{
	"id": "5e3eb926-04be-4174-ad56-6ccf0e857d46",
	"created_at": "2026-04-06T01:29:51.949283Z",
	"updated_at": "2026-04-10T03:37:09.460927Z",
	"deleted_at": null,
	"sha1_hash": "14fe73cf150441a3f21e67893c5157beda246bf3",
	"title": "RedLine Infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1705696,
	"plain_text": "RedLine Infostealer\r\nBy Nidal Fikri\r\nPublished: 2021-09-27 · Archived: 2026-04-06 01:25:37 UTC\r\n16 minute read\r\nRedLine in a Nutshell\r\nRedLine is a newly emerging infostealer. An infostealer is malware designed to gather information and steal valuable assets from an infected system. The most common form of infostealer gathers login information, like usernames and passwords. RedLine was first noticed in 2020 via COVID-19 phishing emails, and has been active in 2021. RedLine is almost everywhere, and has appeared variously as trojanized services, games, and cracks. RedLine is used for extensive information stealing operations, like: credit card credentials, crypto wallets, sensitive files, etc. Furthermore, RedLine can also be used as a malware loader or dropper for extended malicious impact. For instance, it can be used to infect the victim with additional malware like ransomware. The RedLine malware family has been distributed and sold mostly via underground malware forums. Many samples of RedLine also appear with legit-looking digital certificates. RedLine is considered one of the most serious threats currently in the wild, therefore it is a must to know how it works, how to detect it, and how to protect your organization.\r\nRedLine Infection Vector\r\nRedLine is extremely versatile, and has been noted being delivered by numerous mechanisms. It is used in multiple smaller campaigns by individuals who have purchased the malware from the underground malware forums. Due to this, there is a wide range of known infection vectors. Only a few of them are stated below:\r\nTrojanized as popular services: Telegram, Signal, Discord (i.e. 
legit-looking installers).\r\nEmail phishing campaigns.\r\nAbusing Google Ads while hosting trojanized or fake websites.\r\nSocial engineering campaigns to attack digital artists using Non-Fungible Tokens.\r\nDownloaded by malware loaders.\r\nTechnical Summary\r\n1. Configuration Extraction: RedLine comes with an embedded configuration. In this variant, the configuration is Base64 encoded plus an additional layer of XOR encryption with a hard-coded key. This configuration contains the C\u0026C server and the malware Botnet ID, which it will communicate with to exfiltrate gathered information and to receive further remote commands.\r\n2. C2 Communication: After extracting the C\u0026C and before doing anything, RedLine will check if there is a possibility to reach its C\u0026C server. If there is an available connection, RedLine will then try to obtain the malicious Scan Settings. These scan arguments contain flags that will be used to determine which information is to be stolen. Moreover, the obtained scan arguments contain tuning parameters to specify desired data assets, for instance, search patterns to specify certain files to be exfiltrated, etc.\r\nhttps://cyber-anubis.github.io/malware%20analysis/redline/\r\nPage 1 of 17\r\n3. Host Profiling: RedLine will gather information about the infected host, in order to decide further actions. Mostly relying on Windows Management Instrumentation (WMI), it harvests and generates the following information: Hardware ID, usernames, OS version, installed languages, installed programs, currently running processes, anti-malware products, graphics card info, victim’s location, IP address, etc. In addition to all these, RedLine contains functions to exclude blacklisted countries as well as blocked IPs from infection.\r\n4. Information Stealing: Here lies the bulk of its functionality. 
Being an information stealer, based on the obtained scan arguments, RedLine can exfiltrate the following information:\r\nFiles: Any specified files in the following directories: ProgramData, Program Files, Program Files (x86).\r\nBrowsers: Login credentials, cookies, auto-fill fields used by websites, and credit card details.\r\nCrypto Wallets: Credentials of Armory, Exodus, Ethereum, Monero, Atomic, BinanceChain, and a lot more.\r\nVPN Clients: Credentials of the following VPN clients: NordVPN, ProtonVPN, and OpenVPN.\r\nGaming Clients: It targets the credentials of Valve’s famous Steam gaming platform.\r\nInstant Messengers: Currently it targets Telegram session data and Discord tokens.\r\nFTP Clients: Credentials of the FileZilla FTP client.\r\n5. Remote Execution: After successful data exfiltration, RedLine will try to obtain additional remote commands to execute within the infected machine. Going beyond information stealing, RedLine is able to perform the following remote actions:\r\nDownload additional files.\r\nDownload and execute PE files (i.e. additional malware like ransomware).\r\nOpen desired links (i.e. malicious websites).\r\nExecute remote commands via CMD.exe.\r\nTechnical Analysis\r\nFirst look \u0026 Unpacking\r\nFigure(1): Results are at 2021-09-20 18:03:15 UTC. Different results may appear.\r\nThis sample comes, in disguise, as a packed C/C++ file, which is responsible for unpacking and exposing the real RedLine malware. However, the initial packed file, as you can see in the last figure, is flagged malicious by 20 security vendors according to VirusTotal. For simplicity’s sake, I’ve decided to use UnpacMe to do the unpacking process. The final unpacked file is found to be a .NET application, which is the real RedLine malware that I will analyze in detail. 
I’ve decided to focus on RedLine data structures, to properly understand which data is being exfiltrated and how.\r\nFigure(2): RedLine code entry point.\r\nRedLine begins by hiding its UI from the infected user. It dynamically resolves the GetConsoleWindow() and ShowWindow() APIs to do that. RedLine calls ShowWindow() with the parameter SW_HIDE=0 to effectively hide its window.\r\nFigure(3): The function used for decrypting the embedded configuration.\r\nThen, it uses the Decrypt() function to extract the embedded encrypted configuration. For this particular sample, the decrypted C\u0026C is \"188.124.36.242:25802\" and the decrypted Botnet ID is \"paladin\". The Botnet ID is used to track the malware and to better identify the infected machines.\r\nC2 Communication\r\nAfter successfully extracting the C\u0026C IP address, RedLine will check if it can reach the C\u0026C server using the functions RequestConnection() and TryGetConnection(). If there is an available connection, RedLine will then try to obtain the malicious Scan Settings using the function TryGetArgs(). These settings simply represent the full arsenal of RedLine, and what capabilities it possesses. The available scan settings are below:\r\nFigure(4): For simplicity’s sake, this screenshot is taken using Sublime and not dnSpy in order to show only the useful code.\r\nThese scan arguments contain flags that will be used to determine which information is to be stolen. Each flag is used in certain functions to decide whether to perform the scanning functionality or not (I will show examples in a moment). Moreover, the obtained scan arguments contain tuning parameters to specify desired data assets. 
For instance, they contain search patterns to specify files to be exfiltrated, paths for locating certain browsers, or a list of blacklisted countries to exclude from infection, etc. After getting the scanning arguments (settings), RedLine proceeds to perform its main purpose, which is information stealing.\r\nInformation Stealing\r\nFigure(5): The function names \u0026 lots of code were obfuscated to make reverse engineering harder.\r\nRedLine contains many functions to collect and harvest almost every valuable asset in the infected machine. Some of these functions are very simple, regarding both purpose and implementation. For instance, Enumerate_username(), Get_Malware_Path(), Enumerate_OS_Version(), etc.\r\nYet, before proceeding to the scanning functionality once again, RedLine instantiates very important data structures, which will be populated with the stolen assets and the gathered host profile. Below are the two important classes ScanResult and ScanDetails:\r\nFigure(6): The rest of the customized classes will be discussed in the coming sections.\r\nFor instance, files specified by the scanning arguments will be populated into the ScannedFile class in order to be exfiltrated, and so on. The ScannedFile class is included in the bigger ScanDetails class, which is also included in the bigger ScanResult class. It’s very important to understand the hierarchy of these nested classes, to draw a map of how the precious data assets are being organized and stolen from the infected machine.\r\nHost Profiling\r\nRedLine contains more than 20 functions to perform an almost full sweep of the infected machine. Some of them are fairly simple; they just perform Windows registry querying or they use documented APIs. 
For instance, since Microsoft Edge is the default browser, the Enumerate_Browsers() function searches the registry key HKEY_LOCAL_MACHINE\\Software\\Clients\\StartMenuInternet and its WoW6432 twin to find the installed browsers, in order to harvest their credentials later on. The Enumerate_Installed_Software() function uses the registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall to list every installed software in the system. Also, RedLine uses the Take_Screenshots() function to take live screenshots of the infected system.\r\nFigure(7): Concatenating the WMI query for the ManagementObjectSearcher class instance.\r\nMoreover, the Enumerate_Security_Defenders() function uses WMI to enumerate any installed security solution. It allows it to get the installed antivirus, anti-spyware and (third-party) firewall software using the root\\SecurityCenter or the root\\SecurityCenter2 namespaces.\r\nNot to forget, the Enumerate_Running_Processess() function, which also uses the Win32_Process WMI class that represents a process on an operating system. It gets the process name + PID + command line arguments in order to build a live full view of the infected machine. I think the attacker uses this information to decide further malicious actions, i.e. certain exploits.\r\nFigure(8): The if-statements control whether to stop the infection or not.\r\nLastly, one more interesting function is the Send() function which contains the above method. It uses the following remote API https://api.ip.sb/geoip to gather very detailed geographical information about the victim. 
The remote API returns XML data specifying a lot of detailed information:\r\n{\"organization\":\"XXXXXXXX\",\"longitude\":XXXXXXX,\"city\":\"XXXXXX\",\"timezone\":\"XXXXXX\",\"isp\":\"XXXXXXX\",\"offset\":XXX\r\nExfiltrating Files\r\nFigure(9): The contents of the file are automatically read when the constructor is called with the filename string parameter.\r\nIt’s important to know the inner structure of the ScannedFile class which is used to populate the exfiltrated files. As you can see in the above screenshot, once a file is instantiated, nearly all of its important contents are stolen.\r\nFigure(10): The function shows the concatenation of the search paths.\r\nThe scan arguments (settings) obtained during the previous C2 communication contain search patterns to specify desired files to be stolen. RedLine currently uses the search patterns to locate files in the following directories only: Program Files (X86)/, Program Files/, and Program Data/. The directory ProgramData/ is for user-agnostic data generated during execution such as shared cache, shared databases, shared settings, shared preferences, etc.\r\nFigure(11): Once a ScannedFile instance is instantiated with a filename, all of the file contents are read.\r\nRedLine only needs to locate the specified files based on the search patterns, then create a ScannedFile instance of the filtered filename. Once instantiated with the filename, almost all of the file contents are stolen because of the ScannedFile constructor code.\r\nHarvesting Browsers\r\nFigure(12): The collected data about the targeted browser.\r\nAlso, it’s very important to know the inner structure of the Browser class, which is used to populate the harvested browser credentials. 
Once a browser is targeted, RedLine steals its account credentials, credit card credentials, cookies, and auto-fill data. RedLine targets Chromium based browsers as well as Gecko based browsers, which means RedLine targets nearly all of the most used browsers.\r\nFigure(13): Notice the passed scanning settings which were obtained by the C2 communication.\r\nFigure(14): Populating the Browser class.\r\nRedLine also uses more methods like DecryptChromium() in order to effectively harvest the targeted credentials. It’s also been noticed that for Gecko based browsers, this sample only steals the cookies, unlike for the targeted Chromium based browsers.\r\nStealing Crypto Wallets\r\nA crypto wallet is an application used to both cold store and retrieve digital cryptocurrency assets. RedLine of course targets these valuable assets because of the rise of people’s interest in cryptocurrency during the past few years.\r\nFigure(15): The AllWallets class is used for generic crypto wallets.\r\nRedLine comes with many classes targeting many crypto wallets like: Armory, Exodus, Ethereum, Monero, Atomic, BinanceChain, Jaxx, Electrum, Guarda, etc. RedLine uses pre-defined search patterns and scan arguments to populate the wallets into ScannedFile instances. Each class in the previous figure is just used to initialize defined search patterns to be passed to the regular Search() function which is used in file exfiltration.\r\nFigure(16): Overriding the GetScanArgs function with new search patterns.\r\nThese search patterns specify the credential files used by the specific wallet type. Every wallet class is used to override the GetScanArgs() function, which is used internally in the Search() function in order to filter for the appropriate wallet files. 
These filtered files will be exfiltrated.\r\nHarvesting Instant Messenger Clients\r\nInstant Messenger (IM) clients like Discord and Telegram have seen a recent rise in popularity, with Discord boasting over 100 million active users. For Telegram, RedLine uses the GetProcessesByName() function to get the ExecutablePath of the running Telegram process. Then, it looks for the folder tdata. This is where the Instant Messenger stores its session data, including images and conversations:\r\nFigure(17): The function is passed the Telegram process name.\r\nIt’s also used to override the GetScanArgs() function which is used internally in the Search() function in order to filter for the targeted files.\r\nFor Discord, RedLine steals its tokens using the Discord.GetTokens() function. A Discord token is a phrase of letters and numbers that acts as an authorization code to access Discord’s servers. It effectively acts as an encryption of your username and password.\r\nSnatching VPN Client Credentials\r\nWith the rise in popularity of VPN services, RedLine doesn’t have any plans to miss this chance. RedLine targets the VPN clients of the following services: NordVPN, OpenVPN, and ProtonVPN. 
For the NordVPN client, RedLine uses obfuscated strings to locate the targeted XML files which contain the VPN credentials:\r\nFigure(18): This method of string obfuscation is used almost everywhere in RedLine classes.\r\nThen, it uses decryption functions to decipher the wanted credentials:\r\nFigure(19): The CryptoHelper class is used for various decryption and encryption operations within RedLine.\r\nYet, for OpenVPN and ProtonVPN, RedLine uses the same old method of overriding the GetScanArgs() function, which is used internally in the Search() function in order to filter for the targeted files. Then, it exfiltrates the filtered files as ScannedFile instances which contain the VPN credentials.\r\nHarvesting Gaming Clients\r\nSteam is a video game digital distribution service by Valve. By 2019, the service had over 34,000 games with over 95 million monthly active users. Steam is regarded as one of the best gaming platforms in the industry. Steam has an in-built store with a lot of ‘Steam accounts’ having various other services and banking details related to it. RedLine attempts to go after the Steam Sentry File which is used to store credentials:\r\nFigure(20): RedLine overrides the GetScanArgs() function with defined search patterns, then exfiltrates the targeted files.\r\nA VDF file is a data file format used by Valve’s Source game engine. It contains various kinds of game metadata, including data for resources, installation scripts, configuration scripts, and visualization elements.\r\nStealing FTP Credentials\r\nA File Transfer Protocol client (FTP client) is a software utility that establishes a connection between a host computer and a remote server, typically an FTP server. 
An FTP client provides the dual-direction transfer of data and files between two computers over a TCP network or an Internet connection.\r\nFigure(21): RedLine checks the existence of two different paths to locate the targeted credentials.\r\nRedLine targets the free, open-source FileZilla application. RedLine uses the ScanCredentials() function to extract the required credentials and to populate them in the Account class, which will contain the URL + username + password.\r\nRemote Execution\r\nRedLine extends its functionality beyond information stealing. Here, RedLine takes the role of a malware loader. A malware loader is the software which drops the actual malicious content on the system, then executes the first stage of the attack. Hence, RedLine is capable of delivering some additional serious threats to the infected machine, like ransomware for example. After successfully performing the information stealing operations, RedLine uses the TryGetTasks() function to obtain a list of UpdateTask class instances, which contain the required arguments to successfully perform remote execution actions:\r\nFigure(22): The available remote actions aka update tasks.\r\nOnce a connection with its C\u0026C server has been established, RedLine can remotely perform the operations described in the above figure. Below are the inner details of the DownloadAndExecuteUpdate class which is used, as the name suggests, to download a PE file and execute it in the infected machine:\r\nFigure(23): The passed argument consists of the malicious URL + the filename.\r\nRedLine can be used effectively as a malware loader or dropper for further malicious activities. 
Moreover, it can be used to open desired links for various malicious or non-malicious purposes.\r\nConclusion\r\nRedLine is regarded as a true security threat to any machine. The capabilities of being able to steal almost every valuable asset, and being able to load additional serious malware or exploits, are regarded as most fatal. This threat has been sold as individual packages with several pricing options, or as Malware-as-a-Service (MaaS) on a subscription-based pricing package. With the rise of MaaS underground forums, RedLine threats will not fade away in the very near future. Therefore, it is a must to know how it works, how to detect it, and how to protect your organization.\r\nIoCs\r\nNo. | Description | Value\r\n1 | Initial packed file | 1d91ab82e01d7682deecbeef7b441f26e405c0053e0354e92fdb5cfe61b097b0\r\n2 | Unpacked RedLine | e9905446c858326e8f0fe12f6df777542180608381f1ccae4bda9a8356b04abc\r\n3 | RedLine C\u0026C server | 188.124.36.242:25802\r\nYARA Rule\r\nrule redline : infostealer\r\n{\r\n    meta:\r\n        description = \"This is a noob rule for detecting unpacked RedLine\"\r\n        author = \"Nidal Fikri @cyber_anubis\"\r\n    strings:\r\n        $mz = {4D 5A} // PE file\r\n        $s1 = \"IRemoteEndpoint\"\r\n        $s2 = \"ITaskProcessor\"\r\n        $s3 = \"ScannedFile\"\r\n        $s4 = \"ScanningArgs\"\r\n        $s5 = \"ScanResult\"\r\n        $s6 = \"DownloadAndExecuteUpdate\"\r\n        $s7 = \"OpenUpdate\"\r\n        $s8 = \"CommandLineUpdate\"\r\n        $s9 = \"TryCompleteTask\"\r\n        $s10 = \"TryGetTasks\"\r\n        $s11 = \"TryInitBrowsers\"\r\n        $s12 = \"InstalledBrowsers\"\r\n        $s13 = \"TryInitInstalledBrowsers\"\r\n        $s14 = \"TryInitInstalledSoftwares\"\r\n        $s15 = \"TryGetConnection\"\r\n    condition:\r\n        ($mz at 0) and (10 of ($s*))\r\n}\r\nReferences\r\nhttps://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer\r\nSource: 
https://cyber-anubis.github.io/malware%20analysis/redline/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyber-anubis.github.io/malware%20analysis/redline/"
	],
	"report_names": [
		"redline"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438991,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14fe73cf150441a3f21e67893c5157beda246bf3.pdf",
		"text": "https://archive.orkl.eu/14fe73cf150441a3f21e67893c5157beda246bf3.txt",
		"img": "https://archive.orkl.eu/14fe73cf150441a3f21e67893c5157beda246bf3.jpg"
	}
}