{
	"id": "760b0ab3-aa80-47ab-8521-9794e580e039",
	"created_at": "2026-04-06T00:19:01.778479Z",
	"updated_at": "2026-04-10T03:36:47.77073Z",
	"deleted_at": null,
	"sha1_hash": "330421ad11bb92efb06b3a31d80cf48337d3c23c",
	"title": "Cyble - Prynt Stealer Spotted In The Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4259119,
	"plain_text": "Cyble - Prynt Stealer Spotted In The Wild\r\nPublished: 2022-04-21 · Archived: 2026-04-05 17:07:02 UTC\r\nThe stealer is new on the cybercrime forums and can steal financial data using a clipper and keylogging operations.\r\nCyble research labs discovered a new Infostealer named Prynt Stealer. The stealer is new on the cybercrime forums\r\nand comes with various capabilities. Along with stealing the victim’s data, this stealer can also perform financial\r\nthefts using a clipper and keylogging operations. Additionally, it can target 30+ Chromium-based browsers, 5+\r\nFirefox-based browsers, and a range of VPN, FTP, Messaging, and Gaming apps. Furthermore, a builder may\r\ncustomize the functionality of this stealer.\r\nFigure 1: Post on cybercrime marketplace\r\nThe developer of the stealer recently claimed the recent versions of the stealer to be FUD (Fully Undetectable), as\r\nshown in Figure 2. We could also spot a few stealer logs available for free on the Telegram channel.\r\nhttps://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/\r\nPage 1 of 22\n\nFigure 2: Details from Telegram\r\nThe embedded binary contains hardcoded strings which are encrypted using AES256 and Rijndael encryption\r\nalgorithm. Prynt Stealer is a .Net-based malware. Figure 3 shows the file details.\r\nWorld's Best AI-Native Threat Intelligence\r\nhttps://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/\r\nPage 2 of 22\n\nFigure 3: File details\r\nTechnical Analysis\r\nThe sample (SHA 256: 1283c477e094db7af7d912ba115c77c96223208c03841768378a10d1819422f2) has an\r\nobfuscated binary stored as a string, as shown in Figure 4.\r\nFigure 4: Obfuscated binary\r\nThe binary is encoded using the rot13 cipher. ROT13 (rotate by 13 places) replaces a letter with one after 13\r\npositions from the current letter. 
In this sample, the ROT13 algorithm is applied to a Base64-encoded binary. Rather than dropping the payload to disk, the malware executes it directly in memory using the AppDomain.CurrentDomain.Load() method.\r\nFigure 5: Binary decoding process\r\nThe malware uses the ServicePointManager class to establish an encrypted channel for interacting with the server. There are a few hardcoded strings encrypted using the AES256 algorithm. All these strings are decrypted by calling the Settings.aes256.Decrypt() method, and the result is assigned back to the same variables, as shown in the Figure below.\r\nFigure 6: Decrypts hardcoded strings\r\nAfter this, the malware creates a hidden directory in the AppData folder, named using an MD5 hash value. The Figure below shows the part of the malware code that creates and hides the directory.\r\nFigure 7: Creates a hidden directory\r\nThen a subfolder is created inside the parent directory created above, named using the format “username@computername_culture.” The malware will also create other folders inside this folder, such as Browsers, Grabber, etc. These folders are used for saving the stolen data from the respective sources.\r\nThe malware then identifies all the logical drives present in the victim’s system using the DriveInfo class and checks for the presence of removable devices. Next, the malware adds each drive’s name and path to its target list for stealing data. After identifying the drive details, the malware steals files from the targeted directories, as shown in Figure 8. The malware uses a multithreading approach to steal files quickly from the victims’ machines. 
Prynt Stealer only steals files smaller than 5120 bytes that have one of the following extensions:\r\nDocument: pdf, rtf, doc, docx, xls, xlsx, ppt, pptx, indd, txt, json.\r\nDatabase: db, db3, db4, kdb, kdbx, sql, sqlite, mdf, mdb, dsk, dbf, wallet, ini.\r\nSource Code: c, cs, cpp, asm, sh, py, pyw, html, css, php, go, js, rb, pl, swift, java, kt, kts, ino.\r\nImage: jpg, jpeg, png, bmp, psd, svg, ai.\r\nFigure 8: Steals files\r\nBrowsers\r\nAfter stealing files from the victim’s system, Prynt Stealer steals data from browsers.\r\nTargeted browsers include:\r\nChromium-based browsers\r\nMS Edge\r\nFirefox-based browsers\r\nChromium-based browsers:\r\nIt first creates a folder named “Browsers” and then checks for the browser directories (refer to the Figure below) in the “AppData” folder using the Directory.Exists() method. If it returns true, the malware starts stealing data from the respective location. 
The stealer can target nearly all Chromium-based browsers, as can be seen in the Figure below. Chromium browsers use multiple .sqlite files for storing users’ data.\r\nFigure 9: Targeted Chromium-based browsers\r\nIt steals the master key from the “Local State” file, which is used for decrypting the sensitive information stored in the browsers.\r\nThe malware steals Credit Cards, Passwords, Cookies, Autofill, History, Downloads, and Bookmarks data from browsers, and saves the stolen data in respective text files created under the “Browsers\\Browser_Name\\” directory.\r\nFiles targeted by the malware for stealing data:\r\nWeb Data (for Autofill data)\r\nLogin Data (for Login Credentials)\r\nHistory (for search history)\r\nCookies (for browser Cookies)\r\nFigure 10: Steals data from Chromium-based browsers\r\nWhile stealing the data from browsers, the malware also checks whether keywords belonging to services such as Banking, Cryptocurrency, and Porn are present in the browser data using the ScanData() method. The Figure below shows the services for which the malware runs string search operations.\r\nFigure 11: Checks for specific services\r\nMS Edge Browsers:\r\nThe malware first checks for the directory “\\AppData\\Local\\Microsoft\\Edge\\User Data,” which helps identify whether the Edge browser is installed on the victim’s system. After this, it enumerates all the files in the system and checks whether the “Login Data” file is present. 
If so, it steals the data from the browser, as can be seen in the Figure below. Finally, the ScanData() method is used again while stealing data from the Edge browser.\r\nFigure 12: Steals data from MS Edge browser\r\nFirefox-based browsers:\r\nPrynt Stealer targets eight Firefox-based browsers, which can be seen in Figure 13.\r\nFigure 13: Targeted Firefox-based browsers\r\nThe malware only proceeds to steal data if the Profile folder is present under the “AppData\\Browser_name” directory. Firefox uses this folder for saving user data. The malware copies the “logins.json” file, which stores the Firefox login credentials, from the “Profile” folder to the folder initially created for saving stolen data. The following files under the “Profile” folder are targeted by the malware for stealing data:\r\nplaces.sqlite (for Bookmarks and History)\r\ncookies.sqlite (for browser cookies)\r\nlogins.json (for Login Credentials)\r\nFigure 14: Steals data from Firefox-based browsers\r\nMessaging Applications\r\nAfter stealing data from browsers, the malware targets the following messaging applications:\r\nDiscord\r\nPidgin\r\nTelegram\r\nThe malware first creates a folder named Messenger, which will be used for saving data from these applications.\r\nDiscord:\r\nAfter this, the malware checks for Discord tokens. It first searches for the following directories:\r\nDiscord\\\\Local Storage\\\\leveldb\r\ndiscordptb\\\\Local Storage\\\\leveldb\r\nDiscord Canary\\\\leveldb\r\nIt only proceeds if one of the above directories exists. If a directory is present, the malware checks for files ending with .ldb or .log and extracts Discord tokens from them using a regular expression. 
Then it creates a folder named “Discord” and writes the stolen tokens to “Tokens.txt.”\r\nFigure 15: Steals Discord tokens\r\nPidgin:\r\nPidgin is a chat program that lets you log in to accounts on multiple chat networks simultaneously. It is compatible with the following chat networks: Jabber/XMPP, Bonjour, Gadu-Gadu, IRC, Novell GroupWise Messenger, Lotus Sametime, SILC, SIMPLE, and Zephyr.\r\nThe malware first checks whether “.purple\\\\accounts.xml” is present in the AppData folder. This file stores the Pidgin login credentials. It steals the login credentials and protocol details and saves them into the accounts.txt file for exfiltration.\r\nFigure 16: Steals data from Pidgin\r\nTelegram:\r\nThe malware calls the Process.GetProcessByName() method to get the name and path of running processes on the victim’s machine. The malware then checks whether the string Telegram is present in the retrieved path. Finally, it gets the Telegram directory and steals data from there if it is present; the malware targets the “tdata” folder for stealing Telegram sessions.\r\nFigure 17: Steals Telegram sessions\r\nGaming Applications\r\nPrynt Stealer targets the following gaming applications:\r\nSteam\r\nMinecraft\r\nUplay\r\nSteam:\r\nThe malware identifies the Steam installation path by checking the registry key value at “HKEY_LOCAL_MACHINE\\Software\\Valve\\Steam.” After this action, it enumerates the subkeys present under “HKEY_LOCAL_MACHINE\\Software\\Valve\\Steam\\Apps” to get details of the installed applications, as can be seen in the Figure below. 
The malware also targets Steam’s SSFN file, known as the authorization file, and copies it for exfiltration.\r\nFigure 18: Steals data from Steam\r\nUplay:\r\nThe malware looks for “Ubisoft Game Launcher” in the AppData folder, and if this folder is present, it copies all the files in it for exfiltration.\r\nFigure 19: Steals data from Uplay\r\nMinecraft:\r\nFor Minecraft, the stealer checks whether the “.minecraft” folder is present under the AppData directory. If it is present, it creates a folder named “Minecraft” under the “Gaming” folder to save the stolen data.\r\nThe stealer copies “launcher_profiles.json”, “servers.dat” and screenshots to the “Minecraft” folder for exfiltration. It also extracts mods and version details and saves them to respective text files created in the “Minecraft” folder.\r\nFigure 20: Steals data from Minecraft\r\nCrypto Wallets\r\nThe malware targets the following crypto wallets:\r\nZcash, Armory, Bytecoin, Jaxx, Ethereum, AtomicWallet, Guarda, and Coinomi.\r\nIt creates a folder named “Wallets” and then enumerates a list of hardcoded wallets to identify the crypto wallet used by the victim.\r\nThe stealer queries the registry to identify the location of blockchain clients such as Litecoin, Dash, and Bitcoin, as shown in the Figure below. It obtains the path from the registry value “strDataDir” under the HKEY_CURRENT_USER\\Software\\Blockchain_name\\Blockchain_name-Qt registry key.\r\nFigure 21: Steals data from Crypto wallets\r\nFTP Applications\r\nPrynt Stealer targets FileZilla, a free and open-source, cross-platform FTP application. 
It steals the data from “sitemanager.xml” and “recentservers.xml” and stores it in the “Hosts.txt” file under the “FileZilla” folder for exfiltration.\r\nFigure 22: Steals data from FileZilla\r\nVPN\r\nPrynt Stealer targets the following VPN applications:\r\nOpenVPN\r\nProtonVPN\r\nNordVPN\r\nIt copies the configuration files of ProtonVPN and OpenVPN and steals the user credentials from the NordVPN configuration file.\r\nFigure 23: Steals data from VPN configuration files\r\nDirectory tree\r\nAfter this action, the malware creates a folder named “Directories”, obtains the structure of each targeted directory, and writes it to text files, as shown in the Figure below. The directories targeted by the malware include the ones targeted initially for copying data.\r\nFigure 24: Obtains the directory tree\r\nSystem Information\r\nIt creates a folder named “System” in which it stores the stolen information regarding running processes, network details, a screenshot of the victim’s system, etc.\r\nProcess Details:\r\nPrynt Stealer uses the Process.GetProcesses() method to identify all the running processes on the victim’s system and writes them to the “Process.txt” file in the format:\r\nProcess name\r\nProcess ID\r\nExecutable path\r\nAfter this action, it gets the active windows using the process.MainWindowTitle() method and writes the data into the “Windows.txt” file in the format:\r\nProcess name\r\nProcess ID\r\nExecutable path\r\nFigure 25: Extracts details of current processes\r\nScreenshot:\r\nNext, it takes a screenshot of the victim’s system and saves it as a “Desktop.jpg” file:\r\nFigure 26: Takes Screenshot\r\nNetwork Information:\r\nThe stealer also extracts the network credentials using the 
command “chcp 65001 \u0026\u0026 netsh wlan show profile” and saves them into the “Savednetworks.txt” file. After this, using the command “/C chcp 65001 \u0026\u0026 netsh wlan show networks mode=bssid” it obtains the list of available networks and saves them into the “ScanningNetworks.txt” file.\r\nFigure 27: Steals saved network credentials and identifies the available networks\r\nWindows Product Key:\r\nIt steals the Windows product key from the “HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion” registry key, decodes it, and then saves it to the “ProductKey.txt” file.\r\nFigure 28: Steals Windows product key\r\nData exfiltration:\r\nThe malware creates a list and adds the overview of stolen data to it, as shown in the Figure below. Then it sends a chat message using the Telegram bot.\r\nTo identify the public IP, it sends a request to hxxp[:]//icanhazip[.]com\r\nTo identify the geolocation, it sends a request to hxxps[:]//api.mylnikov.org/geolocation/wifi?v=1.1\u0026bssid=\r\nFigure 29: Creates an overview of stolen data\r\nThe malware compresses the folder where the stolen data is saved and exfiltrates it to the Telegram bot. Furthermore, it uses a secure network connection for exfiltrating the stolen data to the remote server.\r\nFigure 30: Decrypted network traffic\r\nOther Capabilities\r\nOur analysis found that specific modules in the sample are not executed by the malware, including the Anti-analysis, Keylogger, and Clipper. 
Threat Actors (TAs) also provide a builder for this stealer, which can be customized to control these functionalities. In the case of anti-analysis, the module is driven by a hardcoded string present in the malware. The Figure below shows the method responsible for executing the anti-analysis functionality. Similarly, other modules also depend on these hardcoded strings.\r\nFigure 31: Anti-analysis\r\nClipper:\r\nThe Figure below shows the list in which TAs can store their crypto addresses. These entries are not populated, indicating that the TA might not have opted for this functionality in the builder.\r\nFigure 32: Clipper\r\nKeylogger:\r\nThis stealer enables the keylogging feature only if specific hardcoded applications are running on the system. The stolen data will be saved in the “logs\\keylogger” folder.\r\nFigure 33: Keylogger module\r\nConclusion\r\nPrynt Stealer is a recent infostealer strain with a wide range of capabilities. Though there are already popular stealers in the cybercrime marketplaces, TAs do adopt new toolkits that aid them in updating their Tactics, Techniques, and Procedures. These types of malware provide an easy way for TAs to get into corporate networks, as breaking into a network is not everyone’s cup of tea.\r\nOur Recommendations:\r\nAvoid downloading pirated software from warez/torrent websites. The “Hack Tools” present on sites such as YouTube, torrent sites, etc., mainly contain such malware.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 
\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing/untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor beacons at the network level to block data exfiltration by malware or TAs.\r\nEnable a Data Loss Prevention (DLP) solution on the employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nDefense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks\r\nCredential Access | T1555 | Credentials from Password Stores\r\nCredential Access | T1539 | Steal Web Session Cookie\r\nCredential Access | T1552 | Unsecured Credentials\r\nCredential Access | T1528 | Steal Application Access Token\r\nCollection | T1113 | Screen Capture\r\nDiscovery | T1087 | Account Discovery\r\nDiscovery | T1518 | Software Discovery\r\nDiscovery | T1057 | Process Discovery\r\nDiscovery | T1124 | System Time Discovery\r\nDiscovery | T1007 | System Service Discovery\r\nDiscovery | T1614 | System Location Discovery\r\nCommand and Control | T1071 | Application Layer Protocol\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nExfiltration | T1567 | Exfiltration Over Web Service\r\nIndicators of Compromise (IoCs):\r\nSource: https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/"
	],
	"report_names": [
		"prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434741,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/330421ad11bb92efb06b3a31d80cf48337d3c23c.pdf",
		"text": "https://archive.orkl.eu/330421ad11bb92efb06b3a31d80cf48337d3c23c.txt",
		"img": "https://archive.orkl.eu/330421ad11bb92efb06b3a31d80cf48337d3c23c.jpg"
	}
}