{
	"id": "26a49789-a3a9-40f9-a42a-6ddfa4f4f07a",
	"created_at": "2026-04-06T00:22:26.77272Z",
	"updated_at": "2026-04-10T13:12:42.403452Z",
	"deleted_at": null,
	"sha1_hash": "418439c5af2b3eedfc17d656f181ba42a740ddf6",
	"title": "Ares - Technical Analysis | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 724342,
	"plain_text": "Ares - Technical Analysis | Zscaler Blog\r\nBy Brett Stone-Gross\r\nPublished: 2021-03-30 · Archived: 2026-04-02 11:04:00 UTC\r\nKronos is a banking trojan that first emerged in 2014 and was marketed in underground forums as a crimeware kit to\r\nconduct credit card fraud, identity theft, and wire fraud. In September 2018, a new Kronos variant named Osiris\r\nintroduced several new features including TOR for command and control (C2) communications. The last update to\r\nOsiris appears to have been around mid-2019. In February 2021, Zscaler ThreatLabz identified a new Kronos\r\nvariant that surfaced via spam campaigns to German speakers, which calls itself Ares. In Greek mythology, Ares is\r\nthe son of Zeus and grandson of Kronos. Thus, the naming convention appears to refer to this new malware\r\nvariant as the third generation of Kronos. Ares still appears to be in development alongside an information stealer\r\nthat harvests credentials from various applications including VPN clients and web browsers, and can also\r\nexfiltrate arbitrary files and cryptocurrency wallets.\r\nThe threat actor behind this new variant continues to use both Osiris and Ares in parallel. In this blog post, we will\r\nexamine these new malware developments and campaigns.\r\nDarkCrypter\r\nRecent samples of Osiris and Ares have been protected by a malware packer written in C++ that calls itself\r\nDarkCrypter. The packer contains the PDB path d:\\scm\\Italy\\dopplegang\\DarkCrypter\\Bin\\Clean.pdb. The code is\r\nnot related to the commercial packer, DarkCrypter, that has been cracked and leaked online. Interestingly, the\r\npacker shares code with Kronos and Osiris including the string encryption algorithm. 
When the string table is\r\ndecrypted, the first 41 entries are identical to older Kronos variants with eight new string additions (shown below)\r\nto detect sandbox environments:\r\natcuf32.dll\r\numengx86.dll\r\nsandboxie.dll\r\nlibctc_sandbox.dll\r\natcuf64.dll\r\nantimalware_provider32.dll\r\nantimalware_provider64.dll\r\nlibctc_onexecute.dll\r\nIf the anti-analysis checks pass, the packer proceeds to the next step. There are at least two variants of the packer.\r\nThe first variant decrypts the next-stage payload using Blowfish. However, the decryption process uses a non-standard Blowfish key size. Typically, Blowfish key sizes are between 4 bytes and 56 bytes. In contrast, the\r\nBlowfish decryption implementation in DarkCrypter supports a hardcoded key size that is 288 bytes (although\r\nonly the first 72 bytes are effectively used). This may be designed to break cryptographic libraries that implement\r\nhttps://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan\r\nPage 1 of 15\n\nBlowfish and follow the standard, where the maximum key size is limited to 56 bytes. The Blowfish key is located\r\nby computing a djb2 hash of each section name in the PE header. The code compares the resulting hash value with\r\ntwo hardcoded values that map to the section names .text (0xb80c0d8) and .sjdata (0xecae6faa).\r\nThe second variant of the DarkCrypter packer embeds the second-stage payload in a compressed format rather\r\nthan an encrypted Blowfish format. The compression algorithm is identical to that found in Ares and in Ares-related\r\ncomponents, including a packer that impersonates a bitmap image header.\r\nModified UPX Packer\r\nThe threat actor has also experimented with modifying UPX headers, which have well-known section names. The\r\nmodifications that have been made by the threat actor replace the UPX section names (UPX0, UPX1, ...) with\r\nstandard section names like .text, .data, and .rdata. 
This breaks compatibility with the command-line UPX\r\ndecompression tool, although the file can still be decompressed and executed. An example of the file header\r\nmodifications is shown below in Figure 1 on the left, with the alterations highlighted in red.\r\nFigure 1. Modified and Restored UPX Headers\r\nThese changes can easily be restored to the original UPX section names as shown on the right in Figure 1. The\r\nUPX command-line utility can then be used to statically unpack this binary, producing the final executable\r\npayload.\r\nBMPack\r\nThe threat actor has also been using another packer that Zscaler ThreatLabZ has dubbed BMPack. This packer has\r\nbeen utilized to pack both Osiris and Ares payloads. BMPack first decrypts embedded data using an XOR-based\r\nalgorithm, followed by RC4. After the decryption stage, the file appears to be a bitmap image as shown in Figure\r\n2.\r\nFigure 2. Fake Bitmap Image Used to Unpack Osiris and Ares Malware Payloads\r\nHowever, a closer inspection reveals that the data is not actually a bitmap image, but has a specific sequence of\r\ndata structures. By reverse engineering the packer, the format of the data structures can be determined, which\r\nconsist of three DWORD values that represent the compressed size (red), uncompressed size (green), next offset\r\n(blue), followed by the compressed data (orange). An example of the first data structure is shown below in Figure\r\n3.\r\nFigure 3. Format of BMPack Data Structures\r\nEach decompressed structure holds a different section of a PE file that is reconstructed and stitched together by a\r\ncustom loader, and executed.\r\nAres Malware\r\nAres is being actively developed and the malware author continues to create and test new plugins and web injects.\r\nIn the most recent Ares samples, there is an embedded DLL module that is compressed within the binary. 
The\r\nmodule contains an export that is designed to establish persistence. The code first copies itself to the location\r\n%APPDATA%\\Adobe\\AdobeNotificationUpdates.exe. It then creates a scheduled task named\r\nAdobeNotificationUpdates that is designed to execute Ares every two hours (with an expiration date of\r\n2050-05-02 12:05:00). Similar persistence code is also found in many DarkCrypter samples.\r\nThe Ares persistence module has the same compilation prefix as other modules in its PDB path\r\nD:\\scm\\Italy\\ares\\source_ob\\Release\\startup.pdb. Ares attempts to locate an export name with the hash value\r\nF4S4G3S4U7C6P2P7, which maps to the string ?Startup@@YAHPA_W@Z. Once the address of this function is\r\nlocated, Ares executes the module.\r\nAres uses the same function hashing algorithm as Kronos, which consists of calculating a CRC64 hash and converting\r\nthe digest to uppercase hexadecimal characters. The result is then mapped to an alphanumeric value as shown in\r\nthe Python code below:\r\ndef kronos_export_hash(function_name):\r\n    # crc64() and hexdigest() stand for the malware's own CRC64 routine and\r\n    # its hex encoding; neither is reproduced here.\r\n    digest = hexdigest(crc64(function_name)).upper()\r\n    out = \"\"\r\n    for i in range(len(digest)):\r\n        if i \u0026 1 != 0:\r\n            val = ord(digest[i]) % 9 + ord('0')   # odd positions become a digit 0-8\r\n        else:\r\n            val = ord(digest[i]) % 25 + ord('A')  # even positions become a letter A-Y\r\n        out += chr(val)\r\n    return out\r\nAres contains most of the same code as its predecessors: Kronos and Osiris. However, there are several notable\r\ndifferences between Osiris and Ares, especially with respect to the C2 communications. Most Ares samples\r\ncurrently do not communicate with C2 servers over TOR. It is not quite clear why most Ares samples have the\r\nTOR component removed, but it may be to reduce the malware's file size and evade corporate firewalls that block\r\nTOR network traffic. However, without TOR, the C2 servers are more vulnerable to takedown attempts. 
Some\r\nAres samples attempt to address this limitation by hardcoding a large number of C2 URLs in the binary. Zscaler\r\nThreatLabz has observed one Ares sample with 101 hardcoded C2 URLs.\r\nAres has also slightly modified the bot ID generation code, replacing the string Kronos with the string Ares as\r\nshown in Figure 4.\r\nFigure 4. Comparison Between Kronos and Ares Bot ID Generation\r\nAres uses the HTTP query string parameters shown in Table 1. The HTTP request that sends the report.zip file is\r\nunique to Ares and discussed in more detail below.\r\nQuery String Description\r\na=0 Send log data\r\na=1 Download web injects\r\na=2 Send keylogger data\r\na=3 Send report.zip file created by Ares Stealer\r\na=4 Request new commands\r\nTable 1. Ares Query String Parameters\r\nAres Commands\r\nAres supports many of the same commands as Kronos and Osiris. However, some of the commands have been\r\nmodified and the malware uninstall command (0x1) was removed. There are four modified commands that are\r\nsupported by Ares as shown below in Table 2.\r\nCommand Number Description\r\n0x3 Set registry value name MSE to 0\r\n0x4 Set registry value name MSE to 1\r\n0x6 Download, decompress, map Ares Stealer into memory, and execute\r\n0xC Download, decompress, map module into memory, and execute\r\nTable 2. New Commands Introduced By Ares\r\nThe commands 0x3 and 0x4 attempt to set a registry value name MSE to zero and one, respectively, under the\r\nregistry key HKEY_CURRENT_USER\\Software\\Microsoft\\CurrentVersion. However, this registry key does not\r\nexist and both functions will fail. This is likely an oversight by the malware author who accidentally left\r\nout Windows in this registry path between Microsoft and CurrentVersion. 
The registry value is not referenced\r\nelsewhere in Ares, so it may hint at a future use.\r\nOne of the most significant modifications is the command 0x6 that downloads, decompresses, and maps a PE file\r\ninto memory, and executes it. Command 0x6 specifically searches for an export name with the hash value\r\nC3E0Q6R7F1H2G5A4, which maps to the string CollectInfo. The code passes two string parameters to the\r\nCollectInfo export. The first string is a pattern provided by the C2 server and the second is hardcoded to the string\r\n%APPDATA%\\Google\\report.zip. Zscaler ThreatLabZ has observed this Ares command being used to download a\r\nfile from the URL http://mydynamite.dynv6[.]net/panel/upload/stealer.dll. The first four bytes of the response are\r\nthe uncompressed file size. The file is decompressed using the same compression algorithm as BMPack.\r\nAres has code artifacts from the development of command 0x6. Samples contain an unreferenced function that\r\nattempts to open a file located at d:\\scm\\Italy\\ares\\source_ob\\Binaries\\Release\\KittyDll.dll.cmp. The file is\r\ndecompressed and mapped into memory using the same process as command 0x6. After the file is mapped, the\r\nexport CollectInfo is called with the parameters: %userprofile%Documents|*.txt|5 and NULL. The purpose of\r\nthese fields will be described in the next section. Note that there is a missing backslash character between\r\n%userprofile% and Documents. This string serves as a directory path, and without the backslash the path\r\nis invalid.\r\nZscaler ThreatLabZ has also identified Ares samples that contain another unreferenced function that loads a VNC\r\nplugin by attempting to open a file located at d:\\scm\\Italy\\ares\\\\source_ob\\Binaries\\Release\\vnc.dll.cmp. 
Similar\r\nto the stealer plugin, the file is decompressed, mapped into memory, and the export MakeItStart is called. The\r\nMakeItStart export name is resolved similarly to the other Ares functions, using the same CRC64-based hash\r\nalgorithm and comparing the result with F0U5R4R6Q8H1P3E5. Ares will then terminate the VNC plugin by\r\nresolving the export name MakeItStop using the same process and comparing the result with the hash value\r\nC6P3T6Q8H1P3E5A8.\r\nThe command 0xC is the most recent modification to Ares and is only found in newer samples.\r\nAres Stealer\r\nAres Stealer is downloaded by Ares and invoked via the export name CollectInfo. The malware is written in C++\r\nand uses the Boost and Curl libraries. Ares Stealer has compilation artifacts showing that the Boost library was\r\ncompiled in the directory d:\\scm\\Italy\\tools\\boost_1_74_0\\boost. This directory prefix is identical to\r\nDarkCrypter’s PDB path and to the location from which the unreferenced Ares test functions attempt to load plugins.\r\nThis artifact, along with the shared compression code, suggests that the same malware author likely developed\r\nDarkCrypter, BMPack, Ares, and Ares Stealer.\r\nThe Ares Stealer export CollectInfo takes two parameters: a pipe-delimited string and a filename string. The pipe-delimited string takes three arguments, which are used by the stealer’s file grabber feature. The first parameter is\r\nthe directory in which to start the file enumeration process, the second parameter is a search pattern, and the last\r\nparameter is the directory search depth. The filename string is used to store the results of the extraction, which are\r\nadded to a zip file.\r\nAn example command string observed from an Ares C2 server is %userprofile%|pass*.txt|5. 
This command will\r\nsearch a victim’s user profile directory up to five levels deep for text files that have the prefix pass.\r\nAres Stealer collects detailed system information and harvests credentials for numerous applications including\r\nFTP clients, VPN clients, web browsers, instant messengers, and email clients. It can also steal files,\r\ncryptocurrency wallets, cookies, and credit cards.\r\nThe stealer will attempt to extract information from the following applications:\r\nFTP clients\r\nFilezilla\r\nVPN clients\r\nNordVPN\r\nOpenVPN\r\nProtonVPN\r\nWeb browsers\r\nMozilla Firefox\r\nGoogle Chrome\r\nMicrosoft Edge\r\nMicrosoft Internet Explorer\r\nChromium\r\nCyberfox\r\nBlackHawk\r\nComodo IceDragon\r\nCometBird\r\nSeaMonkey\r\nPale Moon\r\nWaterfox\r\nMail.ru Atom\r\nChromodo\r\nUran\r\nCocCoc\r\nNichrome\r\nSputnik\r\nK-Meleon\r\nMaxthon 3\r\n360 Browser\r\nAmigo\r\nComodo Dragon\r\nOrbitum\r\nQIP Surf\r\nLiebao\r\nCoowon\r\nCatalina Group Citrio\r\nFenrir Sleipnir\r\nElements\r\nKometa\r\nChedot\r\nCentBrowser\r\n7 Star\r\nIridium\r\nMapleStudio ChromePlus\r\nTorch\r\nYandex Browser\r\nEpic Privacy Browser\r\nOpera\r\nBrave Browser\r\nVivaldi\r\nBlisk\r\nCryptocurrency wallet applications\r\nCoinomi\r\nGuarda\r\nAtomic Wallet\r\nElectrum\r\nEthereum\r\nExodus\r\nBytecoin\r\nArmory\r\nZcash\r\nBitcoin\r\nLitecoin\r\nInstant messenger clients\r\nPidgin\r\nEmail clients\r\nOutlook\r\nOsiris\r\nThe Osiris version that has been used by this threat actor contains a number of new features since the original\r\nversion that appeared in April 2018. 
These updates were introduced around mid-2019 and include the following\r\nchanges:\r\nNew beacon request format that includes information about the compromised system\r\nZlib compression to reduce the size of requests and responses (including web injects)\r\nAbility to deploy TeamViewer on a compromised host\r\nAbility to steal a victim’s Outlook contacts via Nirsoft’s OutlookAddressBookView utility\r\nSend spam emails to a victim’s contact list\r\nNew remote access capabilities\r\nThe threat actor has an Osiris C2 server that is located at http://ylnfkeznzg7o4xjf[.]onion/kpanel/connect.php,\r\nwhich has been instructing infected systems to steal and exfiltrate web browser and email credentials. The web\r\nbrowser harvesting command downloads a sqlite3 library from\r\nhttp://qqkzfkax24p4elax[.]onion/kpanel/upload/sqlite3.dll, which is a dependency to extract Google Chrome\r\npasswords. 
A second module for harvesting Firefox credentials from a 64-bit system is downloaded from\r\nhttp://qqkzfkax24p4elax[.]onion/kpanel/upload/ffc64.exe.\r\nThe C2 is also serving a web inject configuration file, which targets clients at German financial institutions with\r\nthe URL patterns shown below:\r\nset_url https://*commerzbank.de* GPI\r\nset_url https://*.de/*/entry* GPI\r\nset_url https://*.de/banking-*/portal?* GPI\r\nset_url https://*.de/banking-*/portal;* GPI\r\nset_url https://*.de/portal/portal* GPI\r\nset_url https://*.de/privatkunden/* GPI\r\nset_url https://*.de*abmelden* GPI\r\nset_url https://*.de/de/home* GPI\r\nset_url https://*.de/en/home* GPI\r\nset_url https://*.de/fi/home* GPI\r\nset_url https://*banking.sparda.de* GPI\r\nset_url https://*banking.sparda-* GPI\r\nset_url https://*banking.sparda.de/wps/loggedout.jsp GPI\r\nset_url https://*meine.deutsche-bank.de/trxm/db* GPI\r\nset_url https://*banking.berliner-bank.de/trxm* GPI\r\nset_url https://*meine.norisbank.de/trxm/noris* GPI\r\nset_url https://*targobank.de* GPI\r\nWhen a victim browses to a website that matches one of these patterns, JavaScript code will be injected from the\r\nthreat actor’s domain https://securebankingapp[.]com/.\r\nThe full list of web injects for this Osiris instance is shown here.\r\nThe threat actor has another active Osiris C2 server located at\r\nhttp://qqkzfkax24p4elax[.]onion/kpanel/connect.php. This C2 server is also serving commands to exfiltrate\r\ncredentials, but the web inject configuration file is blank. 
However, the C2 server is also providing commands to\r\nextract a victim’s email contact list using Nirsoft’s OutlookAddressBookView, which is downloaded from the\r\nfollowing locations:\r\nhttp://qqkzfkax24p4elax[.]onion/kpanel/upload/oabv32.exe (32-bit)\r\nhttp://qqkzfkax24p4elax[.]onion/kpanel/upload/oabv64.exe (64-bit)\r\nConclusion\r\nAres is a new fork of the Kronos banking trojan that appears to be in the early stages of development. The code\r\ncontains several bugs and unreferenced code segments that are likely used for debugging purposes. The threat\r\nactor has invested significant resources in building DarkCrypter, BMPack, Ares, and Ares Stealer. Therefore,\r\nactivity related to this threat is likely to increase as the malware continues to mature.\r\nDetections\r\nZscaler’s multilayered cloud security platform detects indicators at various levels, as shown below:\r\nWin32.Banker.Kronos\r\nWin32.Banker.Kronos.LZ\r\nMITRE ATT\u0026CK Table\r\nTactic Technique\r\nT0011 Command and Control\r\nT1053 Scheduled Task/Job\r\nT1078 Valid Accounts\r\nT1087 Account Discovery\r\nT1090 Proxy\r\nT1185 Man in the Browser\r\nT1219 Remote Access Software\r\nT1497 Virtualization/Sandbox Evasion\r\nT1552 Unsecured Credentials\r\nT1573 Encrypted Channel\r\nT1592 Gather Victim Host Information\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs can be used to detect Osiris and Ares infections.\r\nSamples\r\nSHA256 Hash Module Name\r\nda767e6faf97d73997f397eae71b372a549dd6331bf8ec0ebd398ef8cfe9a47e Osiris sample\r\n5e7642e945bd05ecea77921cb3464b6da8db59e5ff38240608e3cbb44b07fb1d Osiris sample\r\n7498e37c332d55c14247ae4b675e726336a8683900d8fd1da412905567d2de4a Ares sample\r\ne5d624b7060c0e885abe11a0973a43a355c9930fc6912ff5eac83d1a9eec9c29 Ares 
sample\r\n035793d479c4229693fc6dcceaa639cd51ae89334b43e552b9c47a6dea68ce30 Ares sample with embedded Startup module\r\n94b084ea925990742f4eaaada1eef9a42c13066bf4f4c7a3b12a1509e32ff9e6 Ares Stealer sample\r\n09897c6ef88b9e9bc20917a2b47ec86ff2b727a2923678f5e2df6bb6437d3312 Ares VNC plugin\r\n896cebf465257f60347e58ffd7ec61629cf530956ef9b00e94f8b40ef9b30581 DarkCrypter with second-stage BMPack and Osiris sample\r\n956ae36f40d0d847daa00d7964906e7e9d1671d0f3f2e7d257d5a8d324388c31 DarkCrypter sample with encrypted Ares payload\r\n6c5dac9043b2f112543f3eca6503d4bcc70d762b47d75dcb85f9767c603de56f DarkCrypter sample with compressed Ares TOR payload\r\nb3348405cd0fa66661b46bc6cbab97b55708be26a2ed7a745e1632b46d1b3f41 DarkCrypter sample with encrypted Ares payload\r\n4044abad9a846e203f131c65b1f84bb2b79f94000d1d7be6c6d6a8e27ac76940 BMPack sample with Osiris payload\r\nNetwork Indicators\r\nDomain / IP Address Description\r\nhttp://ylnfkeznzg7o4xjf[.]onion/kpanel/connect.php Osiris C2 URL\r\nhttp://m3r7ifpzkdix4rf5[.]onion/kpanel/connect.php Osiris C2 URL\r\nhttp://qqkzfkax24p4elax[.]onion/kpanel/connect.php Osiris C2 URL\r\nhttps://securebankingapp[.]com Osiris web inject domain\r\nhttp://vbyrduc537l5po3w[.]onion/panel/connect.php Ares C2 URL\r\nhttp://wifoweijijfoiwjweoi[.]xyz/panel/connect.php Ares C2 URL\r\nhttp://ddkiiqefmiir[.]xyz/panel/connect.php Ares C2 URL\r\nhttp://ddkiilefmjim[.]xyz/panel/connect.php Ares C2 URL\r\nhttp://ddkiieeelkif[.]xyz/panel/connect.php Ares C2 URL\r\nhttp://ddkiiofelkkq[.]xyz/panel/connect.php Ares C2 URL\r\nhttp://ddkiihfelikh[.]xyz/panel/connect.php Ares C2 URL\r\nhttp://ddkiiffdkijh[.]xyz/panel/connect.php Ares C2 URL\r\nhttp://ddkiigedliji[.]xyz/panel/connect.php Ares C2 URL\r\nhttp://ddkiirfdmjks[.]xyz/panel/connect.php Ares C2 URL\r\nhttp://ddkiitefkkju[.]xyz/panel/connect.php Ares C2 
URL\r\nhttp://mydynamite.dynv6[.]net/panel/connect.php Ares C2 URL\r\nhttp://cabletv[.]top/panel/connect.php Ares C2 URL\r\nYara rules\r\nThese rules are valid on unpacked Kronos, Osiris, and Ares binaries.\r\nrule kronos_string_decryption\r\n{\r\n strings:\r\n  $ = {6a 1e 5f f7 f7 8b 45 08 8d 3c 1e 8a 04 38 8a ?? ?? ?? ?? ?? 32 c2}\r\n  $ = {55 8b ec 51 8b 4d 08 c1 e1 04 8b ?? ?? ?? ?? ?? 8a}\r\n condition:\r\n  all of them\r\n}\r\nrule kronos_api_strings\r\n{\r\n strings:\r\n  $ = \"D7T1H5F0F5A4C6S3\"\r\n  $ = \"H2G3F4F0F5A4D5E6\"\r\n  $ = \"X1U5U8H8F5A4C8C5\"\r\n  $ = \"E3D7R6B3R4H5F3R7\"\r\n  $ = \"X8D3U3P7S6Q3S5R1\"\r\n  $ = \"X8D3T6Q6U3S3A6R1\"\r\n  $ = \"R6G2D2R3A5E3C4U5\"\r\n  $ = \"H7Y6G2R3A5F4D3S8\"\r\n  $ = \"P7Y3Q5P0Y8C2Y6F6\"\r\n  $ = \"R6Y7B3C6E7E6T7U7\"\r\n  $ = \"G2F3G6A6R3F1P6G2\"\r\n  $ = \"S3H8T8Y5F5B5B0X0\"\r\n  $ = \"C8G2T3U3B1H3T5B5\"\r\n  $ = \"C4R7A2P4X3B1H5A4\"\r\n  $ = \"R3Q7T7Q2R6S1Y3R5\"\r\n  $ = \"E3C3A2Y3C4U6S5F5\"\r\n  $ = \"F3P7Y6P3U3E2U5F3\"\r\n  $ = \"E5X0A4Q4F0Y0D6E2\"\r\n  $ = \"X2R0A4Q4F0Y0D6F3\"\r\n  $ = \"H1G7R4Y7D1E6R5F8\"\r\n  $ = \"G3C3R4H7R5T8E5R8\"\r\n  $ = \"F6H5P7T4F6D6Y6D4\"\r\n  $ = \"E3C7U2Y3C3R6R5D5\"\r\n  $ = \"F5E8X5G3Q6T7E6T3\"\r\n  $ = \"E1U3D5F7R2Y5S0H4\"\r\n  $ = \"H3Y5C8Y2D4U8Y4S3\"\r\n  $ = \"U0U6H1T2F6S1P2Y5\"\r\n  $ = \"D5R3T8D5D3H0B4E2\"\r\n  $ = \"D5B6G6R4A6H1P7A3\"\r\n  $ = \"F1Q3D0H4H3T6U1X5\"\r\n  $ = \"A4T6P1G7D6G0F3S5\"\r\n  $ = \"C7G5T6P7U5B1H0F5\"\r\n  $ = \"X2C7E3U6F3A7Y1D5\"\r\n  $ = \"P4Y7T7R7R8X3E3A3\"\r\n  $ = \"C5Y7R2R2H1R7A1B2\"\r\n  $ = \"S4A3E3S3S4T1T3D1\"\r\n  $ = \"B4Y2H7F8A2T3G4H3\"\r\n  $ = \"B5D6X4H5G6S3R2B5\"\r\n  $ = \"B6F6X4A8R5D3A7C6\"\r\n  $ = \"C6P7E6P7A1R5Q4R7\"\r\n  $ = \"R8S7D7S8H6Y4T6B7\"\r\n  $ = \"U0S3T3D3U5F5B4E8\"\r\n  $ = \"F6C3U4P4X3B1H3T5\"\r\n  $ = 
\"T2F2T3U2H5B1C1A7\"\r\n  $ = \"T0E0H4U0X3A3D4D8\"\r\n  $ = \"C5R4X4H7R5T7A5R6\"\r\n  $ = \"D3S0A7R4F6C8F2R5\"\r\n  $ = \"Y1C1B6A7H3C0E7E7\"\r\n  $ = \"H2E7A5B8Q6G3S7Y3\"\r\n  $ = \"D3Q5F2F3R5Y5Y8S2\"\r\n  $ = \"Y2C3G8R5R3A5F5B4\"\r\n  $ = \"F1D2B6A5T3X2C8R1\"\r\n  $ = \"G5D3P2G0F6G2H8E6\"\r\n  $ = \"Y6Q6P2G0E5E6G2H8\"\r\n  $ = \"Y7D3F3S7X2S4F2X3\"\r\n  $ = \"X7D0E3R2R4Q0E4D3\"\r\n condition:\r\n  25 of them\r\n}\r\nSnort rules\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Zscaler TROJAN Ares Command Beacon\"; flow:establis\r\nSource: https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan"
	],
	"report_names": [
		"ares-malware-grandson-kronos-banking-trojan"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434946,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/418439c5af2b3eedfc17d656f181ba42a740ddf6.pdf",
		"text": "https://archive.orkl.eu/418439c5af2b3eedfc17d656f181ba42a740ddf6.txt",
		"img": "https://archive.orkl.eu/418439c5af2b3eedfc17d656f181ba42a740ddf6.jpg"
	}
}