{
	"id": "5dabbabc-c513-4624-9b3e-f3b740e2f9ae",
	"created_at": "2026-04-06T00:12:41.043066Z",
	"updated_at": "2026-04-10T03:36:47.998838Z",
	"deleted_at": null,
	"sha1_hash": "6422ada0fe5293e8791635d611207c12a4b3080e",
	"title": "ViperSoftX: Hiding in System Logs and Spreading VenomSoftX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4345305,
	"plain_text": "ViperSoftX: Hiding in System Logs and Spreading VenomSoftX\r\nBy Threat Research TeamThreat Research Team\r\nArchived: 2026-04-05 21:42:44 UTC\r\nWe’ve been closely monitoring an information stealer called ViperSoftX. ViperSoftX was first reported on Twitter\r\nin 2020, and by Fortinet in the same year. Some aspects of ViperSoftX were also described previously by Colin\r\nCowie. However, it has undergone very intensive development since then, intensifying throughout 2022. The\r\nmalware authors’ constant game of hide-and-seek in which they continually improve their strategies and\r\ntechniques to avoid detections shows no signs of stopping. We, therefore, decided to put the pieces together to\r\nprovide a comprehensive analysis.\r\nThis multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single\r\nline in the middle of otherwise innocent-looking large log files, among others. ViperSoftX focuses on stealing\r\ncryptocurrencies, clipboard swapping, fingerprinting the infected machine, as well as downloading and executing\r\narbitrary additional payloads, or executing commands.\r\nOne of the payloads ViperSoftX distributes is a specific information stealer in the form of a browser extension for\r\nChromium-based browsers. Due to its standalone capabilities and uniqueness, we decided to give it its own name,\r\nVenomSoftX. 
The malicious extension provides full access to every page the victim visits, carries out man-in-the-browser attacks to perform cryptocurrency address swapping by tampering with API request data on popular\r\ncryptocurrency exchanges, steals credentials and clipboard content, tampers with crypto addresses on visited\r\nwebsites, reports events using MQTT to the C\u0026C server, and more.\r\nViperSoftX is mostly spread via cracked software such as Adobe Illustrator, Corel Video Studio,\r\nMicrosoft Office, and more, commonly distributed over torrents.\r\nCampaign overview\r\nSince the beginning of 2022, we have protected more than 93,000 of our users. As the malware is mostly spread\r\nvia torrents and software-sharing sites, ViperSoftX activity is distributed all over the world. The most impacted\r\ncountries are India (7,000+), USA (6,000+), and Italy (5,000+).\r\nhttps://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/\r\nPage 1 of 15\n\nMap illustrating the targeted countries since the beginning of 2022\r\nMonetary gain\r\nBoth ViperSoftX and VenomSoftX focus on stealing cryptocurrencies from infected computers, either by scanning\r\nlocal files or by using more sophisticated techniques. In the table below, we show an estimation of the attackers’\r\ntotal earnings for relevant cryptocurrency wallets.\r\nTable with monetary gain (data refreshed 2022-11-08)\r\nThe amounts in the wallets ViperSoftX and VenomSoftX redirect stolen cryptocurrencies to add up to about\r\n$130,421.56, as of November 8, 2022. 
This is just the amount sent to cryptocurrency wallets, and doesn’t include\r\nother possible profits from other activities.\r\nTechnical analysis\r\nOverview of the infection chain\r\nFrom cracked software to fake logs\r\nIn the beginning, ViperSoftX is served to victims when they download what they believe to be cracked software. It\r\nis commonly named Activator.exe or Patch.exe. Upon execution, however, the victim is infected with\r\nViperSoftX.\r\nActivator.exe extraction\r\nActivator.exe is in fact a loader that decrypts data from itself using AES in CBC mode.\r\nThe decryption routine first verifies a checksum as follows:\r\n1. Read 4 bytes at offset 0x24 from the end of the file, which gives an offset\r\n2. Hash the offset value using SHA256\r\n3. Read the remaining bytes (the last 0x20 of the file) and compare them to the hash\r\nIf the checksum holds, the offset points to the location where the data is stored, at offset+0x24 from the end of\r\nthe binary. Since the data is stored at the end of the binary, offset is also the size of the data blob. This blob can\r\nbe decrypted straight away using a key as well as an IV hardcoded inside the binary:\r\nKey\r\n71C54C3BCFFCE591A70C0B5BA6448327BC975D89F3021053125F1CB9A7C0AF72\r\nIV\r\nC0BA0B56EAC742AFD4CB680EE0EB4FB0\r\nThe decrypted data blob is a serialized protocol buffer structure. 
The structure template contains two protobuf\r\nmessages as shown below:\r\nWe can use this template to deserialize the structure, revealing five different files:\r\nA log file with a hidden additional payload resulting in the ViperSoftX PowerShell (see next subsections)\r\nXML file for the task scheduler\r\nSyncAppvPublishingServer.vbs (clean) that is used to create a scheduled task for persistence\r\nApplication binary (usually clean) that is supposed to be cracked\r\nManifest file\r\nLast but not least, you can find the extraction Python script in our GitHub repository.\r\nAnalyzing the files\r\nThe most interesting file is the aforementioned “log file”, which is usually more than 5 MB in size and contains a\r\nsingle malicious line of code (usually out of 17,302 lines in total, but this might vary in different versions).\r\nThis log file is usually named and stored as:\r\nC:\\Windows\\Logs\\system-logs.txt\r\nalthough we saw variants dropping the same “log” files disguised as a “driver” or a “text” file, e.g.\r\nC:\\Windows\\System32\\Drivers\\p4kizn\\e12de1ae-2139-45f6-b883-3c58243f23d6.sys\r\nC:\\Windows\\2ZQ2UoL\\5A7C4B54-4404-4424-83DA-CC696BED43D3.txt\r\nwhere the subfolder names and the GUIDs are randomized.\r\nAn example of such a malicious line can be found below. As we will see later, this line actually contains a script\r\nthat is decoded and executed.\r\nExample of the log file with a single malicious line on line 17,034\r\nThe malware creates a scheduled task that uses the legacy SyncAppvPublishingServer.vbs script to execute these\r\nhidden scripts afterward as well as to ensure persistence. 
Note that the line number varies depending on the\r\nmalware configuration provided in the scheduled task.\r\nHidden Script Variants\r\nWe have seen two variants of hidden scripts lurking in the logs so far.\r\nThe first variant is a simple dropper that downloads another payload from a hardcoded C\u0026C server and executes\r\nit. We have only seen the ViperSoftX information stealer downloaded as a payload so far. We will cover the stealer\r\nseparately in the subsection below.\r\nThe first variant of the PowerShell script – simple dropper\r\nThe second variant is in the form of a PowerShell script without encoding. This script contains two parts: the\r\nfirst one is a set of decryption functions and the second is an encrypted data blob.\r\nExample of the log file with a single malicious line on line 17,034 (second variant)\r\nThe script uses AES in CBC mode to decrypt the payload, the ViperSoftX stealer. The AES key is passed via the\r\ncommand line by the scheduled task created by Activator.exe. You can find the decryption process in this\r\nCyberChef template.\r\nViperSoftX Information Stealer\r\nWhen the payload is dropped, an obfuscated ViperSoftX PowerShell script is presented to us. We have seen\r\nmultiple variants of ViperSoftX, suggesting that the malware is under active development. In the text below, we\r\nwill cover the stealer’s features as a whole.\r\nStealing Capabilities\r\nFirst, let’s have a look at what ViperSoftX is actually capable of stealing. ViperSoftX performs fingerprinting of\r\nthe infected machine, focusing on various types of information, including:\r\nComputer name\r\nUsername\r\nOS information and its architecture\r\nInstalled antivirus or other security software and whether the solution is active\r\nThe malware focuses on stealing cryptocurrencies. 
To do so, it searches the typical locations of web browser\r\nextensions and locally stored wallets. The full list of locations can be found in the Appendix. More generic\r\ninformation, such as OS, architecture, and username, is obtained using WMI and system variables.\r\nViperSoftX searches for cryptocurrencies stored locally on the infected device in cryptocurrency software and\r\nbrowser extensions, and monitors the clipboard for cryptocurrency wallet addresses to perform clipboard\r\nswapping.\r\nThe gathered data, as well as the fingerprint, is then concatenated into a single string, base64-encoded,\r\nand sent to the hardcoded C\u0026C server in the User-Agent HTTP header. Note that C\u0026C servers vary across\r\nversions:\r\nhttp://api.private-chatting[.]com/connect\r\nEach time the victim copies anything to their clipboard, ViperSoftX scans the content in the background using predefined regular\r\nexpressions. If the content matches the address pattern of one of the configured cryptocurrencies, the malware replaces it with the attacker’s address and sends a notification to\r\nthe C\u0026C server in the X-Notify HTTP header in the form of three values:\r\nCryptocurrency type - victim’s address - attacker’s address\r\nThe cryptocurrency type reflects what type of cryptocurrency was matched and can be one of the following: BTC,\r\nBCH, BNB, ETH, XMR, XRP, DOGE, or DASH.\r\nThe malware also checks the title texts of opened windows (the MainWindowTitle property) and if it spots an application\r\nfocused on cryptocurrencies or finance, it logs its presence into:\r\n%SystemDrive%\\Users\\Public\\log.dat\r\nThe full list of searched keywords can be found in the Appendix.\r\nOn top of the information-stealing core, ViperSoftX provides RAT functionalities as well, like executing arbitrary\r\ncommands on the 
command line, downloading an additional arbitrary payload provided by the C\u0026C server and\r\nexecuting it, as well as removing itself completely from the system. The RAT functionality can also be used, for\r\nexample, to steal cryptocurrencies from the locations it previously identified and reported to the C\u0026C server.\r\nHost Header Spoofing\r\nAside from trying to steal cryptocurrencies, the malware spoofs Host headers to obfuscate its communication with\r\nthe C\u0026C servers.\r\nThe spoofed Host header consists of five to ten lowercase letters, but the true destination is in the hardcoded\r\n$meta_host variable. This way, the real C\u0026C server address is obfuscated by a random-looking domain that\r\ndoesn’t exist.\r\nVenomSoftX Browser Extensions\r\nNewer versions of the ViperSoftX information stealer are capable of loading a custom malicious browser extension into\r\nChromium-based browsers installed on infected computers. The extension is provided by the C\u0026C server. The\r\nextension is essentially another standalone information stealer, which we call VenomSoftX, installed by\r\nViperSoftX as described below. The extension disguises itself as various popular browser extensions to avoid user\r\ndetection.\r\nThe main goal of VenomSoftX is also to steal cryptocurrencies from the unsuspecting victim. The difference is that\r\nVenomSoftX mainly does this by hooking API requests on a few very popular crypto exchanges that victims\r\nvisit or have an account with. When a certain API is called, for example to send money, VenomSoftX tampers with\r\nthe request before it is sent, redirecting the money to the attacker instead. Although similar in principle to the rather common clipboard swapping that\r\ninformation stealers like ViperSoftX perform, this technique works at a\r\nlower level, meaning the victim has little to no chance of noticing that the money is being transferred elsewhere.\r\nInstalling the extension\r\nViperSoftX’s approach is simple. 
The malware downloads a VenomSoftX PowerShell installer from the C\u0026C\r\nserver, e.g. by base64-decoding hardcoded request metadata directly from the PowerShell script, following a\r\nrequest to:\r\nhttp://apps-analyser[.]com/api/v1/\u003cHASH\u003e\r\ndepending on the malware version. This endpoint can serve different payloads, but we will focus on the VenomSoftX\r\nbrowser extension.\r\nAfter the installer script is downloaded from the C\u0026C server and the VenomSoftX browser extension is\r\nextracted, the installer searches several locations for .lnk files and if such a link file belongs to Chrome, Brave,\r\nOpera, or Edge, it modifies the link file with the parameter --load-extension=\u003cpath_to_the_malicious_extension\u003e. This way, when the user starts their favorite browser, they actually load the\r\nmalicious extension with it.\r\nThese locations are checked for link files leading to browsers:\r\n%USERPROFILE%\\Desktop\r\n%USERPROFILE%\\OneDrive\\Desktop\r\n%PUBLIC%\\Desktop\r\n%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\r\n%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\r\nThe extension ID is randomly generated: random lowercase characters form the extension folder name, and the extension’s version number is generated randomly as well:\r\n$(Get-Random -Minimum 1 -Maximum 10).$(Get-Random -Minimum 1 -Maximum 10).$(Get-Random -Minimum 1 -Maximum 10)._0\r\nWe observed further versions of ViperSoftX containing a full update mechanism. 
These versions were able to\r\nwalk through the modified .lnk files, parse the manifest.json file of the malicious extension, and when the extension found on the infected system had an\r\nolder version number or write timestamp than the one advertised by the C\u0026C server, the malware requested an update and replaced the extension files with the newest\r\nversion via a dedicated command (provided by the C\u0026C server).\r\nThe extension tries to disguise itself as well-known and common browser extensions such as Google Sheets. In\r\nreality, VenomSoftX is yet another information stealer deployed onto the unsuspecting victim with full access\r\npermissions to every website the user visits from the infected browser.\r\nDiving into JavaScript shenanigans\r\nThe extension contains several files, as shown in the table below. Each file has a different purpose:\r\nThe malware focuses on five big cryptocurrency exchanges, reflected by abbreviations in the module names.\r\nIn the paragraphs below, we’ll focus on what each of the modules does, in detail.\r\ncontent.bootstrap.js\r\nThis module is the starting point of VenomSoftX and it is loaded with every site visit. It orchestrates which modules\r\nto load and it is also responsible for sending stolen data to the C\u0026C server.\r\nThe scripts are loaded depending on the visited domain. The bootstrap checks which site is being loaded and if it is\r\none of the following: Blockchain.com, Binance, Coinbase, Gate.io, or Kucoin, the module loads the\r\nappropriate “webpack”. If the user is on any other site, webpack_content.js is loaded. The module\r\nwebpack_common.js is loaded by default regardless of which site the victim visits.\r\nDetermination process of which modules to load (deobfuscated)\r\nAll the modules serve their own purpose. 
However, two of the modules, webpack_common.js and\r\nwebpack_block.js, are capable of sending data back to the collector server using a Paho MQTT client present\r\nin content.bootstrap.js. The MQTT client has an event listener set to a hardcoded value b8b0becb-080a-46af-9688-e3671fcc4166 that indicates data should be sent to an MQTT broker, which harvests the data:\r\nbroker.emqx[.]io\r\nNote that the collector address can vary in different versions.\r\nThe sent data are structured as follows:\r\nMSG: time: \u003cutc_datetime\u003e\r\nip: \u003cclient_ip\u003e\r\ndata: \u003cdata\u003e\r\nThe time and ip fields are obtained using a public service ( https://worldtimeapi.org/api/ip ).\r\nThe data field is either clipboard content with a cryptowallet and other metadata, or stolen credentials for\r\nblockchain.com. See further sections below for details.\r\nwebpack_common.js\r\nThe “common” module is loaded into every website, regardless of whether it is a cryptocurrency exchange or\r\nsomething else. It is used to define an address book with regular expression patterns, which is used for crypto\r\naddress matching on several occasions in other modules.\r\nThe structure of the address book is in the form of a dictionary, where the key is the regular expression and the\r\nvalue is yet another dictionary containing three values: coin, address, and network. An example of such an\r\naddress book can be seen in the snippet below. For the full address book, see the Appendix.\r\nA snippet of a possible address book (incomplete, deobfuscated)\r\nFurthermore, each time the user pastes anything into any website (except the malicious address from the address\r\nbook), this module checks whether the clipboard content matches any of the regular expressions from the address\r\nbook and if it does, it sends the following data to the collector server encoded using base64. 
The data for the\r\nMQTT message has the following structure:\r\nAction\r\nSite: \u003cURL\u003e\r\nBrowser: \u003cUSER-AGENT\u003e\r\nClipboard: \u003cCLIPBOARD-WALLET-ADDRESS\u003e\r\nTime: \u003cTIMESTAMP\u003e\r\nwebpack_content.js\r\nThis module monitors two input elements for content the user fills into websites and it is loaded when the victim\r\nis outside of any of the mentioned exchange sites:\r\nHTMLInputElement\r\nHTMLTextAreaElement\r\nThis is done by hooking the getters of these elements to try to find a compatible crypto address in the\r\nuser’s input and if one is found, the malware creates a new localStorage entry keyed by a combination of the visited site and the\r\ncompatible (attacker’s) address:\r\nwebsite_attackerAddress: userAddress\r\nA compatible address is found when the provided address matches any of the regular expressions from the\r\naddress book described in the previous section.\r\nAfter that, a custom MutationObserver watches for dynamic changes in the site (e.g. loading the page,\r\ndisplaying a message sent earlier in the user’s messenger client, etc.) and if such a change occurs, the malware\r\nreplaces all mentions of the malicious address (if found) with the user’s address using the localStorage entry. This\r\neffectively hides all traces of the malicious address in the website’s body.\r\nNote that since the information is stored directly in the persistent localStorage, the functionality survives a\r\nbrowser restart, PC restart, or re-visiting the page anytime in the future. The victim has to clear the user data in\r\ntheir browser or uninstall the malicious extension altogether to get rid of the malicious behavior.\r\nFor the sake of demonstrating this behavior, we decided to create a demo PoC of a simple page that illustrates the\r\nwhole process of content tampering while the malware is active:\r\n1. 
First two buttons, Attacker address and User address, fill the attacker’s address or the user’s address into the\r\n“Dynamic content to be pasted” line on the webpage\r\n2. The “Get value” button triggers the getter, but the hook is inactive since the provided address doesn’t match a\r\ncryptowallet address pattern (it is too short)\r\n3. The user fills in a compatible address\r\n4. The “Get value” button creates a localStorage entry with the entered address\r\n5. The attacker’s address is always replaced with the one from localStorage\r\nDraining the victim’s accounts\r\nAs we already mentioned, VenomSoftX focuses on five different crypto exchanges/websites, namely\r\nBlockchain.com, Binance, Coinbase, Gate.io, and Kucoin.\r\nIn these modules, the malware tries to tamper with API requests the sites use for several actions like money\r\nwithdrawal or sending security codes. This is done by creating hooks on the API calls (or rather the functions\r\nresponsible for sending those requests), parsing their structure, and replacing the request body with the desired\r\nattacker’s contents – commonly meaning that the recipient’s address is replaced by the attacker’s one and\r\nthe amount is set to the value of the available account balance if known. The request is then processed by the\r\nmalware without the user noticing anything, completely draining the victim’s portfolio as a result.\r\nNote that the user has little to no chance to notice this. In comparison to the rather common clipboard swapping, for\r\nexample, this “swapping” is performed on a lower level. Since transactions on blockchains/ledgers are\r\ninherently irreversible, when the user checks the transaction history afterward, it is already too late.\r\nThe complete list of hooked API functions can be found in the Appendix. 
The only file that differs from the rest is\r\nwebpack_block.js. This module focuses on www.blockchain.com and it tries to hook\r\nhttps://blockchain.info/wallet. It also modifies the getter of the password field to steal entered passwords.\r\nOnce the request to the API endpoint is sent, the wallet address is extracted from the request, bundled with the\r\npassword, and sent to the collector as base64-encoded JSON via MQTT.\r\nSince the rest of the hooks are the same at a higher level if we ignore API differences, we will use the Binance\r\nmodule as an illustrative example.\r\nThe Binance module recognizes six different API calls that trigger malicious interactions. When the user logs in to\r\nthe site, it is expected that at some point the API function\r\nhttps://www.binance.com/bapi/asset/v3/private/asset-service/asset/get-user-asset\r\nwill be called. VenomSoftX then parses and saves all assets available in the victim’s account. When the user tries\r\nto manipulate their savings, e.g. withdrawing their money, the malware intercepts the request\r\nhttps://www.binance.com/bapi/capital/v3/private/capital/withdraw/apply\r\nand tampers with the request body, modifying the address to redirect the money to the attacker’s address if a\r\ncompatible attacker’s address was found. The amount in the request is also set to the maximum amount available, as\r\nobtained in the previous step. After the tampering, the request is passed on as if nothing happened, effectively\r\ndraining the victim’s wallet.\r\nConclusion\r\nIn this blog post, we took a closer look at ViperSoftX, a long-standing information stealer, and its malicious\r\nbrowser extension payload VenomSoftX. 
We described both information stealers’ infection chains, and how the\r\noriginal payload hides and decrypts itself on the infected system.\r\nWe described what both ViperSoftX and VenomSoftX steal and how the browser extension leverages its full\r\naccess to every page the victim visits and carries out man-in-the-browser attacks by silently tampering with the\r\nAPI requests popular cryptocurrency exchanges use, resulting in draining the victim’s accounts.\r\nIndicators of Compromise (IoC)\r\nGitHub repository: ViperSoftX\r\nViperSoftX\r\nVenomSoftX\r\nC\u0026C\r\nAppendix\r\nScripts and tools\r\nExtractor for ViperSoftX’s initial payloads (commonly named Activator.exe)\r\nCyberChef template for decrypting the second variant of the hidden scripts in logs\r\nList of wallet addresses\r\nAlso in our GitHub.\r\nViperSoftX\r\nList of monitored cryptocurrency locations\r\nComplete list in our GitHub.\r\nList of monitored window titles\r\nAlso in our GitHub.\r\nVenomSoftX\r\nAddress book\r\nComplete list in our GitHub.\r\nList of hooked API calls\r\nThreat Research Team\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/"
	],
	"report_names": [
		"vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6422ada0fe5293e8791635d611207c12a4b3080e.pdf",
		"text": "https://archive.orkl.eu/6422ada0fe5293e8791635d611207c12a4b3080e.txt",
		"img": "https://archive.orkl.eu/6422ada0fe5293e8791635d611207c12a4b3080e.jpg"
	}
}