{
	"id": "412e82a4-043f-4221-b31c-c580da4308ff",
	"created_at": "2026-04-06T00:12:55.411495Z",
	"updated_at": "2026-04-10T13:12:21.732545Z",
	"deleted_at": null,
	"sha1_hash": "6830a3e391e60066c34d9c42055f61f5d0620045",
	"title": "Zloader Reversing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2342121,
	"plain_text": "Zloader Reversing\r\nPublished: 2021-10-18 · Archived: 2026-04-05 17:26:10 UTC\r\nZloader, aka ZeusLoader, Deloader, Terdot and Zbot, is a malware family that downloads Zeus OpenSSL. Parts of the Zeus source code were leaked back in 2010 [1], and since then a couple of versions have been forked. Each version has its own malicious capabilities, but all of them do information stealing, especially of banking information. At its core Zeus does wild stuff, from stealing HTTPS session data before it is encrypted, to splitting the stolen data and sending it over multiple channels to different C2 servers based on the type of stolen information [2]. The sent data is encrypted with the RC4 algorithm.\r\nGiven that major parts of Zeus are well known and very detectable by almost every AV, Zloader is not just a loader/packer for the Zeus core functionality. Every unpacked version of Zloader carries complicated obfuscation techniques and visual encryption that bypass security products and make configuration extraction difficult. Uncommon attack vectors such as abusing Google AdSense have been observed lately [3], and the attacker signs Zloader with a certificate compromised from legitimate software in order to evade detection. In this post we take a look at a common Zloader 123 botnet attack that uses the maldoc vector. We quickly analyze the maldoc, the downloader and the well-known unpacking technique, together with the observed behaviour, which is simple and not very interesting. The second part, however, is a deep dive into the techniques for analyzing and reversing the unpacked Zloader.\r\nMaldoc\r\nSHA256 500856ee3fc13326cad564894a0423e0583154ef10531de4ab6e6d5df90d4e31\r\nFile Type Office Open XML Spreadsheet\r\nName tn4598151.xlsm\r\nSize 182.62 KB (187002 bytes)\r\nCreation Time 2021-10-04 13:17:51\r\nLinks MalwareBazaar, VirusTotal, Any.run\r\nIn clear text on sheet2, the maldoc gives away the downloader URL, the directory it is dropped into, and the shell command that runs a DLL, which is the Zloader.\r\nMacros have to be enabled for the VBA script to run the above.\r\nhttps://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/\r\nPage 1 of 24\r\nThe downloaded test.dll is just an HTML file! It downloads logs.php, which is the Zloader DLL.\r\nZloader DLL\r\nSHA256 c4ab81d7b7d44dd6dfc4f2b69dbe3f22fbf23c1ae49ab8edac2d26f85ae4514d\r\nFile Type Win32 DLL\r\nNames suqyatda.dll, ewviv.dll, ehev.dll, cyvi.dll, logs.php\r\nSize 1.13 MB (1189888 bytes)\r\nCompiler Time-stamp Mon Sep 23 01:29:14 2019\r\nFirst Submission 2021-10-04 18:23:00\r\nLinks MalwareBazaar, VirusTotal, Tria.ge\r\nThe Zloader DLL is downloaded and run from a temp location. After Zloader runs:\r\n1. It creates a new msiexec.exe process and injects its loader into it.\r\n2. The loader sets new registry values, under random key and value names, in:\r\nHKCU\\Software\\Microsoft\\bbxk\\uuwk\r\nHKCU\\Software\\Microsoft\\bbxk\\ziox\r\n3. It deletes the original downloader and copies itself to %AppData%\\Roaming\\*random name\\*.dll\r\nThe registry value points to the new directory for persistence in case the host is rebooted. Both registry values are encrypted with RC4, but more on that in the next section.\r\nRunning Process and Registry Value change\r\nWhen checking memory strings for forensics, a great number of C2 values spell out. 
Noticed that 20 of the URLs have random names of fixed length. Those come from a Domain Generation Algorithm (DGA); unlike the hard-coded C2 URLs, they are computed at run time. More on that later in the next section.\r\nThe pe-sieve64 tool is a good way to dump the unpacked Zloader from the running process as a valid PE file ready for analysis. However, a quick debugging session gives the same result. In the recent SquirrelWaffle and QakBot analyses [4] [5] it was observed that Zloader, among other malware, uses the same crypter/decryptor as unpacking mechanism for its loader before injecting it into a process. Following the same debugging method as in [4] reveals the unpacked Zloader.\r\nUnpacked Zloader\r\nSHA256 3A4CA58B0A2E72A264466A240C6636F62B8742FFBC96CE14E2225F0E57012E96\r\nFile Type Win32 DLL\r\nName unpacked_zloader_21_10_4.dll\r\nSize 146.00 KB (149504 bytes)\r\nCompiler Time-stamp Wed Jul 14 08:04:16 2021\r\nFirst Submission 2021-10-18 15:32:37\r\nLinks MalwareBazaar, VirusTotal, Tria.ge\r\nThe unpacked Zloader is a masterpiece of obfuscated functions that waste a lot of analysis time. API strings and other static indicators are not good clues for analyzing Zloader. Besides, this malware family is known for API hashing, visual encryption using XOR, and RC4 encryption of strings.\r\nThere are five main topics to discuss in this section when reversing Zloader: API hashing, XORed strings, configuration extraction, the DGA routine, and the Zeus functions.\r\nAPI Hashing:\r\nStatically analyzing Zloader is a bit of a challenge. However, with the new IDA plugin HashDB from OpenAnalysis Labs [6] it is amazing how many obfuscated API names get out of the way when reversing Zloader. To show what HashDB can do, here are before and after shots of the hashed values in a random function. The hashes are looked up in a large database of hashes, with a good prediction of which hashing algorithm was used.\r\nXORing Strings:\r\nWith API hashing out of the way, it is important to find reversing tricks to dig into the main functions and extract the configuration. There are very limited hard-coded strings in Zloader that can serve as clues, such as the following.\r\nFirst, let's look at off_186010, which is an offset to an offset of the memory location rdata:00183D80 holding the literal string #uVTN7'GQ'rxUf5Ly. Cross-referencing this offset shows it is used 4 times in two different functions, and there is some sort of XOR operation in both subroutines, which suggests that this literal string could be an XOR key.\r\nCross-referencing both sub_1658F0 and sub_173C90 shows that those functions are called over 120 times. Randomly checking any of the cross-references shows a pattern like the one below:\r\n....skipped lines....\r\n.text:001610E0 push offset unk_183E8E\r\n.text:001610E5 call sub_1658F0\r\n....skipped lines....\r\n.text:0016444E push offset unk_184310\r\n.text:00164453 call sub_173C90\r\n....skipped lines....\r\n.text:00165685 push offset unk_184040\r\n.text:0016568A call sub_1658F0\r\nBoth subroutines are called right after a push of an unknown offset.\r\nLet's use the XOR key (#uVTN7'GQ'rxUf5Ly) on the value at offset unk_184040.\r\nShift+E over the unknown offset location\r\nHex: 70 00 1A 00 30 00 20 00 39 00 56 00 55 00 22 00 0D 00 6A 00 1B 00 1B 00 27 00 09 00 46 00 23 00 1F 00 57 00 29 00 56 00\r\nkey: #uVTN7'GQ'rxUf5Ly\r\nResult: SuLT~7.Gh'$x.f.Lt#.VON,'`Q.r>UE5Sytu.T.7\r\nThe XORed result doesn't make sense. 
If anything is noticeable, it is that the hex values have a zero after every byte, which indicates that sub_1658F0 works on wide characters and, by extension, sub_173C90 on narrow characters. Let's try again, deleting all the interleaved zeros and XORing with the key:\r\nHex: 701A3020395655220D6A1B1B270946231F572956\r\nkey: #uVTN7'GQ'rxUf5Ly\r\nResult: Software\\Microsoft\\\r\nIt's not just strings that are obfuscated; some API names are XORed too. Almost 120 offsets are pushed on the stack, which means about 120 strings are XORed. To make them readable, Appendix A lists all the strings, with their addresses, after XOR decryption.\r\nConfiguration:\r\nThe other string, 'qhpacozsstaznupphhedjtuoww', is 26 characters long. It is cross-referenced twice, in two separate routines.\r\nSnipped assembly from the sub_161E40 and sub_1673D0 routines:\r\n.text:00161EE3 push offset aQhpacozsstaznu ; “qhpacozsstaznupphhedjtuoww”\r\n.text:00161EE8 push offset unk_184404\r\n....skipped lines....\r\n.text:001673D0 sub_1673D0 proc near ; CODE XREF: sub_171400+40↓p\r\n.text:001673D0 push ebp\r\n.text:001673D1 mov ebp, esp\r\n.text:001673D3 push edi\r\n.text:001673D4 push esi\r\n.text:001673D5 mov esi, ecx\r\n.text:001673D7 call sub_1809A0\r\n.text:001673DC mov edi, [eax+30h]\r\n.text:001673DF mov ecx, esi\r\n.text:001673E1 call sub_1809A0\r\n.text:001673E6 add eax, edi\r\n.text:001673E8 push 36Fh\r\n.text:001673ED push offset unk_184404\r\n.text:001673F2 push eax\r\n.text:001673F3 call sub_171D80\r\n.text:001673F8 add esp, 0Ch\r\n.text:001673FB mov ecx, esi\r\n.text:001673FD call sub_1809A0\r\n.text:00167402 mov edi, [eax+34h]\r\n.text:00167405 mov ecx, esi\r\n.text:00167407 call sub_1809A0\r\n.text:0016740C add eax, edi\r\n.text:0016740E push 64h ; 'd'\r\n.text:00167410 push offset aQhpacozsstaznu ; “qhpacozsstaznupphhedjtuoww”\r\nIn both routines notice the repeated push of offset unk_184404. This offset holds the configuration. Both offsets (the configuration and the key) are passed into the function sub_1656B0, which we name decrypting_rc4.\r\nPseudo code from the sub_1656B0 routine\r\nThe decrypting_rc4 function calls multiple functions, and those call other functions. What we are looking for here is the RC4 algorithm.\r\nTo get a mind map of where the RC4 algorithm lives, let's look at the Xrefs-from of decrypting_rc4, where the config blob and the key are retrieved.\r\nXrefs-from sub_1656B0 (decrypting_rc4)\r\nNow let's go back to the configuration offset in the data block, copy its hex value into CyberChef and use the RC4 recipe to decrypt it with the key qhpacozsstaznupphhedjtuoww.\r\nNotice three things: we get the C2 URLs, listed in Table-1; the value 123, which is the botnet ID of this Zloader variant; and at the tail the value djfsf02hf832hf03, which is another RC4 key, used to decrypt the registry values under HKEY_CURRENT_USER\\Software\\Microsoft\\bbxk and also to encrypt and decrypt the traffic with the C2 [7].\r\nTable-1\r\n123\r\nhxxp://gipc.in/post[.]php\r\nhxxp://fbhindia.com/post[.]php\r\nhxxp://ecolenefiber.com/post[.]php\r\nhxxp://design.ecolenefiber.com/post[.]php\r\nhxxp://beta.marlics.ir/post[.]php\r\nhxxp://hari.pk/post[.]php\r\nhxxp://iaiskjmalang.ac.id/post[.]php\r\nhxxp://314xd.com/post[.]php\r\nhxxp://ejournal.iaiskjmalang.ac[.]id/post.php\r\nhxxp://duanvn.com/post[.]php\r\ndjfsf02hf832hf03\r\nThe decrypted registry value contains the host name and the path of the Zloader copy in the %AppData% directory.\r\nDGA:\r\nZloader is known for using a DGA, and above we noticed some of the generated 32-character URLs. 
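The two decryption layers walked through above, the repeating-key XOR of sub_1658F0/sub_173C90 and the RC4 decryption of the configuration at unk_184404, re-implemented in Python as an added example; this is not code from the original post and not Zloader's own code. Only the XOR key, the unk_184040 ciphertext, the two RC4 keys and the defanged C2 URLs come from the post. The configuration blob is constructed here for a round trip, its NUL-separated field layout is an assumption modelled on the CyberChef output, stopping at the first NUL in the XOR routine is an assumption, and the RC4 routine is the textbook algorithm.

```python
# Added example, not code from the post or from Zloader itself. Only the XOR
# key, the unk_184040 ciphertext and the two RC4 keys are taken from the
# write-up; everything marked CONSTRUCTED or ASSUMPTION is mine.
from itertools import cycle

BACKSLASH = chr(92)   # spelled out so no escape sequence is needed below
NUL = bytes([0])

# The key literal at rdata:00183D80, #uVTN7'GQ'rxUf5Ly, as raw bytes.
XOR_KEY = bytes.fromhex('23 75 56 54 4E 37 27 47 51 27 72 78 55 66 35 4C 79')

# Bytes at unk_184040 as shown with Shift+E in IDA (UTF-16LE).
WIDE_SAMPLE = bytes.fromhex(
    '70 00 1A 00 30 00 20 00 39 00 56 00 55 00 22 00 0D 00 6A 00 '
    '1B 00 1B 00 27 00 09 00 46 00 23 00 1F 00 57 00 29 00 56 00')

# RC4 keys recovered from the sample.
CONFIG_KEY = b'qhpacozsstaznupphhedjtuoww'   # decrypts unk_184404 (config)
SECOND_KEY = b'djfsf02hf832hf03'             # config tail: registry values and C2 traffic


def xor_decrypt_narrow(data: bytes, key: bytes = XOR_KEY) -> str:
    # Repeating-key XOR as in sub_173C90. ASSUMPTION: the plaintext is a
    # C string, so decoding stops at the first byte that decrypts to NUL.
    out = bytearray()
    for c, k in zip(data, cycle(key)):
        p = c ^ k
        if p == 0:
            break
        out.append(p)
    return out.decode('latin-1')


def xor_decrypt_wide(data: bytes, key: bytes = XOR_KEY) -> str:
    # sub_1658F0 variant: the blob is UTF-16LE. Exactly what the post did by
    # hand: drop the zero high bytes, then XOR the low bytes with the key.
    low = bytes(data[i] for i in range(0, len(data) - 1, 2))
    return xor_decrypt_narrow(low, key)


def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA + PRGA); encryption and decryption are the same call.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plain: bytes) -> dict:
    # ASSUMPTION: NUL-separated fields laid out as the CyberChef output in the
    # post reads: botnet ID first, then C2 URLs, the second RC4 key at the tail.
    fields = [f.decode('latin-1') for f in plain.split(NUL) if f]
    return {
        'botnet_id': fields[0],
        'c2': [f for f in fields if '://' in f],
        'rc4_key_2': fields[-1],
    }


# CONSTRUCTED sample config (defanged URLs from Table-1), encrypted with the
# real config key so the decrypt side behaves like the unk_184404 blob.
SAMPLE_CONFIG_PLAIN = NUL.join([
    b'123',
    b'hxxp://gipc.in/post[.]php',
    b'hxxp://fbhindia.com/post[.]php',
    SECOND_KEY,
])
SAMPLE_CONFIG_BLOB = rc4(CONFIG_KEY, SAMPLE_CONFIG_PLAIN)


def decrypt_config(blob: bytes, key: bytes = CONFIG_KEY) -> dict:
    return parse_config(rc4(key, blob))


def decrypt_registry_value(blob: bytes) -> bytes:
    # The bbxk values are RC4 under the second key found at the config tail.
    return rc4(SECOND_KEY, blob)


if __name__ == '__main__':
    print(xor_decrypt_wide(WIDE_SAMPLE))
    cfg = decrypt_config(SAMPLE_CONFIG_BLOB)
    print(cfg['botnet_id'], cfg['c2'], cfg['rc4_key_2'])
```

On a real dump, feed decrypt_config the bytes copied from unk_184404 (the push 36Fh in sub_1673D0 looks like the length argument, 879 bytes, though that is an assumption from the listing) and decrypt_registry_value the raw data of the bbxk values; the same rc4 call with SECOND_KEY also applies to captured C2 traffic.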
To find the DGA function we can look for the .com or post.php strings that were deobfuscated in the XORing Strings section above.\r\nCross-referencing .com at rdata:001849B4, we find that it is used by a single function; let's name that function the_dga.\r\nThe_dga is itself called by one other function. Based on [8], the caller of the DGA routine does the math that calculates a value called the seed from the current time and the second RC4 key (djfsf02hf832hf03), so the generated values differ with each day that passes; it uses the GetLocalTime and SystemTimeToFileTime APIs. Notice that the_dga is passed the value 32, which is the length of the generated URL string, together with the seed value; in this case the entire caller function exists to calculate the seed, followed by appending post.php and https in a while loop. The caller function contains many obfuscated functions that slow down analysis, and calculating the generated domains manually gets complicated.\r\nZeus Items:\r\nZeus uses the item IDs listed below, which is the main list; there are more extended lists depending on the Zloader version [1] [2] [7]. Each ID is passed into a function that extracts the corresponding information from the victim machine. When that information is stored in the attacker's SQL fields, it shows the retrieved info about the host.\r\nItem ID  Value\r\n10001  SBCID_BOT_ID\r\n10002  SBCID_BOTNET\r\n10003  SBCID_BOT_VERSION\r\n10005  SBCID_NET_LATENCY\r\n10006  SBCID_TCPPORT_S1\r\n10007  SBCID_PATH_SOURCE\r\n10008  SBCID_PATH_DEST\r\n10009  SBCID_TIME_SYSTEM\r\n10010  SBCID_TIME_TICK\r\n10011  SBCID_TIME_LOCALBIAS\r\n10012  SBCID_OS_INFO\r\n10013  SBCID_LANGUAGE_ID\r\n10014  SBCID_PROCESS_NAME\r\n10015  SBCID_PROCESS_USER\r\n10016  SBCID_IPV4_ADDRESSES\r\n10017  SBCID_IPV6_ADDRESSES\r\n10018  SBCID_BOTLOG_TYPE\r\n10019  SBCID_BOTLOG\r\nTo get to the Zeus item values and functions we need to search the strings in IDA for one of the common ID values, since they are constants.\r\nNotice that most of the calls go to sub_1657B0; let's call it z_items_main. It is cross-referenced 17 times. The list of Zeus items found in the 123 variant:\r\nItem ID  Value\r\n10001  SBCID_BOT_ID\r\n10003  SBCID_BOT_VERSION\r\n10006  SBCID_PING\r\n10007  SBCID_PATH_SOURCE\r\n11014  SBCID_GET_FILE\r\n11015  SBCID_GET_FILE_VER\r\n11031  SBCID_LOG_ID_EXT\r\n11032  SBCID_LOG_ERR_CODE\r\n11033  SBCID_LOG_MSG\r\n10022  SBCID_DEBUG\r\n10025  SBCID_MARKER\r\n20001  CFGID_LAST_VERSION\r\n20000  SBCID_BOTLOG\r\n20005  CFG_HTTP_FILTER\r\n20006  CFGID_HTTP_POSTDATA_FILTER\r\n20008  CFGID_DNS_LIST\r\nJust to give an example of the level of obfuscation at every stage of Zloader: not all the item ID values are passed to the function as plain decimal constants. 
Some values are passed through another function and have to be calculated separately, like the v29 value below, returned from sub_167890.\r\nTo give an example of how a Zeus item works, let's take a look at the function sub_177110.\r\nsub_16F780 handles (20001: CFGID_LAST_VERSION), which updates the Zloader version. Looking at it in the disassembler shows a lot of obfuscated functions, but to get an idea of what this update could possibly do, let's look at the leaked source code, which handles the same item ID in a similar fashion [9].\r\nA successful update leads to updating the registry values under HKCU\\Software\\Microsoft\\bbxk\\, which point to the %AppData% directory, possibly with a new Zloader that has new C2 connections.\r\nFinally, to get an idea of how the Zeus function is called, here is a mind map of its Xrefs-to.\r\nAppendix A\r\nAddress  XORed string\r\nrdata:00183DED  kernel32.dll\r\nrdata:00183DFA  http\r\nrdata:00183E26  post\r\nrdata:00183E37  .63\r\nrdata:00183E3B  Wininet.dll\r\nrdata:00183DE0  Imagehlp.dll\r\nrdata:00183DB0  C:\\Windows\\SystemApps\r\nrdata:00183D9C  Local\r\nrdata:00183D92  .exe\r\nrdata:00183D50  NtQueryVirtualMemory\r\nrdata:00183D43  Bcrypt.dll\r\nrdata:00183D38  Ftllib.dll\r\nrdata:00183D2A  Samlib.dll\r\nrdata:00183D20  Post.php\r\nrdata:00183E47  Ntdll.dll\r\nrdata:00183E5C  CmpMem64\r\nrdata:00183E70  INVALID_BOT_ID\r\nrdata:00183E8E  \\start\r\nrdata:00183EA0  HideClass\r\nrdata:00183EB4  advapi32.dll\r\nrdata:00183ED0  ABCDEFGHIJKLMNOPQRSTUVWZabcdefghijklmnopqrstuvwz\r\nrdata:00183F21  ws2_32.dll\r\nrdata:00183F3B  Shlwapi.dll\r\nrdata:00183F47  crypt32.dll\r\nrdata:00183F60  NtProtectVirtualMemory\r\nrdata:00183F77  GetMem64\r\nrdata:00183F90  Get\r\nrdata:00183FA0  Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nrdata:00183FFC  Urlmon.dll\r\nrdata:0018400A  wtsapi32.dll\r\nrdata:00184040  Software\\Microsoft\r\nrdata:00184068  tmp\r\nrdata:0018407C  Iphlpapi.dll\r\nrdata:0018408C  Version.dll\r\nrdata:0018409E  rpcrt4.dll\r\nrdata:001840AA  Dll\r\nrdata:00184111  wldap32.dll\r\nrdata:00184165  ole32.dll\r\nrdata:0018416F  psapi_dll\r\nrdata:00184180  NtFreeVirtualMemory\r\nrdata:001841A0  NtSetContextThread\r\nrdata:001841B3  Winsta.dll\r\nrdata:001841D0  user32.dll\r\nrdata:001841E0  Software\\Microsoft\\WindowsNT\\CurrentVersion\r\nrdata:00184288  gdi32.dll\r\nrdata:00184292  Gdiplus.dll\r\nrdata:001842C0  regsvr32.exe\r\nrdata:001842F0  RtlCreateUserProcess\r\nrdata:00184310  NtWriteVirtualMemory\r\nrdata:00184330  InstallDate\r\nrdata:001843B0  NtReadVirtualMemory\r\nrdata:001843E0  RtlCreateProcessParameters\r\nrdata:00184780  Connection_close\r\nrdata:00184794  Dnsapi.dll\r\nrdata:001847BC  secur32.dll\r\nrdata:001847D0  kernel32.dll\r\nrdata:001847F0  NtGetContextThread\r\nrdata:00184820  Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36.\r\nrdata:00184892  NtResumeThread\r\nrdata:001848B0  SeSecurityPrivilege\r\nrdata:00184914  shell32.dll\r\nrdata:00184920  Ntdll.dll\r\nrdata:00184940  LdrGetProcedureAddress\r\nrdata:00184957  netapi32.dll\r\nrdata:00184964  Mpr.dll\r\nrdata:0018496C  https:\\\\\r\nrdata:00184975  X64Call\r\nrdata:00184980  NtAllocateVirtualMemory\r\nrdata:001849B4  .com\r\nrdata:001849BA  Global\r\nrdata:001849CA  Winscard.dll\r\nrdata:001849D7  Cabinet.dll\r\nrdata:001849E3  Userenv.dll\r\nrdata:001849EF  Ncrypt.dll\r\nReferences\r\n[1] Zeus open source, https://github.com/Visgean/Zeus\r\n[2] Titans' revenge: detecting Zeus via its own flaws, https://www.honeynet.it/wp-content/uploads/Papers/04-Titans%20revenge.pdf\r\n[3] Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms, https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/\r\n[4] The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”, https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9\r\n[5] QakBot Quick analysis, https://twitter.com/aaqeel87/status/1443255927000424449?s=20\r\n[6] HashDB project, https://hashdb.openanalysis.net/#section/Using-The-API/Hash-Format\r\n[7] The “Silent Night” Zloader/Zbot, https://www.malwarebytes.com/resources/files/2020/06/the-silent-night-zloader-zbot_final.pdf\r\n[8] The DGA of Zloader, https://bin.re/blog/the-dga-of-zloader/\r\n[9] Zeus source code, https://github.com/Visgean/Zeus/blob/c55a9fa8c8564ec196604a59111708fa8415f020/source/client/dynamicconfig.cpp\r\nSource: https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/"
	],
	"report_names": [
		"zloader-reversing"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6830a3e391e60066c34d9c42055f61f5d0620045.pdf",
		"text": "https://archive.orkl.eu/6830a3e391e60066c34d9c42055f61f5d0620045.txt",
		"img": "https://archive.orkl.eu/6830a3e391e60066c34d9c42055f61f5d0620045.jpg"
	}
}