{
	"id": "78278a41-2d9c-4dc3-9754-f02be3d13a4f",
	"created_at": "2026-04-06T00:08:30.539508Z",
	"updated_at": "2026-04-10T03:36:13.779831Z",
	"deleted_at": null,
	"sha1_hash": "6c2d9097ff5b8be1cf261bcfae41785561dba87e",
	"title": "Bookworm Trojan: A Model of Modular Architecture",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 723764,
	"plain_text": "Bookworm Trojan: A Model of Modular Architecture\r\nBy Robert Falcone, Mike Scott, Juan Cortes\r\nPublished: 2015-11-10 · Archived: 2026-04-05 17:09:31 UTC\r\nRecently, while researching attacks on targets in Thailand, Unit 42 discovered a tool that initially appeared to be a\r\nvariant of the well-known PlugX RAT based on similar observed behavior such as the usage of DLL side-loading\r\nand a shellcode file. After closer inspection, it appears to be a completely distinct Trojan, which we have dubbed\r\nBookworm and track in Autofocus using the tag Bookworm.\r\nBookworm’s functional code is radically different from PlugX and has a rather unique modular architecture that\r\nwarranted additional analysis by Unit 42. Bookworm has little malicious functionality built-in, with its only core\r\nability involving stealing keystrokes and clipboard contents. However, Bookworm expands on its capabilities\r\nthrough its ability to load additional modules directly from its command and control (C2) server. This blog will\r\nprovide an analysis of the Bookworm Trojan and known indicators of compromise. A later blog will explore the\r\nassociated attack campaigns and attributions surrounding Bookworm.\r\nBookworm: Chapter One\r\nSo far, it appears threat actors have deployed the Bookworm Trojan primarily in attacks on targets in Thailand.\r\nBookworm has many layers (see Figure 1) that increase the complexity of its overall architecture. 
To make matters\r\nworse, the author used multiple algorithms not only to encrypt and decrypt files saved to the system, but also to\r\nencrypt and decrypt network communications between Bookworm and its C2 servers (known servers are listed in\r\nthe Indicators of Compromise section near the end of this post).\r\nLayered Loading Approach\r\nThe threat actors use a commercial installation tool called Smart Installer Maker to encapsulate and execute a self-extracting RAR archive and in some cases a decoy slideshow or Flash installation application. The self-extracting\r\nRAR writes a legitimate executable, an actor-created DLL called Loader.dll and a file named readme.txt to the\r\nfilesystem and then executes the legitimate executable.\r\nhttps://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/\r\nPage 1 of 11\n\nFigure 1 Architecture of Bookworm\r\nThus far, the actors deploying Bookworm have used the legitimate executables Microsoft Malware Protection\r\n(MsMpEng.exe) and Kaspersky Anti-Virus (ushata.exe) to perform DLL side-loading and load the Loader.dll.\r\nLoader.dll decrypts the readme.txt file using a three-byte XOR algorithm with 0xd07858 as a key, which results in\r\nshellcode that is responsible for decrypting the remainder of readme.txt containing the actual Bookworm Trojan.\r\nThe shellcode then loads Bookworm by manually loading another DLL named “Leader.dll” embedded in the\r\ndecrypted readme.txt and passes a buffer to Leader.dll containing additional DLLs. Leader.dll is the main\r\ncomponent of Bookworm, which we will refer to as “Leader” for the remainder of this blog.\r\nThe initial execution of Leader results in the installation of Bookworm. The installation process involves moving\r\nthe legitimate executable and actor-created DLL to a new location. 
Bookworm also creates an additional file in\r\nthis new location that has the same filename as the actor-created DLL but with no file extension. Figures 2 and 3\r\nshow the newly created files based on the legitimate application used to side-load the actor-created DLL.\r\n%AllUsersProfile%\\Application Data\\Microsoft\\DeviceSync\\MsMpEng.exe\r\n%AllUsersProfile%\\Application Data\\Microsoft\\DeviceSync\\MpSvc.dll\r\n%AllUsersProfile%\\Application Data\\Microsoft\\DeviceSync\\MpSvc\r\nFigure 2 Files created if the Microsoft Malware Protection was used to Sideload the DLL\r\n%AllUsersProfile%\\Application Data\\Microsoft\\DeviceSync\\ushata.exe\r\n%AllUsersProfile%\\Application Data\\Microsoft\\DeviceSync\\ushata.dll\r\n%AllUsersProfile%\\Application Data\\Microsoft\\DeviceSync\\ushata\r\nFigure 3 Files created if the Kaspersky Antivirus application was used to Sideload the DLL\r\nAfter this process is completed, Bookworm changes how it loads itself, now reading the newly created file\r\n“MpSvc” or “ushata” instead of readme.txt. The newly created file is encrypted with RC4 using the contents of the\r\nfollowing registry value as its key:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Registration\\ProductID\r\nThe decrypted contents of this new file contain a path to the following file:\r\n%AllUsersProfile%\\Application Data\\Microsoft\\Crypto\\RSA\\MachineKeys\\sgkey.data\r\nThe sgkey.data file contains the shellcode from readme.txt that loads the Bookworm modules, but instead of being\r\nencrypted with the three-byte XOR algorithm like readme.txt, sgkey.data is encrypted with RC4 using the\r\n“ProductID” value as the key. 
The installation process finishes with the creation of a service named “Microsoft\r\nWindows DeviceSync Service”, which results in the addition of registry keys listed in Figure 4, which will run\r\nBookworm when the system starts.\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\DeviceSync\\Type: 0x00000120\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\DeviceSync\\Start: 0x00000002\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\DeviceSync\\ErrorControl: 0x00000001\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\DeviceSync\\ImagePath: \"C:\\Documents and Settings\\All\r\nUsers\\Application Data\\Microsoft\\DeviceSync\\MsMpEng.exe\"\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\DeviceSync\\DisplayName: \"Microsoft Windows DeviceSync Service\"\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\DeviceSync\\ObjectName: \"LocalSystem\"\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\DeviceSync\\Description: \"Allows USB devices to be hosted on this\r\ncomputer. If this service is stopped, any hosted USB devices will stop functioning and no additional hosted devices\r\ncan be added. If this service is disabled, any services that explicitly depend on it will fail to start.\"\r\nFigure 4 Registry Keys Resulting from the Creation of the Bookworm Service\r\nBookworm Modules\r\nLeader is Bookworm's main module and controls all of the activities of the Trojan, but relies on the additional\r\nDLLs to provide specific functionality. The developers of Bookworm use these modules in a rather unique way, as\r\nthe other embedded DLLs provide API functions for Leader to carry out its tasks. 
To load additional modules,\r\nLeader parses the buffer passed to it by the shellcode in readme.txt for the other DLLs, which exist in the\r\nfollowing structure:\r\nstruct embedded_dll {\r\nDWORD dll_identifier;\r\nDWORD length_of_dll;\r\nchar[length_of_dll] embedded_dll;\r\n};\r\nTable 1 contains all of the embedded DLLs in each Bookworm sample, their ID numbers, and a description of the\r\nfunctionality of each DLL’s API functions provided to Leader. It should be noted that Bookworm does not write\r\nany of these DLLs to the filesystem, as the Trojan operates entirely in memory.\r\nName | DLL ID # | Description\r\nLeader.dll | 0x0 | Main module. Communicates with the C2 server and performs other activities by interacting with the other modules in this table.\r\nResolver.dll | 0x1 | Used to resolve C2 server locations.\r\nMover.dll | 0x2 | Moves the Bookworm files from the RAR archive to a new folder and runs it from the new location. Only used on initial infection during installation.\r\nCoder.dll | 0xA | Used to carry out RC4 encryption and decryption, base64 encoding and decoding and the generation of CRC32 hashes of data.\r\nDigest.dll | 0xB | Used to generate MD5 hashes of data.\r\nAES.dll | 0xC | Used to encrypt and decrypt data using AES.\r\nNetwork.dll | 0xE | Sets the network interface into promiscuous mode and gathers network traffic destined for the system in order to receive data from C2 responses. Also provides the ability to send data to the C2.\r\nHTTP.dll | 0x13 | Used to create HTTP requests to send to the C2.\r\nWinINetwork.dll | 0x17 | Used to interact with the C2 server, specifically by sending HTTP GET and POST requests.\r\nKBLogger.dll | 0x5 | Key logger that records keystrokes and the contents saved to the clipboard.\r\nTable 1 Bookworm's Embedded Modules with their Corresponding Identification Number and a Brief\r\nDescription\r\nLeader loads each DLL into memory and then resolves an exported function named \"ProgramStartup\" within the\r\nloaded DLL. Leader then uses the \"dll_identifier\" (DLL ID # in Table 1) value to determine the appropriate\r\narguments to send to the DLL when calling the ProgramStartup function. Leader then passes a pointer to a\r\nstructure to each loaded DLL with each DLL receiving a different offset that it will set with addresses of its\r\ninternal functions. The purpose of passing a structure to each DLL is to populate one large structure that allows\r\nLeader to call specific functions within each DLL, which is very similar conceptually to the import address table\r\nof a portable executable. Figure 5 below visualizes this concept, showing Leader calling example functions in the\r\nBookworm modules to carry out various tasks.\r\nFigure 5 Visualization of Leader using other Bookworm Modules’ API Functions to Carry out Tasks\r\nBy using this type of modular framework, the developers of Bookworm have made static analysis of the Trojan\r\nquite challenging. To perform static analysis of Bookworm, an analyst must recreate the structure used by Leader\r\nto store the API functions of each DLL and apply them throughout the entire Trojan. Without performing this task,\r\nan analyst would be unable to determine which API function Leader calls within the supporting DLLs. 
For\r\nexample, Figure 6 below shows a code block within Leader that is responsible for encrypting a buffer using\r\nfunctions within the AES module; however, the red, blue, and green boxes show calls to functions based on an\r\noffset in a structure.\r\nFigure 6 Bookworm Calling API Functions using an Offset to its Structure\r\nAt first glance, an analyst would be unable to determine the purpose of the code block displayed in Figure 6, as\r\nthe functions called are not readily apparent. By creating a structure and populating it with the correct API\r\nfunctions, however, an analyst can determine the API functions called in this code block. In Figure 7 below, the\r\nred, blue and green boxes show calls to three functions within the AES module that allow Leader to encrypt data\r\nusing the AES algorithm.\r\nFigure 7 Applying Bookworm's API Structure Exposes the API Functions Called\r\nNot only does this modular approach require an analyst to create a structure, but it also takes away an analyst’s\r\nability to use cross references (XREFs) on the API functions within the supporting modules. Using XREFs during\r\nstatic analysis is a common technique to quickly find where functions of interest are called. An analyst cannot use\r\nthis method to find where Leader is calling specific Bookworm APIs because the functions are not called directly;\r\nrather they are called based on the structure offset. 
We are unsure if the developers of Bookworm created this as\r\nan analysis hurdle, but it certainly contributes to anti-analysis tactics.\r\nBookworm’s Capabilities\r\nAlthough the developers of Bookworm have included only keylogging functionality in Bookworm as a core\r\nability, as suggested in Table 1, several of the embedded DLLs provide Leader with cryptographic and hashing\r\nfunctions, while others support Leader’s ability to communicate with its C2 server. The developers designed\r\nBookworm to be a modular Trojan not limited to just the initial architecture of the Trojan, as Bookworm can also\r\nload additional modules provided by the C2 server. The ability to load additional modules from the C2 extends the\r\ncapabilities of the Trojan to accommodate any activities the threat actors need to carry out on the compromised\r\nsystem.\r\nKey Logging Functionality\r\nThe KBLogger.dll module, which we will refer to as KBLogger, provides key logging and clipboard grabbing\r\nfunctionality and is the only Bookworm module that does not provide Leader with API functions. Instead, Leader\r\ncreates a new process “C:\\WINDOWS\\System32\\dllhost.exe –user” that it injects itself into and uses to execute\r\nthe KBLogger functionality.\r\nKBLogger runs on its own by creating a new window called “DolefulClass\u003cusername\u003e\u003cPID\u003e”, which is hidden\r\nso it is invisible to the user. The new window executes code that will create the following folder to store files that\r\ncontain logged keystrokes and stolen clipboard contents:\r\n%AllUsersProfile%\\Application Data\\Microsoft\\Crypto\\RSA\\MachineKeys\\\u003ccrc32 hash\u003ebk\r\nKBLogger captures keystrokes typed by the user and saves them to a file in the folder above. KBLogger also\r\nspecifically monitors for the keystroke combinations “Control + C”, “Control + V” and “Control + X” that it uses\r\nas triggers to copy the contents of the clipboard to a file. 
The keystrokes and clipboard contents are encrypted\r\nbefore KBLogger saves them to the file system using the RC4 algorithm with a key derived from the value at the\r\nfollowing registry key:\r\nHKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Registration\\ProductID\r\nKBLogger will generate the key for the RC4 algorithm by using XOR and an eight-byte key (specifically 0x6E,\r\n0x30, 0xD0, 0x30, 0xB9, 0x30, 0xB1, 0x30) on the value of the above registry key. KBLogger creates files with\r\nthe naming format “\u003cusername XOR with 2 byte key 0x5878\u003e_\u003cseconds since EPOCH\u003e” to store the captured\r\nkeystrokes and clipboard. For example, on November 3, 2015, we saw the following file created by\r\nKBLogger on an analysis system with a username of “administrator”:\r\n191c351136112b0c2a192c172a_56391E90\r\nC2 Communications and Additional Modules\r\nBookworm uses a state machine to keep track of and carry out communications between the compromised system\r\nand the C2 server. Also, Bookworm uses a combination of encryption and compression algorithms to obfuscate\r\nthe traffic between the system and C2 server. We have seen the following encryption and compression methods\r\nused at various stages and in differing combinations in the C2 communications:\r\nRC4\r\nAES\r\nXOR with 0x5a\r\nLZO\r\nBookworm first creates an HTTP request that acts as a network beacon to notify the C2 of the compromised\r\nsystem. The initial network beacon is either an HTTP GET or POST request, which varies between Bookworm\r\nsamples. Unit 42 analyzed the contents of a beacon seen in Figure 8, which was sent to a URL that follows a\r\nstructure of \"http://\u003cc2 server\u003e:\u003cport\u003e/0\u003ccrc32 hash of tick count\u003e\u003ctick count\u003e\u003cencrypted data\u003e\". 
The encrypted\r\ndata in the URL is a 32-character hexadecimal string (16 bytes) created by RC4 and AES encrypting an empty data\r\nbuffer using the tick count and crc32 hash of the tick count as a key.\r\nFigure 8 Initial C2 Beacon from Bookworm sample 8ae2468d3f208d07fb47ebb1e0e297d7\r\nSubsequent HTTP POST requests from Bookworm to the C2 server include a campaign identifier and the system\r\nuptime. The data in the HTTP POST has a structure of “\\x03\\x04\u003ccampaign code\u003e\\x00\u003csystem uptime\u003e”. Leader\r\nthen compresses this string using the LZO compression algorithm and compares the compressed length to the\r\noriginal string length. Leader uses the shorter of the two strings and appends it to a DWORD that is the size of the\r\ndata and encrypts the combined string using AES with a key of \"0123456789\" and XOR with a key of 0x5a. We\r\nbelieve the threat actors use the data in these POST requests to map the compromised system to the appropriate\r\ncampaign and to filter out analysis systems. In our follow-up blog we will further discuss the campaign codes\r\nidentified in our analysis.\r\nThe threat actors also deliver additional modules to Bookworm via C2 communications. To load additional\r\nmodules into Bookworm, Leader parses C2 responses for data that have the following structure:\r\n\u003cMD5 of cleartext of module\u003e\u003cencrypted module\u003e\r\nLeader skips the first 16 bytes and RC4 decrypts the remaining data with the key \"0123456789\". It then computes\r\nthe MD5 hash of the resulting cleartext and compares this hash with the MD5 in the first 16 bytes of the C2 response\r\ndata to see if it is the same. If the MD5 hashes match, then the code will carry out further checks on the decrypted\r\ndata to determine if the data is a new DLL for Leader to load as an additional module. At this time, Unit 42 has not\r\nseen a Bookworm C2 server provide additional modules via network communications. 
By performing static\r\nanalysis on Leader.dll, we know that Leader will load the additional modules and attempt to call \"ProgramStartup\"\r\nand \"QueryBuffer\" functions exported by the DLLs.\r\nConclusion\r\nWhile we did not discuss the surrounding attacks using Bookworm in detail, we have observed threat actors\r\ndeploying Bookworm primarily in attacks on targets in Thailand. The developers of Bookworm have gone to great\r\nlengths to create a modular framework that is very flexible through its ability to run additional modules directly\r\nfrom its C2 server. Not only is this tool highly capable, but it also requires a very high level of effort to analyze\r\ndue to its modular architecture and its use of API functions within the additional modules. We believe that it is\r\nlikely threat actors will continue developing Bookworm, and will continue to use it for the foreseeable future.\r\nIndicators of Compromise\r\nKnown Bookworm C2 Servers\r\nbkmail.blogdns[.]com\r\ndebain.servehttp[.]com\r\nlinuxdns.sytes[.]net\r\nnews.nhknews[.]hk\r\nsswmail.gotdns[.]com\r\nsswwmail.gotdns[.]com\r\nsysnc.sytes[.]net\r\nsysteminfothai[.]gotdns.ch\r\nthailandbbs.ddns[.]net\r\nubuntudns.sytes[.]net\r\nweb12.nhknews[.]hk\r\nBookworm Smart Install Maker Samples\r\n0f41c853a2d522e326f2c30b4b951b04\r\n8ae2468d3f208d07fb47ebb1e0e297d7\r\n35755a6839f3c54e602d777cd11ef557\r\n87d71401e2b8978c2084eb9a1d59c172\r\n599b6e05a38329081b80a461b57cec37\r\nba1aea40182861e1d1de8c0c2ae78cb7\r\nde1595a7585219967a87a909f38acaa2\r\nf8c8c6683d6ca880293f7c1a78d7f8ce\r\n0b4ad1bd093e0a2eb8968e308e900180\r\ncba74e507e9741740d251b1fb34a1874\r\nfcd68032c39cca3385c539ea38914735\r\n3e69c34298a8fd5169259a2fef506d63\r\nBookworm Self-Extracting RAR Samples\r\n04d63e2a3da0a171e5c15d8e904387b9\r\n0d57d2bef1296be62a3e791bfad33bcd\r\n4389fc820d0edd96bac26fa0b7448aee\r\n74c293acdda0d2c3b5087763dae27ec6\r\nb030c619bb24804cbcc05065530fcf2e\r\n29df124f370752a87b3426dcad539ec6\r\n9df45e8d8619e234d0449daf2f617ba3\r\n40f1b160b88ff98934017f3f1e7879a5\r\n210816c8bde338bf206f13bb923327a1\r\n187cdb58fbc30046a35793818229c573\r\n0b4ad1bd093e0a2eb8968e308e900180\r\n499ccc8d6d7c08e135a91928ccc2fd7a\r\n5e4852c8e5ef3cbceb69a9bc3d554d6c\r\n5282b503b061eaa843c0bcda1c74b14f\r\nUpdated April 4, 2024, at 9:15 a.m. PT to correct Table 1.\r\nSource: https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/"
	],
	"report_names": [
		"bookworm-trojan-a-model-of-modular-architecture"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8386d4af-5cca-40bb-91d7-aca5d1a0ec99",
			"created_at": "2022-10-25T16:07:23.414558Z",
			"updated_at": "2026-04-10T02:00:04.588816Z",
			"deleted_at": null,
			"main_name": "Bookworm",
			"aliases": [],
			"source_name": "ETDA:Bookworm",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Scieron",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434110,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c2d9097ff5b8be1cf261bcfae41785561dba87e.pdf",
		"text": "https://archive.orkl.eu/6c2d9097ff5b8be1cf261bcfae41785561dba87e.txt",
		"img": "https://archive.orkl.eu/6c2d9097ff5b8be1cf261bcfae41785561dba87e.jpg"
	}
}