{
	"id": "6598db8d-81c5-4f06-af49-490517c3f373",
	"created_at": "2026-04-06T00:21:55.191532Z",
	"updated_at": "2026-04-10T03:37:08.553705Z",
	"deleted_at": null,
	"sha1_hash": "388782ce89e7fceff5eac3ce639c195b1a5dadb3",
	"title": "Unmasking RedLine Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11987454,
	"plain_text": "Unmasking RedLine Stealer\r\nBy Idan Malihi\r\nPublished: 2023-11-04 · Archived: 2026-04-05 19:35:22 UTC\r\nExecutive Summary\r\nThe ‘RedLine’ malware was discovered in 2020 during the COVID-19 outbreak. This information-stealing variant allows attackers to steal personal and sensitive data such as login credentials, web browsing history, crypto wallets, geographical locations, etc.\r\nAfter extensive research on the ‘RedLine’ malware, I discovered many threat actors were using it to sell stolen information on the Dark Web and Telegram. I decided to delve deeper into the topic by analyzing a sample of the ‘RedLine’ malware and conducting a high-level malware analysis.\r\nhttps://medium.com/@idan_malihi/redline-stealer-malware-analysis-76506ef723ab\r\nPage 1 of 37\n\nRedLine Data Logs For Sale in Telegram\r\nTechnical Details:\r\nFilename: NetFlix Checker by xRisky v22.exe\r\nFile Type: Executable\r\nArchitecture: PE32 (32-bit)\r\nSize: 6.47MB\r\nSHA256: e3544f1a9707ec1ce083afe0ae64f2ede38a7d53fc6f98aab917ca049bc63e69\r\nMD5: 8556792f20126e1ed89f93e1e26030e5\r\nInfection Diagram\r\nRedLine Stealer’s Infection Diagram\r\nStatic Analysis\r\nMalware’s Architecture\r\nThe malware is an executable file that works with 32-bit architecture.\r\nMalware’s Architecture\r\nScanning the Malware in VirusTotal\r\n55 out of 71 anti-virus engines identified the binary as malicious.\r\nMalware Scan in VirusTotal\r\nStrings\r\nSeveral strings indicate that the malware’s resources and modules are coded in .NET, such as mscorlib, System, Object, System.Reflection, etc.\r\nAlso, the malware uses functions that indicate its functionality, such as:\r\nAes - the malware uses AES encryption, a symmetric block cipher.\r\nMemoryStream - Creates a stream whose backing store is memory.\r\nGetBytes - Function used to encode strings into bytes.\r\nSymmetricAlgorithm - Represents the abstract base class from which all implementations of symmetric algorithms must inherit.\r\nICryptoTransform - Basic operations of cryptographic transformations.\r\nCreateDecryptor - Creates a symmetric decryptor object.\r\nCryptoStream - Represents the abstract base class from which all implementations of symmetric algorithms must inherit.\r\nCryptoStreamMode - Specifies the mode of a cryptographic stream.\r\nFromBase64String - Converts base64-encoded strings.\r\nMalware Resources and Modules\r\nInitial Execution\r\nThe malware carries an AES-encrypted payload which, after execution, it decrypts and injects into an executable file named ‘winlogon.exe’ that it drops in the %AppData% directory. The AES-encrypted data is the actual RedLine malware.\r\nAES Encryption\r\nCode Injection into the Winlogon.exe File\r\nThe malware employs loops in the code that lead back to the same code. It drops an executable file titled ‘NetFlix Checker by xRisky v2.exe’ in the Desktop directory. Additionally, it drops two executable files named ‘chrome.exe’ and ‘svchost.exe’ in the %AppData% directory.\r\n‘NetFlix Checker by xRisky v2.exe’ File Drop\r\n‘svchost.exe’ and ‘chrome.exe’ Files Drop\r\nIn summary, during the initial execution the malware drops four executable files onto the endpoint.\r\nThree Files in %AppData%\r\nA File in the Desktop\r\nThe malware adds chrome.exe to the endpoint’s scheduled tasks for persistent data collection.\r\nTask Scheduler\r\nWinlogon.exe Code Analysis\r\nIn the initial execution of the malware, three executable files (winlogon.exe, svchost.exe, and chrome.exe) are dropped in the %AppData% path. However, the actual RedLine malware is in the ‘winlogon.exe’ file. During execution, the ‘winlogon.exe’ file attempts to send stolen data to the C2 server.\r\nThe malware author used an obfuscator to make the executable’s decompiled code unintelligible, which complicates code review.\r\nCode Obfuscation Detection\r\nThe decompiled code of the stealer exposes the actions it will perform during execution, such as stealing the following data: Chrome cookies, Opera cookies, crypto wallets, system hardware, geo-location, files, etc.\r\nMalware’s Actions\r\nBrowsers\r\nUsers commonly save login credentials, auto-fill data, and credit card information in browsers like Chrome, Opera, and Firefox for faster form-filling and account access. Stealers like ‘RedLine’ specifically target browser information in order to take over victims’ accounts and, especially with credit card information, to steal money and make unauthorized purchases online.\r\nThe malware steals the browser’s version information, account credentials, auto-fill data, cookies, credit cards, login data, and geolocation from the Chrome and Opera browsers.\r\nAccount Credentials Theft\r\nThe malware steals the autofill data from the browsers.\r\nAutofill Data Theft\r\nAutofill Data Theft 2\r\nThe malware gathers information about the browser installed on the endpoint.\r\nBrowser Information Theft\r\nThe malware steals credit card information from the browsers.\r\nCredit Card Information Theft\r\nCredit Card Information Theft 2\r\nThe malware steals login data from the Chrome browser.\r\nLogin Data Theft\r\nThe malware steals cookies from the browsers.\r\nCookies Theft\r\nThe malware uses ‘GeoPlugin,’ a geolocation web service API, to determine the location of an endpoint based on its IP address.\r\nGeoLocation API\r\nThe malware uses the OpenSubKey function to access the registry path SOFTWARE\\Clients\\StartMenuInternet and retrieve the string value using the GetValue method.\r\nRegistry Path Access and Read\r\nCrypto Wallets\r\nMost threat actors use cryptocurrency wallets for anonymity. These wallets generate unique wallet addresses for victims to transfer money anonymously. Furthermore, some people invest in cryptocurrency coins like Bitcoin, Ethereum, Tether, Solana, etc. Threat actors target crypto wallets to steal victims’ wallet information and money.\r\nThe malware searches for and steals information and files from a list of wallets, such as Coinbase, Yoroi, Atomic, Wombat, Jaxx Liberty, Saturn, etc.\r\nCryptocurrency Wallets List\r\nCryptocurrency Wallets List 2\r\nCryptocurrency Wallets List 3\r\nCryptocurrency Wallets List 4\r\nCryptocurrency Wallets List 5\r\nCryptocurrency Wallets List 6\r\nThe malware searches for Armory .wallet files in the %AppData% directory.\r\nArmory Wallet Files Theft\r\nThe malware attempts to steal cryptocurrency wallet files in the ‘atomic’ directory.\r\nAtomic Wallet Files Theft\r\nThe malware searches for JSON files or any files within the ‘\\Exodus\\’ directory and locates the ‘exodus.wallet’ file on the endpoint.\r\nExodus Wallet Files Theft\r\nThe stealer attempts to steal information from the Jaxx Liberty cryptocurrency wallet directory.\r\nJaxx Liberty Wallet Files Theft\r\nThe stealer searches for any Coinomi crypto wallet files within the \\Coinomi directory located in the %AppData% path.\r\nCoinomi Wallet Files Theft\r\nThe stealer attempts to steal all files related to the Electrum wallet located in the %AppData%\\Electrum\\wallets directory.\r\nElectrum Wallet Files Theft\r\nThe stealer tries to collect information about the Guarda wallet in the %AppData% directory.\r\nGuarda Wallet Files Theft\r\nSystem\r\nMalware authors program stealers to gather system information, such as country, city, hardware, and IP addresses. This is done to profile victims, enable geographic targeting, assess hardware vulnerabilities, deliver content in victims’ languages, etc.\r\nThe malware gathers information from the endpoint, including city, country, file location, hardware, IP address, language, machine name, and zip code.\r\nSystem Information Gathering\r\nSystem Information Gathering\r\nThe malware author uses the WQL query ‘SELECT * FROM Win32_Processor’ to steal information about the endpoint, including the number of cores in the processor and running processes.\r\nSELECT * FROM Win32_Processor\r\nIn addition, the malware author uses the WQL query ‘SELECT * FROM Win32_VideoController’ to steal information about the RAM in the endpoint.\r\nSELECT * FROM Win32_VideoController\r\nAlso, the malware uses the WQL query ‘SELECT * FROM Win32_DiskDrive’ to retrieve the disk drives connected to the endpoint and their serial numbers.\r\nSELECT * FROM Win32_DiskDrive\r\nThe malware uses the WQL query ‘SELECT * FROM Win32_Process Where SessionId=’ to retrieve session IDs, process names, and command lines.\r\nSELECT * FROM Win32_Process Where SessionId=\r\nThe malware collects the ‘ProductsName’ and ‘CSDVersion’ values from the ‘SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion’ registry path, along with system architecture information.\r\nCollects ‘ProductsName’ and ‘CSDVersion’ Values\r\nAfter the stealer collects data from the endpoint, it stores the acquired information in a list that includes languages, browsers, FTP connections, chat logs for games, game launcher files, installed browsers, message client files, Nord accounts, open processes, Proton, scanned files, scanned wallets, security utilities, software, and hardware components of the system.\r\nSaves Information in Lists\r\nThe malware gathers IPv4, city, country, and zip code data from the endpoint.\r\nIP, City, Country, and ZipCode Theft\r\nIP and Location Theft\r\nCountry and PostalCode Theft\r\nCurrentInputLanguage Theft\r\nTimeZoneInfo.Local Theft\r\nScanned Files\r\nMalware authors program stealers to steal known and sensitive file types on the victims’ system, such as docx, txt, doc, and csv. Threat actors want this sensitive information for further exploitation, financial gain, identity theft, and data extortion. The stolen files can also be used for espionage, intelligence gathering, or resale on the dark web.\r\nThe malware attempts to steal exe, docx, txt, doc, csv, and DLL files from the endpoint.\r\nexe, docx, txt Files Theft\r\ndoc, csv, docx, doc, DLL Files Theft\r\nThe malware attempts to extract account details from the \\\\FileZilla\\\\sitemanager.xml file located in the %AppData% directory.\r\nFileZilla sitemanager.xml Theft\r\nThe malware searches for files and directories in the Program Files (x86) and ProgramData paths.\r\nSearches Files and Directories in Program Files (x86) and ProgramData\r\nThe malware uses the GetDirectories method to retrieve the names of subdirectories and the GetFiles method to retrieve the names of files within those directories.\r\nGets Directories and Sub-Directories\r\nJavaScriptSerializer is used to convert JSON strings into objects.\r\nJavaScriptSerializer\r\nThe malware uses the LoadLibrary function to load two DLL files, kernel32.dll and user32.dll. It then calls GetConsoleWindow to fetch the window handle of the console associated with the process, followed by ShowWindow to set the show state of the specified window.\r\nGetConsoleWindow and ShowWindow Commands\r\nVPN Software\r\nStealer malware may target VPN software files on victims’ systems to disrupt their anonymity and online privacy, steal login credentials and configuration details, conduct targeted surveillance, and exfiltrate sensitive data protected by the VPN.\r\nThe malware searches for two specific files, ‘BirdVPN’ and ‘NordVpn.exe,’ within the directory %USERPROFILE%\\AppData\\Local\\ to obtain the username and password for both VPN products.\r\nBirdVPN and NordVPN Files Theft\r\nBirdVPN and NordVPN Files Theft\r\nThe malware attempts to steal the ovpn files of ProtonVPN from the %AppData%\\Local directory.\r\nProtonVPN Files Theft\r\nThe stealer attempts to steal the OpenVPN ovpn files in the ‘%AppData%\\Roaming\\OpenVPN\\profiling’ directory.\r\nOpenVPN Files Theft\r\nSoftware\r\nStealer malware targets third-party software, such as Telegram, Steam, or Discord, to steal user login credentials, authentication tokens, etc. This data enables threat actors to gain unauthorized access, commit identity theft, and potentially generate financial gains. This kind of theft can reveal victims’ interests and affiliations, and it can also be used for extortion and resale on the dark web.\r\nThe malware attempts to extract a user’s Telegram profile from their endpoint.\r\nTelegram Profile Files Theft\r\nTelegram Profile Files Theft\r\nTelegram Profile Files Theft\r\nThe stealer attempts to steal Discord information by searching for .log and .ldb files in the %AppData%\\discord\\Local Storage\\leveldb directory.\r\nDiscord Files Theft\r\nThe malware attempts to steal data by accessing the registry key ‘Software\\Valve\\Steam’ and extracting the values of SteamPath, ssfn, config, and .vdf.\r\nSteam Files Theft\r\nMalware’s C2 Server\r\nThe threat actor conceals his IP address with a dynamic DNS service that links his IP address 192.169.69.26 to the ‘siyatermi.duckdns.org’ domain.\r\nMalware’s C2 Server\r\nMalware’s C2 Server in Wireshark\r\nThe stolen information is sent to ‘siyatermi.duckdns.org’ in SOAP messages over HTTP. SOAP is a protocol for structuring web-service messages, with the data represented in XML, that lets different applications or systems communicate over the internet.\r\nSOAP Data Transmission\r\nThe stealer verifies the connection established by the malware to the C2 server.\r\nConnection Verification\r\nConclusion\r\nRedLine Stealer is a dangerous type of malware that can cause serious harm to both individuals and organizations. It is crucial to protect your systems from RedLine Stealer by using strong passwords, keeping your software up to date, and being cautious about which emails you open and what attachments you download.\r\nMITRE ATT\u0026CK Mapping\r\nMITRE ATT\u0026CK Mapping\r\nIndicators of Compromise (IoCs)\r\n1. %AppData%/winlogon.exe\r\n2. %AppData%/chrome.exe\r\n3. %AppData%/svchost.exe\r\n4. Desktop/NetFlix Checker by xRisky v2.exe\r\n5. siyatermi.duckdns.org:17044\r\n6. 192.169.69.26\r\nYARA Rule\r\nThe following YARA rule detects the ‘winlogon.exe’ RedLine malware.\r\nYara Rule\r\nRedLine Detection With the Yara Rule\r\nRedLine Detection\r\nSource: https://medium.com/@idan_malihi/redline-stealer-malware-analysis-76506ef723ab",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@idan_malihi/redline-stealer-malware-analysis-76506ef723ab"
	],
	"report_names": [
		"redline-stealer-malware-analysis-76506ef723ab"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434915,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/388782ce89e7fceff5eac3ce639c195b1a5dadb3.pdf",
		"text": "https://archive.orkl.eu/388782ce89e7fceff5eac3ce639c195b1a5dadb3.txt",
		"img": "https://archive.orkl.eu/388782ce89e7fceff5eac3ce639c195b1a5dadb3.jpg"
	}
}