{ "type": "bundle", "id": "bundle--cf7c0e1e-4602-4e51-acd1-bd3de808b95f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--62791516-e53e-4728-ae58-19ce2cf2fa82", "created": "2025-11-15T02:03:14.609594Z", "modified": "2025-11-15T02:28:49.217997Z", "name": "RansomISAC", "identity_class": "organization" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--07b2a6fc-8fc9-4ac8-9a19-ae97064c246f", "value": "23.27.202.27" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--2f602576-1f4f-43ab-8c8a-59e5a66545b1", "value": "api.trongrid.io" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--e26580cb-b6a4-443f-ad9c-8ae8392d47a8", "value": "fullnode.mainnet.aptoslabs.com" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--60084b69-ae94-4275-ac71-e0c3d5bc8969", "value": "23.27.20.143" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--c29544b2-6785-4508-9dd4-eac983409afd", "value": "136.0.9.8" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--2cc5c760-1712-4cdd-8546-e80307fb7fc6", "value": "166.88.4.2" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--b8216169-b8d5-438c-8646-d30abd0a1cd8", "value": "bsc-dataseed.binance.org" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--e2fd9333-7fae-497e-b014-9fadffa31950", "value": "bsc-rpc.publicnode.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--18d42973-ae2d-4798-b17c-fa3598d74d76", "value": "ip-api.com" }, { "type": "url", "spec_version": "2.1", "id": "url--626a7140-1ac3-4516-8a1d-f2ca705ce9cd", "value": "http://ip-api.com/json" }, { "type": "url", "spec_version": "2.1", "id": "url--d839c504-71c7-4a7f-9d66-9300d7e0a796", "value": "https://bsc-dataseed.binance.org" }, { "type": "file", "spec_version": "2.1", "id": "file--48891109-a753-4d09-96f3-c7e1c7a46e01", "hashes": { "SHA-256": "f3c46284d1f89f33427b332a7b9357165a3d55a2b3a74f9d9b977b9673ad7c60" } }, { "type": "file", "spec_version": "2.1", "id": "file--d0996f7f-a725-48ec-b79e-a81c93d79d05", "hashes": { "SHA-256": "16df15306f966ae5c5184901747a32087483c03eebd7bf19dbfc38e2c4d23ff8" } }, { "type": "url", "spec_version": "2.1", "id": "url--fb3ca530-54f4-4294-8010-696c311c0d1a", "value": "https://api.trongrid.io/v1/accounts/TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP/transactions?only_confirmed=true&only_from=true&limit=1" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0a0cfaf8-b826-4505-962a-22cd1acf36ae", "created": "2026-06-24T17:27:28.23676Z", "modified": "2026-06-24T17:27:28.23676Z", "name": "YARA Rule", "pattern": "rule Actor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25\r\n{\r\nmeta:\r\nrule_id = \"10982aed-1c45-4864-a6ff-ffd19f38912d\"\r\ndate = \"19-10-2025\"\r\nauthor = \"Ransom-ISAC\"\r\ndescription = \"Detects cluster of DPRK Nexus malware based on known artifacts\"\r\nstrings:\r\n$XOR1 = {32 5b 67 57 66 47 6a 3b 3c 3a 2d 39 33 5a 5e 43}\r\n$XOR2 = {6d 36 3a 74 54 68 5e 44 29 63 42 7a 3f 4e 4d 5d}\r\n$XOR3 = {63 41 5d 32 21 2b 33 37 76 2c 2d 73 7a 65 55 7d}\r\n$XOR4 = {54 68 5a 47 2b 30 6a 66 58 45 36 56 41 47 4f 4a}\r\n$XOR5 = {34 23 75 4c 65 56 4d 5b 33 6c 45 53 4c 47 41}\r\n$XOR6 = {39 4b 79 41 53 74 2b 37 44 30 6d 6a 50 48 46 59}\r\n$XOR7 = {54 68 5a 47 2b 30 6a 66 58 45 36 56 41 47 4f 4a}\r\n$tron1 = \"TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP\" ascii wide\r\n$tron2 = \"TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG\" ascii wide\r\n$tron3 = \"TLmj13VL4p6NQ7jpxz8d9uYY6FUKCYatS\" ascii wide\r\n$aptos1 = \"be037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e\" ascii wide\r\n$aptos2 = \"3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3\" ascii wide\r\n$aptos3 = \"3414a658f13b652f24301e986f9e0079ef506992472c1d5224180340d8105837\" ascii wide\r\n$bsc1 = \"f46c86c886bbf9915f4841a8c27b38c519fe3ce54ba69c98d233d0ffc94d19fc\" ascii wide\r\n$bsc2 = \"d33f78662df123adf2a178628980b605a0026c0d8c4f4e87e43e724cda258fef\" ascii wide\r\n$bsc3 = \"a8cdabea3616a6d43e0893322112f9dca05b7d2f88fd1b7370c33c79076216ff\" ascii wide\r\n$telegram = \"7870147428:AAGbYG_eYkiAziCKRmkiQF-\" ascii wide\r\n$marker = \"*C250617A*\" ascii wide\r\n$obfs1 = \"_$af402041\" ascii wide\r\n$obfs2 = \"_$af813180\" ascii wide\r\n$obfs3 = \"_$_2d00[]\" ascii wide\r\ncondition:\r\nany of them\r\n}", "pattern_type": "yara", "valid_from": "2025-10-27T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fbce5949-7820-4b5b-b641-03437e65f107", "created": "2026-06-24T17:27:28.237579Z", "modified": "2026-06-24T17:27:28.237579Z", "name": "YARA Rule", "pattern": "rule Actor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25\r\n{\r\nmeta:\r\nrule_id = \"96fd2b7e-355e-43fc-a581-6ebda388b761\"\r\ndate = \"19-10-2025\"\r\nauthor = \"Ransom-ISAC\"\r\n//Payload1_1_1 Cross-Platfrom NodeJS RAT\r\ndescription = \"Detects cluster of obfuscated JS Scripts that are likely developed by a DPRK Nexus group\"\r\nfilehash = \"eefe39fe88e75b37babb37c7379d1ec61b187a9677ee5d0c867d13ccb0e31e30\"\r\nstrings:\r\n$str1 = \"Promise\" ascii wide\r\n$str2 = \"['_V']\" ascii wide\r\n$str3 = \"['_R']\" ascii wide\r\n$str4 = \"atob\" ascii wide\r\ncondition:\r\nall of them\r\nand filesize < 100KB\r\n}", "pattern_type": "yara", "valid_from": "2025-10-27T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--73a7f121-7969-4dd3-8e63-f02a8bc9b6fe", "created": "2026-06-24T17:27:28.238196Z", "modified": "2026-06-24T17:27:28.238196Z", "name": "YARA Rule", "pattern": "rule Actor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25\r\n{\r\nmeta:\r\nrule_id = \"dbcf26b3-7b8c-447d-97ad-43de0d6e42e6\"\r\ndate = \"17-10-2025\"\r\nauthor = \"Ransom-ISAC\"\r\ndescription = \"Detects cluster of JS Scripts that are likely developed by a DPRK Nexus group\"\r\nfilehash = \"be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0\"\r\nstrings:\r\n$hex = {676c6f62616c2e5f56203d202743352d62656e6566697427} //global._V = 'C5-benefit'\r\n$js1 = \"global.r\" ascii\r\n$js2 = \"global._V\" ascii\r\n$var1 = \"C5-benefit\" ascii\r\n$var2 = \"C250617A\" ascii\r\n$var3 = \"CHQG3L42MMQ\" ascii\r\n$var4 = {68 74 74 70 3a 2f 2f 22 20 2b 20 ?? 20 2b 20 22 3a (32 37 30 31 37 | 44 44 43)} //IP:Port pattern\r\n$str1 = \"crypto\" ascii\r\n$str2 = \"socket\" ascii\r\n$str3 = \"hostname\" ascii\r\n$str4 = \"axios\" ascii\r\n$str5 = \"form-data\" ascii\r\ncondition:\r\n$hex\r\nor (\r\nany of ($js*)\r\nand any of ($var*)\r\nand any of ($str*)\r\n)\r\nand filesize < 75KB\r\n}", "pattern_type": "yara", "valid_from": "2025-10-27T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--be6ae087-5af0-4b2a-a0da-b9352d7d9516", "created": "2026-06-24T17:27:28.238774Z", "modified": "2026-06-24T17:27:28.238774Z", "name": "YARA Rule", "pattern": "rule Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25\r\n{\r\nmeta:\r\nrule_id = \"2c2a60ce-55cf-40ab-92c4-7ee961b0d00c\"\r\ndate = \"17-10-2025\"\r\nauthor = \"Ransom-ISAC\"\r\n//Payload 1_2_1_1 OmniStealer\r\ndescription = \"Detects cluster of Python Scripts that are likely developed by a DPRK Nexus group\"\r\nfilehash = \"236ff897dee7d21319482cd67815bd22391523e37e0452fa230813b30884a86f\"\r\nstrings:\r\n$dot1 = \".onetoc2\" ascii\r\n$dot2 = \".onenote\" ascii\r\n$dot3 = \".one\" ascii\r\n$dot4 = \".kbdx\" ascii\r\n$func1 = \"socket.gethostname()\" ascii\r\n$func2 = \"getpass.getuser()\" ascii\r\n$func3 = \"platform.platform()\" ascii\r\n$pc1 = \"pc_name\" ascii\r\n$pc2 = \"pc_info\" ascii\r\n$pc3 = \"pc_login\" ascii\r\n$x1 = \"metamask\" ascii\r\n$x2 = \"phantom\" ascii\r\n$x3 = \"exodus\" ascii\r\n$x4 = \"atomic\" ascii\r\n$x5 = \"bitcoin\" ascii\r\n$x6 = \"ethereum\" ascii\r\n$x7 = \"solana\" ascii\r\n$x8 = \"aptos\" ascii\r\n$x9 = \"electrum\" ascii\r\n$x10 = \"tronlin\" ascii\r\n$x11 = \"coinbase\" ascii\r\n$x12 = \"binance\" ascii\r\n$y1 = \"gitconfig\" ascii\r\n$y2 = \"tsconfig\" ascii\r\n$y3 = \"bootconfig\" ascii\r\n$y4 = \"pw-config\" ascii\r\n$z1 = \"cli_mode\" ascii\r\n$z2 = \"dev_mode\" ascii\r\n$z3 = \"cli_mode\" ascii\r\n$z4 = \"debug_mode\" ascii\r\ncondition:\r\n2 of ($dot*)\r\nand any of ($func*)\r\nand any of ($pc*)\r\nand 6 of ($x*)\r\nand 2 of ($y*)\r\nand 2 of ($z*)\r\nand filesize < 100KB\r\n}", "pattern_type": "yara", "valid_from": "2025-10-27T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a2818787-3908-424e-9a67-20ccd325f009", "created": "2026-06-24T17:27:28.239342Z", "modified": "2026-06-24T17:27:28.239342Z", "name": "YARA Rule", "pattern": "rule Actor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25\r\n{\r\nmeta:\r\nrule_id = \"7919137c-de06-43cc-800a-76c726b45fbd\"\r\ndate = \"16-10-2025\"\r\nauthor = \"Ransom-ISAC\"\r\n//Payload 1_2_1_1 OmniStealer\r\ndescription = \"Detects cluster of Python Scripts that are likely developed by a DPRK Nexus group\"\r\nfilehash = \"742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20\"\r\nstrings:\r\n$bwr1 = \"microsoft-edge\" ascii\r\n$bwr2 = \"google-chrome\" ascii\r\n$bwr3 = \"Brave-Browser\" ascii\r\n$func1 = \"socket.gethostname()\" ascii\r\n$func2 = \"getpass.getuser()\" ascii\r\n$func3 = \"platform.platform()\" ascii\r\n$str1 = \"1Password\" ascii\r\n$str2 = \"secretstorage\" ascii\r\n$str3 = \"networkWallet\" ascii\r\n$str4 = \"readPassword\" ascii\r\n$str5 = \"cookie_files\" ascii\r\n$str6 = \"login_files\" ascii\r\n$str7 = \"credit_cards\" ascii\r\n$str8 = \"masterPassword\" ascii\r\n$str9 = \"moz_cookies\" ascii\r\n$str10 = \"http-upload\" ascii\r\n$str11 = \"tg-upload\" ascii\r\n$pass1 = \"ProtonPass\" ascii\r\n$pass2 = \"MEGAPass\" ascii\r\n$pass3 = \"DualSafe\" ascii\r\n$pass4 = \"FreePasswordManager\" ascii\r\n$pass5 = \"GoogleAuth\" ascii\r\n$params1 = \"osx_key_user\" ascii\r\n$params2 = \"osx_key_service\" ascii\r\n$params3 = \"os_crypt_name\" ascii\r\n$params4 = \"windows_keys\" ascii\r\n$params5 = \"osx_cookies\" ascii\r\n$params6 = \"windows_cookies\" ascii\r\n$params7 = \"linux_cookies\" ascii\r\n$params8 = \"osx_logins\" ascii\r\n$params9 = \"windows_logins\" ascii\r\n$params10 = \"linux_logins\" ascii\r\n$crpt1 = \"Bitwarden\" ascii\r\n$crpt2 = \"NordPass\" ascii\r\n$crpt3 = \"Dashlane\" ascii\r\n$crpt4 = \"kwallet\" ascii\r\n$pths1 = \"/.config/chromium/\" ascii\r\n$pths2 = \"/.config/opera/\" ascii\r\n$pths3 = \"/.config/BraveSoftware/\" ascii\r\n$pths4 = \"/.config/microsoft-edge\" ascii\r\n$pths5 = \"/.config/vivaldi/\" ascii\r\n$pths6 = \"%APPDATA%\\\\\\\\*\\\\\\\\*\\\\\\\\*\\\\\\\\User Data*\" ascii\r\n$walls1 = \"Dogecoin/wallets.dat\" ascii\r\n$walls2 = \"Bitcoin/wallets\" ascii\r\n$walls3 = \"Electrum/wallets\" ascii\r\n$walls4 = \"Exodus/exodus.wallet\" ascii\r\n$walls5 = \"Monero/wallets\" ascii\r\n$drv1 = \"iCloud Drive\" ascii\r\n$drv2 = \"SkyDrive\" ascii\r\n$drv3 = \"OneDrive\" ascii\r\n$drv4 = \"My Drive\" ascii\r\n$drv5 = \"Dropbox\" ascii\r\n$drv6 = \"pCloud\" ascii\r\n$drv7 = \"Box\" ascii\r\n$drv8 = \"iCloud\" ascii\r\n$drv9 = \"SkyDrive\" ascii\r\n$drv10 = \"GoogleDrive\" ascii\r\n$drv11 = \"Dropbox\" ascii\r\n$drv12 = \"Mega\" ascii\r\ncondition:\r\nany of ($bwr*)\r\nand any of ($func*)\r\nand 5 of ($str*)\r\nand 2 of ($pass*)\r\nand 5 of ($params*)\r\nand 2 of ($crpt*)\r\nand 3 of ($pths*)\r\nand 2 of ($walls*)\r\nand 6 of ($drv*)\r\nand filesize < 250KB\r\n/*------------------------Matches = 2---------------------------\r\n742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20 ---Communicating across found C2 infra\r\na7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3 ---Communicating across found C2 infra\r\n*/\r\n}", "pattern_type": "yara", "valid_from": "2025-10-27T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--06b25fd8-37b3-4fd1-b737-a61951f086ec", "hashes": { "SHA-256": "7a62286e68d879b45da710e1daa495978dcae31ae8f0709018a7d82343ec57e8" } }, { "type": "file", "spec_version": "2.1", "id": "file--8f58107a-492c-4aed-a1e0-f6bec5814085", "hashes": { "SHA-256": "be037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e" } }, { "type": "file", "spec_version": "2.1", "id": "file--1ff2c15f-4ada-48f8-97fa-278613b89d77", "hashes": { "SHA-256": "3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3" } }, { "type": "file", "spec_version": "2.1", "id": "file--098e9cfa-01d3-41b3-9544-2c7c85c4d5a6", "hashes": { "SHA-256": "d33f78662df123adf2a178628980b605a0026c0d8c4f4e87e43e724cda258fef" } }, { "type": "file", "spec_version": "2.1", "id": "file--9506bf3d-9d1f-4a86-af77-7a08c77396f7", "hashes": { "SHA-256": "ce47fef68059f569d00dd6a56a61aa9b2986bee1899d3f4d6cc7877b66afc2a6" } }, { "type": "file", "spec_version": "2.1", "id": "file--22d277bc-7e0d-4ce0-bcc0-6141789542bc", "hashes": { "SHA-256": "3414a658f13b652f24301e986f9e0079ef506992472c1d5224180340d8105837" } }, { "type": "file", "spec_version": "2.1", "id": "file--937c8416-72a8-4f95-97aa-0381351499cc", "hashes": { "SHA-256": "8c0233a07662934977d1c5c29b930f4acd57a39200162cbd7d2f2a201601e201" } }, { "type": "file", "spec_version": "2.1", "id": "file--181707ad-34b5-4077-9451-4dfddbec259b", "hashes": { "SHA-256": "a8cdabea3616a6d43e0893322112f9dca05b7d2f88fd1b7370c33c79076216ff" } }, { "type": "file", "spec_version": "2.1", "id": "file--eba378d9-b69b-4804-825a-b38f626d25ae", "hashes": { "SHA-256": "ee3cc7c6bd58113f4a654c74052d252bfd0b0a942db7f71975ce698101aec305" } }, { "type": "file", "spec_version": "2.1", "id": "file--2b821526-e4c2-4534-9776-96f9e04af8c4", "hashes": { "SHA-256": "f46c86c886bbf9915f4841a8c27b38c519fe3ce54ba69c98d233d0ffc94d19fc" } }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--5d876188-8963-4e8b-bc34-dbc65721922f", "value": "karsy117@gmail.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--923b48c7-ed30-403d-a1f8-7e6d3d54847b", "value": "bootstrap.pypa.io" }, { "type": "file", "spec_version": "2.1", "id": "file--659f8255-a37d-4d80-9575-59039ad30643", "hashes": { "SHA-256": "be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c8544984e9765c23e1e0" } }, { "type": "file", "spec_version": "2.1", "id": "file--4089992d-dc5e-46b2-a9b3-40793fe9cf15", "hashes": { "SHA-256": "236ff897dee7d21319482cd67815bd22391523e37e0452fa230813b30884a86f" } }, { "type": "file", "spec_version": "2.1", "id": "file--cde7ab36-15b1-4c0c-a44d-e4492e56cd23", "hashes": { "SHA-256": "742016f01fa89be4d43916d5d2349c8d86dc89f096302501ec22b5c239685a20" } }, { "type": "file", "spec_version": "2.1", "id": "file--618af409-420d-43a4-9ef6-1e4a65f35551", "hashes": { "SHA-256": "a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a18f37da2e989faa3" } }, { "type": "file", "spec_version": "2.1", "id": "file--d286a95a-56c5-4376-be44-7861f246c31d", "hashes": { "SHA-256": "eefe39fe88e75b37babb37c7379d1ec61b187a9677ee5d0c867d13ccb0e31e30" } }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--dc9f09e9-c894-53f2-b8c7-e83de1a6be9a", "created": "2026-06-24T17:27:28.250765Z", "modified": "2026-06-24T17:27:28.250765Z", "name": "DevPopper" }, { "type": "report", "spec_version": "2.1", "id": "report--c099e244-a7ed-4ba6-8a3a-b9105981930b", "created_by_ref": "identity--62791516-e53e-4728-ae58-19ce2cf2fa82", "created": "2026-06-24T17:27:28.274849Z", "modified": "2026-06-24T17:27:28.274849Z", "name": "Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 2)", "published": "2025-10-27T00:00:00Z", "object_refs": [ "identity--62791516-e53e-4728-ae58-19ce2cf2fa82", "ipv4-addr--07b2a6fc-8fc9-4ac8-9a19-ae97064c246f", "domain-name--2f602576-1f4f-43ab-8c8a-59e5a66545b1", "domain-name--e26580cb-b6a4-443f-ad9c-8ae8392d47a8", "ipv4-addr--60084b69-ae94-4275-ac71-e0c3d5bc8969", "ipv4-addr--c29544b2-6785-4508-9dd4-eac983409afd", "ipv4-addr--2cc5c760-1712-4cdd-8546-e80307fb7fc6", "domain-name--b8216169-b8d5-438c-8646-d30abd0a1cd8", "domain-name--e2fd9333-7fae-497e-b014-9fadffa31950", "domain-name--18d42973-ae2d-4798-b17c-fa3598d74d76", "url--626a7140-1ac3-4516-8a1d-f2ca705ce9cd", "url--d839c504-71c7-4a7f-9d66-9300d7e0a796", "file--48891109-a753-4d09-96f3-c7e1c7a46e01", "file--d0996f7f-a725-48ec-b79e-a81c93d79d05", "url--fb3ca530-54f4-4294-8010-696c311c0d1a", "indicator--0a0cfaf8-b826-4505-962a-22cd1acf36ae", "indicator--fbce5949-7820-4b5b-b641-03437e65f107", "indicator--73a7f121-7969-4dd3-8e63-f02a8bc9b6fe", "indicator--be6ae087-5af0-4b2a-a0da-b9352d7d9516", "indicator--a2818787-3908-424e-9a67-20ccd325f009", "file--06b25fd8-37b3-4fd1-b737-a61951f086ec", "file--8f58107a-492c-4aed-a1e0-f6bec5814085", "file--1ff2c15f-4ada-48f8-97fa-278613b89d77", "file--098e9cfa-01d3-41b3-9544-2c7c85c4d5a6", "file--9506bf3d-9d1f-4a86-af77-7a08c77396f7", "file--22d277bc-7e0d-4ce0-bcc0-6141789542bc", "file--937c8416-72a8-4f95-97aa-0381351499cc", "file--181707ad-34b5-4077-9451-4dfddbec259b", "file--eba378d9-b69b-4804-825a-b38f626d25ae", "file--2b821526-e4c2-4534-9776-96f9e04af8c4", "email-addr--5d876188-8963-4e8b-bc34-dbc65721922f", "domain-name--923b48c7-ed30-403d-a1f8-7e6d3d54847b", "file--659f8255-a37d-4d80-9575-59039ad30643", "file--4089992d-dc5e-46b2-a9b3-40793fe9cf15", "file--cde7ab36-15b1-4c0c-a44d-e4492e56cd23", "file--618af409-420d-43a4-9ef6-1e4a65f35551", "file--d286a95a-56c5-4376-be44-7861f246c31d", "threat-actor--dc9f09e9-c894-53f2-b8c7-e83de1a6be9a" ], "external_references": [ { "source_name": "source", "url": "https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-2/" } ] } ] }