{
	"id": "c01a87cc-2e62-45c4-b504-0b5e87c1610e",
	"created_at": "2026-04-06T00:22:30.983535Z",
	"updated_at": "2026-04-10T03:36:47.808078Z",
	"deleted_at": null,
	"sha1_hash": "72561c5d899cfba03373c547a2859427b562b959",
	"title": "SmokeLoader Attack Targets Companies in Taiwan | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 981675,
	"plain_text": "SmokeLoader Attack Targets Companies in Taiwan | FortiGuard\r\nLabs\r\nBy Pei Han Liao\r\nPublished: 2024-12-02 · Archived: 2026-04-05 15:35:46 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: The stolen information can be used for future attack\r\nSeverity Level: High\r\nIn September 2024, FortiGuard Labs observed an attack using the notorious SmokeLoader malware to target\r\ncompanies in Taiwan, including those in manufacturing, healthcare, information technology, and other sectors.\r\nSmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it\r\nto perform a wide range of attacks. While SmokeLoader primarily serves as a downloader to deliver other\r\nmalware, in this case, it carries out the attack itself by downloading plugins from its C2 server.\r\nFigure 1: Attack flow\r\nPhishing\r\nFigure 2 shows a phishing email used in this campaign. The sender claims the attached malicious file is a\r\nquotation and includes a list of special instructions. While this email is persuasive, as it uses native words and\r\nphrases, these phishing emails are sent to multiple recipients with almost the same content. Even the recipient's\r\nname (the redaction in the file name) is not changed when sent to other companies. This has been observed in\r\nother attack chains of this campaign. In addition, the font and color of the email sign-off and telephone number are\r\ndifferent from the main body, which suggests that the text may have been copied from elsewhere.\r\nhttps://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader\r\nPage 1 of 15\n\nFigure 2: Phishing emails sent to different companies. 
The recipient’s name is identical.\r\nRegardless of which it uses, the third stage uses a VBS file to launch the malware loader, AndeLoader, and the\r\nfinal payload is the same SmokeLoader file.\r\nCVE-2017-0199\r\nCVE-2017-0199 is a vulnerability in Microsoft Office that is triggered through an OLE2-embedded link object. When a\r\nvictim opens the crafted file, a malicious document is automatically downloaded and executed. The file attached\r\nto the phishing email is protected, and the object containing the malicious link is hidden in a sheet.\r\nFigure 3: The download link can be found in the binary data though it’s protected\r\nCVE-2017-11882\r\nCVE-2017-11882 is an RCE (Remote Code Execution) vulnerability in the Equation Editor in Microsoft Office.\r\nThe shellcode contains a decryption algorithm and encrypted data. After the decryption, the shellcode resolves the\r\nnecessary APIs and downloads the VBS file for the next stage with the URLDownloadToFile function.\r\nFigure 4: The decrypted shellcode\r\nHTA\r\nThe HTA file contains VBS code that has been URL-encoded several times.\r\nFigure 5: Source code of the HTA file\r\nAfter decoding, we see a VBS script with numerous spaces inserted between symbols and variables. Additionally,\r\nlong variable names are used to frustrate analysis. The VBS script executes a snippet of PowerShell code, which\r\ndownloads the VBS file for AndeLoader.\r\nFigure 6: The cleaned-up PowerShell code\r\nAndeLoader\r\nFigure 7: Execution flow of AndeLoader\r\nVBS\r\nThe start of the execution flow is a VBS file cluttered with junk and irrelevant code, hiding the malicious\r\ncode that includes obfuscated PowerShell code.\r\nFigure 8: The VBS file. 
Only the upper code snippet is related to the malicious behavior.\r\nBelow is the deobfuscated PowerShell code. It downloads a steganographic image that contains base64-encoded\r\ndata of the injector and extracts the data enclosed by \u003c\u003cBASE64_START\u003e\u003e and \u003c\u003cBASE64_END\u003e\u003e. After this,\r\nthe data is decoded into the injector, and its dnlib.IO.Home.VAI method is called with six arguments: the download\r\nlink of the data for SmokeLoader, a flag for persistence, a file path, a filename, the injection target, and an unused\r\nargument. In this case, the persistence feature is not used, so the second, third, and fourth arguments are just filled\r\nwith destivado, which translates to “disabled” in English.\r\nFigure 9: Deobfuscated PowerShell code\r\nFigure 10: The image file containing the injector data\r\nInjector\r\nThe injector in this campaign is relatively simple compared to other variants. Its code is not obfuscated and\r\nhas only two features: persistence and injection.\r\nFigure 11: The injector: Class.Start is for persistence and Tools.Ande is for injection\r\nThe Class.Start method combines all VBS files in the current working path of cmd.exe into a VBS file whose\r\npath and filename are specified by the third and fourth arguments of Tools.Ande, respectively. The file path is\r\nwritten to a new value named Path in the\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key to make the VBS\r\nfile execute automatically when the system starts up. 
If this feature is used, it enables the VBS file downloaded in\r\nthe previous stage to persist.\r\nFigure 12: Class.Start method\r\nAfter this, the TXT file specified by the first argument of Tools.Ande is downloaded, and its data is deobfuscated\r\nto get SmokeLoader, which is later injected into RegAsm.exe. The injection technique is a common one:\r\n1. Create a suspended process of the target and write the SmokeLoader data into newly allocated memory in it.\r\n2. Modify the value at offset 0xB0 of its thread context, which indicates the entry point of the process, to the\r\nentry point of SmokeLoader so that SmokeLoader executes when the thread is resumed.\r\nSmokeLoader\r\nBelow is SmokeLoader's execution flow. This section focuses on the plugins downloaded from its C2 server.\r\nFigure 13: Execution flow of SmokeLoader\r\nFigure 14 shows that, though the response is 404 Not Found, it still contains the payload for the attack.\r\nFigure 14: The C2 communication\r\nThe payload contains configurations and the encrypted data for plugins:\r\nIn this case, it contains configurations for Plugins 4 and 5 (fgclearcookies) and Plugins 8 and 9 (keylog_rules). These will be\r\nintroduced later. Nine plugins are received from the C2 server: three standalone plugins and three plugins\r\nwith both 32-bit and 64-bit versions. Depending on each plugin's architecture, SmokeLoader uses a loop to sequentially\r\ninject these plugins into explorer.exe. SmokeLoader creates a suspended process of explorer.exe and writes\r\nthe encrypted data of the plugin and the decryption algorithm along with a snippet of shellcode used to call the decryption\r\nalgorithm. 
After this, it changes the code at the start of the entry point of explorer.exe into a jump to the shellcode\r\nand calls ResumeThread to execute the plugin.\r\nFigure 15: SmokeLoader writes shellcode depending on the architecture of the plugin\r\nBelow is the plugin list:\r\nPlugin 1 (32-bit): Steals login credentials, FTP credentials, cookies, and autofill data from browsers, email\r\nsoftware, and FTP clients\r\nPlugin 2 (64-bit): Steals login credentials from Firefox and Thunderbird. The function is the same as what\r\nPlugin 1 uses.\r\nPlugin 3 (32-bit): Reads data from email software\r\nPlugin 4 (32-bit): Injects its code into the browser and sets a hook to steal data\r\nPlugin 5 (64-bit): The 64-bit version of Plugin 4\r\nPlugin 6 (32-bit): Injects its code into email software, browsers, and FTP clients and sets a hook to steal data\r\nPlugin 7 (64-bit): The 64-bit version of Plugin 6\r\nPlugin 8 (32-bit): Injects its code into explorer.exe or processes specified by the C2 server and sets a hook to\r\nsteal data\r\nPlugin 9 (64-bit): The 64-bit version of Plugin 8\r\nPlugin 1\r\nTarget:\r\nInternetExplorer, Firefox, Chrome, Edge, Opera, Chromium, Amigo, QQBrowser\r\nOutlook, Thunderbird\r\nFileZilla, WinSCP\r\nThis plugin uses a loop to sequentially execute functions for the target software.\r\nFigure 16: The loop for running functions for information stealing\r\nThe functions can be categorized into the following types according to the target:\r\nInternetExplorer\r\nThis plugin leverages functions in vaultcli.dll to get login credentials from Internet Explorer. 
Credential Manager\r\nis a Windows feature used to store passwords. vaultcli.dll provides the functions to enumerate\r\nand retrieve information from the credential vault.\r\nFirefox, Thunderbird\r\nThis plugin enumerates the registry keys under Software\\Mozilla to find the one containing the value PathToExe\r\nto get the default location of Firefox and Thunderbird. Then, the plugin searches for profiles.ini in the default location\r\nand parses it to get the location of logins.json and cookies.sqlite, from which it extracts login credentials.\r\nChrome, Opera, Chromium, Edge, Amigo, QQBrowser\r\nThe plugin searches for the Local State file within the Web Data, Cookies, and Login Data folders under the\r\ninstallation path and then extracts login credentials and auto-fill data. To ensure it can locate the target file, it\r\nsearches the following locations:\r\nOutlook\r\nIt enumerates possible related registry keys to find the following values:\r\nFileZilla\r\nIt searches for sitemanager.xml, recentservers.xml, and filezilla.xml in the installation folder under\r\n%APPDATA%, %LOCALAPPDATA% or C:\\ProgramData to collect the content of the Host, Port, User, and\r\nPass tags in these files.\r\nWinSCP\r\nIt enumerates the registry keys under Software\\Martin Prikryl to find the HostName, UserName, Password,\r\nRemoteDirectory, and PortNumber values.\r\nPlugin 2\r\nThis 64-bit plugin uses the same functions as Plugin 1 but only collects information from Firefox and\r\nThunderbird.\r\nPlugin 3\r\nTarget: Outlook, Thunderbird, The Bat!\r\nThis plugin searches for the data files of email clients in specific paths using the following keywords.\r\nEmail client / Keywords / Paths:\r\nOutlook / .pst, .ost / %APPDATA%\\Microsoft\\Outlook, %LOCALAPPDATA%\\Microsoft\\Outlook, %ALLUSERSPROFILE%\\Microsoft\\Outlook, C:\\Users\\{User name}\\Documents\r\nThunderbird / .mab, .msf, inbox, sent, draft, template, archive / %APPDATA%\\Thunderbird\r\nThe Bat! / .tbb, .tbn, .abn / %APPDATA%\\The Bat!, %ALLUSERSPROFILE%\\The Bat!, %APPDATA%\\BatMail, %ALLUSERSPROFILE%\\BatMail\r\nWhen a data file is found, the plugin parses its structure to obtain the email addresses of people who sent an email\r\nto the victim or who received a copy of the email. The email addresses are then sent to the C2 server, and the\r\nprocess is closed.\r\nPlugin 4\r\nTarget: Chrome, Opera, Edge, InternetExplorer, Firefox\r\nThe process of this plugin can be divided into two parts: injection and hooking.\r\nInjection\r\nThe plugin first checks if fgclearcookies is contained in the configuration from the C2 server. If\r\nfgclearcookies is found, it terminates the following processes and deletes the related\r\ncookies to force the victims to enter their confidential data again:\r\niexplore.exe, microsoftedge.exe, microsoftedgecp.exe, firefox.exe, chrome.exe, opera.exe, msedge.exe, plugin-container.exe (sub-process of Firefox; the relevant cookies are for Macromedia Flash Player)\r\nIt then constantly monitors currently running processes and injects the other part of the plugin into target browsers\r\nto hook specified APIs. Like other plugins, the injected code includes shellcode, a decryption algorithm, and\r\nencrypted data. 
The difference is that the code for the jump to the shellcode is written to the atan function of\r\nntdll, and the plugin calls CreateRemoteThread to run the atan function in the target process.\r\nHooking\r\nThe plugin hooks different APIs depending on where it is injected:\r\nProcess / DLL / API:\r\nfirefox.exe / Kernel32.dll / VirtualQuery\r\nfirefox.exe / nspr4.dll or nss3.dll / PR_GetDescType\r\nfirefox.exe / nspr4.dll / PR_Write\r\niexplore.exe, microsoftedgecp.exe / wininet.dll / HttpSendRequestA, HttpSendRequestW, InternetWriteFile\r\nmsedge.exe, opera.exe, chrome.exe / msedge.dll, chrome.dll, opera.dll, opera_browser.dll / Unknown function\r\nBefore setting the hooks, it suspends all threads of the injected process except the current one. Next, it modifies\r\nthe code at the start of the target APIs to jump to a function that sends the data passed to the API to the C2 server. The\r\nplugin obtains the addresses of most target APIs by calling GetProcAddress. The only exception is the unknown function\r\nin the DLL files of the Chromium-based browsers: to locate it, the plugin parses the structure of the\r\n.rdata section to find the function matching a specific byte pattern.\r\nFigure 17: The code to search the target function\r\nWhen the hooks are set, the plugin resumes the other threads of the current process and terminates the current thread.\r\nPlugin 5\r\nThe 64-bit version of Plugin 4.\r\nPlugin 6\r\nTarget:\r\nEdge, InternetExplorer, Firefox, Chrome, Opera\r\nOutlook, Thunderbird, The Bat!, MailMaster, 263EM, Foxmail, AliMail, MailChat\r\nFileZilla, SmartFTP, FlashFXP, CuteFTP\r\nWinSCP\r\nPlugin 6 uses the same method to inject hooking code snippets into target processes. 
The API functions to hook\r\nare WSASend and send in ws2_32.dll. When these functions are called, the plugin collects FTP,\r\nSMTP, IMTP, and POP3 hostnames.\r\nPlugin 7\r\nThe 64-bit version of Plugin 6.\r\nPlugin 8\r\nTarget: explorer.exe or processes specified by the C2 server\r\nLike Plugin 4, it has injection and hooking parts. If keylog_rules= is contained in the configuration from\r\nthe C2 server, it starts injecting. The shellcode is injected into explorer.exe or into processes whose names\r\nfollow keylog_rules= in the configuration when they are executed. The hooks are set on the following\r\nfunctions:\r\nDLL / API / Target:\r\nuser32.dll / TranslateMessage / Keyboard states and the name of the window where the user inputs the data\r\nuser32.dll / GetClipboardData / Clipboard content\r\nPlugin 9\r\nThe 64-bit version of Plugin 8.\r\nConclusion\r\nSmokeLoader is modular malware that is adaptable to different needs. In this case, SmokeLoader performs its\r\nattack with its plugins instead of downloading a complete file for the final stage. This shows the flexibility of\r\nSmokeLoader and emphasizes that analysts need to be careful even when looking at well-known malware like\r\nthis. FortiGuard will continue monitoring these attack campaigns and provide appropriate protections as required.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nJS/Kryptik.CTS!tr.dldr\r\nVBS/TrojanDownloader.AAWM!tr.dldr\r\nW32/Smokeloader.F!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard\r\nAntiVirus engine is part of each of these solutions. 
As a result, customers who have these products with up-to-date\r\nprotections are protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service, which runs on both FortiGate and FortiMail,\r\ncan disarm the malicious macros in the document.\r\nWe also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security\r\nAwareness. This module is designed to help end users learn how to identify and protect themselves from phishing\r\nattacks.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating\r\nmalicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative\r\ncompetitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile\r\nsources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global\r\nFortiGuard Incident Response Team.\r\nIOCs\r\nSource: https://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader"
	],
	"report_names": [
		"sophisticated-attack-targets-taiwan-with-smokeloader"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72561c5d899cfba03373c547a2859427b562b959.pdf",
		"text": "https://archive.orkl.eu/72561c5d899cfba03373c547a2859427b562b959.txt",
		"img": "https://archive.orkl.eu/72561c5d899cfba03373c547a2859427b562b959.jpg"
	}
}