{
	"id": "82363ea5-23d6-4786-8466-39095558d736",
	"created_at": "2026-04-06T02:10:52.527925Z",
	"updated_at": "2026-04-10T03:37:08.879004Z",
	"deleted_at": null,
	"sha1_hash": "222a4212face1d4bd8bffc4cf8d1f38eb4a7da5b",
	"title": "Rising Stealer in Q1 2022: BlackGuard Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3061279,
	"plain_text": "Rising Stealer in Q1 2022: BlackGuard Stealer\r\nBy S2W\r\nPublished: 2022-05-24 · Archived: 2026-04-06 01:30:12 UTC\r\n8 min read\r\nApr 1, 2022\r\nAuthor: Jiho Kim | S2W TALON\r\nLast Modified : 2022.04.01.\r\nhttps://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5\r\nPage 1 of 22\r\n\r\nExecutive Summary\r\nBlackGuard Stealer, which collects and exfiltrates credentials and device information from infected PCs, first appeared when the official seller posted a promotion article on a dark web forum in January 2022.\r\nBlackGuard Stealer collects and exfiltrates not only credentials such as browser user data, local files, crypto wallets, VPN accounts, Steam accounts, Discord tokens, FileZilla data, and Telegram session data, but also device information such as OS version, system information, IPv4 address, country, and a screenshot of the infected PC.\r\nThe collected information is stored in a temporarily created folder. After collection, the folder is compressed into a *.zip file and exfiltrated through the Telegram API.\r\n
Introduction of BlackGuard Stealer\r\nBlackGuard is an info stealer written in C#. It is mostly distributed through malicious software disguised as a Windows Update file, a fake MS Office installer, computer cleaner software, etc.\r\nRecently, the info stealer has abused YouTube video descriptions by attaching a download link that delivers the stealer. In March 2022, a link to download a game hack program was posted in a YouTube video description, but when users downloaded and ran the software, 44Caliber Stealer was executed on the users’ PC.\r\nReference: https://asec.ahnlab.com/en/32499/\r\nYouTube link: https[:]//www[.]youtube[.]com/watch?v=YI8rJhQLsfg\r\nMalware download page: https[:]//anonfiles[.]com/J0b03cKexf\r\nBlackGuard Stealer, which is currently being distributed, is forked from 44Caliber Stealer. Both BlackGuard and 44Caliber use the same method to collect credentials and device information; both store them in a temporarily created folder and compress them into a *.zip file. But while BlackGuard uses Telegram’s sendDocument API, 44Caliber uses the Discord Webhook API to exfiltrate.\r\n
Timeline of BlackGuard Stealer\r\nSince it first appeared on the dark web forum in January 2022, BlackGuard Stealer has updated its builder and web panel. In particular, considering that the proportion of samples discovered since March 2022 is increasing, it can be seen that BlackGuard Stealer is currently active.\r\nThe most recent major update was on February 9, 2022. At that time, wallet extensions for Chrome, Edge, and Edge Beta were added, and the types of collected information became more diverse.\r\nBlackGuard Stealer on DDW\r\nA user with the nicknames “BlackGUARD07” and “blackteam007” posted a stealer promotion article on the Russian-language forums XSS and BHF in January 2022. BlackGuard Stealer has different prices and additional services depending on the period of use.\r\nBlackGuard Stealer’s Pricing Policy\r\n$200 (for a month)\r\n— Build cleaning for an additional payment of $50\r\n$700 (forever)\r\n— All updates for free\r\n— Build cleaning for free\r\nThe official seller contacts buyers through a Telegram channel and Jabber. Both are used only for sales and inquiries; announcements and update information are posted on the forums.\r\nBlackGuard Stealer Official Seller’s Contact\r\nTelegram: @blackwalter\r\nJabber: blackwalter1@01337.io\r\n
Malware analysis\r\n1. Sample Information\r\nFile Name: Soft.exe\r\nFile Type: PE32 executable .NET assembly\r\nFile Size: 1.18 MB\r\nCompiled Date: 2055-07-22 09:06:25\r\nMD5: eb6c563af372d1af92ac2b60438d076d\r\nSHA256: 67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71\r\n2. BlackGuard Stealer Execution Flow\r\n1. When the loader is executed, BlackGuard Stealer is dropped and executed.\r\n2. Help \u0026 Config Data are decoded and then used for collecting and exfiltrating credentials and device information.\r\n3. Anti-debugging: checks for the presence of dnSpy, a tool used for decompiling .NET assemblies, and whether the process is currently being debugged.\r\n4. Collects credentials and device information from the infected PC and stores them in the ChikenDir folder specified in Help Data.\r\n5. Compresses ChikenDir into a zip file.\r\n6. Exfiltrates the zip file through the Telegram API.\r\n
3. Decode Help \u0026 Config Data\r\nIn BlackGuard Stealer, the data used for collecting and exfiltrating credentials and device information is hard-coded. Help Data is used for collection and includes system directory paths, the ChikenDir folder path, and device information. Config Data is mainly used to exfiltrate the collected information through the Telegram API and includes the Telegram Bot Token, Chat ID, and keywords for collecting files. Most of the data inside these classes is base64-encoded and gzip-compressed.\r\n(*Help Data and Config Data are described in Appendix A.)\r\n4. Anti Debugging\r\nBefore BlackGuard collects credentials and device information, it uses anti-debugging methods. It detects the decompiler by checking whether the “dnSpy.xml” file exists, and uses “Sleep()” and “DateTime.Now.Ticks” to determine whether it is being debugged.\r\n5. Collect Credentials and Device Information\r\nBlackGuard Stealer collects browser user data, local files, crypto wallets, VPN, Steam, Discord, FileZilla, and Telegram data, system information, and a screenshot. Each time an item is collected, a count is kept separately for each type of information. The collected data stored in the ChikenDir folder is shown in the figure below.\r\nBrowsers Folder\r\nIn the Browsers folder, each browser’s user data is stored. A subfolder is created for each type of browser, and the collected user data is saved as *.txt files in each folder. Chrome and Edge browsers’ user data includes CC, Password, Cookie, History, Downloads, and AutoFill; Gecko-based browsers additionally collect logins.json, which contains login information, along with key3.db and key4.db.\r\n
After storing the collected user data in each browser’s folder, BlackGuard checks whether any of the following domains appear in the *.txt files and sends the result along with the exfiltrated data.\r\n[Domain Check List]\r\nbtc.com\r\nbitpapa.com\r\nblock.io\r\nblockchain.com\r\nwww.chase.com\r\nwww.wellsfargo.com\r\nwww.capitalone.com\r\nwww.bankofamerica.com\r\ngmail.com\r\npay.google.com\r\nfacebook.com\r\nnavyfederal.org\r\npaypal.com\r\n(*Target browser list is described in Appendix A.)\r\nFiles Folder\r\nBlackGuard browses the Desktop, MyDocuments, and USERPROFILE\\source paths to steal specific files. It copies files smaller than 2.5 MB with an extension such as *.txt, *.config, or *.rdp to the Files folder.\r\nWallets Folder\r\nIn the Wallets folder, BlackGuard creates a subfolder for each wallet type and copies the wallet.dat file.\r\n[Crypto Wallet List]\r\nArmory\r\nAtomicWallet\r\nBitcoinCore\r\nDashCore\r\nElectrum\r\nEthereum\r\nLitecoinCore\r\nXMRcoin (Monero)\r\nExodus\r\nZcash\r\nJaxx\r\nVPN Folder\r\nBlackGuard collects data from three types of VPN software: ProtonVPN, OpenVPN, and NordVPN. The files mainly collected by BlackGuard are user.config and the .ovpn file, which contains the private keys. In the case of NordVPN, only the username and password in the .ovpn file are copied and stored in accounts.txt.\r\n
Steam Folder\r\nBlackGuard first checks whether Steam is installed on the infected PC. If Steam is installed, it copies Steam-related information such as the names and metadata list of installed games, user account data, configuration data, ssfn files containing authorization information, and *.vdf files, which include resource data.\r\nDiscord Folder\r\nBlackGuard checks whether *.log and *.ldb files exist in the Discord-related directory list. If so, it copies the Discord token data from those files and the Discord Storage folder, and stores them in the Discord folder.\r\nFileZilla Folder\r\nTo collect FTP information, BlackGuard browses the FileZilla installation path and copies the host, port number, username, and password from recentservers.xml.\r\nTelegram Folder\r\nBlackGuard searches the installation path of the process whose name contains “Telegram” to collect Telegram session information. If it finds the path where the Telegram cache, user data, and the files named “usertag”, “settings”, and “key_data” are stored, it copies them to the Telegram folder.\r\nInformation.txt\r\nDevice information is stored in information.txt. It includes OS version, CPU architecture, malware file location, screen size, current date and time, HWID, IPv4 address, country, and malware execution time.\r\nScreenshot.png\r\nBlackGuard takes a screen capture of the current monitor according to the screen size and saves it as Screenshot.png.\r\nCategorizing the collected information by type\r\n
6. Exfiltrate Information\r\nCompress the folder into a *.zip file\r\nBlackGuard compresses the ChikenDir folder containing the collected information into a zip file and exfiltrates it to the Telegram C2 server. The name format of the zip file is [HWID]([Current Date]).zip\r\nTelegram Bot API\r\nBlackGuard builds the Telegram Bot URL to exfiltrate the zip file and sends it using the sendDocument API with the POST method. The data sent with it includes the number of collected items for each type, the list of target software found, and the list of detected target domains. The message body sent to the Telegram bot is shown below.\r\nTelegram Bot information used in this sample is as follows.\r\nusername: @Zeusdarknet_bot\r\nChat ID: 1068601339\r\nToken: 1068601339:AAGUm6n8fS0wwbMhDzm8XXbjUYb6Vb9-64Q\r\nConclusion\r\nBlackGuard Stealer has been active on dark web forums since it appeared in January 2022. Considering the type of information collected by BlackGuard and the recent status of its distribution, there is a possibility that it will develop into a high-impact info stealer like Redline, Vidar, Raccoon, and Ficker.\r\n
Appendix A: Configuration Data \u0026 Browser List\r\n[Help Data]\r\n[Config Data]\r\nBrowser List\r\ndotnetbrowser-chromium, Chrome, Opera Software, Opera Software GX Stable, Firefox, ChromePlus, Iridiu\r\nAppendix B: MITRE ATT\u0026CK MATRIX\r\nAppendix C: IoCs\r\nSample Hash\r\n5293c26f29b4af6bc2f3f74ae1ed93537e6c311a695cc0a6920a635c57383617\r\n67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71\r\n3c5a8e9820b549a70a353997bbce4fe16956dbab22dedde2f358f0f10930cf44\r\n216c960ac6ef399e7ff33b18c03777237ced76d59ce0f8bb4d5f9a22e85b3bd8\r\n352c936eaf45ffd2f99ba2a9e726eaa39af29d4c37a6ad5106849f07aa35896c\r\n3d3de136d6a22e6064a306452dab72dc70493b02f8f4a505f00bf3dc59e971d3\r\n52bd68ea60e7171ed2413cd5292b74ac9872928a1a723405fb73ad57419c5bc6\r\n7976a7aa5618c833edfebdbc29853c2f433ce1095a752a177deb76d7f68188be\r\n30023cfbcb45d75e461333e376fde3b053c33de84b88c64ef816c9f77e45b21f\r\n4f4d29507bafc223646d98f5fed78d52dd96caeee2072ff17b15718b45a1811f\r\n
ba2bc430c4661aab84cf7e8fedf2684e5fc106f7797af4553aef7490193b00a6\r\nd888dafb1f2ae06311d507e5d3dfa41c851df2175e8441255e2095c09a058d0a\r\n7f2542ed2768a8bd5f6054eaf3c5f75cb4f77c0c8e887e58b613cb43d9dd9c13\r\na00ef641b6163d787f2210d75eaf631ba1cb3a6f2d4a072226a885a056ee1c4d\r\nbbc8ac47d3051fbab328d4a8a4c1c8819707ac045ab6ac94b1997dac59be2ece\r\nb287dcb70b7a9ed7025171572a96f1447efa6adf88cd30aba591270052acfe8b\r\n0fc2a7d0dc1a3b0ec547deae8dc296a0b139f94f7f8609c91a8f04a8f939a3e9\r\n5b8d0e358948f885ad1e6fa854f637c1e30036bc217f2c7f2579a8782d472cda\r\n18db274624914ee6388bda20233db28307be4873bc053e05ad8f6761b217136f\r\n76b90299713b5d4ffd3c92b2cd66b3de68148c3133f927dfa385b075fd00d5b1\r\n62416ed5c114e347643b51879ee8a75e8a871ab7c02679402f99aaf697e9f9e8\r\nda5fdea2780ff2e36a3594283a24846c19953daf03063a875073deecc183c3ff\r\nc5c1a48c0062e113389988d4c70dbcc1a594da3b516dfe14185e622b9050b649\r\n918af1137f069eccc04220c280e13ed440a380aa0446cfa1d80b4e0ade6c3528\r\n15fc2939e2e67f1317f2e549b8214e83b8e1c493d94eeff2cf4a1cf58b94274f\r\n3f36af60743bfb923246e36bb860ff9021986c9e88c5a4176b67a4d0923125b8\r\nc1237d0e517abc7cd15bb55110196247b1f6ec397c28b8b2bdfba86dc5c8805f\r\n5ce632f1f10c96a7524bf384015c25681ef4771f09a6b86883a4da309d85452a\r\n26ebf8a0830652c9ea0de64dc0dca6d62caffc0aaa34abf43e7c410095c502ce\r\nd3b27ba36d01a6ed5492d662c20b38569b0019c29fe065e8f810b369fba76531\r\n4d66b5a09f4e500e7df0794552829c925a5728ad0acd9e68ec020e138abe80ac\r\nf2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d\r\n31c4edabd35f8a9d0695c96f21acd8787eec68b8028973470d64c4956d9f1cd1\r\nf47db48129530cf19f3c42f0c9f38ce1915f403469483661999dc2b19e12650b\r\nc98e24c174130bba4836e08d24170866aa7128d62d3e2b25f3bc8562fdc74a66\r\n3335f6aff82ff30e3aa29e0cb487be0252ab7b6cf7fcbb074c5642c1f0d7d0c0\r\n9fff9895c476bee0cba9d3e209e841873f1756d18c40afa1b364bd2d8446997c\r\nC2s\r\nhttps://api.telegram.org/bot1068601339:AAGUm6n8fS0wwbMhDzm8XXbjUYb6Vb9-64Q\r\nhttps://api.telegram.org/bot1840568117:AAGlvKQeSfXkObSE7__yYc5jM9o8qSrkFUw\r\nhttps://api.telegram.org/bot1822617155:AAF5DW4sJVsYGItkXWeX3elycmmu-6nOK8g\r\nhttps://api.telegram.org/bot1625195044:AAHK-2Z52Nk0cJXJ-G7Ad1kKnmzwMberIVU\r\nhttps://api.telegram.org/bot2113738307:AAEFFkU5zCHejtwoMag2cI5zpW4JKy8A5jI\r\nhttps://greenblguard.shop/\r\nhttps://blguard.shop/\r\nSource: https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5"
	],
	"report_names": [
		"rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441452,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/222a4212face1d4bd8bffc4cf8d1f38eb4a7da5b.pdf",
		"text": "https://archive.orkl.eu/222a4212face1d4bd8bffc4cf8d1f38eb4a7da5b.txt",
		"img": "https://archive.orkl.eu/222a4212face1d4bd8bffc4cf8d1f38eb4a7da5b.jpg"
	}
}