{
	"id": "f26d3dad-ad44-4353-ab4b-cf2be595d2e5",
	"created_at": "2026-04-06T00:08:07.218917Z",
	"updated_at": "2026-04-10T03:37:08.948683Z",
	"deleted_at": null,
	"sha1_hash": "704c3c8c0bdb17696d31b57081741cfa858a78af",
	"title": "The Curious Case of an Open Source Stealer: Phemedrone",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1784691,
	"plain_text": "The Curious Case of an Open Source Stealer: Phemedrone\r\nBy James\r\nPublished: 2024-09-06 · Archived: 2026-04-05 22:27:48 UTC\r\nAt SpyCloud, we recapture logs from more than sixty infostealer malware families, but very few of them are open source stealers. Intrigued, our team at SpyCloud Labs took on the task of dissecting Phemedrone, an open source stealer available to anyone on Telegram.\r\nWhen we dug in, we found Phemedrone to have some other unique characteristics as well, namely:\r\nHere’s what we found.\r\nPhemedrone, which as we mentioned is an entirely open source stealer, is written in C# and therefore provides abundant opportunities for actors to customize the malware to suit their needs. It also gives bad actors an easy snapshot of what they have stolen within its logs, leveraging password/cookie “tagging” for various categories. However, when looking at the definitions for these tags, it becomes clear that many of them focus on Russian targets, which is unusual for a stealer.\r\nWith code distributed mainly over Telegram (and previously on GitHub before being taken down), bad actors can acquire and deploy Phemedrone for free. Phemedrone offers log encryption when sending to Telegram, browser/application theft, cookie tagging, and more, as well as the ability to easily tweak the stealer in C#. Phemedrone’s devs release regular updates for both their panel and their builder, which keeps Phemedrone active and well-used. They also offer a chat for people to discuss Phemedrone.\r\nhttps://spycloud.com/blog/phemedrone-stealer/\r\nPage 1 of 15\n\nImage 1: Phemedrone’s chat offering, in both English and Russian.\r\nPhemedrone’s operation is fairly simple, opting to do password/cookie parsing on the victim’s machine instead of just stealing entire raw password database files to be parsed on a panel later. This allows Phemedrone to then tag stolen passwords and cookies with a variety of categories to make it easy to identify which logs are useful. By default, many of these tag values are associated with primarily Russian targets, such as tinkoff and sberbank for “BANK”.\r\nBrowser theft\r\nPhemedrone accesses a variety of Chromium and Firefox/Gecko based browsers in order to steal data from them. Phemedrone steals data from the internal Chromium/Firefox storage databases that store passwords, credit cards, cookies, and more. Additionally, when stealing from Chromium based browsers, Phemedrone also targets the following extensions:\r\nExtension name Extension GUID\r\nAuthenticator bhghoamapcdpbohphigoooaddinpkbai\r\nEOS Authenticator oeljdldpnmdbchonielidgobddffflal\r\nBrowserPass naepdomgkenhinolocfifgehidddafch\r\nMYKI bmikpgodpkclnkgmnpphehdgcimmided\r\nSplikity jhfjfclepacoldmjmkmdlmganfaalklb\r\nCommonKey chgfefjpcobfbnpmiokfjjaglahmnded\r\nZoho Vault igkpcodhieompeloncfnbekccinhapdb\r\nNorton Password Manager admmjipmmciaobhojoghlmleefbicajg\r\nAvira Password Manager caljgklbbfbcjjanaijlacgncafpegll\r\nTrezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk\r\nMetaMask nkbihfbeogaeaoehlefnkodbefgpgknn\r\nTronLink ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nBinanceChain fhbohimaelbohpjbbldcngcnapndodjp\r\nCoin98 aeachknmefphepccionboohckonoeemg\r\niWallet kncchdigobghenbbaddojjnnaogfppfj\r\nWombat amkmjjmmflddogmhpjloimipbofnfjih\r\nNeoLine cphhlgmgameodnhkjdmkpanlelnlohao\r\nTerra Station aiifbnbfobpmeekipheeijimdpnlpgpp\r\nKeplr dmkamcknogkgcdfhhbddcghachkejeap\r\nSollet fhmfendgdocmcbmfikdcogofphimnkno\r\nICONex flpiciilemghbmfalicajoolhkkenfel\r\nKHC hcflpincpppdclinealmandijcmnkbgn\r\nTezBox mnfifefkajgofkcjkemidiaecocnkjeh\r\nByone nlgbhdfgdhgbiamfdfmbikcdghidoadd\r\nOneKey ilbbpajmiplgpehdikmejfemfklpkmke\r\nTrust Wallets pknlccmneadmjbkollckpblgaaabameg\r\nMetaWallet pfknkoocfefiocadajpngdknmkjgakdg\r\nGuarda Wallet fcglfhcjfpkgdppjbglknafgfffkelnm\r\nExodus idkppnahnmmggbmfkjhiakkbkdpnmnon\r\nJaxxxLiberty mhonjhhcgphdphdjcdoeodfdliikapmj\r\nAtomic Wallet bhmlbgebokamljgnceonbncdofmmkedg\r\nElectrum hieplnfojfccegoloniefimmbfjdgcgp\r\nMycelium pidhddgciaponoajdngciiemcflpnnbg\r\nCoinomi blbpgcogcoohhngdjafgpoagcilicpjh\r\nGreenAddress gflpckpfdgcagnbdfafmibcmkadnlhpj\r\nEdge doljkehcfhidippihgakcihcmnknlphh\r\nBRD nbokbjkelpmlgflobbohapifnnenbjlh\r\nSamourai Wallet apjdnokplgcjkejimjdfjnhmjlbpgkdi\r\nCopay ieedgmmkpkbiblijbbldefkomatsuahh\r\nBread jifanbgejlbcmhbbdbnfbfnlmbomjedj\r\nKeepKey dojmlmceifkfgkgeejemfciibjehhdcl\r\nTrezor jpxupxjxheguvfyhfhahqvxvyqthiryh\r\nLedger Live pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln\r\nLedger Wallet hbpfjlflhnmkddbjdchbbifhllgmmhnm\r\nBitbox ocmfilhakdbncmojmlbagpkjfbmeinbd\r\nDigital Bitbox dbhklojmlkgmpihhdooibnmidfpeaing\r\nYubiKey mammpjaaoinfelloncbbpomjcihbkmmc\r\nGoogle Authenticator khcodhlfkpmhibicdjjblnkgimdepgnd\r\nMicrosoft Authenticator bfbdnbpibgndpjfhonkflpkijfapmomn\r\nAuthy gjffdbjndmcafeoehgdldobgjmlepcal\r\nDuo Mobile eidlicjlkaiefdbgmdepmmicpbggmhoj\r\nOTP Auth bobfejfdlhnabgglompioclndjejolch\r\nFreeOTP elokfmmmjbadpgdjmgglocapdckdcpkn\r\nAegis Authenticator ppdjlkfkedmidmclhakfncpfdmdgmjpm\r\nLastPass Authenticator cfoajccjibkjhbdjnpkbananbejpkkjb\r\nDashlane flikjlpgnpcjdienoojmgliechmmheek\r\nKeeper gofhklgdnbnpcdigdgkgfobhhghjmmkj\r\nRoboForm hppmchachflomkejbhofobganapojjol\r\nKeePass lbfeahdfdkibininjgejjgpdafeopflb\r\nKeePassXC kgeohlebpjgcfiidfhhdlnnkhefajmca\r\nBitwarden inljaljiffkdgmlndjkdiepghpolcpki\r\nNordPass njgnlkhcjgmjfnfahdmfkalpjcneebpl\r\nLastPass gabedfkgnbglfbnplfpjddgfnbibkmbb\r\nNifty Wallet jbdaocneiiinmjbjlgalhcelgbejmnid\r\nMath Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nCoinbase Wallet hnfanknocfeofbddgcijnmhnfnkdnaad\r\nEqual Wallet blnieiiffboillknjnepogjhkgnoac\r\nEVER Wallet cgeeodpfagjceefieflmdfphplkenlfk\r\nJaxx Liberty ocefimbphcgjaahbclemolcmkeanoagc\r\nBitApp Wallet fihkakfobkmkjojpchpfgcmhfjnmnfpi\r\nMew CX nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nGU Wallet nfinomegcaccbhchhgflladpfbajihdf\r\nGuild Wallet nanjmdkhkinifnkgdeggcnhdaammmj\r\nSaturn Wallet nkddgncdjgifcddamgcmfnlhccnimig\r\nHarmony Wallet fnnegphlobjdpkhecapkijjdkgcjhkib\r\nTON Wallet nphplpgoakhhjchkkhmiggakijnkhfnd\r\nOpenMask Wallet penjlddjkjgpnkllboccdgccekpkcbin\r\nMyTonWallet fldfpgipfncgndfolcbkdeeknbbbnhcc\r\nDeWallet pnccjgokhbnggghddhahcnaopgeipafg\r\nTrustWallet egjidjbpglichdcondbcbdnbeeppgdph\r\nNC Wallet imlcamfeniaidioeflifonfjeeppblda\r\nMoso Wallet ajkifnllfhikkjbjopkhmjoieikeihjb\r\nEnkrypt Wallet kkpllkodjeloidieedojogacfhpaihoh\r\nCirusWeb3 Wallet kgdijkcfiglijhaglibaidbipiejjfdp\r\nMartian and Sui Wallet efbglgofoippbgcjepnhiblaibcnclgk\r\nSubWallet onhogfjeacnfoofkfgppdlbmlmnplgbn\r\nPontem Wallet phkbamefinggmakgklpkljjmgibohnba\r\nTalisman Wallet fijngjgcjhjmmpcmkeiomlglpeiijkld\r\nKardiachain Wallet pdadjkfkgcafgbceimcpbkalnfnepbnk\r\nPhantom Wallet bfnaelmomeimhIpmgjnjophhpkkoljpa\r\nOxygen Wallet fhilaheimglignddjgofkcbgekhenbh\r\nPaliWallet mgfffbidihjpoaomajlbgchddlicgpn\r\nBoltX Wallet aodkkagnadcbobfpggnjeongemjbjca\r\nLiquality Wallet kpopkelmapcoipemfendmdghnegimn\r\nxDefi Wallet hmeobnffcmdkdcmlb1gagmfpfboieaf\r\nNami Wallet Ipfcbjknijpeeillifnkikgncikgfhdo\r\nMaiarDeFi Wallet dngmlblcodfobpdpecaadgfbeggfjfnm\r\nMetaMask Edge Wallet ejbalbakoplchlghecdalmeeeajnimhm\r\nGoblin Wallet mlbafbjadjidk1bhgopoamemfibcpdfi\r\nBraavos Smart Wallet jnlgamecbpmbajjfhmmmlhejkemejdma\r\nUniSat Wallet ppbibelpcjmhbdihakflkdcoccbgbkpo\r\nOKX Wallet mcohilncbfahbmgdjkbpemcciiolgcge\r\nManta Wallet enabgbdfcbaehmbigakijjabdpdnimlg\r\nSuku Wallet fopmedgnkfpebgllppeddmmochcookhc\r\nSuiet Wallet khpkpbbcccdmmclmpigdgddabeilkdpd\r\nKoala Wallet lnnnmfcpbkafcpgdilckhmhbkkbpkmid\r\nExodusWeb3 Wallet aholpfdialjgjfhomihkjbmgjidlcdno\r\nAurox Wallet kilnpioakcdndlodeeceffgjdpojajlo\r\nFewcha Move Wallet ebfidpplhabeedpnhjnobghokpiioolj\r\nCarax Demon Wallet mdjmfdffdcmnoblignmgpommbefadffd\r\nLeap Terra Wallet aijcbedoijmgnlmjeegjaglmepbmpkpi\r\nCryptowallet theft\r\nPhemedrone also targets cryptowallets on the victim’s machine, looking for “wallet.dat” files to steal from. Additionally, Phemedrone steals from the following hardcoded cryptowallets:\r\nThis functionality allows Phemedrone to steal victims’ cryptocurrency with ease.\r\nDiscord token theft\r\nPhemedrone will target Discord tokens by accessing the Discord leveldb database, stored on a victim’s computer. It will then regex for “dQw4w9WgXcQdQw4w9WgXcQ:[^\\”]*”, which it will use to extract the victim’s Discord token for authentication purposes. This string is appended to each encrypted Discord token stored in the victim’s Discord leveldb database. The exact string is actually a rickroll easter egg.\r\nFileGrabber\r\nPhemedrone also includes a basic filegrabber, which will iterate through My Documents and Desktop and steal all files based on a config-supplied maximum file size and directory depth.\r\nFTP theft\r\nPhemedrone will target a popular FTP application, FileZilla, for theft. From FileZilla, Phemedrone will steal a victim’s “recentservers.xml” as well as their “sitemanager.xml”.\r\nScreenshot\r\nPhemedrone will automatically obtain a screenshot of the victim’s screen post installation for exfiltration.\r\nSteam theft\r\nPhemedrone will target the game application Steam for theft, stealing *ssfn* and \\\\config.vdf files, which attackers can use to take over a victim’s Steam account.\r\nTelegram theft\r\nPhemedrone targets Telegram for theft, too. Phemedrone grabs the DefaultIcon from a victim’s registry, in addition to stealing a victim’s tdata information, which can be used to take over their Telegram account.\r\nVPN theft\r\nPhemedrone targets several common VPN providers for theft in order to steal a victim’s VPN connection info. Phemedrone targets the following applications:\r\nOpenVPN: Steals Profiles and ovpn files\r\nProtonVPN: Steals ProtonVPN user.config\r\nSurfShark: Steals SurfShark *.dat\r\nCookie and password tagging\r\nPhemedrone has the ability to look through stolen cookies/passwords and provide a “snapshot” of what was stolen using a list of tags contained in the binary. These tags look for domains and are as follows:\r\nTag Category Tag Domain\r\nCheats celka.\r\nCheats nursultan.\r\nCheats xone\r\nCheats akrien\r\nCheats interium\r\nCheats nixware\r\nCheats skeet\r\nGames roblox.com.\r\nGames genshin\r\nGames minecraft.net\r\nGames epicgames.com\r\nGames steampowered.com\r\nBank tinkoff\r\nBank sberbank\r\nMoney yoomoney\r\nMoney amazon\r\nMoney funpay\r\nMoney americanexpress\r\nCrypto binance\r\nCrypto bybit\r\nThese tags are added to the generated Information.txt, along with information about the victim’s system, total passwords stolen, total cookies stolen, and an ASCII heart with the Phemedrone author signature. These tags are easily customizable, and in fact, in variants such as “Mephedrone”, we can see tags added to the list, such as “FACEBOOK”.\r\nImage 2: The Phemedrone Stealer author tag added to the top of logs.\r\nAs observed in the above table, in the BANK section, both of the domains are for banks commonly used in Russia. Additionally, in the MONEY section, half (yoomoney, funpay) are services commonly used in Russia. As will be discussed in later sections, while this malware does have a CIS check in the binary, this check is an optional toggle switch during the creation of a bot and can easily be toggled off, allowing Phemedrone to target areas where the MONEY/BANK sections could be used to their fullest.\r\nUseragent generation\r\nAs observed in the screenshot below, Phemedrone has the ability to generate random useragents, which it uses during communication with its C2. This possibly helps it sneak by detections that might rely on hardcoded useragent values.\r\nImage 3: Code from Phemedrone which shows how it can easily change its useragent on the fly.\r\nPhemedrone contains several anti-analysis checks which can be enabled during the build phase of the malware. If any of the checks described below are successful, Phemedrone exits.\r\nAnti-debugger\r\nPhemedrone’s anti-debugger check looks in the victim’s environment for the following processes, which may indicate that Phemedrone is being debugged:\r\nAnti-VM\r\nPhemedrone’s anti-VM check looks on the victim’s computer for the following virtual machine (VM) strings, which indicate that Phemedrone is being run in a VM:\r\nCIS check\r\nPhemedrone checks whether a victim is a speaker of the following languages spoken in Commonwealth of Independent States (CIS) countries, by using a keyboard language check, as observed in Image 4:\r\nImage 4: This is an optional check in the build process for a bot and is disabled by default.\r\nMutex check\r\nUsing the hardcoded config, Phemedrone checks whether it is already running by checking whether its mutex already exists.\r\nPhemedrone’s bot builder has three different “sender” customization options, with some of the options behaving differently than the others. The three options are as follows:\r\nGate sender\r\nPhemedrone’s gate sender allows actors using Phemedrone to specify a C2 that hosts the Phemedrone gate.php script. Bots that connect to this php gate will send their logs there, and then:\r\nPanel sender\r\nPhemedrone’s panel sender allows actors to stand up a panel on a domain they control and then specify the IP/PORT combination when building their bot. This sender stores logs on the server, and then also notifies a Telegram chat when logs arrive. Connected victims as well as logs can be viewed in Phemedrone’s console-based panel application.\r\nTelegram sender\r\nPhemedrone’s Telegram sender allows actors to specify a Telegram channel/telegram bot as the preferred destination for exfiltrated logs. The Telegram sender also has an option to encrypt all logs sent with this method, so that the logs are not sitting in Telegram unencrypted. Phemedrone leverages a basic AES + RSA encryption algorithm for all logs, as observed in Image 5. Telegram exfil is an increasingly popular choice for malware, as well as phishing, and this encryption adds an extra layer of security for people choosing to use that option.\r\nImage 5: Code from Phemedrone shows that it can successfully encrypt information using AES+RSA.\r\nBased on an overlap between behavior and log format, we’ve noticed that there are variants of Phemedrone with logs sold on forums. One of those variants is a family called “Mephedrone”.\r\nChecking our logs, we’ve noticed that we most often see Phemedrone affecting the United States, with 20% of logs attributed to that country. A full breakdown of countries can be found in the image and corresponding table below:\r\nCountry Percentage\r\nUnited States 20.00%\r\nNetherlands 19.00%\r\nRepublic of Korea 18.58%\r\nGermany 8.41%\r\nItaly 7.67%\r\nBrazil 5.9%\r\nIsrael 3.24%\r\nArgentina 3.24%\r\nBulgaria 3.1%\r\nFinland 2.95%\r\nSingapore 2.8%\r\nVietnam 2.51%\r\nRussia 2.36%\r\nInterestingly, Russia accounted for 2% of the total infections, despite the CIS check in the malware.\r\nInformation file\r\nA final interesting feature of Phemedrone is that, because it parses the passwords out of their respective password stores on the victim computer (instead of on a panel), it is able to create snapshots in a generated Information.txt file, which allows actors to rapidly see which logs they’ve obtained. As observed in Image 6, the generated Information.txt file has a snapshot where log count can be observed:\r\nImage 6: Phemedrone’s Information.txt log snapshot, which shows what log counts can be observed.\r\nPhemedrone is an interesting case study in the evolution of infostealer families. As this article describes, there are several characteristics that make Phemedrone particularly attractive to cybercriminals:\r\nWhile Phemedrone appears to be used to target Russian users and services, particularly in instances where banking or financial information can be harvested, the US is still the most affected country according to our research.\r\nUser exposures from Phemedrone infections (even on personal devices) can threaten businesses if actors gain access to credentials and other identity data that opens doors to your environment. We recommend security teams integrate Post-Infection Remediation steps into existing malware remediation playbooks for confirmed exposures to minimize risk and prevent follow-on attacks like account takeover and fraud.\r\nWe’ll continue to monitor developments of Phemedrone’s capabilities and review recaptured logs to better understand exfiltration trends. Keep an eye out for more reverse-engineering analyses from our team at SpyCloud Labs.\r\nSource: https://spycloud.com/blog/phemedrone-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://spycloud.com/blog/phemedrone-stealer/"
	],
	"report_names": [
		"phemedrone-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434087,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/704c3c8c0bdb17696d31b57081741cfa858a78af.pdf",
		"text": "https://archive.orkl.eu/704c3c8c0bdb17696d31b57081741cfa858a78af.txt",
		"img": "https://archive.orkl.eu/704c3c8c0bdb17696d31b57081741cfa858a78af.jpg"
	}
}