{
	"id": "e5d11dcd-1c8f-423b-b6da-567701137583",
	"created_at": "2026-04-06T00:19:59.651786Z",
	"updated_at": "2026-04-10T13:12:22.88936Z",
	"deleted_at": null,
	"sha1_hash": "fbad8df2abd0b5873afd9f89431e064caca83e38",
	"title": "SectorA01 Custom Proxy Utility Tool Analysis – Red Alert",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68805,
	"plain_text": "SectorA01 Custom Proxy Utility Tool Analysis – Red Alert\r\nArchived: 2026-04-05 16:39:54 UTC\r\nOverview\r\nSectorA01 is one of the most infamous state sponsored threat actor groups globally and is unique in the sense that\r\nit is one of the only state sponsored groups with large interests in financial crime. So with the continued interest\r\ninto SectorA01’s financial crime activities due to the recent potential misattribution of the Ryuk ransomware [1],\r\nwe decided to perform an analysis into one of the tools – a proxy utility executable – used exclusively by\r\nSectorA01 that recently caught our attention again.\r\nInterestingly, in the Hidden Cobra FASTCash report by the US-CERT [2] in October last year, there were two\r\nversions of a “Themida packed proxy service module” (i.e. x32 and x64 versions). Our analysis of those modules\r\nshowed code reuse of critical functions with the sample we are analyzing in this post, leading us to think that those\r\nsamples might be an evolution of this sample.\r\nSectorA01 Proxy Utility\r\nSectorA01 uses a variety of tools for different purposes, but one common custom tool used in the attacks targeting\r\nthe Polish banks in 2016-2017 [3], a Taiwanese Bank in 2017 [4], and Vietnamese banks in 2018 [5] is one of their\r\ncustom proxy utility executables.  \r\nThe latest unique sample of this proxy utility we could find was on December 10th, 2018 from Canada. This leads\r\nus to one of a few possible theories that Canadian bank(s) may have been one of the many unreported or reported\r\n[6] targets during the time period of the attack on the Taiwanese bank based on the compilation timestamps.  \r\nAs we can see from the FASTCash proxy samples below, at least one of their developers compiles the 64-bit\r\nsample immediately after compiling the 32-bit sample – behavior very normal for developers when compiling for\r\nmultiple systems. 
The same pattern can be seen in the two samples compiled on 20 Feb 2017, so rather than calling them samples targeting a Taiwanese bank and potentially a Canadian bank, it may be more accurate to call them just one of the many pairs of 32-bit and 64-bit proxy samples produced by the group.\r\nA proxy was also used against an unnamed Southeast Asian bank [7], which appears to be an older version of the proxy, and against an Indian bank [8], which appears to be a newer version based on our code analysis of the samples in the US-CERT FASTCash report.\r\nDespite the similarities, we are unable to definitively state that these samples were earlier (unnamed Southeast Asian bank) or later (FASTCash attack, such as against the Indian bank) versions of the same proxy. After all, SectorA01 has more than one proxy tool in its arsenal, such as the proxy used together with their TYPEFRAME trojan [9], which has a separate code base.\r\nhttps://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/\r\nPage 1 of 7\r\nDescription | Compilation Timestamp\r\nAttack on unnamed SEA bank (old version) | 17 Sep 2014 16:59:33\r\nAttack on several Polish banks (variant) | 24 Aug 2015 10:21:52\r\nAttack on Vietnamese banks (variant) | 2 May 2016 03:24:39\r\nAttack on a Taiwanese bank (32-bit) (variant) | 20 Feb 2017 11:09:30\r\nSample discovered from Canada (64-bit) (sample analyzed) | 20 Feb 2017 11:09:41\r\nFASTCash (32-bit) (new version) | 14 Aug 2017 17:14:04\r\nFASTCash (64-bit) (new version) | 14 Aug 2017 17:14:12\r\nSample Background\r\nThis executable is a custom tunneling proxy utility tool in SectorA01’s toolkit. 
It can be used either as a tunneling proxy server that forwards traffic to another destination, or as a tunneling proxy client that requests another infected tunneling proxy server to perform requests on its behalf.\r\nBesides being used as one of several ordinary proxy servers chained together to hide the source of attacks, it has also been used more directly: against one banking target in India during the FASTCash attacks, “a proxy server was created and transactions authorized by the fake or proxy server”. In that scenario the proxy utility is not just a secondary helper utility, but the primary attack malware.\r\nSectorA01 normally packs these samples with either Themida or Enigma Protector, but in this blog post we will only show the analysis of the unpacked sample.\r\nProcess Arguments\r\nThis utility requires a single process argument in order to run. It attempts to decode the argument and only continues its execution path if the decoded argument matches the format it expects.\r\nThe argument is delimited by the “|” symbol, and the utility decodes up to four tokens, each token being decoded individually. The first token is required and is used either as the primary C2 server (malware acting as a tunneling proxy server) or as the URL to be requested (malware acting as a tunneling proxy client); the optional second token is the proxy target information, the optional third token is the proxy server information, and the optional fourth token is a proxy username and password.\r\nWithin each decoded token, the fields (host and port, or username and password) are separated by a colon “:”; this colon is what the entry point checks for before continuing.  
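The following is an added worked example (our own Python, not code from the original post or from the malware) that covers two things described on this page: assigning roles to the decoded ‘|’-separated tokens of the process argument as the table in this section does, and recovering the stateless per-byte C2 substitution table from the eight command/hex pairs listed under “C2 Communication” so that captured traffic can be decoded or matched. The argument deobfuscation itself (the rotating “cEzQfoPw” character) is not reimplemented, because the page does not describe it in enough detail; the function and variable names, and the sample byte stream used to exercise the code, are our own.

```python
# Added example (not from the original post or the malware): helpers for the two
# encodings described on this page. parse_decoded_argument() assigns roles to
# the already deobfuscated '|'-separated tokens exactly as the Process Arguments
# table does; the C2 helpers recover the per-byte substitution table from the
# eight command/hex pairs in the C2 Communication table and use it to decode or
# match captured traffic. The 'cEzQfoPw' argument deobfuscation is not
# reimplemented here (assumption: the page gives too little of it to do so).
from typing import Dict, List, Optional

# Plaintext command -> encoded bytes, copied from the page's C2 command table.
C2_COMMANDS: Dict[str, bytes] = {
    'kliyent2podklyuchit': bytes.fromhex('d11423b3c7b2acfe700d1cd114b3d7f93823ac'),
    'Nachalo': bytes.fromhex('92abf938ab140d'),
    'ssylka': bytes.fromhex('c9c9b314d1ab'),
    'poluchit': bytes.fromhex('700d14d7f93823ac'),
    'ustanavlivat': bytes.fromhex('d7c9acabb2ab2a14232aabac'),
    'pereslat': bytes.fromhex('70c7bec7c914abac'),
    'derzhat': bytes.fromhex('1cc7beb638abac'),
    'vykhodit': bytes.fromhex('2ab3d1380d1c23ac'),
}


def build_substitution_table() -> Dict[int, int]:
    '''Derive encoded-byte -> plaintext-byte pairs from the known commands.
    The encoding restarts for every character (the page calls it a character
    substitution table), so a (plaintext, encoded) pair seen in one command
    must hold in all others; a contradiction would mean the table is wrong.'''
    table: Dict[int, int] = {}
    for plain, enc in C2_COMMANDS.items():
        if len(plain) != len(enc):
            raise ValueError('length mismatch for ' + plain)
        for p, e in zip(plain.encode('ascii'), enc):
            if table.get(e, p) != p:
                raise ValueError('byte %02x maps to two plaintexts' % e)
            table[e] = p
    return table


SUBST = build_substitution_table()


def decode_c2(data: bytes) -> str:
    '''Decode captured C2 bytes with the recovered table. Bytes whose
    plaintext is not known from the page are shown as '?' rather than guessed.'''
    return ''.join(chr(SUBST[b]) if b in SUBST else '?' for b in data)


def find_commands(stream: bytes) -> List[str]:
    '''List the command names present in a captured byte stream, in order of
    appearance. Because the encoding is stateless these byte sequences are
    stable across connections and can be lifted into a network signature.'''
    hits = []
    for name, enc in C2_COMMANDS.items():
        pos = stream.find(enc)
        while pos != -1:
            hits.append((pos, name))
            pos = stream.find(enc, pos + 1)
    return [name for _, name in sorted(hits)]


def parse_decoded_argument(decoded: str) -> Optional[Dict[str, str]]:
    '''Assign roles to the already deobfuscated tokens, following the page's
    table: with 1 or 2 tokens the tool runs as a tunneling proxy server and
    token 1 is the C2 server; with 3 or 4 tokens it runs as a tunneling proxy
    client, token 1 is the proxy target, token 3 the proxy server and token 4
    the optional proxy user:password (the page does not state token 2's role
    in the 3/4-token form, so it is left unassigned). Returns None where
    WinMain bails out: first token empty or lacking the host:port colon.'''
    tokens = decoded.split('|')
    if not tokens[0] or ':' not in tokens[0] or len(tokens) > 4:
        return None
    roles: Dict[str, str] = {}
    if len(tokens) <= 2:
        roles['mode'] = 'server'
        roles['c2_server'] = tokens[0]
        if len(tokens) == 2:
            roles['proxy_target'] = tokens[1]
    else:
        roles['mode'] = 'client'
        roles['proxy_target'] = tokens[0]
        roles['proxy_server'] = tokens[2]
        if len(tokens) == 4:
            roles['proxy_userpwd'] = tokens[3]
    return roles


if __name__ == '__main__':
    # Constructed sample stream (not a real capture): ssylka, a filler byte, poluchit.
    sample = bytes.fromhex('c9c9b314d1ab00700d14d7f93823ac')
    print(find_commands(sample))
    print(decode_c2(sample))
    print(parse_decoded_argument('192.168.1.1:443|172.16.1.1:443|10.1.1.12:8080|sector%20a01:proxy'))
```

Because the page lists only eight commands, the recovered table covers just the 20 distinct bytes they contain; anything else decodes to ‘?’, which is the honest result rather than a guess. find_commands() is the piece to lift into a network signature for this version of the tool; the page notes that the FASTCash successor hides or removes its custom strings, so do not expect it to match that version.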
\r\nint __stdcall WinMain_0(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd){\r\n //deobfuscate process arguments here\r\ndeobfuscation_complete:\r\n // continue only if the first decoded token is non-empty and contains the host:port separator\r\n if ( strlen(deobfuscated_c2_1) != 0 \u0026\u0026 strchr(deobfuscated_c2_1, ':') ){\r\n …\r\n }\r\n return 0;\r\n}\r\nThe decoding algorithm uses a rotating character from the eight-character string “cEzQfoPw” together with the loop index, so that each deobfuscated character at a given index is produced from a different pair of obfuscated characters.\r\nWe recreated this deobfuscation algorithm and wrote the matching obfuscation algorithm, which allowed us to forge our own process arguments. An example of a process argument that uses all four tokens is\r\n“!y$t$A$s!z$S$e$U$Q$Y$1$W$U!}$d|!y#z$A$s!z$S$o$1$5$t$A$e$U!x|!y#{!}$Z$C$R$o$1$P#}$8$a!y!y|!00X!B0]0D!8#z$2$R0d$0$b!w!20c!70B0d”.\r\nExample Token | Decoded C2 Information | Usage\r\n!y$t$A$s!z$S$e$U$Q$Y$1$W$U!}$d | 192.168.1.1:443 | C2 Server (1-2 arguments); Proxy Target (3-4 arguments)\r\n!y#z$A$s!z$S$o$1$5$t$A$e$U!x | 172.16.1.1:443 | Proxy Target (2 arguments only)\r\n!y#{!}$Z$C$R$o$1$P#}$8$a!y!y | 10.1.1.12:8080 | Proxy Server (3-4 arguments)\r\n!00X!B0]0D!8#z$2$R0d$0$b!w!20c!70B0d | sector%20a01:proxy | Proxy Authentication (4 arguments only)\r\nNote that since the algorithm transforms every two encoded characters into one decoded character based on the character index, many different pairs of encoded characters produce the same decoded character, and therefore countless different obfuscated strings decode to the same plaintext. Signatures written against one particular obfuscated argument string will miss other instances; matching on the decoded form is more robust.\r\nC2 Communication\r\nThe algorithm used for C2 communication is more straightforward – a combination of ADD/XOR applied repeatedly with each byte of a hard-coded 20-byte array “{47 B0 62 0E 69 F3 22 8D 65 40 BF 39 24 A6 C3 BB 8E 68 EB B5}” is used for decoding, and the opposite 
XOR/SUB applied repeatedly with the reversed byte array is used for encoding. The algorithm restarts for each character without carrying any state, so it is effectively a single-byte substitution table: every occurrence of the same plaintext byte produces the same encoded byte, as the repeated bytes in the table below show (for example “t” is always ac and “a” is always ab).\r\nThere are eight commands used to communicate with the C2 server; each is encoded by either the C2 server or the proxy client and decoded by the other side. The command names are transliterated Russian words, but as other researchers have pointed out in the past, this is simply a false flag.\r\nIn fact, in one of the malware samples used against the unnamed Southeast Asian bank, what appears to be a much earlier version of the proxy uses seven numeric-only control codes, while this sample uses eight Russian-language control codes, with the control codes in both samples having almost the same meaning.\r\nOperation | Description | Hex Values over the Network\r\nkliyent2podklyuchit | Malware thread created notification (client) | d1 14 23 b3 c7 b2 ac fe 70 0d 1c d1 14 b3 d7 f9 38 23 ac\r\nNachalo | Client has started (client) | 92 ab f9 38 ab 14 0d\r\nssylka | Tunneling proxy server has started (client) | c9 c9 b3 14 d1 ab\r\npoluchit | Get proxy target information (server) | 70 0d 14 d7 f9 38 23 ac\r\nustanavlivat | Set proxy target information (server) | d7 c9 ac ab b2 ab 2a 14 23 2a ab ac\r\npereslat | Start a new tunneling proxy server session in a new thread (server) | 70 c7 be c7 c9 14 ab ac\r\nderzhat | Maintain connection (server) | 1c c7 be b6 38 ab ac\r\nvykhodit | Exit (server) / Client has exited (client) | 2a b3 d1 38 0d 1c 23 ac\r\nBecause the encoding is stateless, these byte sequences are stable across connections and can be used directly as network signatures for this version of the tool.\r\nTunneling Proxy Server\r\nWhen this utility acts as a tunneling proxy server, it uses Windows Sockets 2 (“WS2_32”) directly to implement a rudimentary proxy: data received from the C2 socket is relayed unchanged to the target socket.\r\nsigned __int64 __fastcall c2_ssylka(LPVOID lpThreadParameter){\r\n SOCKET c2Socket = begin_c2(\"ssylka\"); // announce to the C2 that the tunneling proxy server has started\r\n …\r\n SOCKET targetProxySocket = retrieveProxySocket();\r\n …\r\n 
start_tunnel_proxy_server(c2Socket, targetProxySocket);\r\n …\r\n}\r\nsigned int __fastcall start_tunnel_proxy_server(SOCKET c2Socket, SOCKET targetProxySocket){\r\n …\r\n // read up to 0x2000 bytes from the C2 side and relay them to the target\r\n numBytesReceived = recv(c2Socket, \u0026dataToProxy, 0x2000, 0);\r\n …\r\n numBytesSent = send(targetProxySocket, \u0026dataToProxy, numBytesReceived, 0);\r\n …\r\n}\r\nTunneling Proxy Client\r\nWhen this utility acts as a tunneling proxy client, it uses the more capable embedded libcurl library (version 7.49.1 in this sample, though not always the same version) to command other infected tunneling proxy servers.\r\n__int64 __fastcall connect_to_proxy(__int64 fixedFunctionAddress, __int64 proxyTarget){\r\n …\r\n curl_setopt(handle, CURLOPT_URL, proxyTarget); // curl_setopt here is libcurl’s curl_easy_setopt\r\n …\r\n curl_setopt(handle, CURLOPT_PROXY, fixedFunctionAddress + 16); // refers to the deobfuscated proxy server information (third token)\r\n …\r\n curl_setopt(handle, CURLOPT_HTTPPROXYTUNNEL, 1);\r\n …\r\n if ( strlen((fixedFunctionAddress + 278)) != 0 ){ // if deobfuscated argument 4 (proxy user:password) is not empty\r\n curl_setopt(handle, CURLOPT_PROXYUSERPWD, fixedFunctionAddress + 278); // third argument = deobfuscated process argument 4\r\n }\r\n …\r\n}\r\nSetting CURLOPT_HTTPPROXYTUNNEL causes the client to start by sending an HTTP CONNECT request to the proxy server, asking it to forward traffic to the proxy target. The capture below shows the client connecting to the proxy server 10.1.1.12:8080 and requesting a tunnel to the proxy target 192.168.1.1:443, matching the example tokens above.\r\n\u003eInternet Protocol Version 4, Src: x.x.x.x, Dst: 10.1.1.12\r\n\u003eTransmission Control Protocol, Src Port: xxxxx, Dst Port: 8080, Seq: 1, Ack: 1, Len: 59\r\n\u003eHypertext Transfer Protocol\r\n \u003eCONNECT 192.168.1.1:443 HTTP/1.1\\r\\n\r\n \u003e[Expert Info (Chat/Sequence): CONNECT 192.168.1.1:443 HTTP/1.1\\r\\n]\r\n Request Method: CONNECT\r\n Request URI: 192.168.1.1:443\r\n Request Version: HTTP/1.1\r\n Host: 192.168.1.1:443\\r\\n\r\nThe FASTCash Connection\r\nIn October 2018, US-CERT reported on the “FASTCash” campaign by SectorA01, 
which was essentially an ATM cash-out scheme: SectorA01 remotely compromised bank payment switch applications so that cash could be withdrawn simultaneously from ATMs in many countries, stealing millions of dollars.\r\nSome of the artifacts used in the campaign included proxy modules, a RAT, and an installer application. When we performed a preliminary analysis comparing the FASTCash proxy module to the proxy module analyzed in this post, we found algorithmic similarities between the decoding/encoding functions, the process argument deobfuscation function, and the proxy function.\r\nHowever, the FASTCash proxy module also contains additional functions with new capabilities, as described briefly in the US-CERT FASTCash Malware Analysis Report [10]. Additionally, our own analysis showed that the amateurish custom strings, which were previously easy to detect in memory and obviously malicious, are now hidden or removed. This is their normal behavior, as they are known to constantly modify their own source code, and these similarities and developments lead us to think that the FASTCash proxy module might be an evolution of their previous proxy module.\r\nSummary\r\nAttribution is a complex and controversial topic, but regardless, correctly attributing a threat to a particular threat group is a far easier task than correctly attributing that threat to, or linking it with, a particular nation state. 
Given even a single piece of sufficiently complex custom malware believed to be possessed by only one group, together with the context behind the attack, it is possible to have some degree of confidence about which group was behind the attack. But even custom malware source code can be stolen, the executable itself repackaged, or the functions recreated. In a simpler scenario, false flags such as strings and metadata can also be planted.\r\nRegarding the initial attribution of the Ryuk ransomware, while others have focused on the misattribution, our view is that even if it had been correct it would simply have been a lucky guess. Basing attribution solely on the usage of a single privately purchasable malware is fundamentally flawed, and the simple truth is that no organization in the world is able to track every piece of malware to know what is being sold on the dark and deep web anyway.\r\nThat is why, in order to have a higher degree of confidence about who is behind an attack, the entirety of the threat’s tactics, techniques, and procedures (TTPs) needs to be analyzed across multiple events using both trusted public and vetted private sources.\r\nSectorA01 shows no signs of stopping its attacks against financial sectors worldwide, and although the group has been constantly modifying its code protectors, functions, and algorithms, there will be traces of similarities across different versions of its tools. 
Our Threat Recon Team will continue tracking such events and malware and report on our findings.\r\nIndicators of Compromise (IoCs)\r\nUnpacked Sample (SHA-256)\r\n0d75d429c1cc3550b2961be84af777f8bed287a44a144b7a47988c601e1e9a27\r\nMemory Dump Samples from US-CERT FASTCash Report (SHA-256)\r\n9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26\r\n1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d\r\nPacked Sample from Polish banks attack (SHA-256)\r\nd4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2\r\nSample from Taiwanese bank attack (SHA-256)\r\n9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852\r\nSample from Vietnamese banks attack (SHA-256)\r\nf3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de\r\nAttack on Unnamed SEA Bank (TCP Tunnel Tool) (SHA-256)\r\n19bba0a7669a0109a6d2184bc0135ea4581449c8f5f0ef8a04af057447635cab\r\nReferences\r\nSource: https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/"
	],
	"report_names": [
		"sectora01-custom-proxy-utility-tool-analysis"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fbad8df2abd0b5873afd9f89431e064caca83e38.pdf",
		"text": "https://archive.orkl.eu/fbad8df2abd0b5873afd9f89431e064caca83e38.txt",
		"img": "https://archive.orkl.eu/fbad8df2abd0b5873afd9f89431e064caca83e38.jpg"
	}
}