{
	"id": "154d0883-fbb0-4c17-a621-fe6212c81bf4",
	"created_at": "2026-04-06T00:16:06.399137Z",
	"updated_at": "2026-04-10T03:37:08.957461Z",
	"deleted_at": null,
	"sha1_hash": "5f40e4498ab33fb194420ce4b1cbf892e71cf104",
	"title": "Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8897292,
	"plain_text": "Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram\r\nBy Phil Stokes\r\nPublished: 2023-05-03 · Archived: 2026-04-02 10:39:28 UTC\r\nRecent weeks have seen a number of macOS-specific infostealers appear for sale in crimeware forums, including Pureland, MacStealer and Amos Atomic Stealer. Of these, Atomic Stealer has offered by far the most complete package, promising cybercriminals a full-featured if not particularly sophisticated infostealer. Atomic can grab account passwords, browser data, session cookies, and crypto wallets, and in the version being advertised on Telegram, threat actors can manage their campaigns through a web interface rented out from the developer for $1000 per month.\r\nThe threat actor, however, has been busy looking for other ways to target macOS users with a different version of Atomic Stealer. In this post, we take a closer look at how Atomic Stealer works and describe a previously unreported second variant. We also provide a comprehensive list of indicators to aid threat hunters and security teams defending macOS endpoints.\r\nHow is Atomic Stealer Distributed?\r\nCybercriminals are currently being offered “Amos Atomic MacOS Stealer” via a dedicated Telegram channel. 
In the channel, which was opened on April 9th, the author offers to rent access to a web panel and provide a disk-image-based installer for $1000/month.\r\nhttps://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/\r\nPage 1 of 17\n\nAtomic Stealer as advertised on Telegram\r\nPayload distribution is left up to the crimeware actor renting the package, so methods vary, but so far observed samples have been seen masquerading as installers for legitimate applications like the Tor Browser or pretending to offer users cracked versions of popular software including Photoshop CC, Notion, Microsoft Office and others.\r\nAtomic MacStealer masquerades as legitimate applications\r\nMalvertising via Google Ads has also been noted privately among researchers as a distribution vector for Atomic Stealer.\r\nSome Atomic Stealer ITW URLs (Source: VirusTotal)\r\nThe Atomic Stealer channel currently has over 300 subscribers, with some posts – possibly planted – appearing to endorse the efficacy of the malware.\r\nA Telegram message seems to endorse Atomic MacStealer\r\nA Google translation of the Russian text reads “The build works, the logs go, it robs clearly. Of all the poppy stealers that I used, this one is better in terms of a grabber, and most importantly, grandmas do not steal)”.\r\nThese fake applications are made with a fork of Appify, a legitimate script that can be found on GitHub for making a barebones macOS application. 
All Atomic infostealers currently contain the same Go-based main executable that weighs in at around 51.5MB as a Universal binary targeting both Intel and arm64 architectures.\r\nAnatomy of the Atomic Stealer binary (variant A)\r\nDespite the heft, no attempt has been made to deliver a working copy of the spoofed apps. Aside from the Appify README, the bundle contains nothing more than the Go infostealing binary, an icon file and an Info.plist.\r\nAnatomy of an Atomic Stealer application bundle\r\nThe application bundles currently being distributed are all built with the default Appify bundle identifier, Appify by Machine Box.My Go Application, potentially a deliberate ploy by the author in the hope that detections might be considered false positives.\r\nExecution Behavior of Variant A\r\nAtomic does not attempt to gain persistence, an increasing trend since Apple added login item notifications in macOS Ventura, relying instead on a one-hit smash-and-grab methodology.\r\nAtomic Stealer uses a crude but effective means of extracting the user’s login password via AppleScript spoofing.\r\nThis involves creating a dialog box with osascript and passing the hidden answer parameter to the display dialog command. These dialog boxes contain an ordinary text field, but the parameter displays the user’s typed characters as dots in the text field, similar to a genuine authentication dialog. 
However, the password remains captured in plain text and can be seen in the system logs as such – a good reason why legitimate software developers should never use this insecure method to actually obtain user credentials.\r\ndisplay dialog \"MacOS wants to access System Preferences\r\nYou entered invalid password.\r\nPlease enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServi\r\nThe dialog box message contains grammatical and syntactic errors, suggesting the developer’s first language is not English. The dialog box is generated using an infinite loop: clicking the “Cancel” button simply pops the dialog box again. If the “OK” button is clicked, the malware checks to see that the user entered a valid password via the /usr/bin/dscl utility and the -authonly option.\r\nThe dialog box repeatedly pops until the correct password is supplied. All of this occurs via the command line utility osascript, so it is easily visible to defenders monitoring command line activity.\r\nSentinelOne console reveals Atomic Stealer command line activity\r\nAmos Atomic is hardcoded to throw the user an error message after it has stolen the user’s password and gone about its business of stealing various credentials. 
Here and elsewhere, the malware author’s lack of familiarity with English and AppleScript provides clues that should raise suspicions: namely, the misspelling of “occurred” and the fact that a genuine error message shouldn’t contain a ‘Cancel’ button.\r\nAmos Atomic throws an error message and quits after successfully stealing user data\r\nThe malware is written in Go, and its disassembled code reveals a comprehensive suite of functions to achieve the infostealer’s primary aim: financially motivated cybercrime.\r\nInfostealing functions in Amos Atomic\r\nThe malware contains logic to steal the user’s keychain and crypto wallet contents, including those for Atomic, Binance, Electrum and Exodus. A process called ‘unix1’ is spawned in memory to obtain the keychain. Atomic Stealer also targets both Chrome and Firefox browsers and has an extensive hardcoded list of crypto-related browser extensions to attack. A detailed walkthrough of the functions above has been previously described here.\r\nAtomic Stealer execution chain\r\nAtomic Stealer Variant B\r\nPivoting off the IP address 37.220.87.16 seen in some Atomic Stealer samples leads to another variant of the stealer, c70fdf4362eb56032793ab08e6aeb892f1bd4a9b, currently undetected on VirusTotal, masquerading as a Game Installer.\r\nA previously undiscovered variant of Atomic Stealer\r\nThis version is not distributed in an application bundle, but rather as a raw Go binary. The unsigned “Game Installer” Mach-O was uploaded to VirusTotal on April 13th and is contained in a disk image called “ALMV_launcher”. 
The DMG mounts with the name “Game Installer” and contains a binary of the same name, displaying an icon showing the text “Start Game”.\r\nBackground image of the ALMV_launcher.dmg\r\nAs the universal binary is unsigned, the user will need to manually allow it to run on both Intel and arm64 architectures.\r\nVariant B’s list of Go main functions differs from the version being packaged and sold on Telegram and shows a larger number of functions focusing on Firefox and Chromium browsers. Variant B also targets Coinomi wallets.\r\nAtomic Stealer variant B primary functions\r\nBoth variants A and B use the /usr/bin/security utility to find Chrome passwords.\r\nsecurity 2\u003e\u00261 \u003e /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}\r\nAtomic Stealer B calls the /usr/bin/security utility to find Chrome passwords\r\nIn Variant B, the username “administrator” appears from the development machine; this differs from variant A, which included the username “iluhaboltov”. The string “ATOMIC STEALER COOCKIE” is also found in variant B but not A.\r\nThe “ATOMIC STEALER” string is hardcoded into the malware\r\nUnlike the package offered in the Atomic Telegram channel, this version of Atomic Stealer is more selective in the information it tries to steal and seems to be aimed specifically at games and users of cryptocurrency.\r\nAn associated YouTube channel by user @Crypto-ALMV was created on April 29th, apparently advertising a product that offers cryptowallet access within a game. 
The channel, user, and video appear to be in the early stages of development and may indicate a campaign that is yet to be launched.\r\nAtomic Stealer Variant C\r\nA third variant appeared in mid-May that reduces the file size of these Go binaries markedly to between 4.45 and 9.13MB. Variant C changes the C2 to http[:]//94[.]142[.]138[.]177/ and uses a slightly different form of the “display dialog” command, adding a timeout of 9999999, although it’s uncertain that this timeout would actually work, as Apple events ordinarily have a maximum timeout of around 150 seconds.\r\nVariant C is most similar to Variant A, but lighter and with some rudimentary attempt at anti-analysis in the sym._main.systeminfo function, which does not appear in earlier variants. This function queries the built-in system_profiler tool’s output for SPHardwareDataType, converts the output to lowercase, then searches it for the substring “vmware”. If the substring is found, the malware exits.\r\nAtomic Stealer Variant C attempts to test if the malware is running in a Virtual Machine.\r\nHow to Protect Against Atomic Stealer\r\nSentinelOne customers are protected against all known versions of Atomic Stealer. 
When the agent is set to ‘Protect’ mode, Atomic Stealer is prevented from executing.\r\nIn Detect Only mode, the malware’s execution causes an alert, and behavioral and threat indicators are available in the console.\r\nThreat hunters and security teams not protected by SentinelOne are encouraged to review the list of Indicators of Compromise provided at the end of this post.\r\nConclusion\r\nInfostealers targeted at Mac users have become increasingly viable for threat actors now that Macs have reached widespread use in organizations, both for work and personal use. As many Mac devices lack good external security tools that can provide both visibility and protection, there is plenty of opportunity for threat actors to develop and market tools to aid cybercriminals.\r\nAtomic Stealer’s advertised price suggests there is money to be made by “selling shovels” as cybercrime actors rush for the ‘Gold’ of data that can be harvested by tricking users into running untrustworthy software. 
However, the existence of a second variant that appears to be aimed at infecting users first-hand suggests the threat actor isn’t averse to a bit of gold digging, too.\r\nIndicators of Compromise\r\nCommunications\r\n94[.]142[.]138[.]177/sendlog\r\namos-malware[.]ru/sendlog\r\n37[.]220.87[.]16:5000/sendlog\r\nOctober 2023 Update\r\nSHA1 Variant A DMG\r\n0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a\r\n24c9f5c90ad325dae02aa52e2b1bac2857ae2faf\r\n36997111b5e7aa81b430a72df9f54bac2a9695ba\r\n7534b4ef7727d14b4fdd32d18651d32572c7747b\r\nSHA1 Variant A Mach-O\r\nSHA1 Variant B DMG\r\n1f29b00c18bc0b7e1dfee5e79f8111da09f8fab8\r\nSHA1 Variant B Mach-O\r\na02730f734032ed0f3b3705926b657aa4b88d720\r\nc70fdf4362eb56032793ab08e6aeb892f1bd4a9b\r\ne951b889aabca7ee5b0ff9d06a057884ed788b70\r\nSHA1 Variant C Mach-O\r\nSource: https://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/"
	],
	"report_names": [
		"atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434566,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f40e4498ab33fb194420ce4b1cbf892e71cf104.pdf",
		"text": "https://archive.orkl.eu/5f40e4498ab33fb194420ce4b1cbf892e71cf104.txt",
		"img": "https://archive.orkl.eu/5f40e4498ab33fb194420ce4b1cbf892e71cf104.jpg"
	}
}