{
	"id": "a006690b-895d-4508-bfce-b7a3952f4474",
	"created_at": "2026-04-06T00:18:54.096196Z",
	"updated_at": "2026-04-10T13:12:19.055855Z",
	"deleted_at": null,
	"sha1_hash": "fcdc48050d4a7d14d7fb3a7d181e8691472925e4",
	"title": "Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversaries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90187,
	"plain_text": "Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens\r\nthe Door to Adversaries\r\nBy CrowdStrike Services - CrowdStrike Intelligence\r\nArchived: 2026-04-05 20:21:59 UTC\r\nEditor’s Note: VMware updated its knowledge base article, “Deployment of 3rd Party Agents and Anti-virus\r\nsoftware on the ESXi Hypervisor,” noting that the content is outdated and should be considered deprecated.\r\nVMware noted that the article “is expected to be updated in the future with current information.”\r\nVMware also linked to a February 2023 blog post providing suggested guidance on reported ESXiArgs\r\nransomware attacks and actions that concerned customers should take to protect themselves, including patching,\r\nupdating out-of-date or vulnerable systems, and enforcing security hygiene best practices. In the post, VMware\r\ndetailed security practices for protection of vSphere.\r\nSince 2020, CrowdStrike has increasingly observed big game hunting (BGH) threat actors deploying Linux\r\nversions of ransomware tools specifically designed to affect VMware’s ESXi vSphere hypervisor (read Part 1 and\r\nPart 2 of this series).\r\nIn the first quarter of 2023, this trend has continued: Ransomware-as-a-service (RaaS) platforms including Alphv,\r\nLockBit and Defray — tracked by CrowdStrike Intelligence as ALPHA SPIDER, BITWISE SPIDER and SPRITE\r\nSPIDER, respectively — have been leveraged to target ESXi. This trend is especially noteworthy given that ESXi,\r\nby design, does not support third-party agents or antivirus software, and VMware states in its documentation that\r\nantivirus software is not required. This, combined with the widespread adoption of ESXi as a\r\nvirtualization and management system, makes the hypervisor a highly attractive target for modern adversaries.\r\nWhat Is ESXi?\r\nESXi is a Type-1 hypervisor (aka a “bare-metal” hypervisor) developed by VMware. A hypervisor is software that\r\nruns and manages virtual machines (VMs). 
In contrast to Type-2 hypervisors, which run on a conventional host\r\noperating system, a Type-1 hypervisor runs directly on a dedicated host’s hardware. ESXi systems are commonly\r\nmanaged by vCenter, a centralized server administration tool that can control multiple ESXi devices. While ESXi\r\nis not a Linux operating system, it is possible to run some Linux-compiled ELF binaries within the ESXi\r\ncommand shell.\r\nSeveral relevant VMware products associated with the ESXi platform include:\r\n- ESXi (or vSphere Hypervisor): acts as a server consisting of a hypervisor component, an identity and\r\nadministrative component and a resource management component tied to the server’s hardware\r\n- vCenter: the identity and administrative component as well as a complete resource manager for a fleet of\r\nESXi servers\r\n- ONE Access (or Identity Manager): provides single sign-on (SSO) solutions to connect to vCenter or\r\nESXi\r\n- Horizon: VMware's solution for full virtual architecture management\r\nhttps://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/\r\nPage 1 of 7\n\nThe State of ESXi Security\r\nVMware advises, “Antivirus software is not required with the vSphere Hypervisor and the use of such software\r\nis not supported.” [1]\r\nBeyond the absence of security tooling that this lack of support enforces, several ESXi vulnerabilities are\r\nbeing actively exploited by threat actors. In February 2023, the French Computer Emergency Response Team\r\n(CERT-FR) reported that a ransomware campaign — publicly tracked as ESXiArgs — was targeting internet-exposed VMware ESXi hypervisors vulnerable to CVE-2020-3992 or CVE-2021-21974.\r\nBoth vulnerabilities affect the OpenSLP service in ESXi hypervisors. 
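Both of these OpenSLP bugs are reachable only while the slpd service is running and port 427 is admitted by the host firewall, so the first thing a defender wants is an inventory of which hosts still expose it. The following PowerCLI script is an added example and is not code from the original post or from VMware: it reports the slpd service state and the CIM SLP firewall ruleset for every ESXi host registered to a vCenter and, only when invoked with -Remediate, applies VMware’s documented workaround of stopping slpd, setting its startup policy to off and disabling the ruleset. The service key 'slpd', the ruleset name 'CIM SLP' and the -VCenter and -Remediate parameters are assumptions of this example, as is the presence of PowerCLI and an account allowed to change host services and firewall rules.

```powershell
# Added example, not code from the CrowdStrike post or from VMware: audit the
# OpenSLP attack surface (service slpd, firewall ruleset 'CIM SLP', port 427)
# on every ESXi host registered to a vCenter and, optionally, apply the
# documented workaround of stopping slpd and blocking its ruleset.
# Assumptions: VMware PowerCLI is installed, the account can change host
# services and firewall rules, and the service and ruleset carry these names.
param(
    [Parameter(Mandatory)] [string] $VCenter,
    [switch] $Remediate     # default is report-only
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null

$findings = foreach ($esx in Get-VMHost | Sort-Object Name) {
    $slp = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'slpd' }
    $fw  = Get-VMHostFirewallException -VMHost $esx | Where-Object { $_.Name -eq 'CIM SLP' }

    # A host is exposed if the daemon is running, is set to start with the
    # host, or the firewall still admits port 427; any one of these matters.
    $slpActive = ($null -ne $slp) -and ($slp.Running -or $slp.Policy -eq 'on')
    $portOpen  = ($null -ne $fw) -and $fw.Enabled
    $exposed   = $slpActive -or $portOpen
    $policy    = 'n/a'
    if ($null -ne $slp) { $policy = $slp.Policy }

    if ($exposed -and $Remediate) {
        if ($null -ne $slp) {
            if ($slp.Running) { Stop-VMHostService -HostService $slp -Confirm:$false | Out-Null }
            Set-VMHostService -HostService $slp -Policy Off | Out-Null
        }
        if ($portOpen) { Set-VMHostFirewallException -Exception $fw -Enabled:$false | Out-Null }
    }

    [pscustomobject]@{
        Host        = $esx.Name
        Build       = $esx.Build
        SlpRunning  = ($null -ne $slp) -and [bool]$slp.Running
        SlpPolicy   = $policy
        Port427Open = $portOpen
        Exposed     = $exposed
        Remediated  = $exposed -and [bool]$Remediate
    }
}

$findings | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it read-only first against the vCenter FQDN; add -Remediate only after confirming that no CIM client in your environment depends on SLP discovery, and treat any host that later reports Exposed as True again as a configuration change to investigate rather than silently re-fix.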
CVE-2021-21974 allows an unauthenticated\r\nnetwork-adjacent adversary to execute arbitrary code on affected VMware ESXi instances, but had not\r\npreviously been exploited in the wild (ITW).\r\nCVE-2020-3992 — which has been exploited ITW — allows an unauthenticated adversary residing in the\r\nmanagement network with access to port 427 on an ESXi machine to trigger a use-after-free issue in the OpenSLP\r\nservice, resulting in remote code execution (RCE). Public reporting has also previously identified ITW exploitation of CVE-2019-5544 [2], which similarly impacts the OpenSLP service and facilitates RCE on compromised\r\nsystems.\r\nIn publicly reported cases of CVE-2020-3992 and CVE-2021-21974 exploitation, threat actors deployed a Python\r\nbackdoor named vmtools.py to the file path /store/packages/; this filename and file path match the contents of a\r\nshell script a user on a public forum shared in relation to current ESXiArgs activity.\r\nThe Problem Is Getting Worse\r\nVMware virtual infrastructure products are highly attractive targets for attackers due to the predominance of this\r\nvendor in the virtualization field and because VMware’s product line is often a crucial component of an\r\norganization's IT infrastructure virtualization and management system.\r\nMore and more threat actors are recognizing that the lack of security tools, lack of adequate network segmentation\r\nof ESXi interfaces, and ITW vulnerabilities for ESXi create a target-rich environment. In April 2023, for example,\r\nCrowdStrike Intelligence identified a new RaaS program named MichaelKors, which provides affiliates with\r\nransomware binaries targeting Windows and ESXi/Linux systems. 
Other RaaS platforms capable of targeting\r\nESXi environments, such as Nevada ransomware, have also been launched.\r\nIn late September 2022, Mandiant researchers discovered and documented a novel malware ecosystem primarily\r\ntargeting VMware ESXi and VMware vCenter servers, deployed as a malicious remote administration tool\r\n(RAT) [3]. The RAT allows for persistence on compromised servers as well as a means to interact with the\r\nunderlying virtual machines and to extract sensitive information.\r\nIn late 2022, CrowdStrike Intelligence observed ALPHA SPIDER use Cobalt Strike variants to perform post-exploitation activities on ESXi servers as well as SystemBC variants to maintain persistence in networks via\r\ncompromised vCenter servers. Moreover, SCATTERED SPIDER leveraged the open-source proxy tool rsocx to\r\nmaintain access to victim ESXi servers.\r\nCrowdStrike Intelligence also assesses that a number of named adversaries — including NEMESIS KITTEN,\r\nSILENT CHOLLIMA and eCrime actors such as PROPHET SPIDER — have used Log4Shell (CVE-2021-44228)\r\nto compromise VMware Horizon instances across a wide range of sectors and regions.\r\nTargeting virtual infrastructure components offers an attacker numerous advantages, including multiplying the\r\nimpact of a single compromise or subverting detection and prevention mechanisms, as targeted components are\r\noften not sufficiently protected by security solutions. Because VMware products have been subject to critical\r\nvulnerabilities in the past, adversaries will likely continue to target any potential weaknesses, as successful\r\ncompromises typically provide access to high-value resources.\r\nAttack Vectors\r\nCredential Theft\r\nThe most straightforward attack vector against an ESXi hypervisor is the theft of user credentials. 
Following\r\ncredential theft, an adversary can simply authenticate against the server to advance the attack based on the\r\nattacker’s objectives. If an attacker has sufficient privileges to enable and access the SSH console, arbitrary code\r\ncan be executed directly, even on the most recent ESXi versions.\r\nIf the compromised account provides access to the VM’s network management capabilities, the attacker can\r\npotentially reconfigure the VM to act as a proxy for accessing the internal network. Furthermore, if a\r\ncompromised account only provides access to a set of VMs, configuration weaknesses or vulnerabilities affecting\r\nthe virtualized OS can be targeted to advance into the target network.\r\nOnce an adversary with limited privileges has gained access to an ESXi server, privilege escalation is typically the\r\nessential intermediate step between initial access and reaching the actual objective. The cross-site scripting (XSS)\r\nvulnerabilities tracked as CVE-2016-7463, CVE-2017-4940 and CVE-2020-3955 can potentially be targeted as a\r\nmeans to trick a privileged user into executing code. CVE-2020-3955, for example, can be leveraged by first\r\nembedding a malicious payload in the VM properties (such as its hostname) and then tricking a system\r\nadministrator into accessing these malicious properties through the VMware administrative interface. None of these\r\nXSS vulnerabilities are known to be exploited ITW. An additional privilege escalation vulnerability — CVE-2021-22043 — allows a user with access to settings to escalate privileges; however, as of this writing, proof-of-concept (POC) code or weaponized exploit code targeting this vulnerability is not publicly available. Furthermore,\r\nCrowdStrike Intelligence is not aware of ITW exploitation activity involving this specific weakness.\r\nAccording to industry reporting, credential theft appears to be the primary attack vector employed by attackers\r\ntargeting ESXi servers [4]. 
Furthermore, incidents observed by CrowdStrike Intelligence demonstrate that attackers\r\ntypically gain access to a target network by other means and then attempt to collect ESXi credentials to achieve\r\nthe final objective, such as deploying ransomware; in all of these cases, the obtained credentials were sufficiently\r\nprivileged to directly execute arbitrary code.\r\nVirtual Machine Access\r\nAs outlined in the “What Is ESXi?” section, VMs can be accessed in two ways: directly, or through ESXi via the\r\nadministrative interface. The description of credential theft above applies to the latter method and will not be\r\nrepeated here.\r\nIf VMs can be accessed directly, the following two scenarios are possible:\r\n- If the VM is not sufficiently segregated from the rest of the internal network, it can potentially act as a\r\nproxy for laterally moving through the network, rendering attacks on the ESXi server unnecessary.\r\n- If an accessible, properly segregated VM is the only entry point into a network — and therefore does not\r\nallow the attacker to penetrate the network further — the attacker must directly target the ESXi hypervisor\r\nto run code at hypervisor level. This only pays off if the hypervisor itself is managed from the wider network\r\n(i.e., there is a network path from the ESXi hypervisor to more machines within the network). In order to\r\nattack the underlying hypervisor from a VM, adversaries typically need a VM escape exploit.\r\nThere are two methods to realize VM escapes: The first is to target the virtualization component of the hypervisor,\r\nsuch as a vulnerability affecting the hypervisor’s hardware emulation components. Such an exploit often\r\nrequires kernel-level privileges on the VM, which means an additional exploit is required to take over the VM first. 
The\r\nsecond method is to target a vulnerability affecting the hypervisor that is reachable through the network, using\r\nthe VM to transmit malicious network packets to the hypervisor.\r\nOf the approximately 40 vulnerabilities potentially facilitating VM escape through the virtualization component,\r\nonly two — CVE-2012-1517 and CVE-2012-1516 — target a communication component between the VM and\r\nthe hypervisor on older versions of ESXi (3.5 to 4.1). All other vulnerabilities target emulated devices, such as\r\nUSB (CVE-2022-31705, CVE-2021-22041, CVE-2021-22040), CD-ROM (CVE-2021-22045) or SVGA (CVE-2020-3969, CVE-2020-3962).\r\nSince version 6.5 of ESXi introduced VMX sandboxing, a potential VM-escape attack leveraging the\r\nvirtualization component of ESXi involves at least three different exploits, as illustrated below:\r\n1. The attacker compromises a VM at kernel level through a first exploit.\r\n2. Next, the attacker targets a device within the VM through a second exploit to obtain code execution in the\r\nVMX process.\r\n3. The attacker then performs a third exploit allowing for VMX sandbox escape.\r\n4. Finally, the attacker might require a fourth exploit to escalate privileges on the hypervisor.\r\nAs of this writing, no publicly available POC code for such an exploit chain exists, and documentation of these\r\ntypes of vulnerabilities is scarce. Due to the complexity of this attack, only advanced actors — such as nation-state adversaries — likely possess the required capabilities.\r\nHow to Protect Your Cluster\r\nListed below are CrowdStrike’s top five recommendations that organizations should implement to mitigate the\r\nsuccess or impact of hypervisor jackpotting.\r\n1. Avoid direct access to ESXi hosts. Use the vSphere Client to administer ESXi hosts that are managed by a\r\nvCenter Server. 
Do not access managed hosts directly with the VMware Host Client, and do not change\r\nmanaged hosts from the Direct Console User Interface (DCUI). (Note: This is a VMware-specific\r\nrecommendation.)\r\n2. If direct access to an ESXi host is necessary, use a hardened jump server with multifactor\r\nauthentication (MFA). ESXi access should be limited to a jump server used for only administrative or\r\nprivileged purposes with full auditing capabilities and MFA enabled. Network segmentation should ensure\r\nthat any SSH, Web UI and API access to ESXi or vCenter originates from the jump server. In\r\naddition, SSH access should be disabled, and any enablement of SSH access should trigger alerts and be\r\ninvestigated urgently.\r\n3. Ensure vCenter is not exposed to the internet over SSH or HTTP. CrowdStrike has observed\r\nadversaries gaining initial access to vCenter using valid accounts or exploiting RCE vulnerabilities (e.g.,\r\nCVE-2021-21985). Although these vulnerabilities have been addressed by VMware, these services should\r\nnot be exposed to the internet to mitigate risk.\r\n4. Ensure ESXi datastore volumes are regularly backed up. Specifically, virtual machine disk images and\r\nsnapshots should be backed up daily (more frequently if possible) to an offsite storage provider. During a\r\nransomware event, security teams should have the ability to restore systems from backups, while\r\npreventing the backups themselves from being encrypted.\r\n5. If encryption is known or suspected to be in progress, and access is not possible to kill malicious\r\nprocesses, a potential option is to physically disconnect the storage from the ESXi host, or even cut\r\npower to the ESXi host. Threat actors will often change the root password once they get access,\r\npotentially locking administrators out of the system. 
While physical disconnection of disks could\r\npotentially cause issues or loss of data not yet written to backend storage, it will stop the ransomware from\r\ncontinuing to encrypt VMDKs. Shutting down guest VMs will not help, as the encryption is happening on\r\nthe hypervisor itself. Ransomware for ESXi will typically include capabilities to shut down guest VMs to\r\nunlock the disk files and allow encryption to proceed.\r\nAdditional ESXi security recommendations are available from VMware at https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-B39474AF-6778-499A-B8AB-E973BE6D4899.html.\r\nConclusion\r\nAdversaries will likely continue to target VMware-based virtualization infrastructure. This assessment is made\r\nwith high confidence based on the increased adoption of virtualization technology by organizations transferring\r\nworkloads and infrastructure into cloud environments, VMware’s predominance in the field of enterprise\r\nvirtualization solutions, and the routine targeting of virtualization products by targeted intrusion and eCrime actors\r\ntracked by CrowdStrike Intelligence.\r\nAdditionally, CrowdStrike Intelligence observed a noticeable increase in BGH ransomware actors targeting ESXi\r\nservers in 2022. The potentially multiplied effects of an attack — facilitated by compromising infrastructure\r\noperating multiple critical VMs — further support this assessment.\r\nCredential theft is the most straightforward attack vector for targeting infrastructure management and\r\nvirtualization products. However, since VMware products have been subject to critical vulnerabilities in the past,\r\nadversaries and industry researchers will likely continue to investigate and uncover potential weaknesses in the\r\nfuture. 
This assessment is made with high confidence, as successful compromises of enterprise virtualization\r\nproducts typically provide access to high-value targets and therefore make vulnerabilities affecting corresponding\r\nproducts highly attractive assets for adversaries. Notably, VMware ESXi 6.5 and 6.7 and vSphere 6.5 and 6.7\r\nreached end of general support on October 15, 2022 — essentially ending security updates for the affected\r\nproducts [5].\r\nSince virtualization technology is often a crucial part of an organization's IT infrastructure, it is critical to\r\nregularly apply security updates and conduct security posture reviews — even if these processes affect the\r\navailability of network services and components.\r\nCrowdStrike Intelligence Confidence Assessment\r\nHigh Confidence: Judgments are based on high-quality information from multiple sources. High confidence in\r\nthe quality and quantity of source information supporting a judgment does not imply that the assessment is an\r\nabsolute certainty or fact. The judgment still has a marginal probability of being inaccurate.\r\nModerate Confidence: Judgments are based on information that is credibly sourced and plausible, but not of\r\nsufficient quantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is\r\nused to express that judgments carry an increased probability of being incorrect until more information is\r\navailable or corroborated.\r\nLow Confidence: Judgments are made where the credibility of the source is uncertain, the information is too\r\nfragmented or too poorly corroborated to make solid analytic inferences, or the reliability of the source is\r\nuntested. 
Further information is needed for corroboration of the information or to fill known intelligence gaps.\r\nAdditional Resources\r\n- To learn more about eCrime adversaries tracked by CrowdStrike Intelligence, visit the CrowdStrike\r\nAdversary Universe.\r\n- To find out how to incorporate intelligence on threat actors into your security strategy, visit the\r\nCrowdStrike Falcon® Intelligence page.\r\n- Learn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.\r\n- Get a full-featured free trial of CrowdStrike Falcon® Prevent to see for yourself how true next-gen AV\r\nperforms against today’s most sophisticated threats.\r\nReferences\r\n[1] https://kb.vmware.com/s/article/80768\r\n[2] https://www.bleepingcomputer.com/news/security/new-python-malware-backdoors-vmware-esxi-servers-for-remote-access/\r\n[3] https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence\r\n[4] https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html\r\n[5] https://core.vmware.com/blog/reminder-vsphere-6567-end-general-support\r\nSource: https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/"
	],
	"report_names": [
		"hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "056826cb-6e17-4954-a9b4-2cc8c6ae3cb8",
			"created_at": "2023-03-04T02:01:54.115678Z",
			"updated_at": "2026-04-10T02:00:03.360898Z",
			"deleted_at": null,
			"main_name": "Prophet Spider",
			"aliases": [
				"GOLD MELODY",
				"UNC961"
			],
			"source_name": "MISPGALAXY:Prophet Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3940f08b-39aa-492c-8699-86bfe515fa70",
			"created_at": "2023-01-06T13:46:39.470535Z",
			"updated_at": "2026-04-10T02:00:03.339964Z",
			"deleted_at": null,
			"main_name": "BITWISE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BITWISE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47b52642-e5b8-4502-b714-b625002d86aa",
			"created_at": "2024-06-19T02:03:08.086579Z",
			"updated_at": "2026-04-10T02:00:03.812509Z",
			"deleted_at": null,
			"main_name": "GOLD MELODY",
			"aliases": [
				"PROPHET SPIDER",
				"UNC961"
			],
			"source_name": "Secureworks:GOLD MELODY",
			"tools": [
				"7-Zip",
				"AUDITUNNEL",
				"BURP Suite",
				"GOTROJ",
				"JSP webshells",
				"Mimikatz",
				"Wget"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434734,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fcdc48050d4a7d14d7fb3a7d181e8691472925e4.pdf",
		"text": "https://archive.orkl.eu/fcdc48050d4a7d14d7fb3a7d181e8691472925e4.txt",
		"img": "https://archive.orkl.eu/fcdc48050d4a7d14d7fb3a7d181e8691472925e4.jpg"
	}
}