{ "id": "5dd73db8-446d-4b71-a825-a6ce509c6dc1", "created_at": "2026-04-06T00:08:20.509108Z", "updated_at": "2026-04-10T03:36:21.902443Z", "deleted_at": null, "sha1_hash": "ff14fc1b5eea6d19b233ac8f59fc9059e425eb6f", "title": "LevelBlue - Open Threat Exchange", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 239563, "plain_text": "LevelBlue - Open Threat Exchange\r\nBy TheNewRaikage\r\nArchived: 2026-04-05 21:43:54 UTC\r\nWe've found 3\r\nresults for \"tag:Ratsnif\"\r\nPulses ( 3\r\n)\r\nUsers ( 0\r\n)\r\nGroups ( 0\r\n)\r\nIndicators ( 0\r\n)\r\nMalware Families ( 0\r\n)\r\nIndustries ( 0\r\n)\r\nAdversaries ( 0\r\n)\r\nShow:\r\nAll\r\nSort:\r\nRecently Modified\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Ratsnif\r\nPage 1 of 5\n\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to\r\nmore than 1.5 million customers across the globe, and offers a wide range of products and services.\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Ratsnif\r\nPage 2 of 5\n\n17 Subscribers\r\nAuthor Url\r\nRatsnif - New Network Vermin from OceanLotus\r\nFileHash-MD5: 49 | FileHash-SHA256: 4 | URL: 1 | Domain: 6 | Hostname: 42\r\nBlackberry Cylance threat researchers have analyzed the Ratsnif trojans, which offer a veritable swiss-army knife\r\nof network attack techniques. The trojans, under active development since 2016, combine capabilities like packet\r\nsniffing, gateway/device ARP poisoning, DNS poisoning, HTTP injection, and MAC spoofing.\r\n374,016 Subscribers\r\nAuthor Url\r\n1,344 Subscribers\r\nSort:\r\nMost Pulses\r\nSort:\r\nMost Members\r\nIndicators Search\r\nFilter by:\r\nReset Filters\r\nAll Time\r\nShow expired indicators\r\nIndicator Type\r\nAll (0)\r\nCIDR (0)\r\nCVE (0)\r\nDomain (0)\r\nEmail (0)\r\nFileHash-IMPHASH (0)\r\nFileHash-MD5 (0)\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Ratsnif\r\nPage 3 of 5\n\nFileHash-PEHASH (0)\r\nFileHash-SHA1 (0)\r\nFileHash-SHA256 (0)\r\nFilePath (0)\r\nHostname (0)\r\nIPv4 (0)\r\nIPv6 (0)\r\nMutex (0)\r\nNIDS (0)\r\nURI (0)\r\nURL (0)\r\nYARA (0)\r\nRole\r\nAdware\r\nBackdoor\r\nBruteforce\r\nCommand \u0026 Control\r\nDelivery Email\r\nDocument Exploit\r\nDomain Owner\r\nExploit Kit\r\nExploit Source\r\nFile Scanning\r\nHacking Tools\r\nHunting\r\nMacro Malware\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Ratsnif\r\nPage 4 of 5\n\nMalvertising\r\nMalware Hosting\r\nMemory Scanning\r\nPCAP Scanning\r\nPhishing\r\nRAT\r\nRansomware\r\nScanning Host\r\nTrojan\r\nUnknown\r\nWeb Attack\r\nWorm\r\nSort:\r\nRecently Modified\r\nSort:\r\nName Ascending\r\nSort:\r\nAscending\r\nSort:\r\nAscending\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:Ratsnif\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Ratsnif\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://otx.alienvault.com/browse/pulses?q=tag:Ratsnif" ], "report_names": [ "pulses?q=tag:Ratsnif" ], "threat_actors": [ { "id": "af509bbb-8d18-4903-a9bd-9e94099c6b30", "created_at": "2023-01-06T13:46:38.585525Z", "updated_at": "2026-04-10T02:00:03.030833Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "OceanLotus", "ATK17", "G0050", "APT-C-00", "APT-32", "Canvas Cyclone", "SeaLotus", "Ocean Buffalo", "OceanLotus Group", "Cobalt Kitty", "Sea Lotus", "APT 32", "POND LOACH", "TIN WOODLAWN", "Ocean Lotus" ], "source_name": "MISPGALAXY:APT32", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "870f6f62-84f5-48ca-a18e-cf2902cd6924", "created_at": "2022-10-25T15:50:23.303818Z", "updated_at": "2026-04-10T02:00:05.301184Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00", "Canvas Cyclone" ], "source_name": "MITRE:APT32", "tools": [ "Mimikatz", "ipconfig", "Kerrdown", "Cobalt Strike", "SOUNDBITE", "OSX_OCEANLOTUS.D", "KOMPROGO", "netsh", "RotaJakiro", "PHOREAL", "Arp", "Denis", "Goopy" ], "source_id": "MITRE", "reports": null }, { "id": "31da1b1f-743b-40ef-bd17-1e07c5500392", "created_at": "2024-06-19T02:00:04.382822Z", "updated_at": "2026-04-10T02:00:03.655982Z", "deleted_at": null, "main_name": "UAC-0020", "aliases": [ "SickSync", "Vermin" ], "source_name": "MISPGALAXY:UAC-0020", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5da6b5fd-1955-412a-81aa-069fb50b6e31", "created_at": "2025-08-07T02:03:25.116085Z", "updated_at": "2026-04-10T02:00:03.668978Z", "deleted_at": null, "main_name": "TIN WOODLAWN", "aliases": [ "APT32 ", "Cobalt Kitty", "OceanLotus", "WOODLAWN " ], "source_name": "Secureworks:TIN WOODLAWN", "tools": [ "Cobalt Strike", "Denis", "Goopy", "JEShell", "KerrDown", "Mimikatz", "Ratsnif", "Remy", "Rizzo", "RolandRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "2439ad53-39cc-4fff-8fdf-4028d65803c0", "created_at": "2022-10-25T16:07:23.353204Z", "updated_at": "2026-04-10T02:00:04.55407Z", "deleted_at": null, "main_name": "APT 32", "aliases": [ "APT 32", "APT-C-00", "APT-LY-100", "ATK 17", "G0050", "Lotus Bane", "Ocean Buffalo", "OceanLotus", "Operation Cobalt Kitty", "Operation PhantomLance", "Pond Loach", "SeaLotus", "SectorF01", "Tin Woodlawn" ], "source_name": "ETDA:APT 32", "tools": [ "Agentemis", "Android.Backdoor.736.origin", "AtNow", "Backdoor.MacOS.OCEANLOTUS.F", "BadCake", "CACTUSTORCH", "CamCapture Plugin", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Cuegoe", "DKMC", "Denis", "Goopy", "HiddenLotus", "KOMPROGO", "KerrDown", "METALJACK", "MSFvenom", "Mimikatz", "Nishang", "OSX_OCEANLOTUS.D", "OceanLotus", "PHOREAL", "PWNDROID1", "PhantomLance", "PowerSploit", "Quasar RAT", "QuasarRAT", "RatSnif", "Remy", "Remy RAT", "Rizzo", "Roland", "Roland RAT", "SOUNDBITE", "Salgorea", "Splinter RAT", "Terracotta VPN", "Yggdrasil", "cobeacon", "denesRAT", "fingerprintjs2" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434100, "ts_updated_at": 1775792181, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ff14fc1b5eea6d19b233ac8f59fc9059e425eb6f.pdf", "text": "https://archive.orkl.eu/ff14fc1b5eea6d19b233ac8f59fc9059e425eb6f.txt", "img": "https://archive.orkl.eu/ff14fc1b5eea6d19b233ac8f59fc9059e425eb6f.jpg" } }