{
	"id": "8ea714d2-fb0d-4411-a9ae-053ca06a0c37",
	"created_at": "2026-04-06T00:11:47.061064Z",
	"updated_at": "2026-04-10T03:36:48.051551Z",
	"deleted_at": null,
	"sha1_hash": "6a8ea83348ef2025d5f38b3733eaa6ebfb1864db",
	"title": "New OpcJacker Malware Distributed via Fake VPN Malvertising",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 514196,
	"plain_text": "New OpcJacker Malware Distributed via Fake VPN Malvertising\r\nBy: Jaromir Horejsi, Joseph C Chen Mar 29, 2023 Read time: 9 min (2541 words)\r\nPublished: 2023-03-29 · Archived: 2026-04-05 15:00:38 UTC\r\nMalware\r\nWe discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its\r\ncryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022. OpcJacker is\r\nan interesting piece of malware, since its configuration file uses a custom file format to define the stealer’s\r\nbehavior. Specifically, the format resembles custom virtual machine code, where numeric hexadecimal identifiers\r\npresent in the configuration file make the stealer run desired functions. The purpose of using such a design is\r\nlikely to make understanding and analyzing the malware’s code flow more difficult for researchers.\r\nOpcJacker’s main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading\r\nadditional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes.\r\nWe’ve observed OpcJacker being distributed via different campaigns that involve the malware being disguised as\r\ncryptocurrency-related applications and other legitimate software, which the threat actors distribute through fake\r\nwebsites. In the latest (February 2023) campaign involving OpcJacker, the infection chain began with\r\nmalvertisements that were geofenced to users in Iran. 
The malvertisements were disguised as a legitimate VPN\r\nservice that tricked its victims into downloading an archive file containing OpcJacker.\r\nThe malware is loaded by patching a legitimate DLL library within an installed application, which loads another\r\nmalicious DLL library. This DLL library then assembles and runs shellcode — the loader and runner of another\r\nmalicious executable — and OpcJacker from chunks of data stored in data files of various formats, such as\r\nWaveform Audio File Format (WAV) and Microsoft Compiled HTML Help (CHM). This loader has been in use\r\nfor over a year since it was previously described and named as the Babadeda crypter. The threat actor behind the\r\ncampaign implemented a few changes in the cryptor itself, then added a completely new payload (a\r\nstealer/clipper/keylogger).\r\nWe noticed that OpcJacker mostly drops (or downloads) and runs additional modules, which are remote access\r\ntools — either the NetSupport RAT or a hidden virtual network computing (hVNC) variant. We also found a\r\nreport sharing information on a loader called “Phobos Crypter” (which is actually the same malware as\r\nOpcJacker) being used to load the Phobos ransomware.\r\nDelivery\r\nhttps://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html\r\nPage 1 of 12\n\nAs mentioned in the introduction, we observed OpcJacker being distributed through several different campaigns\r\nthat usually involve fake websites advertising seemingly legitimate software and cryptocurrency-related\r\napplications, but are actually hosting malware. As these campaigns deliver a few other different malware in\r\naddition to OpcJacker, we believe that they are most likely to be different pay-per-install services leveraged by\r\nOpcJacker’s operators.\r\nIn the latest campaign from February 2023, we noticed OpcJacker being distributed via malvertisements\r\ngeotargeting Iran. 
These malvertisements were linked to a malicious website disguised as a website for\r\nlegitimate VPN software. The site’s content was copied from the website of a legitimate commercial VPN service\r\n— however, the links were modified to link to a compromised website hosting malicious content.\r\nThe malicious website checks the client’s IP address to determine whether the victim uses a VPN service. If the IP\r\naddress is not from a VPN service, it then redirects the victim to the second compromised website to lure them\r\ninto downloading an archive file containing OpcJacker. Note that the attack will not proceed if the intended victim\r\nis using a VPN service.\r\nFigure 2. An example of a malvertisement designed to deliver OpcJacker\r\nFurthermore, we also found a bunch of ISO images and RAR/ZIP archives containing modified installers of\r\nvarious pieces of software that all lead to the loading of OpcJacker. These installers, which were previously used\r\nby other campaigns, were hosted on various hacked WordPress-powered websites or software development\r\nplatforms like GitHub. A possible reason why threat actors favor the use of ISO files is to bypass Mark-of-the-Web warnings.\r\nThe following are some file name examples we found:\r\nCLF_security.iso\r\nCloudflare_security_setup.iso\r\nGoldenDict-1.5.0-RC2-372-gc3ff15f-Install.zip\r\nMSI_Afterburner.iso\r\ntigervnc64-winvnc-1.12.0.rar\r\nTradingViewDesktop.zip\r\nXDag.x64.rar\r\nBabadeda crypter\r\nNote that the file names mentioned in this section often change between different installers. However, their overall\r\nfunctions remain the same.\r\nAfter the installer drops all the necessary files, it then loads the main executable file (RawDigger.exe), which is a\r\nclean legitimate file.\r\nFigure 3. 
A list of files dropped by the installer; while most of them are clean legitimate files, some\r\nare patched or malicious files\r\nThe executable file loads a DLL library that includes patched imports (librawf.dll).\r\nFigure 4. A list of imported DLL libraries; the highlighted library was patched to load another\r\nmalicious DLL library\r\nThe patched DLL’s (librawf.dll, which is connected to the legitimate app RawDigger, a raw image analyzer)\r\nimport address table was further patched to include two additional DLL libraries. In the figure below, notice how\r\nthe FirstThunk addresses (of the newly added libraries) start with 001Dxxxx instead of the 0012xxxx used in the\r\nFirstThunk addresses from the original libraries.\r\nThe highlighted library in Figure 5 (libpushpp.dll) is then loaded and executed. Its main task is to open one of the\r\ndata files (hm) and load the first stage shellcode stored inside.\r\nThe offset and size of the first stage shellcode are hardcoded into the DLL library.\r\nFigure 7. Malicious library copying the first stage shellcode from offset 0x37D50; the size of the\r\nshellcode is 0x75A bytes\r\nIn newer versions of the Babadeda crypter, another DLL library (mdb.dll, from the fake VPN installer) is loaded\r\ninto memory, after which a hardcoded, randomly selected block of memory is overwritten with the first stage\r\nshellcode. Note that this change is just a small detail and has no influence on the first stage shellcode’s overall\r\nfunction.\r\nFigure 8. 
The legitimate library (mdb.dll) is loaded into memory, after which the first stage\r\nshellcode (0x7B5 bytes) is copied into the library’s memory space\r\nThere is a configuration table containing offsets of encrypted chunks followed by their respective sizes at the end\r\nof the first stage shellcode. The first stage shellcode then decrypts and combines all chunks to form the second\r\nstage shellcode (a loader) and the main malware (OpcJacker with the ability to load additional malicious\r\nmodules).\r\nThe configuration table starts with at least eight of the same characters (the red colored “*” in Figure 9, but\r\ndifferent characters may be used in other samples), followed by the total length of the data file (green color; length\r\nof hm = 0x1775e0 = 1537504 bytes), the encryption key (yellow color; 0x18), the number of chunks in the second\r\nstage of the shellcode (brown color; 0x07), and finally, by the number of chunks in the main malware (white\r\ncolor; 0x08). The list of 0x07 (red bracket) and 0x08 (blue bracket) is equivalent to fifteen addresses and sizes of\r\neach chunk.\r\nAt the beginning of the data file (hm), we can see the (WAV) file header as it tries to mimic a WAVE file format.\r\nNote that the data file can be a different file format, since we also observed CHM being used.\r\nMain stealer component (OpcJacker)\r\nThe main malware component (OpcJacker) is an interesting stealer that first decrypts and loads its configuration\r\nfile. 
The configuration file format resembles a bytecode written in a custom machine language, where each\r\ninstruction is parsed, individual opcodes are obtained, and then the specific handler is executed.\r\nWhen analyzing the custom bytecode, we noticed the following patterns:\r\nASCII strings were encoded as 01 xx xx xx xx \u003cstring bytes\u003e; where xx xx xx xx is the length of the string.\r\nSimilarly, wide character strings started with byte 02, while binary arrays started with byte 03.\r\nThe configuration file format is a sequence of instructions where each instruction starts with three 4-byte little-endian\r\n(DWORD) numbers. The first number is the virtual program counter, the second is likely the parent instruction’s\r\nvirtual program counter, while the third is the handler ID (code to be executed in the virtual machine), followed by\r\ndata bytes or additional handler IDs.\r\nBased on these observations, we wrote an instruction parser, from which we were presented with the following\r\noutput. Although our observations and understanding of the virtual machine’s internal implementation were\r\nincomplete, the parser gave us a good understanding of what behavior was defined in the configuration file.\r\nThe decrypted and decoded configuration file starts with the initialization of certain system variables, with “test”\r\nand “rik” likely being campaign IDs. The configuration file dropped by SHA256\r\nc5b499e886d8e86d0d85d0f73bc760516e7476442d3def2feeade417926f04a5 contains different keywords “test”\r\nand “ilk” as campaign IDs. Meanwhile, the configuration file dropped by the latest campaign from February 2023\r\n(SHA256 565EA7469F9769DD05C925A3F3EF9A2F9756FF1F35FD154107786BFC63703B52) contains the\r\nkeywords “test_installs” and “yorik.”\r\nThen initialization of clipboard replacement functionality (clipping) follows.\r\nLater, the variable “exe” is initialized with executable file bytes (see the 4d 5a 90 = MZ marker). 
This executable\r\nis a remote access tool.\r\nThe malware sets up persistence via registry run and task scheduler methods. Note the $itself_exe variable used\r\nfor holding the file name of the current process.\r\nThe malware then starts the clipper function, that is, it monitors the clipboard for cryptocurrency addresses and\r\nreplaces them with its own cryptocurrency addresses controlled by the attackers.\r\nFinally, the virtual_launch_exe function runs the previously embedded executable, which we observed to be\r\nRATs, either the NetSupport RAT, the NetSupport RAT downloader, or hVNC.\r\nHandler IDs in custom virtual machines\r\nAs can be observed in the third column (or decoded “command” variable) in a few of the previous screenshots, the\r\nvirtual machine implements numerous internal handlers. Most of these are related to various data manipulations.\r\nWe list a few of the notable handlers that have specific high-level functionalities in Table 1. 
The functions the\r\nstealer implements include the following: clipping (clipboard content replacement), keylogging, file execution and\r\nlisting, killing processes, stealing Chromium credentials, detecting idleness, and detecting virtual machines.\r\nHowever, during our testing scenarios, we observed the stealer mostly just sets the persistence and delivers\r\nadditional modules (remote access tools).\r\nHandler ID Function\r\n0x3E9 Used for persistence (registry; HKCU)\r\n0x3EA Used for persistence (registry; HKLM)\r\n0x3EB Used for persistence (startup folder)\r\n0x3EC;0x3ED Used for persistence (task scheduler)\r\n0x7d1 Lists files\r\n0x579 Starts clipper\r\n0x57A Stops clipper\r\n0x12d Puts the machine into sleep mode\r\n0x385 Terminates process\r\n0x387 Exits process\r\n0x388; 0x38B Runs PE executable\r\n0x389 Runs shellcode\r\n0x38A Runs PE executable export routine\r\n0x76D Gets current committed memory limit (ullTotalPageFile)\r\n0x76E Gets the amount of actual physical memory (ullTotalPhys)\r\n0x641 Steals sensitive data from Chromium\r\n0x259 Checks if the machine is idle and if the cursor is not moving\r\n0x25B Checks if the machine is idle and if no new process is being created\r\n0x25D Checks if the machine is idle and if no new window is being created\r\n0x835 Starts keylogger\r\n0x836 Starts keylogger for a certain period\r\n0x837 Stops keylogger\r\n0x839 Copies data (likely logs) then returns 0x83a (klogs)\r\n0x1F5 Detects VMware via CPUID\r\n0x1f7 Searches for 'virtual' in SYSTEM\\\\ControlSet001\\\\Services\\\\disk\\\\Enum\r\n0x83A Writes file(s) to klogs//\r\n0x89a Writes file(s) to screenshots\\\\\r\n0x596 Writes to clp\\clp_log.txt\r\n0xf6 Writes file(s) to chromium_creds\\\\\r\n0xCE Copies files to filesystem\\\\\r\n0x321 Creates messagemonitor window, which is needed for the clipper\r\n0x322 Destroys messagemonitor 
window, which is needed for the clipper\r\n0x5DC Gets environment ID\r\n0x5E0 Runs GetModuleFileNameW, which is needed for resolving $itself_exe\r\nTable 1. Virtual machine command IDs\r\nFigure 20. Keylogger-related commands implemented within the stealer’s binary; Command IDs\r\ncan also be observed in the screenshot (0x835; 0x837; 0x836; 0x839)\r\nEmbedded modules\r\nSome embedded modules contain the client32.exe (SHA256\r\n18DF68D1581C11130C139FA52ABB74DFD098A9AF698A250645D6A4A65EFCBF2D or SHA256\r\n49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3) file from the\r\nNetSupport RAT. This single file is not enough, however, as the NetSupport tool needs additional DLL libraries\r\nand a configuration file. Note that these missing files have already been dropped by the modified installer into the\r\ninstallation directory.\r\nFor researchers, the most important file is called client32.ini, which contains important settings such as gateway\r\naddresses, gateway keys (GSK), and ports.\r\nSome embedded modules contain the NetSupport RAT downloader (SHA256\r\nC68096EB0A655924CA840EA1C71F9372AC055F299B52335AD10DDFA835F3633D). This downloader\r\ndecrypts the URL payload, then downloads and executes it.\r\nFigure 22. Decrypted downloader’s configuration file, with additional URLs being visible in clear\r\ntext\r\nThe decrypted configuration contains two URLs, one leading to an archive containing the NetSupport RAT, like\r\nthe previous module, while the second contains a few batch scripts, which display messages such as the one seen\r\nin Figure 23. Later, one of these batch scripts downloads additional stealers.\r\nFigure 23. 
Decoy message telling the victim to wait for the program to be installed\r\nSome embedded modules contain a modified hVNC module\r\nF772B652176A6E40012969E05D1C75E3C51A8DB4471245754975678F04DEDAAA. This module, in addition\r\nto standard remote desktop functionality, also contains routines to search for the existence of the following\r\ncryptocurrency-related Google Chrome, Microsoft Edge, and Mozilla Firefox extensions (wallets):\r\nGoogle Chrome extension ID Extension name\r\nffnbelfdoeiohenkjibnmadjiehjhajb Yoroi\r\nibnejdfjmmkpcnlpebklmnkoeoihofec TronLink\r\njbdaocneiiinmjbjlgalhcelgbejmnid Nifty Wallet\r\nnkbihfbeogaeaoehlefnkodbefgpgknn MetaMask\r\nafbcbjpbpfadlkmhmclhkeeodmamcflc Math Wallet\r\nhnfanknocfeofbddgcijnmhnfnkdnaad Coinbase Wallet\r\nfhbohimaelbohpjbbldcngcnapndodjp Binance Wallet\r\nodbfpeeihdkbihmopkbjmoonfanlbfcl Brave Wallet\r\nhpglfhgfnhbgpjdenjgmdgoeiappafln Guarda Wallet\r\nblnieiiffboillknjnepogjhkgnoapac Equall Wallet\r\ncjelfplplebdjjenllpjcblmjkfcffne Jaxx Liberty\r\nfihkakfobkmkjojpchpfgcmhfjnmnfpi BitApp Wallet\r\nkncchdigobghenbbaddojjnnaogfppfj iWallet\r\namkmjjmmflddogmhpjloimipbofnfjih Wombat\r\nfhilaheimglignddkjgofkcbgekhenbh Oxygen\r\nnlbmnnijcnlegkjjpcfjclmcfggfefdm MyEtherWallet\r\nnanjmdknhkinifnkgdcggcfnhdaammmj GuildWallet\r\nnkddgncdjgjfcddamfgcmfnlhccnimig Saturn Wallet\r\nfnjhmkhhmkbjkkabndcnnogagogbneec Ronin Wallet\r\naiifbnbfobpmeekipheeijimdpnlpgpp Station Wallet\r\nfnnegphlobjdpkhecapkijjdkgcjhkib Harmony\r\naeachknmefphepccionboohckonoeemg Coin98\r\ncgeeodpfagjceefieflmdfphplkenlfk EVER Wallet\r\npdadjkfkgcafgbceimcpbkalnfnepbnk KardiaChain\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa Phantom\r\nfhilaheimglignddkjgofkcbgekhenbh Oxygen\r\nmgffkfbidihjpoaomajlbgchddlicgpn Pali\r\naodkkagnadcbobfpggfnjeongemjbjca BoltX\r\nkpfopkelmapcoipemfendmdcghnegimn 
Liquality\r\nhmeobnfnfcmdkdcmlblgagmfpfboieaf XDEFI\r\nlpfcbjknijpeeillifnkikgncikgfhdo Nami\r\ndngmlblcodfobpdpecaadgfbcggfjfnm MultiversX DeFi\r\nTable 2. Targeted Chrome extensions\r\nMicrosoft Edge extension ID Extension name\r\nakoiaibnepcedcplijmiamnaigbepmcb Yoroi\r\nejbalbakoplchlghecdalmeeeajnimhm MetaMask\r\ndfeccadlilpndjjohbjdblepmjeahlmm Math Wallet\r\nkjmoohlgokccodicjjfebfomlbljgfhk Ronin Wallet\r\najkhoeiiokighlmdnlakpjfoobnjinie Terra Station\r\nfplfipmamcjaknpgnipjeaeeidnjooao BDLT wallet\r\nniihfokdlimbddhfmngnplgfcgpmlido Glow\r\nobffkkagpmohennipjokmpllocnlndac OneKey\r\nkfocnlddfahihoalinnfbnfmopjokmhl MetaWallet\r\nTable 3. Targeted Edge extensions\r\nMozilla Firefox extension ID Extension name\r\n{530f7c6c-6077-4703-8f71-cb368c663e35}.xpi Yoroi\r\nronin-wallet@axieinfinity.com.xpi Ronin Wallet\r\nwebextension@metamask.io.xpi MetaMask\r\n{5799d9b6-8343-4c26-9ab6-5d2ad39884ce}.xpi TronLink\r\n{aa812bee-9e92-48ba-9570-5faf0cfe2578}.xpi  \r\n{59ea5f29-6ea9-40b5-83cd-937249b001e1}.xpi  \r\n{d8ddfc2a-97d9-4c60-8b53-5edd299b6674}.xpi  \r\n{7c42eea1-b3e4-4be4-a56f-82a5852b12dc}.xpi Phantom\r\n{b3e96b5f-b5bf-8b48-846b-52f430365e80}.xpi  \r\n{eb1fb57b-ca3d-4624-a841-728fdb28455f}.xpi  \r\n{76596e30-ecdb-477a-91fd-c08f2018df1a}.xpi  \r\nTable 4. Targeted Firefox extensions\r\nIn our analyzed sample, command-and-control (C\u0026C) communication starts with the following magic:\r\nThe snippet below shows that some values are hardcoded into the executable, others are generated from\r\nMachineGuid or randomly generated. Note the string “7.7” seen in Figure 25, which is likely the modified hVNC\r\nversion.\r\nConclusion\r\nIt seems that OpcJacker’s operator is motivated by financial gain, since the malware’s primary purpose is stealing\r\ncryptocurrency funds from wallets. 
However, its versatile functions also allow OpcJacker to act as an information\r\nstealer or a malware loader, meaning it can be used beyond its initial intended use.\r\nThe campaign IDs we found in the samples, such as “test” and “test_installs”, indicate that OpcJacker could still\r\nbe under development and testing stages. Given its unique design combined with a variety of VM-like\r\nfunctionalities, it’s possible that the malware could prove to be popular with threat actors, and therefore could see\r\nuse in future threat campaigns.\r\nIndicators of Compromise\r\nThe indicators for this blog entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html"
	],
	"report_names": [
		"new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434307,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a8ea83348ef2025d5f38b3733eaa6ebfb1864db.pdf",
		"text": "https://archive.orkl.eu/6a8ea83348ef2025d5f38b3733eaa6ebfb1864db.txt",
		"img": "https://archive.orkl.eu/6a8ea83348ef2025d5f38b3733eaa6ebfb1864db.jpg"
	}
}