{ "id": "0f045e41-365b-4851-9917-d1b74222640d", "created_at": "2026-04-06T00:10:37.087013Z", "updated_at": "2026-04-10T03:38:19.762402Z", "deleted_at": null, "sha1_hash": "ffa2e9edb0be4ec07977b0d7dc2d8b8e810db75c", "title": "Deliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis | Splunk", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 6073660, "plain_text": "Deliver a Strike by Reversing a Badger: Brute Ratel Detection and\r\nAnalysis | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-10-04 · Archived: 2026-04-05 13:50:15 UTC\r\nA new adversary simulation tool is steadily growing in the ranks of popularity among red teamers and most\r\nrecently adversaries. Brute Ratel states on its website that it \"is the most advanced Red Team \u0026 Adversary\r\nSimulation Software in the current C2 Market.\" Many of these products are marketed to assist blue teams in\r\nvalidating detection, prevention, and gaps of coverage. Brute Ratel goes a level further in receiving consistent\r\nupdates to evade modern host-based security controls — a cat and mouse game. Adversaries pick up on these\r\nproducts quickly, as noted in a recent blog post by Team Cymru; Brute Ratel C4 (BRC4) servers are limited on the\r\ninternet compared to other offensive security tools like Cobalt Strike and Metasploit, but its popularity is growing.\r\nAs enterprise defenders who may or may not have access to these products, we have to be able to understand the\r\noperation of the tool and its procedures and behaviors.\r\nIn this blog, the Splunk Threat Research Team (STRT) will highlight how we utilized other public research to\r\ncapture Brute Ratel Badgers (agents) and create a Yara rule to help identify more on VirusTotal. Additionally, we\r\nreversed a sample to better understand its functions. STRT simulated a badger’s functionality using a newly\r\nreleased defender-driven C2 utility. Lastly, STRT describes analytics to help defenders identify behaviors related\r\nto Brute Ratel.\r\nAnalysis\r\nHunting for a Badger\r\nBrute Ratel is a commercial C2 framework available only to paying customers; yet, STRT needed a way to\r\nacquire a sample for analysis. Fortunately for us, security researchers like Spookysec.net, Unit42 and Mdsec have\r\nalready found samples and blogged about their analysis. STRT leveraged the sample found on the Analyzing a\r\nBrute Ratel Badger blog post and created an experimental generic Yara rule that can be used on VirusTotal to hunt\r\nfor other potential uploaded samples.\r\nrule possible_badger\r\n{\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 1 of 22\n\nstrings:\r\n //mov eax, 0x00\r\n // push eax\r\n //mov eax, 0x00\r\n // push eax\r\n //mov eax, 0x00\r\n // push eax\r\n //mov eax, 0x00\r\n // push eax\r\n //mov eax, 0x00\r\n // push eax\r\n //mov eax, 0x00\r\n // push eax\r\n $code = { B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00 00 00 00 50 B8 00\r\n condition:\r\n all of them\r\n}\r\nThe Yara rule above hunts for a series of move zero bytes instructions to the EAX register which are then pushed\r\nto the stack. These instructions were identified as part of the initial shellcode that sets up the BRC4 agent DLL\r\nmodule on the stack.\r\nThe figure below shows one of the files flagged by the Yara rule, an ISO file named fotos.iso.\r\nThe first submission of this file in VT was on July 20, 2022, from Poland.\r\nThe figure below shows the VirusTotal detection list of the ISO fotos.iso at the time of writing.\r\nUsing the Yara rule we were able to identify 31 similar samples and graph them using VirusTotal Graphs.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 2 of 22\n\nThe full VirusTotal graph may be found here.\r\nMalicious ISO File\r\nISO containers are a common way to deliver malware among threat actors. It enables them to archive malicious\r\nfiles and even bypass security features such as the Mark-of-the-Web. The found sample contains the legitimate\r\nMicrosoft signed OneDrive binary renamed as onedrive_fotos.exe as well as two hidden DLLs: version.dll and\r\nversions.dll files. The latter is also a Microsoft-signed legitimate DLL while the first one is a malicious library that\r\nwill execute the BRC4 agent.\r\nThis initial access vector leverages the DLL Side-Loading technique (T1574.002) to obtain code execution on the\r\nvictim host. Side-loading takes advantage of the DLL search order used by the loader by positioning both the\r\nvictim application and malicious payload alongside each other. When the victim mounts the ISO and executes the\r\nonedrive_fotos.exe binary, it will load the maliciously crafted version.dll.\r\nThe figure below shows the VirusTotal detection list of the version.dll library at the time of writing.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 3 of 22\n\nThe ISO file we analyzed is similar to the sample analyzed by Palo Alto’s Unit42 in their blog post covering Brute\r\nRatel with a few notable differences:\r\nThis ISO does not contain a shortcut LNK file and relies on the victim double clicking the\r\nonedrive_fotos.exe binary to load the malicious DLL.\r\nThe initial shellcode is embedded in the hidden DLL and not present as another file in the ISO archive.\r\nThe following image provides a high level overview of the initial access attack vector.\r\nFigure 2.1 and Figure 2.2 show the .ISO component files before and after enabling the “Show Hidden Files”\r\nsetting.\r\nInitial Shellcode Execution\r\nThe malicious version.dll file has an embedded unencrypted shellcode in its .data section that will be copied to an\r\nallocated memory address space with the PAGE_EXECUTE_READ protection to then be executed using the\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 4 of 22\n\ncallback function of the EnumChildWindows Windows API. This shellcode execution technique was first seen\r\nbeing used by the Lazarus group.\r\nFigure 3 shows the code snippet of the EnumChildWindows callback function used to execute the shellcode.\r\nThe shellcode will set up the Brute Ratel C4 DLL agent in the memory stack using several push mnemonics.\r\nAfterward, the shellcode will allocate an executable memory page space where it will move the DLL agent from\r\nthe stack byte per byte. Lastly, It will execute it using the undocumented API NtCreateThreadEx.\r\nFigure 4 is the code showing the last push command executed by the shellcode to finalize copying the BRC4 DLL\r\nagent to the stack.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 5 of 22\n\nOnce the DLL agent is placed in the executable memory page, we can export it to disk to perform static analysis.\r\nWe used the Detect It Easy tool to perform high level analysis of the extracted BRC4 DLL and obtain information\r\nsuch as the exported functions (Figure 4.1), the entropy of the file and each section (Figure 4.2), etc.\r\nFigure 4.1\r\nFigure 4.2\r\nFigure 5 shows the code that runs a syscall function to execute the NtCreateThreadEx Windows API with the\r\nstartAddress argument pointing to the “bruteloader” export function of the BRC4 DLL agent loaded in memory.\r\nThis thread also has an argument that points to the encoded and encrypted initial configuration that will be used\r\nfor its C2 communication and beaconing.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 6 of 22\n\nFigure 5\r\nThe DLL module we extracted from memory was submitted to VT in this link and can be seen in Figure 5.1.\r\nBRC4 DLL Agent Module\r\nInitial Configuration\r\nThe configuration data is encoded with base64 and encrypted with RC4 with the passphrase key\r\n“bYXJm/3#M?:XyMBF”. Figure 6 is the decrypted version of this configuration data that contains the command\r\nand control servers, port (HTTPS), user agent, cookie, and many more details.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 7 of 22\n\nFigure 6\r\nThe Brute Ratel DLL agent used by this malicious version.dll is composed of techniques to evade detection from\r\nendpoint detection and response (EDR), antivirus products, and even obfuscation and encryption to thwart static\r\ncode analysis.\r\nThe following section describes some of the capabilities the STRT found during our analysis of the BRC4 DLL\r\nmodule embedded in version.dll which include: gaining elevated privileges, collecting sensitive information,\r\nevading detections, and dumping processes, among others.\r\nBRc4 Agent Capabilities\r\nWindows API Abuse\r\nThe BRC4 agent employs several techniques to invoke and abuse native Windows APIs. To attempt to bypass\r\nsecurity solutions that rely on hooking common APIs, BRCc4 makes use of direct system calls. The BRC4 agent\r\ncan also dynamically resolve functions memory addresses using pre-computed hardcoded hashes. Figure 6.1\r\nshows the code snippet of its hashing algorithm it uses in parsing its needed API upon traversing the export table\r\nof its needed DLL modules.\r\nFigure 6.1\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 8 of 22\n\nCommon functionality implemented by C2 implants is the ability to verify the connectivity with another host\r\nusing the ICMP protocol. The BRC4 DLL agent implements this by using the native Windows API\r\nIcmpCreateFile and IcmpSendEcho.\r\nFigure 7 shows the code with the resolved API hash value on how to implement a PING to a target host using\r\nthose Windows APIs.\r\nFigure 7\r\nSeDebugPrivilege\r\nBy default, users can debug only the processes that they own. In order to debug other processes or processes\r\nowned by other users, a process needs to have a SeDebugPrivilege privilege token. This privilege token is abused\r\nby adversaries to elevate process access to inject malicious code or dump processes. Figure 8 shows how BRC4\r\nadjusts the token privilege of its process to gain debug privileges.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 9 of 22\n\nFigure 8\r\nParse Clipboard Data\r\nFigure 9 shows the code snippet BRC4 uses to parse or copy the clipboard data on the targeted host using the\r\nWindows API functions OpenClipboard and GetClipboardData.\r\nFigure 9\r\nRetrieve DNS CACHE RECORD\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 10 of 22\n\nFigure 10 shows the code snippet implemented by BRC4 to parse the DNS cache record of the infected host using\r\nthe undocumented DnsGetcacheDataTable Windows API.\r\nFigure 10\r\nDuplicate Token\r\nToken manipulation is a technique used to create a new process with a token “taken” or “duplicated” from another\r\nprocess. This is a common technique leveraged by adversaries, red teamers, and malware families to elevate the\r\nprivileges of their processes.\r\nFigure 11 shows the code function that duplicates the token of “winlogon.exe” or “logonui.exe” and uses that\r\ntoken to a new process using CreateProcessWithTokenW API.\r\nFigure 11\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 11 of 22\n\nPatch ETWEventWrite API\r\nAnother interesting feature of the BRC4 DLL agent is that it can evade Event Tracing for Windows (ETW) and\r\nAMSI Windows mechanisms by patching known API responsible for generating or tracing system events.\r\nFigure 12 shows the code of this DLL agent that patches “EtwEventWrite” API with “0xC3” opcode which is a\r\n“return instruction” to evade the ETW event trace logging.\r\n \r\nFigure 12\r\nParent Process ID Spoofing\r\nBRC4 is also capable of spoofing the parent process (PPID) for its newly created process to evade detections that\r\nare based on parent/child process relationships.\r\nThe code below in Figure 13 is the function that initializes the process attributes and thread creation for the parent\r\nprocess spoofing technique.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 12 of 22\n\nFigure 13\r\nRetrieves IPV4 to Physical Address Mapping Table\r\nFigure 14 shows the code snippet of the function that enumerates Address Resolution Protocol (ARP) entries or\r\nphysical address map table for IPV4 on the local system using the GetIpNetTable Windows API.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 13 of 22\n\nFigure 14\r\nBelow is the list of other capabilities we found in the BRC4 DLL module loaded by this malicious version.dll file:\r\nCheck the active and idle session of the user in the target host\r\nTCP bind connection\r\nCreate, copy, move and delete File\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 14 of 22\n\nCreate, delete, move directory\r\nGet and set current working directory\r\nGet domain information\r\nEnumerate Drivers with their file information\r\nCreate, start, modify, enumerate and delete services\r\nGet environment variable list\r\nChange workstation wallpaper\r\nGet host by name\r\nEnumerate logical drives\r\nGet process information\r\nGet process token privileges\r\nRetrieve global information for all users and groups in security databases like SAM\r\nList files in a directory\r\nWorkstation lock screen\r\nProcess minidump\r\nRetrieve NET BIOS information\r\nProcess Injection (QAPC, CreateRemoteThread, and CreateSection Techniques)\r\nEnumerate Registries\r\nGet system information\r\nTerminate a process\r\nTaking windows desktop screenshot\r\nExecute shell command (“RUNAS”)\r\nRetrieves the time of the last input event\r\nList installed software applications in the targeted host\r\nRetrieves the active processes on a specified RDP session\r\nBrute Ratel Simulation\r\nDetections written by the Splunk Threat Research Team need to pass the automated detection testing pipeline\r\nbefore they can be released. Building detections for some of the interesting TTPs we identified by analyzing\r\nBRC4 was no different; we needed a way to simulate these techniques in a lab environment in order to generate\r\nthe datasets used for testing and stored in the Attack Data Github repository.\r\nThis presented two key challenges:\r\n1. The C2 server of the BRC4 agent we analyzed was inaccessible or already offline during our analysis.\r\nFurthermore, even if it was online, we would have not been able to instruct the agent to execute the specific\r\ntasks we wanted to run.\r\n2. The Brute Ratel server-side application is a commercial product and the creator was unavailable for us to\r\nwrite detections against the product.\r\nIntroducing Atomic-C2\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 15 of 22\n\nTo approach these challenges, we decided to write our own minimal Command \u0026 Control framework using C++\r\nfor the implant and Python for the server: Atomic-C2. This tool will never be meant to be used as part of offensive\r\nengagements but rather to be used by blue teams to learn about how C2s work and be able simulate techniques\r\nwhen commercial or criminal toolsets are not available.\r\nFor this initial and Proof-Of-Concept version of Atomic-C2, we took some of the techniques we learned by\r\nreverse engineering the BRC4 agent and re-wrote (simulate) them in C++ with a server side component to trigger\r\nthem. Two examples are shown below.\r\nFigure 14.1 shows how we simulate the previously shown capability to harvest or parse the clipboard data.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 16 of 22\n\nFigure 14.2 shows how we simulate the capability responsible for parent process ID spoofing.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 17 of 22\n\nAs another example, Figure 15 shows the screenshot of how we simulate the technique of locking the screen of\r\nthe targeted workstation. The C2 server operator runs the “lock” command to instruct the agent running in the\r\nvictim host to execute the simulated workstation lock screen code.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 18 of 22\n\nFigure 16 shows a screenshot of the simulated QUEUE APC process code injection technique. The simulated code\r\nwill look for a cmd.exe process and inject shellcode that will execute a calc.exe.\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 19 of 22\n\nAtomic-C2 helped us simulate Brute Ratel techniques to obtain the datasets we needed to create detections and to\r\npass the automated testing process. At the moment, Atomic-C2 is an internal project, but we hope to release it in\r\nthe upcoming months.\r\nBrute Ratel C4 Analytic Story\r\nArmed with the knowledge gained from reversing the Brute Ratel sample and the datasets generated with Atomic-C2, the Splunk Threat Research Team developed a new analytic story to help security operations center (SOC)\r\nanalysts detect adversaries leveraging the Brute Ratel Command \u0026 Control framework. Specifically, the new\r\nAnalytic Story introduces 17 detection analytics across 10 MITRE ATT\u0026CK techniques.\r\nThere can be multiple approaches that rely on different data sources to hunt for Brute Ratel behavior. For this\r\nrelease, we wanted to focus on what we consider to be the most relevant data source: endpoint telemetry. Thus, we\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 20 of 22\n\nfocused on the following data sources:\r\nProcess Execution \u0026 Command Line Logging\r\nWindows Security Event Id 4688, Sysmon, or any Common Information Model compliant EDR\r\ntechnology.\r\nWindows Security Event Log\r\nWindows System Event Log\r\nThe next table describes the data models and the Splunk Technical Add-Ons we used to develop the detection\r\nanalytics.\r\nAutomate with SOAR Playbooks\r\nAll of the previously listed detections create entries in the risk index by default, and can be used seamlessly with\r\nrisk notables and the Risk Notable Playbook Pack. The community Splunk SOAR playbooks below can be used in\r\nconjunction with some of the previously described analytics:\r\nWhy Should You Care?\r\nWith this article we enabled security analysts, blue teamers and splunk customers to identify the TTP’s used by\r\nthreat actors abusing BRC4 DLL agents.\r\nBy understanding its behaviors, we were able to generate telemetry and datasets to develop and test splunk\r\ndetections designed to defend and respond against this type of threats.\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security\r\nEssentials also has all these detections available via push update.\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nContributors\r\nWe would like to thank the following for their contributions to this post:\r\nTeoderick Contreras\r\nMauricio Velazco\r\nMichael Haag\r\nRod Soto\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 21 of 22\n\nLou Stella\r\nJose Hernandez\r\nPatrick Barreiss\r\nBhavin Patel\r\nEric McGinnis\r\nSource: https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nhttps://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html\r\nPage 22 of 22\n\n https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html \nAs another example, Figure 15 shows the screenshot of how we simulate the technique of locking the screen of\nthe targeted workstation. The C2 server operator runs the “lock” command to instruct the agent running in the\nvictim host to execute the simulated workstation lock screen code. \n Page 18 of 22", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html" ], "report_names": [ "deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434237, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ffa2e9edb0be4ec07977b0d7dc2d8b8e810db75c.pdf", "text": "https://archive.orkl.eu/ffa2e9edb0be4ec07977b0d7dc2d8b8e810db75c.txt", "img": "https://archive.orkl.eu/ffa2e9edb0be4ec07977b0d7dc2d8b8e810db75c.jpg" } }