{
	"id": "53eac052-03aa-4f7a-9560-bdb786ccdaf2",
	"created_at": "2026-04-29T02:21:51.685533Z",
	"updated_at": "2026-04-29T08:23:01.289717Z",
	"deleted_at": null,
	"sha1_hash": "2a796f805f9a178c71abdd048b8f7f88455d6ce2",
	"title": "GlassWorm Loader Hits Open VSX via Developer Account Compromise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 689618,
	"plain_text": "GlassWorm Loader Hits Open VSX via Developer Account Compromise\r\nBy Kirill Boychenko\r\nPublished: 2026-01-31 · Archived: 2026-04-29 02:04:44 UTC\r\nSocket’s Threat Research team identified a developer-compromise supply chain attack distributed via the Open VSX Registry, specifically a compromise of the developer’s publishing credentials. The Open VSX security team assessed the activity as consistent with a leaked token or other unauthorized access.\r\nhttps://socket.dev/blog/glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise\r\nPage 1 of 10\r\nOn January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader. These extensions had previously presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases.\r\nThe four impacted extensions are:\r\n1. FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — v0.5.1)\r\n2. I18n Tools (oorzc.i18n-tools-plus — v1.6.8)\r\n3. vscode mindmap (oorzc.mind-map — v1.0.61)\r\n4. scss to css (oorzc.scss-to-css-compile — v1.3.4)\r\nScreenshot of Open VSX Registry showing the oorzc namespace with four published extensions: FTP/SFTP/SSH Sync Tool (17K downloads), I18n Tools (3.6K), vscode mindmap (3.2K), and scss to css (1.3K). Open VSX rounds the download counts on the UI (the “K” figures), so the totals can look higher in screenshots. When we sum the actual download numbers, the combined total is over 22K.\r\nWe reached out to the oorzc maintainer to flag that recent Open VSX releases of these extensions were compromised and set to distribute a GlassWorm loader, consistent with a developer publishing-credential compromise, such as a leaked publishing token or other unauthorized access to the release path.\r\nAcross all four extensions, the malicious update introduces staged loaders that decrypt and execute embedded code at runtime, includes Russian-locale avoidance, resolves command and control (C2) pointers from Solana transaction memos, and then executes additional remote code.\r\nThis tradecraft aligns with the recent GlassWorm cluster we have been tracking internally since December 2025. In that work, we identified and reported earlier malicious Open VSX extensions tied to the same staging and blockchain-resolved infrastructure patterns, which reduce reliance on static indicators and enable rapid server-side updates.\r\nDownstream payloads collected in this investigation show macOS-focused information stealing and persistence. The payload harvests and exfiltrates browser cookies, history, and login databases, including wallet-extension data such as MetaMask, and it targets multiple browser families, including Mozilla Firefox and Chromium-based browsers. It also collects desktop cryptocurrency wallet files (Electrum, Exodus, Atomic, Ledger Live, Trezor Suite, Binance, TonKeeper), the user’s login keychain database, Apple Notes databases, Safari cookies, targeted user documents from Desktop, Documents, and Downloads, and FortiClient VPN configuration files. Crucially, it also targets developer credentials and configuration, including ~/.aws (credentials and config) and ~/.ssh (private keys, known_hosts, and related configuration), which raises the risk of cloud account compromise and lateral movement in developer and enterprise environments. The payload includes routines to locate and extract authentication material used in common workflows, including inspecting npm configuration for _authToken and referencing GitHub authentication artifacts, which can provide access to private repositories, CI secrets, and release automation.\r\nThis incident also differs materially from GlassWorm activity previously documented. Earlier waves largely relied on typosquatting and brandjacking, cloning or mimicking popular developer tools and attempting to appear trustworthy by artificially inflating download counts.\r\nBy contrast, these four extensions were published under an established publisher account with a multi-extension history and meaningful adoption signals across ecosystems. The same publisher also maintains Visual Studio Marketplace listings with substantial install counts (as displayed on the listings at the time of review): vscode mindmap (7,696 installs), scss to css (3,810 installs), FTP/SFTP/SSH Sync Tool (4,948 installs), and I18n Tools (1,570 installs). This observation is provided to illustrate the publisher’s apparent legitimacy and reach, not to suggest the Visual Studio Marketplace listings were compromised. Our findings in this report concern the Open VSX extensions.\r\nPublisher profile for oorzc on Visual Studio Marketplace (Visual Studio Code) listing four extensions: vscode mindmap, FTP/SFTP/SSH Sync Tool, scss to css, and I18n Tools.\r\nFollowing our January 30, 2026 report, the Eclipse Foundation / Open VSX Registry security team reviewed the affected extensions, concluded the activity was consistent with leaked tokens or other unauthorized publishing access, and deactivated the publisher’s two Open VSX tokens. They removed the malicious releases and, because multiple recent oorzc.ssh-tools versions scanned as malware and many versions were published, they removed all oorzc.ssh-tools versions and added it to the Open VSX malware list, while leaving earlier clean versions available for the other three extensions. Based on our prior reporting of 13 earlier malicious Open VSX extensions associated with the recent GlassWorm cluster, we have consistently seen the Open VSX security team respond quickly and take decisive action to protect the community, and we appreciate their rapid engagement and clear coordination; security is a team sport.\r\nNot Glass, Not a Worm, Still Dangerous\r\nGlassWorm has been abusing the Open VSX Registry supply chain since at least October 2025, when researchers first reported malicious extensions using concealed logic to steal developer credentials, and it has continued resurfacing in repeated waves through late 2025 and into early 2026.\r\nThe name is also increasingly misleading. The “glass” aspect originally pointed to invisible character tricks, but recent iterations rely more on encrypted, staged loaders than on being visually undetectable. The “worm” label is similarly imperfect, and the Open VSX maintainers have publicly clarified that it was not self-replicating in the traditional sense; instead, it extended reach by stealing credentials and abusing publishing access.\r\nOn January 30, 2026, this escalation became clear. The threat actor published poisoned updates through an established publisher identity, and the Open VSX security team assessed the incident as consistent with leaked tokens or other unauthorized publishing access.\r\nSocket AI Scanner flags oorzc.ssh-tools@0.5.1 as malware, describing a staged loader that decrypts and runs an embedded blob at activation time (hardcoded AES material and eval()), suppresses execution on Russian-language or Russia-adjacent systems, uses Solana transaction memos as a dead drop for next-stage configuration, and then fetches and executes a follow-on payload in memory.\r\nStaged Execution Chain\r\nStage 0: A Small Loader That Decrypts and Executes Code\r\nAll four .vsix files contained a near-identical loader inside extension.js. The loader uses AES-256-CBC to decrypt a long hex string, converts the result to UTF-8, and immediately executes it with eval.\r\nBelow is an excerpt from the loader with the encrypted blob truncated for readability and with our added comments.\r\nconst crypto = require(\"crypto\");\r\n// AES parameters embedded in the extension\r\nlet d = crypto.createDecipheriv(\r\n  \"aes-256-cbc\",\r\n  \"wDO6YyTm6DL0T0zJ0SXhUql5Mo0pdlSz\", // 32-byte key (embedded as a 32-character ASCII string)\r\n  Buffer.from(\"dfc1fefb224b2a757b7d3d97a93a1db9\", \"hex\") // 16-byte IV\r\n);\r\n// Encrypted payload is a long hex string (truncated here)\r\nlet b = d.update(\r\n  \"d4f0f5c6b7c5...\u003chex omitted\u003e...9f2a\",\r\n  \"hex\",\r\n  \"utf8\"\r\n);\r\nb += d.final(\"utf8\");\r\n// Executes the decrypted Stage 1 code\r\neval(b);\r\nStage 1: Environment Checks, Then a Blockchain Dead Drop\r\nOnce decrypted, Stage 1 performs host profiling and gating. The most notable logic checks for Russian language settings and Russia-adjacent time zones, then exits early if the system matches. That is classic criminal OPSEC, and it lines up with the old Russian underworld saying, “Кто работает по ру, к тому приходит по утру”, roughly, “If you operate in RU, someone shows up at your door in the morning”.\r\nAn excerpt from the Stage 1 geofencing logic is shown below.
This is taken directly from the decrypted Stage 1.\r\nfunction _isRussianSystem(){\r\n  let russianIndicators = [\r\n    \"ru_RU\",\r\n    \"ru-RU\",\r\n    \"ru\",\r\n    \"Russian\",\r\n    process.env.LANG,\r\n    process.env.LANGUAGE,\r\n    process.env.LC_ALL,\r\n    process.env.LC_MESSAGES\r\n  ];\r\n  let isRussianLanguage = russianIndicators.some(indicator =\u003e\r\n    indicator \u0026\u0026 indicator.toLowerCase().includes(\"ru\")\r\n  );\r\n  let timeZone = Intl.DateTimeFormat().resolvedOptions().timeZone;\r\n  let isMoscowTimeZone = timeZone \u0026\u0026 timeZone.includes(\"Europe/Moscow\");\r\n  let utcOffset = (new Date).getTimezoneOffset() / -60;\r\n  let isRussiaAdjacentTimezone = utcOffset \u003e= 2 \u0026\u0026 utcOffset \u003c= 12;\r\n  return isRussianLanguage || isMoscowTimeZone || isRussiaAdjacentTimezone;\r\n}\r\nIf the host passes those checks, Stage 1 retrieves its next instruction from a transaction memo on Solana. Practically, this works like a dead drop. The extension does not need a hardcoded C2 URL, because the threat actor can rotate the next-stage link by writing a new memo on-chain. That design also pushes the “where do I fetch next” decision out of the extension and into threat actor-controlled infrastructure.\r\nStage 1 then focuses its next steps on macOS systems. The decrypted code explicitly checks the OS before continuing the chain, which aligns with what we later observed in the Stage 2 payload.\r\nif (os.platform() == \"darwin\") {\r\n  // macOS-specific Stage 2 path follows\r\n}\r\nStage 2: What the macOS Payload Does Once Executed\r\nStage 2 is a Node.js JavaScript payload that functions as a macOS-focused data theft and persistence implant.
The Stage 2 payload stages collected files, compresses them into an archive, and exfiltrates the results to threat actor-controlled infrastructure.\r\nStaging and collection\r\nThe payload creates a working directory at /tmp/ijewf, collects a broad set of artifacts from the host, then compresses the staged data into /tmp/out.zip in preparation for exfiltration.\r\nIn practice, the collection scope is broad and explicitly geared toward credential theft, session theft, and wallet theft. The payload copies browser cookies, form history, and login databases across Firefox-family and Chromium-based browsers, including wallet-extension artifacts (for example, MetaMask storage). It also targets desktop cryptocurrency wallet data (including Electrum, Exodus, Atomic, Ledger Live, Trezor Suite, Binance, and TonKeeper), macOS keychain material (the user’s login.keychain-db), Apple Notes databases, Safari cookies, and FortiClient VPN configuration. Finally, it performs targeted document collection from Desktop, Documents, and Downloads, filtering by file extension and enforcing a total size limit, then stages everything for exfiltration as a single archive.\r\n// Stage 2 data-theft targets (selected examples observed in payload)\r\nconst targets = [\r\n  // macOS credential store\r\n  \"~/Library/Keychains/login.keychain-db\",\r\n  // Apple Notes databases (often contain sensitive data)\r\n  \"~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\",\r\n  \"~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\",\r\n  \"~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\",\r\n  // Safari session material\r\n  \"~/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\",\r\n  // FortiClient VPN configuration\r\n  \"/Library/Application Support/Fortinet/FortiClient/conf/vpn.plist\",\r\n  // Developer secrets and access material\r\n  \"~/.aws\", // credentials and config\r\n  \"~/.ssh\" // private keys, known_hosts, config\r\n];\r\n// The payload stages copies of these artifacts under /tmp/ijewf,\r\n// compresses them to /tmp/out.zip, then exfiltrates the archive.\r\n// Browser + wallet focus (high-level):\r\n// * Chromium: Cookies, Login Data, Web Data across multiple browser profiles\r\n// * Firefox-family: cookies.sqlite, formhistory.sqlite, key4.db, logins.json\r\n// * Wallets: Electrum, Exodus, Atomic, Ledger Live, Trezor Suite, Binance, TonKeeper\r\n// * Wallet extensions: MetaMask storage artifacts\r\nIt explicitly targets developer credentials and configuration, including AWS and SSH material, which raises the risk of cloud account compromise and lateral movement in developer and enterprise environments. Examples include ~/.aws (credentials and config) and ~/.ssh (private keys, known_hosts, and related configuration). It also collects additional high-value local sources, including macOS keychain data and application storage paths that commonly contain credentials and session material.\r\nToken and Secret Access\r\nThe payload includes logic to locate and extract authentication material used in common developer workflows. For example, it inspects npm configuration for _authToken and interacts with the npm registry, consistent with npm token discovery and validation behavior. It also contains logic that references GitHub authentication artifacts, which is particularly high impact because GitHub tokens often provide access to private repositories, CI secrets, and release automation.\r\nExfiltration\r\nAfter collecting and compressing data, the payload exfiltrates the archive using curl to hardcoded IP-based endpoints. In the sample we analyzed, it POSTs to paths such as /p2p and /2p2 on 45[.]32[.]150[.]251.\r\nPersistence\r\nStage 2 establishes persistence on macOS via a LaunchAgent. It writes a plist under ~/Library/LaunchAgents (e.g., com.user.nodestart.plist) and uses it to start a bundled or downloaded Node runtime that executes the payload at login. This makes the impact persistent, unless defenders remove the LaunchAgent and any associated runtime and staging artifacts.\r\nOutlook and Recommendations\r\nThis campaign shows a clear escalation in Open VSX supply chain abuse. The threat actor blends into normal developer workflows, hides execution behind encrypted, runtime-decrypted loaders, and uses Solana memos as a dynamic dead drop to rotate staging infrastructure without republishing extensions. These design choices reduce the value of static indicators and shift defender advantage toward behavioral detection and rapid response.\r\nThe immediate risk is credential and token theft from developer endpoints. Stolen AWS and SSH material can enable direct cloud compromise and lateral movement. Stolen GitHub and npm tokens can enable repository takeover, poisoned commits, package publication abuse, and access to CI secrets. Even if the extensions run only on workstations, the downstream blast radius can extend to build pipelines and end users if compromised credentials are reused to ship tampered releases.\r\nIf you installed any extension listed in the IOC section, treat it as a credential exposure event. Remove the extension and delete its on-disk artifacts. On macOS, check for persistence under ~/Library/LaunchAgents, including unfamiliar plists such as com.user.nodestart.plist, and investigate suspicious runtime paths that reference /tmp/ijewf or /tmp/out.zip.\r\nRotate credentials. Revoke and reissue GitHub tokens first, then npm tokens, then AWS keys, then any SSH keys that can reach production or CI systems. Audit recent GitHub activity for new tokens, unexpected workflow changes, and suspicious commits. Validate your CI configuration and release jobs for unauthorized modifications.\r\nAdd supply chain controls and use the Socket GitHub app to gate dependency changes in pull requests, use the Socket CLI in install workflows, and use the Socket browser extension to surface registry risk signals during discovery and installation.\r\nIndicators of Compromise (IOCs)\r\nMalicious Open VSX Extensions (Suspected Developer Account oorzc Compromise)\r\n1. oorzc.ssh-tools — v0.5.1\r\n2. oorzc.i18n-tools-plus — v1.6.8\r\n3. oorzc.mind-map — v1.0.61\r\n4. oorzc.scss-to-css-compile — v1.3.4\r\nMalicious Open VSX Extensions (December 2025 — January 2026 Cluster)\r\n1. Angular-studio.ng-angular-extension\r\n2. awesome-codebase.codebase-dart-pro\r\n3. cudra-production.vsce-prettier-pro\r\n4. dev-studio-sense.php-comp-tools-vscode\r\n5. ko-zu-gun-studio.synchronization-settings-vscode\r\n6. littensy-studio.magical-icons\r\n7. pretty-studio-advisor.prettyxml-formatter\r\n8. sol-studio.solidity-extension\r\n9. studio-jjalaire-team.professional-quarto-extension\r\n10. studio-velte-distributor.pro-svelte-extension\r\n11. sun-shine-studio.shiny-extension-for-vscode\r\n12. tucyzirille-studio.angular-pro-tools-extension\r\n13. vce-brendan-studio-eich.js-debuger-vscode\r\nBlockchain Indicators\r\nSolana address: BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC\r\nEmbedded Crypto Material\r\nAES key: wDO6YyTm6DL0T0zJ0SXhUql5Mo0pdlSz\r\nAES IVs (hex): c4b9a3773e9dced6015a670855fd32b\r\nIP Address\r\n45[.]32[.]150[.]251\r\nSource: https://socket.dev/blog/glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socket.dev/blog/glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise"
	],
	"report_names": [
		"glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-29T06:58:56.539549Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"ControlX",
				"TAG-22",
				"AQUATIC PANDA",
				"Red Dev 10",
				"RedHotel",
				"BountyGlad",
				"Red Scylla",
				"CHROMIUM",
				"BRONZE UNIVERSITY",
				"Charcoal Typhoon"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"FunnySwitch",
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-29T06:58:56.199012Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"Blue Echidna",
				"FROZENBARENTS",
				"UAC-0113",
				"UAC-0082",
				"Quedagh",
				"TEMP.Noble",
				"TeleBots",
				"IRIDIUM",
				"Seashell Blizzard",
				"APT44",
				"VOODOO BEAR",
				"IRON VIKING",
				"G0034",
				"ELECTRUM"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-29T06:58:57.873095Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-29T06:58:57.491949Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-29T06:58:57.572831Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-29T06:58:57.866084Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-29T06:58:57.704537Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-29T06:58:57.716092Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1777429311,
	"ts_updated_at": 1777450981,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a796f805f9a178c71abdd048b8f7f88455d6ce2.pdf",
		"text": "https://archive.orkl.eu/2a796f805f9a178c71abdd048b8f7f88455d6ce2.txt",
		"img": "https://archive.orkl.eu/2a796f805f9a178c71abdd048b8f7f88455d6ce2.jpg"
	}
}