{
	"id": "06e9fd6e-de66-40d1-ade0-a4bb871a84d4",
	"created_at": "2026-04-06T00:15:15.474646Z",
	"updated_at": "2026-04-10T03:36:48.128467Z",
	"deleted_at": null,
	"sha1_hash": "2671c81a0abcba09a92bbed1eedb58daf4159c80",
	"title": "Stealth in Layers: Unmasking the Loader used in Targeted Email Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2256910,
	"plain_text": "Stealth in Layers: Unmasking the Loader used in Targeted Email\r\nCampaigns\r\nBy rohansinhacyblecom\r\nPublished: 2025-12-19 · Archived: 2026-04-05 21:14:57 UTC\r\nCRIL has identified a commodity loader being leveraged by various threat actors in targeted email campaigns.\r\nExecutive Summary\r\nCRIL (Cyble Research and Intelligence Labs) has been tracking a sophisticated commodity loader utilized by multiple high-capability threat actors. The campaign demonstrates a high degree of regional and sectoral specificity, primarily targeting\r\nManufacturing and Government organizations across Italy, Finland, and Saudi Arabia.\r\nThis campaign utilizes advanced tradecraft, employing a diverse array of infection vectors including weaponized Office\r\ndocuments (exploiting CVE-2017-11882), malicious SVG files, and ZIP archives containing LNK shortcuts. Despite the\r\nvariety of delivery methods, all vectors leverage a unified commodity loader.\r\nSee Cyble in Action\r\nWorld's Best AI-Native Threat Intelligence\r\nThe operation’s sophistication is further evidenced by the use of steganography and the trojanization of open-source\r\nlibraries. Adding their stealth is a custom-engineered, four-stage evasion pipeline designed to minimize their forensic\r\nfootprint.\r\nBy masquerading as legitimate Purchase Order communications, these phishing attacks ultimately deliver Remote Access\r\nTrojans (RATs) and Infostealers.\r\nOur research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure\r\nshared across multiple threat actors.\r\nhttps://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/\r\nPage 1 of 13\n\nFigure 1 – Infection chain\r\nKey Takeaways\r\nPrecision Targeting \u0026 Geographic Scope: The campaign specifically targets the Manufacturing and Industrial\r\nsectors across Europe and the Middle East. 
The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials.\r\nVersatile Malware Distribution: The loaders serve as a multi-functional distribution platform. They have been observed delivering a variety of RATs and information stealers, including PureLog Stealer, Katz Stealer, DCRat, AsyncRAT, and Remcos. This indicates the loader is likely shared or sold across different threat actor groups.\r\nSteganography & Infrastructure Abuse: To bypass traditional network security, the threat actors hosted image files on legitimate delivery platforms. These images contain steganographically embedded payloads, allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic.\r\nTrojanization of Open-Source Libraries: The actors utilize a sophisticated “hybrid assembly” technique. By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult.\r\nFour-Stage Evasion Pipeline: The infection chain is engineered to minimize its forensic footprint. It employs a high-velocity, four-stage process:\r\nScript Obfuscation: To hide initial intent.\r\nSteganographic Extraction: To pull the payload from images.\r\nReflective Loading: To run code directly in memory without touching the disk.\r\nProcess Injection: To hide malicious activity within legitimate system processes.\r\nNovel UAC Bypass Discovery: A unique User Account Control (UAC) bypass was identified in a recent sample. The malware monitored system process creation events and opportunistically triggered UAC prompts during legitimate launches, tricking the user into granting elevated privileges under the guise of a routine operation.\r\nTechnical Analysis\r\nTo demonstrate the execution flow of this campaign, we analyzed the sample with the following SHA256 hash: c1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a.\r\nInitial Infection Vector\r\nThe campaign begins with targeted phishing emails sent to manufacturing organizations, masquerading as legitimate Purchase Order communications from business partners (see Figure 2).\r\nFigure 2 – Email with attachment\r\nExtraction of the RAR archive reveals a first-stage malicious JavaScript payload, PO No 602450.js, masquerading as a legitimate purchase order document.\r\nStage 1: JavaScript and PowerShell execution\r\nThe JavaScript file contains heavily obfuscated code with special characters that are stripped at runtime. The primary obfuscation techniques involve split and join operations used to dynamically reconstruct malicious strings (see Figure 3).\r\nFigure 3 – Obfuscated JS script\r\nThe de-obfuscated JavaScript creates a hidden PowerShell process using WMI objects (winmgmts:root\\cimv2).
It employs multiple obfuscation layers, including base64 encoding and string manipulation, to evade detection, and adds a 5-second sleep delay before execution (see Figure 4).\r\nFigure 4 – De-obfuscated JS script\r\nStage 2: Steganographic payload retrieval\r\nThe decoded PowerShell script functions as a second-stage loader, retrieving a malicious PNG file from Archive.org. This image file carries a base64-encoded .NET assembly hidden at the end of the file, after the image data (see Figure 5).\r\nFigure 5 – Base64 decoded PowerShell script\r\nUpon retrieval, the PowerShell script uses a regular expression to extract the appended payload between two marker strings, “BaseStart” and “BaseEnd”. The extracted text is base64-decoded and the resulting assembly is loaded into memory via [Reflection.Assembly]::Load, after which the loader invokes the method “VAI” of class “class1” in the “classlibrary1” namespace.\r\nThis fileless execution technique ensures the final payload executes without writing to disk, significantly reducing detection probability and complicating forensic analysis (see Figure 6).\r\nFigure 6 – Base64 encoded content at the end of the PNG file\r\nStage 3: Weaponized TaskScheduler loader\r\nThe reflectively loaded .NET assembly serves as the third-stage loader, weaponizing the legitimate open-source TaskScheduler library from GitHub.
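Before looking at what the trojanized library does, here is the Stage 2 extraction step reproduced offline as an added example (analyst tooling written for this article, not the PowerShell loader's own code). It walks the PNG chunk list to find IEND, takes whatever follows, pulls the base64 between the “BaseStart” and “BaseEnd” markers named above, decodes it and checks for a PE header. Only the marker strings come from the sample; the image and the dummy “assembly” are constructed inside the script so it runs without the real file.

```python
"""Pull the appended base64 assembly out of a PNG, as the Stage 2 loader does.

Added example (analyst tooling written for this article, not the PowerShell
loader's own code). The marker strings "BaseStart" / "BaseEnd" are taken from
the write-up; the image and the dummy 'assembly' are constructed here so the
script runs without the real sample.
"""
import base64
import re
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Lazy match so the first marker pair wins; DOTALL because the blob may be wrapped.
MARKER_RE = re.compile(rb"BaseStart(.*?)BaseEnd", re.DOTALL)


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(trailer: bytes) -> bytes:
    """Constructed 1x1 RGB PNG with arbitrary bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)


def png_trailing_bytes(blob: bytes) -> bytes:
    """Walk the chunk list and return everything after the IEND chunk.

    A well-formed PNG ends exactly at IEND, so a non-empty result is a
    hunting signal on its own, whatever the trailer turns out to contain.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4          # header + data + CRC
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def extract_embedded_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded payload found between the markers, or None."""
    match = MARKER_RE.search(png_trailing_bytes(blob))
    if match is None:
        return None
    b64 = re.sub(rb"\s+", b"", match.group(1))   # tolerate wrapped base64
    return base64.b64decode(b64, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus an e_lfanew offset that lands on the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sample_assembly() -> bytes:
    """Constructed minimal PE-shaped blob standing in for the .NET assembly."""
    return (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\x00\x00" + b"\x00" * 16)


def sample_image() -> bytes:
    """The sample PNG with the dummy assembly appended the way the loader expects."""
    trailer = b"BaseStart" + base64.b64encode(sample_assembly()) + b"BaseEnd"
    return build_sample_png(trailer)


if __name__ == "__main__":
    payload = extract_embedded_payload(sample_image())
    print(len(payload), "bytes recovered, PE header:", looks_like_pe(payload))
```

Pointing `extract_embedded_payload` at a downloaded image gives you the assembly for static analysis without running the PowerShell stage; `png_trailing_bytes` alone is the cheap triage check, since a clean PNG returns nothing after IEND.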
The threat actors appended malicious functions to the original library source code and recompiled it, creating a trojanized assembly that retains all legitimate functionality while embedding malicious capabilities (see Figure 7).\r\nFigure 7 – Classes present in the clean TaskScheduler library (left) and the appended malicious content (right)\r\nUpon execution, the malicious method receives the payload URL in reversed and base64-encoded form, along with DLL path, DLL name, and CLR path parameters (see Figure 8).\r\nFigure 8 – Decoded URL and payload\r\nStage 4: Process injection and payload execution\r\nThe weaponized loader creates a new RegAsm.exe process in a suspended state and injects the decoded payload into its memory space before executing it (see Figure 9). This process hollowing technique allows the malware to masquerade as a legitimate Windows utility while executing malicious code.\r\nFigure 9 – Injecting payload into RegAsm.exe\r\nThe loader downloads additional content that is similarly reversed and base64-encoded. After downloading, the loader reverses the content, base64-decodes it, and runs the resulting binary by injecting it into either RegAsm.exe or AddInProcess32.exe.\r\nFinal payload: PureLog Stealer\r\nThe injected payload is an executable file containing PureLog Stealer embedded within its resource section.
The stealer is extracted using Triple DES decryption in CBC mode with PKCS7 padding, using the key and IV parameters supplied to the routine. Following decryption, the data undergoes GZip decompression before the resulting payload, PureLog Stealer, is invoked (see Figure 10).\r\nFigure 10 – Triple DES decryption\r\nPureLog Stealer is an information-stealing malware designed to exfiltrate sensitive data from compromised hosts, including browser credentials, cryptocurrency wallet information, and comprehensive system details. The threat actor’s command and control infrastructure operates at IP address 38.49.210[.]241.\r\nPureLog Stealer steals the following from the victim’s machines:\r\nCategory | Targeted Data | Detail\r\nWeb Browsers | Chromium-based browsers | Data harvested from a wide range of Chromium-based browsers, including stable, beta, developer, portable, and privacy-focused variants\r\nWeb Browsers | Firefox-based browsers | Data extracted from Firefox and Firefox-derived browsers\r\nWeb Browsers | Browser credentials | Saved usernames and passwords associated with websites and web applications\r\nWeb Browsers | Browser cookies | Session cookies, authentication tokens, and persistent cookies\r\nWeb Browsers | Browser autofill data | Autofill profiles, saved payment information, and form data\r\nWeb Browsers | Browser history | Browsing history, visited URLs, download records, and visit metadata\r\nWeb Browsers | Search queries | Stored browser search terms and normalized keyword data\r\nWeb Browsers | Browser tokens | Authentication tokens and associated email identifiers\r\nCryptocurrency Wallets | Desktop wallets | Wallet data from locally installed cryptocurrency wallet applications\r\nCryptocurrency Wallets | Browser extension wallets | Wallet data from browser-based cryptocurrency extensions\r\nCryptocurrency Wallets | Wallet configuration | Encrypted seed phrases, private keys, and wallet configuration files\r\nPassword Managers | Browser-based managers | Credentials stored in browser-integrated password management extensions\r\nPassword Managers | Standalone managers | Credentials and vault data from desktop password manager applications\r\nTwo-Factor Authentication | 2FA applications | One-time password (OTP) secrets and configuration data from authenticator applications\r\nVPN Clients | VPN credentials | VPN configuration files, authentication tokens, and user credentials\r\nMessaging Applications | Instant messaging apps | Account tokens, user identifiers, messages, and configuration files\r\nMessaging Applications | Gaming platforms | Authentication and account metadata related to gaming services\r\nFTP Clients | FTP credentials | Stored FTP server credentials and connection configurations\r\nEmail Clients | Desktop email clients | Email account credentials, server configurations, and authentication tokens\r\nSystem Information | Hardware details | CPU, GPU, memory, motherboard identifiers, and system serials\r\nSystem Information | Operating system | OS version, architecture, and product identifiers\r\nSystem Information | Network information | Public IP address and network-related metadata\r\nSystem Information | Security software | Installed security and antivirus product details\r\nTracing the Footprints: Shared Ecosystem\r\nCRIL’s cross-campaign analysis reveals a striking uniformity of tradecraft: a persistent architectural blueprint serves as the common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.\r\nThis standardized methodology includes the use of steganography to conceal payloads within benign image files, the application of string reversal combined with Base64 encoding for deep obfuscation, and the delivery of encoded payload URLs directly to the loader.
Furthermore, the actors consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.\r\nThis observation is also reinforced by research from Seqrite, Nextron Systems, and Zscaler, which documented identical class naming conventions and execution patterns across a variety of malware families and operations (see References).\r\nThe following code snippet illustrates the shared loader architecture observed across these campaigns (see Figure 11).\r\nFigure 11 – Loader comparison and similarities\r\nThis consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.\r\nUAC Bypass\r\nNotably, a recent sample revealed an LNK file employing similar obfuscation techniques, utilizing PowerShell to download a VBS loader, along with an uncommon UAC bypass method (see Figure 12).\r\nFigure 12 – C# code inside an XML file\r\nAn uncommon UAC bypass technique is employed in later stages of the attack: the malware monitors process creation events and triggers a UAC prompt when a new process is launched, so that a user who approves what looks like a routine elevation actually grants the malware an elevated PowerShell process (see Figure 13).\r\nFigure 13 – UAC bypass using user response\r\nConclusion\r\nOur research has uncovered a hybrid threat with striking uniformity of tradecraft and a persistent architectural blueprint. This standardized methodology includes the use of steganography to conceal payloads within benign image files, the application of string reversal combined with Base64 encoding for deep obfuscation, and the delivery of encoded payload URLs directly to the loader. Furthermore, the actors consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.\r\nThe fact that multiple malware families share these class naming conventions and execution patterns is further testament to how potent this threat is to the targeted nations and sectors.\r\nThe discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle. Organizations, especially in the targeted regions, should treat “benign” image files and email attachments with heightened scrutiny.\r\nRecommendations\r\nDeploy Advanced Email Security with Behavioral Analysis\r\nImplement email security solutions with attachment sandboxing and behavioral analysis capabilities that can detect obfuscated JavaScript, VBScript files, and malicious macros. Enable strict filtering for RAR/ZIP attachments and block execution of scripts from email sources to prevent initial infection vectors targeting business workflows.\r\nImplement Application Whitelisting and Script Execution Controls\r\nDeploy application whitelisting policies to prevent unauthorized JavaScript and VBScript execution from user-accessible directories. Enable PowerShell Constrained Language Mode and comprehensive logging to detect suspicious script activity, particularly commands attempting to download remote content or perform reflective assembly loading. Constrained Language Mode blocks arbitrary .NET method calls such as [Reflection.Assembly]::Load, which is exactly what the Stage 2 loader relies on, but it is only a real control when enforced through a WDAC or AppLocker policy; setting it via the environment variable is trivially undone. Restrict the execution of legitimate system binaries from non-standard locations to prevent their abuse in living-off-the-land (LotL) attacks.\r\nDeploy EDR Solutions with Advanced Process Monitoring\r\nImplement Endpoint Detection and Response (EDR) solutions that can detect sophisticated evasion techniques and runtime anomalies, enabling effective protection against advanced threats.
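The parent-child relationships this chain produces are concrete enough to write down as rules. The following is an added example, not a rule shipped with any EDR: it evaluates constructed Sysmon-Event-1-style process-creation records against the Stage 1 to 4 behaviour described above (script host running a .js from a user directory, PowerShell created through WMI, reflective loading on the command line, a .NET utility started by PowerShell with no arguments). The field names image / parent_image / command_line and all sample events are assumptions made for the demo, not telemetry from the campaign.

```python
"""Process-tree detections for the chain described in this write-up.

Added example, not a rule shipped with any EDR: it evaluates constructed
Sysmon-Event-1-style records (the field names image / parent_image /
command_line are assumptions for the demo) against the Stage 1-4
relationships the analysis describes. The sample events are made up here
and are not telemetry from the campaign.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, Event]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# .NET framework utilities the report names as hollowing targets.
HOLLOW_TARGETS = {"regasm.exe", "addinprocess32.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|appdata)|temp)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
REFLECTIVE_LOAD = re.compile(r"reflection\.assembly\]?::load", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _argv(cmd: str) -> List[str]:
    """Split a Windows command line into [image, args...]; a quoted image path stays whole."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end]] + cmd[end + 1:].split()
    return cmd.split()


def detect(events: List[Event]) -> List[Finding]:
    """Return (rule_name, event) pairs for every record that matches a rule."""
    findings: List[Finding] = []
    for ev in events:
        image = _basename(ev["image"])
        parent = _basename(ev["parent_image"])
        cmd = ev["command_line"]
        args = [a.lower() for a in _argv(cmd)[1:]]

        # Stage 1: a script host running a .js/.vbs out of a user-writable
        # directory, which is where an extracted "PO No ....js" lands.
        if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
            findings.append(("script_host_user_dir", ev))

        # Stage 1 -> 2: PowerShell created through WMI. Win32_Process.Create
        # runs under the WMI provider host, so the parent is WmiPrvSE.exe rather
        # than the script that requested it. A hidden window or -EncodedCommand
        # (PowerShell accepts any unambiguous prefix, e.g. -enc) raises confidence.
        if image in POWERSHELL and parent == "wmiprvse.exe":
            hidden = "hidden" in args
            encoded = any("-encodedcommand".startswith(a) for a in args if a.startswith("-e"))
            tag = "wmi_spawned_powershell"
            if hidden or encoded:
                tag += "_hidden_or_encoded"
            findings.append((tag, ev))

        # Stage 2: reflective assembly loading spelled out on the command line.
        if image in POWERSHELL and REFLECTIVE_LOAD.search(cmd):
            findings.append(("reflective_assembly_load", ev))

        # Stage 4: a .NET utility started by PowerShell or a script host with no
        # arguments. RegAsm/AddInProcess32/MSBuild do nothing useful without
        # arguments; a bare launch is what a suspended-then-hollowed host looks like.
        if image in HOLLOW_TARGETS and parent in POWERSHELL | SCRIPT_HOSTS and not args:
            findings.append(("hollowing_target_no_args", ev))
    return findings


def sample_events() -> List[Event]:
    """Constructed records mirroring the chain in this report (not real logs)."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    wmi = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
    regasm = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    msbuild = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    return [
        {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
         "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\PO No 602450.js"'},
        {"image": ps, "parent_image": wmi,
         "command_line": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A"},  # fake blob
        {"image": ps, "parent_image": wmi,
         "command_line": "powershell.exe -c [System.Reflection.Assembly]::Load($bytes)"},
        {"image": regasm, "parent_image": ps, "command_line": f'"{regasm}"'},
        # Benign controls: a service host, and a developer build with a real project argument.
        {"image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe",
         "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
        {"image": msbuild, "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
         "command_line": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    ]


if __name__ == "__main__":
    for rule, event in detect(sample_events()):
        print(rule, "<-", event["command_line"])
```

The WMI rule is the one worth keeping even if the others are noisy in your environment: a script host that asks WMI to create PowerShell breaks the usual wscript.exe -> powershell.exe lineage, so a rule keyed on the direct parent alone would miss it, while the WmiPrvSE.exe parent is rare for interactive PowerShell.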
Configure EDR platforms to monitor for process hollowing activity in which legitimate signed Windows binaries are abused to execute malicious payloads in memory.\r\nMonitor for Memory-Based Threats and Process Anomalies\r\nEstablish behavioral detection rules for fileless malware techniques, including reflective assembly loading, process hollowing, and suspicious parent-child process relationships (such as PowerShell spawned by the WMI provider host, or a .NET utility started by PowerShell with no arguments). Deploy memory analysis tools to identify code injection into legitimate Windows processes, such as MSBuild.exe, RegAsm.exe, and AddInProcess32.exe, which are commonly abused for malicious payload execution.\r\nStrengthen Credential and Cryptocurrency Wallet Protection\r\nEnforce multi-factor authentication across all critical systems and encourage users to store cryptocurrency assets in hardware wallets rather than browser-based solutions. Implement monitoring for unauthorized access to browser credential stores, password managers, and cryptocurrency wallet directories to detect potential data exfiltration attempts.\r\nImplement Steganography Detection and Image Analysis Capabilities\r\nDeploy specialized steganography detection tools that analyze image files for hidden malicious payloads embedded within pixel data or metadata. Implement statistical analysis techniques to identify anomalies in image file entropy and bit patterns that may indicate the presence of concealed executable code. A far simpler check catches the variant described here: any bytes after a PNG's IEND chunk are not part of the image and deserve inspection.
Configure security solutions to perform deep inspection of image formats, particularly PNG files, which are frequently exploited for embedding command-and-control infrastructure or malicious scripts in covert communication channels.\r\nMITRE Tactics, Techniques & Procedures\r\nTactic | Technique | Procedure\r\nInitial Access (TA0001) | Phishing: Spearphishing Attachment (T1566.001) | Phishing emails with malicious attachments masquerading as Purchase Orders\r\nExecution (TA0002) | Exploitation for Client Execution (T1203) | Exploitation of CVE-2017-11882 in Microsoft Equation Editor via weaponized Office documents\r\nExecution (TA0002) | User Execution: Malicious File (T1204.002) | User opens JavaScript, VBScript, or LNK files from archive attachments\r\nExecution (TA0002) | Command and Scripting Interpreter: JavaScript (T1059.007) | Obfuscated JavaScript executes to download second-stage payloads\r\nExecution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | A hidden PowerShell instance is spawned to retrieve steganographic payloads\r\nExecution (TA0002) | Windows Management Instrumentation (T1047) | WMI used to spawn hidden PowerShell processes\r\nDefense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Multi-layer obfuscation using base64 encoding and string manipulation\r\nDefense Evasion (TA0005) | Steganography (T1027.003) | Malicious payload hidden within PNG image files\r\nDefense Evasion (TA0005) | Reflective Code Loading (T1620) | The .NET assembly is reflectively loaded into memory without disk writes\r\nDefense Evasion (TA0005) | Process Injection: Process Hollowing (T1055.012) | Payload injected into legitimate Windows system processes\r\nDefense Evasion (TA0005) | Masquerading: Match Legitimate Name or Location (T1036.005) | Execution through legitimate Windows utilities for evasion\r\nDefense Evasion (TA0005) | Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) | UAC bypass using process monitoring and a user approval prompt\r\nDefense Evasion (TA0005) | Virtualization/Sandbox Evasion: Time-Based Evasion (T1497.003) | 5-second sleep delay to evade automated sandbox analysis\r\nCredential Access (TA0006) | Unsecured Credentials: Credentials In Files (T1552.001) | Extraction of credentials from browser databases and configuration files\r\nCredential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Harvesting saved passwords and cookies from web browsers\r\nCredential Access (TA0006) | Credentials from Password Stores (T1555) | Extraction of credentials from password manager applications\r\nDiscovery (TA0007) | System Information Discovery (T1082) | Collection of hardware, OS, and network information\r\nDiscovery (TA0007) | Security Software Discovery (T1518.001) | Enumeration of installed antivirus products\r\nCollection (TA0009) | Data from Local System (T1005) | Collection of cryptocurrency wallets, VPN configs, and email data\r\nCollection (TA0009) | Email Collection (T1114) | Harvesting email credentials and configurations from email clients\r\nCommand and Control (TA0011) | Web Service (T1102) | Abuse of Archive.org for payload hosting\r\nExfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Data exfiltration to C2 server at 38.49.210[.]241\r\nIndicators of Compromise (IOCs)\r\nIndicator | Type | Comments\r\n5c0e3209559f83788275b73ac3bcc61867ece6922afabe3ac672240c1c46b1d3 | SHA-256 | Email\r\nc1322b21eb3f300a7ab0f435d6bcf6941fd0fbd58b02f7af797af464c920040a | SHA-256 | PO No 602450.rar\r\n3dfa22389fe1a2e4628c2951f1756005a0b9effdab8de3b0f6bb36b764e2b84a | SHA-256 | Microsoft.Win32.TaskScheduler.\r\nbb05f1ef4c86620c6b7e8b3596398b3b2789d8e3b48138e12a59b362549b799d | SHA-256 | PureLog Stealer\r\n0f1fdbc5adb37f1de0a586e9672a28a5d77f3ca4eff8e3dcf6392c5e4611f914 | SHA-256 | Zip file containing LNK\r\n917e5c0a8c95685dc88148d2e3262af6c00b96260e5d43fe158319de5f7c313e | SHA-256 | LNK file\r\nhxxp://192[.]3.101[.]161/zeus/ConvertedFile[.]txt | URL | Base64 encoded payload\r\nhxxps://pixeldrain[.]com/api/file/7B3Gowyz | URL | Base64 encoded payload\r\nhxxp://dn710107.ca.archive[.]org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64[.]png | URL | PNG file\r\nhxxps://ia801706.us.archive[.]org/25/items/msi-pro-with-b-64_20251208/MSI_PRO_with_b64[.]png | URL | PNG file\r\n38.49.210[.]241 | IP | PureLog Stealer C&C\r\nReferences:\r\nhttps://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat\r\nhttps://www.seqrite.com/blog/steganographic-campaign-distributing-malware\r\nhttps://www.nextron-systems.com/2025/05/23/katz-stealer-threat-analysis/\r\nSource: https://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/"
	],
	"report_names": [
		"stealth-in-layers-unmasking-loader-in-targeted-email-campaigns"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434515,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2671c81a0abcba09a92bbed1eedb58daf4159c80.pdf",
		"text": "https://archive.orkl.eu/2671c81a0abcba09a92bbed1eedb58daf4159c80.txt",
		"img": "https://archive.orkl.eu/2671c81a0abcba09a92bbed1eedb58daf4159c80.jpg"
	}
}