This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.
Summary
- Associated actor(s): OilRig; APT39; Void Manticore / Handala
- Tool type(s): Living-off-the-land utility
- Confidence level(s): Medium
- Source ID(s):
SRC-MITRE-G0049, SRC-MITRE-G0087, SRC-MITRE-G1055
Behavior
| Actor | Behavior Summary |
|---|
| APT39 | MITRE ATT&CK lists ftp as software used by this actor; track it as file transfer over FTP. |
| OilRig | MITRE ATT&CK lists ftp as software used by this actor; track it as file transfer over FTP. |
| Void Manticore / Handala | MITRE ATT&CK lists ftp as software used by this actor; track it as file transfer over FTP. |
Hash And IOC Status
| Actor | Status | Reference |
|---|
| APT39 | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | SRC-MITRE-G0087 |
| OilRig | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | SRC-MITRE-G0049 |
| Void Manticore / Handala | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | SRC-MITRE-G1055 |
Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.
Defensive Hunting Notes
| Actor | Hunting Notes |
|---|
| APT39 | Hunt for ftp execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. |
| OilRig | Hunt for ftp execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. |
| Void Manticore / Handala | Hunt for ftp execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. |
Handling Notes
| Actor | Handling Notes |
|---|
| APT39 | Common or dual-use tools require local allowlisting and must not be used alone for actor attribution. |
| OilRig | Common or dual-use tools require local allowlisting and must not be used alone for actor attribution. |
| Void Manticore / Handala | Common or dual-use tools require local allowlisting and must not be used alone for actor attribution. |
Crosslinks
Mapped ATT&CK Techniques For Associated Actor(s)
These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.
These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.
Source Review
| Source | Publisher | Date | Reliability | Type | Last Reviewed |
|---|
SRC-MITRE-G0049 | MITRE ATT&CK | 2026-05-13 | A | Knowledge base | 2026-05-14 |
SRC-MITRE-G0087 | MITRE ATT&CK | 2026-05-14 | A | Knowledge base | 2026-05-14 |
SRC-MITRE-G1055 | MITRE ATT&CK | 2026-05-12 | A | Knowledge base | 2026-05-14 |
If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.