{
	"id": "d4e275b6-5502-4544-9826-5613a0ac4ed6",
	"created_at": "2026-04-06T00:21:00.435913Z",
	"updated_at": "2026-04-10T03:37:09.146879Z",
	"deleted_at": null,
	"sha1_hash": "4cb2ee7778d5854e285857b0bece0cd552e913f1",
	"title": "Invicta Stealer Spreads via Fake GoDaddy Refund Invoices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1649271,
	"plain_text": "Invicta Stealer Spreads via Fake GoDaddy Refund Invoices\r\nBy cybleinc\r\nPublished: 2023-05-25 · Archived: 2026-04-05 21:30:26 UTC\r\nCyble Research \u0026 Intelligence Labs analyzes Invicta, a new stealer that spreads via fake GoDaddy Refund invoices\r\nto infect users.\r\nThreat Actor Releases Free Builder to Boost Popularity and Inflict Damage\r\nIt is apparent from past evidence that threat actors (TAs) utilize social media platforms to demonstrate their\r\ntechnical expertise to attract potential allies or customers interested in acquiring or leasing malware families such as\r\nStealers, Ransomware, RATs, and similar tools.\r\nThe primary motivation behind such actions is to generate monetary gains or seek collaborations for engaging in\r\nhighly profitable cyber-attacks. This pattern underscores the role of social media as a tool for connecting with like-minded individuals and facilitating the pursuit of lucrative cybercrime activities.\r\nCyble Research and Intelligence Labs (CRIL) came across a new stealer named Invicta Stealer. 
The developer\r\nbehind this malware is extensively engaged on social media platforms, utilizing them to promote their information\r\nstealer and its lethal capabilities.\r\nThe figure below shows the Telegram channel created by TAs to promote the stealer.\r\nhttps://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/\r\nPage 1 of 16\n\nFigure 1 – Invicta Stealer Telegram Channel\r\nAdditionally, the TA has created a YouTube Channel where they demonstrate a video tutorial detailing the steps to\r\ncreate the Invicta Stealer executable using a builder tool available in the GitHub repository.\r\nThe Invicta Stealer can collect system information, system hardware details, wallet data, and browser data and\r\nextract information from applications like Steam and Discord.\r\nThe GitHub post by the TA, illustrated in the figure below, highlights their active promotion of the Invicta Stealer\r\nand its functionalities.\r\nFigure 2 – GitHub Post of Invicta Stealer\r\nThe GitHub post includes a noteworthy detail: the malware developer generously offers a free stealer builder\r\nalongside the provided information. 
When running the builder executable, users are prompted to input a Discord\r\nwebhook or server URL, which serves as the command and control (C\u0026C) mechanism.\r\nThe figure below illustrates the Invicta Stealer builder.\r\nFigure 3 – Invicta Stealer Builder\r\nCRIL has noticed a significant increase in the prevalence of the Invicta Stealer due to its builder availability on the\r\nGitHub page, leading to numerous TAs actively employing it to infect unsuspecting users.\r\nThe figure below shows the statistics of Invicta Stealer samples identified in the wild.\r\nFigure 4 – Increased Activity of Invicta Stealer\r\nInfection Chain\r\nThe infection begins with a spam email carrying a deceptive HTML page designed to appear as an authentic refund\r\ninvoice from GoDaddy, aiming to trick the recipients.\r\nThe figure below shows the phishing HTML page.\r\nFigure 5 – Phishing HTML Page\r\nUpon opening the phishing HTML page, users are instantly redirected to a Discord URL, initiating the download of\r\na file named “Invoice.zip”. The figure below illustrates the HTML page’s redirection process to the Discord URL to\r\ndownload “Invoice.zip”.\r\nFigure 6 – Browser Redirecting to Download Compressed File\r\nInside the “Invoice.zip” archive file, there is a shortcut file named “INVOICE_MT103.lnk”. When the user opens\r\nthis .LNK file, it triggers a PowerShell command that runs a .HTA file hosted on the TAs’ Discord server. The figures\r\nbelow depict the .LNK file and the PowerShell command.\r\nFigure 7 – Details of the Malicious Link File\r\nThis HTA file contains VBScript code that, in turn, executes a PowerShell script. 
The PowerShell script is\r\nresponsible for downloading an extremely malicious Invicta Stealer disguised as “Invoice_MT103_Payment.exe”.\r\nThe figure below shows the malicious PowerShell Command.\r\nFigure 8 – Malicious PowerShell Command\r\nThe figure below depicts the entire infection chain of the Invicta stealer, illustrating the step-by-step progression\r\nfrom the initial infection to the delivery of the final payload.\r\nFigure 9 – Invicta Stealer Infection Chain\r\nTechnical Analysis\r\nFor our analysis of Invicta stealer capabilities, we obtained a 64-bit GUI binary of the malicious Invicta Stealer from\r\nthe wild. Its SHA256 hash is 067ef14c3736f699c9f6fe24d8ecba5c9d2fc52d8bfa0166ba3695f60a0baa45.\r\nThe figure below displays the details of the Invicta Stealer that CRIL analyzed.\r\nFigure 10 – Invicta Stealer File Details\r\nAnti-VM techniques\r\nTo obscure the reversing process, the stealer employs several techniques. The developers utilize encrypted strings to\r\nconceal important information, and crucial operations are executed using SYSCALLS, making it harder to analyze\r\nthe code. Additionally, the stealer leverages multithreading to carry out multiple malicious activities simultaneously.\r\nThe figure below illustrates the assembly code responsible for the execution of SYSCALLS.\r\nFigure 11 – Invicta Stealer Implementing SYSCALLS\r\nTargeting System Information\r\nUpon execution, the stealer collects an extensive array of system information. 
This includes details such as the\r\ncomputer name, system username, system time zone, system language, operating system version, and names of\r\nrunning processes. Additionally, the stealer employs techniques to extract system hardware information, such as the\r\nmain memory size, number of CPU cores, screen resolution, hardware ID, IP address, and Geo IP details. Once the\r\nsystem information is extracted, the stealer consolidates the collected data into a single text file named\r\n“sys_info.txt”. This file is then stored in memory and will be exfiltrated in the later stage of execution.\r\nFigure 12 – sys_info.txt File Containing the System Details\r\nTargeting Discord\r\nUpon retrieving essential system information, the stealer proceeds to verify the presence of the Discord application\r\non the targeted system. To accomplish this, the stealer enumerates three specific paths within the system. This\r\nenumeration aims to confirm the installation of Discord and, if it is indeed present, proceed with the extraction of its\r\ndata. The paths enumerated by the Invicta Stealer are:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\discord\\Local Storage\\leveldb\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\discordptb\\Local Storage\\leveldb\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\discordcanary\\Local Storage\\leveldb\r\nThe figure below shows the Invicta Stealer targeting Discord.\r\nFigure 13 – Invicta Stealer Targeting Discord\r\nTargeting Wallets\r\nOnce Discord is targeted, the stealer enumerates the installed cryptocurrency wallets within the system. 
This\r\nenumeration process involves identifying and listing the various wallets present.\r\nThe figure below showcases the specific code segment where the stealer performs the wallet enumeration.\r\nFigure 14 – Invicta Stealer Targeting the Crypto Wallets\r\nThe wallets targeted by the Invicta Stealer are:\r\nNeon, Zcash, VERGE, WalletWasabi, neblio, Exodus, atomic, Armory, Guarda, Bitcoin, scatter, Binance, Coinomi, Dogecoin, Electrum, Litecoin, CloakCoin, ElectrumG, MultiBitHD, Exodus Eden, Electrum-LTC, Electrum-Smart, com.liberty.jaxx, Daedalus Mainnet, ark-desktop-wallet, Nano Wallet Desktop\r\nTargeting Browsers\r\nFollowing the targeting of cryptocurrency wallets, the stealer focuses on the user’s browser to steal sensitive data.\r\nThis data includes the leveldb folder, autofill data, cookies, credit card details, downloads, browsing history,\r\nkeywords, and login data.\r\nThe figure below illustrates the code snippet where the stealer conducts the enumeration of browser data.\r\nFigure 15 – Stealer Enumerating the Browsers\r\nThe stealer targets the following browsers to steal information:\r\nQIP Surf, BraveSoftware, Blisk, Torch, 7Star, Amigo, Opera Stable, Yandex, Comodo Dragon, Chedot, Google Chrome, CocCoc Browser, Kometa, Citrio, Coowon, liebao, Iridium, Sputnik, Orbitum, Vivaldi, Slimjet, ChromePlus, Elements Browser, Sleipnir, Chromium, Uran, 360Browser, Opera Neon, CentBrowser, Epic Privacy Browser, Microsoft Edge\r\nAfter confirming the presence of the targeted browser within the system, the stealer initiates the process of\r\nextracting data from it. The extracted data is then stored in memory, preparing it for the subsequent exfiltration\r\nstage. 
The figure below illustrates the code snippet the stealer employs to steal login data from the Edge browser\r\nspecifically.\r\nFigure 16 – Invicta Stealer Targeting Login Data\r\nThe figure below shows stolen data from the browsers installed on the victim’s machine.\r\nFigure 17 – Invicta Stealing the Browser Data from System\r\nTargeting Steam\r\nSimultaneously with the theft of browser data, the stealer also directs its attention toward the Steam gaming\r\napplication. Its objective is to steal crucial information such as active gaming sessions, usernames, and a\r\ncomprehensive list of games installed by the user on the system.\r\nThe figure below displays the specific code segment in which the stealer targets the Steam application.\r\nFigure 18 – Invicta Stealer Targeting Steam Gaming Application\r\nTargeting Password Manager\r\nFollowing the extraction of Steam data, the stealer then shifts its focus towards targeting the KeyPass password\r\nmanager. KeyPass is a password management application that centralizes and manages passwords for various\r\nwebsites and applications in one location.\r\nThe figure below showcases the code segment targeting the KeyPass password manager.\r\nFigure 19 – Invicta Stealer Targets KeyPass Password Manager\r\nInstalled Applications and Users\r\nNext, the Invicta Stealer initiates the process of extracting user account details, including the applications associated\r\nwith those accounts. 
It gathers the names and versions of these applications and saves the collected information in\r\nmemory, creating a text file named “installed.txt”, as depicted below.\r\nFigure 20 – Stealer Extracting the Installed Application Details\r\nStealing Important Files\r\nFollowing the enumeration of installed applications, the stealer advances towards stealing files from the Desktop\r\nand Documents folders. Specifically, the figure below depicts the routine employed by the stealer to target and\r\nextract text files from the Desktop folder.\r\nFigure 21 – Invicta Stealer Targeting the Files in the System\r\nAs the stealer actively collects the targeted data, it temporarily stores the acquired files in the system’s memory.\r\nOnce the necessary enumerations are completed, the stealer progresses to create a compressed zip file that\r\nencapsulates all the stolen files residing in memory.\r\nThis zip file is generated within the system’s temporary folder and is assigned a random name that incorporates the\r\nhardware ID of the victim’s system for identification purposes.\r\nThe figure below presents an illustration of the zip file.\r\nFigure 22 – Invicta Stealer Creating Zip File Containing Stolen Data\r\nAfter successfully completing the data theft process, the stealer proceeds to carry out the next step by sending the\r\nstolen data to the designated C\u0026C server or Discord webhook.\r\nConclusion\r\nWe have observed an ongoing trend where malware developers create and offer a wide range of stealers to potential\r\nbuyers and affiliates. 
Among these, the Invicta Stealer stands out as an extremely potent threat due to its ability to\r\ntarget multiple categories of highly sensitive information across several applications and browsers.\r\nThis stolen data can be leveraged by attackers for financial gain, as well as for launching attacks on other\r\nindividuals or organizations using the compromised information. It is crucial to acknowledge the severity of this\r\nthreat and take appropriate measures to protect against such malicious activities.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices as mentioned below:   \r\nAvoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as\r\nYouTube, torrent sites, etc., mainly contains such malware.\r\nUse strong passwords and enforce multi-factor authentication wherever possible. \r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed antivirus and internet security software package on your connected devices, including PC,\r\nlaptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity. 
\r\nEducate employees on protecting themselves from threats like phishing/untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor the beacon on the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) Solutions on the employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nExecution  T1204  User Execution\r\nDefense Evasion  T1027  Obfuscated Files or Information\r\nCredential Access  T1528  Steal Application Access Token\r\nCredential Access  T1555  Credentials from Password Stores\r\nDiscovery  T1010  Application Window Discovery\r\nDiscovery  T1083  File and Directory Discovery\r\nCollection  T1005  Data from Local System\r\nCommand and Control  T1071  Application Layer Protocol\r\nIndicators of Compromise (IOCs)\r\nSource: https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/"
	],
	"report_names": [
		"invicta-stealer-spreading-through-phony-godaddy-refund-invoices"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4cb2ee7778d5854e285857b0bece0cd552e913f1.pdf",
		"text": "https://archive.orkl.eu/4cb2ee7778d5854e285857b0bece0cd552e913f1.txt",
		"img": "https://archive.orkl.eu/4cb2ee7778d5854e285857b0bece0cd552e913f1.jpg"
	}
}