", "AutoIt backdoor", "Breut", "CinaRAT", "DROPSHOT", "DarkComet", "DarkKomet", "DistTrack", "EmPyre", "EmpireProject", "FYNLOS", "FalseFont", "Filerase", "Fynloski", "JuicyPotato", "Krademok", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Mimikatz", "Nancrat", "NanoCore", "NanoCore RAT", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Notestuk", "POWERTON", "PoshC2", "PowerBand", "PowerShell Empire", "PowerSploit", "PsList", "Pupy", "PupyRAT", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "SHAPESHIFT", "Shamoon", "Socmer", "StoneDrill", "TURNEDUP", "Tickler", "Yggdrasil", "Zurten", "klovbot", "pupy" ], "source_id": "ETDA", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "6a0c148e-64fe-40fa-a35a-4d9a6ddd7fb0", "created_at": "2024-10-04T02:00:04.769179Z", "updated_at": "2026-04-10T02:00:03.716865Z", "deleted_at": null, "main_name": "Storm-0501", "aliases": [], "source_name": "MISPGALAXY:Storm-0501", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null }, { "id": "9b02c527-5077-489e-9a80-5d88947fddab", "created_at": "2022-10-25T16:07:24.103499Z", "updated_at": "2026-04-10T02:00:04.867181Z", "deleted_at": null, "main_name": "Reaper", "aliases": [ "APT 37", "ATK 4", "Cerium", "Crooked Pisces", "G0067", "Geumseong121", "Group 123", "ITG10", "InkySquid", "Moldy Pisces", "Opal Sleet", "Operation Are You Happy?", "Operation Battle Cruiser", "Operation Black Banner", "Operation Daybreak", "Operation Dragon messenger", "Operation Erebus", "Operation Evil New Year", "Operation Evil New Year 2018", "Operation Fractured Block", "Operation Fractured Statue", "Operation FreeMilk", "Operation Golden Bird", "Operation Golden Time", "Operation High Expert", "Operation Holiday Wiper", "Operation Korean Sword", "Operation North Korean Human Right", "Operation Onezero", "Operation Rocket Man", "Operation SHROUDED#SLEEP", "Operation STARK#MULE", "Operation STIFF#BIZON", "Operation Spy Cloud", "Operation Star Cruiser", "Operation ToyBox Story", "Osmium", "Red Eyes", "Ricochet Chollima", "Ruby Sleet", "ScarCruft", "TA-RedAnt", "TEMP.Reaper", "Venus 121" ], "source_name": "ETDA:Reaper", "tools": [ "Agentemis", "BLUELIGHT", "Backdoor.APT.POORAIM", "CARROTBALL", "CARROTBAT", "CORALDECK", "Cobalt Strike", "CobaltStrike", "DOGCALL", "Erebus", "Exploit.APT.RICECURRY", "Final1stSpy", "Freenki Loader", "GELCAPSULE", "GOLDBACKDOOR", "GreezeBackdoor", "HAPPYWORK", "JinhoSpy", "KARAE", "KevDroid", "Konni", "MILKDROP", "N1stAgent", "NavRAT", "Nokki", "Oceansalt", "POORAIM", "PoohMilk", "PoohMilk Loader", "RICECURRY", "RUHAPPY", "RokRAT", "SHUTTERSPEED", "SLOWDRIFT", "SOUNDWAVE", "SYSCON", "Sanny", "ScarCruft", "StarCruft", "Syscon", "VeilShell", "WINERACK", "ZUMKONG", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434118, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fa50328b58acb7bf1ac61ad47dd9e2e66beb7c32.pdf", "text": "https://archive.orkl.eu/fa50328b58acb7bf1ac61ad47dd9e2e66beb7c32.txt", "img": "https://archive.orkl.eu/fa50328b58acb7bf1ac61ad47dd9e2e66beb7c32.jpg" } }