CINXE.COM
New variant of Konni malware used in campaign targetting Russia - ThreatDown by Malwarebytes
<!doctype html> <html lang="en-US" class="scroll-smooth"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <title>New variant of Konni malware used in campaign targetting Russia - ThreatDown by Malwarebytes</title> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <!-- Start VWO Common Smartcode --> <script data-cfasync="false" nowprocket type='text/javascript'> var _vwo_clicks = 10; </script> <!-- End VWO Common Smartcode --> <!-- Start VWO Async SmartCode --> <link rel="preconnect" href="https://dev.visualwebsiteoptimizer.com" /> <script data-cfasync="false" nowprocket type='text/javascript' id='vwoCode'> /* Fix: wp-rocket (application/ld+json) */ window._vwo_code || (function () { var account_id=805334, // replace 1 with ${accountId} in release string version=2.1, settings_tolerance=2000, library_tolerance=2500, use_existing_jquery=false, hide_element='body', hide_element_style = 'opacity:0 !important;filter:alpha(opacity=0) !important;background:none !important;transition:none !important;', /* DO NOT EDIT BELOW THIS LINE */ f=false,w=window,d=document,v=d.querySelector('#vwoCode'),cK='_vwo_'+account_id+'_settings',cc={};try{var c=JSON.parse(localStorage.getItem('_vwo_'+account_id+'_config'));cc=c&&typeof c==='object'?c:{}}catch(e){}var stT=cc.stT==='session'?w.sessionStorage:w.localStorage;code={use_existing_jquery:function(){return typeof use_existing_jquery!=='undefined'?use_existing_jquery:undefined},library_tolerance:function(){return typeof library_tolerance!=='undefined'?library_tolerance:undefined},settings_tolerance:function(){return cc.sT||settings_tolerance},hide_element_style:function(){return'{'+(cc.hES||hide_element_style)+'}'},hide_element:function(){if(performance.getEntriesByName('first-contentful-paint')[0]){return''}return typeof cc.hE==='string'?cc.hE:hide_element},getVersion:function(){return version},finish:function(e){if(!f){f=true;var t=d.getElementById('_vis_opt_path_hides');if(t)t.parentNode.removeChild(t);if(e)(new Image).src='https://dev.visualwebsiteoptimizer.com/ee.gif?a='+account_id+e}},finished:function(){return f},addScript:function(e){var t=d.createElement('script');t.type='text/javascript';if(e.src){t.src=e.src}else{t.text=e.text}d.getElementsByTagName('head')[0].appendChild(t)},load:function(e,t){var i=this.getSettings(),n=d.createElement('script'),r=this;t=t||{};if(i){n.textContent=i;d.getElementsByTagName('head')[0].appendChild(n);if(!w.VWO||VWO.caE){stT.removeItem(cK);r.load(e)}}else{var o=new XMLHttpRequest;o.open('GET',e,true);o.withCredentials=!t.dSC;o.responseType=t.responseType||'text';o.onload=function(){if(t.onloadCb){return t.onloadCb(o,e)}if(o.status===200||o.status===304){_vwo_code.addScript({text:o.responseText})}else{_vwo_code.finish('&e=loading_failure:'+e)}};o.onerror=function(){if(t.onerrorCb){return t.onerrorCb(e)}_vwo_code.finish('&e=loading_failure:'+e)};o.send()}},getSettings:function(){try{var e=stT.getItem(cK);if(!e){return}e=JSON.parse(e);if(Date.now()>e.e){stT.removeItem(cK);return}return e.s}catch(e){return}},init:function(){if(d.URL.indexOf('__vwo_disable__')>-1)return;var e=this.settings_tolerance();w._vwo_settings_timer=setTimeout(function(){_vwo_code.finish();stT.removeItem(cK)},e);var t;if(this.hide_element()!=='body'){t=d.createElement('style');var i=this.hide_element(),n=i?i+this.hide_element_style():'',r=d.getElementsByTagName('head')[0];t.setAttribute('id','_vis_opt_path_hides');v&&t.setAttribute('nonce',v.nonce);t.setAttribute('type','text/css');if(t.styleSheet)t.styleSheet.cssText=n;else t.appendChild(d.createTextNode(n));r.appendChild(t)}else{t=d.getElementsByTagName('head')[0];var n=d.createElement('div');n.style.cssText='z-index: 2147483647 !important;position: fixed !important;left: 0 !important;top: 0 !important;width: 100% !important;height: 100% !important;background: white !important;';n.setAttribute('id','_vis_opt_path_hides');n.classList.add('_vis_hide_layer');t.parentNode.insertBefore(n,t.nextSibling)}var o='https://dev.visualwebsiteoptimizer.com/j.php?a='+account_id+'&u='+encodeURIComponent(d.URL)+'&vn='+version;if(w.location.search.indexOf('_vwo_xhr')!==-1){this.addScript({src:o})}else{this.load(o+'&x=true')}}};w._vwo_code=code;code.init();})(); </script> <!-- End VWO Async SmartCode --> <!-- The SEO Framework by Sybre Waaijer --> <meta name="robots" content="max-snippet:-1,max-image-preview:large,max-video-preview:-1" /> <link rel="canonical" href="https://www.threatdown.com/blog/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" /> <meta name="description" content="This blog post was authored by Hossein Jazi In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia." /> <meta property="og:type" content="article" /> <meta property="og:locale" content="en_US" /> <meta property="og:site_name" content="ThreatDown by Malwarebytes" /> <meta property="og:title" content="New variant of Konni malware used in campaign targetting Russia - ThreatDown by Malwarebytes" /> <meta property="og:description" content="This blog post was authored by Hossein Jazi In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni was first observed in the wild in 2014 and has…" /> <meta property="og:url" content="https://www.threatdown.com/blog/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" /> <meta property="og:image" content="https://www.threatdown.com/wp-content/uploads/2021/08/asset_upload_file84705_228403.jpeg" /> <meta property="og:image:width" content="736" /> <meta property="og:image:height" content="414" /> <meta property="og:image:alt" content="New variant of Konni malware used in campaign targetting Russia" /> <meta property="article:published_time" content="2021-08-19T17:00:00+00:00" /> <meta property="article:modified_time" content="2021-08-19T17:00:00+00:00" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:site" content="@Threat_Down" /> <meta name="twitter:creator" content="@Threat_Down" /> <meta name="twitter:title" content="New variant of Konni malware used in campaign targetting Russia - ThreatDown by Malwarebytes" /> <meta name="twitter:description" content="This blog post was authored by Hossein Jazi In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni was first observed in the wild in 2014 and has…" /> <meta name="twitter:image" content="https://www.threatdown.com/wp-content/uploads/2021/08/asset_upload_file84705_228403.jpeg" /> <meta name="twitter:image:alt" content="New variant of Konni malware used in campaign targetting Russia" /> <script type="application/ld+json">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://www.threatdown.com/#/schema/WebSite","url":"https://www.threatdown.com/","name":"ThreatDown by Malwarebytes","inLanguage":"en-US","potentialAction":{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.threatdown.com/search/{search_term_string}/"},"query-input":"required name=search_term_string"},"publisher":{"@type":"Organization","@id":"https://www.threatdown.com/#/schema/Organization","name":"ThreatDown by Malwarebytes","url":"https://www.threatdown.com/"}},{"@type":"WebPage","@id":"https://www.threatdown.com/blog/new-variant-of-konni-malware-used-in-campaign-targetting-russia/","url":"https://www.threatdown.com/blog/new-variant-of-konni-malware-used-in-campaign-targetting-russia/","name":"New variant of Konni malware used in campaign targetting Russia - ThreatDown by Malwarebytes","description":"This blog post was authored by Hossein Jazi In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia.","inLanguage":"en-US","isPartOf":{"@id":"https://www.threatdown.com/#/schema/WebSite"},"breadcrumb":{"@type":"BreadcrumbList","@id":"https://www.threatdown.com/#/schema/BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":"https://www.threatdown.com/","name":"ThreatDown by Malwarebytes"},{"@type":"ListItem","position":2,"item":"https://www.threatdown.com/blog/category/threat-intelligence/","name":"Threat Intelligence"},{"@type":"ListItem","position":3,"name":"New variant of Konni malware used in campaign targetting Russia"}]},"potentialAction":{"@type":"ReadAction","target":"https://www.threatdown.com/blog/new-variant-of-konni-malware-used-in-campaign-targetting-russia/"},"datePublished":"2021-08-19T17:00:00+00:00","dateModified":"2021-08-19T17:00:00+00:00","author":{"@type":"Person","@id":"https://www.threatdown.com/#/schema/Person/be3874ea8c6a0243d6d00dce58dd9c33","name":"Mark Stockley"}}]}</script> <!-- / The SEO Framework by Sybre Waaijer | 10.21ms meta | 0.37ms boot --> <link rel='dns-prefetch' href='//stats.wp.com' /> <link rel="alternate" type="application/rss+xml" title="ThreatDown by Malwarebytes » Feed" href="https://www.threatdown.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="ThreatDown by Malwarebytes » Comments Feed" href="https://www.threatdown.com/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="ThreatDown by Malwarebytes » New variant of Konni malware used in campaign targetting Russia Comments Feed" href="https://www.threatdown.com/blog/new-variant-of-konni-malware-used-in-campaign-targetting-russia/feed/" /> <script> window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/www.threatdown.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.2"}}; /*! This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); </script> <style id='wp-emoji-styles-inline-css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='all-css-2' href='https://www.threatdown.com/wp-includes/css/dist/block-library/style.min.css?m=1739294329g' type='text/css' media='all' /> <style id='td-blocks-plugin-article-subblock-style-inline-css'> /*!***************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/article-subblock/style.scss ***! \***************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ .wp-block-td-blocks-plugin-article-subblock { color: black; } /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-article-tiles-block-style-inline-css'> /*!******************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/article-tiles-block/style.scss ***! \******************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ .wp-block-td-blocks-plugin-article-tiles-block { color: black; } /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-banner-block-style-inline-css'> /*!***********************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/banner-block/style.scss ***! \***********************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-basket-col-subblock-style-inline-css'> /*!******************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/basket-col-subblock/style.scss ***! \******************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-basket-v2-block-style-inline-css'> /*!**************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/basket-v2-block/style.scss ***! \**************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-chevron-block-style-inline-css'> /*!************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/chevron-block/style.scss ***! \************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ /*# sourceMappingURL=style-index.css.map*/ </style> <link rel='stylesheet' id='all-css-14' href='https://www.threatdown.com/_static/??-eJydzE0KgCAQQOELNQ39ULmIzlKjhKSjNEZ1+yC3rdo+Ph6eEShwMpwwumO1LJg0LC7QJpALLod1GnNDCj7Ou5XAWaGk2xmwrM1VkkiBP5avBpp3/T2d/Fj1zdANqlX1A0DOQsQ=' type='text/css' media='all' /> <style id='td-blocks-plugin-cta-subblock-style-inline-css'> /*!***********************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/cta-subblock/style.scss ***! \***********************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-feature-subblock-style-inline-css'> /*!***************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/feature-subblock/style.scss ***! \***************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ .wp-block-td-blocks-plugin-feature-subblock-subblock { color: black; } /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-features-block-style-inline-css'> /*!*************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/features-block/style.scss ***! \*************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ .wp-block-td-blocks-plugin-features-block-block { color: black; } /*# sourceMappingURL=style-index.css.map*/ </style> <link rel='stylesheet' id='all-css-20' href='https://www.threatdown.com/_static/??-eJytzkEOwjAMBMAPYSwKgvaAeAuJTbBInSpOWvg9lXLlhHrdXY0Wlwl80sJacIo1iBoWAheTfxm0BF2VSNgyfKQ8th6tfCKDKPF77812+B9momF1tjJDvpOscyCZhTiDVbeV/eScYO5+f72N18Pl2J/74TR0X4QWgP0=' type='text/css' media='all' /> <style id='td-blocks-plugin-icon-row-block-style-inline-css'> /*!*************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/icon-row-block/style.scss ***! \*************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ .wp-block-td-blocks-plugin-icon-row-block { padding: auto; } /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-icon-subblock-style-inline-css'> /*!************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/icon-subblock/style.scss ***! \************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ .wp-block-td-blocks-plugin-icon-subblock { padding: auto; } /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-prefooter-v2-block-style-inline-css'> /*!*****************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/prefooter-v2-block/style.scss ***! \*****************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ .text-white .wp-block-td-blocks-plugin-prefooter-block p { color: white; } /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-pricecard-block-style-inline-css'> /*!**************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/pricecard-block/style.scss ***! \**************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-prod-features-comp-block-style-inline-css'> /*!***********************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/prod-features-comp-block/style.scss ***! \***********************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ .wp-block-td-blocks-plugin-prod-features-comp-block { color: black; } /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-quote-block-style-inline-css'> /*!**********************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/quote-block/style.scss ***! \**********************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ /* .wp-block-td-blocks-plugin-quote-block { }*/ /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-section-v2-block-style-inline-css'> /*!***************************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/section-v2-block/style.scss ***! \***************************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ /*# sourceMappingURL=style-index.css.map*/ </style> <style id='td-blocks-plugin-stats-block-style-inline-css'> /*!**********************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/stats-block/style.scss ***! \**********************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ /*# sourceMappingURL=style-index.css.map*/ </style> <link rel='stylesheet' id='all-css-36' href='https://www.threatdown.com/wp-content/plugins/td-blocks-plugin/build/blocks/tab-area-block/style-index.css?m=1738689492g' type='text/css' media='all' /> <style id='td-blocks-plugin-tab-subblock-style-inline-css'> /*!***********************************************************************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/dist/cjs.js??ruleSet[1].rules[4].use[1]!./node_modules/postcss-loader/dist/cjs.js??ruleSet[1].rules[4].use[2]!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[4].use[3]!./src/blocks/tab-subblock/style.scss ***! \***********************************************************************************************************************************************************************************************************************************************************/ /** * The following styles get applied both on the front of your site * and in the editor. * * Replace them with your own styles or remove the file completely. */ .wp-block-td-blocks-plugin-tab-subblock { color: black; } /*# sourceMappingURL=style-index.css.map*/ </style> <link rel='stylesheet' id='all-css-40' href='https://www.threatdown.com/_static/??-eJzTLy/QzcxLzilNSS3WzyrWz01NyUxMzUnNTc0rQeEU5CRWphbp5qSmJyZX6uVm5uklFxfr6OPTDpRD5sM02efaGpobWxpZmhgbGwAAROEu5A==' type='text/css' media='all' /> <style id='jetpack-sharing-buttons-style-inline-css'> .jetpack-sharing-buttons__services-list{display:flex;flex-direction:row;flex-wrap:wrap;gap:0;list-style-type:none;margin:5px;padding:0}.jetpack-sharing-buttons__services-list.has-small-icon-size{font-size:12px}.jetpack-sharing-buttons__services-list.has-normal-icon-size{font-size:16px}.jetpack-sharing-buttons__services-list.has-large-icon-size{font-size:24px}.jetpack-sharing-buttons__services-list.has-huge-icon-size{font-size:36px}@media print{.jetpack-sharing-buttons__services-list{display:none!important}}.editor-styles-wrapper .wp-block-jetpack-sharing-buttons{gap:0;padding-inline-start:0}ul.jetpack-sharing-buttons__services-list.has-background{padding:1.25em 2.375em} </style> <style id='global-styles-inline-css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--color--background: #ffffff;--wp--preset--color--foreground: #252525;--wp--preset--color--primary: #2b3a67;--wp--preset--color--secondary: #1e3a8a;--wp--preset--color--trinary: #83f0f8;--wp--preset--color--hl-yellow: #efc148;--wp--preset--color--hl-green: #1ea50f;--wp--preset--color--hl-pink: #e7448b;--wp--preset--color--hl-magenta: #a02a5c;--wp--preset--color--hl-paleblue: #8dcffd;--wp--preset--color--hl-medblue: #009deb;--wp--preset--color--mb-blue: #0d3ecc;--wp--preset--color--legacy-blue: #172554;--wp--preset--color--ice-blue: #CCDFFD;--wp--preset--color--theme-light-gray: #f3f4f6;--wp--preset--color--theme-black: #000000;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--gradient--secondary-to-legacy: linear-gradient(to bottom, #1e3a8a, #172554);--wp--preset--gradient--legacy-to-secondary: linear-gradient(to bottom, #172554, #1e3a8a);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:root { --wp--style--global--content-size: 75rem;--wp--style--global--wide-size: 90rem; }:where(body) { margin: 0; }.wp-site-blocks > .alignleft { float: left; margin-right: 2em; }.wp-site-blocks > .alignright { float: right; margin-left: 2em; }.wp-site-blocks > .aligncenter { justify-content: center; margin-left: auto; margin-right: auto; }:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}.is-layout-flow > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}.is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}.is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}.is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}.is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}.is-layout-constrained > .aligncenter{margin-left: auto !important;margin-right: auto !important;}.is-layout-constrained > :where(:not(.alignleft):not(.alignright):not(.alignfull)){max-width: var(--wp--style--global--content-size);margin-left: auto !important;margin-right: auto !important;}.is-layout-constrained > .alignwide{max-width: var(--wp--style--global--wide-size);}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}body{padding-top: 0px;padding-right: 0px;padding-bottom: 0px;padding-left: 0px;}a:where(:not(.wp-element-button)){text-decoration: underline;}:root :where(.wp-element-button, .wp-block-button__link){background-color: #32373c;border-width: 0;color: #fff;font-family: inherit;font-size: inherit;line-height: inherit;padding: calc(0.667em + 2px) calc(1.333em + 2px);text-decoration: none;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-background-color{color: var(--wp--preset--color--background) !important;}.has-foreground-color{color: var(--wp--preset--color--foreground) !important;}.has-primary-color{color: var(--wp--preset--color--primary) !important;}.has-secondary-color{color: var(--wp--preset--color--secondary) !important;}.has-trinary-color{color: var(--wp--preset--color--trinary) !important;}.has-hl-yellow-color{color: var(--wp--preset--color--hl-yellow) !important;}.has-hl-green-color{color: var(--wp--preset--color--hl-green) !important;}.has-hl-pink-color{color: var(--wp--preset--color--hl-pink) !important;}.has-hl-magenta-color{color: var(--wp--preset--color--hl-magenta) !important;}.has-hl-paleblue-color{color: var(--wp--preset--color--hl-paleblue) !important;}.has-hl-medblue-color{color: var(--wp--preset--color--hl-medblue) !important;}.has-mb-blue-color{color: var(--wp--preset--color--mb-blue) !important;}.has-legacy-blue-color{color: var(--wp--preset--color--legacy-blue) !important;}.has-ice-blue-color{color: var(--wp--preset--color--ice-blue) !important;}.has-theme-light-gray-color{color: var(--wp--preset--color--theme-light-gray) !important;}.has-theme-black-color{color: var(--wp--preset--color--theme-black) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-background-background-color{background-color: var(--wp--preset--color--background) !important;}.has-foreground-background-color{background-color: var(--wp--preset--color--foreground) !important;}.has-primary-background-color{background-color: var(--wp--preset--color--primary) !important;}.has-secondary-background-color{background-color: var(--wp--preset--color--secondary) !important;}.has-trinary-background-color{background-color: var(--wp--preset--color--trinary) !important;}.has-hl-yellow-background-color{background-color: var(--wp--preset--color--hl-yellow) !important;}.has-hl-green-background-color{background-color: var(--wp--preset--color--hl-green) !important;}.has-hl-pink-background-color{background-color: var(--wp--preset--color--hl-pink) !important;}.has-hl-magenta-background-color{background-color: var(--wp--preset--color--hl-magenta) !important;}.has-hl-paleblue-background-color{background-color: var(--wp--preset--color--hl-paleblue) !important;}.has-hl-medblue-background-color{background-color: var(--wp--preset--color--hl-medblue) !important;}.has-mb-blue-background-color{background-color: var(--wp--preset--color--mb-blue) !important;}.has-legacy-blue-background-color{background-color: var(--wp--preset--color--legacy-blue) !important;}.has-ice-blue-background-color{background-color: var(--wp--preset--color--ice-blue) !important;}.has-theme-light-gray-background-color{background-color: var(--wp--preset--color--theme-light-gray) !important;}.has-theme-black-background-color{background-color: var(--wp--preset--color--theme-black) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-background-border-color{border-color: var(--wp--preset--color--background) !important;}.has-foreground-border-color{border-color: var(--wp--preset--color--foreground) !important;}.has-primary-border-color{border-color: var(--wp--preset--color--primary) !important;}.has-secondary-border-color{border-color: var(--wp--preset--color--secondary) !important;}.has-trinary-border-color{border-color: var(--wp--preset--color--trinary) !important;}.has-hl-yellow-border-color{border-color: var(--wp--preset--color--hl-yellow) !important;}.has-hl-green-border-color{border-color: var(--wp--preset--color--hl-green) !important;}.has-hl-pink-border-color{border-color: var(--wp--preset--color--hl-pink) !important;}.has-hl-magenta-border-color{border-color: var(--wp--preset--color--hl-magenta) !important;}.has-hl-paleblue-border-color{border-color: var(--wp--preset--color--hl-paleblue) !important;}.has-hl-medblue-border-color{border-color: var(--wp--preset--color--hl-medblue) !important;}.has-mb-blue-border-color{border-color: var(--wp--preset--color--mb-blue) !important;}.has-legacy-blue-border-color{border-color: var(--wp--preset--color--legacy-blue) !important;}.has-ice-blue-border-color{border-color: var(--wp--preset--color--ice-blue) !important;}.has-theme-light-gray-border-color{border-color: var(--wp--preset--color--theme-light-gray) !important;}.has-theme-black-border-color{border-color: var(--wp--preset--color--theme-black) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-secondary-to-legacy-gradient-background{background: var(--wp--preset--gradient--secondary-to-legacy) !important;}.has-legacy-to-secondary-gradient-background{background: var(--wp--preset--gradient--legacy-to-secondary) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='all-css-48' href='https://www.threatdown.com/_static/??-eJyVUEEOwjAM+xBdxEBCOyAewQu2NisRXVs1rQa/J5SBuAyJox3bkQ1zVOS1KwYZNDMY4gw6TDF49JmB891hM5Fv5LoBkevgs5wgumLJM7iQM+FIThKGQs58M2pMVW6e9tWIWAZHfIkJmRVjIjHGFCAke67ob+e7UwW9MUG0eMupVzlcUcAnWlV69cGMVuoss8g+tY/6VWZx9DG+xmPwOKvR9bZ6TtNxe9h1bbfftd0DwPqReQ==' type='text/css' media='all' /> <style id='weglot-css-inline-css'> .country-selector.weglot-dropdown .wgcurrent span { padding-right: 30px; } .country-selector.weglot-dropdown .wgcurrent { border: none; } .country-selector.weglot-dropdown ul { border-radius: 5px; } </style> <style id='custom-flag-handle-inline-css'> .weglot-flags.flag-0.en>a:before,.weglot-flags.flag-0.en>span:before {background-image: url(https://cdn.weglot.com/flags/rectangle_mat/us.svg); }.weglot-flags.flag-1.en>a:before,.weglot-flags.flag-1.en>span:before {background-image: url(https://cdn.weglot.com/flags/shiny/us.svg); }.weglot-flags.flag-2.en>a:before,.weglot-flags.flag-2.en>span:before {background-image: url(https://cdn.weglot.com/flags/square/us.svg); }.weglot-flags.flag-3.en>a:before,.weglot-flags.flag-3.en>span:before {background-image: url(https://cdn.weglot.com/flags/circle/us.svg); } </style> <link rel='stylesheet' id='all-css-50' href='https://www.threatdown.com/_static/??/wp-content/themes/mbc/style.css,/wp-includes/css/dashicons.min.css?m=1739555943' type='text/css' media='all' /> <script type="text/javascript" src="https://www.threatdown.com/_static/??/wp-content/plugins/lottiefiles/build/frontend-helper.js,/wp-content/plugins/weglot/dist/front-js.js?m=1739307015j" ></script><link rel="https://api.w.org/" href="https://www.threatdown.com/api/" /><link rel="alternate" title="JSON" type="application/json" href="https://www.threatdown.com/api/wp/v2/posts/70182" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://www.threatdown.com/xmlrpc.php?rsd" /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://www.threatdown.com/api/oembed/1.0/embed?url=https%3A%2F%2Fwww.threatdown.com%2Fblog%2Fnew-variant-of-konni-malware-used-in-campaign-targetting-russia%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://www.threatdown.com/api/oembed/1.0/embed?url=https%3A%2F%2Fwww.threatdown.com%2Fblog%2Fnew-variant-of-konni-malware-used-in-campaign-targetting-russia%2F&format=xml" /> <style>img#wpstats{display:none}</style> <link rel="pingback" href="https://www.threatdown.com/xmlrpc.php"><style type="text/css">.blue-message { background: none repeat scroll 0 0 #3399ff; color: #ffffff; text-shadow: none; font-size: 16px; line-height: 24px; padding: 10px; } .green-message { background: none repeat scroll 0 0 #8cc14c; color: #ffffff; text-shadow: none; font-size: 16px; line-height: 24px; padding: 10px; } .orange-message { background: none repeat scroll 0 0 #faa732; color: #ffffff; text-shadow: none; font-size: 16px; line-height: 24px; padding: 10px; } .red-message { background: none repeat scroll 0 0 #da4d31; color: #ffffff; text-shadow: none; font-size: 16px; line-height: 24px; padding: 10px; } .grey-message { background: none repeat scroll 0 0 #53555c; color: #ffffff; text-shadow: none; font-size: 16px; line-height: 24px; padding: 10px; } .left-block { background: none repeat scroll 0 0px, radial-gradient(ellipse at center center, #ffffff 0%, #f2f2f2 100%) repeat scroll 0 0 rgba(0, 0, 0, 0); color: #8b8e97; padding: 10px; margin: 10px; float: left; } .right-block { background: none repeat scroll 0 0px, radial-gradient(ellipse at center center, #ffffff 0%, #f2f2f2 100%) repeat scroll 0 0 rgba(0, 0, 0, 0); color: #8b8e97; padding: 10px; margin: 10px; float: right; } .blockquotes { background: none; border-left: 5px solid #f1f1f1; color: #8B8E97; font-size: 16px; font-style: italic; line-height: 22px; padding-left: 15px; padding: 10px; width: 60%; float: left; } </style> <!-- Jetpack Open Graph Tags --> <meta property="og:type" content="article" /> <meta property="og:title" content="New variant of Konni malware used in campaign targetting Russia" /> <meta property="og:url" content="https://www.threatdown.com/blog/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" /> <meta property="og:description" content="This blog post was authored by Hossein Jazi In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni was first observed in the wild in 2014 and …" /> <meta property="article:published_time" content="2021-08-19T17:00:00+00:00" /> <meta property="article:modified_time" content="2021-08-19T17:00:00+00:00" /> <meta property="og:site_name" content="ThreatDown by Malwarebytes" /> <meta property="og:image" content="https://www.threatdown.com/wp-content/uploads/2021/08/asset_upload_file84705_228403.jpeg" /> <meta property="og:image:width" content="736" /> <meta property="og:image:height" content="414" /> <meta property="og:image:alt" content="New variant of Konni malware used in campaign targetting Russia" /> <meta property="og:locale" content="en_US" /> <meta name="twitter:text:title" content="New variant of Konni malware used in campaign targetting Russia" /> <meta name="twitter:image" content="https://www.threatdown.com/wp-content/uploads/2021/08/asset_upload_file84705_228403.jpeg?w=640" /> <meta name="twitter:image:alt" content="New variant of Konni malware used in campaign targetting Russia" /> <meta name="twitter:card" content="summary_large_image" /> <!-- End Jetpack Open Graph Tags --> <link rel="icon" href="https://www.threatdown.com/wp-content/uploads/2023/11/favicon.svg?w=16" sizes="32x32" /> <link rel="icon" href="https://www.threatdown.com/wp-content/uploads/2023/11/favicon.svg?w=16" sizes="192x192" /> <link rel="apple-touch-icon" href="https://www.threatdown.com/wp-content/uploads/2023/11/favicon.svg?w=16" /> <meta name="msapplication-TileImage" content="https://www.threatdown.com/wp-content/uploads/2023/11/favicon.svg?w=16" /> <style id="wp-custom-css"> .wp-block-td-blocks-plugin-content-card-block .blue-teal-button-cta { text-wrap: nowrap; color: rgb(43 58 103) !important; } /* Apply negative top margin of 30px - HD */ .-top-30 { margin-top: -30px !important; } /* Apply negative top margin of 60px - HD */ .-top-60 { margin-top: -60px !important; } /* Apply negative top margin of 70px - HD */ .-top-70 { margin-top: -70px !important; } /* Apply negative top margin of 90px - HD */ .-top-90 { margin-top: -90px !important; } /* Apply negative top margin of 120px - HD */ .-top-120 { margin-top: -120px !important; } /* Apply negative top margin of 150px - HD */ .-top-150 { margin-top: -150px !important; } .yellow-underline { text-decoration: underline; text-decoration-color: #efc148; } .pr-1 { padding-right: 7px; !important; } .special-underline a { text-decoration: none !important; } .special-underline a:hover { text-decoration: underline !important; } .products-list .special-underline a { text-decoration: none !important; } .products-list .special-underline a:hover { text-decoration: underline !important; } .products-list .top-aligned { align-items: flex-start !important; } .products-list .top-aligned a { text-decoration: none !important; cursor: pointer; } .products-list .top-aligned a:hover { text-decoration: underline !important; } .vimeo { display: flex; justify-content: center; align-items: center; height: 100%; width: calc(100% - 40px); max-width: 800px; margin: 125px auto; transform: scale(1.5); } @media (max-width: 1200px) { .vimeo { width: calc(100% - 60px); transform: scale(1.75); } } @media (max-width: 992px) { .vimeo { width: calc(100% - 80px); transform: scale(1.5); } } @media (max-width: 650px) { .vimeo { width: calc(100% - 20px); transform: scale(1); } } .no-underline a { text-decoration: none !important; } .cyan-bullets { list-style-type: none; /* Remove default bullets */ padding: 0; /* Remove any default padding */ margin: 0; /* Remove any default margin */ } .cyan-bullets ul, .cyan-bullets ol { list-style-type: none; /* Ensure nested lists also do not show bullets */ } .cyan-bullets li { position: relative; /* Position relative for pseudo-element */ padding-left: 2.5rem; /* Space for the checkmark */ margin-bottom: 1.1rem; /* Space between list items */ list-style: none; /* Ensure list style is none for list items */ } .cyan-bullets li::before { content: ""; /* Empty content for the bubble */ position: absolute; /* Position the bubble */ left: 0; /* Align the bubble with the text */ top: 50%; /* Center the bubble vertically */ transform: translateY(-50%); /* Center the bubble vertically */ width: 1.7em; /* Size of the bubble */ height: 1.7em; /* Size of the bubble */ background-color: #83f0f8; /* Bubble color */ border-radius: 50%; /* Circular shape */ display: flex; /* Center the checkmark */ align-items: center; /* Center the checkmark */ justify-content: center; /* Center the checkmark */ } .cyan-bullets li::after { content: "\2714"; /* Unicode for a thicker checkmark */ position: absolute; /* Position the checkmark */ left: 0.40em; /* Adjust based on the bubble size */ top: 50%; /* Center the checkmark vertically */ transform: translateY(-50%); /* Center the checkmark vertically */ color: #1e3a8a; /* Checkmark color */ font-size: 0.8em; /* Reduced size of the checkmark */ font-weight: bold; /* Make the checkmark thicker */ } @keyframes bounce { 0%, 100% { transform: translateY(0); } 50% { transform: translateY(-10px); } } .bounce { animation: bounce 1.5s infinite; } .td-bg-fireworks { background-image: url(/wp-content/uploads/2024/10/MSP_graphic_full.png); background-repeat: no-repeat; background-position-x: center; background-position-y: top; background-size: max(80vw, 1200px) auto; } #hero-image { opacity: 0; animation: fadeIn 0.3s ease-in forwards; animation-delay: 0.3s; } @keyframes fadeIn { from { opacity: 0; } to { opacity: 1; } } .vwo_loaded.vwo_loaded_63_3 img { max-width: 70% !important; } </style> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-MQ92VXZT');</script> <!-- End Google Tag Manager --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500;700;900&display=swap" rel="stylesheet"> <meta name=“trustpilot-one-time-domain-verification-id” content=“d9e57b6e-2de2-4328-800e-29f72337ea9c”/> </head> <body class="post-template-default single single-post postid-70182 single-format-standard wp-embed-responsive has-[#mobile-nav:checked]:md:overflow-hidden text-blue-950 jps-theme-mbc"> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-MQ92VXZT" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) --> <header class="fixed z-50 top-0 left-0 w-full h-24 bg-white shadow-md shadow-blue-900/50 md:h-16 md:shadow-none"> <div class="container h-full lg:max-w-none md:px-0"> <div class="relative h-full md:static"> <input id="mobile-nav" class="hidden peer/mobile-nav" type="checkbox"> <div id="mobile-nav-header" class="absolute h-full flex items-end inset-0 lg:items-start md:fixed md:z-50 md:inset-0 md:w-full md:h-16 md:bg-white md:shadow-md md:shadow-blue-900/60 md:px-4 md:items-center"> <div id="logo" class="absolute z-50 py-2 md:static md:flex-1"> <a href="https://www.threatdown.com/"> <img class="max-w-56 lg:max-w-44 md:max-w-36" src="https://www.threatdown.com/wp-content/themes/mbc/images/logo-header-threatdown-horizontal.svg" alt="ThreatDown Powered by Malwarebytes"> </a> </div> <label id="mobile-nav-btn" for="mobile-nav" class="hidden md:block" type="button" role="button" aria-label="Open mobile menu" tabindex="0" aria-pressed="true" aria-haspopup="true" aria-expanded="false" aria-controls="navbar"> <span class="firstline my-[7px] block h-[2px] w-[26px] bg-primary" style="transition: .3s ease-in-out"> </span> <span class="secondline my-[7px] block h-[2px] w-[26px] bg-primary" style="transition: .3s ease-in-out"> </span> <span class="thirdline my-[7px] block h-[2px] w-[26px] bg-primary" style="transition: .3s ease-in-out"> </span> </label> </div> <nav class="relative flex flex-col md:hidden md:absolute md:top-0 md:left-0 md:h-dvh md:overflow-y-auto md:overflow-x-hidden md:w-full md:pt-16 md:bg-white peer-checked/mobile-nav:md:block"> <div id="nav-utility" class="flex justify-end items-center gap-5 h-8 md:flex-col-reverse md:h-auto md:items-start md:gap-0"> <div class="group relative"> <button id="nav-main-login" class="text-sm text-blue-950 font-medium group-hover:border-b-2 group-hover:border-blue-950 transition-all duration-100 delay-200 md:hidden" style="letter-spacing: 0.03em;">SIGN IN</button> <div class="invisible z-40 opacity-0 -translate-y-1 absolute top-full right-0 group-hover:visible group-hover:translate-y-0 px-6 py-2 bg-white shadow-equal rounded w-56 transition-all group-hover:opacity-100 duration-300 delay-200 md:visible md:opacity-100 md:static md:w-auto md:shadow-none md:translate-y-0 md:px-4 md:py-0"> <ul class="*:border-b *:border-gray-200 last:*:border-none *:py-2"> <li> <a id="nav-login-nebula" class="block hover:underline rounded p-2" href="https://cloud.threatdown.com/auth/login"> Nebula sign in </a> </li> <li> <a id="nav-login-oneview" class="block hover:underline rounded p-2" href="https://oneview.malwarebytes.com/auth/login"> OneView sign in </a> </li> <li> <a id="nav-login-partner_portal" class="block hover:underline rounded p-2" href="https://partners.malwarebytes.com/English/"> Partner Portal sign in </a> </li> </ul> </div> </div> <div class="md:py-2 md:px-4 md:flex md:self-end md:*:z-0"> <!--Weglot 4.3.0--><aside data-wg-notranslate="" class="country-selector weglot-dropdown close_outside_click closed weglot-shortcode wg-" tabindex="0" aria-expanded="false" aria-label="Language selected: English"><ul role="none"></ul></aside> </div> </div> <div id="nav-main" class="flex text-blue-950 justify-end items-center gap-4 h-16 lg:gap-5 lg:pt-2 md:h-auto md:block md:bg-gradient-to-b md:from-slate-100 md:to-blue-50 md:border-b md:border-t md:border-blue-950"> <div class="flex group h-full items-center md:h-auto md:p-4 md:border-b md:border-gray-300"> <input id="mobile-subnav-products" class="hidden peer/mobile-subnav" type="checkbox"> <label for="mobile-subnav-products" class="text-lg py-1 cursor-pointer border-b-0 group-hover:border-b-2 border-blue-950 transition-all duration-100 delay-200 lg:text-base group-hover:md:border-b-0 md:w-full md:text-lg"> <h2>Products</h2> </label> <div class="invisible top-24 opacity-0 -translate-y-1 transition-all group-hover:opacity-100 duration-300 delay-200 group-hover:visible group-hover:translate-y-0 bg-white absolute w-full left-0 p-1 border-t-2 border-gray-300 shadow-lg shadow-blue-950/50 rounded-b-md md:block md:absolute md:top-0 md:left-[1000px] md:h-dvh md:overflow-y-auto md:overflow-x-hidden md:w-full md:pt-16 md:bg-white peer-checked/mobile-subnav:md:block peer-checked/mobile-subnav:md:left-0 md:transition-[left] md:duration-200 md:visible md:opacity-100 md:translate-y-0 md:rounded-none md:px-0"> <label for="mobile-subnav-products" class="hidden text-lg md:block p-4 md:bg-gradient-to-b md:from-slate-100 md:to-blue-50 md:border-b md:border-gray-300">< Products</label><div class='flex md:block'> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] menu-item menu-item-type-custom menu-item-object-custom text-primary font-bold text-xl mb-3"> <h2>Products</h2> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/endpoint-detection-and-response/">Endpoint Detection & Response (EDR)</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/endpoint-protection/">Endpoint Protection</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/vulnerability-assessment/">Vulnerability Assessment</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/patch-management/">Patch Management</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/application-block/">Application Block</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/dns-filtering/">DNS Filtering</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/mobile-security/">Mobile Security</a> </li> </ul> </div> </div> </div> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] menu-item menu-item-type-custom menu-item-object-custom text-primary font-bold text-xl mb-3"> <h2>Services</h2> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/managed-detection-and-response/">Managed Detection & Response (MDR)</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/managed-threat-hunting/">Managed Threat Hunting</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/premium-support/">Premium Support</a> </li> </ul> </div> </div> </div> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] menu-item menu-item-type-custom menu-item-object-custom text-primary font-bold text-xl mb-3"> <h2>Why ThreatDown</h2> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/vs/webroot/">vs Webroot</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/vs/bitdefender/">vs Bitdefender</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/vs/eset/">vs ESET</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><div style="margin-bottom: 67px"></div> <div style="padding-bottom: 0px"><a class="hover:underline font-semibold" href="https://www.threatdown.com/vs/">More competitor comparisons ></a></div> </div> </li> </ul> </div> </div> </div></div> </div> </div> <div class="flex group h-full items-center md:h-auto md:p-4 md:border-b md:border-gray-300"> <input id="mobile-subnav-platforms" class="hidden peer/mobile-subnav" type="checkbox"> <label for="mobile-subnav-platforms" class="text-lg py-1 cursor-pointer border-b-0 group-hover:border-b-2 border-blue-950 transition-all duration-100 delay-200 lg:text-base group-hover:md:border-b-0 md:w-full md:text-lg"> <h2>Platforms</h2> </label> <div class="invisible top-24 opacity-0 -translate-y-1 transition-all group-hover:opacity-100 duration-300 delay-200 group-hover:visible group-hover:translate-y-0 bg-white absolute w-full left-0 p-1 border-t-2 border-gray-300 shadow-lg shadow-blue-950/50 rounded-b-md md:block md:absolute md:top-0 md:left-[1000px] md:h-dvh md:overflow-y-auto md:overflow-x-hidden md:w-full md:pt-16 md:bg-white peer-checked/mobile-subnav:md:block peer-checked/mobile-subnav:md:left-0 md:transition-[left] md:duration-200 md:visible md:opacity-100 md:translate-y-0 md:rounded-none md:px-0"> <label for="mobile-subnav-platforms" class="hidden text-lg md:block p-4 md:bg-gradient-to-b md:from-slate-100 md:to-blue-50 md:border-b md:border-gray-300">< Platforms</label><div class='flex md:block'> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/platforms/">Nebula</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Single-tenant console that allows you to manage your organization’s endpoint security<br /></br></p> <p class="!mt-3"><a class="hover:underline font-semibold " href="https://cloud.threatdown.com/auth/login">Nebula customer sign in ></a></p> </div> </li> </ul> </div> </div> </div> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/platforms/">OneView</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Multi-tenant console for MSPs that provides centralized visibility and management capabilities across all your customer sites<br /></br></p> <p class="!mt-3"><a class="hover:underline font-semibold " href="https://oneview.threatdown.com/auth/login">OneView customer sign in ></a></p> </div> </li> </ul> </div> </div> </div> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-5 text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><img width="926" height="737" src="https://www.threatdown.com/wp-content/uploads/2025/01/Platforms_dashboards.png?w=926" class="attachment-valuexlabel size-valuexlabel" alt="" /></div> </li> </ul> </div> </div> </div></div> </div> </div> <div class="flex group h-full items-center md:h-auto md:p-4 md:border-b md:border-gray-300"> <input id="mobile-subnav-partners" class="hidden peer/mobile-subnav" type="checkbox"> <label for="mobile-subnav-partners" class="text-lg py-1 cursor-pointer border-b-0 group-hover:border-b-2 border-blue-950 transition-all duration-100 delay-200 lg:text-base group-hover:md:border-b-0 md:w-full md:text-lg"> <h2>Partners</h2> </label> <div class="invisible top-24 opacity-0 -translate-y-1 transition-all group-hover:opacity-100 duration-300 delay-200 group-hover:visible group-hover:translate-y-0 bg-white absolute w-full left-0 p-1 border-t-2 border-gray-300 shadow-lg shadow-blue-950/50 rounded-b-md md:block md:absolute md:top-0 md:left-[1000px] md:h-dvh md:overflow-y-auto md:overflow-x-hidden md:w-full md:pt-16 md:bg-white peer-checked/mobile-subnav:md:block peer-checked/mobile-subnav:md:left-0 md:transition-[left] md:duration-200 md:visible md:opacity-100 md:translate-y-0 md:rounded-none md:px-0"> <label for="mobile-subnav-partners" class="hidden text-lg md:block p-4 md:bg-gradient-to-b md:from-slate-100 md:to-blue-50 md:border-b md:border-gray-300">< Partners</label><div class='flex md:block'> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/partner-program/">Explore Partnerships</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Review program benefits, innovative technology, channel first mentality</p> </div> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/partner-program/msp/">Managed Service Providers</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Everything MSPs need to run their business seamlessly</p> </div> </li> </ul> </div> </div> </div> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/technology-integrations/">Technology Partners</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Explore our technology integrations<br /></br></p> </div> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/partner-program/partner-reseller/">Resellers</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Build growth, profitability, and customer loyalty</p> </div> </li> </ul> </div> </div> </div> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-5 text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><img width="356" height="247" src="https://www.threatdown.com/wp-content/uploads/2023/11/px-center.png?w=356" class="attachment-valuexlabel size-valuexlabel" alt="" /></div> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Retain and grow your business with tools, education, and support in the partner experience center.</p> <p class="!mt-3"><a class="hover:underline font-semibold " href="https://partners.threatdown.com/English/ ">Sign in to PXC ></a></p> </div> </li> </ul> </div> </div> </div></div> </div> </div> <div class="flex group h-full items-center md:h-auto md:p-4 md:border-b md:border-gray-300"> <input id="mobile-subnav-resources" class="hidden peer/mobile-subnav" type="checkbox"> <label for="mobile-subnav-resources" class="text-lg py-1 cursor-pointer border-b-0 group-hover:border-b-2 border-blue-950 transition-all duration-100 delay-200 lg:text-base group-hover:md:border-b-0 md:w-full md:text-lg"> <h2>Resources</h2> </label> <div class="invisible top-24 opacity-0 -translate-y-1 transition-all group-hover:opacity-100 duration-300 delay-200 group-hover:visible group-hover:translate-y-0 bg-white absolute w-full left-0 p-1 border-t-2 border-gray-300 shadow-lg shadow-blue-950/50 rounded-b-md md:block md:absolute md:top-0 md:left-[1000px] md:h-dvh md:overflow-y-auto md:overflow-x-hidden md:w-full md:pt-16 md:bg-white peer-checked/mobile-subnav:md:block peer-checked/mobile-subnav:md:left-0 md:transition-[left] md:duration-200 md:visible md:opacity-100 md:translate-y-0 md:rounded-none md:px-0"> <label for="mobile-subnav-resources" class="hidden text-lg md:block p-4 md:bg-gradient-to-b md:from-slate-100 md:to-blue-50 md:border-b md:border-gray-300">< Resources</label><div class='flex md:block'> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] text-base text-xl menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class="text-xl menu-item menu-item-type-custom menu-item-object-custom" href="/threat-center/">Threat Center</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Learn about the latest threat news</p> </div> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/threat-center/reports/">Reports</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/threat-detections/">Threat Detections</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/threat-center/executive-pov/">Executive POV</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/glossary/">Glossary</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/blog/">Blog</a> </li> </ul> </div> </div> </div> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] text-base text-xl menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class="text-xl menu-item menu-item-type-custom menu-item-object-custom" href="/resources/">Resource Center</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Learn more about ThreatDown</p> </div> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/resources/categories/case-studies/">Case Studies</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/resources/categories/products/">Products & Review</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/resources/categories/cybersecurity-tips-tricks/">Cybersecurity Tips & Tricks</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/resources/categories/webinars/">Webinars</a> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/about-us/">About Us</a> </li> </ul> </div> </div> </div> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-5 text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><img width="712" height="494" src="https://www.threatdown.com/wp-content/uploads/2025/02/NAV-SOM-2025.png?w=712" class="attachment-valuexlabel size-valuexlabel" alt="" /></div> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Dive into the threats that matter in the year of autonomous AI and “dark horse” ransomware.</p> <p class="!mt-3"><a class="hover:underline font-semibold " href="https://www.threatdown.com/dl-state-of-malware-2025/">Download now ></a></p> </div> </li> </ul> </div> </div> </div></div> </div> </div> <div class="flex text-lg group h-full items-center lg:text-base md:text-lg md:h-auto md:p-4 md:border-b md:border-gray-300"> <a class="cta-navbar-pricing-main menu-item menu-item-type-custom menu-item-object-custom" href="/pricing/">Pricing</a> <div> </div> </div> <div class="flex group h-full items-center md:h-auto md:p-4 md:border-b md:border-gray-300"> <input id="mobile-subnav-support" class="hidden peer/mobile-subnav" type="checkbox"> <label for="mobile-subnav-support" class="text-lg py-1 cursor-pointer border-b-0 group-hover:border-b-2 border-blue-950 transition-all duration-100 delay-200 lg:text-base group-hover:md:border-b-0 md:w-full md:text-lg"> <h2>Support</h2> </label> <div class="invisible top-24 opacity-0 -translate-y-1 transition-all group-hover:opacity-100 duration-300 delay-200 group-hover:visible group-hover:translate-y-0 bg-white absolute w-full left-0 p-1 border-t-2 border-gray-300 shadow-lg shadow-blue-950/50 rounded-b-md md:block md:absolute md:top-0 md:left-[1000px] md:h-dvh md:overflow-y-auto md:overflow-x-hidden md:w-full md:pt-16 md:bg-white peer-checked/mobile-subnav:md:block peer-checked/mobile-subnav:md:left-0 md:transition-[left] md:duration-200 md:visible md:opacity-100 md:translate-y-0 md:rounded-none md:px-0"> <label for="mobile-subnav-support" class="hidden text-lg md:block p-4 md:bg-gradient-to-b md:from-slate-100 md:to-blue-50 md:border-b md:border-gray-300">< Support</label><div class='flex md:block'> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] menu-item menu-item-type-custom menu-item-object-custom text-primary font-bold text-xl mb-3"> <h2>Get Help</h2> </li> <li class="mt-[3px] mb-[3px] text-base text-transparent desktop-placeholder menu-item menu-item-type-custom menu-item-object-custom "> <div><div style="color: white">.</div> </div> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="https://support.threatdown.com/hc/en-us">Nebula Support</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Get help or ask questions about the Nebula platform</p> </div> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="https://support.threatdown.com/hc/en-us/p/oneview">OneView Support</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Get help or ask questions about the OneView platform</p> </div> </li> </ul> </div> </div> </div> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-[3px] menu-item menu-item-type-custom menu-item-object-custom text-primary font-bold text-xl mb-3"> <h2>Managed Services Terms & Conditions</h2> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/legal/managed-services-agreement/">Managed Service Teams</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Partner agreement for Managed Service Providers</p> </div> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="https://www.threatdown.com/wp-content/uploads/2023/11/ThreatDown-MTH-Service-Description-Nov2023.pdf">MTH Service Description</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Managed Threat Hunting overview, capabilities and support</p> </div> </li> <li class="mt-5 mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom text-lg font-bold bg-gradient-to-t from-secondary-400 to-secondary-700 bg-clip-text text-transparent underline-offset-4 decoration-2 decoration-transparent transition duration-500 hover:underline hover:decoration-secondary hover:transition hover:duration-500"> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="https://www.threatdown.com/wp-content/uploads/2024/10/Malwarebytes-MDR-Service-Overview-Oct2024.pdf">MDR Service Description</a> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Managed Detection and Response overview, capabilities and support</p> </div> </li> </ul> </div> </div> </div> <div class="flex divide-x px-0 bg-white w-96"> <div class="flex-1" role="menuitem"> <div class="h-full bg-white p-4 text-primary"> <ul class="py-1 pl-5 h-full list-none md:pl-0 md:border-none gradient-divider menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children"> <li class=" mb-5 text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><img width="712" height="494" src="https://www.threatdown.com/wp-content/uploads/2024/04/nav-nebula_sign_in.png?w=712" class="attachment-valuexlabel size-valuexlabel" alt="" /></div> </li> <li class="mt-[3px] mb-[3px] text-base menu-item menu-item-type-custom menu-item-object-custom "> <div><p>Login to your cloud console.</p> <p class="!mt-3"><a class="hover:underline font-semibold " href="https://cloud.threatdown.com/auth/login">Sign in ></a></p> </div> </li> </ul> </div> </div> </div></div> </div> </div> <div class="flex text-lg group h-full items-center lg:text-base md:text-lg md:h-auto md:p-4 md:border-b md:border-gray-300"> <div> </div> </div> <div class="md:p-4"> <a id="cta-navbar-getaquote-main-en" href="/custom-quote/" class="nav-btn bg-trinary text-primary hover-fade">Get a quote</a> </div> </div> </nav> </div> </div> </header> <div id="wrapper" class="min-h-[660px] pt-24 md:pt-16"> <div id="primary" class="min-h-[660px] overflow-x-clip"> <div id="main" class="container"> <div id="blog-header" class="my-6 grid grid-cols-3 gap-y-4 gap-x-8 sm:grid-cols-1 sm:gap-x-4"> <div class="breadcrumbs col-span-2"> <a class="no-underline hover:underline" href="/">Home</a> <span>></span> <a class="no-underline hover:underline" href="/blog/">Blog</a> </div> <div class="self-center"><!-- SEARCH --></div> </div> <div class="grid grid-cols-2-2/3 gap-8 sm:grid-cols-1 sm:gap-4"> <div> <main id="post-70182" class="prose prose-td mb-8 post-70182 post type-post status-publish format-standard has-post-thumbnail hentry category-threat-intelligence tag-threat-intelligence"> <div class="max-w-none prose prose-td"> <figure class="wp-block-post-featured-image"><img loading="lazy" decoding="async" width="736" height="414" src="https://www.threatdown.com/wp-content/uploads/2021/08/asset_upload_file84705_228403.jpeg?w=736" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="New variant of Konni malware used in campaign targetting Russia" style="object-fit:cover;" srcset="https://www.threatdown.com/wp-content/uploads/2021/08/asset_upload_file84705_228403.jpeg 736w, https://www.threatdown.com/wp-content/uploads/2021/08/asset_upload_file84705_228403.jpeg?resize=300,169 300w" sizes="auto, (max-width: 736px) 100vw, 736px" /></figure> <div class="taxonomy-category wp-block-post-terms"><a href="https://www.threatdown.com/blog/category/threat-intelligence/" rel="tag">Threat Intelligence</a></div> <h2 class="wp-block-post-title">New variant of Konni malware used in campaign targetting Russia</h2> <div class="wp-block-post-excerpt"><p class="wp-block-post-excerpt__excerpt"> </p></div> <div class="wp-block-group is-layout-flex wp-block-group-is-layout-flex"><div class="wp-block-post-date"><time datetime="2021-08-20T00:00:00+00:00">August 20, 2021</time></div> <div class="wp-block-post-author-name"><a href="https://www.threatdown.com/blog/author/mstockleymalwarebytes-com/" target="_self" class="wp-block-post-author-name__link">Mark Stockley</a></div></div> <div class="wp-block-advgb-container advgb-blocks-container"> <p><em>This blog post was authored by Hossein Jazi</em></p> <p> <p>In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni was first observed in the wild in 2014 and has been potentially linked to the North Korean APT group named APT37.</p> <p> <p>We discovered two documents written in Russian language and weaponized with the same malicious macro. One of the lures is about the trade and economic issues between Russia and the Korean Peninsula. The other one is about a meeting of the intergovernmental Russian-Mongolian commission.</p> <p> <p>In this blog post we provide on overview of this campaign that uses t<span style="font-size: revert;color: initial">wo different UAC bypass techniques </span>and clever obfuscation tricks to remain under the radar.</p> <p> <h2 class="wp-block-heading">Attack overview</h2> <p> </p> <p>The following diagram shows the overall flow used by this actor to compromise victims. The malicious activity starts from a document that executes a macro followed by a chain of activities that finally deploys the Konni Rat.</p> <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/k-1.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51201" height="554" src="http://www.threatdown.com/wp-content/uploads/2024/06/k-1.jpg" width="1648" /></a></figure> <p></p> <h2 class="wp-block-heading">Document analysis</h2> <p> </p> <p>We found two lures used by Konni APT. The first document “Economic relations.doc” contains a 12 page article that seems to have been published in 2010 with the title: “<em>The regional economic contacts of Far East Russia with Korean States (2010s)</em>“. The second document is the outline of a meeting happening in Russia in 2021: “<em>23th meeting of the intergovernmental Russian-Mongolian commission on Trade, Economic, scientific and technical operation</em>“.</p> <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/lures.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51202" height="930" src="http://www.threatdown.com/wp-content/uploads/2024/06/lures.jpg" width="1666" /></a></figure> <p></p> <p><br />These malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It just uses a Shell function to execute a one-liner cmd command. This one liner command gets the current active document as input and looks for the <code>"^var"</code> string using </p><pre class="wp-block-code"><code>findstr</code></pre> and then writes the content of the line staring from “var” into <code>y.js</code>. At the end it calls <pre class="wp-block-code"><code>Wscript</code></pre> <code>Shell</code> function to executes the Java Script file (<pre class="wp-block-code"><code>y.js</code></pre>). <p> <p>The clever part is that the actor tried to hide its malicious JS which is the start of its main activities at the end of the document content and did not put it directly into the macro to avoid being detected by AV products as well as hiding its main intent from them.</p> <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/macro.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51203" height="768" src="http://www.threatdown.com/wp-content/uploads/2024/06/macro.jpg" width="2180" /></a></figure> <p></p> <p>The y<code>.js</code> file is being called with the active document as its argument. This javascript looks for two patterns encoded within the the active document and for each pattern at first it writes that content starting from the pattern into </p><pre class="wp-block-code"><code>temp.txt</code></pre> file and then base 64 decodes it using its built-in base64 decoder function, <code>function de(input)</code>, and finally writes the decoded content into the defined output. <p> <p><code>yy.js</code> is used to store the data of the first decoded content and </p><pre class="wp-block-code"><code>y.ps1</code></pre> is used to store the data of the second decoded content. After creating the output files, they are executed using <code>Wscript</code> and <pre class="wp-block-code"><code>Powershell</code></pre>. <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/yjs-scaled-1.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51204" height="918" src="http://www.threatdown.com/wp-content/uploads/2024/06/yjs-scaled-1.jpg" width="2560" /></a></figure> <p></p> <p>The Powershell script (<code>y.ps1</code>), uses </p><pre class="wp-block-code"><code>DllImport</code></pre> function to import <code>URLDownloadToFile</code> from <pre class="wp-block-code"><code>urlmon.dll</code></pre> and <code>WinExec</code> from <pre class="wp-block-code"><code>kernel32.dll</code></pre>. After importing the required functions it defines the following variabbles: <p> <ul class="wp-block-list"> <li>URL to download a file from it</li> <li>Directory to store the downloaded file (%APPDATA%/Temp)</li> <li>Name of the downloaded file that will be stored on disk.</li> </ul> <p>In the next step it calls <code>URLDownloadToFile</code> to download a cabinet file and stores it in the </p><pre class="wp-block-code"><code>%APPDATA%Temp</code></pre> directory with the unique random name created by <code>GetTempFileName</code>. At the end it uses <pre class="wp-block-code"><code>WinExec</code></pre> to execute a cmd command that calls <code>expand</code> to extract the content of cabinet file and delete the cabinet file. The <pre class="wp-block-code"><code>y.ps</code></pre>1 is deleted at the end using <code>Winexec</code>. <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/psfile.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51205" height="359" src="http://www.threatdown.com/wp-content/uploads/2024/06/psfile.jpg" width="1146" /></a></figure> <p></p> <p>The extracted cabinet file contains 5 files: <code>check.bat</code>, </p><pre class="wp-block-code"><code>install.bat</code></pre>, <code>xmlprov.dll</code>, <pre class="wp-block-code"><code>xmlprov.ini</code></pre> and <code>xwtpui.dll</code>. The yy.js is responsible to execute <pre class="wp-block-code"><code>check.bat</code></pre> file that extracted from the cabinet file and delete itself at the end. <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/yy.js_.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51206" height="457" src="http://www.threatdown.com/wp-content/uploads/2024/06/yy.js_.jpg" width="525" /></a></figure> <p></p> <h2 class="wp-block-heading">Check.bat</h2> <p> </p> <p>This batch file checks if the command prompt is launched as administrator using <code>net session > nul</code> and if that is the case, it executes </p><pre class="wp-block-code"><code>install.bat</code></pre>. If the user does not have the administrator privilege, it checks the OS version and if it is Windows 10 sets a variable named <code>num</code> to 4, otherwise it sets it to 1. It then executes<pre class="wp-block-code"><code> xwtpui.dll</code></pre> using <code>rundll32.exe</code> by passing three parameters to it: <pre class="wp-block-code"><code>EntryPoint</code></pre> (The export function of the DLL to be executed), <code>num</code> (the number that indicated the OS version) and <pre class="wp-block-code"><code>install.bat</code></pre>. <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/check.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51207" height="265" src="http://www.threatdown.com/wp-content/uploads/2024/06/check.jpg" width="547" /></a></figure> <p></p> <h2 class="wp-block-heading">Install.bat</h2> <p> </p> <p>the malware used by the attacker pretends to be the xmlprov Network Provisioning Service. This service manages XML configuration files on a domain basis for automatic network provisioning.<br /><code>Install.bat</code> is responsible to install </p><pre class="wp-block-code"><code>xmlprov.dll</code></pre> as a service. To achieve this goal, it performs the following actions: <p> <ul class="wp-block-list"> <li>Stop the running <pre class="wp-block-code"><code>xmlprov</code></pre> service</li> <li>Copy dropped <pre class="wp-block-code"><code>xmlprov.dll</code></pre> and <pre class="wp-block-code"><code>xmlrov.ini</code></pre> into the system32 directory and delete them from the current directory</li> <li>Check if <pre class="wp-block-code"><code>xmlProv</code></pre> service is installed or not and if it is not installed create the service through <pre class="wp-block-code"><code>svchost.exe</code></pre></li> <li>Modify the <pre class="wp-block-code"><code>xmlProv</code></pre> service values including <pre class="wp-block-code"><code>type</code></pre> and <pre class="wp-block-code"><code>binpath</code></pre></li> <li>Add <pre class="wp-block-code"><code>xmlProv</code></pre> to the list of the services to be loaded by <pre class="wp-block-code"><code>svchost</code></pre></li> <li>add <pre class="wp-block-code"><code>xmlProv</code></pre> to the <pre class="wp-block-code"><code>xmlProv</code></pre> registry key</li> <li>Start the <pre class="wp-block-code"><code>xmlProv</code></pre> service</li> </ul> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/install.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51208" height="275" src="http://www.threatdown.com/wp-content/uploads/2024/06/install.jpg" width="600" /></a></figure> <p></p> <h2 class="wp-block-heading">xwtpui.dll</h2> <p> </p> <p>As we mentioned earlier if the victim’s machine does not have the right privilege, <code>xwtpui.dll</code> is being called to load </p><pre class="wp-block-code"><code>install.bat</code></pre> file. Since <code>install.bat</code> is creating a service, it should have the high integrity level privilege and <pre class="wp-block-code"><code>"xwtpui.dll"</code></pre> is used to bypass UAC and get the right privilege and then loads <code>install.bat</code>. <p> <p><code>EntryPoint</code> is the main export function of this dll. It starts its activities by resolving API calls. All the API call names are hard coded and the actor has not used any obfuscation techniques to hide them.</p> <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/mainswt.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51209" height="689" src="http://www.threatdown.com/wp-content/uploads/2024/06/mainswt.jpg" width="644" /></a></figure> <p></p> <p>In the next step, it checks privilege level by calling the <code>Check_Priviledge_Leve</code>l function. This function performs the following actions and returns zero if the user does not have the right privilege or UAC is not disabled.</p> <p> <ul class="wp-block-list"> <li>Call <pre class="wp-block-code"><code>RtlQueryElevationFlags</code></pre> to get the elevation state by checking <pre class="wp-block-code"><code>PFlags</code></pre> value. If it sets to zero, it indicates that UAC is disabled.</li> <li>Get the access token associated to the current process using <pre class="wp-block-code"><code>NtOpenProcessToken</code></pre> and then call <pre class="wp-block-code"><code>NtQueryInformationToken</code></pre> to get the <pre class="wp-block-code"><code>TokenElevationType</code></pre> and check if it’s value is 3 or not (If the value is not 3, it means the current process is elevated). The TokenElevationType can have three values: <ul class="wp-block-list"> <li>TokenElevationDefault (1): Indicates that UAC is disabled.</li> <li>TokenElevationTypeFull (2): Indicates that the current process is running elevated.</li> <li>TokenElevationTypeLimited (3): Indicates that the process is not running elevated.</li> </ul> </li> </ul> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/CheckPrivelege.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51210" height="517" src="http://www.threatdown.com/wp-content/uploads/2024/06/CheckPrivelege.jpg" width="496" /></a></figure> <p></p> <p>After checking the privilege level, it checks the parameter passed form <code>check.bat</code> that indicates the OS version and if the OS version is Windows 10 it uses a combination of a modified version of RPC UAC bypass reported by <a href="https://googleprojectzero.blogspot.com/2019/12/">Google Project Zero</a> and Parent PID Spoofing for UAC bypass while for other Windows versions it uses “</p><pre class="wp-block-code"><code>Token Impersonation technique</code></pre>” technique to bypass UAC. <p> <h3 class="wp-block-heading">Token Impersonation UAC Bypass (Calvary UAC Bypass)</h3> <p> </p> <p>Calvary is a token impersonation/theft privilege escalation technique that impersonates the token of the Windows Update Standalone Installer process (<code>wusa.exe</code>) to spawn </p><pre class="wp-block-code"><code>cmd.exe</code></pre> with highest privilege to execute <code>install.bat</code>. This technique is part of the US CIA toolsets leak known as Vault7. <p> <p>The actor has used this method on its <a href="https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf">2019 campaign</a> as well. This UAC bypass starts by executing <code>wusa.exe</code> using </p><pre class="wp-block-code"><code>ShellExecuteExw</code></pre> and gets its access token using <code>NtOpenProcessToken</code>. Then the access token of <pre class="wp-block-code"><code>wusa.exe</code></pre> is duplicated using <code>NtDuplicatetoken</code>. The <pre class="wp-block-code"><code>DesiredAccess</code></pre> parameter of this function specifies the requested access right for the new token. In this case the actor passed <code>TOKEN_ALL_ACCESS</code> as <pre class="wp-block-code"><code>DesiredAccess</code></pre> value which indicates that the new token has the combination of all access rights of this current token. The duplicated token is then passed to <code>ImpersonateLoggedOnUser</code> and then a cmd instance is spawned using <pre class="wp-block-code"><code>CreateProcessWithLogomW</code></pre>. At the end the duplicated token is assigned to the created thread using <code>NtSetINformationThread</code> to make it elevated. <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/cavalry.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51211" height="1480" src="http://www.threatdown.com/wp-content/uploads/2024/06/cavalry.jpg" width="737" /></a></figure> <p></p> <h3 class="wp-block-heading">Windows 10 UAC Bypass</h3> <p> </p> <p>The UAC bypass used for Windows 10 uses a combination of a modified version of RPC based UAC bypass reported by <a href="https://googleprojectzero.blogspot.com/2019/12/">Google project Zero</a> and Parent PID spoofing to bypass UAC. The process is as follows:</p> <p> <ul class="wp-block-list"> <li>Step 1: Creates a string binding handle for interface id <strong>“201ef99a-7fa0-444c-9399-19ba84f12a1a”</strong> and returns its binding handle and sets the required authentication, authorization and security Quality of service information for the binding handle.</li> </ul> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/bind.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51212" height="821" src="http://www.threatdown.com/wp-content/uploads/2024/06/bind.jpg" width="833" /></a></figure> <p></p> <ul class="wp-block-list"> <li>Step 2: Initializes an RPC_ASYNC_STATE to make asynchronous calls and creates a new non-elevated process (it uses <pre class="wp-block-code"><code>winver.exe</code></pre> as non-elevated process) through <em><pre class="wp-block-code"><code>NdrAsyncClientCall</code></pre></em>.</li> </ul> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/asyncCall.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51213" height="806" src="http://www.threatdown.com/wp-content/uploads/2024/06/asyncCall.jpg" width="805" /></a></figure> <p></p> <ul class="wp-block-list"> <li>Step 3: Uses <em><pre class="wp-block-code"><code>NtQueryInformationProcess</code></pre></em> to Open a handle to the debug object by passing the handle of the created process to it. Then detaches the debugger from the process using <pre class="wp-block-code"><code>NtRemoveProcessDebug</code></pre> and terminates this created process using <pre class="wp-block-code"><code>TerminateProcess</code></pre>.</li> </ul> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/detach.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51214" height="228" src="http://www.threatdown.com/wp-content/uploads/2024/06/detach.jpg" width="766" /></a></figure> <p></p> <ul class="wp-block-list"> <li>Step 4: Repeats the step 1 and step 2 to create a new elevate process: <pre class="wp-block-code"><code>Taskmgr.exe</code></pre>.</li> <li>Step 5: Get full access to the <pre class="wp-block-code"><code>taskmgr.exe</code></pre> process handle by retrieving its initial debug event. At first It issues a wait on the debug object using <pre class="wp-block-code"><code>WaitForDebugEvent</code></pre> to get the initial process creation debug event and then uses <pre class="wp-block-code"><code>NtDuplicateObject</code></pre> to get the full access process handle.</li> </ul> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/taskmgr.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51215" height="725" src="http://www.threatdown.com/wp-content/uploads/2024/06/taskmgr.jpg" width="894" /></a></figure> <p></p> <ul class="wp-block-list"> <li>Step 6: After obtaining the fully privileged handle of <pre class="wp-block-code"><code>Taskmgr.exe</code></pre>, the actor uses this handle to execute cmd as high privilege process to execute <pre class="wp-block-code"><code>install.bat</code></pre>. To achieve this, the actor has used Parent PID Spoofing technique to spawn a new cmd process using <pre class="wp-block-code"><code>CreateProcessW</code></pre> and handle of <pre class="wp-block-code"><code>Taskmgr.exe</code></pre> which is an auto elevated process is assigned as its parent process using <pre class="wp-block-code"><code>UpdateProcThreadAttribute</code></pre>.</li> </ul> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/pidspoof.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51216" height="836" src="http://www.threatdown.com/wp-content/uploads/2024/06/pidspoof.jpg" width="762" /></a></figure> <p></p> <h2 class="wp-block-heading">Xmlprov.dll (Konni Rat)</h2> <p> </p> <p>This is the final payload that has been deployed as a service using <code>svchost.exe</code>. This Rat is heavily obfuscated and is using multiple anti-analysis techniques. It has a custom section named “</p><pre class="wp-block-code"><code>qwdfr0</code></pre>” which performs all the de-obfuscation process. This payload register itself as a service using its export function <code>ServiceMain</code>. <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/servicemain.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51217" height="750" src="http://www.threatdown.com/wp-content/uploads/2024/06/servicemain.jpg" width="1176" /></a></figure> <p></p> <p>Even though this sample is heavily obfuscated its functionality has not changed much and it is similar to its previous <a href="https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf">version</a>. It seems the actor just used a heavy obfuscation process to hinder all the security mechanisms. VirusTotal detection of this sample at the time of analysis was 3 which indicates that the actor was successful in using obfuscation and bypass most of the AV products.</p> <p> <p>This RAT has an encrypted configuration file “xmlprov.ini” which will be loaded and decrypted at the start of the analysis. The functionality of this RAT starts by collecting information from the victim’s machine by executing the following commands:</p> <p> <ul class="wp-block-list"> <li><pre class="wp-block-code"><code>cmd /c systeminfo:</code></pre> Uses this command to collect the detailed configuration information about the victim’s machine including operation system configurations, security information and hardware data (RAM size, disk space and network cards info) and store the collected data in a tmp file.</li> <li><pre class="wp-block-code"><code>cmd /c tasklist</code></pre>: Executes this command to collect a list of running processes on victim’s machine and store them in a tmp file.</li> </ul> <p>In the next step each of the the collected tmp files is being converted into a cab file using <code>cmd /c makecab</code> and then encrypted and sent to the attacker server in an HTTP POST request (</p><pre class="wp-block-code"><code>http://taketodjnfnei898.c1.biz/up.php?name=%UserName%</code></pre>). <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/upload.jpg"><img loading="lazy" decoding="async" alt="" class="wp-image-51218" height="289" src="http://www.threatdown.com/wp-content/uploads/2024/06/upload.jpg" width="600" /></a></figure> <p></p> <p>After sending data to server it goes to a loop to receive commands from the server (<code></code>). At the time of the analysis the server was down and unfortunately we do not have enough information about the next step of this attack. The detail analysis of this payload will be published in a follow up blog post.</p> <p> <h2 class="wp-block-heading">Campaign Analysis</h2> <p> </p> <p>Konni is a Rat that potentially is used by APT37 to target its victims. The main victims of this Rat are mostly political organizations in Russia and South Korea but it is not limited to these countries and it has been observed that it has targeted Japan, Vietnam, Nepal and Mongolia.</p> <p> <p>There were several operations that used this Rat but specifically the campaigns reported by <a href="https://blog.alyac.co.kr/2474">ESTsecurity</a> and <a href="https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf">CyberInt</a> in 2019 and 2020 are similar to what we reported here. In those campaigns the actor used lures in Russian language to target Russia. There are several differences between past campaigns of this actor and what we documented here but still the main process is the same: in all the campaigns the actor uses macro weaponized documents to download a cab file and deploy the Konni RAT as a service.</p> <p> <p>Here are the some major differences between this new campaign and older ones:</p> <p> <ul class="wp-block-list"> <li>The macros are different. In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content.</li> <li>In the new campaign JavaScript files have been used to execute batch and PowerShell files.</li> <li>The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used <pre class="wp-block-code"><code>certutil</code></pre> to download the cab file.</li> <li>The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique.</li> <li>In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore. It also does not use FTP for exfiltration.</li> </ul> <p>Malwarebytes customers are protected against this campaign.</p> <p> <p> <figure class="wp-block-image aligncenter size-full is-resized"><a href="http://www.threatdown.com/wp-content/uploads/2024/06/block_.gif"><img loading="lazy" decoding="async" alt="" class="wp-image-51263" height="484" src="http://www.threatdown.com/wp-content/uploads/2024/06/block_.gif" width="787" /></a></figure> <p></p> <h2 class="wp-block-heading">IOCs</h2> <p> </p><p></p> <figure class="wp-block-table is-style-stripes"> <figure class="wp-block-table is-style-stripes"><table> <tbody> <tr> <td>name</td> <td>Sha256</td> </tr> <tr> <td>N/A</td> <td>fccad2fea7371ad24a1256b78165bceffc5d01a850f6e2ff576a2d8801ef94fa</td> </tr> <tr> <td>economics relations.doc</td> <td>d283a0d5cfed4d212cd76497920cf820472c5f138fd061f25e3cddf65190283f</td> </tr> <tr> <td>y.js</td> <td>7f82540a6b3fc81d581450dbdf7dec7ad45d2984d3799084b29150ba91c004fd</td> </tr> <tr> <td>yy.js</td> <td>7a8f0690cb0eb7cbe72ddc9715b1527f33cec7497dcd2a1010def69e75c46586</td> </tr> <tr> <td>y.ps1</td> <td>617f733c05b42048c0399ceea50d6e342a4935344bad85bba2f8215937bc0b83</td> </tr> <tr> <td> tmpBD2B.tmp</td> <td>10109e69d1fb2fe8f801c3588f829e020f1f29c4638fad5394c1033bc298fd3f</td> </tr> <tr> <td>check.bat</td> <td>a7d5f7a14e36920413e743932f26e624573bbb0f431c594fb71d87a252c8d90d</td> </tr> <tr> <td>install.bat</td> <td>4876a41ca8919c4ff58ffb4b4df54202d82804fd85d0010669c7cb4f369c12c3</td> </tr> <tr> <td>xwtpui.dll</td> <td>062aa6a968090cf6fd98e1ac8612dd4985bf9b29e13d60eba8f24e5a706f8311</td> </tr> <tr> <td>xmlprov.dll</td> <td>f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12</td> </tr> <tr> <td>xmlprov.dll</td> <td>80641207b659931d5e3cad7ad5e3e653a27162c66b35b9ae9019d5e19e092362</td> </tr> <tr> <td>xmlprov.ini</td> <td>491ed46847e30b9765a7ec5ff08d9acb8601698019002be0b38becce477e12f6</td> </tr> </tbody> </table></figure></figure> <p></p> <p><br /><strong>Domains:<br /></strong>takemetoyouheart[.]c1[.]biz<br />taketodjnfnei898[.]ueuo[.]com<br />taketodjnfnei898[.]c1[.]biz<br />romanovawillkillyou[.]c1[.]biz</p> <p> </p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p> </div> <div class="taxonomy-post_tag wp-block-post-terms"><a href="https://www.threatdown.com/blog/tag/threat-intelligence/" rel="tag">threat intelligence</a></div> </div> </main><!-- #post-70182 --> </div> <div> <div class="category-list"> <h2 class="mb-6 font-bold td-text-md">Categories</h2> <div> <div class="w-full h-1 rounded bg-gradient-to-r from-sky-300 to-blue-600"></div> <a class="td-text-normal py-4 block relative " href="https://www.threatdown.com/blog/category/breaches/">Breaches</a> <div class="w-full h-1 rounded bg-gradient-to-r from-sky-300 to-blue-600"></div> <a class="td-text-normal py-4 block relative " href="https://www.threatdown.com/blog/category/product-news/">Product News</a> <div class="w-full h-1 rounded bg-gradient-to-r from-sky-300 to-blue-600"></div> <a class="td-text-normal py-4 block relative " href="https://www.threatdown.com/blog/category/ransomware/">Ransomware</a> <div class="w-full h-1 rounded bg-gradient-to-r from-sky-300 to-blue-600"></div> <a class="td-text-normal py-4 block relative " href="https://www.threatdown.com/blog/category/threat-intelligence/">Threat Intelligence</a> <div class="w-full h-1 rounded bg-gradient-to-r from-sky-300 to-blue-600"></div> <a class="td-text-normal py-4 block relative " href="https://www.threatdown.com/blog/category/vulnerabilities/">Vulnerabilities</a> <div class="w-full h-1 rounded bg-gradient-to-r from-sky-300 to-blue-600"></div> </div> </div> <div class="h-12"> </div> <div class="flex flex-row items-center justify-start my-8"> <div class="soc-icon si-large bg-primary-600"> <a id="cta-blog-sidebar-social-linkedin-en" class="social socicon-linkedin" href="https://www.linkedin.com/company/threatdown.com/about/" aria-label="Visit ThreatDown on LinkedIn" target="_blank"> <svg class="h-7 w-7 fill-white" alt="LinkedIn"> <use href="https://www.threatdown.com/wp-content/themes/mbc/images/masterpage-svg.svg#svg-linkedin"></use> </svg> </a> </div> <div class="ml-3 soc-icon si-large bg-primary-600"> <a id="cta-blog-sidebar-social-x-en" class="social socicon-x" href="https://twitter.com/threat_down" aria-label="Visit ThreatDown on X" target="_blank"> <img class="h-7 w-7 fill-white" src="https://www.threatdown.com/wp-content/themes/mbc/images/x-logo.svg" alt="X (formerly Twitter)"/> </a> </div> <!-- No Youtube until ThreatDown is established --> <!-- <div class="ml-3 soc-icon si-large bg-primary-600"> <a id="cta-blog-sidebar-social-youtube-en" class="social socicon-youtube" href="https://www.youtube.com/malwarebytes" aria-label="Visit Malwarebytes on YouTube" target="_blank"> <img class="w-10 h-10 fill-white" src="https://www.threatdown.com/wp-content/themes/mbc/images/youtube-logo.svg" alt="YouTube"/> </a> </div> --> </div> </div> </div> </div> <section class="bg-blue-50 py-10"> <div class="container"> <h2 class="td-text-md td-my-md font-bold">Related articles</h2> <div class="grid grid-cols-3 gap-8 sm:grid-cols-1 sm:gap-4"> <div class="@container w-full @md:first:pt-0 @md:py-8"> <article id="post-136127" class="@md:rounded-none post-136127 post type-post status-publish format-standard has-post-thumbnail hentry category-threat-intelligence tag-ransomware tag-state-of-malware tag-atomic-stealer tag-ai-agents"> <div class="grid bg-white overflow-clip rounded-2xl border border-gray-300 @md:grid-cols-2 @md:gap-8 @md:rounded-none @md:border-0"> <figure> <a href="https://www.threatdown.com/blog/threatdown-state-of-malware-report-2025/" aria-hidden="true" tabindex="-1"> <img width="1024" height="575" src="https://www.threatdown.com/wp-content/uploads/2025/02/SOM2025-blog-image.png?w=1024" class="object-cover h-[195px] @md:border @md:border-gray-300 @md:rounded-md wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://www.threatdown.com/wp-content/uploads/2025/02/SOM2025-blog-image.png 1200w, https://www.threatdown.com/wp-content/uploads/2025/02/SOM2025-blog-image.png?resize=300,169 300w, https://www.threatdown.com/wp-content/uploads/2025/02/SOM2025-blog-image.png?resize=768,431 768w, https://www.threatdown.com/wp-content/uploads/2025/02/SOM2025-blog-image.png?resize=1024,575 1024w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /> </a> </figure> <div class="article-box-content p-4 border-t border-gray-300 @md:border-0 @md:p-0 h-48 relative"> <h3 class="mb-2"> <a class="td-container-text-sm font-bold uppercase !text-primary-300/80" href="https://www.threatdown.com/blog/category/threat-intelligence/"> Threat Intelligence </a> </h3> <header class="entry-header line-clamp-3"> <h2 class="mb-2 font-bold td-text-normal"><a href="https://www.threatdown.com/blog/threatdown-state-of-malware-report-2025/" rel="bookmark">ThreatDown State of Malware report 2025</a></h2> </header><!-- .entry-header --> <div class="read-time td-color-scheme-gray pb-2 absolute bottom-2 @md:static"> <span class="dashicons dashicons-clock"></span> <span class="read-time gray-500">2 minutes</span> </div> <!-- <div class="py-4 space-x-2 text-xs entry-meta"> <span class="author vcard"><a class="url fn n" href="https://www.threatdown.com/blog/author/parntzmalwarebytes-com/">Pieter Arntz</a></span><a href="https://www.threatdown.com/blog/threatdown-state-of-malware-report-2025/" rel="bookmark"><time datetime="2025-02-04T16:00:00+00:00">February 4, 2025</time></a><span class="sr-only">Posted in</span><a href="https://www.threatdown.com/blog/category/threat-intelligence/" rel="category tag">Threat Intelligence</a><span class="sr-only">Tags:</span><a href="https://www.threatdown.com/blog/tag/ransomware/" rel="tag">ransomware</a>, <a href="https://www.threatdown.com/blog/tag/state-of-malware/" rel="tag">State of Malware</a>, <a href="https://www.threatdown.com/blog/tag/atomic-stealer/" rel="tag">Atomic Stealer</a>, <a href="https://www.threatdown.com/blog/tag/ai-agents/" rel="tag">AI Agents</a> </div>--><!-- .entry-meta --> </div> </div> </article><!-- #post-${ID} --> </div> <div class="@container w-full @md:first:pt-0 @md:py-8"> <article id="post-115196" class="@md:rounded-none post-115196 post type-post status-publish format-standard has-post-thumbnail hentry category-threats category-threat-intelligence category-threat-walkthroughs tag-clipboard tag-run-command tag-lumma-stealer"> <div class="grid bg-white overflow-clip rounded-2xl border border-gray-300 @md:grid-cols-2 @md:gap-8 @md:rounded-none @md:border-0"> <figure> <a href="https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/" aria-hidden="true" tabindex="-1"> <img width="1024" height="572" src="https://www.threatdown.com/wp-content/uploads/2024/12/clipboard_icon_blog-image-gradient-3.png?w=1024" class="object-cover h-[195px] @md:border @md:border-gray-300 @md:rounded-md wp-post-image" alt="Clipboard icon" decoding="async" loading="lazy" srcset="https://www.threatdown.com/wp-content/uploads/2024/12/clipboard_icon_blog-image-gradient-3.png 1024w, https://www.threatdown.com/wp-content/uploads/2024/12/clipboard_icon_blog-image-gradient-3.png?resize=300,168 300w, https://www.threatdown.com/wp-content/uploads/2024/12/clipboard_icon_blog-image-gradient-3.png?resize=768,429 768w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /> </a> </figure> <div class="article-box-content p-4 border-t border-gray-300 @md:border-0 @md:p-0 h-48 relative"> <h3 class="mb-2"> <a class="td-container-text-sm font-bold uppercase !text-primary-300/80" href="https://www.threatdown.com/blog/category/threat-intelligence/"> Threat Intelligence </a> </h3> <header class="entry-header line-clamp-3"> <h2 class="mb-2 font-bold td-text-normal"><a href="https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/" rel="bookmark">Clipboard hijacker tries to install a Trojan</a></h2> </header><!-- .entry-header --> <div class="read-time td-color-scheme-gray pb-2 absolute bottom-2 @md:static"> <span class="dashicons dashicons-clock"></span> <span class="read-time gray-500">2 minutes</span> </div> <!-- <div class="py-4 space-x-2 text-xs entry-meta"> <span class="author vcard"><a class="url fn n" href="https://www.threatdown.com/blog/author/parntzmalwarebytes-com/">Pieter Arntz</a></span><a href="https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/" rel="bookmark"><time datetime="2025-01-01T15:52:57+00:00">January 1, 2025</time></a><span class="sr-only">Posted in</span><a href="https://www.threatdown.com/blog/category/threats/" rel="category tag">Threats</a>, <a href="https://www.threatdown.com/blog/category/threat-intelligence/" rel="category tag">Threat Intelligence</a>, <a href="https://www.threatdown.com/blog/category/threat-walkthroughs/" rel="category tag">Threat Walkthroughs</a><span class="sr-only">Tags:</span><a href="https://www.threatdown.com/blog/tag/clipboard/" rel="tag">clipboard</a>, <a href="https://www.threatdown.com/blog/tag/run-command/" rel="tag">run command</a>, <a href="https://www.threatdown.com/blog/tag/lumma-stealer/" rel="tag">lumma stealer</a> </div>--><!-- .entry-meta --> </div> </div> </article><!-- #post-${ID} --> </div> <div class="@container w-full @md:first:pt-0 @md:py-8"> <article id="post-115094" class="@md:rounded-none post-115094 post type-post status-publish format-standard has-post-thumbnail hentry category-threats category-threat-intelligence tag-botnet tag-cryptojacking tag-cryptomining tag-sysrv"> <div class="grid bg-white overflow-clip rounded-2xl border border-gray-300 @md:grid-cols-2 @md:gap-8 @md:rounded-none @md:border-0"> <figure> <a href="https://www.threatdown.com/blog/sysrv-cryptomining-botnet-is-still-alive-and-kicking-out-the-competition/" aria-hidden="true" tabindex="-1"> <img width="1024" height="572" src="https://www.threatdown.com/wp-content/uploads/2024/10/powershell_logo_blog-image-gradient-1.png?w=1024" class="object-cover h-[195px] @md:border @md:border-gray-300 @md:rounded-md wp-post-image" alt="Powershell" decoding="async" loading="lazy" srcset="https://www.threatdown.com/wp-content/uploads/2024/10/powershell_logo_blog-image-gradient-1.png 1024w, https://www.threatdown.com/wp-content/uploads/2024/10/powershell_logo_blog-image-gradient-1.png?resize=300,168 300w, https://www.threatdown.com/wp-content/uploads/2024/10/powershell_logo_blog-image-gradient-1.png?resize=768,429 768w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /> </a> </figure> <div class="article-box-content p-4 border-t border-gray-300 @md:border-0 @md:p-0 h-48 relative"> <h3 class="mb-2"> <a class="td-container-text-sm font-bold uppercase !text-primary-300/80" href="https://www.threatdown.com/blog/category/threat-intelligence/"> Threat Intelligence </a> </h3> <header class="entry-header line-clamp-3"> <h2 class="mb-2 font-bold td-text-normal"><a href="https://www.threatdown.com/blog/sysrv-cryptomining-botnet-is-still-alive-and-kicking-out-the-competition/" rel="bookmark">Sysrv cryptomining botnet is still alive (and kicking out the competition)</a></h2> </header><!-- .entry-header --> <div class="read-time td-color-scheme-gray pb-2 absolute bottom-2 @md:static"> <span class="dashicons dashicons-clock"></span> <span class="read-time gray-500">4 minutes</span> </div> <!-- <div class="py-4 space-x-2 text-xs entry-meta"> <span class="author vcard"><a class="url fn n" href="https://www.threatdown.com/blog/author/parntzmalwarebytes-com/">Pieter Arntz</a></span><a href="https://www.threatdown.com/blog/sysrv-cryptomining-botnet-is-still-alive-and-kicking-out-the-competition/" rel="bookmark"><time datetime="2024-12-23T21:30:24+00:00">December 23, 2024</time></a><span class="sr-only">Posted in</span><a href="https://www.threatdown.com/blog/category/threats/" rel="category tag">Threats</a>, <a href="https://www.threatdown.com/blog/category/threat-intelligence/" rel="category tag">Threat Intelligence</a><span class="sr-only">Tags:</span><a href="https://www.threatdown.com/blog/tag/botnet/" rel="tag">botnet</a>, <a href="https://www.threatdown.com/blog/tag/cryptojacking/" rel="tag">Cryptojacking</a>, <a href="https://www.threatdown.com/blog/tag/cryptomining/" rel="tag">cryptomining</a>, <a href="https://www.threatdown.com/blog/tag/sysrv/" rel="tag">sysrv</a> </div>--><!-- .entry-meta --> </div> </div> </article><!-- #post-${ID} --> </div> </div> </div> </section> </div> </div><!-- #content --> <footer class="pt-8 text-xs leading-normal bg-white"> <div> <div class="m-auto max-w-[1200px] px-8"> <div class="mb-4"> <div id="tdlogo" class="pb-1.5 pr-2.5 sm:my-2"> <a href="https://www.threatdown.com/"> <img src="https://www.threatdown.com/wp-content/themes/mbc/images/threatdown-logo.svg" class="h-16 w-[210px] sm:h-full sm:w-full" alt="ThreatDown Powered by Malwarebytes"> </a> </div> </div> <div class="flex flex-row md:overflow-x-hidden sm:flex-col"> <div class="order-5 w-1/4 pl-12 pr-0 md:w-2/5 md:pl-0 sm:order-first sm:mb-4 sm:w-full"> <div class="flex flex-row items-center justify-start mb-6"> <div class="soc-icon bg-primary-600"> <a id="cta-footer-social-linkedin-en" class="social socicon-linkedin" href="https://www.linkedin.com/company/threatdown.com/about/" aria-label="Visit Malwarebytes on LinkedIn" target="_blank"> <svg class="w-5 h-5 fill-white" alt="LinkedIn"> <use href="https://www.threatdown.com/wp-content/themes/mbc/images/masterpage-svg.svg#svg-linkedin"></use> </svg> </a> </div> <div class="ml-3 soc-icon bg-primary-600"> <a id="cta-footer-social-x-en" class="social socicon-x" href="https://twitter.com/threat_down" aria-label="Visit Malwarebytes on X" target="_blank"> <img class="w-5 h-5 fill-white" src="https://www.threatdown.com/wp-content/themes/mbc/images/x-logo.svg" alt="X (formerly Twitter)"/> </a> </div> </div> <div class=""> <div> <p class="my-3 text-lg font-bold text-primary">ThreatDown Newsletter</p> <p>Get cybersecurity news and tips from our security experts in your mailbox.</p> </div> <div class="mt-8 mb-20"> <div id="newsletter-form"> <form id="mktoForm_6056" data-config='{"id":6056}'></form> <script src="https://go.malwarebytes.com/js/forms2/js/forms2.min.js"></script> </div> <!-- <form action="https://www.malwarebytes.com/newsletter/" __bizdiag="-1501917513" __biza="WJ__"> <div class="flex my-2 border-2 rounded-3xl border-trinary"> <label class="w-full text-base font-normal" for="cta-footer-newsletter-input-email-en" aria-label="cta-footer-newsletter-input-email-en" aria-labelledby="cta-footer-newsletter-input-email-en"> <input type="text" class="w-full p-2 bg-white rounded-l-3xl border-trinary" id="cta-footer-newsletter-input-email-en" name="email" placeholder="Email Address"> </label> <input name="source" type="hidden" value=""> <input type="submit" class="rounded-r-3xl bg-trinary px-4 font-bold tracking-[0.6px] text-primary" id="cta-footer-newsletter-subscribe-email-en" value="Sign Up"> </div> </form> --> </div> </div> </div> <div class="gradient-divider mb-8 flex h-40 w-[64%] flex-col flex-wrap"> <div class='w-1/2 my-3 px-5 block text-primary text-xl sm:w-full sm:text-lg sm:max-h-2 menu-item menu-item-type-custom menu-item-object-custom hover:underline'> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/products/">Products</a></div> <div class='w-1/2 my-3 px-5 block text-primary text-xl sm:w-full sm:text-lg sm:max-h-2 menu-item menu-item-type-custom menu-item-object-custom hover:underline'> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="https://www.threatdown.com/resources/">Resources</a></div> <div class='w-1/2 my-3 px-5 block text-primary text-xl sm:w-full sm:text-lg sm:max-h-2 menu-item menu-item-type-custom menu-item-object-custom hover:underline'> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="https://support.threatdown.com">Support</a></div> <div class='w-1/2 my-3 px-5 block text-primary text-xl sm:w-full sm:text-lg sm:max-h-2 menu-item menu-item-type-custom menu-item-object-custom hover:underline'> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/partner-program/">Partners</a></div> <div class='w-1/2 my-3 px-5 block text-primary text-xl sm:w-full sm:text-lg sm:max-h-2 menu-item menu-item-type-custom menu-item-object-custom hover:underline'> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/about-us/">About Us</a></div> <div class='w-1/2 my-3 px-5 block text-primary text-xl sm:w-full sm:text-lg sm:max-h-2 menu-item menu-item-type-custom menu-item-object-custom hover:underline'> <a class=" menu-item menu-item-type-custom menu-item-object-custom" href="/contact-us/">Contact Us</a></div> </div> </div> </div> <div class="w-full pt-4 pb-6 bg-primary"> <div class="m-auto max-w-[1200px] px-8"> <div class="flex flex-row items-center"> <div class="font-bold uppercase"> <div class="flex flex-row items-center"> </div> </div> <div class="flex flex-row items-center justify-between flex-1 text-base text-white sm:w-full sm:flex-col"> <div class="flex flex-row items-center gap-8 sm:w-full sm:*:w-full sm:flex-col sm:gap-2 sm:text-left *:list-none"><li id="menu-item-113376" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-113376"><a href="/legal/"><span class="hover:underline text-white">Legal</span></a></li> <li id="menu-item-113377" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-113377"><a href="/legal/privacy-policy/"><span class="hover:underline text-white">Privacy</span></a></li> <li id="menu-item-113378" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-113378"><a href="/legal/accessibility/"><span class="hover:underline text-white">Accessibility</span></a></li> <li id="menu-item-113379" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-113379"><a href="/legal/trust-and-compliance/"><span class="hover:underline text-white">Compliance Certifications</span></a></li> <li id="menu-item-114248" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-114248"><a href="/legal/secure/"><span class="hover:underline text-white">Vulnerability Disclosure</span></a></li> <li id="menu-item-113380" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-113380"><a href="/legal/terms-of-service/"><span class="hover:underline text-white">Terms of Service</span></a></li> </div> <p class="ml-12 !text-white sm:ml-0 sm:mt-2 sm:w-full">© 2024 All Rights Reserved</p> </div> </div> </div> </div> </div> </footer> <svg class="h-0 svg-gradient-sheet"> <symbol id="svg-new" viewBox="0 0 34 18"> <title>New</title> <linearGradient id="svg-new-gradient" x1="0%" x2="100%" y1="35.986%" y2="64.014%"> <stop offset="0%" stop-color="#FF003A" stop-opacity=".801"></stop> <stop offset="49.35%" stop-color="#EF4A50"></stop> <stop offset="100%" stop-color="#FF4B2B" stop-opacity=".789"></stop> </linearGradient> <g fill="none" fill-rule="evenodd" transform="translate(-724 -321) translate(165 100) translate(381 179) translate(178 42)"> <rect width="34" height="18" fill="url(#svg-new-gradient)" rx="4"></rect> <path fill="#FFF" fill-rule="nonzero" d="M6.84 12V6.91L9.82 12h1.62V4.85H10v4.71L7.28 4.85H5.4V12h1.44zm11.46 0v-1.26h-3.21V8.96h2.44V7.78h-2.44V6.11h3.05V4.85h-4.66V12h4.82zm4.37 0l1.31-4.94L25.27 12h1.65l1.74-7.15h-1.5L26 9.82l-1.27-4.97h-1.38l-1.22 4.94-1.12-4.94h-1.64L21.11 12h1.56z"></path> </g> </symbol> <symbol id="svg-buy-online" viewBox="0 0 74 18"> <title>Buy Online</title> <linearGradient id="svg-buy-online-gradient" x1="0%" x2="100%" y1="47.041636%" y2="52.958364%"> <stop offset="0" stop-color="#ff003a" stop-opacity=".801382"></stop> <stop offset=".493496001" stop-color="#ef4a50"></stop> <stop offset="1" stop-color="#ff4b2b" stop-opacity=".789172"></stop> </linearGradient> <g fill="none" fill-rule="evenodd"> <rect fill="url(#svg-buy-online-gradient)" height="18" rx="4" width="74"></rect> <path d="m7.81 12c1.65 0 2.51-.69 2.51-2v-.04c0-.96-.5-1.49-1.43-1.68.8-.23 1.16-.78 1.16-1.53v-.04c0-1.22-.81-1.86-2.37-1.86h-2.81v7.15zm-.39-4.21h-.97v-1.83h.96c.76 0 1.1.27 1.1.87v.04c0 .64-.31.92-1.09.92zm.14 3.09h-1.11v-2.05h1.03c.88 0 1.24.34 1.24 1v.04c0 .65-.36 1.01-1.16 1.01zm7.29 1.23c1.93 0 3.02-1.01 3.02-2.96v-4.3h-1.63v4.2c0 1.31-.42 1.77-1.38 1.77-.98 0-1.33-.52-1.33-1.71v-4.26h-1.63v4.36c0 1.9 1.07 2.9 2.95 2.9zm8.35-.11v-3.08l2.23-4.07h-1.57l-1.42 2.74-1.45-2.74h-1.78l2.36 4.07v3.08zm9.65.11c2.23 0 3.69-1.55 3.69-3.68v-.08c0-2.15-1.53-3.6-3.68-3.6-2.12 0-3.68 1.51-3.68 3.64v.08c0 2.09 1.43 3.64 3.67 3.64zm.03-1.29c-1.17 0-2.01-.9-2.01-2.36v-.08c0-1.44.75-2.35 1.99-2.35 1.25 0 1.99.95 1.99 2.34v.08c0 1.44-.76 2.37-1.97 2.37zm6.77 1.18v-5.09l2.98 5.09h1.62v-7.15h-1.44v4.71l-2.72-4.71h-1.88v7.15zm11.17 0v-1.27h-2.91v-5.88h-1.62v7.15zm3.24 0v-7.15h-1.63v7.15zm3.52 0v-5.09l2.98 5.09h1.62v-7.15h-1.44v4.71l-2.72-4.71h-1.88v7.15zm11.46 0v-1.26h-3.21v-1.78h2.44v-1.18h-2.44v-1.67h3.05v-1.26h-4.66v7.15z" fill="#fff" fill-rule="nonzero"></path> </g> </symbol> <symbol id="svg-partner-icon" viewBox="0 0 38 39"> <title>Partner Icon</title> <linearGradient id="svg-partner-icon-gradient" x1="50%" x2="50%" y1="-4.64%" y2="100%"> <stop offset="0%" stop-color="#F66B70"></stop> <stop offset="100%" stop-color="#AC2025"></stop> </linearGradient> <g fill="none" fill-rule="evenodd"> <circle cx="19" cy="19.5" r="19" fill="url(#svg-partner-icon-gradient)"></circle> <g fill-rule="nonzero"> <path fill="#FFF" d="M3.515 15.908l1.748 1.217 2.086 2.302c.55 1.17 1.727 1.916 3.02 1.916.2 0 .398-.018.594-.053l4.397-.786c.983-.177 1.767-.92 1.998-1.891l.038.002c1.293-.003 2.47-.748 3.025-1.916l2.082-2.309 1.747-1.215c.34-.238.572-.601.644-1.01.072-.409-.023-.83-.262-1.169-.253-.361-.64-.608-1.074-.687-.434-.076-.882.023-1.243.277l-.786.548.065-.371 1.093-6.162c.119-.677-.333-1.324-1.01-1.445l-.724-.128c-.146-.026-.295-.025-.44.003l.056-.315c.119-.678-.333-1.324-1.01-1.446l-.728-.129c-.679-.12-1.326.332-1.446 1.01l-.056.317c-.127-.076-.266-.129-.411-.156l-.729-.131c-.678-.119-1.324.333-1.446 1.01l-.014.077c-.107-.061-.224-.104-.346-.126l-.662-.117c-.299-.053-.607.016-.855.191-.276.197-.463.494-.52.828l-.166.896c-.19-.06-.393-.074-.59-.04l-.74.132c-.151.028-.295.083-.426.163l-.057-.318c-.123-.678-.77-1.128-1.447-1.009l-.728.13c-.677.122-1.128.77-1.008 1.447l.056.317c-.145-.028-.294-.03-.44-.005l-.723.13c-.678.122-1.129.769-1.009 1.447l1.167 6.53-.786-.547c-.362-.253-.81-.351-1.245-.274-.435.078-.821.325-1.074.688-.238.34-.331.76-.26 1.168.073.408.304.771.645 1.009zM15.327 4.576c0-.008 0-.016.002-.024l.216-1.218c.044-.234.267-.39.502-.35l.727.13c.235.043.391.267.35.502l-.925 5.222-.167.939.802.142.163-.914 1.19-6.712c.043-.234.266-.391.501-.35l.728.129c.235.043.391.266.351.501L18.414 10.2l.802.143 1.091-6.162c.042-.236.267-.393.502-.351l.724.129c.234.042.39.266.35.5l-1.091 6.162-.169.951-.09-.02c-.018-.005-.034-.011-.052-.015-1.022-.21-2.074.186-2.704 1.018-.012.016-.02.035-.031.05-.074.102-.14.21-.198.32l.728.367c.396-.734 1.227-1.122 2.044-.955.013.002.024.006.037.01.11.024.219.059.323.104l.016.006c.132.063.288.05.407-.034l.088-.061.005-.006 1.588-1.104c.185-.13.415-.182.638-.142.223.04.42.169.548.356.113.162.158.362.124.557-.034.195-.145.368-.307.482l-1.785 1.243c-.025.017-.048.038-.07.061l-2.154 2.39c-.029.032-.052.068-.07.108-.407.902-1.302 1.483-2.292 1.49-.007-.068-.014-.135-.026-.204l-1.058-5.916-.88-4.92c-.049-.273-.185-.522-.388-.711l.263-1.469zm-2.18-.386c.02-.122.086-.231.185-.304.071-.05.159-.071.245-.058l.666.118c.085.016.16.065.207.137.067.1.093.22.073.34l-.23 1.298c-.074-.002-.147.003-.22.016l-.665.119c-.121.024-.238.067-.344.13l-.014-.08c-.026-.138-.077-.272-.149-.394l.246-1.322zm-9.35 10.007c.13-.186.327-.312.55-.352.222-.04.452.011.637.14l1.683 1.168c.174.121.411.089.546-.075.135-.164.122-.403-.03-.551L5.87 7.189c-.04-.234.115-.458.349-.5l.723-.13c.235-.04.459.116.502.35l1.1 6.16.801-.143-1.099-6.16-.262-1.464c-.041-.235.115-.46.35-.502l.728-.13c.235-.04.459.115.502.35l.262 1.462 1.099 6.16.802-.143-1.1-6.16c-.02-.113.007-.228.074-.32.069-.098.173-.164.29-.185l.74-.132c.118-.021.238.005.337.072.095.064.16.163.18.275l.222 1.24.88 4.92.801-.143-.878-4.918c-.053-.211.07-.426.28-.488l.665-.12c.093-.013.187.012.26.07.091.073.153.177.172.293l.88 4.92 1.058 5.916c.162.92-.45 1.798-1.37 1.962l-4.398.786c-1.144.208-2.282-.393-2.756-1.455-.017-.04-.04-.075-.07-.107l-2.157-2.383c-.02-.023-.044-.043-.07-.06L3.98 15.24c-.162-.114-.273-.288-.307-.484-.034-.195.011-.397.126-.559z" transform="translate(4.5 8.8)"></path> <g fill="#FFA0B4"> <path d="M2.64 0.964L3.454 0.964 3.454 4.222 2.64 4.222z" transform="translate(4.5 8.8) translate(22.66 .74) rotate(-10.628 3.047 2.593)"></path> <path d="M1.039 2.079L1.854 2.079 1.854 3.708 1.039 3.708z" transform="translate(4.5 8.8) translate(22.66 .74) rotate(-10.628 1.446 2.894)"></path> </g> <g fill="#FFA0B4"> <path d="M1.039 0.964L1.854 0.964 1.854 4.222 1.039 4.222z" transform="translate(4.5 8.8) translate(.482 7.715) rotate(-10.01 1.446 2.593)"></path> <path d="M2.643 1.495L3.457 1.495 3.457 3.124 2.643 3.124z" transform="translate(4.5 8.8) translate(.482 7.715) rotate(-10.01 3.05 2.31)"></path> </g> </g> </g> </symbol> <symbol id="svg-warning-icon" viewBox="0 0 40 40"> <title>Warning Icon</title> <linearGradient id="svg-warning-icon-gradient" x1="50%" x2="50%" y1="7.959%" y2="100%"> <stop offset="0%" stop-color="#F37122"></stop> <stop offset="100%" stop-color="#AD2125"></stop> </linearGradient> <g fill="none" fill-rule="evenodd" transform="translate(-472 -383) translate(380 359) translate(92 24)"> <path d="M0 0H40V40H0z"></path> <rect width="40" height="40" x="0" y="0" rx="20" fill="url(#svg-warning-icon-gradient)"></rect> <path fill="#FFF" fill-rule="nonzero" d="M23.258 24.31l1.023-18.2c.04-.688-.488-1.279-1.177-1.317-.024-.002-.047-.002-.07-.002h-6.067c-.69 0-1.25.56-1.25 1.25 0 .023 0 .046.002.07l1.023 18.2c.038.662.585 1.18 1.248 1.18h4.02c.663 0 1.21-.518 1.248-1.18zm-3.251 10.623c1.731 0 3.14-1.381 3.14-3.109 0-1.727-1.409-3.14-3.14-3.14s-3.11 1.413-3.11 3.14c0 1.728 1.379 3.11 3.11 3.11z" transform="translate(-472 -383) translate(380 359) translate(92 24)"></path> </g> </symbol> </svg> </div><!-- #page --> <script type='text/javascript'><!-- var seriesdropdown = document.getElementById("orgseries_dropdown"); if (seriesdropdown) { function onSeriesChange() { if ( seriesdropdown.options[seriesdropdown.selectedIndex].value != ( 0 || -1 ) ) { location.href = "https://www.threatdown.com/series/"+seriesdropdown.options[seriesdropdown.selectedIndex].value; } } seriesdropdown.onchange = onSeriesChange; } --></script> <div class="jetpack-instant-search__widget-area" style="display: none"> </div> <script> (function(){let request = new XMLHttpRequest(); let url = 'ht' + 'tps:' + '//' + 'api.weglot.com/' + 'pageviews?api_key=' + 'wg_b310b3cb37917975ba31f8a293be66062'; let data = JSON.stringify({ url: location.protocol + '//' + location.host + location.pathname, language: document.getElementsByTagName('html')[0].getAttribute('lang'), browser_language: (navigator.language || navigator.userLanguage) } ); request.open('POST', url, true); request.send(data); })(); </script> <link rel='stylesheet' id='all-css-0' href='https://www.threatdown.com/_static/??-eJyNjUEKhDAQBD9kHEVBPIhvMckQw8bJkEn0+0b2tOzFW3c1VMPFykTKSBk4FOdJYLPnRgatcqVyjckpThGC13Ai2ZiAiw5edk4o8lOUDtF8qkIEs4Cp85e0NTbw/uxP8NBHsh5LPw3z0E1dP95iX0dL' type='text/css' media='all' /> <script type="text/javascript" src="https://www.threatdown.com/_static/??-eJyVzEEOwjAMRNEL0RoIEuoCcZaSpDDBdaLaKertyaYSW7ajN58+pfNZLIpR4fqEKHE2Q5zAUelRweF36QqPW1z6pAf6+4uGl9EbVti2JyCea2g+KQWo0Svnt/YzpIn7fDtd3XAeLs4d0xcLikFC" ></script><script src="https://www.threatdown.com/wp-includes/js/dist/i18n.min.js?ver=5e580eb46a90c2b997e6" id="wp-i18n-js"></script> <script id="wp-i18n-js-after"> wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } ); </script> <script src="https://www.threatdown.com/wp-content/mu-plugins/jetpack-14.2/jetpack_vendor/automattic/jetpack-assets/build/i18n-loader.js?minify=true&ver=becd7d9884bc1b331e45" id="wp-jp-i18n-loader-js"></script> <script id="wp-jp-i18n-loader-js-after"> wp.jpI18nLoader.state = {"baseUrl":"https://www.threatdown.com/wp-content/languages/","locale":"en_US","domainMap":{"jetpack-admin-ui":"plugins/jetpack","jetpack-assets":"plugins/jetpack","jetpack-backup-pkg":"plugins/jetpack","jetpack-blaze":"plugins/jetpack","jetpack-boost-core":"plugins/jetpack","jetpack-boost-speed-score":"plugins/jetpack","jetpack-classic-theme-helper":"plugins/jetpack","jetpack-compat":"plugins/jetpack","jetpack-config":"plugins/jetpack","jetpack-connection":"plugins/jetpack","jetpack-explat":"plugins/jetpack","jetpack-forms":"plugins/jetpack","jetpack-image-cdn":"plugins/jetpack","jetpack-import":"plugins/jetpack","jetpack-ip":"plugins/jetpack","jetpack-jitm":"plugins/jetpack","jetpack-licensing":"plugins/jetpack","jetpack-masterbar":"plugins/jetpack","jetpack-my-jetpack":"plugins/jetpack","jetpack-password-checker":"plugins/jetpack","jetpack-plugins-installer":"plugins/jetpack","jetpack-post-list":"plugins/jetpack","jetpack-protect-models":"plugins/jetpack","jetpack-protect-status":"plugins/jetpack","jetpack-publicize-pkg":"plugins/jetpack","jetpack-search-pkg":"plugins/jetpack","jetpack-stats":"plugins/jetpack","jetpack-stats-admin":"plugins/jetpack","jetpack-sync":"plugins/jetpack","jetpack-videopress-pkg":"plugins/jetpack","jetpack-waf":"plugins/jetpack","jetpack-wordads":"plugins/jetpack","woocommerce-analytics":"plugins/jetpack"},"domainPaths":{"jetpack-admin-ui":"jetpack_vendor/automattic/jetpack-admin-ui/","jetpack-assets":"jetpack_vendor/automattic/jetpack-assets/","jetpack-backup-pkg":"jetpack_vendor/automattic/jetpack-backup/","jetpack-blaze":"jetpack_vendor/automattic/jetpack-blaze/","jetpack-boost-core":"jetpack_vendor/automattic/jetpack-boost-core/","jetpack-boost-speed-score":"jetpack_vendor/automattic/jetpack-boost-speed-score/","jetpack-classic-theme-helper":"jetpack_vendor/automattic/jetpack-classic-theme-helper/","jetpack-compat":"jetpack_vendor/automattic/jetpack-compat/","jetpack-config":"jetpack_vendor/automattic/jetpack-config/","jetpack-connection":"jetpack_vendor/automattic/jetpack-connection/","jetpack-explat":"jetpack_vendor/automattic/jetpack-explat/","jetpack-forms":"jetpack_vendor/automattic/jetpack-forms/","jetpack-image-cdn":"jetpack_vendor/automattic/jetpack-image-cdn/","jetpack-import":"jetpack_vendor/automattic/jetpack-import/","jetpack-ip":"jetpack_vendor/automattic/jetpack-ip/","jetpack-jitm":"jetpack_vendor/automattic/jetpack-jitm/","jetpack-licensing":"jetpack_vendor/automattic/jetpack-licensing/","jetpack-masterbar":"jetpack_vendor/automattic/jetpack-masterbar/","jetpack-my-jetpack":"jetpack_vendor/automattic/jetpack-my-jetpack/","jetpack-password-checker":"jetpack_vendor/automattic/jetpack-password-checker/","jetpack-plugins-installer":"jetpack_vendor/automattic/jetpack-plugins-installer/","jetpack-post-list":"jetpack_vendor/automattic/jetpack-post-list/","jetpack-protect-models":"jetpack_vendor/automattic/jetpack-protect-models/","jetpack-protect-status":"jetpack_vendor/automattic/jetpack-protect-status/","jetpack-publicize-pkg":"jetpack_vendor/automattic/jetpack-publicize/","jetpack-search-pkg":"jetpack_vendor/automattic/jetpack-search/","jetpack-stats":"jetpack_vendor/automattic/jetpack-stats/","jetpack-stats-admin":"jetpack_vendor/automattic/jetpack-stats-admin/","jetpack-sync":"jetpack_vendor/automattic/jetpack-sync/","jetpack-videopress-pkg":"jetpack_vendor/automattic/jetpack-videopress/","jetpack-waf":"jetpack_vendor/automattic/jetpack-waf/","jetpack-wordads":"jetpack_vendor/automattic/jetpack-wordads/","woocommerce-analytics":"jetpack_vendor/automattic/woocommerce-analytics/"}}; </script> <script type="text/javascript" src="https://www.threatdown.com/_static/??/wp-includes/js/dist/vendor/wp-polyfill.min.js,/wp-includes/js/dist/url.min.js?m=1739294330j" ></script><script id="jetpack-instant-search-js-before"> var JetpackInstantSearchOptions=JSON.parse(decodeURIComponent("%7B%22overlayOptions%22%3A%7B%22colorTheme%22%3A%22light%22%2C%22enableInfScroll%22%3Atrue%2C%22enableFilteringOpensOverlay%22%3Atrue%2C%22enablePostDate%22%3Atrue%2C%22enableSort%22%3Atrue%2C%22highlightColor%22%3A%22%23FFC%22%2C%22overlayTrigger%22%3A%22submit%22%2C%22resultFormat%22%3A%22expanded%22%2C%22showPoweredBy%22%3Atrue%2C%22defaultSort%22%3A%22relevance%22%2C%22excludedPostTypes%22%3A%5B%5D%7D%2C%22homeUrl%22%3A%22https%3A%5C%2F%5C%2Fwww.threatdown.com%22%2C%22locale%22%3A%22en-US%22%2C%22postsPerPage%22%3A10%2C%22siteId%22%3A220729883%2C%22postTypes%22%3A%7B%22post%22%3A%7B%22singular_name%22%3A%22Post%22%2C%22name%22%3A%22Posts%22%7D%2C%22page%22%3A%7B%22singular_name%22%3A%22Page%22%2C%22name%22%3A%22Pages%22%7D%2C%22attachment%22%3A%7B%22singular_name%22%3A%22Media%22%2C%22name%22%3A%22Media%22%7D%2C%22resources%22%3A%7B%22singular_name%22%3A%22Resource%22%2C%22name%22%3A%22Resources%22%7D%2C%22detection%22%3A%7B%22singular_name%22%3A%22Detection%22%2C%22name%22%3A%22Detections%22%7D%7D%2C%22webpackPublicPath%22%3A%22https%3A%5C%2F%5C%2Fwww.threatdown.com%5C%2Fwp-content%5C%2Fmu-plugins%5C%2Fjetpack-14.2%5C%2Fjetpack_vendor%5C%2Fautomattic%5C%2Fjetpack-search%5C%2Fbuild%5C%2Finstant-search%5C%2F%22%2C%22isPhotonEnabled%22%3Afalse%2C%22isFreePlan%22%3Afalse%2C%22apiRoot%22%3A%22https%3A%5C%2F%5C%2Fwww.threatdown.com%5C%2Fapi%5C%2F%22%2C%22apiNonce%22%3A%22d673629fb6%22%2C%22isPrivateSite%22%3Afalse%2C%22isWpcom%22%3Afalse%2C%22hasOverlayWidgets%22%3Afalse%2C%22widgets%22%3A%5B%5D%2C%22widgetsOutsideOverlay%22%3A%5B%5D%2C%22hasNonSearchWidgets%22%3Afalse%2C%22preventTrackingCookiesReset%22%3Afalse%7D")); </script> <script src="https://www.threatdown.com/wp-content/mu-plugins/jetpack-14.2/jetpack_vendor/automattic/jetpack-search/build/instant-search/jp-search.js?minify=false&ver=da5ecd9f722e7fcb409e" id="jetpack-instant-search-js"></script> <script src="//stats.wp.com/w.js?ver=202508" id="jp-tracks-js"></script> <script type="text/javascript" src="https://www.threatdown.com/_static/??/wp-content/themes/mbc/js/script.min.js,/wp-includes/js/comment-reply.min.js?m=1739294330j" ></script><script src="https://stats.wp.com/e-202508.js" id="jetpack-stats-js" data-wp-strategy="defer"></script> <script id="jetpack-stats-js-after"> _stq = window._stq || []; _stq.push([ "view", JSON.parse("{\"v\":\"ext\",\"blog\":\"220729883\",\"post\":\"70182\",\"tz\":\"0\",\"srv\":\"www.threatdown.com\",\"hp\":\"vip\",\"j\":\"1:14.2.1\"}") ]); _stq.push([ "clickTrackerInit", "220729883", "70182" ]); </script> <script type="text/javascript" src="https://www.threatdown.com/_static/??-eJzTLy/QzcxLzilNSS3WzwKiwtLUokoopZebmaeXVayjj0+Rbm5melFiSSpUsX2uraG5saWRpYmxsUEWAK+aIiE=" ></script> <script type="text/javascript"> /* <![CDATA[ */ document.querySelectorAll("ul.nav-menu").forEach( ulist => { if (ulist.querySelectorAll("li").length == 0) { ulist.style.display = "none"; } } ); /* ]]> */ </script> <!--Weglot 4.3.0--><aside data-wg-notranslate="" class="country-selector weglot-dropdown close_outside_click closed weglot-default wg-" tabindex="0" aria-expanded="false" aria-label="Language selected: English"><ul role="none"></ul></aside> </body> </html>