{
	"id": "00585b6c-845c-4eee-9039-4ceead32f176",
	"created_at": "2026-04-06T00:15:52.774892Z",
	"updated_at": "2026-04-10T03:36:47.854766Z",
	"deleted_at": null,
	"sha1_hash": "6df8b2e94ad02106b09c89465f6fb0f8f535b247",
	"title": "CoralRaider targets victims’ data and social media accounts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3042439,
	"plain_text": "CoralRaider targets victims’ data and social media accounts\r\nBy Chetan Raghuprasad\r\nPublished: 2024-04-04 · Archived: 2026-04-05 14:50:59 UTC\r\nThursday, April 4, 2024 08:00\r\nCisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese\r\norigin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in\r\nseveral Asian and Southeast Asian countries.\r\nThis group focuses on stealing victims’ credentials, financial data, and social media accounts, including\r\nbusiness and advertisement accounts.\r\nThey use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads in the campaign we\r\nanalyzed.\r\nThe actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file, and\r\nuncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe.\r\nCoralRaider operators likely based in Vietnam\r\nTalos assesses with high confidence that the CoralRaider operators are based in Vietnam, based on the actor\r\nmessages in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other\r\nVietnamese words hardcoded in their payload binaries. The actor’s IP address is located in Hanoi, Vietnam.\r\nhttps://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/\r\nPage 1 of 14\n\nOur analysis revealed that the actor uses a Telegram bot as a C2 to exfiltrate the victim’s data. This allowed us to\r\ncollect information and uncover several invaluable indicators about the origin and activities of the attacker.\r\nThe attacker used two Telegram bots: a “debug” bot for debugging, and an “online” bot where victim data was\r\nreceived. 
However, a Desktop image in the “debug” bot showed a desktop and Telegram setup similar to the “online” bot.\r\nThis showed that the actor possibly infected their own environment while testing the bot.\r\nAnalyzing the images of the actor’s Desktop on the Telegram bot, we found a few Telegram groups in Vietnamese\r\nnamed “Kiém tien tử Facebook,” “Mua Bán Scan MINI,” and “Mua Bán Scan Meta.” Monitoring these groups\r\nrevealed that they were underground markets where, among other activities, victim data was traded.\r\nIn an image from the “debug bot,” we spotted the Windows device ID (HWID) and an IP address\r\n(118[.]71[.]64[.]18), located in Hanoi, Vietnam, that is likely to be CoralRaider’s IP address.\r\nTalos’ research uncovered two other images that revealed a few folders on their OneDrive. One of the folders had\r\na Vietnamese name, “Bot Export Chiến,” which is the same as one of the folders in the PDB strings of their loader\r\ncomponent. Pivoting on the folder path in the PDB string, we discovered a few other PDB strings having similar\r\npaths but different Vietnamese names. We analyzed the discovered samples with the PDB strings and found they\r\nbelong to the same loader family, RotBot. 
The Vietnamese name in the PDB string of the loader binary further\r\nstrengthens our assessment that CoralRaider is of Vietnamese origin.\r\nD:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Khuê\\14.225.210.XX-Khue-Ver\r\n2.0\\GPT\\bin\\Debug\\spoolsv.pdb\r\nD:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\149.248.79.205 - NetFrame 4.5 Run Dll -\r\n2024\\ChromeCrashServices\\obj\\Debug\\FirefoxCrashSevices.pdb\r\nD:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\139.99.23.9-NetFrame4.5-Ver2.0-\r\nTrứ\\GPT\\bin\\Debug\\spoolsv.pdb\r\nD:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Chiến\\14.225.210.XX-Chiến -Ver\r\n2.0\\GPT\\bin\\Debug\\spoolsv.pdb\r\nD:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\139.99.23.9-NetFrame4.5-Ver2.0-\r\nTrứ\\GPT\\bin\\Debug\\SkypeApp.pdb\r\nD:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Chiến\\14.225.210.XX-Chiến -Ver\r\n2.0\\GPT\\bin\\Debug\\spoolsv.pdb\r\nD:\\ROT\\ROT\\ROT Ver 5.5\\Source\\Encrypted\\Ver 4.8 - Client Netframe 4.5\\XClient\\bin\\Debug\\AI.pdb\r\nAnother image we analyzed is an Excel spreadsheet that likely contained the victims’ data. We have redacted the\r\nimages to maintain confidentiality. The spreadsheet has several tabs in Vietnamese, and their English translation\r\nshowed us the tabs “Employee salary spreadsheet,” “advertising costs,” “website to buy copies,” “PayPal related,”\r\nand “can use.” The spreadsheet seemed to have multiple versions — the first was created on May 10, 2023. We\r\nalso spotted that they have logged into their Microsoft Office 365 account with the display name “daloia krag”\r\nwhile accessing the spreadsheet, and CoralRaider likely operates the account.\r\nAnalysis of CoralRaider’s payload, the XClient stealer, showed us a few more indicators. CoralRaider had hardcoded\r\nVietnamese words in several stealer functions of their payload XClient stealer. 
The stealer function maps the\r\nstolen victim’s information to hardcoded Vietnamese words and writes them to a text file in the victim machine’s\r\ntemporary folder before exfiltration. One example function we observed is used to steal the victim’s Facebook Ads\r\naccount and is hardcoded with Vietnamese words for Account rights, Threshold, Spent, Time Zone, Date\r\nCreated, etc.\r\nThe campaign\r\nTalos observed that CoralRaider is conducting a malicious campaign targeting victims in multiple countries in\r\nAsia and Southeast Asia, including India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam.\r\nThe initial vector of the campaign is the Windows shortcut file. We are unclear on the technique the actor used to\r\ndeliver the LNKs to the victims. Some of the shortcut file filenames that we observed during our analysis are:\r\n자세한 비디오 및 이미지.lnk\r\n設計內容+我的名片.lnk\r\nrun-dwnl-restart.lnk\r\nindex-write-upd.lnk\r\nfinals.lnk\r\nmanual.pdf.lnk\r\nLoanDocs.lnk\r\nDoctorReferral.lnk\r\nyour-award.pdf.lnk\r\nResearch.pdf.lnk\r\nstart-of-proccess.lnk\r\nlan-onlineupd.lnk\r\nrefcount.lnk\r\nWe also discovered a few notable unique drive serial numbers from the metadata of the Windows Shortcut files:\r\nA0B4-2B36\r\nFA4C-C31D\r\n94AA-CEFB\r\n46F7-AF3B\r\nThe attack begins when a user opens a malicious Windows shortcut file, which downloads and executes an HTML\r\napplication file (HTA) from an attacker-controlled download server. The HTA file executes an embedded\r\nobfuscated Visual Basic script. 
The malicious Visual Basic script executes an embedded PowerShell script in\r\nmemory, which decrypts and sequentially executes three other PowerShell scripts that perform anti-VM and anti-analysis checks, bypass the User Access Controls, disable the Windows and application notifications on the\r\nvictim’s machine, and finally download and run RotBot.\r\nRotBot, the QuasarRAT client variant, in its initial execution phase, performs several detection evasion checks on\r\nthe victim machine and conducts system reconnaissance. RotBot then connects to a host on a legitimate domain,\r\nlikely controlled by the threat actor, and downloads the configuration file that RotBot uses to connect to the C2.\r\nCoralRaider uses the Telegram bot as the C2 channel in this campaign.\r\nAfter connecting to the Telegram C2, RotBot loads the payload XClient stealer into the victim's memory from its\r\nresource and runs its plugin program. The XClient stealer plugin performs anti-VM and anti-virus software checks\r\non the victim's machine. It executes its functions to collect the victim's browser data, including cookies, stored\r\ncredentials, and financial information such as credit card details. It also collects the victim’s data from social\r\nmedia accounts, including Facebook, Instagram, TikTok business ads, and YouTube. It also collects the\r\napplication data from the Telegram desktop and Discord application on the victim's machine. The stealer plugin\r\ncan capture screenshots of the victim’s desktop and save them as a PNG file in the victim's machine’s temporary\r\nfolder. Alongside the PNG files, the stealer plugin dumps the collected victim’s data from the browser and social media\r\naccounts in a text file and creates a ZIP archive. 
The PNG and ZIP files are exfiltrated to the attacker's Telegram\r\nbot C2.\r\nInfection flow diagram.\r\nRotBot loads and runs the payload\r\nRotBot, a remote access tool (RAT) compiled on Jan. 9, 2024, is downloaded and runs on the victim machine\r\ndisguised as a Printer Subsystem application “spoolsv.exe.” RotBot is a variant of the QuasarRAT client that the\r\nthreat actor has customized and compiled for this campaign.\r\nDuring its initial execution, RotBot performs several checks on the victim’s machine to evade detection, including\r\nchecks of the IP address, ASN, and running processes of the victim’s machine. It performs reconnaissance of system\r\ndata on the victim machine. It also configures the internet proxy on the victim machine by modifying the registry\r\nkey:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\nwith the values:\r\nProxyServer = 127.0.0.1:80\r\nProxyEnable = 1\r\nWe observed that the RotBot sample discovered in this campaign creates a mutex on the victim machine as an infection\r\nmarker, using the hardcoded strings in the binary.\r\nRotBot loads and runs the XClient stealer module from its resources and uses the configuration parameters for its\r\nTelegram C2 bot from the downloaded configuration file.\r\nThe XClient stealer sample we analyzed in this campaign is a .Net executable compiled on Jan. 7, 2024. It has\r\nextensive information-stealing capability through its plugin module and various modules for performing remote\r\nadministrative tasks.\r\nXClient stealer has three primary functions that help it stay under the radar. First, it performs virtual environment\r\nevasion if the victim’s machine runs in VMware or VirtualBox. 
It also checks if a DLL called sbieDll.dll exists in\r\nthe victim machine file system to detect if it runs in the Sandboxie environment. XClient stealer also checks if\r\nanti-virus software, including AVG, Avast, and Kaspersky, is running on the victim’s machine.\r\nAfter passing all the checking functions, the XClient stealer captures the victim’s machine screenshot, saves it\r\nwith the “.png” extension in the victim’s temporary user profile folder, and sends it to C2 through the URL\r\n“/sendPhoto.”\r\nXClient stealer steals victims’ social media web application credentials, browser data, and financial information\r\nsuch as credit card details. It targets Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox browser data\r\nfiles through the absolute paths of the respective browser installation paths. It extracts the contents of the browser\r\ndatabase to a text file in the victim’s profile local temporary folder.\r\nXClient stealer hijacks and steals various Facebook data from the victim’s Facebook account. It sets custom HTTP\r\nheader metadata along with the victim’s stolen Facebook cookie and username, and sends requests to Facebook\r\nAPIs through the URLs below.\r\nIt checks if the victim’s Facebook is a business or ads account and uses regular expressions to search for\r\naccess_token, assetID, and paymentAccountID. 
Using the Facebook Graph API, XClient attempts to collect an\r\nextensive list of information from the victim’s account, shown in the table below.\r\nEntities: value placeholders\r\nfacebook_pages: verification_status, fan_count, followers_count, is_owned, name, is_published, is_promotable, parent_page, promotion_eligible, has_transitioned_to_new_page_experience, picture, roles\r\nAdaccounts, businesses: name, permitted_roles, can_use_extended_credit, primary_page, wo_factor_type, client_ad_accounts, verification_status, id, created_time, is_disabled_for_integrity_reasons, sharing_eligibility_status, allow_page_management_in_www, timezone_id, timezone_offset_hours_utc\r\nowned_ad_accounts: id, currency, timezone_offset_hours_utc, timezone_name, adtrust_dsl\r\nBusiness_users: name, account_status, account_id, owner_business, created_time, next_bill_date, currency, timezone_name, timezone_offset_hours_utc, business_country_code, disable_reason, adspaymentcycle{threshold_amount}, has_extended_credit, adtrust_dsl, funding_source_details, balance, is_prepay_account, owner\r\nXClient stealer also collects the financial information from the victims’ Facebook business and ads accounts.\r\nPayment-related entities: value placeholders\r\npm_credit_card: display_string, exp_month, exp_year, is_verified\r\npayment_method_direct_debits: address, can_verify, display_string, s_awaiting, is_pending, status\r\npayment_method_paypal: email_address\r\npayment_method_tokens: Current_balance, original_balance, time_expire, type\r\namount_spent, userpermissions: user, role\r\nUsing the Graph API, XClient stealer retrieves victims’ account friend list details and pictures. 
\r\nXClient stealer also targets the victim’s Instagram account and YouTube accounts through the URLs and collects\r\nvarious information, including username, badge_count, appID, accountSectionListRenderer, contents, title, data,\r\nactions, getMultiPageMenuAction, menu, multiPageMenuRenderer, sections and hasChannel. It collects the\r\napplication data from the Telegram desktop and Discord application on the victim’s machine. XClient also collects\r\nthe data from the victim’s TikTok business account and checks for business ads.\r\nTalos compiled the hardcoded HTTP request header metadata the XClient stealer uses in this campaign while\r\nretrieving the victim’s information from Facebook, Instagram, and YouTube accounts.\r\nFacebook\r\nsec-ch-ua-mobile: ?0\r\nsec-ch-ua-platform: \\\"Windows\\\"\r\nsec-fetch-dest: document\r\nsec-fetch-mode: navigate\r\nsec-fetch-site: none\r\nsec-fetch-user: ?1\r\nupgrade-insecure-requests: 1\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/108.0.0.0 Safari/537.36\r\nsec-ch-ua: \\\"Not?A_Brand\\\";v=\\\"8\\\", \\\"Chromium\\\";v=\\\"108\\\", \\\"Google Chrome\\\";v=\\\"108\\\"\r\nsec-ch-ua-mobile: ?0\r\nInstagram\r\nSec-Ch-Prefers-Color-Scheme: light\r\nSec-Ch-Ua: \"Google Chrome\"; v = \"113\", \"Chromium\"; v = \"113\", \"Not-A.Brand\"; v = \"24\"\r\nSec-Ch-Ua-Full-Version-List: \"Google Chrome\"; v = \"113.0.5672.127\", \"Chromium\"; v =\r\n\"113.0.5672.127\", \"Not-A.Brand\"; v = \"24.0.0.0\"\r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"Windows\"\r\nSec-Ch-Ua-Platform-Version: \"10.0.0\"\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: none\r\nSec-Fetch-User: ?1\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit / 537.36(KHTML, like\r\nGecko) Chrome / 113.0.0.0 Safari / 537.36\r\nYoutube\r\ncontent-type: application/json\r\nsec-ch-ua: \"Google Chrome\";v=\"113\", \"Chromium\";v=\"113\", \"Not-A.Brand\";v=\"24\"\r\nsec-ch-ua-arch: \"x86\"\r\nsec-ch-ua-bitness: \"64\"\r\nsec-ch-ua-full-version: \"113.0.5672.127\"\r\nsec-ch-ua-full-version-list: \"Google Chrome\";v=\"113.0.5672.127\", \"Chromium\";v=\"113.0.5672.127\",\r\n\"Not-A.Brand\";v=\"24.0.0.0\"\r\nsec-ch-ua-mobile: ?0\r\nsec-ch-ua-model: \"\"\r\nsec-ch-ua-platform: \"Windows\"\r\nsec-ch-ua-platform-version: \"10.0.0\"\r\nsec-ch-ua-wow64: ?0\r\nsec-fetch-dest: empty\r\nsec-fetch-mode: same-origin\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/113.0.0.0 Safari/537.36\r\nx-goog-authuser: 0\r\nx-origin: https://www.youtube.com\r\nx-youtube-bootstrap-logged-in: true\r\nx-youtube-client-name: 1\r\nFinally, the XClient stealer stores the collected social media data in a text file in the local user\r\nprofile temporary folder and creates a ZIP archive. The ZIP files were exfiltrated to the Telegram C2 through the\r\nURL “/sendDocument”.\r\nTalos’ research of this campaign focused on discovering and disclosing a new threat actor of Vietnamese origin\r\nand their payloads. Additional technical details of the attack chain components of this campaign can be found in\r\nthe report published by the researchers at QiAnXin Threat Intelligence Center.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. 
Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. 
The Snort SID for this threat is 63192.\r\nClamAV detections are also available for this threat:\r\nLnk.Downloader.CoralRaider-10024620-0\r\nHtml.Downloader.CoralRaider-10025101-0\r\nWin.Trojan.RotBot-10024631-0\r\nWin.Infostealer.XClient-10025106-2\r\nIndicators of Compromise\r\nIndicators of Compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/"
	],
	"report_names": [
		"coralraider-targets-socialmedia-accounts"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b8c5ea0-a654-4b5c-b817-9e67b115059e",
			"created_at": "2024-04-19T02:00:03.625955Z",
			"updated_at": "2026-04-10T02:00:03.616114Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "MISPGALAXY:CoralRaider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a894c24-6f51-4863-9efb-7f1b3133c848",
			"created_at": "2024-06-20T02:02:10.260154Z",
			"updated_at": "2026-04-10T02:00:05.001393Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "ETDA:CoralRaider",
			"tools": [
				"AsyncRAT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"RotBot",
				"XClient"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434552,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6df8b2e94ad02106b09c89465f6fb0f8f535b247.pdf",
		"text": "https://archive.orkl.eu/6df8b2e94ad02106b09c89465f6fb0f8f535b247.txt",
		"img": "https://archive.orkl.eu/6df8b2e94ad02106b09c89465f6fb0f8f535b247.jpg"
	}
}