{
	"id": "e064b3d0-8872-4fec-a256-7fb3f8c4dbeb",
	"created_at": "2026-04-06T00:18:13.742195Z",
	"updated_at": "2026-04-10T03:37:49.803971Z",
	"deleted_at": null,
	"sha1_hash": "3ff38433c240f937a33c536fbfc8969c58929dd5",
	"title": "The Rise of FusionCore An Emerging Cybercrime Group from Europe - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1858021,
	"plain_text": "The Rise of FusionCore: An Emerging Cybercrime Group from Europe - CYFIRMA\r\nArchived: 2026-04-02 10:54:35 UTC\r\nPublished On: 2023-04-03\r\nEXECUTIVE SUMMARY\r\nThe CYFIRMA research team has identified a new, up-and-coming European threat actor group known as FusionCore. Running a Malware-as-a-Service (MaaS) operation alongside a hacker-for-hire operation, the group offers a wide variety of tools and services on its website, making it a one-stop shop for threat actors looking to purchase cost-effective yet customizable malware. The operators have started a ransomware affiliate program that equips attackers with the ransomware and with affiliate software to manage victims. FusionCore typically provides buyers with a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks.\r\nINTRODUCTION\r\nIn this research report, we discuss previously undiscovered malware being sold by FusionCore, its respective capabilities, and the level of sophistication of the threat actors. FusionCore was founded in 2022 by the user “Hydra”, the co-developer of the Typhon Reborn stealer. This malware developer has been in the stealer-development and log-selling business for a few years, initially being involved with the NoMercy infostealer along with another associate who goes by the alias “NecroSys”.\r\nhttps://www.cyfirma.com/?post_type=out-of-band\u0026p=17003\r\nPage 1 of 37\r\nResearchers found the NoMercy stealer to be very crude and basic, and observations indicate that it was at the initial stages of development in early 2022. Based on feedback from the threat actors who were using the NoMercy infostealer, Hydra quickly realized that there is high demand for all kinds of malware, not just infostealers. He decided to build a team that develops custom malware and named the team FusionCore. 
Their malware catalogue includes Typhon-R Stealer, RootFinder Stealer, RootFinder RAT, Cryptonic Crypter, RootFinder Ransomware, RootFinder Miner, Golden Mine, ApolloRAT, SarinLocker and KratoS Dropper, with many new malware families already in the pipeline.\r\nThe other primary associates of FusionCore include “NecroSys” (developer of SarinLocker, Typhon Stealer, Kratos Dropper and Ambien RAT), “DanielNusradin” (developer of RootFinder RAT, RootFinder Miner, RootFinder Stealer and RootFinder Ransomware), “InsaniumDev” (developer of Golden Mine) and “SysKey” (group administrator and malware developer). Given the breadth of the group’s capabilities, which translate into a range of options for lateral movement, a successful attack could result in significant financial and operational damage, as well as damage to the organization’s reputation among customers, investors, and partners. The CYFIRMA research team was able to obtain a few of the previously undiscovered malware samples being used by FusionCore operators. We will analyze them and share our findings with the community in our upcoming research reports.\r\nFUSIONCORE GROUP PROFILE\r\nFusionCore aliases are heavily influenced by Greek and Roman mythology. Hydra named himself after the Lernaean Hydra, the many-headed serpentine water monster of Greek mythology that grew two heads for every one cut off. The Typhon stealer is named after Typhon, a monstrous serpentine giant in Greek mythology. We have observed a trend among FusionCore’s primary operators of naming their flagship malware after Greek mythological creatures. Most of the malware developed by FusionCore is written in C++, C# and Go. 
The operators use open-source .NET obfuscators such as Obfuscar, NETShield and ConfuserEx to increase the evasiveness of their crypter stub (a crypter is software that encrypts, obfuscates, and otherwise manipulates malware so that it evades detection). The group relies heavily on open-source software, with NBMiner and XMRig in its tool arsenal to enable cryptocurrency mining.\r\nTIMELINE OF FUSIONCORE EVOLUTION\r\nJune 2022\r\nAfter working on new features and evasion capabilities, Hydra started selling the Typhon stealer, released on the group’s new Telegram channel.\r\nJuly 2022\r\nThe Typhon stealer was updated frequently, based on user feedback.\r\nJuly 2022\r\nThe MaaS operators were found to provide malware-spreading services across the globe, indicating that they likely have access to a private botnet spanning multiple geographies. The operators charged a higher price to spread malware within Europe than on any other continent.\r\nSeptember 2022\r\nFusionCore’s Telegram channel was created to streamline MaaS operations. Due to a lack of buyers, Hydra was willing to recruit a Russian-speaking advertiser who would promote the products on underground forums, channels, etc. 
with a 25% commission on revenue for the marketer.\r\nOctober 2022\r\nAnother FusionCore malware developer, using the alias NecroSys, began advertising a soon-to-be-released ransomware written in C#, called SarinLocker.\r\nNovember 2022\r\nThe group admin, SysKey, announced the official launch of the FusionCore webshop.\r\nNovember 2022\r\nThe operators released an announcement regarding upcoming tools and related features.\r\nJanuary 2023\r\nThe MaaS operators were looking to expand their team with the addition of an experienced malware developer. Needless to say, the post gained traction in the malware developers’ community.\r\nFebruary 2023\r\nLeveraging the MaaS operators’ poor operational security (OpSec), the CYFIRMA research team obtained a C2 panel snippet shared by the attacker on 25th February 2023 on their Telegram channel (now deleted). The snippet reveals public IPs that FusionCore uses as testing grounds for its malware. The CYFIRMA research team will continue to monitor this infrastructure, as these hosts are likely part of the botnet that the MaaS operators use to provide malware-spreading services. 
The RootFinder Telegram channel was deleted shortly after the threat actors realized the operational error.\r\nMarch 2023\r\nHydra shared a screenshot of the Typhon Reborn stealer dashboard (under development). Note that the dashboard is set to display Swedish time by default.\r\nOn 26th March 2023, NecroSys announced on the Typhon stealer Telegram channel an upcoming ransomware named “VIPERA Ransomware”, advertised as fully native, fully undetectable and able to encrypt victim files in microseconds.\r\nBased on the available information and discussions, it can be assessed with medium confidence that the operators of FusionCore are based in Europe. The group acts as both malware developers and threat actors, providing malware subscriptions as well as hacker-for-hire services. Using phishing as its primary attack vector for initial access, FusionCore offers a wide range of malware, which makes the group capable of carrying out stealthy and persistent attacks.\r\nMALWARE OFFERED BY FUSIONCORE\r\nSARINLOCKER\r\nOn 15th November 2022, NecroSys officially announced the release of SarinLocker v1.0, a ransomware that uses Telegram to send decryption keys and client information to the operator. It appends the extension SARIN.LOCKED to encrypted files. 
Pricing was very competitive compared to other ransomware: $20 per month or $100 for lifetime access.\r\nNote that the ransomware can wipe the decryption key from the infected device’s memory, making it harder to extract the key during memory forensics.\r\nThe CYFIRMA research team was able to obtain a few of the malware samples being used by FusionCore operators. We will analyze the obtained FusionCore samples and share our findings with the community in upcoming research reports. Until then, security teams can find the IOCs at the end of this report to block as required.\r\nAdmin Panel\r\nIn November 2022, a poll was posted on the Typhon stealer Telegram channel regarding the development of SarinLocker v2.0. Note that the malware developer states there will be two precompiled payloads, for x64 and x86 systems.\r\nOn 22nd December 2022, NecroSys announced the release of SarinLocker v2.0, written in C++. Among other changes, the new version uses a longer decryption key, as the key in SarinLocker v1.0 was short enough to be brute-forced.\r\nROOTFINDER STEALER\r\nOn 14th February 2023, Hydra started advertising a new information stealer, RootFinder Stealer, on the Typhon Stealer Telegram channel.\r\nThe developer of the RootFinder range of malware (Stealer, RAT, Ransomware, Miner) uses the alias Daniel Nusradin. 
We believe that the developer of RootFinder is a novice at this stage and is taking guidance from the more seasoned members of FusionCore on how to develop malware.\r\nRootFinder Stealer is a variant based on the Redline and Typhon stealers. The infostealer uses a Telegram bot to receive data from the infected device.\r\nFeatures:\r\nGrabs the victim’s details (date and time, computer user, operating system, operating system version, DNS hostname, installed anti-virus, and computer language)\r\nHarvests hardware information (HWID, RAM size in megabytes, memory devices, BIOS caption, BIOS manufacturer, graphics card, CD-ROM path)\r\nCollects network information (private IP address, external IP address, subnet scan, MAC address)\r\nData recovery (passwords, cookies, autofill data, credit cards, search history)\r\nROOTFINDER RANSOMWARE\r\nThere is very limited information about the RootFinder ransomware. The ransomware’s author seems inexperienced, with poor OpSec, so it is unlikely that the malware will become more sophisticated or widespread anytime soon.\r\nFeatures:\r\nThe ransomware employs an encryption process that the developer claims is completely undetectable and fast. The encryption method used is AES.\r\nThe ransomware is designed to be lightweight, with a size of only 26 KB.\r\nUpon installation, the malware connects to an HTTP panel and transmits the personal installation key to the attacker.\r\nThe ransomware generates a unique decryption key for each victim.\r\nAdditionally, there is a separate application for affiliates that requests the Personal Installation Key. 
The attacker must enter the victim’s installation key in this application to obtain the decryption key.\r\nBuyers (attackers) are registered on a web panel, enabling them to log in and access the ransomware admin panel.\r\nCRYPTONIC\r\nCryptonic is a .NET crypter that is compatible with both .NET and native payloads. A crypter is software that encrypts, obfuscates, and manipulates malware to make it harder for security products to detect. Cryptonic comes with an easy-to-use builder, and each generated stub is unique. It is not for sale yet, as the threat actors have not finished development; however, anyone interested can purchase test crypts, sold for the equivalent of $5 in XMR or ETH.\r\nThreat actors can use Cryptonic to make known malware undetectable by antivirus engines. FusionCore demonstrated this by running a previously known LockBit 3.0 sample through Cryptonic.\r\nGOLDENMINE\r\nGoldenMine is a cryptocurrency miner written in .NET. The miner is based on the open-source tools NBMiner and XMRig. 
It can mine a wide variety of coins, including XMR, ETH, RVN and BEAM, and supports both CPU and GPU mining.\r\nFeatures:\r\nThe miner’s custom arguments are modified dynamically at the start of the process.\r\nThe client can restart miners while they are running.\r\nThe client can detect whether miners are being terminated.\r\nThe client provides protection for the miners (anti-analysis).\r\nSTRONTIUM STEALER\r\nThis infostealer is a relatively new addition to FusionCore’s malware arsenal.\r\nFeatures:\r\nThe server and client components of the malware are lightweight; the client component is only 83 KB in size.\r\nThe malware gathers basic system information from the victim’s computer.\r\nIt is capable of stealing passwords, cookies, autofill data, and credit card information.\r\nThe malware also includes spying functions such as a keylogger and screenshots of the victim’s desktop.\r\nThe client component has an anti-analysis module intended to hinder security researchers analyzing the malware.\r\nThe connection between the malware and the C2 server is encrypted.\r\nThe server component can generate an obfuscated client to evade detection by anti-virus software.\r\nThe malware is designed to bypass the majority of anti-virus programs.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) INSIGHTS\r\nThreat Actor Profile: The members of FusionCore are young (possibly in their late teens) yet ambitious malware developers with a wide variety of skills, depending on the type of malware that needs to be built. 
FusionCore runs a Malware-as-a-Service (MaaS) model alongside hacker-for-hire services, relying largely on open-source tools such as Obfuscar, NETShield and ConfuserEx to increase the evasiveness of its malware toolkit.\r\nThreat Landscape: FusionCore operators have started an affiliate program named AnthraXXXLocker, and more affiliates are likely to join the group in the coming months. Furthermore, with the addition of new developers, FusionCore is set to expand its malware arsenal, adding to its already booming infostealer business while dipping its toes into the extortion business.\r\nVictimology: FusionCore’s targets predominantly depend on its buyers and affiliates. As a young, up-and-coming group, they are willing to work with anyone, from anywhere. So far, the known targets of FusionCore include Lindesberg Municipality in Sweden, and the Typhon Stealer was observed in a phishing attempt against an infosec company in Asia Pacific.\r\nImpact Assessment: The group’s diverse catalogue of malware presents a multifaceted risk to an organization, with the potential for financial losses due to data theft, operational disruption caused by ransomware attacks, and reputational damage resulting from breaches of sensitive data.\r\nThe group’s hacker-for-hire services and stealer capabilities pose a significant threat to an organization’s digital assets, potentially leading to financial losses due to stolen intellectual property or compromised customer data.\r\nThe use of crypters in FusionCore’s malware suggests a sophisticated approach to evasion, increasing the potential impact of their attacks and the difficulty of detecting and mitigating them.\r\nCONCLUSION\r\nThe members of the new FusionCore group are developing their own set of malware with the help of 
more seasoned malware developers present in the group. Their growing catalogue of tools suggests they have the ambition to create a suite covering most, if not all, of the kill chain, creating a one-stop shop for threat actors.\r\nWith the emergence of Malware-as-a-Service (MaaS), cyber-attacks have become more sophisticated than before. With a single data breach potentially bringing down an entire system, attackers currently have a significant advantage. It is therefore imperative to have complete visibility of the attack surface, as security teams cannot protect what they cannot see.\r\nMITIGATION STRATEGIES / RECOMMENDATIONS\r\nStrategic Recommendations\r\nConduct regular vulnerability assessments and penetration testing to identify and remediate vulnerabilities.\r\nDevelop and implement an incident response plan that includes clear procedures for containment, investigation, and recovery from security incidents.\r\nReview and update security policies and procedures to ensure they align with best practices and regulatory requirements.\r\nFoster a security-first culture by promoting security awareness and accountability at all levels of the organization.\r\nManagement Recommendations\r\nInvest in ongoing security training and development for IT staff to ensure they have the skills and knowledge necessary to protect the organization’s assets.\r\nEstablish a security governance framework that includes clear roles and responsibilities for managing security risks.\r\nEngage with industry peers and partners to share threat intelligence and best practices for mitigating cybersecurity risks.\r\nRegularly review and update the organization’s risk management strategy to ensure it reflects the evolving threat landscape and business priorities.\r\nTactical Recommendations\r\nImplement network segmentation to limit the impact of successful attacks 
on critical systems.\r\nDeploy endpoint protection solutions to detect and prevent malware infections.\r\nTrain employees on security awareness best practices to reduce the risk of successful phishing attacks.\r\nMonitor network traffic and user activity to detect and respond to suspicious behavior.\r\nAPPENDIX I\r\nIndicators of Compromise (IOCs)\r\nNo. Indicator Type Malware\r\n1 fa914f6b81cf4b03052d11798e562f1c MD5 SarinLocker v1.0\r\n2 4cdd313daa831401382beac13bea4f00 MD5 SarinLocker v1.0\r\n3 856707241a7624681d6a46b2fa279bd56aa6438a SHA1 SarinLocker v1.0\r\n4 1a0211f6bc0aab4889364024bd2ec9a3baa56e654d07586bb9c06b0c86f68eaf SHA256 SarinLocker v1.0\r\n5 97e4bd269be93b96d8c67c11fadcb75b MD5 SarinLocker v2.0 payload (x64)\r\n6 a5696381cbffc85c0509b2054484b4d4c56697d6 SHA1 SarinLocker v2.0 payload (x64)\r\n7 563dfc726daaec005638ed3271657aa3e2a2529b7940cd0741d5a47e7e9b9c2c SHA256 SarinLocker v2.0 payload (x64)\r\n8 10aeadfd910bc5dab9e7d9d88abf5795 MD5 SarinLocker v2.0 payload (x86)\r\n9 d9806de5917acdfa6f5c0c0f83cf7f4b42830e9d SHA1 SarinLocker v2.0 payload (x86)\r\n10 d41d03d804e6ccb7c749c74745df5187618f57b5c58d427d293a40f91a7e9736 SHA256 SarinLocker v2.0 payload (x86)\r\n11 20.99.160[.]173 IPv4 RootFinder RAT\r\n12 373bb4e17fbf239f2d02ea3fb3dfa352 MD5 RootFinder Stealer\r\n13 bd93aa67e43350ea3c4833671d68709621a1304d SHA1 RootFinder Stealer\r\n14 575c5ad5a00e3ce13a75079666adfd254734f9c99555f4edf42ca3fa5d83f6f6 SHA256 RootFinder Stealer\r\n15 925a12fa388efe3bad829e475ac12bfb MD5 Builder\r\n16 d9f6e37c8f58ac02c5415cab7e49c730 MD5 AnthraxxxLocker ransomware payload\r\n17 b7f1a84fcc50733ef535891dc9253c3b3544f81f SHA1 Builder\r\n18 de03afb794e3017d1f6aa657a6ef82ca49c6fd08 SHA1 AnthraxxxLocker ransomware payload\r\n19 05472bedb5a7613310b8088ca89b81e8390d39dddb8ed79dedd7311d2aaa6f80 SHA256 Builder\r\n20 
eed648bb9bd45a440b2ceadbbae04e69f9c7f098ab8980c019a6736e4f7bd10b SHA256 AnthraxxxLocker ransomware payload\r\nAPPENDIX II\r\nMITRE Mapping\r\nColumns: No. / Tactic / Technique or Sub-Technique / Purpose / Used By\r\n1 Execution TA0002\r\nWindows Management Instrumentation T1047 – Purpose: queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); checks if an antivirus program is installed (via WMI); queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines); queries process information (via WMI, Win32_Process); queries sensitive operating system information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) – Used by: Typhon Reborn Stealer, RootFinder Stealer\r\nCommand and Scripting Interpreter T1059 – Purpose: accepts command line arguments – Used by: Typhon Reborn Stealer, RootFinder Stealer\r\nScripting T1064 – Purpose: executes batch files – Used by: Typhon Reborn Stealer\r\n2 Persistence TA0003\r\nRegistry Run Keys / Startup Folder T1547.001 – Purpose: references the startup folder – Used by: Typhon Reborn Stealer, RootFinder Stealer\r\n3 Privilege Escalation TA0004\r\nProcess Injection T1055 – Purpose: spawns processes in suspended mode (likely to inject code) – Used by: Typhon Reborn Stealer, RootFinder Stealer\r\n4 Defense Evasion TA0005\r\nMasquerading T1036 – Purpose: creates files inside the user directory – Used by: Typhon Reborn Stealer, RootFinder Stealer\r\nProcess Injection T1055 – Purpose: creates a process in suspended mode (likely to inject code) – Used by: Typhon Reborn Stealer, RootFinder Stealer\r\nScripting T1064 – Purpose: executes batch files – Used by: Typhon Reborn Stealer\r\nFile Deletion T1070.004 – Purpose: drops batch files with force delete using cmd (self 
deletion) – Used by: Typhon Reborn Stealer, RootFinder Stealer, SarinLocker\r\nTimestomp T1070.006 – Purpose: binary contains a suspicious timestamp – Used by: Typhon Reborn Stealer\r\nVirtualization/Sandbox Evasion T1497 – Purpose: queries sensitive device information (via WMI, Win32_VideoController, Win32_Processor, Win32_ComputerSystem, often done to detect virtual machines); contains long sleeps (\u003e= 3 min); may sleep (evasive loops) to hinder dynamic analysis; checks if the current process is being debugged – Used by: Typhon Reborn Stealer, RootFinder Stealer, SarinLocker\r\nDisable or Modify Tools T1562.001 – Purpose: uses netsh to modify the Windows network and firewall settings; creates guard pages, often used to prevent reverse engineering and debugging; uses taskkill to terminate processes – Used by: Typhon Reborn Stealer, RootFinder Stealer, SarinLocker, Strontium\r\nObfuscated Files or Information T1027 – Purpose: encrypts or decrypts data via BCrypt; encrypts data using DPAPI; encodes data using Base64 – Used by: Typhon Reborn Stealer, RootFinder Stealer\r\nFile and Directory Permissions Modification T1222 – Purpose: sets file attributes – Used by: Typhon Reborn Stealer, RootFinder Stealer, SarinLocker\r\nSystem Checks T1497.001 – Purpose: references anti-VM strings targeting VirtualBox, VMware and Xen, as well as generic anti-VM strings – Used by: Typhon Reborn Stealer, RootFinder Stealer, SarinLocker\r\nReflective Code Loading T1620 – Purpose: loads .NET assemblies – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder Miner, RootFinder RAT, RootFinder Ransomware, Cryptonic\r\n5 Credential Access TA0006\r\nOS Credential Dumping T1003 – Purpose: tries to harvest and steal browser information artifacts – Used by: Typhon Reborn Stealer, 
RootFinder Stealer\r\nInput Capture T1056 – Purpose: creates a DirectInput object (often for capturing keystrokes) – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder RAT, Strontium\r\n6 Discovery TA0007\r\nApplication Window Discovery T1010 – Purpose: sample monitors window changes (e.g., starting applications) – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder RAT\r\nQuery Registry T1012 – Purpose: monitors certain registry keys/values for changes (often done to protect auto-start functionality) – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder RAT, Strontium, SarinLocker\r\nSystem Network Configuration Discovery T1016 – Purpose: checks the IP addresses of the machine – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder RAT, Strontium, SarinLocker\r\nRemote System Discovery T1018 – Purpose: reads the hosts file – Used by: Typhon Reborn Stealer, RootFinder Stealer\r\nProcess Discovery T1057 – Purpose: queries a list of all running processes – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder RAT, Strontium, SarinLocker\r\nSystem Information Discovery T1082 – Purpose: queries information about the installed CPU (vendor, model number, etc.); queries the volume information (name, serial number, etc.) 
of a device; queries the cryptographic machine GUID; reads software policies; queries process information (via WMI, Win32_Process); queries sensitive operating system information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder RAT, Strontium, SarinLocker, RootFinder Miner, Cryptonic, Golden Mine\r\nFile and Directory Discovery T1083 – Purpose: reads ini files – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder RAT, RootFinder Ransomware, SarinLocker\r\nSecurity Software Discovery T1518.001 – Purpose: checks if an antivirus program is installed (via WMI); AV process strings found (often used to terminate AV products); may try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder RAT, Strontium, SarinLocker, RootFinder Miner, Cryptonic, Golden Mine\r\nSystem Location Discovery T1614 – Purpose: gets geographical location – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder RAT, Strontium, SarinLocker, RootFinder Miner, Cryptonic, Golden Mine\r\n7 Collection TA0009\r\nData from Local System T1005 – Purpose: tries to harvest and steal browser information (history, passwords, etc.) – Used by: Typhon Reborn Stealer, RootFinder Stealer, Strontium\r\nInput Capture T1056 – Purpose: creates a DirectInput object (often for capturing keystrokes) – Used by: Typhon Reborn Stealer, RootFinder Stealer, Strontium\r\nData from Information Repositories T1213 – Purpose: references WMI statements – Used by: Typhon Reborn Stealer, RootFinder Stealer\r\nArchive Collected Data T1560 – Purpose: .NET source code contains calls to encryption/decryption functions – Used by: RootFinder Stealer, RootFinder 
RAT, RootFinder Ransomware, Typhon Reborn Stealer\r\n8 Exfiltration TA0010\r\nExfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 – Purpose: exfiltrates data using the Telegram API – Used by: Typhon Reborn Stealer, RootFinder Stealer, SarinLocker\r\n9 Command and Control TA0011\r\nApplication Layer Protocol T1071 – Purpose: uses HTTPS; performs DNS lookups; downloads files from web servers via HTTP – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder Miner, Golden Mine, Strontium, SarinLocker, RootFinder RAT\r\nWeb Service T1102 – Purpose: connects to an online service (for C\u0026C) – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder Miner, Golden Mine, Strontium, SarinLocker, RootFinder RAT\r\nEncrypted Channel T1573 – Purpose: uses HTTPS for network communication – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder Miner, Golden Mine, Strontium, SarinLocker, RootFinder RAT\r\n10 Impact TA0040\r\nResource Hijacking T1496 – Purpose: mines cryptocurrency – Used by: Typhon Reborn Stealer, RootFinder Stealer, RootFinder Miner, Golden Mine\r\nData Encrypted for Impact T1486 – Purpose: modifies user documents; writes a notice file (HTML or text) to demand a ransom – Used by: SarinLocker, RootFinder Ransomware\r\nInhibit System Recovery T1490 – Purpose: deletes volume shadow copies – Used by: SarinLocker\r\nSigma Rule(s)\r\nRootFinder Stealer: the following rule flags process creations whose command line contains common network-discovery commands (T1016). Because these commands are also run routinely by administrators, the rule is rated level: low and is intended for correlation with other indicators rather than stand-alone alerting.\r\ntitle: Suspicious Network Command\r\ndescription: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems\r\ntags:\r\n  - attack.discovery\r\n  - attack.t1016\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    
CommandLine|contains:\r\n      - 'ipconfig /all'\r\n      - 'netsh interface show interface'\r\n      - 'arp -a'\r\n      - 'nbtstat -n'\r\n      - 'net config'\r\n      - 'route print'\r\n  condition: selection\r\nlevel: low\r\nSource: https://www.cyfirma.com/?post_type=out-of-band\u0026p=17003",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.cyfirma.com/?post_type=out-of-band\u0026p=17003"
	],
	"report_names": [
		"?post_type=out-of-band\u0026p=17003"
	],
	"threat_actors": [
		{
			"id": "afafa2dd-4d1e-45f9-b051-8d49e9fc7f04",
			"created_at": "2023-11-17T02:00:07.608571Z",
			"updated_at": "2026-04-10T02:00:03.459153Z",
			"deleted_at": null,
			"main_name": "FusionCore",
			"aliases": [],
			"source_name": "MISPGALAXY:FusionCore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ff38433c240f937a33c536fbfc8969c58929dd5.pdf",
		"text": "https://archive.orkl.eu/3ff38433c240f937a33c536fbfc8969c58929dd5.txt",
		"img": "https://archive.orkl.eu/3ff38433c240f937a33c536fbfc8969c58929dd5.jpg"
	}
}