{
	"id": "e8ef3a6c-c52a-4eb3-9157-085db039a3f6",
	"created_at": "2026-04-06T00:12:23.521913Z",
	"updated_at": "2026-04-10T03:37:08.817609Z",
	"deleted_at": null,
	"sha1_hash": "1541fbfd67e4b64358e0f2321c378926411106d9",
	"title": "A Detailed Analysis of the RedLine Stealer - SecurityScorecard",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2753197,
	"plain_text": "A Detailed Analysis of the RedLine Stealer - SecurityScorecard\r\nArchived: 2026-04-05 13:37:27 UTC\r\nExecutive Summary: What is Redline Stealer?\r\nRedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc. The stealer implements the following actions that extend its functionality: Download, RunPE, DownloadAndEx, OpenLink, and Cmd. The extracted information is converted to the XML format and exfiltrated to the C2 server via SOAP messages.\r\nRedline Stealer Analysis and Findings\r\nSHA256: E3544F1A9707EC1CE083AFE0AE64F2EDE38A7D53FC6F98AAB917CA049BC63E69\r\nThe initial executable is disguised as a Netflix checker and is a dropper for the main payload. The malware extracts a resource that will be decrypted and saved in the %AppData% directory:\r\nFigure 1\r\nhttps://securityscorecard.com/research/detailed-analysis-redline-stealer\r\nPage 1 of 36\n\nFigure 2\r\nThe extracted resource is decrypted using the AES algorithm, with the key and IV being hard-coded in the executable:\r\nFigure 3\r\nThe decrypted payload is saved in a file called “winlogon.exe”. The RedLine stealer is spawned by the process:\r\nFigure 4\r\nThe malware is deobfuscated using the de4dot tool. The following modules reveal some hints about the stealer’s functionalities:\r\nFigure 5\r\nThe stealer communicates with the C2 server using SOAP messages. The following SOAP requests can be specified:\r\nFigure 6\r\nThe process stores data such as the antivirus products, a list of installed input languages, a list of installed programs, a list of running processes, and information about the processors and the graphics device in a class called ScanDetails, as highlighted below:\r\nFigure 7\r\nThe malware can locate and exfiltrate documents, CSV files, text files, and other types specified by the C2 server:\r\nFigure 8\r\nThe malicious process can enable or disable some functionalities based on the SOAP response. For example, if the ScanWallets field is set to false, the binary doesn’t scan the system for crypto wallets:\r\nFigure 9\r\nThe stealer stores the following data in a structure called ScanResult:\r\nAn ID that corresponds to the infected machine\r\nThe Release ID that is hard-coded in the binary\r\nThe machine name, which is in fact the username associated with the process\r\nThe OS version\r\nThe culture of the current input language\r\nFigure 10\r\nWhen communicating with the C2 server, the stealer creates a BasicHttpBinding object that uses HTTP as the transport for sending SOAP messages. Windows Communication Foundation (WCF) uses XmlDictionary instances when serializing and deserializing SOAP messages. A new XmlDictionaryReaderQuotas object that contains several quotas used by the XmlDictionaryReader class is created:\r\nFigure 11\r\nThe malicious binary creates a channel factory that will be used during the network communications by initializing a new instance of the ChannelFactory class:\r\nFigure 12\r\nThe C2 server “siyatermi.duckdns[.]org:17044” and the Release ID are hard-coded in the malware. Other versions of the RedLine stealer stored them in an encrypted form:\r\nFigure 13\r\nAn example of network communications with the C2 server was downloaded from the Any.Run sandbox and is displayed in figure 14. We can notice some IP addresses corresponding to VPNs or online sandboxes that the malware wants to avoid:\r\nFigure 14\r\nThe following image reveals the data exfiltration process performed by RedLine:\r\nFigure 15\r\nThe stealer creates a folder called “Yandex\\YaAddon” in the “AppData\\Local” directory:\r\nFigure 16\r\nThe file uses the BCryptOpenAlgorithmProvider API in order to load and initialize the AES CNG provider. The algorithm’s chaining mode is set to Galois/counter mode (GCM):\r\nFigure 17\r\nBCryptImportKey is utilized to import a symmetric key from a data BLOB:\r\nFigure 18\r\nThe process can decrypt a block of data by calling the BCryptDecrypt routine:\r\nFigure 19\r\nThe malware obtains information such as the public IP of the machine, the country, zip code, etc. by querying the following websites: https[:]//api.ip.sb/geoip, https[:]//api.ipify.org, or https[:]//ipinfo.io/ip. The WebClient.DownloadData method is used to download the resource:\r\nFigure 20\r\nRedLine stealer searches the filesystem for the following directories: “Windows”, “Program Files”, “Program Files (x86)”, and “Program Data”:\r\nFigure 21\r\nThe malware calls the GetDirectories and GetFiles methods in order to extract the targeted files. It creates a list that contains the full path of the files:\r\nFigure 22\r\nThe executable creates a unique temporary file by calling the GetTempFileName function. It copies a file to a new location using CopyFile:\r\nFigure 23\r\nThe process implements an XOR function between two objects. The result of the function is a string:\r\nFigure 24\r\nThe JavaScriptSerializer.Deserialize method is utilized to convert the JSON string to an object of type T:\r\nFigure 25\r\nThe ShowWindow function is used to hide the current window (0x0 = SW_HIDE):\r\nFigure 26\r\n4 Types of Redline Stealer Information Stealing\r\nBrowsers\r\nThe stealer targets Chromium-based browsers (for example, Chrome and Opera) and Gecko-based browsers (for example, Mozilla Firefox). The process is looking for the Opera GX browser in the following directories:\r\nFigure 27\r\nThe malware specifies new browser paths in the ScanChromeBrowsersPaths and ScanGeckoBrowsersPaths node values from the SOAP response. The binary searches the file system for the following SQLite databases:\r\nFigure 28\r\nThe original_url, username_value, and password_value values are extracted from the logins table found in the “Login Data” database. These values are used in account.URL, account.Username, and account.Password, respectively:\r\nFigure 29\r\nThe host_key, path, is_secure, expires_utc, name, and encrypted_value values are extracted from the Cookies file:\r\nFigure 30\r\nThe value and name entries from the autofill table found in the “Web Data” database are retrieved by the malware:\r\nFigure 31\r\nThe card_number_encrypted, name_on_card, expiration_month, and expiration_year values from the credit_cards table found in the “Web Data” database are retrieved by the process:\r\nFigure 32\r\nAfter gathering all the data, the process creates a scannedBrowser object that contains the browser name and profile and the information extracted above:\r\nFigure 33\r\nRedLine stealer obfuscates some strings by adding extra letters. It tries to locate the cookies.sqlite database in the “AppData\\Roaming” directory:\r\nFigure 34\r\nThe host, path, isSecure, expiry, name, and value entries are extracted from the moz_cookies table found in the cookies.sqlite file:\r\nFigure 35\r\nCryptocurrency Wallets\r\nThe stealer targets the following wallets, which are browser extensions: YoroiWallet, Tronlink, NiftyWallet, Metamask, MathWallet, Coinbase, BinanceChain, BraveWallet, GuardaWallet, EqualWallet, JaxxxLiberty, BitAppWallet, iWallet, Wombat, AtomicWallet, MewCx, GuildWallet, SaturnWallet, and RoninWallet (see figure 36).\r\nFigure 36\r\nThe first target is Armory, which stores the wallet in the “%AppData%\\Armory” directory (“Recoursive” [sic]):\r\nFigure 37\r\nAtomic Wallet stores its files in the “%AppData%\\atomic” folder:\r\nFigure 38\r\nThe malware also targets the Exodus wallet, as shown in figure 39:\r\nFigure 39\r\nThe binary searches for the “com.liberty.jaxx” directory that corresponds to the Jaxx Liberty wallet:\r\nFigure 40\r\nGuarda Wallet stores its files in the “%AppData%\\Guarda” directory:\r\nFigure 41\r\nThe binary is looking for files corresponding to the Coinomi wallet as well:\r\nFigure 42\r\nRedLine stealer uses the GetFolderPath function in order to find the “%AppData%\\Electrum\\wallets” folder:\r\nFigure 43\r\nThe malicious process tries to identify a folder that corresponds to an Ethereum wallet:\r\nFigure 44\r\nThere is also a generic search that is looking for a file called “wallet.dat” or “wallet” in the “%AppData%” directory:\r\nFigure 45\r\nThe GetLogicalDrives method is utilized to retrieve the names of the logical drives on the local computer. The stealer can specify additional files/extensions that should be located in the “%DSK_23%” field:\r\nFigure 46\r\nDifferent applications\r\nThe stealer extracts the Discord tokens and chat logs from the “.log” and “.ldb” files:\r\nFigure 47\r\nThe malicious process opens the “FileZilla\\recentservers.xml” file:\r\nFigure 48\r\nThe binary creates an XmlTextReader object and then an XmlDocument object. It loads the XML file opened above and constructs a list of accounts:\r\nFigure 49\r\nThe malware extracts the following fields from the XML file: Host, User, Pass, and Port. These values are used to populate account.Username, account.Password, and account.URL:\r\nFigure 50\r\nRedLine stealer extracts the Steam client path from the “SteamPath” registry value:\r\nFigure 51\r\nThe SSFN and VDF files are targeted for exfiltration by the stealer:\r\nFigure 52\r\nThe process is looking for the folder that contains the Telegram application. The session data, including images and conversations, is stored in the “tdata” directory:\r\nFigure 53\r\nThe executable also looks for the “Telegram Desktop\\tdata” directory on the machine:\r\nFigure 54\r\nVPN software\r\nRedLine stealer searches the filesystem for the “%USERPROFILE%\\AppData\\Local\\NordVPN” directory, which corresponds to the NordVPN software:\r\nFigure 55\r\nThe credentials stored in the “user.config” file are extracted by the malware, as highlighted in the figure below:\r\nFigure 56\r\nThe credentials are decoded from Base64 and then stored in Account.Username and Account.Password:\r\nFigure 57\r\nThe malicious executable steals the OpenVPN config file found at “%AppData%\\OpenVPN Connect\\profiles”:\r\nFigure 58\r\nThe process tries to locate and exfiltrate the Proton VPN configuration files as well:\r\nFigure 59\r\nHost information\r\nThe binary extracts the processor name and the number of cores by running the following WMI query:\r\nFigure 60\r\nThe name of the video controller and the memory size are retrieved via another WMI query:\r\nFigure 61\r\nThe malware obtains a list of antivirus/antispyware products and third-party firewalls:\r\nFigure 62\r\nThe OpenSubKey method is utilized to open the “SOFTWARE\\Clients\\StartMenuInternet” registry key. The name of a browser is obtained via a function call to GetValue, and then the path is read from the “shell\\open\\command” registry key:\r\nFigure 63\r\nThe malicious process extracts the serial number of the physical disk drives:\r\nFigure 64\r\nThe list of running processes is retrieved by running the “SELECT * FROM Win32_Process” query. The malware creates a list that contains the session ID of the current process, the process ID and the name of a process extracted from the query, and the command line:\r\nFigure 65\r\nAnother similar function is used to obtain a list of running processes’ names and the paths to their executable files:\r\nFigure 66\r\nOpenSubKey is utilized to open the “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall” registry key, which contains the installed programs. The purpose is to extract the program name and version:\r\nFigure 67\r\nRedLine stealer gets a list of all installed input languages:\r\nFigure 68\r\nThe total amount of physical memory available to the OS is retrieved by running the “SELECT * FROM Win32_OperatingSystem” WMI query:\r\nFigure 69\r\nThe binary extracts the Windows product name and the processor architecture:\r\nFigure 70\r\nThe process computes an MD5 hash by creating an MD5CryptoServiceProvider object and then calling the ComputeHash method:\r\nFigure 71\r\nThe stealer computes the MD5 hash of a concatenation of the network domain name, the username, and the serial number extracted before. It is used as the machine ID and will appear in the network traffic:\r\nFigure 72\r\nThe executable location is retrieved from the “Assembly.GetExecutingAssembly.Location” property:\r\nFigure 73\r\nThe malicious binary retrieves the input language for the current thread, the current time zone name, and the OS version. The extracted values are stored in a ScanResult structure:\r\nFigure 74\r\nFigure 75\r\nThe ScanResult.MachineName value is set to the username extracted from the Environment.UserName property:\r\nFigure 76\r\nThe malware creates a new Graphics object from the current user session’s desktop using the Graphics.FromHwnd method. It retrieves the vertical height of the screen in pixels and the vertical height of the entire desktop in pixels using GetDeviceCaps (10 = VERTRES, 117 = DESKTOPVERTRES):\r\nFigure 77\r\nThe executable creates a rectangle representing the bounds of the primary screen:\r\nFigure 78\r\nThe Graphics.CopyFromScreen method is utilized to make a capture of the screen:\r\nFigure 79\r\nThe resulting image is saved to a memory stream in the PNG format (see figure 80). The buffer containing the screenshot is encoded using Base64 and exfiltrated in the Monitor entry of the network traffic.\r\nFigure 80\r\nRemote Task Actions\r\nThe following actions are implemented by the stealer:\r\nFigure 81\r\nThe C2 server can specify an entry such as “\u003cURL\u003e|\u003cPathOfFile\u003e” in the network traffic. An additional file can be downloaded from the URL by calling the WebClient.DownloadData method and then saved in the file path mentioned above:\r\nFigure 82\r\nFigure 83\r\nThere is a second similar action called “DownloadAndEx”. The difference is that the new file is executed by calling the Process.Start function:\r\nFigure 84\r\nFigure 85\r\nRedLine stealer can specify a command that is executed by the CMD.exe process. In this case, no window is created:\r\nFigure 86\r\nThe malicious process can open a specific URL by calling the Process.Start method:\r\nFigure 87\r\nIndicators of Compromise\r\nSHA256: E3544F1A9707EC1CE083AFE0AE64F2EDE38A7D53FC6F98AAB917CA049BC63E69\r\nDirectory created: %LocalApplicationData%\\Yandex\\YaAddon\r\nProcess spawned: %AppData%\\winlogon.exe\r\nC2 server: siyatermi.duckdns[.]org:17044\r\nSource: https://securityscorecard.com/research/detailed-analysis-redline-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityscorecard.com/research/detailed-analysis-redline-stealer"
	],
	"report_names": [
		"detailed-analysis-redline-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434343,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1541fbfd67e4b64358e0f2321c378926411106d9.pdf",
		"text": "https://archive.orkl.eu/1541fbfd67e4b64358e0f2321c378926411106d9.txt",
		"img": "https://archive.orkl.eu/1541fbfd67e4b64358e0f2321c378926411106d9.jpg"
	}
}