{
	"id": "807e3acc-48dd-4dc5-bed8-f026e3ba7af3",
	"created_at": "2026-04-06T00:16:31.82844Z",
	"updated_at": "2026-04-10T13:11:54.982568Z",
	"deleted_at": null,
	"sha1_hash": "5ea7160b257635c0abf8c39dba386d882b5376f7",
	"title": "SLAPSTICK (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39629,
	"plain_text": "SLAPSTICK (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 12:43:17 UTC\r\nSLAPSTICK\r\nAccording to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.\r\nReferences\r\n2022-03-16 ⋅ Mandiant ⋅ Joshua Homan, Logeswaran Nadarajan, Martin Co, Mathew Potaczek, Sylvain Hirsch, Takahiro Sugiyama, Yu Nakamura\r\nHave Your Cake and Eat it Too? An Overview of UNC2891\r\nSLAPSTICK STEELCORGI LightBasin\r\n2020-11-02 ⋅ FireEye ⋅ Adrian Pisarczyk, Antonio Monaca, Daniel Caban, Daniel Susin, Justin Moore, Luis Rocha, Sara Rincon, Wojciech Ledzion\r\nLive off the Land? How About Bringing Your Own Island? An Overview of UNC1945\r\nSLAPSTICK STEELCORGI\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick"
	],
	"report_names": [
		"elf.slapstick"
	],
	"threat_actors": [
		{
			"id": "8b0219d5-cb32-4702-a4d6-7de8beb9b7a8",
			"created_at": "2022-10-25T16:07:24.364598Z",
			"updated_at": "2026-04-10T02:00:04.955871Z",
			"deleted_at": null,
			"main_name": "UNC2891",
			"aliases": [],
			"source_name": "ETDA:UNC2891",
			"tools": [
				"BINBASH",
				"CAKETAP",
				"MIGLOGCLEANER",
				"SLAPSTICK",
				"STEELCORGI",
				"STEELHOUND",
				"SUN4ME",
				"Tiny SHell",
				"WINGCRACK",
				"WINGHOOK",
				"WIPERIGHT",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434591,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ea7160b257635c0abf8c39dba386d882b5376f7.pdf",
		"text": "https://archive.orkl.eu/5ea7160b257635c0abf8c39dba386d882b5376f7.txt",
		"img": "https://archive.orkl.eu/5ea7160b257635c0abf8c39dba386d882b5376f7.jpg"
	}
}