{
	"id": "747e1bf8-32da-4bba-9eee-398df8251ad3",
	"created_at": "2026-04-06T00:15:02.47124Z",
	"updated_at": "2026-04-10T03:34:03.067395Z",
	"deleted_at": null,
	"sha1_hash": "fd9610a78c34d9d27f4511be6b241a48f3d80c8f",
	"title": "Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2082762,
	"plain_text": "Curious Serpens’ FalseFont Backdoor: Technical Analysis,\r\nDetection and Prevention\r\nBy Tom Fakterman, Daniel Frank, Jerome Tujague\r\nPublished: 2024-03-21 · Archived: 2026-04-05 17:16:19 UTC\r\nExecutive Summary\r\nThis article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated\r\nthreat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sandstorm) is a known espionage\r\ngroup that has previously targeted the aerospace and energy sectors. FalseFont is the latest tool in Curious\r\nSerpens’ arsenal. The examples we analyzed show how the threat actors mimic legitimate human resources\r\nsoftware, using a fake job recruitment process to trick victims into installing the backdoor.\r\nOur in-depth technical analysis will help security professionals better understand FalseFont and more effectively\r\ndefend against this threat. This article focuses on analysis of the newly discovered FalseFont backdoor and its\r\ncapabilities. 
Lastly, we’ll discuss ways to detect and prevent this targeted backdoor.\r\nPalo Alto Networks customers are better protected from the threats mentioned in this article in the following ways:\r\nNext-Generation Firewall with the Advanced Threat Prevention security subscription can help block the\r\nmalware C2 traffic\r\nAdvanced URL Filtering and DNS Security categorize known C2 domains and IPs as malicious.\r\nOrganizations can engage the Unit 42 Incident Response team for specific assistance with this threat and\r\nothers\r\nCortex XDR and Prisma Cloud Compute combined with the XSIAM platform help detect and prevent the\r\nthreats mentioned in this article\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of this new malware.\r\nRelated Unit 42 Topics Iran, Backdoors\r\nCurious Serpens APT Group\r\nAKAs\r\nPeach Sandstorm, APT33, Elfin, HOLMIUM, MAGNALIUM,\r\nREFINED KITTEN\r\nCurious Serpens and FalseFont Background\r\nThe threat actor we track as Curious Serpens is also known by other names, such as Peach Sandstorm, APT33,\r\nElfin, HOLMIUM, MAGNALIUM or REFINED KITTEN. According to these reports, Curious Serpens has been\r\nactive since at least 2013. This threat actor is associated with espionage and has targeted organizations in the\r\nMiddle East, the United States and Europe.\r\nhttps://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/\r\nPage 1 of 14\n\n
In December 2023, Microsoft Threat Intelligence noted that this threat actor began using a new backdoor and\r\nidentified the backdoor as FalseFont. By the end of January 2024, we saw the first public analysis of FalseFont.\r\nHere, we add to the analysis of FalseFont by sharing our observations, as well as additional information on the\r\ntraffic and processes that we have detected and prevented.\r\nThe FalseFont backdoor is written in ASP .NET Core. Its capabilities include the following:\r\nExecuting processes and commands on the infected machine\r\nManipulating the file system\r\nCapturing the screen\r\nStealing credentials from browsers\r\nStealing credentials for an aerospace-industry job application platform, which could contain sensitive\r\naerospace data\r\nFalseFont was observed in the wild, packed in a single native executable that is 182 MB in size. In addition to the\r\nmalware itself, this executable contains various .NET components and libraries essential for the malware to\r\noperate. FalseFont also uses ASP.NET Core SignalR, which is an open-source library for running web\r\napplications, for communication with its command and control server (C2).\r\nTargeting Aerospace and Defense Job Applicants\r\nThe FalseFont backdoor is a highly targeted backdoor, and so far it has been reported to target job applicants in\r\nthe aerospace and defense industries. FalseFont targets these applicants by impersonating a graphical user\r\ninterface (GUI) for submitting a job application to a U.S.-based aerospace company. Figure 1 shows the main\r\nwindow of the application.\r\nFigure 1. Login panel displayed after running the FalseFont executable on a Windows machine.\r\n
Threat actors often imitate legitimate products for malicious purposes. This does not imply a flaw or malicious\r\nquality to the legitimate product being abused.\r\nWhile the GUI is active for user interaction, in the background, the second and main component of the malware is\r\nrunning. As it runs, it is establishing persistence and registering itself to its C2 server.\r\nFalseFont’s execution is detected and prevented by Cortex XDR, as shown in Figures 2 and 3.\r\nFigure 2. The alert reveals the FalseFont executable attempting malicious behavior while Cortex\r\nXDR is in detect mode.\r\nFigure 3. Cortex XDR shows it blocked the execution of the FalseFont malware.\r\nFalseFont Technical Analysis\r\nThe GUI Component\r\nThe FalseFont executable presents a login interface impersonating an aerospace company, as previously shown in\r\nFigure 1. If a victim enters a username and password, the malware sends this data in JSON format through an\r\nHTTP POST request to the threat actor's C2 server on 64.52.80[.]30 over TCP port 8080. URLs for the regular\r\nlogin and guest login are different, as shown below in Figures 4 and 5.\r\nFigure 4. HTTP POST request generated when logging in as a guest from the FalseFont GUI.\r\nFigure 5. HTTP POST request generated when using the regular login from the FalseFont GUI.\r\nThe FalseFont GUI has a checkbox labeled Remember Me immediately below the login fields. If a victim checks\r\nthis box, the username and password are saved to a file named data.txt under %localappdata%. On future launches\r\nof the application, if the data.txt file already exists, the threat will send login data to the C2 server automatically. If\r\nthis file exists or the C2 server responds successfully, the threat collapses the login view and displays a resume\r\ncollection page shown in Figure 6.\r\nFigure 6. FalseFont GUI displays a resume collection page.\r\n
Once a victim fills these fields out, FalseFont converts their contents into serialized JSON and sends it as a GET\r\nrequest to the C2 server’s IP address. If the C2 server responds, the GUI shows the text “Your information has\r\nbeen registered, our colleagues will contact you.” and the resume data is saved to a file named data2.txt under\r\n%localappdata%.\r\nThe Backdoor Component\r\nInitialization\r\nDuring initialization, FalseFont establishes a first handshake with its C2 domain. The malware collects and sends\r\nthe machine hostname, the login username and the operating system details. Figure 7 below shows the packet sent\r\nto the C2, including the attackers’ credentials hard-coded in FalseFont’s code.\r\nFigure 7. TCP stream of an HTTP POST request for the initial C2 handshake.\r\nFalseFont can use the following command-line arguments, which are referred to in the program’s code as\r\nAppReset and AppUpdate:\r\nSsQP's*(58vaP!tF4 (AppReset)\r\nSQP's*(58vaP!tF4 (AppUpdate)\r\nThese arguments let the malware know if the C2 server has sent a request for a reset or an update. Next, FalseFont\r\nattempts to create a mutex with the value 864H!NKLNB*x_H?5. In case the mutex already exists, and none of the\r\narguments mentioned above were received, the malware will terminate.\r\nPersistence\r\nFalseFont drops three copies of itself into the infected machine, using the following distinct paths:\r\n%username%\\AppData\\Roaming\\host.exe\r\n%username%\\AppData\\Local\\broker.exe\r\n%username%\\AppData\\Local\\Microsoft\\System.exe\r\nFigure 8 below shows the file writing operations as logged by Cortex XDR.\r\n
Figure 8. Information from the Cortex XDR alert on FalseFont making three copies of itself.\r\nFalseFont will then establish persistence via the registry CurrentVersion\\Run key for all three copies by creating a\r\nnew value, as shown in Figure 9.\r\nFigure 9. Example of registry updates to keep FalseFont persistent on an infected Windows host.\r\nAfter startup only the backdoor component will run, excluding the malware’s GUI. In addition, if there are already\r\nvalues present in the Run key, it will edit the first of the existing keys so it will also execute the host.exe copy of\r\nFalseFont. Whichever starts up first will create a mutex that will terminate the other two instances.\r\nThe persistence mechanism of FalseFont following the infected machine’s reboot is detected by Cortex XDR as\r\nshown in Figure 10.\r\n
Figure 10. Cortex XDR alert showing persistent copies of FalseFont starting after a reboot.\r\nEncoding and Encryption Scheme\r\nFalseFont stores a hard-coded configuration as part of its code, which attempts to conceal some of its strings to\r\nhinder analysis of its functionality. The malware’s strings are encoded in Base64 and encrypted using a hard-coded AES key.\r\nThe authors did not do a great job concealing the threat’s functionality, as they labeled most of the methods with\r\nnames similar to the strings they decrypt and decode. Figure 11 below shows an example, with the string being\r\ndecoded and decrypted into OS error while executing:\r\n
Figure 11. An example from FalseFont code where an embedded string is encrypted and encoded.\r\nCore Functionality\r\nFalseFont has an array of commands it can receive from the C2. These commands enable the attackers to perform\r\nthe following activities:\r\nExecuting commands and processes\r\nDownloading and uploading files\r\nReceiving information about the file system\r\nUpdating the malware\r\nStealing credentials\r\nCapturing the victim’s screen\r\nFalseFont can receive commands from the C2 in two different ways:\r\n1. Sending a GET request with the URI /api/Core/Command/Init to a specific API endpoint on the C2 every\r\n0-5 minutes\r\n2. Using a SignalR client\r\nThese two methods enable the attackers to interact with FalseFont in two different ways. By using method number\r\none, the attackers are able to communicate with the backdoor via a predefined list of commands that it will\r\nexecute every few minutes. With the second method that uses SignalR, the attackers are able to send each\r\ncommand to the backdoor in real time, without having to wait for the backdoor to send a request first.\r\nAs shown in Figure 12, the communication with the C2 is AES encrypted with a hard-coded key and then Base64\r\nencoded. The key together with the URL list used for C2 communications can be found in the Indicators of\r\nCompromise section.\r\nFigure 12. Code snippet of FalseFont shows the use of AES for encrypted communication.\r\nSupported Commands\r\nTable 1 below contains FalseFont’s supported commands from querying the “/Core/Command/Init” URI.\r\nCommand Type Functionality\r\nExec\r\nExecutes a specified process with provided command-line arguments. Sets\r\nProcessStartInfo.UseShellExecute to false, indicating the process should\r\nbe run directly from the executable. Returns either standard output or\r\ncustom strings indicating success or failure.\r\n
ExecUseShell\r\nExecutes a specified process with provided command-line arguments. Sets\r\nProcessStartInfo.UseShellExecute to true, indicating the operating system\r\nshell should be used to spawn the process. Returns either standard output\r\nor custom strings indicating success or failure.\r\nExecAndKeepAlive\r\nThis command doesn't appear to be fully implemented. It returns a\r\ncommand result of Not work and a status of 0.\r\nCMD\r\nIf the threat receives the parameter pass from the C2, it steals passwords\r\nfrom the Chrome, Brave and Edge User Data folders using code borrowed\r\nfrom a GitHub project.\r\nOtherwise, it executes cmd.exe with provided command-line arguments\r\nand returns console output or custom error messages.\r\nPowerShell\r\nExecutes powershell.exe using the provided arguments. Returns output or\r\ncustom error messages.\r\nKillByName\r\nAttempts to kill a process by name using Process.Kill. Returns\r\nsuccessfully terminated process IDs.\r\nKillById\r\nAttempts to kill processes by ID using Process.Kill. Returns successfully\r\nterminated process IDs.\r\nDownload\r\nDownloads and decompresses a file hosted on the C2 server. Returns a\r\nstring indicating success or failure.\r\nUpload\r\nUploads either a single file or directory, or a list of files and directories to\r\nthe C2 server. Data is exfiltrated in Base64 encoded and encrypted chunks\r\nof a size specified by the C2.\r\nDelete\r\nDeletes a specified file or directory. Returns a custom string indicating\r\nsuccess or failure.\r\nGetDirectories\r\nGenerates a recursive list of files and directories in a specified path, and\r\nreturns a string that is delimited using the “|” character.\r\nChangeTime\r\nUpdates the _timeInterval property controlling the SignalR client’s\r\nautomatic reconnect timer.\r\nSendAllDirectory\r\nEnumerates all logical drives and returns a list of all subdirectories and\r\nfiles to the C2.\r\nUpadateApplication\r\nDownloads, extracts and installs a new version of FalseFont. Executes\r\nusing the AppUpdate variable and terminates the current process.\r\n
Restart\r\nThe threat launches the first identified copy of itself found in a registry\r\nRun key, passing in the AppReset variable as an argument. Terminates the\r\ncurrent process.\r\nGetProcess\r\nReturns a list of all running processes to the C2, using GetProcess.\r\nSendAllDirectoryWithStartPath\r\nReturns a recursive list of subdirectories and files under a specified path,\r\nor multiple paths delimited by the “*” character.\r\ndefault\r\nReturns “Command not register.”\r\nTable 1. Commands supported by the C2’s init URI.\r\nSignalR Client\r\nSignalR is an ASP.NET library, commonly used for chat applications, enabling servers to push content to clients in\r\nreal time.\r\nAs opposed to the method mentioned in the section above that queries a specific API endpoint every few minutes,\r\nthe attackers are able to send a command to the backdoor in real time using SignalR.\r\nFalseFont uses SignalR’s default JSON-based text protocol, which means the attacker's server sends messages in a\r\nJSON format that is handled and parsed by different handlers registered by the client (FalseFont). Messages from\r\na SignalR server contain a name and additional parameters.\r\nAs shown in Figure 13, FalseFont registers five handlers using the HubConnectionExtensions.On method. Once\r\nregistered, the SignalR client will wait for messages from the server. When it receives a message, it will check if\r\nthe message name matches one of five possible values. If the name matches, the corresponding method is\r\nexecuted and the message parameter field is passed in as an argument.\r\nFigure 13. FalseFont registers handlers for SignalR messages.\r\nTable 2 below shows an overview of the handlers registered for FalseFont’s SignalR client.\r\nMethod Functionality\r\nCommand\r\nExecutes a command from the same list that is supported by querying\r\n/Core/Command/Init URI.\r\n
GetDir\r\nCollects a list of files and directories at a specified path. Sends a POST request with the\r\ndata to the /api/LiveDirectory/Send/Dir endpoint.\r\nGetHard\r\nEnumerates hard drives, including name, type and size. Sends a POST request with the\r\ndata to the /api/LiveDirectory/Send/Hard API endpoint.\r\nGetScreen\r\nCreates a new thread that captures screenshots at a specified interval over a specified\r\nduration of time. The screenshots are saved as JPEGs, converted to Base64 and sent to the\r\n/api/LiveDirectory/Send/Screen endpoint.\r\nStopSendScreen\r\nDisables the screen capture method.\r\nTable 2. Commands supported by the SignalR client.\r\nCredential Theft\r\nExamining FalseFont’s credential theft feature, we observed that if FalseFont receives the command CMD with\r\nthe parameter pass from the C2, it will attempt to steal credentials from popular web browsers.\r\nAdditionally, FalseFont will attempt to steal credentials by querying the Loginvault.db database, as shown in\r\nFigure 14.\r\nFigure 14. FalseFont code showing attempts to query the Loginvault.db file.\r\nConclusion\r\nThis article provides a technical analysis of FalseFont, a new backdoor developed by the suspected Iranian-affiliated threat actor known as Curious Serpens. We reviewed how FalseFont’s operators target the aerospace and\r\ndefense industries by attempting to mimic legitimate human resources software specific to these industries. This\r\ndisguised executable ultimately causes the installation of the backdoor under the guise of a job recruitment\r\nprocess.\r\nWe then dived into FalseFont’s core architecture, functionality and its elaborate interface to receive commands\r\nfrom the threat actors in real time. We also analyzed the framework that the threat actors chose for C2\r\ncommunication, which included the implementation of a dual communication mechanism.\r\nLastly, we also showed how the Cortex XDR platform can detect and prevent the malware’s different infection\r\ncomponents.\r\n
We urge security professionals and defenders to carefully examine this report and leverage the information\r\npresented to improve existing practices in detection, prevention and hunting, ultimately fortifying their overall\r\nsecurity stance.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\nthreat.\r\nThe Cortex XDR platform can detect and prevent the execution flow described in the screenshots included in the\r\nprevious sections.\r\nCortex XDR and XSIAM detect user and credential-based threats by analyzing user activity from multiple data\r\nsources, including the following:\r\nEndpoints\r\nNetwork firewalls\r\nActive Directory\r\nIdentity and access management solutions\r\nCloud workloads\r\nCortex XDR and XSIAM build behavioral profiles of user activity over time with machine learning. By\r\ncomparing new activity to past activity, peer activity and the expected behavior of the entity, Cortex XDR and\r\nXSIAM detect anomalous activity indicative of credential-based attacks.\r\nThey also offer the following protections related to the attacks discussed in this post:\r\nPreventing the execution of known malware\r\nHelping prevent the execution of unknown malware using Behavioral Threat Protection and machine\r\nlearning based on the Local Analysis module\r\nCortex XDR Pro and XSIAM detect post-exploit activity, including credential-based attacks, with behavioral\r\nanalytics.\r\nPrisma Cloud Defender agents with XSIAM and WildFire integration can detect and prevent malicious execution\r\nof the FalseFont binaries within Windows based VM, container and serverless cloud infrastructure.\r\nThe Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the\r\nmalware C2 traffic via the following Threat Prevention signature: 86805\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in\r\nlight of this new FalseFont backdoor. Multiple products in the Palo Alto Networks portfolio leverage Advanced\r\nWildFire to provide coverage against FalseFont and other threats.\r\nAdvanced URL Filtering and DNS Security categorize known C2 domains and IPs as malicious.\r\n
If you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nFalseFont packed executable SHA256 hash:\r\n364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614\r\nFalseFont unpacked executable SHA256 hash:\r\n4145e792c9e9f3c4e80ca0e290bd7568ebcef678affd68d9b505f02c6acaab12\r\nMutex:\r\n864H!NKLNB*x_H?5\r\nPersistence paths:\r\n%username%\\AppData\\Roaming\\host.exe\r\n%username%\\AppData\\Local\\broker.exe\r\n%username%\\AppData\\Local\\Microsoft\\System.exe\r\nC2 Domain:\r\nDigitalcodecrafters[.]com\r\nC2 IP:\r\n64.52.80[.]30\r\nC2 username:\r\nMX2\r\nC2 password:\r\nNooVtlXgx2T3IyN4I0Xf\r\nBase64-encoded hard-coded AES IV:\r\nviOIZ9cX59qDDjMHYsz1Yw==\r\nBase64-encoded hard-coded AES key:\r\n3EzuNZ0RN3h3oV7rzILktSHSaHk+5rtcWOr0mlA1CUA=\r\nC2 URI Scheme:\r\nLogin/\r\nLoginAsGuest/\r\nrealtime/\r\napi/\r\n/Token\r\n/AgentRequestTime/Agent\r\n/Core/Command/Add/Result\r\n/Core/Command/Add/Schedule\r\n/Core/Command/Init\r\n/Core/Command/Last\r\n/Core/Command/Restart\r\n/FileStorage\r\n/FileStorage/Agent/Init/Upload\r\n/FileStorage/Agent/Upload\r\n/FileStorage/Agent/Download\r\n/LiveDirectory/Send/Dir\r\n/LiveDirectory/Send/Hard\r\n/LiveDirectory/Send/Screen\r\nSource: https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/"
	],
	"report_names": [
		"curious-serpens-falsefont-backdoor"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434502,
	"ts_updated_at": 1775792043,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd9610a78c34d9d27f4511be6b241a48f3d80c8f.pdf",
		"text": "https://archive.orkl.eu/fd9610a78c34d9d27f4511be6b241a48f3d80c8f.txt",
		"img": "https://archive.orkl.eu/fd9610a78c34d9d27f4511be6b241a48f3d80c8f.jpg"
	}
}