{
	"id": "45b74a41-5b50-4014-b26c-bd8bc6adb1d0",
	"created_at": "2026-04-06T00:06:59.985914Z",
	"updated_at": "2026-04-10T13:11:48.652805Z",
	"deleted_at": null,
	"sha1_hash": "fc16fa5d5bbca92275d1e8e490574ba7cfd5f807",
	"title": "Finding Malware: Unveiling NUMOZYLOD with Google Security Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2891794,
	"plain_text": "Finding Malware: Unveiling NUMOZYLOD with Google Security Operations\r\nBy codyli\r\nPublished: 2024-08-13 · Archived: 2026-04-02 10:36:51 UTC\r\nWelcome to the Finding Malware Series\r\nThe \"Finding Malware\" blog series is authored to empower the Google Security Operations community to detect\r\nemerging and persistent malware threats. This post dives deep into the NUMOZYLOD malware family and the\r\ndetection opportunities available within the Google Security Operations (SecOps) platform. You can read the other\r\ninstallments of the series here. Happy hunting!\r\nAbout NUMOZYLOD\r\nAlso known as: FakeBat, EugenLoader, PaykLoader\r\nSince mid-2023, Mandiant Managed Defense has responded to a surge in malware infections originating from\r\nmalvertising campaigns. These attacks are opportunistic in nature, targeting users seeking popular business\r\nsoftware. The infection utilizes a trojanized MSIX installer, which executes a PowerShell script to download a\r\nsecondary payload.\r\nMandiant tracks this PowerShell script as NUMOZYLOD and attributes its distribution to UNC4536, a threat\r\nactor operating under the moniker \"eugenfest.\" The actor is part of a Malware-as-a-Service (MaaS) operation,\r\ndistributing malware such as ICEDID, REDLINESTEALER, CARBANAK, LUMMASTEALER, or\r\nARECHCLIENT2.\r\nOur research into NUMOZYLOD reveals an interesting glimpse into the growing and thriving underground\r\neconomy, where threat actors actively seek out partners to fulfill the supply and demand for specialized tools and\r\nservices for their objectives. 
It also highlights how threat actors are exploiting MSIX to covertly bundle and\r\ndistribute malware alongside legitimate software.\r\nMalware Lifecycle\r\nhttps://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551\r\nPage 1 of 14\n\nFigure 1: NUMOZYLOD Attack Lifecycle\r\nInitial Compromise\r\nUNC4536's modus operandi involves leveraging malvertising to distribute trojanized MSIX installers disguised as\r\npopular software like Brave, KeePass, Notion, Steam, and Zoom. These trojanized MSIX installers are hosted on\r\nwebsites designed to mimic legitimate software hosting sites, luring users into downloading them.\r\nA key feature of MSIX is its ability to execute scripts with the help of the Package Support Framework (PSF).\r\nInstallers can instruct the PSF to run a script before the main application starts by adding a configuration item\r\ncalled startScript. Similarly, to run a script after the application finishes, add a configuration item called\r\nendScript.\r\nThreat actors have exploited this feature by bundling a malicious payload, such as NUMOZYLOD, within the MSIX\r\npackage, which will be executed during the software installation process.\r\nTrojanized MSIX File Structure Review\r\nAnalyzing the structure of trojanized NUMOZYLOD MSIX files provides interesting insights into\r\nhow threat actors stage their resources and abuse MSIX features to gain initial access and evade detection.\r\nFigure 2: MSIX File Structure embedded with a malicious PowerShell script, NUMOZYLOD.\r\nHere's a breakdown of its key MSIX components.\r\n1. AppxManifest.xml\r\nThis XML file is the heart of the MSIX installer. It specifies how the package is to be installed. 
Interesting information includes, but is not limited to:\r\nLanguage: The Resources section lists the languages supported by the application. The languages listed\r\ncould offer insight into the malware author's origin or the intended target audience for the malware's\r\ndistribution.\r\nFigure 3: Package language resource\r\nCapabilities: The application's manifest file should list any restricted capabilities. Malicious actors often\r\nexploit the 'runFullTrust' setting to bypass the isolation and security controls offered by app containers.\r\nFigure 4: Package capabilities\r\nEntryPoint, Executable: The 'Windows.FullTrustApplication' setting under the Application EntryPoint\r\nattribute enables an application to run with full trust, granting it elevated privileges and access to system\r\nresources. Meanwhile, the Executable attribute specifies the initial executable launched upon installation,\r\nwhich in this case is AiStubX86.exe, and the application ID is used to locate the app's launch setting\r\nwithin the config.json file.\r\nFigure 5: Package EntryPoint, Executable and ID\r\nBuilt: Trojanized MSIX packages are often found to be built with Advanced Installer, as indicated in the build\r\nmetadata.\r\nFigure 6: Package build\r\n2. Config.json\r\nconfig.json is a configuration file used by the PSF to handle things that standard MSIX installations cannot\r\ndirectly support, such as launching specific processes alongside the main application. 
In essence, the config.json\r\nfile instructs the MSIX installer to trigger the execution of the malicious PowerShell script during the installation\r\nof the software.\r\nFigure 7: The config.json shows the trojanized MSIX is designed to execute a PowerShell script named\r\n\"Refresh2.ps1\" (NUMOZYLOD) and launch \"Trello\"\r\n3. StartingScriptWrapper.ps1\r\nThe StartingScriptWrapper.ps1 file is an essential component of the PSF that serves as a wrapper for executing\r\nPowerShell scripts specified in the config.json file.\r\nFigure 8: The wrapper was observed to execute the malicious PowerShell script \"Refresh2.ps1\" (NUMOZYLOD)\r\nspecified in the config.json\r\n4. Virtual File System (VFS) folder\r\nThe VFS folder is a virtual storage space within an MSIX package. It holds the application's files and folders,\r\nseparating them from the main system. This isolation protects both the application and the system. Mandiant\r\nobserved that in some variants, files within the VFS folder (such as gpg.exe and iconv.dll) were written to\r\nlocations like AppData\\Local. These files may be intended for a later stage of a multi-stage malware attack, as\r\nwe observed the use of gpg.exe to decrypt the downloaded encrypted payload.\r\nOnce the trojanized installer package is prepared, the threat actor will distribute it through malvertising, waiting\r\nfor a victim to download and execute it. 
\r\nFigure 9: Trello users are being targeted by malvertising attacks that redirect them to a fake website at\r\ntrello.confesapp[.]com.\r\nThis installation action will initiate the download of a secondary payload and any additional packages hidden\r\nwithin the MSIX installer. The below illustration demonstrates the triggering of the PowerShell payload during the\r\nexecution of the malicious installer.\r\nFigure 10: A PowerShell payload (NUMOZYLOD) was executed discreetly in the background during the\r\ninstallation of the legitimate software.\r\nEstablished Foothold\r\nUNC4536 operates as a malware distributor, leveraging NUMOZYLOD as one of its vehicles to deliver tailored\r\npayloads for their “business partners.” Managed Defense has observed a range of secondary payloads\r\nexecuted through various techniques.\r\nIn the following section we will review two NUMOZYLOD variants and their previous delivery of the\r\nCARBANAK and LUMMASTEALER payloads.\r\nVariant 1: NUMOZYLOD distributing CARBANAK\r\nIn 2023, Managed Defense observed a campaign utilizing UNC4536's distribution network to spread the\r\nCARBANAK backdoor. This campaign exploited SEO poisoning tactics, directing unsuspecting victims to a\r\nmalicious website that mimicked the legitimate KeePass open-source password manager. The observed trojanized\r\ninstallers contained a NUMOZYLOD downloader that was configured to retrieve the CARBANAK backdoor.\r\nThe following code snippet is from the NUMOZYLOD malware variant. 
Upon infecting a system, this variant\r\nwill transmit host information and then download and execute the CARBANAK malware via DLL Search Order\r\nHijacking.\r\nFigure 11: A code snippet of this NUMOZYLOD variant that leads to CARBANAK.\r\nExecution of this NUMOZYLOD variant would perform the following:\r\nRun WMI to gather host information including a list of installed antivirus software on the system. This\r\ninformation is then sent to its C2 via HTTP GET Request.\r\nDownload the secondary malicious payload encrypted with GPG from 4Sync, a file-sharing and storage\r\nservice.\r\nIn this example, it will decrypt and extract the contents to execute a legitimate Wireshark binary\r\n(mergecap.exe) to load a malicious DLL payload (in this case, CARBANAK) through DLL search order\r\nhijacking.\r\nLastly, it sends an HTTP request to its C2 to notify it that the host is infected.\r\nVariant 2: NUMOZYLOD distributing LUMMASTEALER\r\nFigure 12: An obfuscated NUMOZYLOD variant\r\nIn another campaign, Managed Defense observed a heavily obfuscated NUMOZYLOD sample utilized to deliver\r\nthe LUMMASTEALER payload. Its use of numerous curly brackets makes analysis difficult. However, here are\r\ntwo effective methods to dynamically analyze the content of this obfuscated PowerShell script.\r\n1. Analyzing Obfuscated PowerShell Script - PowerShell Script Block Logging\r\nTurn on PowerShell Script Block Logging - Once Script Block Logging is enabled, PowerShell will log details about PowerShell operations,\r\nand the executed PowerShell commands. 
Using the Windows Event Viewer, a user can filter for Event ID 4104 and\r\nreview the deobfuscated PowerShell script. The following screenshots illustrate how the NUMOZYLOD variant\r\nutilizes several obfuscation techniques to impede analysis and evade security measures.\r\nFigure 13: Multiple layers of obfuscation to hinder analysis and evade detection\r\nCommunity-Tip: If your Google Security Operations setup includes collecting Microsoft Windows Event data,\r\nsimply search for Event ID 4104. This allows you to easily review all PowerShell commands directly in the\r\nconsole! No muss, no fuss!\r\n2. Analyzing Obfuscated PowerShell Script - Reviewing AMSI events\r\nGenerating and analyzing Antimalware Scan Interface (AMSI) events - Alternatively, you can conduct dynamic\r\nanalysis with the help of AMSI events. This method not only enables users to review the deobfuscated\r\nPowerShell script, but also reveals whether AMSI successfully blocked the malicious content.\r\nThe following screenshots show the same NUMOZYLOD variant after deobfuscation using the AMSI event\r\ngeneration and analysis method.\r\nFigure 14: Analyzing AMSI events\r\nEssentially, this obfuscated NUMOZYLOD variant downloads and executes a secondary PowerShell payload\r\nfrom a C2 server. 
The following screenshot illustrates this second-stage payload.\r\nFigure 15: Multiple layers of obfuscation to hinder analysis and evade detection\r\nExecution of this NUMOZYLOD variant would perform the following:\r\nFirst, the malware downloads and executes a script from GitHub. This script uses hardware breakpoints to\r\ndisable AMSI (the Antimalware Scan Interface), a core Windows security feature. Disabling AMSI allows\r\nthe malware to run undetected by security software.\r\nSecond, it sets its target to the website telegra[.]ph and downloads the contents of the web page.\r\nNext, it searches the downloaded web page for any links ending in .dat (a common file extension for data\r\nfiles).\r\nFinally, it downloads the contents of each .dat file and executes the malicious code directly in memory.\r\nIn this NUMOZYLOD variant, the downloaded payload is identified as LUMMASTEALER, a known\r\ninfostealer malware.\r\nHost Reconnaissance\r\nNUMOZYLOD gathers system information, including operating system details, domain membership, and antivirus\r\nproducts installed. 
In some variants, it gathers the public IPv4 and IPv6 address of the host and sends this\r\ninformation to its C2.\r\nMaintain Presence\r\nIn some variants, NUMOZYLOD creates a shortcut (.lnk) in the StartUp folder for persistence.\r\nComplete Mission\r\nAs a part of a Malware-as-a-Service (MaaS) operation, NUMOZYLOD completes its mission upon the successful\r\ndeployment of the second-stage malware from its C2 server and hands it over to its buyer for the subsequent\r\nmission.\r\nHunting Opportunities\r\nMandiant Hunt surfaces otherwise undetected malicious activity by employing a detection strategy that uses both\r\nstrong signals (high enough fidelity to be reviewed 1:1) and weak signals (low fidelity on their own, but providing\r\nbroad coverage of threat actor tactics). These signals, or combinations thereof, are used to sequentially funnel the\r\ngargantuan amount of customer telemetry data down to a number of cases worthy of analyst review. Mandiant uses\r\nsecurity frameworks like MITRE ATT\u0026CK® to help label data (discussed further below), find interesting\r\nsequences of activity, and share actionable results with customers.\r\nThe NUMOZYLOD attack chain presents several opportunities for engineering strong detections. Examples of\r\ndetections used by Mandiant Hunt within Google Security Operations include:\r\nInitial Compromise: MSIX file distribution - Mandiant threat hunters review events surrounding MSIX\r\nfiles written to disk by unexpected or uncommon processes, or sourced from suspicious or untrusted sites.\r\nSuch events map to MITRE ATT\u0026CK® Technique T1204.002 - User Execution: Malicious File. 
Use the\r\nUDM query below in Google Security Operations to identify MSIX file writes, which can be explored\r\nusing the Pivot functionality on fields like principal.process.file.full_path.\r\n(metadata.event_type = \"FILE_CREATION\" OR metadata.event_type = \"FILE_MODIFICATION\") AND\r\ntarget.file.full_path = /\\.msix$/ nocase\r\nInitial Compromise: \"StartingScriptWrapper.ps1\" - While the file itself is legitimate, Mandiant has\r\nobserved its use in malicious activity. Mandiant threat hunters review events related to its writing on a host\r\nto determine if the overall activity was benign or malicious. These events map to MITRE ATT\u0026CK®\r\nTechnique T1204.002 - User Execution: Malicious File.\r\nGoogle Security Operations users can find instances of this file written to disk with the following UDM\r\nquery:\r\n(metadata.event_type = \"FILE_CREATION\" OR metadata.event_type = \"FILE_MODIFICATION\") AND\r\ntarget.file.full_path = /startingscriptwrapper\\.ps1$/ nocase\r\nInitial Compromise: Virtual File System (VFS) folder - Uncommon events like writing of the GnuPG\r\nbinary gpg.exe or uncommon processes launching copy.exe or xcopy.exe were observed in compromises\r\nby malware such as NUMOZYLOD. These events map to MITRE ATT\u0026CK® Technique T1105 - Ingress\r\nTool Transfer. For this example, the following UDM query can provide a starting point:\r\n(target.file.full_path = /gpg\\.exe$/ nocase AND (principal.process.file.full_path =\r\n/copy\\.exe$/ nocase OR principal.process.file.full_path = /xcopy\\.exe$/ nocase)) AND\r\ntarget.file.full_path != /cygwin/ nocase AND target.file.full_path != /git\\\\usr\\\\bin/ nocase\r\nEstablish Foothold: PowerShell - Throughout the evolution of NUMOZYLOD variants, Mandiant\r\nmaintained visibility with a multitude of detection logic mapped to MITRE ATT\u0026CK® Technique\r\nT1059.001 - Command and Scripting Interpreter: PowerShell. 
Suspicious arguments, execution of scripts\r\nin unexpected locations, and PowerShell activity with unexpected execution policies all present\r\nopportunities for detection logic to help amplify malicious signals.\r\nMandiant threat hunters use various signals captured in Google Security Operations to identify later stages of\r\ncompromise all the way through threat actor mission completion, if attackers progress to that point.\r\nDetection Through Google Security Operations\r\nEnterprise and Enterprise Plus customers will benefit from these detections being applied automatically through\r\ncurated detections. Standard customers can use the YARA-L rules below to create single or multi-event rules to\r\ndetect the malware. You can even ask Gemini in Google Security Operations to do it for you.\r\nThis rule detects when StartingScriptWrapper.ps1 is executed with Advanced Installer.\r\nrule POWERSHELL_EXECUTE_SCRIPTWRAPPER_FROM_WINDOWSAPPS_VIA_REMOTESIGNED_EXECUTION_POLICY {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    description = \"This rule detects when startingscriptwrapper.ps1 is executed with Advanced Installer. The process is executed with MSIX files as package support framework and may point to an additional malicious powershell script within the ps1.\"\r\n    mitre_attack_tactic = \"Execution\"\r\n    mitre_attack_technique = \"Command and Scripting Interpreter\"\r\n    mitre_attack_url = \"https://attack.mitre.org/techniques/T1059/001/\"\r\n    mitre_attack_version = \"v14.1\"\r\n    severity = \"High\"\r\n    priority = \"High\"\r\n    platform = \"Windows\"\r\n    type = \"hunt\"\r\n  events:\r\n    ( $e.metadata.event_type = \"PROCESS_LAUNCH\" ) and\r\n    ( re.regex($e.target.process.command_line, `StartingScriptWrapper.ps1`) nocase and\r\n      re.regex($e.target.process.file.full_path, `powershell`) nocase and\r\n      re.regex($e.target.process.command_line, `RemoteSigned\\s\\-file.*\\\\WindowsApps\\\\.*Powershell(.exe).*RemoteSigned\\s\\-file.*\\.ps1`) nocase ) and\r\n    ( re.regex($e.principal.process.file.full_path, `\\\\ai_stubs\\\\`) nocase or\r\n      re.regex($e.principal.process.command_line, `\\\\ai_stubs\\\\`) nocase )\r\n  condition:\r\n    $e\r\n}\r\nThis rule detects file creation of gpg.exe at the path %localappdata%.\r\nrule XCOPY_WRITING_GNUPG_PROCESS_METHODOLOGY {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    description = \"This rule is designed to detect on gpg.exe (GnuPG) being copied to the path %localappdata%. This technique has been previously observed in NUMOZYLOD compromises.\"\r\n    mitre_attack_tactic = \"Command And Control\"\r\n    mitre_attack_technique = \"Ingress Tool Transfer\"\r\n    mitre_attack_url = \"https://attack.mitre.org/techniques/T1105/\"\r\n    severity = \"Low\"\r\n    platform = \"Windows\"\r\n    type = \"hunt\"\r\n  events:\r\n    ( $e.metadata.event_type = \"FILE_CREATION\" or $e.metadata.event_type = \"FILE_MODIFICATION\" ) and\r\n    ( re.regex($e.target.file.full_path, `gpg\\.exe$`) nocase and\r\n      re.regex($e.target.file.full_path, `\\\\appdata\\\\local`) nocase and\r\n      not re.regex($e.target.file.full_path, `\\\\localsum\\\\cygwin\\\\bin`) nocase and\r\n      not re.regex($e.target.file.full_path, `temp\\\\rest\\\\bin`) nocase and\r\n      not re.regex($e.target.file.full_path, `Git\\\\usr\\\\bin`) nocase and\r\n      ( re.regex($e.principal.process.file.full_path, `xcopy\\.exe$`) nocase or\r\n        re.regex($e.principal.process.file.full_path, `copy\\.exe$`) nocase ) )\r\n  condition:\r\n    $e\r\n}\r\nHave questions or feedback for the Managed Defense team? Comment on the blog or ask a question in the\r\nManaged Defense Forum.\r\nSource: https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551"
	],
	"report_names": [
		"789551"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "630987b6-1240-486a-ad47-bb63d6573e6b",
			"created_at": "2024-09-20T02:00:04.579123Z",
			"updated_at": "2026-04-10T02:00:03.697899Z",
			"deleted_at": null,
			"main_name": "UNC4536",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4536",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434019,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc16fa5d5bbca92275d1e8e490574ba7cfd5f807.pdf",
		"text": "https://archive.orkl.eu/fc16fa5d5bbca92275d1e8e490574ba7cfd5f807.txt",
		"img": "https://archive.orkl.eu/fc16fa5d5bbca92275d1e8e490574ba7cfd5f807.jpg"
	}
}