{
	"id": "d0d1ef90-6555-4b0f-8a1f-0b8de373c94c",
	"created_at": "2026-04-06T00:12:06.788936Z",
	"updated_at": "2026-04-10T03:37:09.089178Z",
	"deleted_at": null,
	"sha1_hash": "6eca90863a06da87de8859ab36440d2ef8dc03b0",
	"title": "Latrodectus \u0026 ACR Stealer Spread Via Auth Phishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 970494,
	"plain_text": "Latrodectus \u0026 ACR Stealer Spread Via Auth Phishing\r\nPublished: 2024-08-08 · Archived: 2026-04-05 18:10:41 UTC\r\nDouble Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site \r\nCyble analyzes a phishing website mimicking Google Safety Centre, designed to trick users into downloading a file that deploys Latrodectus and ACR Stealer, two malware families aimed at compromising the host and stealing sensitive information. \r\nKey Takeaways \r\nCyble Research and Intelligence Labs (CRIL) has identified a sophisticated phishing website masquerading as an official Google Safety Centre page. \r\nThe phishing site’s primary goal is to deceive users into downloading a file that purports to be Google Authenticator. In reality, this file is a malicious loader designed to install additional malware on the victim’s system. \r\nThe malicious file drops two distinct malware families: Latrodectus and ACR Stealer. Each has its own functionality aimed at compromising the victim’s security and extracting sensitive information. \r\nACR Stealer uses a Dead Drop Resolver (DDR) to obscure its Command and Control (C\u0026C) server details, embedding them in a seemingly innocuous location on a legitimate platform. By hiding the C\u0026C details this way, the malware reduces the likelihood of detection. \r\nLatrodectus shows signs of active development, as evidenced by a change to its encryption key and the introduction of a new command. \r\nThis ongoing development suggests that the Threat Actor (TA) is continuously enhancing Latrodectus with new features and capabilities in an effort to adapt and evade detection. 
\r\nOverview \r\nCyble Research and Intelligence Labs (CRIL) recently discovered a phishing site, “googleaauthenticator[.]com”, crafted to resemble an official Google Safety Centre page. The site’s design mimics the look of a legitimate Google service so that visitors believe they are on the genuine one, as shown below. \r\nhttps://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/\r\nPage 1 of 10\n\nFigure 1 – Phishing Webpage \r\nUpon further investigation, it became evident that the TAs behind this phishing campaign are distributing two malware families: the recently identified loader Latrodectus and the ACR Stealer. The fraudulent site serves as the delivery point for both payloads, leveraging the trust and familiarity of Google’s branding to lure victims into downloading and executing them. \r\nResearchers recently uncovered a similar campaign in which attackers used Google Ads to distribute an information stealer known as “Deer Stealer”, and identified TAs misusing Google Ads to promote links to phishing sites. CRIL suspects that the TA behind this campaign is likewise using Google Ads to promote the phishing link. \r\nWhen the user clicks the “Download Authenticator” button on the phishing site, it downloads an executable named “GoogleAuthSetup.exe” from “hxxps://webipanalyzer[.]com/GoogleAuthSetup.exe”. When the user runs the downloaded file, it displays a deceptive “Unable to Install” message while, in the background, it silently writes ACR Stealer and Latrodectus to the %temp% directory and executes them. 
\r\nWhile ACR Stealer gathers sensitive information from the victim and transmits it to a command and control (C\u0026C) server, Latrodectus uses evasion techniques to stay resident on the victim’s machine; it also collects host information and sends it to its own C\u0026C server, from which it receives further tasking. \r\nThe figure below shows the infection chain of this campaign. \r\nFigure 2 – Infection Chain \r\nTechnical Analysis \r\nThe downloaded file, “GoogleAuthSetup.exe”, functions as a loader and is digitally signed. As shown in Figure 3, the signature was valid at the time of this analysis, so a valid Authenticode signature alone is not a useful trust signal for this sample. \r\nFigure 3 – Digital Signature information \r\nFigure 4 shows that the loader’s RCData resources contain the encrypted payloads together with the key required for their decryption, so the payloads can be recovered statically from the loader without executing it. \r\nFigure 4 – RCData \r\nUpon execution, the loader reads the encrypted resources with the LoadResource() API, decrypts them, writes the resulting executables to the %temp% directory, and launches them by calling the native API NtCreateUserProcess directly rather than the documented CreateProcess path. The figure below shows the decrypted content saved in the %temp% location. \r\nFigure 5 – Writing files to the %temp% directory \r\nThe TA then takes an additional step to reinforce the deception: a fake error message is displayed to the victim, designed to make the user believe that the application they downloaded was legitimate but encountered a technical problem during installation. 
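The loader behaviour described above (decrypted payloads written to %temp% and started from there) and the relocation to %appdata% that this report describes for Latrodectus both show up in ordinary process-creation telemetry such as Sysmon Event ID 1 or an EDR equivalent. The Python below is an added example written for this page, not Cyble’s tooling and not code from the malware: it runs three checks over a few constructed, pipe-delimited events (parent image, child image, signature flag) and reports the chain. The field layout, the dropped file names (hypo_stealer.exe, hypo_loader.exe) and the log lines are assumptions for illustration; paths are compared after normalising separators and case, so either slash direction works.

```python
# Added example (not Cyble's code): triage Sysmon-style process-creation
# events for the GoogleAuthSetup.exe loader chain described in this report.
# The event layout, the dropped file names and the log lines below are
# constructed for illustration; real drop names vary per sample.
from typing import Dict, List, Tuple

FIELDS = ('utc', 'parent_image', 'image', 'signed')

# Constructed sample telemetry: utc|parent image|child image|signed
SAMPLE_EVENTS = '''
2024-08-07T10:00:01|C:/Windows/explorer.exe|C:/Users/u/Downloads/GoogleAuthSetup.exe|true
2024-08-07T10:00:03|C:/Users/u/Downloads/GoogleAuthSetup.exe|C:/Users/u/AppData/Local/Temp/hypo_stealer.exe|false
2024-08-07T10:00:03|C:/Users/u/Downloads/GoogleAuthSetup.exe|C:/Users/u/AppData/Local/Temp/hypo_loader.exe|false
2024-08-07T10:00:05|C:/Users/u/AppData/Local/Temp/hypo_loader.exe|C:/Users/u/AppData/Roaming/hypo_loader.exe|false
2024-08-07T10:05:00|C:/Windows/explorer.exe|C:/Program Files/7-Zip/7zFM.exe|true
'''

TEMP = '/appdata/local/temp/'
ROAMING = '/appdata/roaming/'

def norm(path: str) -> str:
    # chr(92) is the backslash: accept either separator and compare case-insensitively.
    return path.replace(chr(92), '/').lower()

def basename(path: str) -> str:
    return path.rsplit('/', 1)[-1]

def parse_events(text: str) -> List[Dict[str, str]]:
    events = []
    for line in text.strip().splitlines():
        parts = line.split('|')
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip it rather than abort the triage
        ev = dict(zip(FIELDS, parts))
        ev['parent_image'] = norm(ev['parent_image'])
        ev['image'] = norm(ev['image'])
        events.append(ev)
    return events

def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    findings = []
    temp_children: Dict[str, set] = {}
    for ev in events:
        parent, child = ev['parent_image'], ev['image']
        # Rule 1: a process outside %temp% starting an executable inside %temp%
        # (the loader writing decrypted payloads to %temp% and launching them).
        if TEMP in child and TEMP not in parent:
            temp_children.setdefault(parent, set()).add(child)
            findings.append((ev['utc'], 'drop-and-execute from %temp%', parent + ' -> ' + child))
        # Rule 2: a %temp% process starting a same-named copy under %appdata%
        # (the Latrodectus relocation before the %temp% copy exits).
        if TEMP in parent and ROAMING in child and basename(parent) == basename(child):
            findings.append((ev['utc'], 'relocation %temp% -> %appdata%', parent + ' -> ' + child))
    # Rule 3: one parent launching several distinct %temp% binaries, as a
    # loader carrying more than one payload does.
    for parent, children in temp_children.items():
        if len(children) >= 2:
            findings.append(('', 'multi-payload loader', parent + ' spawned ' + str(len(children)) + ' binaries from %temp%'))
    return findings

if __name__ == '__main__':
    for utc, kind, detail in triage(parse_events(SAMPLE_EVENTS)):
        print(utc, kind, detail)
```

Rule 1 on its own is noisy on hosts where installers legitimately unpack to %temp%; the combination with rule 2 or rule 3, or with an unsigned child under a signed parent, is what makes a hit worth a look.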
\r\nFigure 6 – Fake error message \r\nThe decrypted payloads are identified as Latrodectus and ACR Stealer. When executed from the %temp% directory, Latrodectus checks whether it is running from the %appdata% directory. If not, it copies itself to %appdata%, starts the copy from there, and terminates the original process in %temp%; the %temp% copy is also deleted (see the File Deletion entry in the ATT\u0026CK table below), so the persistent artefact to look for is the %appdata% copy. \r\nFigure 7 – Process Tree \r\nACR Stealer \r\nUpon execution, the ACR Stealer sample, identified by its SHA-256 hash 532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3, begins collecting sensitive information from the victim’s machine. To reach its command and control (C\u0026C) server while avoiding detection, ACR Stealer employs a technique known as Dead Drop Resolver (DDR). \r\nDDR (MITRE ATT\u0026CK T1102.001) is a method of hiding the true location of the C\u0026C server by embedding that information in content hosted on a seemingly benign, legitimate platform: the malware fetches a public page and reads the current C\u0026C address from it, so it need not carry a hard-coded address. In this case, ACR Stealer uses the Steam Community website as the cover for its C\u0026C details, as shown in Figure 8. \r\nBy parking the C\u0026C server information on the Steam Community platform, the malware gains two things: the first network contact from the infected host goes to a reputable domain that security tools and researchers are unlikely to block, and the operator can rotate C\u0026C infrastructure by editing the page rather than by reshipping the malware. \r\nFigure 8 – Dead Drop Resolver \r\nACR Stealer retrieves the C2 details from that page and constructs a URL from which it downloads its encrypted configuration file, “hxxps://geotravelsgi[.]xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d”. It then decrypts the configuration, which lists the targeted applications and the details needed to harvest them. The table below shows the applications targeted by ACR Stealer. 
\r\nCategory  Application Names \r\nWeb Browser  Google Chrome Canary, Epic Privacy Browser, Microsoft Edge, Nichrome, Opera Stable, Google Chrome Dev, Google Chrome Beta, Google Chrome SxS, Vivaldi, Mozilla Firefox, Opera GX Stable, Coowon, QIP Surf, Kometa, Torch, 360Browser, K-Melon, Orbitum, Elements Browser, CocCoc Browser, Brave-Browser, Google Chrome Unstable, CatalinaGroup Citrio, CentBrowser, TorBro, MapleStudio ChromePlus, Amigo, Google Chrome, BlackHawk, Chromium, liebao, Chromodo, Maxthon3, Opera Neon, uCozMedia Uran, Chedot, Uran \r\nEmail Client  Mailbird, Pocomail, yMail2, The Bat!, eM Client, Thunderbird, Opera Mail, TrulyMail, PMAIL \r\nFTP Client  FileZilla, NetDrive, FTPGetter, BlazeFtp, Steed, FTP Now, Estsoft ALFTP, BitKinex, DeluxeFTP, UltraFXP, INSoftware NovaFTP, FTPBox, GoFTP, Notepad++ plugins NppFTP \r\nCryptocurrency Wallet  Electrum, Bitcoin, Daedalus Mainnet, Litecoin, Monero, Electrum-LTC, Authy Desktop, Zcash, Exodus, Anoncoin, BBQCoin, Guarda, GoldCoin (GLD), DashCore, Ethereum, YACoin, Coinomi, Armory, Digitalcoin, MultiDoge, Atomic, Namecoin, Florincoin, Freicoin, Terracoin, Dogecoin, GInfinitecoin, IOCoin, Franko, devcoin, ElectronCash, Binance, WalletWasabi, Mincoin, Megacoin \r\nMessenger  WhatsApp, Psi, Tox, Signal, Psi+, Telegram, Pidgin \r\nVPN  AzireVPN, NordVPN \r\nPassword Manager  1Password, RoboForm, Bitwarden, NordPass \r\nOther Applications  GmailNotifierPro, To-Do DeskList, MySQL Workbench, AnyDesk, GHISLER, snowflake-ssh, Sticky Notes, Conceptworld’s Notezilla \r\nLatrodectus \r\nIn October 2023, Walmart researchers published a blog about a malware named Latrodectus. Subsequently, this variant was analysed and discussed by other researchers at Proofpoint and Elastic. 
Latrodectus is a downloader that can execute commands received from a Command \u0026 Control (C\u0026C) server, and researchers have attributed it to the developers of IcedID. Most Latrodectus behaviors observed in this campaign match those documented in earlier campaigns; this section summarizes only the changes observed in Latrodectus version 1.3. \r\nAs in the previous campaign, the initial C\u0026C check-in from the victim’s machine is RC4-encrypted and then base64-encoded, as depicted in the figure below. \r\nFigure 9 – C\u0026C Communication \r\nIn this version, the TA uses the 50-character string “1SJUf0qxxRVHjgWtVJDajSnFbT2glz9jy7qZE0au0MZPX3HOmf” as the RC4 key for the C\u0026C communication; in previous versions the key was “12345”. Any decoder or network signature built around the old key therefore no longer recovers the traffic. The figure below shows the decrypted content of the C\u0026C communication using CyberChef. \r\nFigure 10 – Decrypted content \r\nIn version 1.3, the scheduled task that Latrodectus creates is configured to launch the malicious file every 10 minutes, whereas version 1.1 registered a task that ran only at logon. The higher frequency means the implant is re-launched within minutes if its process is killed, which makes the task itself, rather than the running process, the artefact to remove during response. \r\nFigure 11 – Scheduled task \r\nThe developers behind Latrodectus have also added a new command in version 1.3: where version 1.1 supported 11 commands, version 1.3 supports 12, as shown in the figure below. 
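The key change above matters to anyone who has built a decoder for Latrodectus check-ins. The Python below is an added example for this page, not Cyble’s tooling and not the malware’s code: it implements RC4 from scratch with no third-party dependency, reverses the RC4-then-base64 layering with the version 1.3 key quoted above, and falls back to the version 1.1 key so that a captured body can be tried against both. Because RC4 has no integrity check, a wrong key produces noise rather than an error, so the helper accepts a result only if it decodes to printable text. The check-in it encodes is a constructed placeholder and does not reproduce the real field layout.

```python
# Added example (not Cyble's or the malware's code): decode Latrodectus C2 bodies.
import base64
from typing import Optional, Tuple

# Keys quoted in this report: version 1.3 (new) and the versions before it.
LATRODECTUS_13_KEY = b'1SJUf0qxxRVHjgWtVJDajSnFbT2glz9jy7qZE0au0MZPX3HOmf'
LATRODECTUS_11_KEY = b'12345'

def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4: key scheduling, then the PRGA keystream XORed over data.
    # Encryption and decryption are the same operation.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def decode_body(body: str, key: bytes) -> bytes:
    # Wire format per the report: plaintext -> RC4 -> base64. Undo it in reverse.
    return rc4(key, base64.b64decode(body))

def encode_body(plaintext: bytes, key: bytes) -> str:
    # The sending side, useful for building test traffic for a signature.
    return base64.b64encode(rc4(key, plaintext)).decode('ascii')

def looks_like_text(data: bytes) -> bool:
    # No MAC in RC4: treat output as plausible only if every byte is printable ASCII.
    return len(data) > 0 and all(32 <= b < 127 for b in data)

def decode_with_known_keys(body: str) -> Tuple[Optional[str], Optional[bytes]]:
    # Try the newest key first; return (version label, plaintext) or (None, None).
    for label, key in (('1.3', LATRODECTUS_13_KEY), ('1.1', LATRODECTUS_11_KEY)):
        plain = decode_body(body, key)
        if looks_like_text(plain):
            return label, plain
    return None, None

# Constructed placeholder check-in; not the real Latrodectus field layout.
SAMPLE_CHECKIN = b'counter=0&type=1&guid=0123456789abcdef&os=10&x64=1'

if __name__ == '__main__':
    wire = encode_body(SAMPLE_CHECKIN, LATRODECTUS_13_KEY)
    print('wire body:', wire)
    print('decoded as version', decode_with_known_keys(wire))
```

The printable-text check is a heuristic: a check-in carrying binary fields would need a different plausibility test, such as matching known field names in the decoded bytes.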
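The Dead Drop Resolver section above and the IOC list at the end of this report turn into detection logic the same way: refang the published indicators, compare per-process destination hosts against them, and separately flag any process other than Steam or a browser fetching a Steam Community profile page. The Python below is an added example for this page, not Cyble’s code; the process allow-list, the telemetry format, the hypothetical process names and the sample lines (including the Steam profile ID) are constructed assumptions.

```python
# Added example (not Cyble's code): flag dead-drop-resolver lookups and
# contact with this report's network IOCs in per-process network telemetry.
from typing import List, Tuple

# Defanged network IOCs as listed in this report.
REPORT_IOCS = [
    'hxxps://spikeliftall[.]com/live/',
    'hxxps://godfaetret[.]com/live/',
    'hxxps://geotravelsgi[.]xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d',
    'googleaauthenticator[.]com',
    'hxxps://webipanalyzer[.]com/GoogleAuthSetup.exe',
]

# Processes that legitimately talk to steamcommunity.com (assumption; tune per estate).
STEAM_AND_BROWSERS = {'steam.exe', 'steamwebhelper.exe', 'chrome.exe', 'msedge.exe', 'firefox.exe'}

def refang(ioc: str) -> str:
    # Undo the usual defanging so the indicator can be compared with live telemetry.
    return ioc.replace('hxxp', 'http').replace('[.]', '.').replace('[:]', ':').strip().lower()

def host_of(url: str) -> str:
    # Strip the scheme, then everything from the first slash or port; bare domains pass through.
    u = url.lower()
    if '://' in u:
        u = u.split('://', 1)[1]
    return u.split('/', 1)[0].split(':', 1)[0]

IOC_HOSTS = {host_of(refang(i)) for i in REPORT_IOCS}

def is_steam_community(host: str) -> bool:
    return host == 'steamcommunity.com' or host.endswith('.steamcommunity.com')

# Constructed sample: utc|process image name|destination URL (profile ID is made up)
SAMPLE_NET = '''
2024-08-07T10:00:04|hypo_stealer.exe|https://steamcommunity.com/profiles/76561190000000000
2024-08-07T10:00:05|hypo_stealer.exe|https://geotravelsgi.xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d
2024-08-07T10:00:06|hypo_loader.exe|https://spikeliftall.com/live/
2024-08-07T10:01:00|steam.exe|https://steamcommunity.com/profiles/76561190000000000
2024-08-07T10:02:00|chrome.exe|https://www.google.com/
'''

def triage_network(text: str) -> List[Tuple[str, str, str]]:
    findings = []
    for line in text.strip().splitlines():
        parts = line.split('|')
        if len(parts) != 3:
            continue  # malformed line: skip rather than abort
        utc, proc, url = parts
        proc = proc.lower()
        host = host_of(url)
        # A dead-drop lookup: a non-Steam, non-browser process reading a Steam Community page.
        if is_steam_community(host) and proc not in STEAM_AND_BROWSERS:
            findings.append((utc, 'possible dead-drop resolver lookup', proc + ' -> ' + url))
        # Direct contact with a host from the published IOC list.
        if host in IOC_HOSTS:
            findings.append((utc, 'contact with reported IOC host', proc + ' -> ' + url))
    return findings

if __name__ == '__main__':
    for utc, kind, detail in triage_network(SAMPLE_NET):
        print(utc, kind, detail)
```

The dead-drop rule is the durable one: the IOC hosts are disposable and the operator can move them by editing the Steam page, but an unexpected process reading a Steam profile is a behaviour that survives infrastructure rotation.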
\r\nFigure 12 – BOT command IDs \r\nConclusion \r\nThis phishing campaign shows attackers pairing a convincing lure with a multi-stage payload: by mimicking a legitimate Google Safety Centre page and distributing a signed loader disguised as Google Authenticator, the attackers deploy two distinct malware families, Latrodectus and ACR Stealer, each with its own purpose. \r\nACR Stealer’s use of a Dead Drop Resolver (DDR) to hide its C\u0026C server details is a deliberate evasion strategy, and the continuing development of Latrodectus, including the changed RC4 key, the more aggressive scheduled task and a new command, shows the attackers’ sustained effort to refine their malware. \r\nRecommendations \r\nDownload Google Authenticator only from the official app stores (Google Play Store or Apple App Store). Google does not publish a Windows desktop build of Authenticator, so any “GoogleAuthSetup.exe” offered for download is illegitimate. \r\nThis campaign is suspected to reach users via malicious Google ads. Users should be cautious when interacting with ads and verify the authenticity of links before clicking. Organizations should consider monitoring ad platforms for suspicious activity and employing threat detection tools to identify and block phishing attempts. \r\nThe TA has created a phishing site posing as Google Safety Centre. Verify the legitimacy of websites by scrutinizing URLs and avoiding suspicious links. \r\nConduct training sessions to educate users on recognizing phishing attempts and the risks of downloading files from untrusted sources, emphasizing verification of websites and links before interaction. 
\r\nUse network security tools to monitor and block communications with known Command and Control (C\u0026C) servers, and implement firewalls and intrusion detection systems to detect and prevent unauthorized access. \r\nEnable MFA on all accounts to add an extra layer of security and reduce the risk of unauthorized access even if credentials are compromised. \r\nDevelop and maintain an incident response plan to quickly address and mitigate the impact of malware infections; regularly test and update the plan to ensure effectiveness. \r\nMITRE ATT\u0026CK® Techniques \r\nTactic  Technique  Procedure \r\nInitial Access (TA0001)  Phishing (T1566)  Phishing website hosted a malicious binary as a legitimate application \r\nDefense Evasion (TA0005)  Obfuscated Files or Information: Software Packing (T1027.002)  Payload is encrypted inside the resource section \r\nExecution (TA0002)  Native API (T1106)  NtCreateUserProcess() is used to create a child process \r\nExecution, Persistence, Privilege Escalation (TA0002, TA0003, TA0004)  Scheduled Task/Job: Scheduled Task (T1053.005)  Sets scheduled tasks using a COM object \r\nDefense Evasion (TA0005)  Indicator Removal: File Deletion (T1070.004)  Deletes itself from the Temp directory \r\nDefense Evasion (TA0005)  Obfuscated Files or Information: Dynamic API Resolution (T1027.007)  Loads DLLs at runtime \r\nDiscovery (TA0007)  System Information Discovery (T1082)  Checks the Windows version and running processes \r\nCommand and Control (TA0011)  Web Service: Dead Drop Resolver (T1102.001)  ACR Stealer reads its C\u0026C details from a Steam Community page \r\nCommand and Control (TA0011)  Application Layer Protocol: Web Protocols (T1071.001)  Communicates with C\u0026C over HTTP \r\nCollection (TA0009)  Automated Collection (T1119)  Collects cryptocurrency wallet information \r\nCredential Access (TA0006)  Credentials from Password Stores: Credentials from Web Browsers (T1555.003)  Tries to collect credentials from browsers \r\nCredential Access (TA0006)  Credentials from Password Stores: Password Managers (T1555.005)  Tries to steal credentials from password managers \r\nIndicators Of Compromise \r\nIndicators  Indicator Type  Description \r\n62536e1486be7e31df6c111ed96777b9e3f2a912a2d7111253ae6a5519e71830  SHA-256  GoogleAuthSetup.exe (loader) \r\n81bc69a33b33949809d630e4fa5cdb89d8c60cf0783f447680c3677cae7bb9bb  SHA-256  Latrodectus \r\n532c9bc2e30150bef61a050386509dd5f3c152688898f6be616393f10b9262d3  SHA-256  ACR Stealer \r\nhxxps://webipanalyzer[.]com/GoogleAuthSetup.exe  URL  Loader download URL \r\nhxxps://spikeliftall[.]com/live/  URL  C\u0026C of Latrodectus \r\nhxxps://godfaetret[.]com/live/  URL  C\u0026C of Latrodectus \r\nhxxps://geotravelsgi[.]xyz/ujs/2ae977f4-db12-4876-9e4d-fc8d1778842d  URL  Config file of ACR Stealer \r\ngoogleaauthenticator[.]com  Domain  Phishing site \r\nReferences \r\nhttps://www.malwarebytes.com/blog/news/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator\r\nhttps://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39\r\nhttps://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice\r\nhttps://www.elastic.co/security-labs/spring-cleaning-with-latrodectus\r\nhttps://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed\r\nSource: https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/"
	],
	"report_names": [
		"double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434326,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6eca90863a06da87de8859ab36440d2ef8dc03b0.pdf",
		"text": "https://archive.orkl.eu/6eca90863a06da87de8859ab36440d2ef8dc03b0.txt",
		"img": "https://archive.orkl.eu/6eca90863a06da87de8859ab36440d2ef8dc03b0.jpg"
	}
}