{
	"id": "9eef2bd9-a5d7-4c04-a221-afbc73c6b1de",
	"created_at": "2026-04-06T00:10:41.071431Z",
	"updated_at": "2026-04-10T03:35:17.265671Z",
	"deleted_at": null,
	"sha1_hash": "76fa704b8b458a12ebf09caf0fc90e6be486972e",
	"title": "HTTPSnoop (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35848,
	"plain_text": "HTTPSnoop (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:05:52 UTC\r\nwin.httpsnoop (Back to overview)\r\nHTTPSnoop\r\naka: TOFULOAD\r\nCisco Talos states that HTTPSnoop is a simple yet effective backdoor that uses novel techniques to interface with Windows HTTP kernel drivers and devices to listen for incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.\r\nReferences\r\n2023-09-19 ⋅ Cisco Talos ⋅ Arnaud Zobec, Asheer Malhotra, Caitlin Huey, Sean Taylor, Vitor Ventura\r\nNew ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants\r\nHTTPSnoop PipeSnoop LightBasin ShroudedSnooper\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsnoop\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.httpsnoop\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsnoop"
	],
	"report_names": [
		"win.httpsnoop"
	],
	"threat_actors": [
		{
			"id": "9d63303c-817c-40d7-b703-c6d62f0dbddc",
			"created_at": "2023-10-14T02:03:14.471787Z",
			"updated_at": "2026-04-10T02:00:04.891855Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "ETDA:ShroudedSnooper",
			"tools": [
				"HTTPSnoop",
				"PipeSnoop",
				"TOFULOAD",
				"TOFUPIPE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1ddad928-ad5f-4885-9abd-e8965dd793df",
			"created_at": "2023-11-08T02:00:07.129402Z",
			"updated_at": "2026-04-10T02:00:03.421623Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "MISPGALAXY:ShroudedSnooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76fa704b8b458a12ebf09caf0fc90e6be486972e.pdf",
		"text": "https://archive.orkl.eu/76fa704b8b458a12ebf09caf0fc90e6be486972e.txt",
		"img": "https://archive.orkl.eu/76fa704b8b458a12ebf09caf0fc90e6be486972e.jpg"
	}
}