{
	"id": "0ce576d8-b8e8-4167-9f3e-b49a3e81382a",
	"created_at": "2026-04-06T00:16:33.02779Z",
	"updated_at": "2026-04-10T03:37:09.032888Z",
	"deleted_at": null,
	"sha1_hash": "747f92f807f96a7dfce7addbd06bb4da9597371b",
	"title": "Exploiting CVE-2024-21412: A Stealer Campaign Unleashed | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65966,
	"plain_text": "Exploiting CVE-2024-21412: A Stealer Campaign Unleashed | FortiGuard Labs\r\nBy Cara Lin\r\nPublished: 2024-07-23 · Archived: 2026-04-05 23:49:40 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: The stolen information can be used for future attacks\r\nSeverity Level: High\r\nCVE-2024-21412 is a security bypass vulnerability in Microsoft Windows SmartScreen that arises from an error in handling maliciously crafted files. A remote attacker can exploit this flaw to bypass the SmartScreen security warning dialog and deliver malicious files. Over the past year, several attackers, including Water Hydra, Lumma Stealer, and Meduza Stealer, have exploited this vulnerability.\r\nFortiGuard Labs has observed a stealer campaign spreading multiple files that exploit CVE-2024-21412 to download malicious executable files. Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file. The LNK file then downloads an executable file containing an HTA script. Once executed, the script decodes and decrypts PowerShell code to retrieve the final URLs, decoy PDF files, and a malicious shell code injector. These files aim to inject the final stealer into legitimate processes, initiating malicious activities and sending the stolen data back to a C2 server.\r\nThe threat actors have designed different injectors to evade detection and use various PDF files to target specific regions, including North America, Spain, and Thailand. 
This article elaborates on how these files are constructed and how the injector works.\r\nInitial Access\r\nTo start, the attacker constructs a malicious link to a remote server to search for a URL file with the following content: \r\nThe target LNK file employs the “forfiles” command to invoke PowerShell, then executes “mshta” to fetch an execution file from the remote server “hxxps://21centuryart.com.” \r\nDuring our investigation, we collected several LNK files that all download similar executables containing an HTA script embedded within the overlay. This HTA script sets WINDOWSTATE=“minimize” and SHOWTASKBAR=“no”. It plays a crucial role in the infection chain by executing additional malicious code and seamlessly facilitating the next stages of the attack.\r\nAfter decoding and decrypting the script, the PowerShell code downloads two files to the “%AppData%” folder. The first is a decoy PDF, a clean file that distracts the victim’s attention from the malicious activity, and the other is an execution file that injects shell code for the next stage.\r\nhttps://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed\r\nPage 1 of 11\n\nShell Code Injector\r\nIn this attack chain, we identified two types of injectors. The first leverages an image file to obtain the shell code. As of mid-July, it had low detection rates on VirusTotal.\r\nAfter its anti-debugging checks, it downloads a JPG file from the Imghippo website, “hxxps://i.imghippo[.]com/files/0hVAM1719847927[.]png.” It then uses the Windows API “GdipBitmapGetPixel” to access the pixels and decode the bytes to get the shell code.\r\nIt then calls “dword ptr ss:[ebp-F4],” which points to the entry point of the shell code. 
The shell code first resolves all the APIs it needs by CRC32 hash, creates a folder, and drops files in “%TEMP%.” We can tell that these dropped files are HijackLoader based on the typical bytes “\\x49\\x44\\x41\\x54\\xC6\\xA5\\x79\\xEA” found in the encrypted data.\r\nThe other injector is more straightforward. It decrypts its code from the data section and uses a series of Windows API functions—NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtMapViewOfSection again, and NtProtectVirtualMemory—to perform shell code injection.\r\nFinal Stealers\r\nThis attack uses Meduza Stealer version 2.9, with its panel found at hxxp://5[.]42[.]107[.]78/auth/login.\r\nWe also identified an ACR stealer loaded by HijackLoader. This ACR stealer hides its C2 with a dead drop resolver (DDR) technique on the Steam community website, hxxps://steamcommunity[.]com/profiles/76561199679420718. \r\nWe also found the C2 for other ACR Stealers on Steam by searching for the specific string “t6t”. \r\nAfter retrieving the C2 hostname, the ACR stealer appends specific strings to construct a complete URL, “hxxps://pcvcf[.]xyz/ujs/a4347708-adfb-411c-8f57-c2c166fcbe1d”. This URL then fetches the encoded configuration from the remote server. The configuration data typically contains crucial information, such as target specifics and operational parameters for the stealer. 
By decoding the C2 from Steam, the stealer can use legitimate web services to maintain communications with its C2 server.\r\nBesides local text files in the “Documents” and “Recent” paths, ACR Stealer targets the following applications:\r\nBrowser: Google Chrome, Google Chrome SxS, Google Chrome Beta, Google Chrome Dev, Google Chrome Unstable, Google Chrome Canary, Epic Privacy Browser, Vivaldi, 360Browser Browser, CocCoc Browser, K-Melon, Orbitum, Torch, CentBrowser, Chromium, Chedot, Kometa, Uran, liebao, QIP Surf, Nichrome, Chromodo, Coowon, CatalinaGroup Citrio, uCozMedia Uran, Elements Browser, MapleStudio ChromePlus, Maxthon3, Amigo, Brave-Browser, Microsoft Edge, Opera Stable, Opera GX Stable, Opera Neon, Mozilla Firefox, BlackHawk, and TorBro.\r\nCryptoWallet: Bitcoin, Binance, Electrum, Electrum-LTC, Ethereum, Exodus, Anoncoin, BBQCoin, devcoin, digitalcoin, Florincoin, Franko, Freicoin, GoldCoin (GLD), GInfinitecoin, IOCoin, Ixcoin, Litecoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Dogecoin, ElectronCash, MultiDoge, com.liberty.jaxx, atomic, Daedalus Mainnet, Coinomi, Ledger Live, Authy Desktop, Armory, DashCore, Zcash, Guarda, WalletWasabi, and Monero.\r\nMessenger: Telegram, Pidgin, Signal, Tox, Psi, Psi+, and WhatsApp.\r\nFTP Client: FileZilla, GoFTP, UltraFXP, NetDrive, FTP Now, DeluxeFTP, FTPGetter, Steed, Estsoft ALFTP, BitKinex, Notepad++ plugins NppFTP, FTPBox, INSoftware NovaFTP, and BlazeFtp.\r\nEmail Clients: Mailbird, eM Client, The Bat!, PMAIL, Opera Mail, yMail2, TrulyMail, Pocomail, and Thunderbird.\r\nVPN Service: NordVPN and AzireVPN.\r\nPassword Manager: Bitwarden, NordPass, 1Password, and RoboForm.\r\nOther: AnyDesk, MySQL Workbench, GHISLER, Sticky Notes, Notezilla, To-Do DeskList, snowflake-ssh, and GmailNotifierPro.\r\nA number of Chrome 
extensions, identified by extension ID, are also targeted.\r\n
Conclusion\r\nThis campaign primarily exploits CVE-2024-21412 to spread LNK files that download execution files embedding HTA script code within their overlays. The HTA script runs silently, avoiding any pop-up windows, and clandestinely downloads two files: a decoy PDF and an execution file designed to inject shell code, setting the stage for the final stealers.\r\nTo mitigate such threats, organizations must educate their users about the dangers of downloading and running files from unverified sources. Continuous innovation by threat actors necessitates a robust and proactive cybersecurity strategy to protect against sophisticated attack vectors. 
Proactive measures, user awareness, and stringent security protocols are vital components in safeguarding an organization's digital assets.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus:\r\nLNK/Agent.OQ!tr\r\nLNK/Agent.BNE!tr\r\nLNK/Agent.ACX!tr\r\nW32/Agent.DAT!tr\r\nW64/Agent.EDE6!tr\r\nW32/Agent.AAN!tr\r\nW64/Agent.A8D2!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nThe FortiGuard Web Filtering Service blocks the C2 servers and download URLs.\r\nFortiGuard Labs provides an IPS signature against attacks exploiting CVE-2024-21412:\r\nMS.Windows.SmartScreen.CVE-2024-21412.Security.Feature.Bypass\r\nWe also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. 
This module is designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.\r\nIOCs\r\nIP Addresses\r\n62[.]133[.]61[.]26\r\n62[.]133[.]61[.]43\r\n5[.]42[.]107[.]78\r\nHostnames\r\nFiles\r\nSource: https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed"
	],
	"report_names": [
		"exploiting-cve-2024-21412-stealer-campaign-unleashed"
	],
	"threat_actors": [
		{
			"id": "a5bd315b-6220-441f-8ed1-39e194dcd0e3",
			"created_at": "2023-12-01T02:02:33.667762Z",
			"updated_at": "2026-04-10T02:00:04.641333Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [
				"Water Hydra"
			],
			"source_name": "ETDA:DarkCasino",
			"tools": [
				"CloudEyE",
				"DarkMe",
				"GuLoader",
				"PikoloRAT",
				"vbdropper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434593,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/747f92f807f96a7dfce7addbd06bb4da9597371b.pdf",
		"text": "https://archive.orkl.eu/747f92f807f96a7dfce7addbd06bb4da9597371b.txt",
		"img": "https://archive.orkl.eu/747f92f807f96a7dfce7addbd06bb4da9597371b.jpg"
	}
}