{
	"id": "38220d3e-9254-4f23-9587-b1d33f753753",
	"created_at": "2026-04-06T00:18:57.914659Z",
	"updated_at": "2026-04-10T13:11:39.872403Z",
	"deleted_at": null,
	"sha1_hash": "59e7aaa960077e66ae2ecab3d4fab42ea563c9dd",
	"title": "a-txt-file-can-steal-all-your-secrets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 670898,
	"plain_text": "a-txt-file-can-steal-all-your-secrets\r\nPublished: 2021-04-02 · Archived: 2026-04-05 21:05:36 UTC\r\nLearn more about 360 Total Security\r\nRecently, 360 Security Center’s threat monitoring platform detected an email phishing attack. The attack uses a secret-stealing Trojan called Poulight. The Poulight Trojan has been in use since last year and has a complete and powerful feature set. This attack shows that it has begun to spread and be used overseas.\r\nAttack process analysis\r\nThe attacker first drops a phishing file that uses RLO (Right-to-Left Override) characters. Because of the RLO, the phishing file, originally named “ReadMe_txt.lnk.lnk”, is displayed as “ReadMe_knl.txt” on the user’s computer. If the attacker also sets the icon of the lnk file to the Notepad icon, the user can easily mistake it for a harmless txt file, which is extremely deceptive.\r\nIn this way, the user believes they are opening a txt file but actually executes code prepared by the attacker. The system runs the PowerShell command that the attacker placed in the shortcut’s “target” field, which downloads the malicious program https[:]//iwillcreatemedia[.]com/build.exe, sets its hidden attribute, and runs it.\r\nAnalysis showed that the downloaded malicious program was compiled with .NET and has the internal name Poullight.exe. The developer did not obfuscate the code.\r\nCode analysis\r\nOperating environment detection\r\nThe downloaded putty3.exe first checks whether the current environment is a virtual machine or a malware analysis environment, and exits if it is. This check is used to defeat some sample analysis sandboxes.\r\nhttps://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true\r\nPage 1 of 6\r\nAfter passing the environment check, the Trojan creates threads to execute its real malicious function modules.\r\nFirst, the Trojan loads its own resources and Base64-decodes them to obtain the configuration content:\r\n\u003cprog.params\u003eYWRtaW4=|MQ==|MA==\u003c/prog.params\u003e\r\n\u003ctitle\u003eUG91bGlnaHQ=\u003c/title\u003e\r\n\u003ccpdata\u003eMHwwfDEyQ051S2tLSzF4TEZvTTlQNTh6V1hrRUxNeDF5NTF6Nll8MTJDTnVLa0tLMXhMRm9NOVA1OHpXWGtFTE14MXk1M\r\n\u003culfile\u003eaHR0cDovL3J1LXVpZC01MDczNTI5MjAucHAucnUvZXhhbXBsZS5leGU=\u003c/ulfile\u003e\r\n\u003cmutex\u003ePL2d4vFEgVbQddddkms0ZhQiI0I\u003c/mutex\u003e\r\nThe value of \u003cmutex\u003e is converted to lowercase, and “pl2d4vfegvbqddddkms0zhqii0i” is created as a file name under the %TEMP% directory; the content written to it is a random value of 8 to 32 bytes. However, analysts found that there seems to be a problem with this part of the code, or that the Trojan program we got is still in the pre-test stage, which makes it unable to run normally.\r\nData theft\r\nIn addition to detecting the operating environment, the Trojan also records the user name, machine name, system name, and other machine information, including installed anti-virus products, graphics card labels, and processor labels, and writes all of this data into the file %LocalAppData%\\\\\u003c8-byte random characters\u003e\\\\PC-Information.txt. The decompiled code shows that a lot of Russian-language text is used in the program.\r\nAfter that, the Trojan obtains the list of currently active processes and writes it into the file %LocalAppData%\\\\1z9sq09u\\\\ProcessList.txt, marking the Trojan’s own process name with “(Injected)”.\r\nNext, it takes the third element of the decoded \u003cprog.params\u003e value from the configuration above and Base64-decodes it again. If the value is “1”, it executes the function clipper.Start(). This function decrypts the resource named “cpp”, which yields the string:\r\n\u003cclbase\u003e0|0|12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y|12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y|0\u003c/clbase\u003e\r\nIt then writes the file %TEMP%\\\\Windows Defender.exe and executes it (the file did not exist in the test environment). The \u003cclbase\u003e value is obtained by Base64-decoding again the \u003ccpdata\u003e value decoded in the previous section.\r\nThe following is the data stolen by Poulight and the actions it takes:\r\nDesktop screenshot;\r\nFor documents in the following folders, if the file name contains strings such as password, login, account, аккаунт, парол, вход, важно, сайта, site, or the suffix is .txt, .rtf, .log, .doc, .docx, .rdp, or .sql, all are copied to the directory “\\\\Stealer Files\\\\Disks Files\\\\”:\r\nThe Desktop directory, Documents, %AppData%, %LocalAppData%;\r\nThe root directory of each disk, excluding \\Windows\\, \\programdata\\, \\program files (x86)\\, \\program files\\, \\users\\, \\perflogs\\, and \\пользователи\\;\r\nWebcam pictures;\r\nFileZilla server login credentials: FileZilla\\recentservers.xml;\r\nPidgin login configuration: .purple\\accounts.xml;\r\nDiscord data storage backup: discord\\Local Storage;\r\nTelegram data storage files:\r\nTelegram Desktop\\tdata\\D877F783D5D3EF8C1\r\nTelegram Desktop\\tdata\\D877F783D5D3EF8C0\r\nTelegram Desktop\\tdata\\D877F783D5D3EF8C\\\\map1\r\nTelegram Desktop\\tdata\\D877F783D5D3EF8C\\\\map0\r\nSkype data: Microsoft\\\\Skype for Desktop\\\\Local Storage;\r\nSteam ssfn authorization files;\r\nVarious cryptocurrency wallet related files, including:\r\nBTC-BitCoin key data file wallet.dat, including wallet address key pairs, wallet transactions and other information;\r\nBTC-Bytecoin wallet key files, searched for by the .wallet suffix;\r\nBTC-Dash wallet wallet.dat file;\r\nAll files in the BTC-Ethereum wallet key storage directory under Ethereum\\\\keystore;\r\nBTC-Monero wallet related files;\r\nCookies, visited URLs, accounts, passwords, autofill data, payment card information, etc. of 25 browsers. The files are located by the wildcard patterns “co*es”, “log*ta”, “we*ata”, “loc*ate”, searched up to three directory levels below each browser’s directory:\r\ngoogle\r\nyandex\r\nopera software\r\namigo\r\norbitum\r\nkometa\r\nmaxthon\r\ntorch\r\nepic browser\r\ncomodo\r\nucozmedia\r\ncentbrowser\r\ngo!\r\nsputnik\r\ntitan browser\r\nacwebbrowser\r\nvivaldi\r\nflock\r\nsrware iron\r\nsleipnir\r\nrockmelt\r\nbaidu spark\r\ncoolnovo\r\nblackhawk\r\nmaplestudio\r\nAll the stolen data is stored in the directory %LocalAppData%\\\\1z9sq09u\\\\ (the string “1z9sq09u” is randomly generated).\r\nAfterwards, the stolen data is uploaded to one of two remote C\u0026C servers:\r\nhttp[:]//poullight[.]ru/handle.php (unused)\r\nhttp[:]//gfl.com[.]pk/Panel/gate.php\r\nThe data is encoded and uploaded to the server in sequence. Once the remote end returns the string “good”, the subsequent code executes; otherwise an upload attempt is made every 2 seconds until it succeeds.\r\nAfter the above actions are complete, the Trojan downloads the URL resource hxxp://ru-uid-507352920.pp.ru/example.exe and saves it as “%LocalAppData%\\\\\u003c8 random characters 1\u003e\\\\\u003c8 random characters 2\u003e.exe”, for example %LocalAppData%\\\\en0mp4o4\\\\8ej8q80s.exe.\r\nThe main function of this program is also to collect various information from the machine, but after collection the folder it is located in is deleted. It is speculated that it is still in the testing stage.\r\n360 Total Security already detects and removes this malware. Infected users are advised to install it from the official website: https://www.360totalsecurity.com.\r\nIOCs\r\nHash\r\ndcb4dfc4c91e5af6d6465529fefef26f\r\n083119acb60804c6150d895d133c445a\r\nb874da17a923cf367ebb608b129579e1\r\nC2\r\nhxxp://gfl.com.pk/Panel/gate.php\r\nhxxp://poullight.ru/handle.php (Unused)\r\nURL\r\nhxxps://iwillcreatemedia.com/build.exe\r\nhxxp://ru-uid-507352920.pp.ru/example.exe\r\nSource: https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true"
	],
	"report_names": [
		"?web_view=true"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434737,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59e7aaa960077e66ae2ecab3d4fab42ea563c9dd.pdf",
		"text": "https://archive.orkl.eu/59e7aaa960077e66ae2ecab3d4fab42ea563c9dd.txt",
		"img": "https://archive.orkl.eu/59e7aaa960077e66ae2ecab3d4fab42ea563c9dd.jpg"
	}
}