{
	"id": "31cfe38e-bdfc-44fa-af1a-93bfbb6d6bc6",
	"created_at": "2026-04-06T00:11:06.338703Z",
	"updated_at": "2026-04-10T13:12:13.588241Z",
	"deleted_at": null,
	"sha1_hash": "27ed65ed8270e452fc7d510e845b3fdc5b3d6f16",
	"title": "BEATDROP (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30033,
	"plain_text": "BEATDROP (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:38:16 UTC\r\nAccording to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management\r\nservice Trello for C\u0026C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode\r\npayloads to be executed. BEATDROP then injects and executes downloaded payloads into a suspended process.\r\nUpon execution, BEATDROP maps a copy of ntdll.dll into memory to execute shellcode in its own process. The\r\nsample then creates a suspended thread with RtlCreateUserThread; the thread points to NtCreateFile. The sample\r\nchanges execution to shellcode and resumes the thread. The shellcode payload is retrieved from Trello and is\r\ntargeted per victim. Once the payload has been retrieved, it is deleted from Trello.\r\n[TLP:WHITE] win_beatdrop_auto (20251219 | Detects win.beatdrop.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop"
	],
	"report_names": [
		"win.beatdrop"
	],
	"threat_actors": [],
	"ts_created_at": 1775434266,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27ed65ed8270e452fc7d510e845b3fdc5b3d6f16.pdf",
		"text": "https://archive.orkl.eu/27ed65ed8270e452fc7d510e845b3fdc5b3d6f16.txt",
		"img": "https://archive.orkl.eu/27ed65ed8270e452fc7d510e845b3fdc5b3d6f16.jpg"
	}
}