{
	"id": "536e5094-0063-4752-8c4f-492ae30c636d",
	"created_at": "2026-04-06T00:18:55.778522Z",
	"updated_at": "2026-04-10T03:37:04.355456Z",
	"deleted_at": null,
	"sha1_hash": "fb9d0a67db421d9f567748d3fbab8dfd763699d3",
	"title": "Gamaredon group grows its game",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 407293,
	"plain_text": "Gamaredon group grows its game\r\nBy Jean-Ian Boutin\r\nArchived: 2026-04-02 11:00:23 UTC\r\nESET researchers have discovered several previously undocumented post-compromise tools used by the highly active Gamaredon threat group in various malicious campaigns. One tool, a VBA macro targeting Microsoft Outlook, uses the target’s email account to send spearphishing emails to contacts in the victim’s Microsoft Office address book. We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents.\r\nTools linked to Gamaredon and discussed in this blogpost are detected as variants of MSIL/Pterodo, Win32/Pterodo or Win64/Pterodo by ESET’s products.\r\nThe Gamaredon group has been active since at least 2013. It has been responsible for a number of attacks, mostly against Ukrainian institutions, as evidenced in several reports from CERT-UA and from other official Ukrainian bodies over time.\r\nIn the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets’ mailboxes. The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different malware variants.\r\nGamaredon has leveraged many different programming languages in the past few months, ranging from C# to VBScript, batch files and C/C++. The tools used by Gamaredon are very simple and are designed to gather sensitive information from compromised systems and to spread further.\r\nContrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar. Even though their tools have the capacity to download and execute arbitrary binaries that could be far stealthier, it seems that this group’s main focus is to spread as far and fast as possible in their target’s network while trying to exfiltrate data. 
Could we be missing something?\r\nBackground\r\nFigure 1 illustrates a typical compromise chain in a Gamaredon campaign.\r\nFigure 1. Typical Gamaredon compromise chain\r\nhttps://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game\r\nPage 1 of 12\n\nWhile most of the recent publications have focused on the spearphishing emails together with the downloaders they contain, this blogpost focuses on the post-compromise tools deployed on these systems.\r\nOutlook VBA module\r\nThe Gamaredon group uses a package that includes a custom Microsoft Outlook Visual Basic for Applications (VBA) project. Using Outlook macros to deliver malware is something we rarely see while investigating malicious campaigns.\r\nThis bundle of malicious code starts out with a VBScript that first kills the Outlook process if it is running, and then removes security around VBA macro execution in Outlook by changing registry values. It also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to.\r\nNext, it relaunches Outlook with a special option, /altvba \u003cOTM filename\u003e, which loads the Gamaredon VBA project. The malicious code is executed once the Application.Startup event is received. They have been using this module in three different ways to send malicious email to:\r\nEveryone in the victim’s address book\r\nEveryone within the same organization\r\nA predefined list of targets\r\nWhile abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it.\r\nFigure 2. 
Outlook VBA script creating the malicious email\r\nBased on the “send to all in contact list” behavior of this malicious VBA code, we believe that this module might have led some organizations to think they were targeted by Gamaredon when they were merely collateral damage. For example, recent samples uploaded to VirusTotal coming from regions that are not traditionally targeted by Gamaredon, such as Japan, could be explained by the actions of this module.\r\nAs seen in Figure 2, the VBA code builds the email body and attaches the malicious document to the email. We’ve seen both .docx and .lnk files being used as attachments. These are very similar to the content of the malicious attachments used in Gamaredon’s initial spearphishing campaigns. Figure 3 shows an email generated by this malicious component.\r\nFigure 3. Email generated by the Outlook VBA module with a Word document attachment that contains a remote template\r\nThe email contains both English and Russian text. However, as illustrated in Figure 3, there is a problem with the Russian encoding. This was fixed in a later version of this module — another example of the Gamaredon group’s fast development pace and apparent lack of attention to detail.\r\nOffice macro injection module - CodeBuilder\r\nWe analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. This is a very efficient way of moving laterally within an organization’s network as documents are routinely shared amongst colleagues. 
Also, as these macros are run when opening the documents, it is a good way to persist on a system as some of these documents are likely to be opened multiple times and at different times.\r\nThese macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings. Thus, affected users have no idea that they are again compromising their workstations whenever they open the documents. We have seen this module implemented in two different languages: C# and VBScript.\r\nC#\r\nThis module was delivered, like many other tools, in a 7z self-extracting archive. Inside, there was a password-protected RAR archive containing a few files. Notably, there were two text files, one for Word and one for Excel, containing the VBA source code of the malicious macro to be inserted into the targeted documents, and the .NET assembly responsible for finding and compromising existing documents. As illustrated in Figure 4, the assembly name is CodeBuilder.\r\nFigure 4. CodeBuilder functions in a version that is not obfuscated\r\nThis .NET module first reduces Office macro security settings for various document types by modifying the following registry values:\r\nHKCU\\Software\\Microsoft\\Office\\\u003cversion\u003e\\\u003cproduct\u003e\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\\u003cversion\u003e\\\u003cproduct\u003e\\Security\\AccessVBOM\r\nIt iterates over all possible Office \u003cversion\u003e values for both Word and Excel \u003cproduct\u003e values. It then scans for documents with valid Word or Excel file extensions on all drives connected to the system. For the drive containing the Windows installation, it scans only specific locations, namely the Desktop and Downloads folders. For the others, it scans the entire drive. 
The malware moves each located document into the AppData folder, inserts malicious Word or Excel macros into it using a Microsoft.Office.Interop object, and then moves the document back into its original folder. In the samples we analyzed, the injected macros were simple downloaders.\r\nBatch file/VBScript\r\nThe VBScript version of this module is similar in behavior to the .NET one. The main difference is that instead of inserting a malicious macro into existing documents, it inserts references to a remote template into them.\r\nFigure 5. VBScript using the Document.AttachedTemplate property to inject a reference to a remote template into existing documents\r\nThis VBScript module also comes packaged in a self-extracting archive, containing one batch file and two VBS files responsible for iterating through documents and adding the remote template references to them.\r\nModule updates\r\nInterestingly, some of the custom tools described in Palo Alto Networks’ 2017 blogpost on Gamaredon are still being updated and in use today. Some show significant similarities while others are rewrites in different coding languages. The most prevalent tools downloaded and installed on compromised machines can be broadly grouped into two different categories: downloaders and backdoors.\r\nDownloaders\r\nThere are many variations of their downloaders, most of them written in either C# or VBScript. This section will cover only two of their most original variants; the others have not evolved that much and are very simple.\r\nC# compiler module\r\nThis .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. It contains in its body the base64-encoded source code of a downloader. 
It decodes that source code and compiles it directly on the system using the built-in Microsoft.CSharp.CSharpCodeProvider class. It places the resulting executable in an existing directory and creates a scheduled task that will launch it every 10 minutes. As can be seen in Figure 6, the decoded source code still has comments in it, illustrating the apparent sloppiness of Gamaredon’s operators.\r\nFigure 6. Part of the C# downloader source code included in the C# compiler module\r\nGitHub project module\r\nAs seen in Figure 7, this .NET executable uses a GitHub repository to obtain and execute a downloader. This repository is now gone, but we were able to download a copy of it while it was still available.\r\nFigure 7. .NET module responsible for downloading and executing a payload stored on github.com\r\nThe repository contained a single file — readme.txt — that was a base64-encoded .NET downloader executable. The role of the GitHub project module is to download this file, decode it and execute it.\r\nBackdoors – file stealers\r\nWhile some variations exist in functionalities, the main purpose of these modules is to enumerate all documents on a compromised system and upload them to the C\u0026C server. These file stealers can also download and execute arbitrary code from the C\u0026C server. As with many other tools used by the Gamaredon group, they come in four different coding languages: C/C++, C#, batch file and VBScript.\r\nC/C++\r\nThis variant is the successor of the USBStealer module described here. Although the latest versions are now quite different, examining samples of this module throughout its development clearly shows it originates from the same source code.\r\nOne sample that illustrates this shift well is a 64-bit DLL with internal name Harvesterx64.dll, compiled in June 2019. 
It still has most of the strings used in the older variants, but also exhibits two improvements that are still in the newer ones. First, it now resolves Windows APIs via name hashing and second, it uses a basic text file instead of a SQLite database to track which files were already uploaded to the C\u0026C server.\r\nThe behavior of this module is quite straightforward: it scans the system for new Microsoft Office documents, both on local and removable drives, and uploads them to the C\u0026C server. To know whether the document is new, the module keeps, in a text file, one MD5 hash per file uploaded to the server. These MD5 hashes are not based on the file content, but rather on a string composed of the file name, its size and its last modified time. The module’s strings are stored in its .data section, encrypted with a simple XOR key. It also has the ability to download and execute arbitrary code from its C\u0026C server.\r\nC#\r\nThis is a reimplementation in C# of the C/C++ version. The major difference is that it also takes screenshots of the compromised computer every minute. As seen in Figure 8, the version we analyzed has five different threads with evocative names.\r\nFigure 8. C# backdoor thread creation routine\r\nBatch file/VBScript\r\nThis version comprises several scripts, written in both batch file form and VBScript. The ultimate goal is the same, though: scanning the system for sensitive documents. The main mechanism is a batch file that searches for Word documents (*.doc*) on the system and stores their names in a text file (see Figure 9).\r\nFigure 9. Example inject.txt file containing the result of the backdoor’s document file scan\r\nThe package also contains encrypted script files named 1.log, 2.log, 3.log, 4.log and 5.log. 
Once decrypted, these scripts are obfuscated VBScript downloaders that are able to download and execute arbitrary code.\r\nNetwork infrastructure\r\nThe Gamaredon group uses many different domains, both free and paid, for its C\u0026C servers. Free domains are mostly DDNS from No-IP: hopto.org, ddns.net, myftp.biz, while paid domains are registered through the REG.RU registrar and include the .fun, .site, .space, .ru, .website and .xyz TLDs.\r\nThey are constantly changing the domains used by their tools, but mostly on a small number of ASNs. Careful analysis suggests they use separate domains for small groups of victims. Please check ESET’s GitHub account for an extensive list of domains used by the Gamaredon group.\r\nQuality of execution\r\nWe were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns. We noticed several mistakes in these, especially in scripts. It is of course impossible to know the exact reason behind these bugs or oversights, but the volume of samples the group produces and their rapid development could explain it. The fact that there were comments left in the source code included in some C# compiler module samples, or that the Russian encoding was wrong in emails generated by the Outlook VBA module, shows that there is no stringent review or testing before releasing their many tools and using them in the wild.\r\nHowever, while these errors might lower their tools’ overall effectiveness, this group’s rapid execution and adaptation also have some advantages. The volume and relentlessness of the attacks can create a state of constant dread in their targets. And although the code is very simple, some techniques, such as script obfuscation, make it hard to fully automate the analysis, making the analyst’s job tedious.\r\nTheir GitHub project allowed us a glimpse into the rapid development of their tools. 
The code that was committed there clearly showed the evolution of the C# downloader. The first versions showed no signs of obfuscation; then the developers added different string obfuscations and junk code to make the analysis harder.\r\nIn terms of persistence, several different techniques are used, but the most common ones are scheduled tasks, autorun registry keys and leveraging the Startup folder. Although these techniques are very simple and have been known for a long time, the Gamaredon group’s strategy of trying to install multiple scripts and executables on each system, and constantly updating them, significantly complicates defenders’ lives.\r\nConclusion\r\nDespite the simplicity of most of their tools, the Gamaredon group is also capable of deploying some novelty, such as their Outlook VBA module. However, as it is far from stealthy, in the long run it is no match for a capable organization. The variety of tools Gamaredon has at its disposal can be very effective at fingerprinting a machine and understanding what sensitive data is available, then spreading throughout the network. 
Could this just be a way to deploy a much stealthier payload?\r\nSpecial thanks to ESET Senior Malware Researcher Anton Cherepanov for his help in this research.\r\nIndicators of Compromise (IoCs)\r\nSHA-1 | ESET detection name | Comments\r\n6F75F2490186225C922FE605953038BDEB537FEE | DOC/TrojanDownloader.Agent.ARJ | Outlook VBA module\r\nDFC941F365E065187B5C4A4BF42E770035920856 | Win32/Pterodo.XG.gen | C# Office macro injection module\r\n9AFC9D6D72F78B2EB72C5F2B87BDC7D59C1A14ED | Win32/Pterodo.ZM | Batch file/VBScript Office macro injection module\r\n3DD83D7123AEFBE5579C9DC9CF3E68BCAFC9E65E | MSIL/Pterodo.CD | C# compiler module\r\n941F341770B67F9E8EE811B4B8383101F35B27CD | MSIL/Pterodo.CA | GitHub project module\r\nDC8BD2F65FD2199CE402C76A632A9743672EFE2D | Win32/Pterodo.XC | C/C++ backdoor\r\n336C1244674BB378F041E9064EA127E9E077D59D | MSIL/Pterodo.DP | C# backdoor\r\n5FC1B6A55A9F5A52422872A8E34A284CDBDD0526 | Win32/Pterodo.YE | Batch file/VBScript backdoor\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1193 | Spearphishing Attachment | Gamaredon group sends emails with malicious attachments to its targets.\r\nInitial Access | T1199 | Trusted Relationship | Gamaredon group malware abuses a compromised organization’s email accounts to send emails with malicious attachments to the victim’s contacts.\r\nExecution | T1064 | Scripting | Gamaredon group uses scripting heavily, mostly Batch files and VBScript.\r\nExecution | T1085 | Rundll32 | Gamaredon group malware uses rundll32 to launch malicious DLLs, for example the C/C++ backdoor.\r\nExecution | T1106 | Execution through API | Gamaredon group malware uses CreateProcess to launch additional components, for example to execute payloads received from its C\u0026C servers.\r\nExecution | T1204 | User Execution | Initial compromise by the 
Gamaredon group usually requires the user to execute a malicious email attachment.\r\nPersistence | T1053 | Scheduled Task | Gamaredon group malware registers several of its modules (downloaders, backdoors, etc.) as scheduled tasks.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | Gamaredon group uses Run keys and the Startup folder to ensure its modules are executed at every reboot.\r\nPersistence | T1137 | Office Application Startup | Gamaredon group malware inserts malicious macros into existing documents, providing persistence when they are reopened.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Gamaredon group makes heavy use of compressed archives, some password protected, to deliver its malicious payloads. Strings are routinely obfuscated or encrypted in these malicious modules.\r\nDefense Evasion | T1112 | Modify Registry | Gamaredon group malware modifies several registry keys to deactivate security mechanisms in Microsoft Office related to macros.\r\nDefense Evasion | T1116 | Code Signing | Gamaredon group uses signed binaries in its malicious campaigns. 
One notable example is wget samples signed with a valid certificate from Jernej Simončič and available here.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Gamaredon group uses simple string deobfuscation and decryption routines in its modules.\r\nDefense Evasion | T1221 | Template Injection | Gamaredon group adds remote templates to documents it sends to targets.\r\nDefense Evasion | T1500 | Compile After Delivery | Gamaredon group C# compiler module contains an obfuscated downloader that it compiles using csc.exe and then executes.\r\nDiscovery | T1083 | File and Directory Discovery | Gamaredon group uses its backdoors to automatically list interesting files (such as Office documents) found on a system for future exfiltration.\r\nLateral Movement | T1080 | Taint Shared Content | Gamaredon group malware injects malicious macros into all Word and Excel documents reachable by the compromised system.\r\nLateral Movement | T1534 | Internal Spearphishing | Gamaredon group uses its Outlook VBA macro to send email with malicious attachments to other targets within the same organization.\r\nCollection | T1005 | Data from Local System | Gamaredon group malware actively searches for sensitive documents on the local system.\r\nCollection | T1025 | Data from Removable Media | Gamaredon group malware scans all drives for sensitive data and also watches for removable drives being inserted into a system.\r\nCollection | T1039 | Data from Network Shared Drive | Gamaredon group malware scans all drives A: – Z: for sensitive data, so it will scan any network shares mounted as drives.\r\nCollection | T1113 | Screen Capture | Gamaredon group uses a backdoor that takes screenshots every minute.\r\nCollection | T1119 | Automated Collection | Gamaredon group deploys scripts on compromised systems that automatically scan for interesting documents.\r\nCommand and Control | T1071 | Standard 
Application Layer Protocol | Gamaredon group malware uses both HTTP and HTTPS for command and control.\r\nExfiltration | T1020 | Automated Exfiltration | Gamaredon group uses modules that automatically upload harvested documents to the C\u0026C server.\r\nSource: https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game"
	],
	"report_names": [
		"gamaredon-group-grows-its-game"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434735,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb9d0a67db421d9f567748d3fbab8dfd763699d3.pdf",
		"text": "https://archive.orkl.eu/fb9d0a67db421d9f567748d3fbab8dfd763699d3.txt",
		"img": "https://archive.orkl.eu/fb9d0a67db421d9f567748d3fbab8dfd763699d3.jpg"
	}
}