{
	"id": "d4e731f7-4817-41a7-80a0-278a9a0a7bd6",
	"created_at": "2026-04-06T00:17:32.775128Z",
	"updated_at": "2026-04-10T13:11:55.82072Z",
	"deleted_at": null,
	"sha1_hash": "26299bad048d344bad9c0355690d8dc34cf797b2",
	"title": "MassLogger - Frankenstein's Creation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2509448,
	"plain_text": "MassLogger - Frankenstein's Creation\r\nArchived: 2026-04-05 19:32:57 UTC\r\nAn in-depth look into a new piece of malware named MassLogger. We’ll look at what functions it has and how they’re achieved, while also describing its control flow and source code.\r\nForeword\r\nI am back with another malware analysis post. I apologise for the time in between posts; I have been busy working on my threat tracker (threatshare). This post took some time to put together, and I would like to say a huge shoutout to Casperinous for his time and effort helping me find the correct samples and aiding in the analysis of this piece of malware, and a huge thank you to Steve Ragan (twitter) who edited and reviewed this post!\r\nOverview\r\nhttps://fr3d.hk/blog/masslogger-frankenstein-s-creation\r\nPage 1 of 22\n\nIn the space of commercial malware we see a lot of names coming and going. One of the recent pieces of malware that has popped up is MassLogger. MassLogger has been created by an actor named NYANxCAT who is very active in the underground community. This actor has published a lot of malicious code under the guise of \"educational\" purposes to GitHub. But now this veil of education has fallen away, and NYANxCAT is selling their malware on some entry-level hacking forums. Here's the thread (link). Here are a few excerpts from their main thread.\r\nFunctionality\r\nWe see the actor advertising plenty of functionality along with the programs MassLogger can steal from and how the malware will attempt to avoid various analysis methods.\r\nTOS\r\nThere is also the inclusion of a classic TOS that the author thinks will cover themself if they get into trouble (it won't), along with making sure that no one can get refunds or \"trash\" their \"sales thread\". 
The beginning price of MassLogger is $30 for 3 months of use, along with the option of $50 for lifetime use. When MassLogger is purchased, the author will provide a builder for use. They have posted a promotional video which I have re-uploaded so as to not give the creator any potential advertisement.\r\nTake note of the options available in the builder, as I will be referencing how this functions, and how the malware determines what functionality it should use.\r\nMassLogger\r\nMassLogger is written in .NET, which uses managed code. I can reverse the sample with relative ease and get a close-to-source-code representation of the binary. But like any malware, the creator has used packers and other tools to try to obfuscate their code. So it helps that the creator is a big fan of sharing his code on sites like GitHub. To achieve some of the functionality in MassLogger, the creator has copied and pasted his code from GitHub and Frankensteined it together to create MassLogger. Because of this, we can use the code he has publicly shared to get an idea of what things looked like before compilation.\r\nThanks to Casperinous I was also able to get a sample of MassLogger that didn't have as much obfuscation as other samples. This sample is what I’ll be using for my analysis of the final MassLogger payload. Looking at the comparison, it was still somewhat obfuscated. Here is the before and after of the sample once de4dot was used on it.\r\nde4dot before \u0026 after\r\nOnce I had used de4dot on the binary I then began to go through the sample and rename methods, functions and classes until the names painted a picture of what was going on within the sample. Let's take a look at the main function; we can see that the creator has used some techniques to make it harder to follow the control flow of the program. Here's what the first few lines of main look like. 
\r\nMain\r\nThe sample makes use of goto statements to jump around the program, making it harder to trace. The developer also creates wrappers for function calls so that you have to take one extra step to get to the desired function. There are other techniques used to make the reversal harder, but I will cover them later in this article. In the image above, you’ll notice that once we enter the for loop, the program will then call InitializeSettings. This function will decrypt the malware's configuration. The configuration is used to determine what functionality is used, along with other important information. Here is a list (link) of the functionality I have discovered.\r\nConfig Decryption\r\nMassLogger determines its functionality through an internal config that returns values according to the functionality selected in the building stage. Because the creator does not want you to be able to easily extract the config, he has used some methods to encrypt the config and then decrypt it during runtime. Looking at the config section in dnSpy, we see that there are a lot of strings which appear to be base64 encoded.\r\nEncrypted config strings\r\nHere is a full list of all the config variable names (link). MassLogger initializes a bunch of empty strings that will then be populated by the config decrypt function.\r\nEmpty config strings\r\nThe decryption function, which I have named InitializeSettings, looks like this. We can see that it initially gets the key and then uses it to create an AES object for decryption.\r\nInitialize settings\r\nHere we can see an important function named AESGetString. This function is used to decrypt all config strings. After this function is used to decrypt the sample version, another function named AESDecrypt is used. AESDecrypt is a wrapper to call AESGetString with the provided AES object. 
Let's take a look at AESGetString as it seems to be what is handling the decryption of the config strings.\r\nAESGetString\r\nOn the right hand side of the parameters provided to the GetString function, we can see that initially the config string is Base64 decoded and then passed into a decrypt function. Because AES uses a key to be able to decrypt its config, I have set a breakpoint at the return of a string from the Decrypt function. This will allow me to inspect the AES object, which will contain the decryption key that was being created at the start of InitializeSettings.\r\nDecrypt key\r\nWithin the AES object the key is a byte variable named _key; this variable contains what we are looking for. The IV is also generated each time the decrypt function is called, and using these two pieces of information I have then created a simple config decryption script in CyberChef (link).\r\nCyberChef recipe\r\nHere is a link to the recipe which can be used to decrypt the config of this version of MassLogger. Now that I have a recipe to decrypt the MassLogger config strings, let's try and use it to decrypt the version of this sample.\r\nDecrypted version\r\nAlong with the version, I can also determine other parts of the config. I can see what functionality the builder has enabled/disabled, along with credentials used for SMTP/FTP exfiltration. Luckily, checking some of the config strings, we can see that anti-debug and anti-VM are disabled, which will reduce a lot of hassle trying to reverse and debug the sample.\r\nWindows Defender Exclusion\r\nOnce the config has been decrypted, the malware then grabs some information about the PC and creates its mutex. 
After this, if the Windows Defender exclusion functionality is enabled in the config and the malware is running as admin, then the malware will attempt to add itself to Windows Defender's exclusions.\r\nWindows Defender Exclusion Checks\r\nMost of the functions in MassLogger will document in the log file whether they're enabled, along with any necessary environment options required for the functionality to succeed. If you look at the above image, on the second line you'll see that MassLogger has some dynamic settings that are set during runtime. One of these is the MainDirectory variable, which will be set to the directory containing the running malware. If the checks fail, then it's logged and the function returns. If the checks succeed then MassLogger will add itself to exclusions.\r\nExclusion\r\nA new object is created named PSProcessStart. This is an object that will start a PowerShell process according to the provided variables. After this there's a call to CombineObjects to combine the provided strings. To add an exclusion to Windows Defender through PowerShell, you must make use of the Add-MpPreference cmdlet. This cmdlet allows you to add preferences to Windows Defender, one of these being ExclusionPath, which will exclude the given path from Windows Defender scans. Once this exclusion has been successfully added, the success is logged and the function returns.\r\nAntis\r\nMassLogger uses a few techniques to hide and interrupt analysis. These range from anti-VM to anti-debug and anti-Sandboxie.\r\nLet's first take a look at the anti-debugger; this is the flow that will be used if the setting is enabled.\r\nAnti-Debugger\r\nWe will arrive at IL_94 if the anti-debugger setting is enabled. Then there is an if statement that calls a function I have named DebuggerPresent. 
If this function returns true, then the program goes to IL_9C, which as you can see above will make the malware exit and self-destruct. Taking a look into DebuggerPresent we can see a simple call.\r\nCheck Remote Debugger Present\r\nMassLogger has imported CheckRemoteDebuggerPresent from kernel32.dll and used it with parameters of a handle to the currently running process and a reference to an empty boolean. The flag is then returned and the result of the API call is used in the previously mentioned if statement. This check is going to exit the process if a debugger is present. Although in theory this may work against someone new to debugging and reversing malware, in practice this function can just be removed, so I didn't have to actually deal with it trying to hinder my analysis.\r\nAntiVM\r\nIn the image above you can see that AntiVM is called within an if statement. The result of the function will either cause us to go to IL_1D or IL_D6. IL_D6 calls the ExitSelfDestruct function to exit the program and IL_1D will continue with the flow of the program. Let's take a look at some of the methodology of the AntiVM.\r\nDetect Virtual Machine\r\nThis is the original code from the creator's GitHub. It utilises the ManagementObjectSearcher class to be able to query information about the PC through WMI. It selects everything from Win32_ComputerSystem and then iterates through the retrieved items. For each item, it checks the manufacturer and converts it to a lowercase string. This string is then compared to \"microsoft corporation\". Models are also queried to see if they contain \"VIRTUAL\". After these two checks there are two more checks: if the manufacturer contains the \"vmware\" string and if the model string is equal to \"VirtualBox\". These checks will determine whether the sample is running within either VMware or VirtualBox environments. 
If this function returns true within the malware then the program will exit and delete itself.\r\nDetect Sandboxie\r\nThis check is called and if the result is true then the program will self-destruct like it does with the other VM checks. The chosen methodology of checking if Sandboxie is running is to try to get a module handle for a DLL that runs within Sandboxie. If this fails (returns 0) then the function will return false, indicating that the program is not running within Sandboxie.\r\nUSB Spread\r\nThe author of MassLogger has tried to pack in as much functionality as possible. One of these functions is to spread via connected USB. This is an old technique, but may prove to be quite effective given the right victim.\r\nThis functionality is again enabled within the builder. The malware will check whether the functionality has been enabled and if so it'll jump into the first method within the USB spreader class. Again looking at the creator's GitHub page we can get the original code. The first thing the function does is run the Initialize function. Within the Initialize function it calls ExplorerOptions.\r\nExplorer Options\r\nThis function makes sure that Explorer doesn't display extensions, hidden folders or files. Once these settings are confirmed it'll go on to look through the attached drives, checking whether they are a removable USB.\r\nUSB Spread\r\nOnce it finds a removable USB, it'll search its directory checking if the work directory exists; if not then it'll create this directory with the hidden attribute set. It will then check if within this work directory another directory exists that'll contain all of the icons used for spreading. If the directory doesn't exist it'll create it. Again it will check if the malware exists within this work directory; if not it will copy itself into the work directory. 
Lastly it then checks whether the payload is within the directory; if not it'll drop the payload into the directory. Let's take a look at the payload.\r\nUSB Spread Payload\r\nThis payload is what we commonly refer to in malware as a binder: it will run the original file and the malware, making it seem as though the program runs what the user expects, with the malware hidden in the background. Once this is done the spreader will begin to infect all the files within the USB.\r\nInfect Files\r\nThe function recursively iterates through all of the files on the USB, checking whether they have been infected. If not, then the file will have its icon extracted to the icons directory within the hidden work folder on the USB. The malware then moves the file into the hidden work directory and compiles a replacement that uses the same icon as the original file, along with commands to open the original file from within the work directory whilst also running the payload. This means that all the files will be replaced on the USB with infected versions that will then be run if the infected user shares the USB with anyone.\r\nPersistence\r\nMassLogger offers the user the ability to maintain persistence on the infected machine. This is achieved by making sure that the malware runs on boot. Looking in the malware for this, there is a class dedicated to it that is only called if the functionality is enabled within the config. The first thing it does is get the folder that the malware is going to be copied to. Stereotypically this is within AppData.\r\nInstall Folder\r\nIt'll then get the executable path and check whether the install path matches the current running program's path. If they do not match then we get all running processes. 
It iterates through each process, checking if the process's file name matches the current running process. If so then it'll kill the running process. After this the malware checks if the program is running as admin; if it isn't then it'll use the following to open a registry key.\r\nOpen Sub Key\r\nReversing the used string we get: \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\". This is the key used to determine what files are run at startup. MassLogger sets the registry key to the location of the copied file in AppData.\r\nSet Registry Key\r\nOnce this has been done MassLogger will read all bytes of the original file and then write them to the install folder found within the config. A setting is then checked to see whether MassLogger should delete the zone identifier for the newly written binary in AppData, which will make forensics on the file slightly more difficult.\r\nMassLogger then creates a path for a batch file within AppData; here is the path it generated for me: \"C:\\Users\\admin\\AppData\\Local\\Temp\\tmpD8A7.tmp.bat\". A stream writer is then created for the generated file and the following is written to it.\r\nBatch Script\r\n@echo off is just an indicator to not output the used commands, then the script waits 3 seconds by using the timeout command. Once this has been done we see the START command being used to run the newly copied file in AppData. The batch script then CDs into the directory containing the batch script and deletes itself. The batch script is then run by the malware with a hidden window; once this has been done the malware will exit. 
\r\nDownload \u0026 Execute\r\nMassLogger first initialises some settings for the function.\r\nDownloader Settings\r\nOnce these have been set MassLogger will go on to check if the downloader setting has been enabled, along with if the DownloaderOnce setting is enabled. MassLogger doesn't use a recurring call to a C2 to get the file to download, and instead will ask for a URL upon building. The malware checks the location where it would download a file to; if a file doesn't exist, it'll create an HTTP GET request to the download link found in the config.\r\nIf the download fails, then this'll be logged and the function will return. If not, then the malware will get the response from the request and copy it to a memory stream. This memory stream is then written to a file stream which is located in the download path from the config.\r\nOnce this has been accomplished MassLogger proceeds to create a VB script within the temp folder and begins writing to it.\r\nDownloader VB Script\r\nThis script will run the downloaded file and then delete itself. The malware creates a process to run this script and then logs that it has successfully run the downloaded file.\r\nKeylogger\r\nMassLogger's main feature is its keylogger. We begin with the usual check to see if the keylogger has been enabled, and if it has, we then jump into an endless for loop. The keylogger uses a string builder to log any key presses. Thanks to the very generous creator of this malware we can simply check his GitHub to find the full source of the keylogger. The first important thing the keylogger does is create a low-level keyboard hook procedure. This is set to HookCallback. 
This function will take key presses and translate them into strings that can be written to the string builder.\r\nHook Callback\r\nWithin HookCallback we see a few checks and then some flags set according to whether the caps lock or shift button are pressed on the keyboard. The current key is mapped from another function and checked to see if it should be logged as a special key, e.g. the enter key, or if it should be uppercase because of caps lock or the shift button being used. Before the key is written to the log the malware will get the current window title and log it if it has changed.\r\nSet Hook\r\nThe author chooses to use a very common method of implementing a keylogger by calling the Windows API SetWindowsHookEx with WH_KEYBOARD_LL, which will get low-level keyboard events. The handle is then passed to the current process.\r\nBot Killer\r\nIf the infected user has managed to install malware once, then it is likely that they have infected themselves multiple times. The author of MassLogger knows this, and doesn't want his malware to be sharing an infected system with other malware. He has included a \"BotKiller\", which is a piece of code that will look for and remove malware. This functionality is usually uncommon due to most competing malware having reasonably good methods of hiding themselves. Again this functionality is optional, and if enabled then the function will be run. Let's take a look again at the creator's GitHub where he has pasted the source code for their \"BotKiller\".\r\nRun Botkiller\r\nThe main function is RunBotkiller, which will go through all running processes and then call the Inspection function on them.\r\nInspection\r\nFirst the inspection function checks whether the inspected file is itself. 
Then the file directory is compared to the application data and user profile directories; if the file is within these directories then it is labeled as a threat. Next the filename is compared to wscript.exe, which is used to run VB scripts. Lastly the location of the file is again compared with another folder, and if the file's location begins with this directory then it is labeled a threat. This method of detecting possible threats is very problematic and I'm sure will cause false positives. If the file has been labeled a threat by Inspection, it will be checked to see whether its window is visible. If not then RemoveFile will be called, which will kill the process, remove it from startup in the registry and then delete the file off disk.\r\nPassword Recovery\r\nMassLogger supports many programs that it can steal credentials from. I'll concentrate on the more commonly used programs, as the author has implemented the same methodology of retrieving credentials for multiple programs. The first program MassLogger attempts to steal from is Telegram. MassLogger starts by getting the following directory: \"C:\\Users\\admin\\AppData\\Roaming\\Telegram Desktop\\tdata\" and checking if it exists. If it does exist then the malware will begin to zip the files within this directory and write the following to the log:\r\n\"Usage: Download 'Telegram Desktop' and unzip all files in 'Telegram.zip' to AppData\\\\Roaming\\\\Telegram Desktop\\\\tdata\"\r\nNext up is Pidgin; it begins by checking if the stealer setting is enabled. Like Telegram, the malware gets the following file: \"C:\\Users\\admin\\AppData\\Roaming\\.purple\\accounts.xml\" and checks if it exists. If the file does exist, it is read using an XML node and the contents are written to the log.\r\nOnce Pidgin has been stolen from, MassLogger will then go after FileZilla. 
Like the previous programs, the malware will get the following files: \"C:\\Users\\admin\\AppData\\Roaming\\FileZilla\\recentservers.xml\" and \"C:\\Users\\admin\\AppData\\Roaming\\FileZilla\\sitemanager.xml\". Once these have been checked to exist, the function will once again use an XML node to iterate through them and write the credentials into the log.\r\nDiscord is the next target of the malware; the creator has the code for this function on his GitHub so I'll look there to reverse it.\r\nDiscord File Search\r\nWe first see the SearchForFile function being used to find a LevelDB file that Discord uses to store credentials. It does this by getting the directory location for the local storage of Discord. It checks if this directory exists and then will iterate through each of the files that have an .ldb file extension. Reading these, it will check if they contain the \"oken\" string to determine if it is the correct file. Once the correct file has been found then a regex will be used to extract the token from the file, and this will be logged.\r\nNordVPN is then targeted by MassLogger. This is done by getting the following directory: \"C:\\Users\\admin\\AppData\\Roaming\\NordVPN\"; the user.config within it is read as XML and the credentials are written into the log.\r\nMassLogger will now proceed to attempt to extract credentials from Outlook. It does this by first initialising an array of registry locations.\r\nOutlook Array\r\nWe then see another array with the following.\r\nMassLogger will then go through the registry locations looking for keys. It will then proceed to use the array of strings to look through each key with regex, searching for passwords which will then be logged. 
\r\nThe malware will also go after browsers; the first one it targets is Firefox. It will begin by getting the following directory: \"C:\\Users\\admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\", then checking if it exists. Once this has been done the malware will use signons.sqlite and grab any stored credentials, decrypting them with DES. The same is done for all Chromium browsers.\r\nChromium Browsers\r\nThe login data storage location is found and opened. MassLogger will then query credentials and other information from these databases and use BCrypt to decrypt them.\r\nExfiltration\r\nMassLogger has many methods of getting the stolen information to the actor using the malware. Currently MassLogger uses 3 methods: FTP, SMTP \u0026 HTTP. The first two are somewhat simple, where credentials for the chosen method will be stored in the config and then used to send an email or upload the zip to the receiver. HTTP is more interesting because the author has created a PHP control panel to receive logs from the malware. Here is what the corresponding panel for this version looks like.\r\nLogin\r\nMain\r\nThe control panel will receive zips uploaded by the malware and allow you to view the log and download all the contents. Information about an infected machine is placed in the zip filename in the following format:\r\nuser_country_hwid_date_extra.zip\r\nEpilogue\r\nIf you're reading this I'd like to begin by thanking you for making it to the end. I hope you enjoyed this writeup, and got some useful information out of it. I am very proud of this post and hope to take more in-depth looks into malware in the future. 
Since the writing of this post MassLogger has had some small updates along with a new control panel. The analysis in this post still applies and I may update this post if there are any larger updates to cover. Until the next one, thank you!\r\nIOC\r\n584491098F9A72F404DE3354290806BE\r\nsales@bhavnatutor.com\r\nSource: https://fr3d.hk/blog/masslogger-frankenstein-s-creation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://fr3d.hk/blog/masslogger-frankenstein-s-creation"
	],
	"report_names": [
		"masslogger-frankenstein-s-creation"
	],
	"threat_actors": [
		{
			"id": "a7d4fe31-d92f-425a-ba8c-c70219f52fb8",
			"created_at": "2022-10-25T15:50:23.466009Z",
			"updated_at": "2026-04-10T02:00:05.250808Z",
			"deleted_at": null,
			"main_name": "Frankenstein",
			"aliases": [
				"Frankenstein"
			],
			"source_name": "MITRE:Frankenstein",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26299bad048d344bad9c0355690d8dc34cf797b2.pdf",
		"text": "https://archive.orkl.eu/26299bad048d344bad9c0355690d8dc34cf797b2.txt",
		"img": "https://archive.orkl.eu/26299bad048d344bad9c0355690d8dc34cf797b2.jpg"
	}
}