{
	"id": "5cef11fb-29ab-40c5-9752-796caf2f8abd",
	"created_at": "2026-04-06T00:11:28.193949Z",
	"updated_at": "2026-04-10T13:12:44.469313Z",
	"deleted_at": null,
	"sha1_hash": "12fd8f88a851d17507fa78def231de5f6a30ce8f",
	"title": "Quick Update: Kraken Completes Its Rebrand to Anubis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 283907,
	"plain_text": "Quick Update: Kraken Completes Its Rebrand to Anubis\r\nArchived: 2026-04-05 16:21:11 UTC\r\nThreat Intelligence\r\nFebruary 22, 2022 |by ZeroFox Team\r\nIn a blog post dated February 16, 2022, ZeroFox Intelligence detailed Kraken, a new botnet targeting Windows\r\nthat we discovered in October 2021. The botnet is still undergoing active development, experimenting with new\r\nfeatures, and attempting to find a brand for itself. After our publication, ZeroFox learned that the botnet has\r\nundergone a rebranding to more closely align with its administration dashboard. Sometime between January 4,\r\n2022, and January 7, 2022, the operator(s) began using the names “Anubis” and “Pepega” for the project\r\ninternally.\r\nRecommendations\r\nEnsure antivirus and intrusion detection software is up to date with all patches and rule sets.\r\nEnable two-factor authentication for all organizational accounts to help mitigate phishing and credential\r\nstuffing attacks.\r\nMaintain regularly scheduled backup routines, including off-site storage and integrity checks.\r\nAvoid opening unsolicited attachments and never click suspicious links.\r\nLog and monitor all administrative actions as much as possible. Alert on any suspicious activity.\r\nReview network logs for potential signs of compromise and data egress.\r\nDetails\r\nZeroFox Intelligence has been following the development of this previously unknown botnet since October 2021.\r\nOriginally named “Kraken,” builds discovered between January 4, 2022, and January 7, 2022, reveal that the\r\ninternal name has changed.\r\nhttps://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/\r\nPage 1 of 4\n\nFigure 1. 
On the left, a build from January 4, 2022; on the right, a January 7, 2022, build.\r\nSource: ZeroFox Intelligence\r\nAs seen in Figure 1, the Golang project path has changed from\r\n“C:\\Users\\666\\Desktop\\Bobabubs\\kraken_2022” to “\\root\\anubis”, which more closely aligns with the\r\ndashboard after it received its own rebrand. The source code also appears to have been merged into one main file\r\nwith most of the function names being obfuscated, as opposed to the previously separated but clear functionality.\r\nAnother notable change made is to the main source file. The name “pepega” may be in reference to a Twitch\r\nemote of the same name, which is itself a variation of the meme “Pepe the Frog.”\r\nAnubis Dashboard No Longer Available\r\nShortly after our publication, ZeroFox Intelligence also observed that the Anubis dashboard is no longer available.\r\nAttempting to view the dashboard now results in a “404 page not found” message being displayed.\r\nNew Exfiltration Targets\r\nIn addition to the previously-added cryptocurrency wallets, Anubis now appears to be targeting specific\r\nChromium-based browsers. Builds obtained by ZeroFox Intelligence from February 17, 2022, onwards have\r\nadded the following paths targeting the Brave, Google Chrome, and Microsoft Edge browsers:\r\n\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Cookies\r\n\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies\r\n\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cookies\r\nFigure 2. Multiple Chromium-based web browser paths appearing in the latest Anubis build\r\nSource: ZeroFox Intelligence\r\nUntil recently, Anubis relied entirely on secondary payloads such as Redline to steal data from victims. 
If this\r\ntrend of feature additions continues, Anubis may become capable of doing the job itself, ending its reliance on\r\nthird-party infostealers.\r\nConclusion\r\nThe additional capability to target a victim's browser data seems limited to just cookie data currently. Whether\r\nAnubis decides to collect more data (such as saved credentials and browser history) or even target more browsers\r\nbased on the Chromium source currently remains to be seen. Though the pace of Anubis’ development has slowed\r\ndown since its initial discovery, the various changes its operator(s) are making indicate they are still deciding what\r\nthe future of this botnet holds. ZeroFox will continue to monitor this emerging botnet as it evolves.\r\nMITRE ATT\u0026CK\r\nID Description\r\nT1027.002 Obfuscated Files or Information: Software Packing\r\nT1033 System Owner/User Discovery\r\nT1047 Windows Management Instrumentation\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nT1082 System Information Discovery\r\nT1113 Screen Capture\r\nT1132.001 Data Encoding: Standard Encoding\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1571 Non-Standard Port\r\nIOCs\r\nSHA256 Hashes\r\n5d99125b0d97ba0abfcf9916c1a05081c1cc117eb2afaaab39a6f95a60e42ab3\r\nTags: Threat Intelligence\r\nSource: https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/"
	],
	"report_names": [
		"quick-update-kraken-completes-its-rebrand-to-anubis"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434288,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12fd8f88a851d17507fa78def231de5f6a30ce8f.pdf",
		"text": "https://archive.orkl.eu/12fd8f88a851d17507fa78def231de5f6a30ce8f.txt",
		"img": "https://archive.orkl.eu/12fd8f88a851d17507fa78def231de5f6a30ce8f.jpg"
	}
}