{
	"id": "66ad540c-9b5f-4000-83d5-cf21dc37e690",
	"created_at": "2026-04-06T00:18:47.785993Z",
	"updated_at": "2026-04-10T03:33:12.490131Z",
	"deleted_at": null,
	"sha1_hash": "fdcdfaec0ba0af69d1c968377ff71c999f90b668",
	"title": "Malicious Campaign Targets Latin America: The seller, The operator and a curious link",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4794958,
	"plain_text": "Malicious Campaign Targets Latin America: The seller, The\r\noperator and a curious link\r\nBy Asheer Malhotra\r\nPublished: 2021-08-19 · Archived: 2026-04-05 13:06:20 UTC\r\nBy Asheer Malhotra and Vitor Ventura, with contributions from Vanja Svajcer.\r\nCisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and\r\nAsyncRAT.\r\nThe campaign targets travel and hospitality organizations in Latin America.\r\nTechniques utilized in this campaign bear a resemblance to those of the Aggah group but are operated by a\r\ndistinct threat actor based out of Brazil.\r\nWe've also discovered a builder/crypter known as “Crypter 3losh rat” used to generate various stages of the\r\nhighly modularized infection chain used by the campaign operators.\r\nWe’ve also seen instances where the crypter author has operated their own malicious campaigns abusing\r\narchive[.]org.\r\nWhat’s new?\r\nCisco Talos recently observed a new set of campaigns targeting Latin American countries. These campaigns use a\r\nmultitude of infection components to deliver two widely popular commodity malware and remote access trojans\r\n(RATs): njRAT and AsyncRAT.\r\nWe also discovered a .NET-based infection chain builder/crypter binary used to generate the malicious infection\r\nartifacts used in recent campaigns, including the ones targeting Latin America. Such builders indicate the author’s\r\nintent to bundle malware generation functionalities for easy distribution and use by operators, customers and\r\naffiliates.\r\nWe’ve also observed some resemblance to the tactics and techniques used by a known crimeware actor “Aggah,”\r\nespecially the final payload delivery stages. 
Aggah has traditionally utilized highly modular infection chains with\r\na focus on hosting malicious payloads on public repositories such as Pastebin, Web Archive and Blogger.\r\nHow did it work?\r\nThe campaigns targeting Latin American countries consist of macro-enabled Office documents that act as the\r\nentry points into the infection. What follows is a modular chain of PowerShell and VB scripts, all working\r\ntowards disabling anti-virus protection features such as AMSI and eventually delivering the RAT payloads.\r\nWe’ve also observed some Aggah campaigns using similar infection chains, including scripts and similar\r\ncommodity malware. However, unlike Aggah, the operators working the Latin American campaigns tend to use\r\nhttps://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html\r\nPage 1 of 32\n\neither compromised or attacker-controlled websites to host their components and payloads instead of using public\r\nhosting services such as Blogger, Pastebin and Web Archive.\r\nThe infection chains used in these campaigns are built using a .NET-based crypter called “3losh crypter rat” [SIC].\r\nThis crypter has been actively advertised on social media by the authors and used to generate infection chains for\r\ncampaigns operated by the crypter’s authors themselves.\r\nSo what?\r\nIt is important for defenders to identify distinct adversaries and their tactics. The use of crypters makes this\r\ndifficult, since completely unconnected actors can now generate identical infection chains for unrelated\r\ncampaigns. Our research uncovers one such scenario, in which three distinct sets of campaigns use the\r\n3losh crypter: the Latin American campaigns, the Aggah campaigns and those operated by the crypter authors.\r\nAll these campaigns, however, aim to distribute commodity RAT families. Commodity malware families are\r\nincreasingly being used by both crimeware and APT groups to infect their targets. 
RATs in particular are\r\nextremely popular because they give their operators a wide range of capabilities on the\r\ninfected systems. These capabilities can be used for malicious activities such as:\r\nPerforming preliminary reconnaissance to scope out victim networks and infrastructure.\r\nDeploying more malware, such as ransomware and wipers, to disrupt enterprise operations.\r\nExecuting arbitrary commands.\r\nExfiltrating confidential and proprietary information from enterprises.\r\nStealing credentials, opening up more systems and services to unauthorized access.\r\nDropper/Crypter developer threat actor\r\nThis threat actor uses the nickname “alosh.” We have found indications that they’ve been active since at least\r\n2018. This actor is the developer of the “3losh crypter rat” crypter. They advertise their services on Facebook and\r\nYouTube, where they keep several videos demonstrating the evasion capabilities of the 3losh crypter or 3losh RAT.\r\nAlthough we can't establish a direct link between this actor and the current campaign, there are several links\r\nbetween this actor and previous campaigns, making them the developer and operator of some malware\r\ncampaigns.\r\nFacebook image advertising the infection builder.\r\nTheir YouTube page shows several videos that explain how to use similar builders to bypass several commercial\r\nanti-virus products.\r\nThe crypter author’s YouTube page.\r\nWe discovered an email address of the crypter author inside one of these videos. 
Pivoting off this email, we found\r\na huge number of payloads hosted at archive[.]org.\r\nYouTube video still from the crypter’s author displaying their email ID.\r\nThis leads us to conclude that, in some cases, the actor is both developer and operator. There are also plenty of\r\nvideos on Instagram and YouTube in which the developer demonstrates that they have compromised several\r\nwebsites.\r\nOn the Web Archive, the actor uses two different usernames: 3losh-rat and alo0ch0011. During our research, the\r\npayloads were removed from the archive for breach of its terms and conditions. However, we still listed them\r\nbased on the cache. Most of these payloads had several stages, finally delivering njRAT.\r\nCrypter author hosting malicious artifacts on archive[.]org.\r\nThe current campaign\r\nThe threat actor\r\nWe believe the threat actor behind the current campaign targeting Latin America is not the crypter developer. In\r\nfact, there are several indications that this actor is Brazilian. Several technical and tactical\r\nlinks support this assertion.\r\nTo begin with, one of the most prolific domains owned and operated by the threat actor (updatewin32[.]xyz) was\r\nregistered in Brazil.\r\nWhois record for domain updatewin32[.]xyz.\r\nTalos discovered several maldocs predominantly named in Portuguese. One such malicious document was called\r\n“Documento.doc” (Portuguese for “document”). 
Looking at the several files that constitute the .doc file, there are\r\ntwo files called “AquiTaLimpo,” one with the .xml extension and another with the “.xml.rels” extension.\r\n“AquiTaLimpo” is Portuguese slang for “here it's clean.”\r\nConstituent files in the Open XML-based maldoc.\r\nThe XLSM files embedded in the document contain the VBA macro code that downloads the main payload. The macro module is named\r\n“EstaPastaDeTrabalho,” as can be seen in the screenshot below. This is the Portuguese-localized name of Excel's default “ThisWorkbook”\r\nmodule (“pasta de trabalho” is the Portuguese Excel term for a workbook, literally “work folder”).\r\nPortuguese stream and macro names used in the maldocs.\r\nAdditional metadata indicates that the creator and last-modified tags of the maldoc are also written in Portuguese,\r\nas can be seen below. These findings indicate that the actor's operating environment, especially the systems used to\r\ngenerate the maldocs, uses the Portuguese language.\r\nMaldoc metadata showing the creator and “last modified by” party names in Portuguese.\r\nThe creator is a common Portuguese-language name; however, the “last modified by” tag can be translated to\r\n“Knight from Troy,” implying a trojan. The same name appears in the properties of the XLSM files.\r\nMalware authors and campaign operators frequently submit their payloads to public detection systems such as\r\nVirusTotal to check the efficacy of anti-virus products against their malware. This is a practice seen frequently\r\nacross many crimeware groups.\r\nThe Brazilian threat actor used this practice to submit test files with Portuguese names to VirusTotal in June and\r\nJuly 2021, all submitted from Brazil. These files are named “Exploit pronto para envio.rar,” which\r\ntranslates to “exploit ready to be sent.”\r\nEarly versions of the test maldocs were true test copies that simply executed calc.exe. 
At the time of writing, there\r\nwere approximately 11 such files with slight differences, all submitted from the same Brazilian origin around\r\nthe same time.\r\nPreliminary versions of the test maldocs executing calc.exe.\r\nLater test files embed the same file names, author name, malicious domains and\r\nURLs as those used in the Latin American campaign.\r\nA quick look at the metadata of these test files also confirms the use of Brazilian Portuguese to build the test\r\nmaldocs.\r\nBrazilian Portuguese language code in the test maldocs.\r\nAs we said above, the crypter author advertises the crypter on social networks such as Facebook, Instagram and\r\nYouTube. We’ve found Portuguese-speaking users either praising the crypter or asking for it.\r\nAs described in subsequent sections, the text of the malspam email is in near-perfect Brazilian Portuguese, and the Visual Basic\r\nfor Applications (VBA) code in the PPAM file attached to the email shows that it was written on a Portuguese-language\r\nOffice installation, since the VBA module is called “Módulo1,” the Portuguese default name for “Module1.”\r\nVictimology\r\nThe countries targeted by this set of attacks are primarily in Latin America:\r\nTargeted countries.\r\nThe campaign uses maldocs posing as something as inconspicuous as hotel reservation dates.\r\nA good example of a maldoc’s file name is “Fechas informativas para reservar Amérian Portal del Iguazú,” which\r\nroughly translates to “Informative dates to reserve Amérian Portal del Iguazú” (“Amérian Portal del Iguazú” is a\r\nhotel in Argentina). 
It is worth noting that the content of the email is in near-perfect Brazilian Portuguese.\r\nThese campaigns focusing on Latin American countries usually use malspam to deliver the malicious\r\nmacro-enabled document to their victims.\r\nAn example of a malspam email delivering a PPAM maldoc as early as Jan. 19, 2021.\r\nInfection chain\r\nSome of the Word documents discovered for this campaign use a chain of relationship definitions to load\r\nembedded XLSM files, which contain the actual VBA code that downloads the payloads.\r\nAdditional malicious XLSM files loaded at runtime.\r\nThe maldocs are Office Open XML documents containing two key relationship definition files: the main one,\r\ncalled “AquiTaLimpo.xml.rels,” and another called “comments.xml.rels.” These load the embedded\r\nXLSM files that contain the VBA code.\r\nMalicious relationship file linking to the embedded XLSM files.\r\nWhen the Word document is opened, Excel is also loaded to open the XLSM files embedded in the document and\r\nlaunches the macro that downloads the payloads.\r\nWe also discovered a variety of maldocs that are macro-enabled add-in files, such as PPAM and XLAM, serving as\r\nentry points of the infection chain. PPAM files are add-in files used by Microsoft PowerPoint to add\r\nfunctionality such as custom macros, tools and commands. These macro-enabled maldocs act as entry points to\r\nthe infection chain. 
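The document structure described above, as an added example that is not part of the original post or of any Talos tooling: a small Python inspector that builds a constructed Word package in memory (the part names, the two embedded workbooks, the fake vbaProject.bin, the external URL and the core.xml property values are all assumptions), then walks every .rels file in it, resolves each relationship target, flags targets that are macro-enabled packages or external URLs, recurses into the embedded XLSM files to look for vbaProject.bin, and reads the creator and lastModifiedBy properties discussed in the threat actor section. The same walk works on a real .docx, .xlsm or .ppam by passing the file bytes to inspect_package.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

REL_NS = '{http://schemas.openxmlformats.org/package/2006/relationships}'
CORE_NS = '{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}'
DC_NS = '{http://purl.org/dc/elements/1.1/}'
MACRO_EXT = ('.xlsm', '.xlam', '.docm', '.dotm', '.pptm', '.ppam')

RELS_TMPL = '''<?xml version='1.0' encoding='UTF-8'?>
<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>{}</Relationships>'''
REL_TMPL = '''<Relationship Id='{}' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/{}' Target='{}'{}/>'''
CORE_TMPL = '''<?xml version='1.0' encoding='UTF-8'?>
<cp:coreProperties xmlns:cp='http://schemas.openxmlformats.org/package/2006/metadata/core-properties' xmlns:dc='http://purl.org/dc/elements/1.1/'>
<dc:creator>{}</dc:creator><cp:lastModifiedBy>{}</cp:lastModifiedBy></cp:coreProperties>'''


def rels(*entries):
    # entries: (relationship type suffix, target, is_external)
    items = []
    for i, (kind, target, external) in enumerate(entries, 1):
        mode = ''' TargetMode='External' ''' if external else ''
        items.append(REL_TMPL.format('rId%d' % i, kind, target, mode))
    return RELS_TMPL.format(''.join(items))


def zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_docx():
    # Constructed package modelled on the post: Word-side .rels files point at two embedded
    # macro-enabled workbooks. Part names, the fake vbaProject.bin, the external URL and the
    # property values are assumptions. It is not a complete, Word-openable document.
    xlsm = zip_bytes({
        'xl/workbook.xml': '<workbook/>',
        'xl/vbaProject.bin': b'constructed stand-in for a VBA project stream',
        'xl/_rels/workbook.xml.rels': rels(('vbaProject', 'vbaProject.bin', False)),
    })
    return zip_bytes({
        'word/document.xml': '<document/>',
        'word/AquiTaLimpo.xml': '<stub/>',
        'word/comments.xml': '<comments/>',
        'word/_rels/AquiTaLimpo.xml.rels': rels(('package', 'embeddings/Pasta1.xlsm', False)),
        'word/_rels/comments.xml.rels': rels(('package', 'embeddings/Pasta2.xlsm', False),
                                             ('hyperlink', 'http://example.invalid/stage.hta', True)),
        'word/embeddings/Pasta1.xlsm': xlsm,
        'word/embeddings/Pasta2.xlsm': xlsm,
        'docProps/core.xml': CORE_TMPL.format('Autor Exemplo', 'Editor Exemplo'),
    })


def inspect_package(data, prefix=''):
    # Walk an OOXML zip: collect creator/lastModifiedBy, every relationship with its resolved
    # target, and every macro-bearing part, recursing into embedded packages.
    out = {'metadata': {}, 'relationships': [], 'macro_parts': [], 'flags': []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith('vbaproject.bin'):
                out['macro_parts'].append(prefix + name)
            if low.endswith(MACRO_EXT):
                out['macro_parts'].append(prefix + name)
                out['flags'].append('embedded-macro-package')
                inner = z.read(name)
                if inner[:2] == b'PK':
                    nested = inspect_package(inner, prefix + name + '!')
                    for key in ('relationships', 'macro_parts', 'flags'):
                        out[key].extend(nested[key])
            if low.endswith('.rels'):
                # word/_rels/x.xml.rels describes word/x.xml, so targets resolve relative to word/
                base = posixpath.dirname(posixpath.dirname(name))
                for rel in ET.fromstring(z.read(name)).iter(REL_NS + 'Relationship'):
                    external = rel.get('TargetMode') == 'External'
                    target = rel.get('Target')
                    resolved = target if external else posixpath.normpath(posixpath.join(base, target))
                    out['relationships'].append({'rels': prefix + name, 'target': resolved, 'external': external})
                    if external:
                        out['flags'].append('external-relationship')
                    elif resolved.lower().endswith(MACRO_EXT):
                        out['flags'].append('rels-loads-macro-package')
            if low == 'docprops/core.xml':
                root = ET.fromstring(z.read(name))
                for key, tag in (('creator', DC_NS + 'creator'), ('lastModifiedBy', CORE_NS + 'lastModifiedBy')):
                    node = root.find(tag)
                    out['metadata'][key] = node.text if node is not None else None
    out['flags'] = sorted(set(out['flags']))
    return out


if __name__ == '__main__':
    report = inspect_package(build_sample_docx())
    print(report['metadata'], report['flags'])
    for r in report['relationships']:
        print(r)
    print(report['macro_parts'])
```

The relationship walk is the check to run first on a suspicious Office file: a Word document whose .rels point at an embedded XLSM is unusual enough to triage on its own, and external targets are worth listing because the operators of these campaigns host components on their own or compromised websites. The metadata read is what surfaces the Portuguese creator and last-modified-by names discussed above.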
Finally, the infection chain drops a popular RAT, either njRAT or AsyncRAT.\r\nThe earliest infection chain discovered contains a macro that downloads and executes a remote HTA file from an\r\nattacker-controlled location.\r\nMalicious macro in the PPAM.\r\nStage 1A: Malicious HTA\r\nThe malicious HTA is simply an escaped JavaScript snippet that, in turn, executes a VBScript (embedded in the\r\nHTA) to download and execute the next stage (the Stage 2 PowerShell script) of the infection chain.\r\nStage 1A malicious HTA containing escaped JavaScript code.\r\nUn-escaped VB code used to download and execute Stage 2 on the endpoint.\r\nStage 2: PS1 Script\r\nThe PowerShell script executed on the endpoint is the de facto orchestrator of the infection chain.\r\nThis script performs the following actions on the endpoint:\r\n1. Change the current user’s Startup folder to the one specified in the script by modifying the registry values:\r\nHKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders | Startup =\r\n\u003ccustom_directory\u003e\r\nHKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders | Startup = \u003ccustom_directory\u003e\r\nwhere\r\n\u003ccustom_directory\u003e = directory created by the malicious ps1 script.\r\nRedirecting these values makes Explorer run the contents of the attacker's directory at logon while the standard Startup folder that defenders normally check stays empty.\r\n2. Create a custom VBS (Stage 2A) in this modified Startup directory to execute a downloaded PowerShell\r\n(ps1) script (Stage 3, e.g. “msi.ps1”) across reboots.\r\nVBScript created in a custom Startup folder to run a ps1 downloaded subsequently.\r\n3. Check for the presence of five anti-virus products on the endpoint. Based on the AV\r\nfound, it downloads a specific version of the ps1 described in the previous step (the Stage 3 script, msi.ps1 above; the figures\r\nlabel this AV-specific variant “Stage 4”) and executes the VB script created in Stage 2A.\r\nAV product-based Stage 4 script download and execution.\r\nThe AV products checked by the script are:\r\nESET Security\r\nAvast\r\nMcAfee\r\nMalwarebytes\r\nAVG\r\n4. If none of these AV products is found on the endpoint, the script performs the following actions:\r\n a. Create four configuration scripts on the endpoint.\r\n b. Script 1 modifies the “windir” path so that the script executes whenever a user or application expands the “windir”\r\nenvironment variable. The script also runs Script 3 if the current user is an Administrator.\r\nFigure 12: Modify the “windir” path to execute itself.\r\n c. Script 2 creates Microsoft Defender exclusions for specific paths and executables and enables the\r\n.NET Framework 3.5 feature (NetFX3):\r\nAdd-MpPreference -ExclusionPath C:\r\nAdd-MpPreference -ExclusionProcess powershell.exe\r\nAdd-MpPreference -ExclusionProcess Wscript.exe\r\nDism /online /enable-feature /featurename:NetFX3\r\nAn exclusion path of C: effectively removes the whole system drive from Defender scanning. Add-MpPreference requires administrative rights, which is consistent with Script 1 only chaining to Script 3 (and thus Script 2) when the user is an Administrator.\r\n d. Script 3 runs Script 2.\r\n e. Script 4 runs Script 1.\r\n f. Execute Script 4 on the endpoint.\r\nThe execution of these scripts is convoluted; the following diagram illustrates the order:\r\nMini-scripts execution order.\r\n g. Finally, the parent ps1 script downloads another version of the Stage 4 script and executes it via the Stage\r\n2A VB script.\r\n h. Once the configuration scripts have completed execution, they are deleted from the endpoint.\r\nStage 3: PS1\r\nThe Stage 3 ps1 is simple and consists of three key components:\r\n1. 
Hexlified injector DLL: This DLL is used to run a specified process and inject the accompanying malware\r\ninto it.\r\n2. Hexlified malware payload: either njRAT or AsyncRAT.\r\n3. A Base64-encoded or plaintext command that reflectively loads the injector DLL into the PowerShell process, with\r\nthe target process’ image path and the malware payload bytes passed as arguments to the injector. An\r\nexample of the reflective loading command used is:\r\n[Reflection.Assembly]::Load($H5).GetType('VBNET.PE').GetMethod('Run').Invoke($null,[object[]] (\r\n'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe',$H1))\r\nwhere\r\n$H5 = injector DLL bytes\r\n$H1 = malware payload bytes\r\naspnet_compiler.exe = target process to inject the payload into; this may vary between instances of the infection.\r\nBecause the assembly is loaded from a byte array, the injector DLL is never written to disk as a separate file; its bytes exist only as hex inside the script and in the memory of the PowerShell process.\r\nStage 3 ps1 script.\r\nThe overall infection chain is:\r\nComplete infection chain.\r\nWe have also observed minor variations in the infection chains where some of the (mini) scripts used in Stage 2\r\nare hosted independently, downloaded and executed during the infection process. This is another example of a\r\nthreat actor modularizing their infection chain to be able to control and update different stages of the attack.\r\nThe executables accompanying the Stage 3 PowerShell script consist of:\r\nInjector DLL: This DLL accepts two arguments:\r\nThe file path of a process to be spawned, hollowed and replaced with the accompanying malware payload.\r\nMalware payload bytes to be injected into the hollowed-out target process.\r\nMalware payload: The actual malware payload to be deployed on the endpoint.\r\nThe DLL is a simple .NET-based injector. It is usually obfuscated with .NET Reactor, which can be\r\neasily deobfuscated using de4dot. 
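The Stage 2 behaviours (Startup folder redirection, the windir modification, the Defender exclusions and the NetFX3 enablement) and the Stage 3 components (hexlified injector DLL and payload, reflective load, target process path) described above, as an added example that is not part of the original post or of any Talos tooling: a Python triage script for recovered PowerShell text. A constructed sample is embedded; the drop directory, the use of the per-user HKCU Environment key for the windir value, the variable names and the two 64-byte MZ blobs are assumptions, not content from a real sample. The script flags each Stage 2 indicator by line, carves every long hex string into bytes and marks which ones are PE images, identifies which variable is passed to Assembly::Load (the injector), lists the remaining PE blobs as payload candidates and extracts the target process path from the Invoke call.

```python
import re

BS = chr(92)  # a single backslash, used to assemble the Windows paths below
Q = chr(39)   # a single quote, used to wrap PowerShell string literals in the sample
NL = chr(10)

# Constructed sample: a condensed Stage 2 + Stage 3 script modelled on the behaviours the post
# describes. The drop directory, the use of the per-user HKCU Environment key for the windir value,
# the variable names and the two 64-byte MZ blobs are assumptions, not content from a real sample.
# A real Stage 3 script converts the hex strings to byte arrays before the Load call.
REG_USF = BS.join(['HKCU:', 'Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Explorer', 'User Shell Folders'])
REG_SF = BS.join(['HKCU:', 'Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Explorer', 'Shell Folders'])
DROP = BS.join(['C:', 'Users', 'Public', 'Libraries', 'Up'])
TARGET = BS.join(['C:', 'Windows', 'Microsoft.NET', 'Framework', 'v4.0.30319', 'aspnet_compiler.exe'])
FAKE_DLL = (b'MZ' + bytes(62)).hex()
FAKE_RAT = (b'MZ' + bytes(30) + b'constructed-payload' + bytes(13)).hex()

SAMPLE = NL.join([
    'New-Item -ItemType Directory -Force ' + DROP,
    'Set-ItemProperty -Path ' + Q + REG_USF + Q + ' -Name Startup -Value ' + Q + DROP + Q,
    'Set-ItemProperty -Path ' + Q + REG_SF + Q + ' -Name Startup -Value ' + Q + DROP + Q,
    'Add-MpPreference -ExclusionPath C:',
    'Add-MpPreference -ExclusionProcess powershell.exe',
    'Add-MpPreference -ExclusionProcess Wscript.exe',
    'Dism /online /enable-feature /featurename:NetFX3',
    'Set-ItemProperty -Path HKCU:' + BS + 'Environment -Name windir -Value '
    + Q + 'powershell -ep bypass -w h ' + DROP + BS + 'r.ps1 #' + Q,
    '$H1 = ' + Q + FAKE_RAT + Q,
    '$H5 = ' + Q + FAKE_DLL + Q,
    '[Reflection.Assembly]::Load($H5).GetType(' + Q + 'VBNET.PE' + Q + ').GetMethod(' + Q + 'Run' + Q
    + ').Invoke($null,[object[]] (' + Q + TARGET + Q + ',$H1))',
])

# (rule name, substrings that must all appear on the same line, matched case-insensitively)
RULES = [
    ('startup-folder-redirect', ('shell folders', 'startup')),      # Stage 2 step 1
    ('windir-redirect', ('itemproperty', 'windir')),                # Stage 2 mini-script 1
    ('defender-exclusion', ('add-mppreference', '-exclusion')),     # Stage 2 mini-script 2
    ('netfx3-enable', ('enable-feature', 'netfx3')),                # Stage 2 mini-script 2
    ('inmemory-assembly-load', ('[reflection.assembly]::load',)),   # Stage 3 loader
]
HEX_ASSIGN = re.compile('[$]([A-Za-z0-9_]+)[ ]*=[ ]*.([0-9A-Fa-f]{32,})')
LOAD_VAR = re.compile('Assembly[]]::Load[(][$]([A-Za-z0-9_]+)[)]')
TARGET_PATH = re.compile('[.]Invoke[(].*?([A-Za-z]:[^,]+?[.]exe)', re.IGNORECASE)


def scan_indicators(text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        for rule, needles in RULES:
            if all(n in low for n in needles):
                findings.append({'rule': rule, 'line': lineno})
    return findings


def carve_blobs(text):
    # Decode every long hex string assigned to a variable and note which ones start with MZ.
    blobs = []
    for m in HEX_ASSIGN.finditer(text):
        h = m.group(2)
        if len(h) % 2:
            continue
        data = bytes.fromhex(h)
        blobs.append({'var': m.group(1), 'size': len(data), 'is_pe': data[:2] == b'MZ', 'data': data})
    return blobs


def triage(text):
    load = LOAD_VAR.search(text)
    tgt = TARGET_PATH.search(text)
    blobs = carve_blobs(text)
    injector = load.group(1) if load else None
    return {
        'findings': scan_indicators(text),
        'blobs': blobs,
        'injector': injector,
        'payloads': [b['var'] for b in blobs if b['is_pe'] and b['var'] != injector],
        'target': tgt.group(1) if tgt else None,
    }


if __name__ == '__main__':
    report = triage(SAMPLE)
    for f in report['findings']:
        print(f['line'], f['rule'])
    print('injector:', report['injector'], 'payloads:', report['payloads'], 'target:', report['target'])
    for b in report['blobs']:
        print(b['var'], b['size'], 'PE' if b['is_pe'] else 'not PE')
```

Run triage over the text of a recovered msi.ps1 or over PowerShell script block logging output (Event ID 4104). The rules are substring-based on purpose so that renamed variables do not defeat them, at the cost of a human confirming each hit; a Base64-wrapped loader command, which the post notes is one of the two forms, has to be decoded before the text is scanned. The carved PE blobs can be written out and scanned, or the injector handed to de4dot as described above.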
There is only one public method (VBNET.PE.Run in the loader command above) that takes the two arguments mentioned\r\nabove and deploys the malware payload into the target process.\r\nThe injection method is straight process hollowing, following all the usual steps. If any error occurs during the\r\ninjection, it kills the target process and retries up to five times before giving up.\r\nInterestingly, the DLL, which is a modified version of RunPE, also contains code to change the ACLs of kernel objects.\r\nThis code is never called, indicating either work in progress or redundant code borrowed from elsewhere and\r\nnever used.\r\nMalware Payloads\r\nThe malware payloads found so far belong to two families: AsyncRAT and njRAT.\r\nAsyncRAT and njRAT are well-known and highly prolific RATs used by crimeware groups and APTs.\r\nMany malware families use victim names or group IDs to identify different types of infections. This is done so\r\nthat campaign operators can easily identify infections for administration and deploy additional malware to their\r\nvictims.\r\nAsyncRAT and njRAT both use such victim identification methods. While njRAT identifies victims using\r\nthe “victim name,” AsyncRAT uses a “group name” to keep track of infections and their respective groups.\r\nThe victim identifiers found embedded in the RATs were indicative of their targeting of Latin American countries.\r\nThis finding matches the targeting tactics, themes and languages used in the maldocs employed in these\r\nattacks. Some of these victim identifiers (specific to Latin America) used are:\r\nThe infection chain builder\r\nTalos also discovered a builder used by the operators of the attacks to create multiple scripts used in various stages\r\nof the attack chain. 
This builder is named “Crypter 3losh RAT.” It contains a set of malicious scripts\r\nembedded as resources, which are modified based on the inputs provided by the operator to\r\ngenerate the various scripts. The builder is written in .NET and can carry out a variety of malicious actions, which\r\nwe outline below.\r\nBuild Stage 1A scripts\r\nFor Stage 1A, the builder generates only the VBScript that the HTAs carry (its output is a .vbs file, not an HTA). The embedded VBScript\r\nit modifies is an older version used in previous attack campaigns by the operators.\r\nThe builder accepts the URL for the next stage and generates a VBScript. The VBScript is displayed to the user in\r\na textbox on the UI and also saved to the builder’s working directory under the name “alosh-rat.vbs.”\r\nStage 1A VBScript generated in the bottom-left text box based on the Stage 2 URL specified in the text box at the\r\ntop.\r\nBuild Stage 2 scripts\r\nThe second-stage scripts are built from an embedded PS1 template. This UI accepts two URLs for the Stage 3 PS1\r\nscripts and writes a file called “3.txt” to the current user’s Desktop folder.\r\nBuilder UI for creating the Stage 2 scripts with the Stage 3 script URLs as inputs.\r\nBuild Stage 3 scripts\r\nThe Stage 3 scripts are perhaps the most important part of the infection chain. These scripts are responsible for\r\nunhexlifying the injector DLL and malware payload and, in turn, deploying both to infect the victim’s endpoint.\r\nAgain, the builder here uses two embedded PS1 scripts as templates. These templates already contain the hex\r\nrepresentation of the injector DLL. 
This builder UI accepts the local file paths of up to two malware payloads to\r\nbe embedded in the generated Stage 3 scripts, called “1.txt” and “2.txt,” respectively.\r\nStage 3 builder UI accepting paths to the RAT binaries.\r\nThe builder contains references to its creator on Facebook, YouTube and Skype. The YouTube page shows several\r\nvideos that explain how to use the builder to bypass several commercial anti-virus products.\r\nThe Aggah connection\r\nDistinct malware campaigns often share commonalities and overlaps in their TTPs. At times, this\r\nis due to the use of the same publicly or semi-privately available tools, builders and malware-as-a-service. An\r\ninteresting commonality between the Latin American and Aggah campaigns seen recently is the Stage 3\r\nPowerShell scripts. They use the same structure, syntax and semantics, down to the exact variable names.\r\nIdentical Stage 3 PowerShell scripts are also present in the “3losh rat” crypter/builder described previously. This\r\nindicates either a common source code base for both campaign sets or the use of a common crypter to\r\nbuild the infection chains. For attribution, this means a Stage 3 script match on its own identifies the tooling, not the operator.\r\nThe malware families distributed by Aggah are also very similar to those seen in the Latin American campaigns,\r\ni.e., AsyncRAT and njRAT.\r\nThere are, however, a few distinctions between the two campaign sets:\r\nAggah relies heavily on URL redirection services in their campaigns, specifically bitly,\r\nj[.]mp, etc. We have not observed the use of these services in the Latin American campaigns.\r\nAggah is also known to heavily abuse public hosting services such as Blogger, Pastebin, Web Archive, etc.\r\nto host their malicious components. 
The Latin American campaigns, however, indicate that the operators\r\ntend to use either compromised or attacker-controlled websites to host their components and payloads.\r\nThus there are three distinct sets of campaigns using the same crypter and infection scripts:\r\nThe campaigns conducted by the crypter author “Alosh,” also seen abusing archive[.]org to host their\r\nmalicious payloads.\r\nThe campaigns conducted by the Brazilian threat actor targeting Latin America.\r\nThe campaigns conducted by the crimeware group “Aggah” using the same scripts found in the\r\n“3losh rat” crypter.\r\nConclusion\r\nThis post details a crypter used by operators to build infection artifacts for spreading malware in Latin\r\nAmerica with a focus on the travel and hospitality industry. The campaign started in October 2020 and is currently\r\nongoing. The fact that the actor is regional gives them the advantage of being able to write more targeted and\r\nconvincing emails. This is a good example of how an actor can inflict losses on organizations without being part of an\r\nAPT or a crimeware syndicate.\r\nThe variety and ease of generating infection artifacts via crypters indicate that the attackers will likely\r\nexpand their net of victims to more industries and geographies.\r\nThe threat actor authoring the crypter primarily aims to sell it as a service. We’ve observed the authors advertising\r\ntheir crypters on Facebook, YouTube and other social media. However, we’ve also discovered that the crypter’s\r\nauthors have conducted their own malware campaigns abusing archive[.]org to deliver commodity RATs.\r\nThe highly modular structure of the Latin American attack indicates a focus on stealth to deliver two widely\r\npopular RAT families, AsyncRAT and njRAT. 
These techniques, along with other indicators, are shared with the\r\nAggah group, indicating that the crypter author might have sold it to both parties.\r\nOrganizations should remain vigilant against such threats, as they are likely to proliferate in the future.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. For specific OSqueries on this threat, click below:\r\nnjRAT\r\nAsyncRAT\r\nIOCs\r\nHashes\r\nMalicious Emails\r\n9080f4537909efb164d08911e81e67def4939543605456357ea50f076291fd85\r\nPPAM and XLAM files\r\n00627edeb9ce2f53fa615e6670ee58415be60f9a04c483b788e0e7add2992aba\r\n56aa47ed75e94dad361eacb1b5bc40044ae34e120d2cbd15105283c2c6727948\r\nac88d9e338570b2b79c60970db289beeaf8aa39e3f44d412c5a9f5881b480c5c\r\n147a300e77514e4ed827c6e250f781fbf8d7f0360b5e5d995e0242a3e81a0075\r\nfa6a0108e64c04d4510afc3e54a367196bfb21dda3638971489b7705687aa65c\r\n72c90f13ae2ae87c374ffb5b2e2db003882fadc040155149231587750f5ddbc7\r\nbdc3fd3eee890e62d0a81d80ae73b64c56c111940c4aea6fc5c367203dcd5513\r\neef5993a740d3420cbb18375600f40aafa098958be5a71c0105f12c7b9df1887\r\n61f1b9be329e3e6080f14c4af49acf641858157d3d94f7095ce64bbc1c6e7610\r\nf686254e7d47ad3bfa75a81ab7e0c7f97f786351fcf601ea8a001772e5c907d6\r\ne4d4cc7c45257ece991a5b93a713b78090aed990020d2c31fc5cf6f4bac99420\r\ne53ddc8d759efe84def8137b7ffb0e63740c1d24fb232d91028f4a7e4a01d4f1\r\n1c1975beb0ebd44f954ac7824c4f2687386dd1cda1e9b7133271537457fedc02\r\n73ac27b9c82d1ba56e9b632ab902220cffa20f33b5263c543c73b67b8e77219c\r\nf7bb7c7e066cea1a6874521cc8a5eef1714b758ae213b1b19026104c21ce01f1\r\n05f0bf4bbaf08e709c7dbcbfc40e562b714b590f9b9e8dd9dfe9fe550663642a\r\nb8fe3837f4a592788f5b9ca3b4f6bcd0515df4bbaeefdbf9f44b2ae214acb4b6\r\na448a9b6e883cf9c3bb5beef9764d22685e69e2ec213c91ad5d5bbc120634c0b\r\nf1b7bd87ea04aa5162b4baa2f37ea061bb9bddf14485a4a548850a0b44b2aa75\r\n4b3d35a8df8a029f52e5ebc6ae981d427691c9d536dcef4178c4424bc046f57c\r\na3abcf60dc3dcee74e9329ab48f71acfcd63653f2b47dd0846c38a208aac0d64\r\n07b5910e731c2f4bde25d9919703031d8ac73b6344d9c0abf2b39a7e9f8d3b4f\r\nfc40cc9e5547c3ea65850419c19c72af81073289e94421139166eaa228993126\r\n2f3b0ab840cdbfff6a0404f1049f9a6cee0184801f4554c4dec3165724be19bc\r\nStage 1A - 
HTA\r\n7670bba115c1df8eab2509e0d4f53c90f8f8fd22e09a730c3d495d9c951a1f03\r\nce733816ccb171af8e89f3a334bd00f82c63c20b02fa6345ba67d1bd6365addb\r\n7da245d4eeb382d2cb53de5c7bca042587887c7b52a2df784d58d843470e9c8e\r\n24ff6109c93174a7be6eaf11bb359394be235666241a6f1fd78581b18334ec5d\r\ne7abfae672aad5700fd71c9117b727f90b0de271f5232995d261324d708fb2cc\r\n7442306336019d939e92c7c0a2562be2198872bd7a7a12cbed29a1cdd2d11948\r\nf927ac2182f2a5b8d0da62608c9565ef856534051996c6a3c61f426df4d6f272\r\n038384b895edc2a8ff3090d3a13261871562eb6caab74b9101d416be7bfae139\r\nff93194ce80707a9f4e8ea4f2e63f8b3a48691ae3ae6cb2867a8c14301683b22\r\nfc78f0ca8c0a89722c66c029df32a2a8f3b07079d9afab57138a50032deb86d3\r\nc2577967641d4c528da21e257ddf399542cb5353b8f717e0cec1200ed8b04389\r\n3d43ad8d86b3c38e68477238cb2cf53bf0c87da437f0fab6f224a04b38376a81\r\nStage 2 - PS1\r\n624c271f9c06ab2300bb19b6555cf834d5c9a56cc3d0fa2b2fb916b63f73d416\r\ncb94afd551f9cf0c607c85415ed62d51c8c52c098c759544052281a6b7037032\r\n2c47541dd62d14f5495b23b60b414e2f86cc7b9d27822b88f65e423e041b8645\r\ne4171f3de977b6748459975c555126cafc578faffefa7dc93b1e46dd5b6d08ba\r\n37cd7836f979bb993cb9c38da0c4edad72f70eeb876faf1b2e21660e4efb7f6d\r\nd4bcd6ff073ae1a032b43c46440a6e1a70f3d3450106e0cf65c69a299417de23\r\n84c7cbd4484c84fa0fa8daebdf3aa0dd7eb0edc5be0957f224dbfe552b07144e\r\ne2129853b08f99aa4de49ff396608af37dc03dda6efa1fae1f82c5c4e7ab7fcd\r\nStage 2A - VBS\r\n6acba6585f5ae7cae0f1dac3af605861ae1f79847d75c082949ab8d2949aeff3\r\nStage 3 - 
PS1\r\n782af49032f0fffb21ff0f5c38d56e566f4a8b2e53f3a2e1986349cdde7f8e2e\r\n486e4f7f5219e6fb03e01a0b488b87a2d85663937a7cd972871ee8ba175cd4f1\r\na3643cb237606aaec04deff8246c539d3ccb72bfa0ce9c02a235c04d08b87909\r\n06e2db6aa09791067071c4082dba6863de879852e95e678dab267026d7005770\r\ncd1be7351b0175c83ce3f8a7cede5a4fbe39ef750bfa31c2b8707ad2e6217948\r\ne91de341151086d4381599bc0129709b5d67ca4a5ef4a8dc085839e7b903f701\r\n7f9b7d0a8b2d45728c729fcd8100726fd173ae089943349c5cc4162088cbf6e7\r\n4c6951ea6db1d70a6bb016ee2bff6473e83f5cc064699e53bd99ec68dc11c8ad\r\nf6860ba876f3a50faf37e5498c859d40ac4f3fe90c379245b35b74f84c28137a\r\n7be08b532949ac03c0861f63cdfe79395ee75d99ef040f1b921409338243b849\r\n0459d34b98ffd24f0b9ad063a36d62e6b699041c0eba211ddf6e7a25a063f0e3\r\nb56e6c2513a4f50e8d15bccbeb252ae087f34556c144578cd20b830bb3c69b45\r\n87183315cbf7b56aec5e47c658bce8890f04ce8355801d81d0ef93b90d6a3fff\r\n21170aca6f904d55c88e4809f28c844c2daa5ad0ebd96a2e479f28725fc417eb\r\n47b2d8028bf85302ed24bf9c145bbce184c756a6648d996085b9d0f93b1e50b5\r\nd4b2896b62990a75b9d5f858e575c039344a9fc9d219f7c25571f9c75c80b0b6\r\n60cd0888629e035c94a74ab6ba475e6a306a58eaf554dd5e35973d06401dcade\r\n46a571bee09c8b7284212a3e5f7054c6ffb3ccaafea93730253950279dff3363\r\n777ee27781b10eda1626b32433ed99dbcc969c4360734bbcc744789d38ef0cea\r\n7b701642379ec4270aaa6f436c969a60be516c5d48dc874a7a46114d7bc29edd\r\nedaab1e2458537d43981a1496c3eb7bd1d08876b42a36cebcbc538581c1f1bcc\r\nd1321dc8680d9ded1430b55eca3cd9fb8587eb4da27f522a87ec0fe9cbe08b42\r\n786c44c88fa9a51d69e1f110b47b0b6c33f504969f8e49de3835f0497f0ab8ea\r\nInjector 
DLLs\r\neb4616d6234927f1763fabe82d7f73f26980323af6411951f2db4e244ef29654\r\na25771c577fbbfb5cc28cdb598deb82192765e8bd376e78bc87909f62621b7a0\r\nd5f37a5630e46ef134e78b7d3828986afdfc33477f5b5776851b562ae8dc26b8\r\n9165b9f24866c71b77654ac1c7667d93c30bbc29905e9469eb7e48f08104720c\r\n91ccd22f96c1b407da7825ce155e6685765235aa6525c09f2f632429ce79512b\r\n90674a2a4c31a65afc7dc986bae5da45342e2d6a20159c01587a8e0494c87371\r\n82bd8e28f81160039e462330daee5190d7f474e76723aea057ddeadb201bc55c\r\n24332968eb4cc46982b807d76da02fd1ad36235f04bc1e4962924355c9828733\r\ne3e91d69f464752c243cd40661334291be12466aa3d9294b86b419dae1f17c7e\r\nd5f37a5630e46ef134e78b7d3828986afdfc33477f5b5776851b562ae8dc26b8\r\n9165b9f24866c71b77654ac1c7667d93c30bbc29905e9469eb7e48f08104720c\r\nhttps://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html\r\nPage 27 of 32\n\nnjRAT\r\n0cf9e86a1db39f106933ed31fc94cd318fab33d5f000e1fce80b2e5827a1adfc\r\n418b71760c6de41ed293744610e252c7474decd221371ffa449411dde751be46\r\ndedb66e5c1313f5952cfa1b1280546c625d5b759cedb87e28950f1c18ef3caf7\r\n43175b875ea94a762963d8b15d84b8c1b0882fa850343a5ce75325fb63612519\r\n17506df03d616598708a6520f901b46bb1624a9f27dfc8a3875ce2c3f8c94fc2\r\nAsyncRAT\r\nb9520bacbd60af9792b105232d453b8b7e4e6b0b1e9e505fb50435d46c97b6e7\r\n5a3bf8a7e4c103a834f08854a13e67ee4f176611be01bf27f3c7def0c988c768\r\n5df520408cef3d532d41136ed3a2ac24f7a18d060bcf85778aa157c938b6e2dd\r\n2a9edc18b10a532f7632d6b44f2610ca3a823c2b2be7a3fd3126b55af2c68ede\r\na88857a647d4f0443d67c9d6b025abf76e16e05c0d1499eb2be67a10cd025745\r\n1b3d41d44659ff038cf8aafdc5ff021646771106d957783aecdff725158c216c\r\n991a6446da94bb297078bd1031019395b5ed58bd4a878df0cf8707448028b6ed\r\na6007d0497b7b79206b7a32dd30ca1d7f4d36e5c548c34be44b7cbf35393e7e2\r\ne31247241e58720b205eeedd3184923641fea7f027245d6896e54ae5538b4f52\r\n806a9803d28f2cdbbe98c4b86865c64be25e2c85e043ae7d76ed04018fd7c8f0\r\n542a389b63f586e36063cc6dc72337955951013f1684386e1d2b325c0510daf7\r\n143f92ade0221b8104c0add0ecbf5f75
c84840ec2b9ceb2b1a3317f99d98a863\r\ncd889b56855cffe94ba55d0f4ea6ef13a4ea03e115a49788b1f073098541c83d\r\nb725efa51eafa756f41c4dcd43d01e28c15e90caf19df5bd615fcae8c5b1a1f0\r\nInfection Chain Builder/Crypter\r\n839703f5db34e54afdd9a691516cd986bcbecd9856f202d26ca312d9214487d0\r\nNetwork IOCs:\r\nMaldoc URLs\r\nhxxp://updatewin32[.]xyz/office365/1.doc\r\nhxxp://updatewin32[.]xyz/office365/10.doc\r\nhxxp://updatewin32[.]xyz/office365/11.doc\r\nhxxp://updatewin32[.]xyz/office365/12.doc\r\nhxxp://updatewin32[.]xyz/office365/13.doc\r\nhxxp://updatewin32[.]xyz/office365/14.doc\r\nhxxp://updatewin32[.]xyz/office365/15.doc\r\nhxxp://updatewin32[.]xyz/office365/16.doc\r\nhxxp://updatewin32[.]xyz/office365/2.doc\r\nhxxp://updatewin32[.]xyz/office365/3.doc\r\nhxxp://updatewin32[.]xyz/office365/4.doc\r\nhttps://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html\r\nPage 28 of 32\n\nhxxp://updatewin32[.]xyz/office365/5.doc\r\nhxxp://updatewin32[.]xyz/office365/6.doc\r\nhxxp://updatewin32[.]xyz/office365/7.doc\r\nhxxp://updatewin32[.]xyz/office365/8.doc\r\nhxxp://updatewin32[.]xyz/office365/9.doc\r\nStage 1A\r\nhxxps://updatewin32[.]xyz/async/paste.mp3\r\nhxxps://updatewin32[.]xyz/async/msgbox.txt\r\nhxxp://updatewin32[.]xyz/office365/msg.txt\r\nhxxp://updatewin32[.]xyz/office365/chile.mp3\r\nhxxps://www[.]diamantesviagens[.]com[.]br/terca.hta\r\nhxxps://www[.]diamantesviagens[.]com[.]br/\r\nhxxps://www[.]diamantesviagens[.]com[.]br/Clean.hta\r\nhxxps://www[.]diamantesviagens[.]com[.]br/scanner.hta\r\nhxxps://www[.]diamantesviagens[.]com[.]br/sexta.hta\r\nhxxps://www[.]diamantesviagens[.]com[.]br/rei2.hta\r\nhxxps://www[.]diamantesviagens[.]com[.]br/qpq.hta\r\nhxxps://www[.]diamantesviagens[.]com[.]br/tv.hta\r\nhxxps://www[.]diamantesviagens[.]com[.]br/fd.hta\r\nhxxp://updatewin32[.]xyz/injext.mp3\r\nhxxp://updatewin32[.]xyz/kilabword.mp3\r\nStage 
2\r\nhxxp://updatewin32[.]xyz/3.txt\r\nhxxps://updatewin32[.]xyz/async/oms3.txt\r\nhxxps://updatewin32[.]xyz/async/async3.txt\r\nhxxps://elmerfloyd[.]com/wp/4.txt\r\nhxxps://acscompany[.]com[.]br/33.txt\r\nhxxps://celulosa-corp[.]com/3ASYNC.txt\r\nhxxp://updatewin32[.]xyz/office365/chile3.txt\r\nhxxp://updatewin32[.]xyz/n3.txt\r\nStage 2A\r\nhxxp://edc[.]com[.]ly/index/wp.txt\r\nhxxps://bestbue-sec[.]com/VVpost2.txt\r\nStage 2 mini scripts\r\nhxxp://wh890850[.]ispot[.]cc/~invoixec/kill/dInjector.png\r\nhxxp://wh890850[.]ispot[.]cc/~invoixec/kill/test.ps1\r\nhttps://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html\r\nPage 29 of 32\n\nhxxp://wh890850[.]ispot[.]cc/~invoixec/kill/run.ps1\r\nhxxp://wh890850[.]ispot[.]cc/~invoixec/kill/vb.txt\r\nStage 3\r\nhxxps://updatewin32[.]xyz/async/oms2.txt\r\nhxxps://updatewin32[.]xyz/async/oms1.txt\r\nhxxps://updatewin32[.]xyz/async/async2.txt\r\nhxxps://updatewin32[.]xyz/async/async1.txt\r\nhxxp://updatewin32[.]xyz/2.txt\r\nhxxp://updatewin32[.]xyz/1.txt\r\nhxxps://acscompany[.]com.br/22.txt\r\nhxxps://acscompany[.]com.br/11.txt\r\nhxxps://elmerfloyd[.]com/wp/1.txt\r\nhxxps://elmerfloyd[.]com/wp/2.txt\r\nhxxps://elmerfloyd[.]com/wp/3.txt\r\nhxxps://celulosa-corp[.]com/1ASYNC.txt\r\nhxxps://celulosa-corp[.]com/2ASYNC.txt\r\nhxxps://updatewin32[.]xyz/office365/chile2.txt\r\nhxxps://updatewin32[.]xyz/office365/chile1.txt\r\nhxxps://www[.]diamantesviagens[.]com[.]br/terca.jpg\r\nhxxps://www[.]diamantesviagens[.]com[.]br/RunPE.jpg\r\nhxxps://www[.]diamantesviagens[.]com[.]br/scanner.jpg\r\nhxxps://www[.]diamantesviagens[.]com[.]br/sexta.jpg\r\nhxxps://www[.]diamantesviagens[.]com[.]br/rei2.jpg\r\nhxxps://www[.]diamantesviagens[.]com[.]br/qap.jpg\r\nhxxps://www[.]diamantesviagens[.]com[.]br/tv.jpg\r\nhxxps://www[.]diamantesviagens[.]com[.]br/fd.jpg\r\nhxxp://updatewin32[.]xyz/n2.txt\r\nhxxp://updatewin32[.]xyz/n1.txt\r\nnjRAT 
C2\r\n111234cdt[.]ddns[.]net:4782\r\ngoogleservice64[.]ddns[.]net:5155\r\npotenzax63[.]linkpc[.]net\r\nAsyncRAT C2\r\n111234cdt[.].ddns[.]net:6606\r\n111234cdt[.].ddns[.]net:7707\r\n111234cdt[.].ddns[.]net:8808\r\ncdtpitbull[.]hopto[.]org:6606\r\ncdtpitbull[.]hopto[.]org:7707\r\nhttps://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html\r\nPage 30 of 32\n\ncdtpitbull[.]hopto[.]org:8808\r\ngoogleservice64[.]ddns[.]net:6606\r\ngoogleservice64[.]ddns[.]net:7707\r\ngoogleservice64[.]ddns[.]net:8808\r\naliveafterguard[.]tech:5553\r\n111234[.]ddns[.]net:6606\r\n111234[.]ddns[.]net:7707\r\n111234[.]ddns[.]net:8808\r\ncdt2021[.]hopto[.]org:6606\r\ncdt2021[.]hopto[.]org:7707\r\ncdt2021[.]hopto[.]org:8808\r\nmicomico[.]ddns[.]net:4000\r\nMalicious Google Drive URL hosting the PPAM:\r\nhxxps://drive[.]google[.]com/u/1/uc?id=1cU-jSCI6bT-yXlWCkJgay-xWb8KUYRVC\u0026export=download\r\narchive[.]org abuse URLs\r\nhxxps://archive[.]org/details/firasZIGGSNEW1\r\nhxxps://archive[.]org/download/firasZIGGSNEW1/firasZIGGSNEW1.txt\r\nhxxps://archive[.]org/details/firasZIGGSNEW\r\nhxxps://archive[.]org/details/firasZIGGSNEW/firasZIGGSNEW.txt\r\nhxxps://archive[.]org/details/startilyasasync\r\nhxxps://archive[.]org/details/4ilyasasync\r\nhxxps://archive[.]org/details/3ilyasasync\r\nhxxps://archive[.]org/details/2ilyasasync\r\nhxxps://archive[.]org/details/1ilyasasync\r\nhxxps://archive[.]org/details/4ilyas-normal\r\nhxxps://archive[.]org/details/3ilyas-normal\r\nhxxps://archive[.]org/details/2ilyas-normal\r\nhxxps://archive[.]org/details/1ilyas-normal\r\nhxxps://archive[.]org/details/4ilyascartgpu.\r\nhxxps://archive[.]org/details/3ilyascartgpu.\r\nhxxps://archive[.]org/details/2ilyascartgpu.\r\nhxxps://archive[.]org/details/1ilyascartgpu\r\nhxxps://archive[.]org/details/4ilyas\r\nhxxps://archive[.]org/details/3ilyas\r\nhxxps://archive[.]org/details/2ilyas\r\nhxxps://archive[.]org/details/1ilyas\r\nhxxps://archive[.]org/details/startupbasg\r\nhxxps://archive[.]org/de
tails/Encodingbash\r\nhxxps://archive[.]org/details/encoding-voice\r\nhttps://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html\r\nPage 31 of 32\n\nhxxps://archive[.]org/details/1-voice\r\nhxxps://archive[.]org/details/2jack-voice\r\nhxxps://archive[.]org/details/encodingh-2firas\r\nhxxps://archive[.]org/details/Allbash\r\nhxxps://archive[.]org/details/startbash\r\nhxxps://archive[.]org/details/serverbash\r\nhxxps://archive[.]org/details/startupVoice\r\nhxxps://archive[.]org/details/@3losh-rat\r\nhxxps://archive[.]org/details/@alo0ch0011\r\nAttacker Email ID\r\nalo0ch[at]outlook[.]com\r\nSource: https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html\r\nhttps://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html\r\nPage 32 of 32\n\nAgain, the representation builder here uses of the injector two embedded DLL. This builder PS1 scripts UI accepts as templates. the a local These templates filepath of (upto) already contain two malware the hex payloads to\nbe embedded in the generated Stage 3 scripts called “1.txt” and “2.txt,” respectively.\n   Page 21 of 32",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html"
	],
	"report_names": [
		"rat-campaign-targets-latin-america.html"
	],
	"threat_actors": [
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434727,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdcdfaec0ba0af69d1c968377ff71c999f90b668.pdf",
		"text": "https://archive.orkl.eu/fdcdfaec0ba0af69d1c968377ff71c999f90b668.txt",
		"img": "https://archive.orkl.eu/fdcdfaec0ba0af69d1c968377ff71c999f90b668.jpg"
	}
}