{
	"id": "69078d96-b9c6-472c-bf29-89139d02383c",
	"created_at": "2026-04-06T00:18:12.818658Z",
	"updated_at": "2026-04-10T03:36:48.225997Z",
	"deleted_at": null,
	"sha1_hash": "467ef951580eb0dbebf68e8cd2b68f06e0f0f748",
	"title": "Deep Analysis of Snake",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1629681,
	"plain_text": "Deep Analysis of Snake\r\nBy Mohamed Ezzat\r\nPublished: 2024-06-30 · Archived: 2026-04-05 19:53:10 UTC\r\nMeet Snake keyloggerPermalink\r\nSnake, also known as the 404 Keylogger and Snake Keylogger, is a . NET-based info-stealing malware that was first\r\ndiscovered in late 2020, commonly spread via phishing scams, and remains a major threat in 2024.\r\nThe name ‘Snake’ comes from strings in its log files and code. Threat actors use the snake’s builder to select features\r\nand create new attacks. This means the capabilities of different versions can vary.\r\nSnake has evolved from basic keystroke logging to include advanced data capture capabilities. Over time, it has\r\nimproved its stealth and persistence techniques. Recent campaigns have increasingly targeted critical infrastructure\r\nand used legitimate services to mask malicious activities.\r\nTechnical in PointsPermalink\r\nSnake operates in multiple stages, where each stage decrypts and loads the next payload. This staged approach\r\ninvolves using.NET assemblies and dynamic analysis to reveal the core payload.\r\nHost Profiling: Snake will gather information about the infected host; it collects the following information:\r\nthe PC name, date and time, client IP address, country name, country code, region name, region code, city,\r\ntime zone, latitude, and longitude, which are put in the header of the collected stolen information.\r\nSnake makes use of timers to execute specific tasks at regular intervals, such as repeatedly capturing\r\nkeystrokes, screenshots, and clipboard contents, as well as scheduling data exfiltration to remote command-and-control servers to avoid detection.\r\nSnake steals sensitive data from applications installed on infected systems, including email clients and\r\nbrowsers, capturing credentials and other information. 
It also targets FTP clients such as FileZilla and communication apps like Discord.\r\nConfiguration Extraction: Snake comes with an embedded configuration; in this variant, the configuration is Base64 encoded and encrypted using DES with a hard-coded key. The configuration contains the host, port, username, and password, which determine the set-up used for its server to exfiltrate the gathered information.\r\nSnake sends stolen data to its server using various methods, including SMTP, FTP, and Telegram, in plain text or encrypted using the DES algorithm.\r\nSample Basic Information\r\nThe sample is identified as a PE32 executable (GUI) Mono/.Net assembly designed for the x86 architecture. It was created on July 25, 2082, at 14:24:59 UTC, and according to VirusTotal, it first appeared in the wild on June 11, 2024, at 18:32:45 UTC.\r\nhttps://zw01f.github.io/malware%20analysis/snake/\r\nPage 1 of 21\n\nFigure(1): sample on VirusTotal\r\nUnpacking\r\nStage 1\r\nPacked .NET samples usually hide a further-stage payload that is unpacked in memory at runtime and loaded from a byte array via reflection, without writing it to disk.\r\nIn Snake, when the main entry point is called, it creates a form (Form1). The form’s constructor then loads and creates a type from the decrypted payload.\r\nThe process starts with Activator.CreateInstance, which dynamically creates an instance of a type during program execution.\r\nThe type is determined through DefaultJsonNameTable.Anterne, which then starts loading the second-stage assembly or module using AppDomain.CurrentDomain.Load. 
This assembly/module is decrypted from an embedded resource (Resources.Example) using a simple XOR encryption method with the hard-coded key YPrALKXmrr.\r\nFigure(2): Decrypting the second stage\r\nTo extract the binary after unpacking, we can run a dynamic analysis session, stepping through the code, setting a breakpoint at the line where the module is loaded, and saving it to disk; alternatively, we could keep working with the dynamic session until we get our final payload.\r\nFigure(3): Next stage: Example.dll is loaded into memory.\r\nStage 2\r\nBy analyzing the interesting function BMfMTiULrwrQOTDiGxUMZ(), we see that it uses reflection to load an assembly and invoke a method from it dynamically.\r\nFigure(4): Stage 2 Entry Point\r\nThe encrypted data (Resources.AQipUvwTwkLZyiCs) is retrieved using a ResourceManager (Resources.ResourceManager) and decrypted using AES in ECB mode with a SHA-256-hashed key to get the assembly to load.\r\nFigure(5): Decrypting the third stage\r\nThen, the type (class) and method to be invoked are decrypted using the same technique.\r\nThe decryption method uses the AES encryption algorithm (RijndaelManaged). It initializes with a predefined salt for key derivation and uses Rfc2898DeriveBytes to derive the encryption key and IV from a provided password.\r\nFigure(6): Decryption of the class name and method using AES.\r\nAfter loading the assembly and getting the method, the malware runs it with specific parameters. 
These parameters are: a PE file fetched from ‘Resources.Scrivens’, decrypted using the previously mentioned AES decryption method, as the first parameter, and the file path of the application’s executable as the second parameter.\r\nFigure(7): The third stage, AQipUvwTwkLZyiCs.dll, is loaded into memory.\r\nStage 3\r\nThis DLL is more obfuscated than the previous stages; it dynamically decrypts the APIs it needs using a simple XOR and loads them.\r\nFigure(8): Decrypting and loading APIs\r\nBy looking into the code, this stage uses process hollowing to inject the main Snake payload into a newly created child process and execute it to evade detection.\r\nFigure(9): Third stage main code\r\nFirst, the file path passed as the first argument is used to start a new process in suspended mode; the process’s memory is hollowed out using ZwUnmapViewOfSection() and then allocated again using VirtualAllocEx() with RWX permissions.\r\nNext, it writes the final-stage executable, passed as the first argument of the previous stage, to the allocated memory region using two calls to WriteProcessMemory().\r\nFinally, it makes the necessary modifications: the thread context is updated using SetThreadContext and the suspended thread is resumed with ResumeThread, allowing the new process to run with the injected malicious code.\r\nBy dumping the data injected into the process, we can extract the final Snake payload and start examining the malware’s exact behavior.\r\nAnti Analysis\r\nCode Obfuscation\r\nSnake’s final payload uses obfuscation tools like Deep Sea Obfuscator and Ben-Mhenni-Protector to make its code quite challenging to understand. 
The names of classes and functions are scrambled, making the code difficult to analyze.\r\nFigure(10): Obfuscated Code\r\nTo better understand the code, we can use the tool de4dot to de-obfuscate the payload file. This makes the code easier to read, allowing us to analyze it more effectively.\r\nDate check\r\nSnake checks the current date it runs on; if a specified date has passed, the executable schedules its own deletion to avoid detection or analysis.\r\nFigure(11): Date check and self-deletion\r\nDetect Analysis Environment\r\nSnake uses specific IP addresses to check for monitoring or analysis. If these IPs are detected, the malware alters its behavior to avoid detection. If the environment is considered clean, the malware sends the collected data to its server.\r\nFigure(12): Check for Analysis Environment\r\nChecking Processes\r\nSnake loops through running processes on the system and compares their executable names against a list of processes generally associated with antivirus software, firewalls, network monitoring tools, other security-related applications, and malware analysis tools, and terminates any running process whose name matches one of those listed.\r\nFigure(13): Check running processes\r\nFull process list (first entries shown):\r\n  zlclient\r\n  egui\r\n  bdagent\r\n  wireshark\r\n  olydbg\r\nMain Snake Functionality\r\nHost Profiling\r\nSnake builds a detailed profile of the infected system; it gathers important details from infected machines, starting with basic information like the machine’s name and current date/time. 
Also, it retrieves sensitive geolocation data such as the machine’s public IP address, country name/code, region name/code, city name, time zone, and precise latitude and longitude coordinates.\r\nFigure(14): Host profiling of the compromised machine\r\nKeyLogging\r\nSnake performs keylogging and employs a timer to periodically send this data to its server.\r\nIn programming, timers run a specific piece of code at regular intervals. In .NET, the System.Windows.Forms.Timer class is often used in Windows Forms applications to trigger events at set intervals. Timers allow asynchronous execution, enabling actions to happen independently of the main program’s flow.\r\nFigure(15): Timer used for sending keylogs\r\nSnake’s keylogger runs continuously in the background by using the SetWindowsHookExA API to set up a Windows hook (_hook). This hook monitors keyboard events and integrates itself into the keyboard hook chain. The hook is associated with the callback method _hookCallback, which handles keyboard events. Whenever a key is pressed, this callback function is triggered. It records the keystroke and then forwards the call to the next hook in the chain.\r\nFigure(16): Keylogger function\r\nIt also regularly monitors and logs the title of the active foreground window using APIs like GetForegroundWindow() and GetWindowText(). By recording the active window’s title alongside keystrokes, the keylogger gains valuable context about where and when the keystrokes occur. 
This is important for enriching the information captured by the keylogger and helps the attacker understand which apps or windows are in use when the user types.\r\nFigure(17): Capture the title of the current active window.\r\nScreenshot\r\nSnake periodically captures screenshots of the user’s screen, which may capture sensitive information such as documents or login credentials, saving them initially as “Screenshot.jpg” in a folder “SnakeKeylogger” within the user’s Documents directory. The captured images are stored until they are sent to the attacker, after which they are deleted from the system. This process is triggered by a timer set to run every 100 milliseconds.\r\nFigure(18): hashdb result\r\nClipboard\r\nSnake uses a timer to capture and process clipboard contents. It retrieves text from the clipboard using Class2.Class1_0.Clipboard.GetText() and checks whether the text is already stored in a global variable before adding it, to ensure that each unique clipboard entry is logged only once. Periodically, another timer sends the collected clipboard data to its server. This capability allows Snake to capture sensitive information, such as passwords or credit card numbers, that users have copied.\r\nFigure(19): Capture and parse clipboard contents.\r\nSteal Email Clients credentials\r\nSnake retrieves Outlook email credentials from Microsoft Outlook profiles stored in the Windows Registry and gets values associated with various email protocols such as IMAP, POP3, HTTP, and SMTP. 
If these values are found, it decrypts the passwords using a helper method and retrieves the associated email addresses and email information.\r\nFigure(20): Extract and log Outlook's credentials\r\nWith a similar method, Snake targets Foxmail to extract stored credentials by retrieving the Foxmail installation path from the registry and constructing the path to the storage directory where account information is stored. It loops through the directories within Storage, looking for Account.rec0 files that contain account credentials (e-mail and password).\r\nPath | Description\r\nSOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676 | Outlook profile registry (Office 15.0)\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676 | Outlook profile registry (Windows NT)\r\nSOFTWARE\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676 | Messaging profiles (Windows)\r\nSOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676 | Outlook profile registry (Office 16.0)\r\nSOFTWARE\\Classes\\Foxmail.url.mailto\\Shell\\open\\command | Foxmail registry\r\n\\\\Accounts\\\\Account.rec0 | Account data file path\r\nThe extracted information is then formatted and appended to the stolen info global variable to be sent to the attacker.\r\nSteal Browsers Credentials\r\nBrowsers store saved login credentials in encrypted files. Snake has a predefined list of common browsers and checks for their existence on the system. 
It can access these storage locations to extract these credentials and send them to the attacker.\r\nChromium-based browsers\r\nChromium-based browsers, such as Chrome, use SQLite databases to store saved login credentials in a file called ‘Login Data’ in the user’s profile directory.\r\nSnake scans the system for browser profiles and accesses the SQLite databases used by these browsers, then parses the ‘logins’ table within the SQLite database, iterating through each row to retrieve the website URL (origin_url), the username (username_value), and the encrypted password (password_value). Depending on the encryption version, it tries to decrypt passwords. Both the username and decrypted password are formatted into a string and appended to the stolen info global variable to be sent to the attacker.\r\nFigure(21): Extract and decrypt the Chrome credential.\r\nThe full list of browsers (first entries shown):\r\n  Google Chrome\r\n  Chrome Canary\r\n  BraveSoftware (Brave-Browser)\r\n  360Browser\r\n  Chromium\r\nGecko-based browsers\r\nGecko-based browsers use JSON files to store saved login credentials in ‘logins.json’.\r\nSnake scans directories to find profiles of Gecko-based browsers, such as Firefox. Then, it accesses the logins.json file within each profile directory, which stores encrypted login credentials, including usernames and passwords.\r\nFigure(22): Extract and decrypt the Mozilla browser credential.\r\nIt decrypts these credentials using cryptographic libraries (mozglue.dll and nss3.dll), which are dynamically loaded from the installation directories of Mozilla Firefox and related browsers. 
Once loaded, these libraries enable Snake to initialize the NSS (Network Security Services) library, creating the necessary cryptographic contexts that decrypt and extract usernames and passwords.\r\nFigure(23): Snake tries to load mozglue.dll and nss3.dll by checking installed paths.\r\nThe decrypted information is formatted into strings and appended to the stolen info global variable to be sent to the attacker.\r\nThe full list of Gecko-based browsers is:\r\n  Mozilla Firefox\r\n  SeaMonkey\r\n  IceDragon\r\n  Cyberfox\r\n  Pale Moon\r\n  Waterfox\r\n  icecat\r\nSteal FTP clients credentials\r\nThe FileZilla software program is a free-to-use (open source) FTP utility, allowing a user to transfer files from a local computer to a remote computer.\r\nFileZilla is targeted by Snake to get the saved configurations of previously accessed servers. By parsing the recentservers.xml file located in the user’s AppData directory, it tries to retrieve stored server details such as hostnames, usernames, encrypted passwords, and ports. It uses XML parsing techniques to extract these elements and decode the Base64-encoded password.\r\nFigure(24): Extract and log FileZilla info.\r\nObtain Discord tokens\r\nDiscord uses a token-based authentication system. Each user session is identified by a token that is stored locally. By accessing the leveldb files, Snake can extract these tokens and use them to mimic the user, gaining access to their account without needing their password. This can lead to unauthorized access to personal messages, servers, and other sensitive information.\r\nThe code checks if the leveldb directory exists. If found, it iterates through its files to locate .ldb files containing the substring “oken” (part of “token”). It then extracts the token by splitting the text around the “oken” substring and reassembling the parts to separate the token. 
Finally, it logs the result to be sent to the attacker.\r\nFigure(25): Steal Discord login tokens\r\nStealing Wi-Fi Credentials\r\nSnake extracts Wi-Fi profile information and passwords using netsh commands. It starts by fetching a list of Wi-Fi profiles on the system.\r\nFigure(26): Retrieve Wi-Fi profiles on the system.\r\nThen it parses each profile to retrieve its name and clear-text password. This information is logged and sent to the attacker.\r\nFigure(27): Extracting and Formatting Wi-Fi Profile Passwords.\r\nBy gathering Wi-Fi credentials, Snake can secretly connect to networks, monitor traffic for sensitive data, and use that access for activities like botnet operations or data theft.\r\nSnake’s data exfiltration Functionality\r\nSnake contains an embedded DES-encrypted configuration within its binary.\r\nFigure(28): Encrypted configuration\r\nSnake uses DES in ECB mode with a hard-coded key for the embedded configuration. It first decodes the data from Base64. For decryption, it hashes the key using MD5 and uses only the first 8 bytes of the hash as the final DES key to decrypt the data.\r\nFigure(29): Encryption algorithms used in the configuration\r\nWe can use CyberChef to simulate the decryption process statically. 
First, the key is MD5-hashed (6fc98cd68a1aab8b24c517549e658115), and the first 8 bytes of the hash are used to decrypt the data.\r\nFigure(30): The actual decrypted configuration the malware uses.\r\nThese configuration values determine the server setup used by the sample:\r\nHost: valleycountysar[.]org\r\nPort: 26\r\nUsername: rightlut@valleycountysar[.]org\r\nPassword: fY,FLoadtsiF\r\nData Exfiltration\r\nMalware needs to connect to servers to exfiltrate stolen data.\r\nSnake can transmit gathered information in plaintext or DES-encrypted format to its server through several communication methods, including SMTP, FTP, or even sending it to a specific Telegram bot.\r\nSMTP\r\nSnake uses SMTP (Simple Mail Transfer Protocol) in two different approaches for data exfiltration.\r\nThe first approach creates an email (a mail message) with the following configuration: sender, recipient, subject (including PC name and a tracking identifier), and a body containing stolen information. This email is sent using an SmtpClient configured with host, port, and authentication credentials (username and password).\r\nFigure(31): Using SMTP for data exfiltration, the body mail approach\r\nThe second approach is to create an email (MailMessage2) with similar sender and recipient details. But instead of adding data directly, it attaches files containing stolen information. This method also uses an SmtpClient2 configured similarly to the first way.\r\nFigure(32): Using SMTP for data exfiltration (attachments)\r\nFTP\r\nThe FTP request is configured with credentials (user name and password) to authenticate access to the FTP server, using a dynamic method to create an FtpWebRequest. 
It builds a filename by combining the machine name with a random string and adding a .txt extension, which helps uniquely identify the data.\r\nFigure(33): Using FTP for data exfiltration\r\nTelegram\r\nSnake uses Telegram’s bot API as a C2 channel by creating and communicating with a bot hosted on Telegram servers. It starts by creating a message containing stolen information, which is URL-encoded and sent via HTTPS POST requests to a remote endpoint ( Class6.string_1 + \"/_send_.php?L\" ) where the encoded message is directed for transmission.\r\nFigure(34): Using telegram bot for data exfiltration\r\nPersistence\r\nSnake adds a startup entry to the Windows Registry, ensuring that the malware runs automatically on system boot.\r\nFigure(35): Persistence function\r\nConclusion\r\nAnalyzing Snake revealed its true purpose as a sophisticated keylogger and data stealer that targets sensitive data from various applications like browsers, email clients, FTP clients, and messaging apps, demonstrating its broad data theft capabilities.\r\nYARA Rule\r\nrule detect_unpacked_snake\r\n{\r\n    meta:\r\n        description = \"A rule for detecting unpacked snake samples\"\r\n        author = \"Mohamed Ezzat (@ZW01f)\"\r\n        hash1 = \"e81ff60c955d9f232d4812a68ef4335f204be923d6aa75c5d309e8fe76eed1ed\"\r\n        hash2 = \"fc20db86eea0db054491e5739e93153c5548ed933e0df6a139582e0b8569e737\"\r\n        hash3 = \"461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e\"\r\n    strings:\r\n        $mz = {4D 5A} // PE file\r\n        $s0 = \"YFGGCVyufgtwfyuTGFWTVFAUYVF\" ascii wide\r\n        $s1 = \"Snake Keylogger Stub New\" ascii wide\r\n        $s2 = \"\\\\SnakeKeylogger\" wide\r\n        $s3 = \"Open Network\" ascii wide\r\n        $s4 = \"- Clipboard Logs ID -\" ascii wide\r\n        $s5 = \"| Snake Tracker\" wide\r\n        $s6 = \"/C choice /C Y /N /D Y /T 3 \u0026 Del \\\"\" ascii wide\r\n        $s7 = \"wlan show profile\" ascii wide\r\n        $p1 = {1D 8D ?? 00 00 01 25 16 72 ?? ?? 00 70 A2 25 17 09 A2 25 18 72 ?? ?? 00 70 A2 25 19 11 04 A2 25 1A 72\r\n    condition:\r\n        ($mz at 0) and (all of ($p*)) and (5 of ($s*)) and filesize \u003c 500KB\r\n}\r\nIoCs\r\nStage | Hash\r\nStage 1 | faebc09f47203bbe599ac368f12622f38255e957d1435e6763c80bf2ebd988bf\r\nStage 2 | 8a520450581de3e9987f53c54723fdf9d4af32571769c49af7c18d985ef52fb0\r\nStage 3 | 45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b\r\nMain payload | 68df92cd19e5587a799a54bc21ddd95a27223faf972c6a914c818c99d3332a84\r\nURL | hxxp://103[.]130[.]147[.]85\r\nURL | valleycountysar[.]org\r\nEmail / UserName | rightlut@valleycountysar[.]org\r\nPassword | fY,FLoadtsiF\r\nSource: https://zw01f.github.io/malware%20analysis/snake/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zw01f.github.io/malware%20analysis/snake/"
	],
	"report_names": [
		"snake"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434692,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/467ef951580eb0dbebf68e8cd2b68f06e0f0f748.pdf",
		"text": "https://archive.orkl.eu/467ef951580eb0dbebf68e8cd2b68f06e0f0f748.txt",
		"img": "https://archive.orkl.eu/467ef951580eb0dbebf68e8cd2b68f06e0f0f748.jpg"
	}
}