{ "id": "d44a98a3-c817-4bcb-98ae-cf344ad0ebb4", "created_at": "2026-04-06T00:12:46.995676Z", "updated_at": "2026-04-10T03:37:19.212444Z", "deleted_at": null, "sha1_hash": "69e7dba119ab70326e9b7bd265f14c2137429f73", "title": "LevelBlue - Open Threat Exchange", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 353759, "plain_text": "LevelBlue - Open Threat Exchange\r\nBy ChrisTan0\r\nArchived: 2026-04-02 10:45:29 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:chromepass\r\nPage 1 of 7\n\n41 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:chromepass\r\nPage 2 of 7\n\nUnauthorized RDP Connections For Cyberespionage Operations\r\nCVE: 5 | FileHash-MD5: 4 | FileHash-SHA1: 4 | FileHash-SHA256: 9 | URL: 7\r\nCyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files\r\nto gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain\r\nemploys PowerShell and BAT scripts to evade detection, create administrative accounts, and alter Remote\r\nDesktop settings. The campaign, named 'HeptaX', has been active since 2023, targeting various sectors with\r\nconsistent techniques. It involves the deployment of ChromePass, a tool for stealing saved passwords from\r\nChromium-based browsers. The attack begins with a ZIP file containing a malicious shortcut, likely distributed via\r\nphishing emails, and progresses through multiple stages of payload downloads and executions, ultimately enabling\r\nthe threat actors to establish remote access for further malicious activities.\r\n373,183 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:chromepass\r\nPage 3 of 7\n\nSpace Pirates: Explore the tools and connections of a new hacker group\r\nCVE: 1 | FileHash-MD5: 156 | FileHash-SHA1: 150 | FileHash-SHA256: 150 | URL: 1 | Domain: 5 | Email: 1\r\n| Hostname: 56\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:chromepass\r\nPage 4 of 7\n\nAt the end of 2019, specialists from the Positive Technologies security expert center ( PT Expert Security Center ,\r\nPT ESC) discovered a phishing email targeting one of the enterprises in the Russian aerospace industry. It\r\ncontained a link to previously unknown malware. Our experts discovered the same malware in 2020 while\r\ninvestigating an information security incident in one of the Russian government organizations. In the course of\r\nthis work, several new malware families were also discovered using a common network infrastructure, while some\r\nof them were not previously mentioned in open sources.\r\n354 Subscribers\r\n840 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:chromepass\r\nPage 5 of 7\n\nCycldek: Bridging the (air) gap | Securelist\r\nA Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate\r\nsensitive data for espionage, according to a newly published research by Kaspersky\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:chromepass\r\nPage 6 of 7\n\n65 Subscribers\r\nIndicators Search\r\nShow expired indicators\r\nWe've found 39 indicators\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:chromepass\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:chromepass\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://otx.alienvault.com/browse/pulses?q=tag:chromepass" ], "report_names": [ "pulses?q=tag:chromepass" ], "threat_actors": [ { "id": "536ca49a-2666-4005-8a50-e552fc7e16ef", "created_at": "2023-11-21T02:00:07.375813Z", "updated_at": "2026-04-10T02:00:03.471967Z", "deleted_at": null, "main_name": "Webworm", "aliases": [ "Space Pirates" ], "source_name": "MISPGALAXY:Webworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4", "created_at": "2022-10-25T16:07:24.219051Z", "updated_at": "2026-04-10T02:00:04.902017Z", "deleted_at": null, "main_name": "Space Pirates", "aliases": [ "Erudite Mogwai", "Webworm" ], "source_name": "ETDA:Space Pirates", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "BH_A006", "Chymine", "Darkmoon", "Deed RAT", "Destroy RAT", "DestroyRAT", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "MyKLoadClient", "Mydoor", "PCRat", "PCShare", "POISONPLUG.SHADOW", "PlugX", "Poison Ivy", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SnappyBee", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "XShellGhost", "Xamtrav", "Zupdax", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea", "created_at": "2023-01-06T13:46:39.444946Z", "updated_at": "2026-04-10T02:00:03.331753Z", "deleted_at": null, "main_name": "GOBLIN PANDA", "aliases": [ "Conimes", "Cycldek" ], "source_name": "MISPGALAXY:GOBLIN PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null }, { "id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39", "created_at": "2022-10-25T16:07:23.690871Z", "updated_at": "2026-04-10T02:00:04.709966Z", "deleted_at": null, "main_name": "Goblin Panda", "aliases": [ "1937CN", "Conimes", "Cycldek", "Goblin Panda" ], "source_name": "ETDA:Goblin Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "BackDoor-FBZT!52D84425CDF2", "BlueCore", "BrowsingHistoryView", "ChromePass", "CoreLoader", "Custom HDoor", "Destroy RAT", "DestroyRAT", "DropPhone", "FoundCore", "HDoor", "HTTPTunnel", "JsonCookies", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "NBTscan", "NewCore RAT", "PlugX", "ProcDump", "PsExec", "QCRat", "RainyDay", "RedCore", "RedDelta", "RoyalRoad", "Sisfader", "Sisfader RAT", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Win32.Staser.ytq", "USBCulprit", "Win32/Zegost.BW", "Xamtrav", "ZeGhost", "nbtscan" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434366, "ts_updated_at": 1775792239, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/69e7dba119ab70326e9b7bd265f14c2137429f73.pdf", "text": "https://archive.orkl.eu/69e7dba119ab70326e9b7bd265f14c2137429f73.txt", "img": "https://archive.orkl.eu/69e7dba119ab70326e9b7bd265f14c2137429f73.jpg" } }