{
	"id": "189affc6-f7d6-479d-84e7-8bc0b9ce8e1a",
	"created_at": "2026-04-06T00:16:56.533544Z",
	"updated_at": "2026-04-10T13:12:02.031087Z",
	"deleted_at": null,
	"sha1_hash": "0c369be913a7b66d090e3930c4ae74baf379701a",
	"title": "The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2303991,
	"plain_text": "The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet\r\nAISURU\r\nBy Wang Hao\r\nPublished: 2025-09-15 · Archived: 2026-04-05 23:20:05 UTC\r\nOverview\r\nSince 2025, peak bandwidth for global DDoS attacks has repeatedly broken historical records, rising from 3.12\r\nTbps at the start of the year to a staggering 11.5 Tbps recently. In multiple high-impact or record-breaking attack\r\nincidents, we consistently observed a botnet named AISURU operating behind the scenes.\r\nCloudflare Mitigates 11.5 Tbps DDoS Attack\r\nXLAB Attack Incident Monitoring Data\r\nThe AISURU botnet was first disclosed by XLab in August 2024 and participated in DDoS attacks against the\r\ndistribution platform for the game \"Black Myth: Wukong.\" Since March of this year, XLab's Cyber Threat Insight\r\nand Analysis System (CTIA) has continuously captured new samples of the botnet. Multiple sources indicate the\r\ngroup allegedly compromised a router firmware update server in April and distributed malicious scripts to expand\r\nthe botnet. The node count is currently reported to be around 300,000.\r\nhttps://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/\r\nPage 1 of 17\n\nMore alarmingly, some AISURU samples embed \"Easter egg\" messages that go beyond pure attack intent and\r\nattempt to convey certain ideological content. Given this serious situation, we decided to write this report to\r\npublicly share our findings with the security community and call on all parties to join forces to combat this\r\nincreasingly rampant cybercriminal activity.\r\nAnonymous Source \u0026 XLab Visibility\r\nXLab has long been deeply involved in DDoS research and continually publishes reliable, in-depth analysis,\r\nearning a strong reputation among defenders and within attacker circles. Recently, an anonymous informed source\r\nprovided intelligence about the AISURU/AIRASHI botnet, hoping to dismantle AISURU similarly to the effort\r\nagainst the Fodcha botnet. 
This lead allowed us to get closer to the group behind AISURU and unveil the botnet's\r\noperations.\r\nAnonymous Source\r\nWe have obtained authorization from the source to publish the conversations.\r\nAccording to the anonymous source, the AISURU group has three key figures codenamed Snow, Tom, and Forky.\r\nIn 2022, Forky met Snow and Tom when they were still small-time. After several successful collaborations,\r\nincluding the catddos botnet, the three formed the AISURU team.\r\nSnow: responsible for botnet development\r\nTom: responsible for vulnerabilities, including discovering 0-days and integrating N-days\r\nForky: responsible for botnet sales\r\nIn April 2025, Tom successfully breached a totolink router firmware update server and set the firmware upgrade\r\nURL to download and execute a malicious script. This means any totolink router that performed the update could\r\nbe infected by AISURU.\r\nThis intrusion rapidly increased AISURU's scale, surpassing 100,000 devices in a short time. Faced with such a\r\nvast size, the group was somewhat unprepared and had to work overtime configuring strategies on several C2 IPs\r\nand using GRE TUNNEL to distribute traffic.\r\nThe members of the AISURU group act flamboyantly and often launch highly destructive attacks on ISPs under\r\nthe pretext of \"for fun.\" As they even mentioned in their samples, \"I don't feel right as myself, with my failing\r\nmental health,\" they are often mockingly referred to as \"mentally unstable,\" which has earned them a very\r\nbad reputation in the DDoS community, making countless enemies.\r\nBy late April, AISURU’s \"enemies\" began leaking details on social media. 
The first shot came under a Cloudflare\r\npost about mitigating a record 5.8 Tbps attack, where someone replied: “This came from 340k Totolink routers!”\r\nA few days later, they dropped heavier evidence—a leaked screenshot of the botnet panel showing over 300,000\r\nactive bots, including about 30,000 from China. With the taunt \"welcome to totolink botnet\" and tags to\r\nTotolink and Interpol, the leaks were clearly aimed at drawing public and law enforcement attention to take\r\ndown AISURU.\r\nCurrently, the totolink update server vulnerability has been patched. The AISURU group jokingly posted RIP\r\nTOTOLINK 2025-2025, but the botnet's scale was not affected and remains around 300k nodes.\r\nBefore the record 12.1 Tbps event in September 2025, AISURU ran several attack tests, including an attack on\r\nsecurity journalist Brian Krebs' personal site; the attack traffic set \"world records\" at those times.\r\nInterestingly, \"Ethan J Foltz\" is the real name of the Rapper Botnet's author, who was arrested on 2025-08-06; the\r\nID \"Ethan J Foltz\" used below was actually Snow, who used it to mock Rapperbot — possibly a reason AISURU\r\ndrew ire in the DDoS community.\r\nXLab Visibility\r\nFor readers wondering about the credibility of the anonymous source — \"This is an interesting rumor, but how\r\nreliable is it?\" — while we may not be able to verify the persons, XLab's Cyber Threat Insight and Analysis\r\nSystem provides solid visibility into samples, C2 servers, and attack events. 
Using the group's key activities\r\nas anchors and cross-referencing datasets, we believe the attack incident intelligence provided by the\r\nanonymous source is highly credible.\r\n1: Malicious script t.sh implanted into totolink update server in April 2025\r\nFrom the 26th, the script began using the domain updatetoto.tw. We used the domain ranking system Tranco to\r\nmeasure its activity.\r\nUsing the ranking from April 29 to May 30 as an example, the downloader domain updatetoto.tw — created on\r\nApril 25 — rose to rank 672,588 globally within one month, proving the AISURU group's infection campaign was\r\nhighly successful.\r\n2: C2 IPs enabling GRE TUNNEL in April 2025\r\nThe AISURU group configured GRE Tunnels on four IPs: 151.242.2.22 to 151.242.2.25. These serve as C2\r\nservers.\r\nIn April, we also captured the C2 domain approach.ilovegaysex[.]su; its TXT record, once decoded, covered these\r\nfour IPs, indicating the C2 belonged to the AISURU group.\r\n3: May 2025 attack on KrebsOnSecurity\r\nBy tracking commands from the malicious ilovegaysex domain's C2 servers, we detected an attack on security\r\nreporter Brian Krebs' personal blog in May.\r\n4: September 2025 attack on 185.211.78.117\r\nBy tracking commands from C2 servers, we observed an attack in September against 185.211.78.117 with an\r\nastonishing 11.5 Tbps of traffic.\r\nSample Propagation\r\nLeveraging the capabilities of XLab's Cyber Threat Insight and Analysis System, we have observed that\r\nAisuru samples have recently been spreading primarily via NDAY vulnerabilities, while also possessing the ability\r\nto exploit 0DAY vulnerabilities. 
The 0DAY affecting cnPilot routers from Cambium Networks (USA), first\r\nexploited in June of last year, is still being actively used. Some of the vulnerabilities leveraged by Aisuru for\r\nsample propagation are as follows:\r\nVulnerability | Affected Vendor | Affected Devices\r\nAMTK-CAMERA-CMD-RCE | A-MTK | Camera\r\nCVE-2013-1599 | D-Link | DCS-3411 Firmware\r\nCVE-2013-3307 | Linksys | Linksys X3000\r\nCVE-2013-5948 | T-Mobile | Tm-Ac1900\r\nCVE-2017-5259 | Cambium Networks | Cnpilot R190V Firmware\r\nCVE-2022-44149 | Nexxt | Router\r\nCVE-2023-28771 | Zyxel | Zyxel ATP, Zyxel USG FLEX, Zyxel VPN, Zyxel ZyWALL/USG\r\nCVE-2023-50381 | Realtek | rtl819x Jungle SDK v3.4.11\r\nLILIN-DVR-RCE | LILIN | DVR\r\nCVE-2022-35733 | UNIMO | DVR UDR-JA1004/JA1008/JA101\r\nCVE-2024-3721 | TBK | DVR\r\nCNPILOT-0DAY-RCE | Cambium Networks | cnPilot\r\nSANHUI-GATEWAY-DEBUG-PHP-RCE | SANHUI | Gateway Management Software\r\nTVT-OEM-API-RCE | Shenzhen TVT | DVR\r\nAttack Statistics\r\nThe Aisuru botnet has launched attacks worldwide, spanning multiple industries. Its primary targets have been\r\nlocated in regions such as China, the United States, Germany, the United Kingdom, and Hong Kong. The attacks\r\nshow no strong signs of selectivity, with several hundred targets hit on a daily basis.\r\nDDoS attack trends:\r\nGeographic distribution of victims:\r\nTechnical Analysis\r\nStarting on March 14, 2025, the AISURU group began distributing new bot samples. Comparing them with known\r\nsource code, we found updates mainly focused on encryption methods, and the updates can be divided into two\r\nmajor versions.\r\n1. 
Version 1 updates: use ECDH-P256 for key exchange, then derive a shared ChaCha20 key for encrypting\r\nnetwork messages; DNS-TXT record decoding changed from base64+ChaCha20 to base64+XOR; new\r\nattack commands and message formats.\r\n2. Version 2 updates: streamlined network protocol by removing ECDH-P256 key exchange; modified xxhash\r\nalgorithm for message integrity verification; modified RC4 algorithm for decrypting sample strings and\r\ncommunication keys.\r\nVersion 1 lasted only about half a month; subsequent samples primarily used Version 2. The following analysis\r\nfocuses on Version 2 samples, emphasizing AISURU's anti-analysis techniques, encryption, and network protocol.\r\nEnvironment Detection\r\nOn startup, the sample checks whether the current process command line contains any of the following strings:\r\ntcpdump\r\nwireshark\r\ntshark\r\ndumpcap\r\nIt also checks the kernel's hardware identifier for strings such as:\r\nVMware\r\nVirtualBox\r\nKVM\r\nMicrosoft\r\nQEMU\r\nIf any of these are detected, the program exits to hinder dynamic analysis.\r\nKiller Evasion\r\nLinux has an OOM Killer (Out-Of-Memory Killer) that terminates processes when system memory is low. The\r\nsample disables this by writing -1000 to /proc/self/oom_score_adj to gain more runtime.\r\nAs competitors often fight over compromised devices, device takeover is fiercely contested. For example,\r\nAISURU and Rapperbot have intense competition over nvms9000 devices. When AISURU takes a device, they\r\noften taunt Rapperbot publicly.\r\nMany botnets compile statically for cross-platform compatibility, avoid shared libraries, and delete their binary\r\nafter execution. Other botnets use these behaviors as signals to kill competitors. 
To counter those killer tactics,\r\nthe sample searches /lib/ for .so shared libraries and maps them into the current process; it does not delete\r\nits file and renames it to libcow.so. The process name is also checked; the sample replaces the process name\r\nwith one of several common names:\r\ntelnetd\r\nudhcpc\r\ninetd\r\nntpclient\r\nwatchdog\r\nklogd\r\nupnpd\r\ndhclient\r\nModified RC4 Algorithm\r\nCompared to previous AIRASHI versions, the new sample no longer uses the standard RC4 algorithm to decrypt\r\nstrings, nor does it use standard HMAC-SHA256 for message verification.\r\nThe new sample uses a modified RC4 algorithm with the key PJbiNbbeasddDfsc, which has not changed across\r\nmultiple versions and may be a nod to the Fodcha botnet. The algorithm retains RC4's 256-byte S-box but adds\r\nnew perturbations during initialization and keystream generation. An equivalent Golang implementation is shown\r\nbelow (the encoding/binary import and the two rotate helpers it relies on, rol32 and rol8, were not shown in the original listing and are supplied here):\r\nimport \"encoding/binary\"\r\n// rol32 rotates a 32-bit word left by n bits; rol8 does the same for a single byte.\r\nfunc rol32(x uint32, n uint) uint32 { return x\u003c\u003cn | x\u003e\u003e(32-n) }\r\nfunc rol8(x byte, n uint) byte { return x\u003c\u003cn | x\u003e\u003e(8-n) }\r\n// AIRASHI_RC4 decrypts data with the hard-coded key; because the keystream is XORed in, the same call also encrypts.\r\nfunc AIRASHI_RC4(data []byte) []byte {\r\nkey := make([]uint32, 4)\r\nkeyBytes := []byte(\"PJbiNbbeasddDfsc\")\r\nfor i := 0; i \u003c 4; i++ {\r\nkey[i] = binary.BigEndian.Uint32(keyBytes[i*4 : (i+1)*4])\r\n}\r\n// Non-standard S-box fill: start at 13 and step down by 89 (mod 256) instead of the identity permutation.\r\nS := make([]byte, 256)\r\ni := 13\r\nfor j := 0; j \u003c 256; j++ {\r\nS[j] = byte(i \u0026 0xff)\r\ni -= 89\r\n}\r\n// RC4-style key scheduling, but each key word is right-shifted by the loop index before use.\r\nj := 0\r\nfor i := 0; i \u003c 256; i++ {\r\nj = (j + int(S[i]) + int(key[i%4]\u003e\u003e(i%32))) % 256\r\nS[i], S[j] = S[j], S[i]\r\n}\r\n// Five extra perturbation rounds over the S-box, driven by an LCG (multiplier 0x41C64E6D, increment 12345).\r\nseed := uint32(0xE0A4CBD6)\r\nfor i := 0; i \u003c 5; i++ {\r\nfor k := 0; k \u003c 256; k++ {\r\nseed = 0x41C64E6D*seed + 12345\r\nt := (seed * uint32(S[k])) \u003e\u003e 24\r\nt1 := (seed ^ key[(i+k)%4] ^ uint32(S[k])) \u0026 0xff\r\nS[k] = byte(t1)\r\nj = (int(t1) + j + int(t)) \u0026 0xff\r\nS[k] = S[j]\r\nS[j] = byte(t1)\r\n}\r\n}\r\n// Keystream generation: a third index k and a rotating mask m are mixed into every output byte.\r\ni, j, k := 0, 0, 0\r\nm := uint32(1)\r\nresult := make([]byte, 0, len(data))\r\nfor _, byteVal := range data {\r\ni = (i + 1) % 256\r\nj = (j + int(S[i])) % 
256\r\nk = (k + int(S[(i+j)%256])) % 256\r\nS[i], S[j] = S[j], S[i]\r\nm = rol32(m, 1)\r\nif (m \u0026 1) != 0 {\r\nm ^= 0xD800A4\r\n}\r\nt := (S[(k+j)%256] + S[(j+i)%256]) \u0026 0xff\r\nt1 := ((byte(m) ^ S[t]) \u003e\u003e 4) ^ rol8(byte(m)^S[t], 3)\u00260xff\r\nresult = append(result, byteVal^t1)\r\n}\r\nreturn result\r\n}\r\nDecrypting the example ciphertext below yields a taunting plaintext.\r\nAfter decrypting with AIRASHI_RC4, the plaintext reads provocatively: \"tHiS mOnTh At qiAnXin shitlab a NeW\r\naisurU vErSiOn hIt oUr bOtMoN sYsTeM dOiNg tHe CHAaCha sLiDe\". Our only reply: \"Are you feeling\r\nitchy?\"\r\nThe sample keeps the previous C2 decoding method: decrypt strings from a table, split by | to obtain multiple\r\nsubdomains and the main domain, then split subdomains by , to form FQDNs. Example:\r\ndecrypted str: sub1,sub2,sub3|domain.tld\r\nc2_1: sub1.domain.tld\r\nc2_2: sub2.domain.tld\r\nc2_3: sub3.domain.tld\r\nWhen parsing domains, the sample still uses encrypted TXT records. Prior blog samples used base64+ChaCha20\r\nfor decoding; the new version abandons ChaCha20 and uses XOR to obtain IPs. See the Appendix CyberChef\r\nrecipe for decoding details.\r\nNetwork Speed Test\r\nRecent versions added an upload speed test feature using the public Speedtest service:\r\n1. GET /speedtest-servers-static.php to fetch test servers\r\n2. GET /speedtest/latency.txt to find the lowest-latency server\r\n3. POST random data to the lowest-latency server for 10s (some samples use 100ms)\r\nThis feature does not affect program execution or C2 connectivity; it only reports results back to C2. We believe\r\nthe purpose is to identify nodes with good network performance for later proxy instructions. 
C2 can assign high-quality nodes to serve as residential proxies.\r\nNetwork Protocol\r\nProtocol-wise, the flow remains similar to previous versions: obtaining a shared ChaCha20 key and confirmation,\r\nbut message formats and encryption algorithms were modified.\r\nA new message consists of three parts: a header, random bytes, and a body. The following image shows a decoded\r\nlogin packet:\r\nThe header has a fixed length of 8 bytes and contains four fields:\r\nmsgType (1 byte) + randSize (1 byte) + bodySize (2 bytes) + bodyHash (4 bytes)\r\nThe login packet structure includes the following fields:\r\nstruct login{\r\nuint32 stun_ip;\r\nuint32 botid_len;\r\nchar botid[botid_len];\r\nuint32 version;\r\nuint32 nodename_len;\r\nchar nodename[nodename_len];\r\nuint32 cwd_len;\r\nchar cwd[cwd_len];\r\nuint32 kernel_ver_len;\r\nchar kernel_ver[kernel_ver_len];\r\nuint16 reserve1;\r\nuint8 reserve2;\r\nbool support_udp;\r\n}\r\nNewly supported message types and descriptions:\r\nmsgType | desc\r\n0 | get shared net key\r\n1 | key info\r\n2 | confirm key\r\n3 | login info\r\n4 | heartbeat\r\n5 | exit\r\n6 | attack\r\n7 | execute cmd\r\n8 | new cnc\r\n9 | reverse shell\r\n10 | proxy\r\n101 | report telnet scan\r\n201 | report killer\r\n202 | report netspeed\r\nYou can see the new samples support not only DDoS attacks but also Proxy functionality. As global law\r\nenforcement increases pressure on cybercrime, demand for anonymization services is rising. Where there is\r\ndemand, there is profit. 
Nodes controlled by botnets are natural building blocks for residential proxy services.\r\nFrom our case collection, this appears to be a trend in the DDoS scene in recent years: expanding business from\r\nsingle-purpose attacks to proxy offerings.\r\nWe implemented the AISURU protocol in the XLab instruction tracking system and, as expected, observed not\r\nonly conventional DDoS commands but also proxy-related instructions.\r\nClearly, AISURU is no longer satisfied with a single DDoS business model and is branching into proxy services to\r\nmonetize its large node pool.\r\nIoC\r\nC2\r\ncoerece[.]ilovegaysex[.]su\r\napproach[.]ilovegaysex[.]su\r\nministry[.]ilovegaysex[.]su\r\nlane[.]ilovegaysex[.]su\r\na.6mv1eyr328y6due83u3js6whtzuxfyhw[.]ru\r\nReport/Download Server\r\nu[.]ilovegaysex[.]su\r\nupdatetoto[.]tw\r\nProxy Relay C2\r\n194.46.59[.]169 United Kingdom|England|Exeter AS206509|KCOM GROUP LIMITED\r\n104.171.170[.]241 United States|Virginia|Ashburn AS7922|Comcast Cable Communications, LLC\r\n104.171.170[.]253 United States|Virginia|Ashburn AS7922|Comcast Cable Communications, LLC\r\n107.173.196[.]189 United States|New York|Buffalo AS36352|ColoCrossing\r\n64.188.68[.]193 United States|District of Columbia|Washington AS46339|CSDVRS, LLC\r\n78.108.178[.]100 Czech Republic|Praha, Hlavni mesto|Prague AS62160|Yes Networks Unlimited Ltd\r\nSample\r\n09894c3414b42addbf12527b0842ee7011e70cfd\r\n51d9a914b8d35bb26d37ff406a712f41d2075bc6\r\n616a3bef8b0be85a3c2bc01bbb5fb4a5f98bf707\r\nccf40dfe7ae44d5e6922a22beed710f9a1812725\r\n26e9e38ec51d5a31a892e57908cb9727ab60cf88\r\n08e9620a1b36678fe8406d1a231a436a752f5a5e\r\n053a0abe0600d16a91b822eb538987bca3f3ab55\r\nAppendix\r\nCyberChef\r\nhttps://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true,fal\r\nSource: 
https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/"
	],
	"report_names": [
		"super-large-scale-botnet-aisuru-en"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434616,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c369be913a7b66d090e3930c4ae74baf379701a.pdf",
		"text": "https://archive.orkl.eu/0c369be913a7b66d090e3930c4ae74baf379701a.txt",
		"img": "https://archive.orkl.eu/0c369be913a7b66d090e3930c4ae74baf379701a.jpg"
	}
}