{ "id": "21d75020-2a4b-4bb2-ad13-fc44166826ec", "created_at": "2026-04-06T00:11:03.771952Z", "updated_at": "2026-04-10T03:37:09.207233Z", "deleted_at": null, "sha1_hash": "320df28f75604078a4486fac24d8c96dcc47d5bc", "title": "August in November: New Information Stealer Hits the Scene | Proofpoint US", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 738500, "plain_text": "August in November: New Information Stealer Hits the Scene |\r\nProofpoint US\r\nBy December 07, 2016 Proofpoint Staff\r\nPublished: 2016-12-07 · Archived: 2026-04-05 12:46:35 UTC\r\nOverview\r\nDuring the month of November, Proofpoint observed multiple campaigns from TA530 - an actor we have\r\nnoted for their highly personalized campaigns [6] - targeting customer service and managerial staff at retailers.\r\nThese campaigns utilized “fileless” loading of a relatively new malware called August through the use of Word\r\nmacros and PowerShell. August contains stealing functionality targeting credentials and sensitive documents from\r\nthe infected computer.\r\nDelivery and Targeting\r\nDuring our analysis we found that many of the lures and subject lines of the emails used references to issues with\r\nsupposed purchases on the company’s website and were targeted at individuals who may be able to provide\r\nsupport for those issues. The lures also suggested that the attached document contained detailed information about\r\nthe issue. However, the documents contained macros that could download and install August Stealer.\r\nThe subject lines were personalized with the recipient's domain. Examples included:\r\nErroneous charges from [recipient’s domain]\r\n[recipient’s domain] - Help: Items vanish from the cart before checkout\r\n[recipient’s domain] Support: Products disappear from the cart during checkout\r\nNeed help with order on [recipient’s domain]\r\nDuplicate charges on [recipient’s domain]\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 1 of 11\n\nFigure 1: Example email used to deliver the macro-laden document\r\nFigure 2: Example email used to deliver the macro-laden document\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 2 of 11\n\nFigure 3: Example macro-laden document attachment used to deliver August\r\nThe macro used is very similar to the one we discussed in our previous post detailing sandbox evasion techniques\r\nused to deliver the Ursnif banking Trojan [1]. It filters out security researchers and sandboxes using checks\r\nincluding Maxmind, task counts, task names, and recent file counts. Notably, the macro used in this campaign\r\nlaunches a Powershell command to “filelessly” load the payload from a byte array hosted on a remote site. This\r\nactor previously used this technique to load POS payloads [2][3][4].\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 3 of 11\n\nFigure 4: Example PowerShell command used to download and execute the byte array\r\nFigure 5: Snippet of the network traffic returning the byte array used to load August\r\nThe screenshot above shows the payload downloaded from the remote site as a PowerShell byte array. In addition\r\nto the byte array itself, there are few lines of code that deobfuscate the array through an XOR operation, and\r\nexecute the “Main” function of the payload.\r\nAnalysis\r\nAugust is written in .NET, with samples obfuscated with Confuser [5]. We determined from the source code of a\r\nparticular sample that August can\r\nSteal and upload files with specified extensions to a command and control (C\u0026C) server\r\nSteal .rdp files\r\nSteal wallet.dat files\r\nSteal crypto currency wallets including Electrum and Bither\r\nGrab FTP credentials from applications including SmartFTP, FileZilla, TotalCommander, WinSCP, and\r\nCoreFTP\r\nGrab messenger credentials for Pidgin, PSI, LiveMessenger, and others\r\nCollect cookies and passwords from Firefox, Chrome, Thunderbird, and Outlook\r\nDetermine the presence of common security tools including Wireshark and Fiddler\r\nCommunicate the hardware ID, OS name, and victim's username to the C\u0026C server\r\nUse simple encryption of network data via base64 encoding, character replacement, adding a random key\r\n(passed to server encoded in the User-Agent field), and reversing the strings\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 4 of 11\n\nFigure 6: The “Main” function executed from the PowerShell command\r\nFigure 7: Determines the presence of security tools, and does not communicate with the C\u0026C if they are found\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 5 of 11\n\nFigure 8: Network data encryption\r\nFigure 9: Example encrypted traffic generated by August\r\nFigure 10: August configured to search and upload .txt and .doc files to the server\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 6 of 11\n\nFigure 11: August control panel with stolen credentials for FTP, messenger, mail, RDP, and other programs\r\nConclusion\r\nAugust is a new information stealer currently being distributed by threat actor TA530 through socially engineered\r\nemails with attached malicious documents. While this actor is largely targeting retailers and manufacturers with\r\nlarge B2C sales operations, August could be used to steal credentials and files in a wide range of scenarios. The\r\nmalware itself is obfuscated while the macro used in these distribution campaigns employs a number of evasion\r\ntechniques and a fileless approach to load the malware via PowerShell. All of these factors increase the difficulty\r\nof detection, both at the gateway and the endpoint. As email lures become increasingly sophisticated and\r\npersonalized, organizations need to rely more heavily on email gateways capable of detecting macros with\r\nsandbox evasion built in as well as user education that addresses emails that do not initially look suspicious.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques\r\n[2] https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-target-execs\r\n[3] http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/\r\n[4] https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html\r\n[5] https://confuser.codeplex.com/\r\n[6] https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-target-execs\r\nIndicators of Compromise (IOCs)\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 7 of 11\n\nIOC\r\nIOC\r\nType\r\nDescription\r\nc432cc99b390b5edbab400dcc322f7872d3176c08869c8e587918753c00e5d4e SHA256\r\nExample\r\nDocument\r\nhxxp://thedragon318[.]com/exchange/owalogon.asp URL Payload URL\r\nhxxps://paste[.]ee/r/eY3Ui URL Payload URL\r\nhxxp://muralegdanskzaspa[.]eu/network/outlook.asp URL Payload URL\r\nhxxp://krusingtheworld[.]de/port/login.asp URL Payload URL\r\nhxxp://pg4pszczyna[.]edu[.]pl/config/config.asp URL Payload URL\r\nhxxp://www[.]overstockage[.]com/image/image.asp URL Payload URL\r\nhxxp://thedragon318[.]com/exchange/port10/gate/ URL August C2\r\nhxxp://himalayard[.]de/exchange/port10/gate/ URL August C2\r\nhxxp://muralegdanskzaspa[.]eu/network/port10/gate/ URL August C2\r\nhxxp://krusingtheworld[.]de/port/jp/gate/ URL August C2\r\nhxxp://pg4pszczyna[.]edu[.]pl/config/install/gate/ URL August C2\r\nhxxp://www[.]overstockage[.]com/catalog/core/gate/ URL August C2\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 8 of 11\n\nET and ETPRO Suricata/Snort Coverage\r\n2823166          ETPRO TROJAN August Stealer CnC Checkin\r\n2823171          ETPRO CURRENT_EVENTS MalDoc Payload Inbound Nov 08\r\nAppendix A: Forum Advertisement\r\nAugust Stealer - Passwords/Documents/Cookies/Wallets/Rdp/Ftp/IM Clients\r\nОписание функционала:\r\n- Стиллинг данных браузеров (сохранённые пароли/куки файлы) из:\r\nMozilla FireFox\r\nGoogle Chrome\r\nYandex Browser\r\nOpera Browser\r\nComodo IceDragon\r\nVivaldi Browser\r\nMail.Ru Browser\r\nAmigo Browser\r\nBromium\r\nChromium\r\nSRWare Iron\r\nCoolNovo Browser\r\nRockMelt Browser\r\nTorch Browser\r\nDooble Browser\r\nU Browser\r\nCoowon\r\n- Стиллинг данных учётных записей из некоторых фтп клиентов:\r\nFileZilla\r\nSmartFTP\r\n- Стиллинг данных из мессенджеров:\r\nPsi+\r\nPsi\r\n- Стиллинг файлов из указанных директорий по указанным маскам (возможность ограничивать вес\r\nвходящих файлов)\r\n- Стиллинг файлов wallet.dat (кошельки криптвалюты)\r\n- Стиллинг файлов удалённого подключения (.rdp)\r\nОписание билда:\r\n- Зависимость от .NET Framework (2.0, возможность компиляции для более поздних версий по желанию)\r\n- Самоудаление после работы\r\n- Отправка данных на гейт (PHP 5.4+)\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 9 of 11\n\n- Шифрование входящего/исходящего трафика\r\n- Вес чистого, необфусцированного билда ~ 45кб\r\n- Не таскает за собой нативные библиотеки\r\n- Не требуются админ. права для выполнения поставленных задач\r\n- Не использовались чужие исходники\r\nОписание панели управления:\r\n- Версия PHP 5.4+\r\n- Не требуется MySQL\r\n- Интуитивно-понятный интерфейс\r\n- Опенсорс, нет обфускации, нет привязок\r\n- Английский язык\r\nПервым трем покупателям - скидка 30% за отзыв\r\nТем, кто приобретал у меня ранее продукт, предоставляется скидка 50%\r\nПринимаю предложения по совершенстованию софта/пополнению функционала\r\nЗнатоки английского для исправления косяков в панели тоже бы пригодились\r\nСофт в будущем будет обновляться и пополняться новыми фичами, не глобальные обновления для\r\nклиентов будут бесплатны\r\nЦена: 100$\r\nРебилд: 10$\r\nМетод оплаты: BTC\r\nAppendix B: Forum Advertisement - English Translation\r\nAugust Stealer - Passwords/Documents/Cookies/Wallets/Rdp/Ftp/IM Clients\r\nStealing data browser (saved passwords / cookie files) from:\r\nMozilla FireFox\r\nGoogle Chrome\r\nYandex Browser\r\nOpera Browser\r\nComodo IceDragon\r\nVivaldi Browser\r\nMail.Ru Browser\r\nAmigo Browser\r\nBromium\r\nChromium\r\nSRWare Iron\r\nCoolNovo Browser\r\nRockMelt Browser\r\nTorch Browser\r\nDooble Browser\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 10 of 11\n\nU Browser\r\nCoowon\r\n- Stealing data accounts of some FTP clients:\r\nFileZilla\r\nSmartFTP\r\n- Stealing data from the messengers:\r\nPsi +\r\nPsi\r\n- Stealing files from the specified directory on the specified masks (the ability to restrict the size of incoming files)\r\n- Stealing wallet.dat files (cryptocurrency purses)\r\n- Stealing file remote connection (.rdp)\r\nDescription of the build:\r\n- Dependence on the .NET Framework (2.0, able to compile for later versions on request)\r\n- Self-removal after execution\r\n- Sending data to the gate (PHP 5.4+)\r\n- Encryption of incoming / outgoing traffic\\\r\n- Size of clean build before obfuscation ~45KB\r\n- Does not bring with it native libraries\r\n- Do not require admin\r\n- Do not borrow sources from other malware\r\nDescription of the control panel:\r\n- Version PHP 5.4+\r\n- You do not need MySQL\r\n- Intuitive interface\r\n- Open source, no obfuscation, no bindings\r\n- English\r\nThe first three customers - 30% discount for a review\r\nThose who acquired my earlier product, 50% discount\r\nI accept suggestions for making the software better / additional functionality\r\nExperts of the English language to correct the bugs in the panel are welcome\r\nSoftware in the future will be updated with new features done, small updates will be free for customers\r\nPrice: $ 100\r\nRebild: $ 10\r\nPayment method: BTC\r\nSource: https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nhttps://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\nPage 11 of 11\n\n https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene \nFigure 1: Example email used to deliver the macro-laden document\nFigure 2: Example email used to deliver the macro-laden document\n Page 2 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene" ], "report_names": [ "august-in-december-new-information-stealer-hits-the-scene" ], "threat_actors": [ { "id": "f8fd6c94-f1bf-43b8-8613-edc46ca097ee", "created_at": "2022-10-25T16:07:24.285532Z", "updated_at": "2026-04-10T02:00:04.922819Z", "deleted_at": null, "main_name": "TA530", "aliases": [], "source_name": "ETDA:TA530", "tools": [ "AbaddonPOS", "August Stealer", "Bugat v5", "CryptoWall", "Dofoil", "Dridex", "Gozi ISFB", "H1N1", "H1N1 Loader", "ISFB", "Nymaim", "Pandemyia", "Sharik", "Smoke Loader", "SmokeLoader", "SpY-Agent", "TVRAT", "TVSpy", "TeamSpy", "TeamViewerENT", "TinyLoader", "nymain" ], "source_id": "ETDA", "reports": null }, { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "af77521e-c35f-4030-a95d-bcd1eaeeaac1", "created_at": "2023-01-06T13:46:38.476089Z", "updated_at": "2026-04-10T02:00:02.990237Z", "deleted_at": null, "main_name": "TA530", "aliases": [], "source_name": "MISPGALAXY:TA530", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434263, "ts_updated_at": 1775792229, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/320df28f75604078a4486fac24d8c96dcc47d5bc.pdf", "text": "https://archive.orkl.eu/320df28f75604078a4486fac24d8c96dcc47d5bc.txt", "img": "https://archive.orkl.eu/320df28f75604078a4486fac24d8c96dcc47d5bc.jpg" } }