{
	"id": "f7d44314-bd85-4394-bf12-d4d73498310d",
	"created_at": "2026-04-06T00:06:14.831754Z",
	"updated_at": "2026-04-10T03:37:09.289543Z",
	"deleted_at": null,
	"sha1_hash": "6f5cef29b144134174b22b0d4ead6335ca2a28df",
	"title": "Fickle Stealer Distributed via Multiple Attack Chain | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3570684,
	"plain_text": "Fickle Stealer Distributed via Multiple Attack Chain | FortiGuard Labs\r\nBy Pei Han Liao\r\nPublished: 2024-06-19 · Archived: 2026-04-05 19:39:36 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: The stolen information can be used for future attacks\r\nSeverity Level: High\r\nThe past few years have seen a significant increase in the number of Rust developers. Rust is a programming language focused on performance and reliability. For an attacker, however, the complex assembly that Rust compiles to is a significant advantage, because it slows reverse engineering.\r\nIn May 2024, FortiGuard Labs observed a Rust-based stealer. In addition to its intricate code, the stealer is distributed using a variety of strategies and has a flexible way of choosing its targets. Because of this variability, we decided to call it Fickle Stealer.\r\nThis article summarizes the details of this campaign, roughly dividing the attack chain into three stages: Delivery, Preparatory Work, and Packer and Stealer Payload.\r\nhttps://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain\r\nPage 1 of 19\n\nFigure 1: Attack flow\r\nDelivery\r\nWe are aware of four methods being used to deliver Fickle Stealer: VBA dropper, VBA downloader, link downloader, and executable downloader. For the most part, they download a PowerShell script for the preparatory work. The file is named u.ps1 or bypass.ps1; both names refer to the same file. In some attack chains, one more file is added between the downloader and u.ps1.\r\nVBA dropper\r\nThis attack chain starts with a Word document. 
Its VBA macro loads an XML file stored in the Caption property of a UserForm object and executes the script inside that XML, which is encoded with Windows Script Encoder.\r\nFigure 2: The VBA code executes the encoded script\r\nThe script in the XML file drops Fickle Stealer to the Temp folder and executes it.\r\nFigure 3: The decoded script\r\nVBA downloader\r\nThere are three kinds of VBA downloaders. All of them are Word documents. The first one downloads u.ps1 directly.\r\nFigure 4: The VBA code in the first downloader\r\nThe second VBA downloader uses forfiles.exe to evade detections that key on direct cmd.exe usage.\r\nFigure 5: runOnce.bat only executes u.ps1 with PowerShell\r\nThe third downloader uses a trick to deliver the download command indirectly. A web browser control that accesses an MSHTML file on the attacker's server is embedded in a frame in the document. When the victim enables active content and macros, the macro reads the MSHTML file and extracts the command from it. Normally the WebBrowser.Navigate method is required to load a given URL. However, Word stores the last loaded URL in the document file, and that URL is reused if a new one is not provided. In other words, once the URL has been loaded, it is loaded again on the next execution even if no macro references it. Another variant uses this technique to hide the URL (8d3ccfafc39830ee2325170e60a44eca4a24c9c4dd682a84fa60c961a0712316).\r\nFigure 6: The orange-underlined code can be removed after the URL is loaded\r\nLink downloader\r\nThe link downloader directly downloads bypass.ps1.\r\nFigure 7: The link downloader refers to the command executing the PowerShell script\r\nExecutable downloader\r\nThe executable downloader is a .NET executable mimicking a PDF viewer. 
\r\nFigure 8: The executable downloader\r\nPreparatory Work\r\nThis section introduces the script files used in this attack.\r\nBypass.ps1/u.ps1\r\nThe primary purpose of this script is to bypass User Account Control (UAC) and execute Fickle Stealer. Additionally, it creates a scheduled task that executes engine.ps1 after 15 minutes. To bypass UAC, u.ps1 drops a copy of the legitimate WmiMgmt.msc and a fake WmiMgmt.msc to the following paths (note the trailing space after “Windows” in both):\r\nNormal: C:\\Windows \\System32\r\nFake: C:\\Windows \\System32\\en-US\r\nAn MSC file is a saved console hosted by Microsoft Management Console (MMC); the snap-ins it loads manage hardware, software, and network components and typically require administrative rights. Snap-ins provide the interface to the management task and access to the required program and data. The fake WmiMgmt.msc abuses a Shockwave Flash Object ActiveX control, which by default opens a web browser.\r\nFigure 9: Settings in the fake WmiMgmt.msc\r\nThe URL for the web browser is set to localhost, and u.ps1 starts an HttpListener that serves a web page when WmiMgmt.msc is executed. The web page contains a script that configures exclusions for Fickle Stealer and then downloads it to be executed.\r\nFigure 10: The web page provided by u.ps1\r\nThe file path uses a technique called the Mock Trusted Directory method. When the path is normalized during the elevation check, the trailing space after “Windows” is removed, so C:\\Windows \\System32 is treated as the trusted C:\\Windows\\System32 and WmiMgmt.msc appears to be executed from a trusted path. Because the directory name ends in a space, it cannot be created through ordinary Explorer or shell operations, and it is easy to overlook during triage.\r\nFurthermore, MMC first searches for a localized copy of the MSC file. 
If none exists for the system language, it falls back to the en-US subfolder, so when the copied WmiMgmt.msc is executed, the fake WmiMgmt.msc in en-US is loaded instead, with elevated privileges and without a UAC prompt.\r\nFigure 11: The MSC for the local language has a higher priority\r\nengine.ps1 \u0026 inject.ps1\r\nengine.ps1 enumerates exe files in C:\\Users\\, D:\\, E:\\, and F:\\. When a file is found, it runs inject.ps1 to inject shellcode that simply downloads and executes u.ps1 from the internet. The paths of injected files are base64-encoded and written to C:\\Users\\Public\\prepares.dat. Before injecting, engine.ps1 checks this list to prevent double injection.\r\nFigure 12: Injected shellcode\r\ntgmes.ps1\r\nu.ps1, engine.ps1, and inject.ps1 frequently send messages to the attacker’s Telegram bot to report their progress. To send a message, they download tgmes.ps1 to the Temp folder under a random file name and execute it with the message as an argument. tgmes.ps1 is then deleted immediately. This happens every time a message is sent.\r\nFigure 13: The code for sending a message\r\nBesides the message, tgmes.ps1 sends victim information, including country, city, IP address, OS version, computer name, and user name, to the Telegram bot.\r\nFigure 14: The data sent to the Telegram bot\r\nPacker\r\nFickle Stealer is protected by a packer disguised as a legitimate executable. It seems that the attacker built the packer by replacing some code in a legitimate executable with the packer’s code and changing a function called in the initialization routine into the packer’s function. This frustrates static analysis. 
Mimicking various applications also makes it difficult to detect the malware with signature-based rules.\r\nFor example, there is a variant (a641d10798be5224c8c32dfaab0dd353cd7bb06a2d57d9630e13fb1975d03a53) whose __cinit call in the initialization routine is replaced with the packer’s function.\r\nFigure 15: Comparison between the legitimate program and the packer for Fickle Stealer\r\nIn this case, the malicious code is executed before WinMain, which is usually the user-provided entry point for a C/C++ GUI application, so analysts who start from WinMain may overlook the malicious code. The packer only allocates memory, writes the decrypted payload into it, and then executes the payload in memory.\r\nStealer Payload\r\nFigure 16: Fickle Stealer's execution flow\r\nInitially, Fickle Stealer creates a mutex so that only one instance runs. It then performs a series of anti-analysis checks and exits if it detects that it is being analyzed. Generally, it shows a fake error message before terminating the process. 
\r\nFigure 17: The error message\r\nBelow are the anti-analysis techniques used:\r\nBeingDebugged Flag\r\nParses the Process Environment Block (PEB) structure to check the BeingDebugged flag at offset 0x2. When the flag is set, which means the process is being debugged, Fickle Stealer exits without showing the fake error message.\r\nCurrently running processes\r\nCompares process names to the names of analysis tools and to keywords that are commonly used in analysis environments.\r\nQuery string:\r\nSELECT Name FROM Win32_Process\r\nBlacklist:\r\ntcpview, wireshark, fiddler, procexp, autoit, df5serv, OllyDbg, x64dbg, x32dbg, WinDbg, fakenet32, fakenet64, ProcessHacker, autorunsc, filemon, procmon, regmon, idaq, idaq64, ImmunityDebugger, dumpcap, HookExplorer, ImportREC, PETools, LordPE, SysInspector, proc_analyzer, sysAnalyzer, sniff_hit, joeboxcontrol, joeboxserver, ResourceHacker, Fidder, httpdebugger, PE-bear, die, sample, malware, virus, sandbox, maltest, test, and virustest\r\nLoaded module\r\nSandboxes load helper Dynamic-link library (DLL) files into the monitored process to support analysis. Fickle Stealer calls GetModuleHandleW to check whether any of the following are loaded in memory. 
\r\nBlacklist:\r\nSbieDll, SxIn, Sf2, snxhk, cmdvrt32\r\nVirtual machine\r\nQuerying the following WMI classes returns no instances in some virtual machines, so an empty result is treated as a sign of a VM.\r\nQuery string:\r\nSELECT * FROM Win32_PortConnector\r\nSELECT * FROM CIM_Memory\r\nSELECT * FROM CIM_PhysicalConnector\r\nSELECT * FROM CIM_Slot\r\nSELECT * FROM Win32_SMBIOSMemory\r\nSELECT * FROM Win32_MemoryArray\r\nSELECT * FROM Win32_MemoryDevice\r\nSELECT * FROM Win32_PhysicalMemory\r\nSELECT * FROM Win32_CacheMemory\r\nBlacklist: (Empty)\r\nFigure 18: The result is null in some virtual machines\r\nHardware ID\r\nCompares the hardware UUID to IDs that are known from analysis environments.\r\nQuery string:\r\nSELECT UUID FROM Win32_ComputerSystemProduct\r\nBlacklist:\r\n7AB5C494-39F5-4941-9163-47F54D6D5016\r\n03DE0294-0480-05DE-1A06-350700080009\r\n11111111-2222-3333-4444-555555555555\r\n6F3CA5EC-BEC9-4A4D-8274-11168F640058\r\nADEEEE9E-EF0A-6B84-B14B-B83A54AFC548\r\n4C4C4544-0050-3710-8058-CAC04F59344A\r\n00000000-0000-0000-0000-AC1F6BD04972\r\n00000000-0000-0000-0000-000000000000\r\n5BD24D56-789F-8468-7CDC-CAA7222CC121\r\n49434D53-0200-9065-2500-65902500E439\r\n49434D53-0200-9036-2500-36902500F022\r\n777D84B3-88D1-451C-93E4-D235177420A7\r\n49434D53-0200-9036-2500-369025000C65\r\nB1112042-52E8-E25B-3655-6A4F54155DBF\r\n00000000-0000-0000-0000-AC1F6BD048FE\r\nEB16924B-FB6D-4FA1-8666-17B91F62FB37\r\nA15A930C-8251-9645-AF63-E45AD728C20C\r\n67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3\r\nC7D23342-A5D4-68A1-59AC-CF40F735B363\r\n63203342-0EB0-AA1A-4DF5-3FB37DBB0670\r\n44B94D56-65AB-DC02-86A0-98143A7423BF\r\n6608003F-ECE4-494E-B07E-1C4615D1D93C\r\nD9142042-8F51-5EFF-D5F8-EE9AE3D1602A\r\n49434D53-0200-9036-2500-369025003AF0\r\n8B4E8278-525C-7343-B825-280AEBCD3BCB\r\n4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27\r\n79AF5279-16CF-4094-9758-F88A616D81B4\r\nFF577B79-782E-0A4D-8568-B35A9B7EB76B\r\nUser 
name\r\nReads the user name with GetEnvironmentVariableW and compares it to names that are likely to appear in analysis environments.\r\nBlacklist:\r\nBilly, george, Abby, Darrel Jones, John, John Zalinsk, John Doe, SHCtAGa3rm, UV0U6479boGY, 8wjXNBz, WALKER, oxYT3lZggZMK, t3wObOwwaW, uh6PN, sMdVVcp, 06AAy3, mLfaNLLP, JPQlavKFb0Lt0, 7HV8BUt5BIsCZ, aFgxGd9fq4Iv8, Frank, Anna, wdagutilityaccount, WDAGUtilityAccount, hal9th, virus, malware, sandbox, sample, currentuser, emily, hapubws, hong lee, jaakw.q, it-admin, johnson, miller, milozs, microsoft, sand box, and maltest.\r\nNext, it creates a new folder with a random name in the Temp folder, drops a copy of itself there, and executes the copy. The currently running instance terminates, and the copy finishes the remaining work: communicating with the server and sending the stolen data.\r\nFigure 19: Communication between the server and Fickle Stealer\r\nOnce the environment checks pass, Fickle Stealer sends victim information to the server. The server responds with a list of target applications and keywords, and Fickle Stealer sends all files in the folders that match the list. The stolen data is stored in a specific JSON format with three key-value pairs:\r\n{\r\n\"name\": \"RB_{Computer name}\",\r\n\"title\": {File name},\r\n\"body\": {File content}\r\n}\r\nIn this sample, the name consists of the string RB and the victim’s computer name. In version 1.5.7 (a641d10798be5224c8c32dfaab0dd353cd7bb06a2d57d9630e13fb1975d03a53), the string “RB” is changed to “Hold.” The title indicates the data grabbed; it usually contains a tag followed by a file path. The body is the base64-encoded file content. The JSON-formatted data is compressed with the Deflate algorithm and then sent to the server. There are some exceptions. 
For example, the first packet sent to the server has the title System.txt and contains the following items: user name, user domain, DNS host name, NetBIOS name, screen resolution, OS version, language, host name, IP address, hardware information (CPU and GPU), antivirus software, installed applications, and currently running processes.\r\nFigure 20: The data in the first packet\r\nThe server's response is also JSON and has three key-value pairs: status, k, and c. The target list, encrypted with RC4 and then base64-encoded, is stored in c. The RC4 key is stored in k, as the following image shows. Because the key travels in the same response as the ciphertext, the encryption only hides the target list from casual inspection; anyone holding the response can decrypt it.\r\nFigure 21: The response from the server\r\nThere are four kinds of targets: crypto wallets, plugins, file extensions, and partial paths. Below are the targets specified by the server and the way the data is processed:\r\nWallet\r\nSends files in specified folders. The title of the data sent has a “wallet::” tag.\r\nAtomicWallet, Exodus, JaxxWallet, Electrum, ByteCoin, Ethereum, Guarda, Coinomi, Armory, ZCash\r\nPlugin\r\nSends files in specified folders. 
The title of the data sent has a “plugin___” tag.\r\nAuthenticator, EOSAuthenticator, Bitwarden, KeePassXC, Dashlane, 1Password, NordPass, Keeper, RoboForm, LastPass, BrowserPass, MYKI, Splikity, CommonKey, ZohoVault, NortonPasswordManager, AviraPasswordManager, TrezorPasswordManager, MetaMask, TronLink, BinanceChain, Coin98, iWallet, Wombat, MEWCX, NeoLine, TerraStation, Keplr, Sollet, ICONex, KHC, TezBox, Byone, OneKey, DAppPlay, BitClip, SteemKeychain, NashExtension, HyconLiteClient, ZilPay, LeafWallet, CyanoWallet, CyanoWalletPro, NaboxWallet, PolymeshWallet, NiftyWallet, LiqualityWallet, MathWallet, CoinbaseWallet, CloverWallet, Yoroi, Guarda, EQUALWallet, BitAppWallet, AuroWallet, SaturnWallet, RoninWallet, Exodus, MaiarDeFiWallet, Nami, Eternl, UniSatWallet\r\nFile extension\r\nSearches for files with the following extensions in %USERPROFILE% and its subfolders. The title of the data sent has a “grabg::” tag.\r\n.txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, wallet.dat\r\nPartial path\r\nConcatenates %APPDATA% with each of the following strings and searches for log and ldb files in the Local Storage/leveldb subfolder. 
The title is “discord_dblist.txt”.\r\ndiscord\r\nGoogle/Chrome/User Data/Default\r\nYandex/YandexBrowser/User Data/Default\r\nMicrosoft/Edge/User Data/Default\r\nBraveSoftware/Brave-Browser/User Data/Default\r\nGoogle/Chrome SxS/User Data\r\nGoogle/Chrome/User Data/Profile 1\r\nGoogle/Chrome/User Data/Profile 2\r\nGoogle/Chrome/User Data/Profile 3\r\nGoogle/Chrome/User Data/Profile 4\r\nGoogle/Chrome/User Data/Profile 5\r\nGoogle/Chrome/User Data/Profile 6\r\nGoogle/Chrome/User Data/Profile 7\r\nGoogle/Chrome/User Data/Profile 8\r\nGoogle/Chrome/User Data/Profile 9\r\ndiscordcanary\r\nLightcord\r\ndiscordptb\r\nOpera Software/Opera Stable\r\nOpera Software/Opera GX Stable\r\nAmigo/User Data\r\nTorch/User Data\r\nKometa/User Data\r\nOrbitum/User Data\r\nCentBrowser/User Data\r\n7Star/7Star/User Data\r\nSputnik/Sputnik/User Data\r\nVivaldi/User Data/Default\r\nEpic Privacy Browser/User Data\r\nuCozMedia/Uran/User Data/Default\r\nIridium/User Data/Default\r\nAdditionally, some applications are targeted by default. Below are those targets and the way their data is processed:\r\nApplications\r\nSends files in the specified folder to the server. Most often, the tag is the application name in lower case followed by two colons:\r\nAnydesk, Ubisoft (tag: uplay::), Steam, Skype, Signal, ICQ, Filezilla, Telegram, Tox, Pidgin, Element\r\nGecko-engine browser\r\nSearches %APPDATA%, %LOCALAPPDATA%, or %USERPROFILE% for these files: logins.json, key4.db, keydb (tag: geckologins::) and cookies.sqlite (tag: geckocookies::). If found, it copies the file to the Temp folder, sends the copy to the server, and deletes the copy.\r\nChromium-based browser\r\nReads the “os_crypt” / “encrypted_key” value from the Local State file to obtain the browser's DPAPI-protected data encryption key. 
It then parses the Cookies, History, WebData, and Login Data files to obtain sensitive data and sends a summarized result to the server. These files are copied to the Temp folder before Fickle Stealer reads them and are deleted afterwards. The title is browser and the data is stored in JSON format.\r\nFigure 22: The data from Opera. Each browser can have different content\r\nFinally, it sends a screenshot to the server and deletes itself by executing the following command:\r\ncmd.exe /c timeout /t 5 \u0026 del /f /q {stealer} \u0026\u0026 exit\r\nThe five-second timeout gives the stealer process time to exit before cmd.exe deletes its file, so the binary in Temp is usually gone by the time an analyst looks for it; the process-creation record of this cmd.exe command line is what typically survives.\r\nConclusion\r\nIn addition to some popular applications, this stealer searches for sensitive files in the parent directories of common installation directories to ensure comprehensive data gathering. It also receives a target list from the server, which makes Fickle Stealer more flexible. We have observed variants receiving an updated list. The frequently updated attack chain also shows that it is still in development. FortiGuard will continue monitoring malware variants and provide appropriate protections as needed.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nW32/InfoStealer.599C!tr\r\nVBA/TrojanDownloader.BED9!tr\r\nPowerShell/TrojanDownloader.AE38!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service, which runs on both FortiGate and FortiMail, can disarm the malicious macros in the document.\r\nWe also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. 
This module is designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nFortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nTo stay informed and proactively defend against attacks like Fickle Stealer, sign up to receive Outbreak Alerts from Fortinet.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.\r\nIOCs\r\nIP Addresses\r\n144[.]208[.]127[.]230\r\n185[.]213[.]208[.]245\r\n138[.]124[.]184[.]210\r\nhxxps://github[.]com/SkorikJR\r\nFiles\r\nDelivery\r\n1b48ee91e58f319a27f29d4f3bb62e62cac34779ddc3b95a0127e67f2e141e59\r\nad57cc0508d3550caa65fcb9ee349c4578610970c57a26b7a07a8be4c8b9bed9\r\n8e87ab1bb9870de9de4a7b409ec9baf8cae11deec49a8b7a5f73d0f34bea7e6f\r\n9ffc6a74b88b66dd269d006dec91b8b53d51afd516fe2326c6f9e3ed81d860ae\r\n48e2b9a7b8027bd03ceb611bbfe48a8a09ec6657dd5f2385fc7a75849bb14db1\r\n6f9f65c2a568ca65326b966bcf8d5b7bfb5d8ddea7c258f58b013bc5e079308b\r\n2236ffcf2856d5c9c2dedf180654cf318596614be450f6b24621dc13d7370dbf\r\n8d3ccfafc39830ee2325170e60a44eca4a24c9c4dd682a84fa60c961a0712316\r\n3ad1c2273ee77845117c0f7f55bf0050b0bcea52851d410520a694252b7bb187\r\n7034d351ce835d4905064d2b3f14adb605374a4a6885c23390db9eddd42add86\r\nc6c6304fea3fd6f906e45544b2e5119c24cda295142ed9fafd2ec320f5ff41cc\r\n97e5ac8642f413ba4b272d3cb74cba3e890b7a3f7a7935e6ca58944dbb9bfe54\r\nu.ps1\r\n011992cfa6abaeb71d0bb6fc05f1b5623b5e710c8c711bca961bf99d0e4cae38\r\n5fbd700bd77d3f632ba6ce148281c74a20391a40c7984f108f63a20dc442f8d6\r\nd9dcae235891f206d1baabfcbd79cb80337b5e462adef9516b94efc696b596b7\r\n679e9ba645e17cceeff14be7f5f7dff8582d68eba5712c5928a092e1eec55c84\r\n4d78793719d14f92f5bb9ecc7c2fa9e51c1bf332de26aa7746f35d7e42362db8\r\nd55611fce7fcdd6b49066b194196577ee12bffa98400b724d013fc3a1e254f34\r\n346e18b7ce2e3c3c5412dacdc8034a7566dee12ea0aafc6b82f196dcba2453f8\r\n20e1d7af698e3e2f5092815be1a0415019511da99550fdcc050741f4b47551fa\r\nf71069aed94e4b13d70bd9ee7b2a8fc8580c4339aa9ba9d8baf15abf95d6f673\r\n94ee2227696da3049ff67592834b4b6f98186f91e6d1cd1eeec44f24b9df754b\r\n24e44d000a61de06b63b532ef237d9f41aa897f4d9f46f8abaf9e654074a65af\r\na04677fe4ba06b66f698e4969b749174d30477283d97b5eaee16ffeb305d9c0a\r\n7b9e09227b036428a41dd46b6d6e354bb0c3822ce201c1a14d083116916e078d\r\n0494077ac65aa278680002f3b73c61c8896303668c62139a9db5a042923fd0ce\r\n47e4142fa6ab10a2d7dc0423d41f9bdbb3ced0f4fae5c58b673386d11dd8c973\r\ninject.ps1\r\n46caee016da4b460f7c242e19a88e8dc7544ded7d2528b0b9e918a7be64b5ceb\r\nb05736874d383ed2e8dcc9d392f2c04e0fd545b8880620499d720c44adb18822\r\nbf8b8f964d1c67aee82ad01528423077ef5e6c65de6d95e446c9343868849350\r\n4602d8f9e2150744e89958d813354696abe6800ee55ef70c48db3134e964a13a\r\ntgmes.ps1\r\n70363b97f955e5d30fb8d3a8d2a439303f88707420c05f051f87e0458fdfffc2\r\n62ff72aa8a8c5bccdf6c789952ee054a0d0d479e417fa20ea73a936e17bdf043\r\n5f24168581cdaef32e60a62ba7123917bbe65f2f8410d759f345587eb406be40\r\nengine.ps1\r\neffb85aaef61cd8918d66513da1573365be2743ec263be4029a6b827e3ecc1c6\r\nb57caa40f680d468bbf811e798ef9881d6158fb3462dd9bedb4658d17aed44a5\r\n26fa0ccc5c7b7733ee6ffc2c70edef067b6764387ef1b16cb8005f28c34a3d84\r\nf080d7803ce1a1b9dc72da6ddf0dd17e23eb8227c497f09aa7dfd6f3b5be3a66\r\n93db0d88966519e76db4995a3b67ca548e4aa9675806295a790eedf585e0aa2f\r\n9f7591c9d9bc66029e6a341a4fb8828361fc14b1918f9e35506c608359fa1eec\r\nStealer\r\ne9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c\r\na641d10798be5224c8c32dfaab0dd353cd7bb06a2d57d9630e13fb1975d03a53\r\n9ce52929765433ff8bf905764d7b83c4c3fcbefb4f12eabcf16ee3dddcd3759d\r\nb7bdb0cc90b11c4738c2af218a1a53e4c65b6c91c6067c224164b8fcfc3eed8c\r\nf878a88b7dda1155fe939abe0500e32d5fba34569ca933bccb5603d9e0e96cc0\r\nbfe2d817e20ecff45cc92b7b8f4e1cd0482b48a769940402eaa5b31cbfb9b908\r\n09b47fd0e1fcab827d1a723f9db7e402502ec91e57b7217ed85094abd98bc637\r\n978400108aa16e464b1fbc300bc270bc89193e3c3890d5e9373b3034b592b4da\r\ne394f96ee040508063606343b1ad2158e266dcbd8beb3ba4a23936d1957e5ad6\r\nSource: https://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain"
	],
	"report_names": [
		"fickle-stealer-distributed-via-multiple-attack-chain"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f5cef29b144134174b22b0d4ead6335ca2a28df.pdf",
		"text": "https://archive.orkl.eu/6f5cef29b144134174b22b0d4ead6335ca2a28df.txt",
		"img": "https://archive.orkl.eu/6f5cef29b144134174b22b0d4ead6335ca2a28df.jpg"
	}
}
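The plain_text above describes two C2 formats: stolen-data packets as JSON {name, title, body} with a base64 body and Deflate compression, and a server reply {status, k, c} whose c field is the RC4-encrypted, base64-encoded target list with the key in k. The following is an added example, not the stealer's code and not Fortinet's; it is a codec an analyst can use to decode captured traffic or to build test fixtures. Assumptions not stated in the write-up: k is the key as a plain string, the decrypted target list is itself JSON, and the Deflate stream is raw (the decoder also accepts a zlib-wrapped stream). The sample targets and packet contents are constructed.

```python
"""Added example (not the stealer's or Fortinet's code): encoder/decoder for the
two C2 formats the write-up describes. Exfil packets are JSON {name, title,
body} with a base64 body, Deflate-compressed; the server reply is JSON
{status, k, c} where c = base64(RC4(key=k, target list)). Assumptions: k is
the key as a plain string, the decrypted c is itself JSON, and the Deflate
stream is raw (no zlib header); the decoder accepts both framings."""
import base64
import json
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_server_response(raw: str) -> dict:
    """Recover the target list from a {status, k, c} reply.

    The key rides in the same message as the ciphertext, so this is
    obfuscation rather than confidentiality: anyone with the reply can decrypt."""
    reply = json.loads(raw)
    plain = rc4(reply["k"].encode(), base64.b64decode(reply["c"]))
    return {"status": reply["status"], "targets": json.loads(plain)}


def make_sample_response(key: str, targets: dict, status: str = "ok") -> str:
    """Constructed server reply for offline testing; not captured traffic."""
    cipher = rc4(key.encode(), json.dumps(targets).encode())
    return json.dumps({"status": status, "k": key,
                       "c": base64.b64encode(cipher).decode()})


def build_exfil_packet(computer: str, title: str, content: bytes,
                       prefix: str = "RB") -> bytes:
    """One stolen-data packet: JSON {name, title, body}, body base64, then
    raw-DEFLATE. Version 1.5.7 uses prefix 'Hold' in place of 'RB'."""
    doc = {"name": f"{prefix}_{computer}", "title": title,
           "body": base64.b64encode(content).decode()}
    comp = zlib.compressobj(wbits=-15)  # assumption: raw DEFLATE framing
    return comp.compress(json.dumps(doc).encode()) + comp.flush()


def parse_exfil_packet(blob: bytes) -> dict:
    """Inverse of build_exfil_packet; tries raw DEFLATE first, then zlib-wrapped."""
    try:
        data = zlib.decompress(blob, wbits=-15)
    except zlib.error:
        data = zlib.decompress(blob)
    doc = json.loads(data)
    doc["body"] = base64.b64decode(doc["body"])
    return doc
```

For a captured exfil blob, `parse_exfil_packet` yields the tag-prefixed title (for example `wallet::` or `grabg::` followed by the stolen file's path) and the raw file bytes, which is usually enough to tell the victim what was taken.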
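The anti-analysis section of the plain_text lists the exact blacklists Fickle Stealer checks (process names, sandbox DLLs, WMI classes that come back empty on some VMs, hardware UUIDs, and user names). The following added example, not the stealer's code and not Fortinet's, turns those lists into an offline scorer so a sandbox or analyst VM can be reviewed for the tells before detonating a sample. Assumptions: the write-up gives the lists but not the comparison, so process, module and user-name matching is modelled as a case-insensitive substring test (deliberately over-approximating; short keywords such as "die" and "test" will flag more than the real check might), and the VM check is modelled as firing when any listed WMI class returns no instances. The two host profiles at the bottom are constructed, not real machines.

```python
"""Added example (not the stealer's or Fortinet's code): scores a host profile
against the anti-analysis checks the write-up lists, so an analysis VM or
sandbox can be reviewed offline for the tells Fickle Stealer looks for.
Assumptions: process, module and user-name comparisons are modelled as
case-insensitive substring tests (the page gives the lists, not the exact
compare), and the VM check fires when any listed WMI query returns no
instances. The blacklists are copied from the write-up; the two profiles at
the bottom are constructed, not real hosts."""

PROCESS_BLACKLIST = (
    "tcpview wireshark fiddler procexp autoit df5serv OllyDbg x64dbg x32dbg WinDbg "
    "fakenet32 fakenet64 ProcessHacker autorunsc filemon procmon regmon idaq idaq64 "
    "ImmunityDebugger dumpcap HookExplorer ImportREC PETools LordPE SysInspector "
    "proc_analyzer sysAnalyzer sniff_hit joeboxcontrol joeboxserver ResourceHacker "
    "Fidder httpdebugger PE-bear die sample malware virus sandbox maltest test virustest"
).split()
MODULE_BLACKLIST = ["SbieDll", "SxIn", "Sf2", "snxhk", "cmdvrt32"]
VM_WMI_CLASSES = [  # each queried as SELECT * FROM <class>; empty result => VM
    "Win32_PortConnector", "CIM_Memory", "CIM_PhysicalConnector", "CIM_Slot",
    "Win32_SMBIOSMemory", "Win32_MemoryArray", "Win32_MemoryDevice",
    "Win32_PhysicalMemory", "Win32_CacheMemory",
]
UUID_BLACKLIST = set("""
7AB5C494-39F5-4941-9163-47F54D6D5016 03DE0294-0480-05DE-1A06-350700080009
11111111-2222-3333-4444-555555555555 6F3CA5EC-BEC9-4A4D-8274-11168F640058
ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548 4C4C4544-0050-3710-8058-CAC04F59344A
00000000-0000-0000-0000-AC1F6BD04972 00000000-0000-0000-0000-000000000000
5BD24D56-789F-8468-7CDC-CAA7222CC121 49434D53-0200-9065-2500-65902500E439
49434D53-0200-9036-2500-36902500F022 777D84B3-88D1-451C-93E4-D235177420A7
49434D53-0200-9036-2500-369025000C65 B1112042-52E8-E25B-3655-6A4F54155DBF
00000000-0000-0000-0000-AC1F6BD048FE EB16924B-FB6D-4FA1-8666-17B91F62FB37
A15A930C-8251-9645-AF63-E45AD728C20C 67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3
C7D23342-A5D4-68A1-59AC-CF40F735B363 63203342-0EB0-AA1A-4DF5-3FB37DBB0670
44B94D56-65AB-DC02-86A0-98143A7423BF 6608003F-ECE4-494E-B07E-1C4615D1D93C
D9142042-8F51-5EFF-D5F8-EE9AE3D1602A 49434D53-0200-9036-2500-369025003AF0
8B4E8278-525C-7343-B825-280AEBCD3BCB 4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27
79AF5279-16CF-4094-9758-F88A616D81B4 FF577B79-782E-0A4D-8568-B35A9B7EB76B
""".split())
USERNAME_BLACKLIST = [
    "Billy", "george", "Abby", "Darrel Jones", "John", "John Zalinsk", "John Doe",
    "SHCtAGa3rm", "UV0U6479boGY", "8wjXNBz", "WALKER", "oxYT3lZggZMK", "t3wObOwwaW",
    "uh6PN", "sMdVVcp", "06AAy3", "mLfaNLLP", "JPQlavKFb0Lt0", "7HV8BUt5BIsCZ",
    "aFgxGd9fq4Iv8", "Frank", "Anna", "wdagutilityaccount", "WDAGUtilityAccount",
    "hal9th", "virus", "malware", "sandbox", "sample", "currentuser", "emily",
    "hapubws", "hong lee", "jaakw.q", "it-admin", "johnson", "miller", "milozs",
    "microsoft", "sand box", "maltest",
]


def _hits(values, blacklist):
    """Blacklist terms that occur (case-insensitively) inside any observed value."""
    lowered = [v.lower() for v in values]
    return [t for t in blacklist if any(t.lower() in v for v in lowered)]


def evaluate_host(profile: dict) -> dict:
    """Map each tripped check to what tripped it; an empty dict means the
    stealer would proceed. Profile keys (fill from a real host with
    Get-CimInstance, Get-Process and $env:USERNAME):
      being_debugged: bool            -> PEB.BeingDebugged (offset 0x2)
      processes: [Win32_Process.Name]
      modules:   [loaded module names]
      wmi:       {class: instance count} for VM_WMI_CLASSES
      uuid:      Win32_ComputerSystemProduct.UUID
      username:  USERNAME environment variable"""
    tripped = {}
    if profile.get("being_debugged"):
        tripped["BeingDebugged"] = ["PEB.BeingDebugged is set"]
    hits = _hits(profile.get("processes", []), PROCESS_BLACKLIST)
    if hits:
        tripped["process"] = hits
    hits = _hits(profile.get("modules", []), MODULE_BLACKLIST)
    if hits:
        tripped["module"] = hits
    wmi = profile.get("wmi", {})
    empty = [c for c in VM_WMI_CLASSES if wmi.get(c, 0) == 0]
    if empty:
        tripped["vm_wmi"] = empty
    if profile.get("uuid", "").upper() in UUID_BLACKLIST:
        tripped["hardware_id"] = [profile["uuid"]]
    hits = _hits([profile.get("username", "")], USERNAME_BLACKLIST)
    if hits:
        tripped["username"] = hits
    return tripped


# Constructed profiles for the test: a sloppy sandbox and a hardened one.
SANDBOX_PROFILE = {
    "being_debugged": False,
    "processes": ["explorer.exe", "procmon64.exe", "svchost.exe"],
    "modules": ["ntdll.dll", "SbieDll.dll"],
    "wmi": {**{c: 1 for c in VM_WMI_CLASSES}, "Win32_PortConnector": 0},
    "uuid": "00000000-0000-0000-0000-000000000000",
    "username": "WDAGUtilityAccount",
}
HARDENED_PROFILE = {
    "being_debugged": False,
    "processes": ["explorer.exe", "svchost.exe", "chrome.exe"],
    "modules": ["ntdll.dll", "kernel32.dll"],
    "wmi": {c: 1 for c in VM_WMI_CLASSES},
    "uuid": "12345678-ABCD-4EF0-9876-543210FEDCBA",
    "username": "alice",
}
```

Every non-empty entry in the returned dict is a change to make to the sandbox (rename the user, stop running Procmon inside the guest, populate the SMBIOS memory and port-connector tables, set a non-default product UUID); the BeingDebugged check is the one that cannot be fixed by configuration and needs a debugger plugin or a patched PEB.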
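Several behaviours in the plain_text leave process-creation traces that are easier to catch than the payload itself: Word spawning a script host, forfiles.exe proxying the PowerShell downloader, mmc.exe being handed an MSC under the mock trusted directory C:\Windows \System32 (trailing space), and the cmd.exe self-delete with timeout and del. The following added example, not Fortinet's detection content, encodes those as rules over process-creation events and runs them against constructed events in a Sysmon-event-1-like shape. The field names, file paths and user names in the sample events are assumptions, not observed telemetry.

```python
"""Added example (not Fortinet's detection content): process-creation rules for
the host-side behaviours the write-up describes: Word spawning a script host,
forfiles.exe proxying the PowerShell downloader, mmc.exe opening an MSC from a
mock trusted directory ("C:\\Windows \\" with a trailing space), and the
"timeout /t N & del /f /q" self-delete. Events are constructed in a
Sysmon-event-1-like shape; field names and paths are assumptions."""
import ntpath

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "forfiles.exe", "mshta.exe"}
# "\Windows \" : the trailing space before the separator is the tell; a normal
# shell cannot even create that directory, so any sighting is suspicious.
MOCK_TRUSTED_MARKER = "\\windows \\"


def check_event(ev: dict) -> list:
    """Names of rules matched by one process-creation event."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    image_path = ev.get("Image", "").lower()
    image = ntpath.basename(image_path)
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    if parent == "winword.exe" and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if parent == "forfiles.exe" and image in {"cmd.exe", "powershell.exe", "pwsh.exe"}:
        hits.append("forfiles_proxy_execution")
    if MOCK_TRUSTED_MARKER in cmd or MOCK_TRUSTED_MARKER in image_path:
        hits.append("mock_trusted_directory_path")
    if image == "cmd.exe" and "timeout" in cmd and "del /f /q" in cmd:
        hits.append("self_delete_via_timeout")
    return hits


def scan(events: list) -> list:
    """(event index, rule) pairs across a batch of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed events (hypothetical paths and user names), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"forfiles /p C:\Windows\System32 /m cmd.exe /c C:\Users\Public\runOnce.bat"},
    {"ParentImage": r"C:\Windows\System32\forfiles.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\u.ps1"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows \System32\WmiMgmt.msc"'},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\q1w2e3\stealer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c timeout /t 5 & del /f /q C:\Users\alice\AppData\Local\Temp\q1w2e3\stealer.exe && exit"},
    {"ParentImage": r"C:\Windows\explorer.exe",   # benign control
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]
```

The mock-trusted-directory rule is the cheapest high-confidence signal of the four: there is no legitimate reason for a path component to end in a space, so it can be alerted on without a parent-child condition, whereas the Office and forfiles rules should be tuned against the environment's normal automation.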