{
	"id": "3c0444cf-db03-43af-ba96-9030c44441c0",
	"created_at": "2026-04-06T00:06:07.55544Z",
	"updated_at": "2026-04-10T03:37:08.753926Z",
	"deleted_at": null,
	"sha1_hash": "4f6c3ac7e7081f32414c451d66778d3b56a436a8",
	"title": "SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2666178,
	"plain_text": "SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle\r\nBy Josh Grunzweig, Brandon Levene, Kyle Wilhoit, Pat Litke\r\nPublished: 2018-04-17 · Archived: 2026-04-05 22:02:34 UTC\r\nFinding and investigating new malware families or campaigns is a lot like pulling a loose thread from an article of clothing. Once you start tugging gently on the thread, everything starts to unravel. In this particular case we began by investigating a new malware family, which we are calling SquirtDanger based on a DLL, SquirtDanger.dll, used in the attacks. There is strong evidence to indicate that this malware family was created by a prolific Russian malware author that goes by the handle of ‘TheBottle’. By pulling on a few strings we were eventually led to TheBottle's unraveling. In this post we will delve into how we unraveled TheBottle's activities and his newest malware family.\r\nMalware Overview\r\nSquirtDanger is a commodity botnet malware family that comes equipped with a number of characteristics and capabilities. The malware is written in C# (C Sharp) and has multiple layers of embedded code. Once run on the system, it will persist via a scheduled task that is set to run every minute. SquirtDanger uses raw TCP connections to a remote command and control (C2) server for network communications.\r\nSquirtDanger comes with a wealth of functionality, including the following:\r\nTake screenshots\r\nDelete malware\r\nSend file\r\nClear browser cookies\r\nList processes\r\nKill process\r\nList drives\r\nGet directory information\r\nDownload file\r\nUpload file\r\nDelete file\r\nSteal wallets\r\nSteal browser passwords\r\nSwap identified wallets in the victim’s clipboard\r\nExecute file\r\nThe ability to swap out identified wallets with a predetermined wallet owned by the attacker is not a new one, as we have previously reported on it when analyzing the ComboJack malware family. For more information on how the SquirtDanger malware family operates, please refer to the in-depth analysis in the Appendix of this post.\r\nUsing various analytic techniques, Palo Alto Networks Unit 42 researchers were able to extract an embedded identifier from roughly 400 SquirtDanger samples, which we attribute to separate campaigns. Broadly, we identify two subsets of this malware which are divided by distinct mutexes and other indicators that we observed in WildFire. As we dug into this malware, we discovered a code repository which coincided with the capabilities and style of the samples we had observed. A screenshot of this repository's base page is reproduced in figure 1 below:\r\nFigure 1 Source code of SquirtDanger hosted on GitHub\r\nFurther analysis of the code in this repository indicated that our initial assessment was correct, and that this repository was the source code for SquirtDanger. While exploring the code, we discovered that TheBottle had posted this repository (and others) as a companion to a \"confession\" blog posted on telegra.ph.\r\nTheBottle Connection\r\nTheBottle, a well-known Russian cybercriminal, has been active on global underground marketplaces for years. Distributing, selling, and trading malware and source code has been TheBottle's modus operandi on underground marketplaces and forums. It appears, however, that TheBottle has encountered several issues throughout his career as a malware author. According to Vitali Kremez of Flashpoint:\r\n\"Previously, TheBottle was banned unanimously by the underground arbitrators for customer infractions. His underground infractions were very costly, leading to multiple disputes accusing him of not delivering malware support that was needed for long-term criminal operations.\"\r\nWhile investigating SquirtDanger, we came across a confessional blog post claiming to be TheBottle. In the post, the individual claimed responsibility for creating several malware families, including Odysseus Project, Evrial, Ovidiy Stealer, and several others. Again, Vitali of Flashpoint:\r\n\"In his latest confession on telegraph, the actor walks through their life in underground lamenting on his challenges of being a malware developer with real-life issues... His sense of guilt pushed him to release all of his malware creations that were used in many cybercrime operations in the past from \"Ovidiy Stealer\" to \"Reborn Stealer.\"\r\nBelow is a screenshot of TheBottle's original post in his native Russian:\r\nFigure 2 Screenshot of TheBottle's blog post, confessing to authorship of malware families. TheBottle is ultimately expressing regret for creating many of the malware families.\r\nLooking closer at TheBottle's blog posting revealed a Telegram channel exposing a group of roughly 900 individuals, most of whom appear to be Russian. Here the channel members are coordinating attacks, developing code, and trading/selling access to several different botnets and builders. Additionally, this Telegram group appears to be a common haunt of some interesting, prolific actors, some with high-profile ties, such as foxovsky, an underground actor who is famous in underground communities for developing malware. Readers may recall foxovsky as being the author of a previously reported malware family called Rarog. Additionally, the ‘1MSORRY’ actor, who is behind the 1MSORRY cryptocurrency botnet and other malware families being distributed around the globe, was identified as being a member of this community.\r\nFigure 3 Screenshot of Telegram channel with prolific underground actors communicating\r\nAfter some online sleuthing, we were able to find additional accounts across several social media sites TheBottle frequented. Across most of the social media sites we located, it was apparent TheBottle took his hacking persona seriously.\r\nFigure 4 Screenshot of TheBottle's Twitter feed\r\nAlso, looking closer into TheBottle's Twitter conversations helped shed some light on how TheBottle feels about individuals using their malware.\r\nFigure 5 Screenshot of TheBottle's conversation with @malwarhunterteam\r\nInfection Vector/Victimology\r\nIn total, we saw 1,277 unique SquirtDanger samples used across multiple campaigns. SquirtDanger is likely delivered via illicit software downloads, also known as \"Warez\".\r\nAs of the time of writing, we witnessed 119 unique C2 servers that were geographically dispersed:\r\nFigure 9 Geographic distribution of identified C2 servers\r\nAdditionally, in the wild, we were able to identify 52 unique IPs or domains acting as delivery infrastructure. This infrastructure acts as a dissemination point for this malware. Some of this delivery infrastructure appeared to be compromised legitimate websites unwittingly distributing SquirtDanger.\r\nWe have witnessed SquirtDanger being used against individuals across the globe, such as a Turkish university, an African telecommunications company, and a Japanese information and communication technology provider in Singapore.\r\nConclusion\r\nThe SquirtDanger malware family is just one of many commodity families being created today. It comes equipped with a wealth of features that allow attackers to quickly perform various actions on a compromised machine. While the malware itself proved to be interesting, it was the actor behind it that provided a much more interesting story.\r\nAs we pulled on TheBottle's thread, we slowly started to realize that what we've found is just the tip of the proverbial iceberg. As we looked deeper into TheBottle's malware and online activity, we noticed this was just minor activity taking place in a larger web of criminals working together. In fact, just recently, one of TheBottle's allies was outed by the researcher known as Benkow.\r\nUltimately, as we unraveled a small portion of criminal activity, we were able to observe a malware author evolve into what seemed a somewhat remorseful individual, posting on a near personal level. Ultimately, will TheBottle change his ways? We will watch and see.\r\nUsing several sources of intelligence was key to the investigation of this actor and malware, and Palo Alto Networks customers are protected from this threat by:\r\n1. WildFire detects all SquirtDanger files with malicious verdicts\r\n2. AutoFocus customers can track these samples with the SquirtDanger tag\r\n3. Traps blocks all of the files associated with SquirtDanger\r\nAppendix\r\nMalware Analysis\r\nThe SquirtDanger malware family comes equipped with a wealth of features by the author. The malware is coded using C#. The malware author chose to make use of the Costura add-in to embed the SquirtDanger payload into the compiled executable.\r\nOnce the main module is loaded and subsequently executed, it will begin by creating an installation directory, where the malware will copy itself. The following directories and their corresponding installation executables have been observed in the samples analyzed:\r\n%TEMP%\\Microsoft_SQL_SDKs\\AzureService.exe\r\n%TEMP%\\MonoCecil\\Fazathron.exe\r\nAfter SquirtDanger is copied to the necessary path, a new instance of this malware will be spawned prior to killing the current process.\r\nOnce the installation phase has completed and the malware is found to be executed from the correct location, a new mutex will be created to ensure only one instance of the malware is run at a given time. The following two mutexes have been observed across all analyzed samples:\r\nOmagarable\r\nAweasomeDendiBotnet\r\nAfter the mutex has been created, SquirtDanger will proceed to check for the existence of another executable, which will act as a persistence mechanism. This simple executable checks for the existence of the SquirtDanger payload, and if the payload cannot be found, a new copy is written to disk and a new instance is spawned. This executable is embedded within the SquirtDanger payload, and has been observed dropped to the following locations:\r\n%TEMP%\\MSBuild.exe\r\n%TEMP%\\OmagarableQuest.exe\r\nThis dropped file is given both SYSTEM and HIDDEN attributes to prevent victims from discovering it. A new scheduled task is created with a name of ‘CheckUpdate’ to run this file. This scheduled task runs every minute after it is initially set up.\r\nSquirtDanger proceeds to communicate with the remote C2 server using raw TCP sockets. Data sent between the client and server is serialized; however, it is not obfuscated. When the malware initially communicates with the remote server, it will attempt to obtain a list of additional modules to install. An example of this communication may be seen below:\r\nFigure 6 Example communication between malware client and C2 server\r\nAfter the list of modules and their associated URLs are collected, SquirtDanger will download these modules via HTTP communication.\r\nSquirtDanger comes with a wealth of functionality, including the following:\r\nTake screenshots\r\nDelete malware\r\nSend file\r\nClear browser cookies\r\nList processes\r\nKill process\r\nList drives\r\nGet directory information\r\nDownload file\r\nUpload file\r\nDelete file\r\nSteal wallets\r\nSteal browser passwords\r\nSwap identified wallets in the victim’s clipboard\r\nExecute file\r\nIn the case of stealing passwords from browsers, a number of browsers are supported, including the following:\r\nChrome\r\nFirefox\r\nYandex Browser\r\nKometa\r\nAmigo\r\nTorch\r\nOpera\r\nFigure 7 Malware attempting to collect passwords from various popular browsers\r\nSquirtDanger also has the ability to seek out wallets for various cryptocurrencies, including the following:\r\nLitecoin\r\nBitcoin\r\nBytecoin\r\nDash\r\nElectrum\r\nEthereum\r\nMonero\r\nFigure 8 Malware attempting to identify various cryptocurrency wallets on the victim machine\r\nIn addition to stealing wallets, the malware contains the ability to swap a victim’s clipboard data in the event a specific regular expression is encountered. The following regular expressions were present within the malware:\r\nType Regular Expression\r\nQIWI (^\\+\\d{1,2})?((\\d3)|(\\-?\\d{3}\\-)|(\\d{3}))((\\d{3}\\-\\d{4})|(\\d{3}\\-\\d\\d\\-\\d\\d)|(\\d{7})|(\\d{3}\\-\\d\\-\\d{3}))\r\nBTC ^([13][a-km-zA-HJ-NP-Z1-9]{25,34})$\r\nETH ^(0x[0-9a-fA-F]{40})$\r\nLTC ^(L[a-zA-Z0-9]{26,33})$\r\nXRP ^(r[rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz]{27,35})$\r\nDOGE ^(t[0-9a-zA-Z]{34})$\r\nZEC ^(D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})$\r\nXMR ^(4[0-9AB][1-9A-Za-z]{93,104})$\r\nIn the event one of these digital currency addresses is encountered, the malware is configured to swap the value with one that is pre-determined. We were able to retrieve a number of digital currency addresses from our sample set, which have been included in the Appendix of this blog post. This feature is not a new one, as we have previously reported on it when analyzing the ComboJack malware family.\r\nSquirtDanger Samples\r\nFor a full list of SquirtDanger hashes, as well as their first seen timestamps, please refer to the following link.\r\nC2 Servers\r\nFor a full list of C2 servers, as well as their first seen timestamps, please refer to the following link.\r\nDistribution Servers\r\nFor a full list of distribution servers, as well as their first seen timestamps, please refer to the following link.\r\nUpdates:\r\nwww.msftconnecttest[.]com was erroneously included in the IoCs and that has been corrected\r\nSource: https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/"
	],
	"report_names": [
		"unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f6c3ac7e7081f32414c451d66778d3b56a436a8.pdf",
		"text": "https://archive.orkl.eu/4f6c3ac7e7081f32414c451d66778d3b56a436a8.txt",
		"img": "https://archive.orkl.eu/4f6c3ac7e7081f32414c451d66778d3b56a436a8.jpg"
	}
}