{
	"id": "65b8d808-aa72-4e6c-be92-642e7eba8d15",
	"created_at": "2026-04-06T00:18:16.667453Z",
	"updated_at": "2026-04-10T03:35:56.564698Z",
	"deleted_at": null,
	"sha1_hash": "3b9e03f8439363fdd67cb5cfbcc0f5c2f562410b",
	"title": "Loki Password Stealer (PWS) (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 162519,
	"plain_text": "Loki Password Stealer (PWS) (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:18:42 UTC\r\nLoki Password Stealer (PWS)\r\naka: Burkina, Loki, LokiBot, LokiPWS\r\nActor(s): SWEED, The Gorgon Group, Cobalt\r\n\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\nLoki-Bot employs function hashing to obfuscate the library functions it uses. While not all functions are hashed, the vast majority of them are.\r\nLoki-Bot accepts a single argument/switch, ‘-u’, which simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\nThe Mutex name is the MD5 hash of the Machine GUID, trimmed to 24 characters. For example: “B7E1C2CC98066B250DDB2123”.\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is taken from the 8th through 13th characters of the Mutex. For example: “%APPDATA%\\C98066\\”.\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe”, “.lck”, “.hdb” and “.kdb”. They are named after characters 13 through 18 of the Mutex (character 13 is shared with the folder name). For example: “6B250D”. Their purpose:\r\nFILE EXTENSION - FILE DESCRIPTION\r\n.exe - A copy of the malware that will execute every time the user account is logged into\r\n.lck - A lock file created when either decrypting Windows Credentials or keylogging, to prevent resource conflicts\r\n.hdb - A database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb - A database of keylogger data that has yet to be sent to the C2 server\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\nThe first packet transmitted by Loki-Bot contains application data.\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws\r\nPage 1 of 8\n\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot sends this request every 10 minutes after the initial packet.\r\nCommunications to the C2 server from the compromised host contain information about the user and system, including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\nWORD VALUE - PAYLOAD TYPE\r\n0x26 - Stolen Cryptocurrency Wallet\r\n0x27 - Stolen Application Data\r\n0x28 - Get C2 Commands from C2 Server\r\n0x29 - Stolen File\r\n0x2A - POS (Point of Sale?)\r\n0x2B - Keylogger Data\r\n0x2C - Screenshot\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically “ckav.ru”. 
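As an added example (this is not code from Malpedia, from the SANS paper the description draws on, or from any LokiBot tooling), the following Python turns the two facts above into responder checks: it derives the Mutex, hidden folder and file names a host should carry from its MachineGuid, and it decodes the fixed part of an HTTP POST body (version WORD, Payload Type WORD, Binary ID from the 11th byte) and flags a Binary ID other than ckav.ru. Everything the page does not state is an assumption and is marked in the code: the GUID is hashed as the bare registry string in a caller-chosen encoding, the WORDs are little-endian, bytes 4 through 9 of the body are zero filler because the page does not describe them, and the Binary ID is taken as the run of printable ASCII from offset 10 because the page does not say how it is delimited. The sample bodies are constructed, not captured traffic, and the function names are this example's own.

```python
import hashlib
import struct
from pathlib import PureWindowsPath

# Payload Type values from the table above (second WORD of the HTTP body).
PAYLOAD_TYPES = {
    0x26: 'Stolen Cryptocurrency Wallet',
    0x27: 'Stolen Application Data',
    0x28: 'Get C2 Commands from C2 Server',
    0x29: 'Stolen File',
    0x2A: 'POS',
    0x2B: 'Keylogger Data',
    0x2C: 'Screenshot',
}
DEFAULT_BINARY_ID = 'ckav.ru'       # the value the page calls typical
ARTIFACT_EXTENSIONS = ('.exe', '.lck', '.hdb', '.kdb')
HEXDIGITS = set('0123456789ABCDEF')


def mutex_from_machine_guid(machine_guid, encoding='utf-8'):
    '''MD5 of the MachineGuid as upper-case hex, trimmed to 24 characters.
    Assumptions not stated on the page: the GUID is hashed as the bare
    registry string (no braces), and the text encoding is a parameter
    because the page does not say whether it is hashed as ASCII or UTF-16LE.'''
    digest = hashlib.md5(machine_guid.encode(encoding)).hexdigest().upper()
    return digest[:24]


def artifact_names(mutex):
    '''Folder name = mutex characters 8 through 13, file stem = 13 through 18
    (1-indexed, as the page counts them; character 13 is shared by both).'''
    if len(mutex) != 24 or not set(mutex) <= HEXDIGITS:
        raise ValueError('mutex must be 24 upper-case hex characters')
    return mutex[7:13], mutex[12:18]


def expected_paths(mutex, appdata='%APPDATA%'):
    '''Map each artifact extension to the full path a responder should check.'''
    folder, stem = artifact_names(mutex)
    base = PureWindowsPath(appdata, folder)
    return {ext: str(base / (stem + ext)) for ext in ARTIFACT_EXTENSIONS}


def parse_payload_header(body):
    '''Decode the fixed part of an HTTP POST body: WORD version at offset 0,
    WORD payload type at offset 2, Binary ID starting at offset 10 (the 11th
    byte). Little-endian WORDs are assumed. The page does not say how the
    Binary ID is delimited, so this takes the run of printable ASCII from
    offset 10; that is a heuristic for this example, not the wire format.'''
    if len(body) < 11:
        raise ValueError('body too short to hold a Loki-Bot header')
    version, ptype = struct.unpack_from('<HH', body, 0)
    end = 10
    while end < len(body) and 0x20 <= body[end] < 0x7F:
        end += 1
    binary_id = body[10:end].decode('ascii')
    return {
        'version': version,
        'payload_type': ptype,
        'payload_name': PAYLOAD_TYPES.get(ptype, f'unknown (0x{ptype:02X})'),
        'binary_id': binary_id,
        'binary_id_is_default': binary_id == DEFAULT_BINARY_ID,
    }


# Constructed sample bodies (not captured traffic). The version value is
# arbitrary, and bytes 4 through 9 hold fields the page does not describe,
# so they are zero filler here.
SAMPLE_APP_DATA = struct.pack('<HH', 0x0012, 0x27) + bytes(6) + b'ckav.ru' + bytes(2)
SAMPLE_ODD_BUILD = struct.pack('<HH', 0x0012, 0x28) + bytes(6) + b'example' + bytes(2)


if __name__ == '__main__':
    mutex = 'B7E1C2CC98066B250DDB2123'          # the mutex quoted on the page
    for ext, path in expected_paths(mutex).items():
        print(ext, path)
    for body in (SAMPLE_APP_DATA, SAMPLE_ODD_BUILD):
        hdr = parse_payload_header(body)
        note = '' if hdr['binary_id_is_default'] else '  <-- non-default Binary ID, take note'
        print(hdr['payload_name'], hdr['binary_id'] + note)
```

On a live host, feed mutex_from_machine_guid the value of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid and check the returned paths; if the predicted files are absent, try the other encoding before ruling the host clean, since the encoding is the one part of the derivation the page leaves open.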
If you come across a Binary ID that is different from this, take note!\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES.\r\nThe Content-Key HTTP header value is a hash of the HTTP header values that precede it. This is likely a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\nLoki-Bot can accept the following instructions from the C2 server:\r\nBYTE - INSTRUCTION DESCRIPTION\r\n0x00 - Download EXE \u0026 Execute\r\n0x01 - Download DLL \u0026 Load #1\r\n0x02 - Download DLL \u0026 Load #2\r\n0x08 - Delete HDB File\r\n0x09 - Start Keylogger\r\n0x0A - Mine \u0026 Steal Data\r\n0x0E - Exit Loki-Bot\r\n0x0F - Upgrade Loki-Bot\r\n0x10 - Change C2 Polling Frequency\r\n0x11 - Delete Executables \u0026 Exit\r\nSuricata Signatures\r\nRULE SID - RULE NAME\r\n2024311 - ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312 - ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313 - ET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314 - ET TROJAN Loki Bot File Exfiltration Detected\r\n2024315 - ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316 - ET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317 - ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318 - ET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319 - ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2\r\nReferences\r\n2024-12-02 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi\r\nLokiBot Malware Analysis\r\nLoki Password Stealer (PWS)\r\n2024-11-07 ⋅ Logpoint ⋅ Anish Bogati\r\nHiding in Plain Sight: The Subtle Art of Loki Malware’s Obfuscation\r\nLoki Password Stealer (PWS)\r\n2024-02-28 ⋅ Security Intelligence ⋅ Golo Mühr, Ole Villadsen\r\nX-Force data reveals top spam trends, campaigns and senior superlatives in 2023\r\n404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos\r\n2023-07-12 ⋅ Fortinet ⋅ Cara Lin\r\nLokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros\r\nLoki Password Stealer (PWS)\r\n2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein\r\nFollowing the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware\r\nAgent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot\r\n2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2022\r\nFluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm\r\n2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel\r\nAn inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure\r\nRiltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader\r\n2022-08-05 ⋅ 0xIvan ⋅ Twitter (@viljoenivan)\r\nLokiBot Analysis\r\nLoki Password Stealer (PWS)\r\n2022-06-30 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV\r\nHow to Expose a Potential Cybercriminal due to Misconfigurations\r\nLoki Password Stealer (PWS)\r\n2022-06-30 ⋅ Cyber Geeks (CyberMasterV) ⋅ Vlad Pasca\r\nHow to Expose a Potential Cybercriminal due to Misconfigurations\r\nLoki Password Stealer (PWS)\r\n2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\n.NET Stubs: Sowing the Seeds of Discord (PureCrypter)\r\nAberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate\r\n2022-04-17 ⋅ Malcat ⋅ malcat team\r\nReversing a NSIS dropper using quick and dirty shellcode emulation\r\nLoki Password Stealer (PWS)\r\n2022-03-07 ⋅ LAC WATCH ⋅ Cyber Emergency Center\r\nI CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS\r\nXloader Agent Tesla Formbook Loki Password Stealer (PWS)\r\n2022-02-11 ⋅ Cisco Talos ⋅ Talos\r\nThreat Roundup for February 4 to February 11\r\nDarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus\r\n2022-01-28 ⋅ Atomic Matryoshka ⋅ z3r0day_504\r\nMalware Headliners: LokiBot\r\nLoki Password Stealer (PWS)\r\n2021-11-17 ⋅ Infoblox ⋅ Gaetano Pellegrino\r\nDeep Analysis of a Recent Lokibot Attack\r\nLoki Password Stealer (PWS)\r\n2021-08-25 ⋅ Trend Micro ⋅ Bin Lin, William Gamazo Sanchez\r\nNew Campaign Sees LokiBot Delivered Via Multiple Methods\r\nLoki Password Stealer (PWS)\r\n2021-08-23 ⋅ YouTube (DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal\r\n[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite\r\nCloudEyE Loki Password Stealer (PWS)\r\n2021-08-16 ⋅ Malcat ⋅ malcat team\r\nStatically unpacking a simple .NET dropper\r\nLoki Password Stealer (PWS)\r\n2021-07-12 ⋅ Cipher Tech Solutions ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-07-12 ⋅ IBM ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-07-07 ⋅ YouTube (DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal\r\n[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python\r\nCloudEyE Loki Password Stealer (PWS)\r\n2021-07-06 ⋅ YouTube (DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal\r\n[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2\r\nCloudEyE Loki Password Stealer (PWS)\r\n2021-06-08 ⋅ ilbaroni\r\nLOKIBOT - A commodity malware\r\nLoki Password Stealer (PWS)\r\n2021-04-06 ⋅ InfoSec Handlers Diary Blog ⋅ Jan Kopriva\r\nMalspam with Lokibot vs. Outlook and RFCs\r\nLoki Password Stealer (PWS)\r\n2021-01-06 ⋅ Talos ⋅ Holger Unterbrink, Irshad Muhammad\r\nA Deep Dive into Lokibot Infection Chain\r\nLoki Password Stealer (PWS)\r\n2020-12-07 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team\r\nCommodity .NET Packers use Embedded Images to Hide Payloads\r\nAgent Tesla Loki Password Stealer (PWS) Remcos\r\n2020-10-01 ⋅ SpiderLabs Blog ⋅ Diana Lopera\r\nEvasive URLs in Spam: Part 2\r\nLoki Password Stealer (PWS)\r\n2020-08-26 ⋅ Lab52 ⋅ Jagaimo Kawaii\r\nA twisted malware infection chain\r\nAgent Tesla Loki Password Stealer (PWS)\r\n2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2020\r\nAdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader\r\n2020-05-21 ⋅ Malwarebytes ⋅ Malwarebytes Labs\r\nCybercrime tactics and techniques\r\nAve Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC\r\n2020-05-14 ⋅ SophosLabs ⋅ Markel Picado\r\nRATicate: an attacker’s waves of information-stealing malware\r\nAgent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos\r\n2020-04-28 ⋅ Trend Micro ⋅ Miguel Ang\r\nLoki Info Stealer Propagates through LZH Files\r\nLoki Password Stealer (PWS)\r\n2020-03-31 ⋅ Click All the Things! Blog ⋅ Jamie\r\nLokiBot: Getting Equation Editor Shellcode\r\nLoki Password Stealer (PWS)\r\n2020-03-20 ⋅ Bitdefender ⋅ Liviu Arsene\r\n5 Times More Coronavirus-themed Malware Reports during March\r\nostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos\r\n2020-02-14 ⋅ Virus Bulletin ⋅ Aditya K. Sood\r\nLokiBot: dissecting the C\u0026C panel deployments\r\nLoki Password Stealer (PWS)\r\n2020-02-06 ⋅ Prevailion ⋅ Danny Adamitis\r\nThe Triune Threat: MasterMana Returns\r\nAzorult Loki Password Stealer (PWS)\r\n2019-12-28 ⋅ Paul Burbage\r\nThe Tale of the Pija-Droid Firefinch\r\nLoki Password Stealer (PWS)\r\n2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko\r\nCyber Threat Landscape in Japan – Revealing Threat in the Shadow\r\nCerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD POISONPLUG TrickBot BlackTech\r\n2019-10-28 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nSWEED Targeting Precision Engineering Companies in Italy\r\nLoki Password Stealer (PWS)\r\n2019-08-10 ⋅ Check Point ⋅ Omer Gull\r\nSELECT code_execution FROM * USING SQLite;\r\nAzorult Loki Password Stealer (PWS) Pony\r\n2019-07-15 ⋅ Cisco Talos ⋅ Edmund Brumaghin\r\nSWEED: Exposing years of Agent Tesla campaigns\r\nAgent Tesla Formbook Loki Password Stealer (PWS) SWEED\r\n2019-04-05 ⋅ Trustwave ⋅ Phil Hay, Rodel Mendrez\r\nSpammed PNG file hides LokiBot\r\nLoki Password Stealer (PWS)\r\n2018-12-04 ⋅ Brad Duncan\r\nMalspam pushing Lokibot malware\r\nLoki Password Stealer (PWS)\r\n2018-08-29 ⋅ Kaspersky Labs ⋅ Tatyana Shcherbakova\r\nLoki Bot: On a hunt for corporate passwords\r\nLoki Password Stealer (PWS)\r\n2018-08-02 ⋅ Palo Alto Networks Unit 42 ⋅ David Fuertes, Josh Grunzweig, Kyle Wilhoit, Robert Falcone\r\nThe Gorgon Group: Slithering Between Nation State and Cybercrime\r\nLoki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT\r\n2018-07-06 ⋅ Github (d00rt) ⋅ d00rt\r\nLokiBot Infostealer Jihacked Version\r\nLoki Password Stealer (PWS)\r\n2017-12-19 ⋅ Lastline ⋅ Andy Norton\r\nNovel Excel Spreadsheet Attack Launches Password Stealing Malware Loki Bot\r\nLoki Password Stealer (PWS)\r\n2017-06-22 ⋅ SANS Institute Information Security Reading Room ⋅ Rob Pantazopoulos\r\nLoki-Bot: Information Stealer, Keylogger, \u0026 More!\r\nLoki Password Stealer (PWS)\r\n2017-05-17 ⋅ Fortinet ⋅ Hua Liu, Xiaopeng Zhang\r\nNew Loki Variant Being Spread via PDF File\r\nLoki Password Stealer (PWS)\r\n2017-05-07 ⋅ R3MRUM ⋅ R3MRUM\r\nLoki-Bot: Come out, come out, wherever you are!\r\nLoki Password Stealer (PWS)\r\n2017-05-05 ⋅ Github (R3MRUM) ⋅ R3MRUM\r\nloki-parse\r\nLoki Password Stealer (PWS)\r\n2017-03-23 ⋅ Cofense ⋅ Cofense\r\nTales from the Trenches: Loki Bot Malware\r\nLoki Password Stealer (PWS)\r\n2017-02-16 ⋅ Cysinfo ⋅ Winston M\r\nNefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!\r\nLoki Password Stealer (PWS)\r\nYara Rules\r\n[TLP:WHITE] win_lokipws_auto (20251219 | Detects win.lokipws.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws"
	],
	"report_names": [
		"win.lokipws"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fe3d8dee-3bee-42e6-8f16-b6628b6189ae",
			"created_at": "2023-01-06T13:46:39.039285Z",
			"updated_at": "2026-04-10T02:00:03.193589Z",
			"deleted_at": null,
			"main_name": "SWEED",
			"aliases": [],
			"source_name": "MISPGALAXY:SWEED",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0d07b30c-4393-4071-82fb-22f51f7749e0",
			"created_at": "2022-10-25T16:07:24.097096Z",
			"updated_at": "2026-04-10T02:00:04.865146Z",
			"deleted_at": null,
			"main_name": "RATicate",
			"aliases": [],
			"source_name": "ETDA:RATicate",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"BetaBot",
				"BlackRAT",
				"BlackRemote",
				"Bladabindi",
				"CloudEyE",
				"ForeIT",
				"Formbook",
				"GuLoader",
				"Jorik",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NSIS",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neurevt",
				"Nullsoft Scriptable Install System",
				"Origin Logger",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"ZPAQ",
				"njRAT",
				"vbdropper",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f2c53785-fb8b-460d-ba73-7fbfba36f0f5",
			"created_at": "2022-10-25T16:07:24.247949Z",
			"updated_at": "2026-04-10T02:00:04.911034Z",
			"deleted_at": null,
			"main_name": "Sweed",
			"aliases": [],
			"source_name": "ETDA:Sweed",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"ForeIT",
				"Formbook",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Negasteal",
				"Origin Logger",
				"RDP",
				"Remote Desktop Protocol",
				"ZPAQ",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775792156,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b9e03f8439363fdd67cb5cfbcc0f5c2f562410b.pdf",
		"text": "https://archive.orkl.eu/3b9e03f8439363fdd67cb5cfbcc0f5c2f562410b.txt",
		"img": "https://archive.orkl.eu/3b9e03f8439363fdd67cb5cfbcc0f5c2f562410b.jpg"
	}
}