{
	"id": "3a44fecc-9a47-4ef2-9a2a-eeabd34b4d61",
	"created_at": "2026-04-06T00:16:48.616955Z",
	"updated_at": "2026-04-10T03:37:08.794351Z",
	"deleted_at": null,
	"sha1_hash": "51546af40345afbe8fb55383e3735699a4774c80",
	"title": "Don't Judge a PNG by Its Header: PURELOGS Infostealer Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83269,
	"plain_text": "Don't Judge a PNG by Its Header: PURELOGS Infostealer Analysis\r\nBy Louis Schürmann\r\nPublished: 2026-01-19 · Archived: 2026-04-05 20:30:10 UTC\r\nSwiss Post Cybersecurity traced a suspicious JavaScript file back to a stealthy PURELOGS campaign hiding its payload\r\nwithin a PNG.\r\nLouis Schürmann, Security Analyst of Swiss Post Cybersecurity identified and analyzed a previously unnoticed\r\nPURELOGS stealer campaign. In our blog article, he describes the complete attack chain, from the initial use of legitimate\r\ninfrastructure to the final data exfiltration.\r\nPhishing triage is usually predictable, but this sample was an exception. Masquerading as a pharmaceutical invoice, the\r\nloader immediately reached out to archive.org to fetch a PNG image. This caught the attention of our Security Analyst. After\r\nfour layers of deobfuscation, he discovered PURELOGS. While the malware itself is a known commodity, the staging\r\ninfrastructure in this campaign offers a valuable case study in evasion. \r\nInitial Access: The JScript Dropper\r\nThe infection starts with a phishing email masquerading as a pharmaceutical invoice. Inside the ZIP archive is a file with a\r\n.js extension. Most users see JavaScript and think \"browser stuff,\" but this isn't browser JavaScript.\r\nIt's a Windows Script Host (WSH) JScript file, meaning it executes with full OS-level privileges through the Windows\r\nscripting engine. It gets direct access to COM objects like WScript.Shell and Win32_Process, so it can create files, launch\r\nprocesses, and interact with the system however it wants.\r\nAt first glance, the file is unreadable:\r\nIt's packed with non-ASCII characters that break static analysis and mess with signature-based detection. 
Strip out the junk\r\ncharacters, though, and the script's logic is pretty straightforward: it builds a PowerShell command with a Base64-encoded\r\npayload and fires it off using WMI.\r\nIt launches a hidden PowerShell process and runs the decoded payload in memory with Invoke-Expression. No file hits disk,\r\nso basic file-based AV doesn't see it. Standard fileless execution. What caught our Security Analyst's attention was what the\r\nPowerShell payload did next: it started looking for a PNG file on archive.org.\r\nStage 1: The Polyglot PNG\r\nThe decoded PowerShell script acts as the first-stage downloader. Instead of fetching an executable from some disposable\r\ndomain, it downloads a PNG image from archive.org, a legitimate and well-known website. When analysts review network\r\nlogs and see traffic to archive.org, it typically doesn't raise flags. The attackers are using the site's reputation as\r\ncover.\r\nBut this isn't actually a standard PNG. Well, it is, but with extras. The attackers embedded a Base64-encoded payload after\r\nthe IEND chunk of the PNG, which marks the official end of the image data. The file still renders as a valid image in any\r\nviewer. The actual malware sits between two custom markers, BaseStart- and -BaseEnd.\r\nThe PowerShell script uses regex to extract the payload between these markers:\r\n$imageData -match 'BaseStart-(.+?)-BaseEnd'\r\n$valor = $matches[1]\r\nNotice that it uses DownloadString() instead of DownloadFile(). The \"image\" never touches the disk in its original form. It\r\nonly exists in memory as a string variable. File-based security controls never get a chance to inspect it.\r\nOnce extracted, the script Base64-decodes the payload and loads it directly into memory using .NET Reflection:\r\nhttps://www.swisspost-cybersecurity.ch/news/purelogs-infostealer-analysis-dont-judge-a-png-by-its-header\r\nPage 1 of 6\n\nThis is where fileless execution really matters. 
Traditional antivirus scans files on disk, calculates hashes, and matches\r\nsignatures. However, when an assembly loads directly from a byte array into memory, it bypasses all of that. The malware\r\nonly exists in the PowerShell process's memory space.\r\nThe script then passes several arguments to the loaded assembly, including another encoded URL, and invokes a method\r\nusing Reflection. We've moved from a simple dropper to a configurable loader, and the next stage is where things get more\r\ncomplex.\r\nStage 2: VMDetectLoader Configuration\r\nThe .NET assembly loaded by the PowerShell stager is what IBM X-Force researchers call \"VMDetectLoader\". This\r\nmodular loader is responsible for persistence options, environment checks, and injecting the next stage. Its behavior is\r\nentirely dictated by the arguments passed from Stage 1.\r\nIn this campaign, the attackers made some specific configuration choices:\r\nNo Persistence: The loader supports multiple persistence mechanisms (VBScript with Run registry keys, scheduled tasks),\r\nbut none were enabled here.\r\nVM Detection Enabled: A standard sandbox evasion check. If the loader detects that it's running in a virtual machine, it\r\nterminates. Most automated malware analysis relies on VMs, so this helps the malware avoid early detection.\r\nTarget Process: CasPol.exe: This is the host process that the loader will use for injection. CasPol.exe is a legitimate .NET\r\nFramework tool (Code Access Security Policy Tool), which makes it the perfect cover. Security tools see it as a trusted\r\nMicrosoft utility.\r\nOne interesting detail: many of the internal variable names are in Portuguese (like “nativo” for \"native\"). IBM X-Force\r\nattributes VMDetectLoader to Hive0131, a South American threat group. However, since VMDetectLoader is the only\r\nindicator linking this PURELOGS campaign to that threat actor, the attribution is considered low confidence.\r\nThe loader's main job is to fetch the next-stage payload. 
It takes one of the arguments from Stage 1 (stored in the $olinia\r\nvariable), reverses it, and Base64-decodes it to get a URL pointing to a .txt file.\r\nThis file contains yet another encoded PE, which the loader fetches, decodes, and prepares for process injection.\r\nProcess Injection via RunPE\r\nOnce the next-stage payload is decoded and in memory, the loader's final task is to execute it. To accomplish this, the loader\r\nemploys a classic, well-documented process injection technique known as RunPE, or process hollowing.\r\nIt launches the legitimate .NET Framework utility CasPol.exe in a suspended state, removes its original code from memory,\r\nand replaces it with the decoded payload. By hijacking the main thread and redirecting the instruction pointer to the\r\npayload's entry point, the malware effectively masquerades as a trusted Microsoft process. From the perspective of the\r\noperating system and many security tools, CasPol.exe is simply running as expected, allowing the next stage to begin its\r\nwork as a “trusted” process.\r\nStage 3: The Secondary Unpacker\r\nThe payload injected via process hollowing is not the final PURELOGS stealer. Instead, it's a .NET unpacker obfuscated\r\nwith .NET Reactor. Its sole purpose is to decrypt, decompress, and execute the final payload entirely within memory.\r\nAn Event-Driven Unpacking Pipeline\r\nThe unpacker's code initially appears disorganized. The ExecutionEngine class constructor, however, reveals the actual\r\narchitecture: each method is subscribed to a specific event, forming a sequential pipeline where completing one step triggers\r\nthe next in the chain.\r\nThis architecture breaks the unpacking process into five distinct, sequential stages. 
The Main method simply kicks off this\r\nchain by creating an ExecutionEngine instance and triggering the first event.\r\nStep 1: Decryption with Legacy 3DES\r\nThe first operational step is decryption with DecompressDispatcher. This function takes the encrypted payload, a key, and an\r\ninitialization vector (IV) from the unpacker's embedded resources.\r\nThe choice of cryptography here is noteworthy. Instead of a modern standard like AES, the malware uses the Triple DES\r\n(3DES) algorithm. 3DES is a legacy cipher that has been officially deprecated by NIST for being too slow and inefficient.\r\nIts use here is likely a deliberate choice to evade automated detection systems. Many security tools are configured to look\r\nfor the cryptographic constants and signatures associated with AES; using an older, less common algorithm can help the\r\nmalware fly under the radar.\r\nStep 2: Decompression with GZip\r\nAfter decryption, the resulting data is still not a valid PE file. It is a GZip-compressed archive. The next event in the chain\r\ntriggers the decompression process: EncryptEfficientDecryptor.\r\nThis two-layer approach, compressing the payload and then encrypting it, is a common and effective technique for protecting a\r\npayload. It ensures that the final assembly is never exposed until the last possible moment, shielding it from static analysis\r\ntools that might otherwise flag it.\r\nStep 3 + 4: Assembly Loading and Final Handover via Reflection\r\nWith the final PURELOGS assembly now fully decompressed in memory, the last two steps of the pipeline are dedicated to\r\nexecuting it. This is accomplished using .NET Reflection to achieve a complete fileless handover.\r\n1. Load Assembly: The LoadAssemblyFromBytes method is triggered, which calls Assembly.Load() on the raw byte\r\narray of the PURELOGS payload. 
The assembly is now loaded into the unpacker's memory space.\r\n2. Invoke Entry Point: The final event triggers the InvokeEntryPoint method. This method uses reflection to find and\r\nexecute the entry point of the newly loaded assembly.\r\nStage 4: PURELOGS at last\r\nAfter four stages of unpacking and injection, the PURELOGS stealer is now running inside the hollowed CasPol.exe\r\nprocess.\r\nMeet PURELOGS\r\nPURELOGS is a commodity .NET infostealer that first appeared for sale on various underground forums in 2022. It is\r\ndeveloped and sold by a developer known as PureCoder, who also offers a suite of other malicious tools, such as PureRAT,\r\nBlueLoader, and PureCrypter.\r\nLike most infostealers nowadays, PURELOGS operates as a Malware-as-a-Service (MaaS), making it accessible to a wide\r\nrange of threat actors, regardless of their technical skill level. The stealer is advertised on clearnet and darknet sites, with\r\nsales handled through a fully automated Telegram bot. For as little as $150 a month, anyone can purchase a subscription and\r\ndeploy a sophisticated infostealer in minutes.\r\nThe malware itself is engineered to be modular and stealthy, with features that appeal to both low-sophistication operators\r\nand more capable threat actors. These features include in-memory .NET loaders, flexible command-and-control (C2)\r\nchannels, and a plugin system for harvesting a wide variety of data from compromised systems.\r\nArchitecture and Obfuscation\r\nThe PURELOGS stub itself is obfuscated using a combination of ConfuserEx, .NET Reactor, and custom virtualization\r\ntechniques. This results in mangled class and method names, virtualized control flow, and encrypted strings. This makes\r\nanalysis more difficult but not impossible.\r\nAt its core, the stealer's execution flow is straightforward:\r\n1. Decrypt Configuration: It starts by decrypting its C2 configuration from an embedded resource.\r\n2. 
Execute Modules: It runs its various stealer modules according to the feature flags set in the configuration.\r\n3. Exfiltrate Data: It packages and sends the stolen data back to the C2 server.\r\nConfiguration\r\nThe C2 configuration is stored as a Protobuf-serialized, XOR-encrypted blob embedded in the malware's resources. To\r\naccess its configuration, the malware first applies a custom XOR decryption routine to the resource blob. This results in\r\na Protobuf message that contains another layer of encryption: the actual configuration data is encrypted with 3DES.\r\nThe code snippet below shows the final 3DES decryption routine. It takes the encrypted data and a Base64-encoded string\r\n(the key) as input.\r\nFirst, it decodes the Base64 string and computes its MD5 hash to derive the actual 3DES key.\r\nThen, it initializes a TripleDESCryptoServiceProvider with the derived key and sets the mode to Electronic Codebook\r\n(ECB).\r\nFinally, it calls CreateDecryptor().TransformFinalBlock() to decrypt the data.\r\nOnce decrypted, the configuration reveals the following:\r\nC2 Server Details: The IP address and port number for command-and-control communication.\r\n3DES Encryption Key: A Base64-encoded key used to encrypt all outgoing data.\r\nBuild ID: A unique identifier for the malware campaign.\r\nFeature Flags: A series of boolean values that enable or disable individual stealer modules.\r\nModules\r\nAs mentioned earlier, PURELOGS is modular, meaning it includes numerous modules, each targeting different applications\r\nand credentials. Given the large number of modules available, not all of them are examined in detail here. Instead, the focus\r\nis on the two most important modules. A complete list is provided at the end. 
\r\nChromium: DPAPI be gone\r\nThe stealer's primary data harvesting module targets browsers built on the open-source Chromium project, which uses the Blink\r\nrendering engine. This allows it to attack a wide range of popular browsers like Google Chrome, Microsoft Edge, and Opera\r\nwith a single codebase.\r\nPURELOGS starts by reading the Local State file to find the encrypted master key. This key is protected by the Windows\r\nData Protection API (DPAPI). However, DPAPI's protection is context-dependent and offers no real defense in this scenario.\r\nSince the malware is executing within the victim's user session, a call to the native CryptUnprotectData function is sufficient\r\nfor the operating system to transparently decrypt the master key. This renders the protection useless against an attacker who\r\nhas already achieved code execution.\r\nRead about alternative Chromium credential theft techniques in our previous blog article on The ClickFix Deception.\r\nWith the plaintext AES-256-GCM master key in hand, the stealer accesses the SQLite databases Login Data, Cookies,\r\nand Web Data to decrypt and extract stored credentials, session cookies, autofill information, history, and credit cards.\r\nFinally, all the harvested information is collected, serialized, and packed into a Protobuf data structure, ready for exfiltration.\r\nCrypto-Currency: Cash Grab\r\nThe malware employs a dual-pronged approach to stealing cryptocurrency, targeting both traditional desktop wallet\r\napplications and modern browser-based wallet extensions.\r\nFor desktop wallets, the WalletStealer class maintains an extensive hardcoded list of over 30 wallet applications, including\r\nBitcoin Core, Electrum, Exodus, and Monero. It systematically checks the default installation paths (typically within\r\n%APPDATA%) and registry keys for these applications. 
If a wallet file (like wallet.dat or default_wallet) is found, it is\r\nqueued for exfiltration.\r\nHowever, the more potent threat lies in its targeting of browser extensions, implemented within\r\nthe ChromiumBrowserStealer module. This component targets over 70 different browser-based Web3 wallets, such as\r\nMetaMask, Phantom, Trust Wallet, and Binance Chain Wallet. It works by enumerating the Local Extension\r\nSettings directory of compromised browsers. It compares directory names against a dictionary of known wallet extension\r\nIDs (e.g., nkbihfbeogaeaoehlefnkodbefgpgknn for MetaMask). When a match is found, the malware compresses the entire\r\nextension data folder, which contains the encrypted seed phrases and private keys, into a ZIP archive. Crucially, because\r\nthese extensions often use the browser's storage mechanisms, the attacker can potentially decrypt this data using the same\r\nmaster key stolen from the browser profile.\r\nRemaining Modules\r\nThe full list of targeted applications and services includes:\r\nFirefox / Gecko Browsers, Opera Browser, Yandex Browser, FileZilla, WinSCP, Outlook, Thunderbird, Foxmail, Mailbird,\r\nMailMaster, Telegram, Signal, Pidgin, Steam, OpenVPN, ProtonVPN, Ngrok, OBS Studio, Internet Download Manager\r\n(IDM)\r\nConclusion\r\nPURELOGS demonstrates how commodity malware has adapted to the modern threat landscape, not through\r\ngroundbreaking innovation, but through practical evasion layered at every stage.\r\nThe key insight here isn't sophistication. It's volume economics. These campaigns don't target specific industries or high-value entities. They're spray-and-pray operations where success is measured by the number of infections, not the impact per\r\nvictim. For $150 per month, threat actors can deploy this tool and cast a wide net across thousands of potential targets. 
More\r\ninfections mean more stolen credentials, more crypto wallets, more data to monetize.\r\nThis creates an interesting dynamic: the attacks don't need cutting-edge EDR bypasses because the targets largely don't have\r\nEDR. Home users, small businesses, and freelancers are operating with Windows Defender and basic antivirus at best. The\r\nfour-stage delivery chain isn't overkill; it's right-sized for that threat model. It defeats consumer-grade defenses while\r\nremaining cheap and scalable.\r\nBut here's what matters for organizations: these campaigns don't discriminate. Corporate employees working from home,\r\ncontractors on personal devices, and partners in your supply chain are all in the blast radius. Once credentials get\r\ncompromised, they get tested against corporate VPNs, cloud services, and SaaS platforms. An infostealer hitting a remote\r\nemployee's personal laptop can quickly become an enterprise security incident. The defense isn't complex. Memory-based\r\nexecution leaves behavioral traces. Process hollowing creates anomalies. Reflection abuse generates telemetry. But you need\r\nvisibility to see it, and you need monitoring to act on it.\r\nThe malware may be cheap, but the risk isn't.\r\nThe only system which is truly secure is one which is switched off and unplugged, locked in a titanium-lined safe, buried\r\nin a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. 
Even then, I wouldn't stake my\r\nlife on it.\r\n- Gene Spafford, Director, Computer Operations, Audit, and Security Technology (COAST) Project, Purdue University\r\nIOCs\r\nReferences\r\nhttps://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america\r\nhttps://github.com/SychicBoy/NETReactorSlayer\r\nhttps://hackforums.net/showthread.php?tid=5926879\r\nhttps://www.netresec.com/?page=Blog\u0026month=2025-07\u0026post=PureLogs-Forensics\r\nSource: https://www.swisspost-cybersecurity.ch/news/purelogs-infostealer-analysis-dont-judge-a-png-by-its-header",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.swisspost-cybersecurity.ch/news/purelogs-infostealer-analysis-dont-judge-a-png-by-its-header"
	],
	"report_names": [
		"purelogs-infostealer-analysis-dont-judge-a-png-by-its-header"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51546af40345afbe8fb55383e3735699a4774c80.pdf",
		"text": "https://archive.orkl.eu/51546af40345afbe8fb55383e3735699a4774c80.txt",
		"img": "https://archive.orkl.eu/51546af40345afbe8fb55383e3735699a4774c80.jpg"
	}
}