{ "id": "a6f4cd36-421f-4034-965e-842bb73bf9ce", "created_at": "2026-04-06T00:20:01.667355Z", "updated_at": "2026-04-10T03:32:22.185049Z", "deleted_at": null, "sha1_hash": "18fabb1bb3c5b08c12e61d1e7b4a2f3f382d0eaf", "title": "DOSTEALER (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 37967, "plain_text": "DOSTEALER (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:51:00 UTC\r\nwin.dostealer (Back to overview)\r\nDOSTEALER\r\nAccording to Mandiant, DOSTEALER is a dataminer that mines browser login and cookie data. It is also capable\r\nof taking screenshots and logging keystrokes.\r\nReferences\r\n2022-12-12 ⋅ SOCRadar ⋅ SOCRadar\r\nDark Web Profile: APT42 – Iranian Cyber Espionage Group\r\nPINEFLOWER VINETHORN VBREVSHELL BROKEYOLK CHAIRSMACK DOSTEALER GHAMBAR\r\nSILENTUPLOADER TAG-56\r\n2022-09-07 ⋅ Mandiant ⋅ Mandiant Intelligence\r\nAPT42: Crooked Charms, Cons and Compromises\r\nPINEFLOWER VINETHORN VBREVSHELL BROKEYOLK DOSTEALER GHAMBAR\r\nSILENTUPLOADER\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.dostealer\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dostealer\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dostealer" ], "report_names": [ "win.dostealer" ], "threat_actors": [ { "id": "1d2ac189-a99e-4e16-84c0-e06df96e688c", "created_at": "2023-11-14T02:00:07.086528Z", "updated_at": "2026-04-10T02:00:03.446956Z", "deleted_at": null, "main_name": "TAG-56", "aliases": [], "source_name": "MISPGALAXY:TAG-56", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1", "created_at": "2023-03-04T02:01:54.091301Z", "updated_at": "2026-04-10T02:00:03.356317Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "UNC788", "CALANQUE" ], "source_name": "MISPGALAXY:APT42", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8", "created_at": "2025-04-23T02:00:55.275208Z", "updated_at": "2026-04-10T02:00:05.270553Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "APT42" ], "source_name": "MITRE:APT42", "tools": [ "NICECURL", "TAMECAT" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434801, "ts_updated_at": 1775791942, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/18fabb1bb3c5b08c12e61d1e7b4a2f3f382d0eaf.pdf", "text": "https://archive.orkl.eu/18fabb1bb3c5b08c12e61d1e7b4a2f3f382d0eaf.txt", "img": "https://archive.orkl.eu/18fabb1bb3c5b08c12e61d1e7b4a2f3f382d0eaf.jpg" } }