{
	"id": "3173f0ee-5585-43d1-9293-b8379dcb3740",
	"created_at": "2026-04-06T00:13:51.386016Z",
	"updated_at": "2026-04-10T03:37:08.649021Z",
	"deleted_at": null,
	"sha1_hash": "8a32b3de1f04e4af521600820ff4edc70206df03",
	"title": "Trojanized Mario Installer Spreads SupremeBot Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1492941,
	"plain_text": "Trojanized Mario Installer Spreads SupremeBot Malware\r\nPublished: 2023-06-23 · Archived: 2026-04-05 19:02:00 UTC\r\nCyble analyzes SupremeBot, a crypto-mining client delivered by a trojanized Super Mario game installer that also spreads the Umbral stealer.\r\nSupremeBot Pushes Umbral Stealer to Maximize Monetary Gain\r\nThreat Actors (TAs) use game installers to spread malware because games have a wide user base and users generally trust game installers as legitimate software. The social engineering behind these lures exploits that trust to get users to download and run a malicious installer, and the large size and complexity of game packages give TAs room to hide malware inside them.\r\nMalware distributed through game installers can be monetized through activities such as stealing sensitive information and conducting ransomware attacks. Cyble Research and Intelligence Labs (CRIL) has previously documented several malware campaigns that specifically target gamers and game-related applications, including Enlisted, MSI Afterburner, FiveM Spoofer, and others.\r\nRecently, CRIL identified a trojanized Super Mario Bros game installer that delivers multiple malicious components: an XMR miner, the SupremeBot mining client, and the open-source Umbral stealer. The malware files were bundled with a legitimate installer of super-mario-forever-v702e. This incident highlights another reason TAs use game installers as a delivery mechanism: the powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrency.\r\nSuper Mario is an extremely popular video game franchise celebrated for its platforming gameplay, vibrant visuals, unforgettable characters, and captivating music. The franchise recently saw a resurgence in popularity with new games and an animated movie. 
Over the years, the franchise has continuously evolved, introducing fresh game mechanics, power-ups, and levels across various titles and gaming consoles. Since its inception in the 1980s, Super Mario games have garnered a massive global following, with millions of players worldwide enjoying the immersive experiences they provide.\r\nhttps://blog.cyble.com/2023/06/23/trojanized-super-mario-game-installer-spreads-supremebot-malware/\r\nPage 1 of 13\r\nThe figure below illustrates the GUI of the Super Mario Forever game following a successful installation.\r\nFigure 1 – Super Mario Game GUI\r\nThe image below shows the infection chain of the compromised Super Mario game installer delivering Umbral Stealer.\r\nFigure 2 – Infection chain\r\nTechnical Analysis\r\nFor this technical analysis, we analyzed a sample named “Super-Mario-Bros.exe” with SHA256 e9cc8222d121a68b6802ff24a84754e117c55ae09d61d54b2bc96ef6fb267a54, a 32-bit Nullsoft Scriptable Install System (NSIS) self-extracting archive executable.\r\nFigure 3 – Static details\r\nThe icon displayed below depicts the installer application of the trojanized Super Mario game.\r\nFigure 4 – Compromised Super Mario game installer file icon\r\nThe NSIS installer “Super-Mario-Bros.exe” has been tampered with and turned into a trojanized version of a Super Mario game installer. 
This executable contains three separate executables: “super-mario-forever-v702e.exe,” the genuine Super Mario Forever game installer, and two malicious executables named “java.exe” and “atom.exe,” as shown below.\r\nFigure 5 – Files inside the Super Mario game NSIS installer\r\nWhen “Super-Mario-Bros.exe” runs, it drops “super-mario-forever-v702e.exe” into the %appdata% directory and executes it. This launches the installation wizard, which lets the user proceed with installing the “super-mario-forever-v7.02” program.\r\nThe figure below shows the installation wizard of the Super Mario Forever game.\r\nFigure 6 – Mario game installation wizard\r\nOnce the installation completes, a graphical user interface (GUI) is launched from which the user can play the Super Mario Forever game, as shown below.\r\nFigure 7 – Super Mario game user interface\r\nIn the background, the NSIS installer also drops “java.exe” and “atom.exe” alongside the game installer in the %appdata% directory, with the hidden file attribute set, as shown in Figure 8, and then executes them. The hidden attribute keeps the files out of a default Explorer listing, but they remain visible with dir /a:h or attrib; the name “java.exe” also masquerades as the Java runtime, which normally runs from a Program Files path rather than from %appdata%.\r\nFigure 8 – Dropped malware files with genuine Super Mario installer in %appdata%\r\nOf the dropped files, “java.exe” is an XMR miner executable, designed to mine the cryptocurrency Monero. 
“atom.exe” is the SupremeBot mining client: it handles the miner’s network connection, receives mining tasks, and manages the mining process.\r\nXMR Miner\r\n“java.exe” is an XMR (Monero) miner that runs silently in the background without the user’s knowledge or consent, consuming CPU and GPU resources to mine Monero (XMR).\r\nWhen “java.exe” executes, it connects to the mining pool “gulf[.]moneroocean[.]stream” to carry out mining.\r\nConcurrently, the malware gathers data from the victim’s system, including computer name, username, GPU, CPU, and other details, and sends it to a Command and Control (C\u0026C) server via the following API URL:\r\n“hxxp://shadowlegion[.]duckdns[.]org/nam/api/endpoint[.]php”\r\nSupremeBot: Mining Client\r\nUpon execution, “atom.exe” copies itself into the ProgramData folder, using a randomly generated character string as the folder name and the name of its running parent process as the file name (in this sample, Super-Mario-Bros.exe). 
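The following Python is an added example for this section, not code from the Cyble report or from the SupremeBot sample: a command-line triage routine for the persistence and clean-up behaviour described here. It flags a schtasks /Create with a MINUTE schedule, a task action under a ProgramData folder whose brace-wrapped name is not a well-formed GUID (a real GUID is five hexadecimal groups, 8-4-4-4-12; the folder name quoted in this section has four groups and letters outside 0–9/A–F), and the taskkill-then-erase self-deletion one-liner. The first two sample command lines are constructed to mirror the ones quoted in this section; the two benign controls, their task names and their file names are invented.

```python
import re
from pathlib import PureWindowsPath

DQ = chr(34)  # the double-quote character

# A genuine GUID is five hexadecimal groups, 8-4-4-4-12. The SupremeBot folder
# name merely looks like one: four groups, with letters outside 0-9/A-F.
REAL_GUID = re.compile('^[{][0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}[}]$')
SCHTASKS_CREATE = re.compile('schtasks(.exe)?[ ]+/create', re.IGNORECASE)
# taskkill /im <image> /f & erase <path>: the self-deletion one-liner
SELF_DELETE = re.compile('taskkill[ ]+/im[ ]+([^ ]+)[ ]+/f[ ]*&[ ]*erase[ ]+([^ ]+)', re.IGNORECASE)


def switch_value(tokens, name):
    # Value following a /SWITCH (case-insensitive), or None when absent.
    lowered = [t.lower() for t in tokens]
    if name.lower() not in lowered:
        return None
    i = lowered.index(name.lower())
    return tokens[i + 1] if i + 1 < len(tokens) else None


def fake_guid_component(path):
    # First brace-wrapped path component that is not a well-formed GUID, or None.
    for part in PureWindowsPath(path).parts:
        if part.startswith('{') and part.endswith('}') and not REAL_GUID.match(part):
            return part
    return None


def triage(cmdline):
    # Findings for one process command line; an empty list means nothing matched.
    findings = []
    flat = cmdline.replace(DQ, '')   # the paths here contain no spaces, so quotes can go
    tokens = flat.split()
    if SCHTASKS_CREATE.search(flat):
        schedule = (switch_value(tokens, '/SC') or '').lower()
        modifier = switch_value(tokens, '/MO') or '1'
        action = switch_value(tokens, '/TR') or ''
        if schedule == 'minute':
            findings.append('high-frequency task: every %s minute(s)' % modifier)
        odd = fake_guid_component(action)
        if odd:
            findings.append('task action under fake-GUID folder %s' % odd)
    match = SELF_DELETE.search(flat)
    if match:
        findings.append('self-delete: taskkill %s then erase %s' % (match.group(1), match.group(2)))
    return findings


def quoted(s):
    return DQ + s + DQ


# Constructed samples: the first two mirror the command lines quoted in this
# section; the other two are invented benign controls (a daily backup task and a
# 15-minute task whose folder name is a real GUID).
SAMPLES = [
    quoted('C:\\Windows\\System32\\schtasks.exe') + ' /Create /SC MINUTE /MO 15 /TN '
    + quoted('U757WD6WG4EDHUD873') + ' /TR '
    + quoted('C:\\ProgramData\\{FY3PFGWN-J6QF-EIEE-KMFXFHFLWH1Q}\\Super-Mario-Bros.exe') + ' /F',
    quoted('C:\\Windows\\System32\\cmd.exe') + ' /c taskkill /im atom.exe /f & erase C:\\Users\\Admin\\AppData\\Roaming\\atom.exe & exit',
    quoted('C:\\Windows\\System32\\schtasks.exe') + ' /Create /SC DAILY /ST 02:00 /TN NightlyBackup /TR C:\\Tools\\Backup.exe /F',
    quoted('C:\\Windows\\System32\\schtasks.exe') + ' /Create /SC MINUTE /MO 15 /TN VendorHealth /TR C:\\ProgramData\\{A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D}\\health.exe /F',
]


def run_samples():
    return [triage(s) for s in SAMPLES]


if __name__ == '__main__':
    for cmd, found in zip(SAMPLES, run_samples()):
        print(cmd)
        for f in found:
            print('  ->', f)
```

Feed triage() the CommandLine field of process-creation events (Sysmon Event ID 1 or Windows Security event 4688). A 15-minute task whose action sits in a non-GUID brace folder is a strong signal on its own, whereas the MINUTE schedule alone also fires on legitimate agents, as the last control shows.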
The folder name mimics a Globally Unique Identifier (GUID), but it is not a well-formed one: a real GUID is five hexadecimal groups (8-4-4-4-12), whereas this name has four groups and letters outside 0–9 and A–F, which makes it stand out in a directory listing:\r\nC:\\ProgramData\\{FY3PFGWN-J6QF-EIEE-KMFXFHFLWH1Q}\\Super-Mario-Bros.exe\r\n“atom.exe” then runs a schtasks command that creates a scheduled task executing the ProgramData copy every 15 minutes with no end date (/SC MINUTE /MO 15; /F overwrites any existing task of that name):\r\n“C:\\Windows\\System32\\schtasks.exe” /Create /SC MINUTE /MO 15 /TN “U757WD6WG4EDHUD873” /TR “C:\\ProgramData\\{FY3PFGWN-J6QF-EIEE-KMFXFHFLWH1Q}\\Super-Mario-Bros.exe” /F\r\nFigure 9 – Scheduled task entry for persistence\r\nNext, it kills the “atom.exe” process and removes the original file from %appdata% with the following command line, so that only the ProgramData copy remains:\r\n“C:\\Windows\\System32\\cmd.exe” /c taskkill /im atom.exe /f \u0026 erase C:\\Users\\\u003cAdmin\u003e\\AppData\\Roaming\\atom.exe \u0026 exit\r\nAfter that deletion, the ProgramData copy runs and connects to the C\u0026C server “silentlegion[.]duckdns[.]org” using the Windows HTTP Services (WinHTTP) API.\r\nThe mining client performs the following activities:\r\nIt sends a POST request to “hxxp://silentlegion[.]duckdns[.]org/gate/update[.]php” that includes the victim system’s CPU and GPU versions as unique identifiers.\r\nIt then sends a POST request to “hxxp://silentlegion[.]duckdns[.]org/gate/connection[.]php” to check whether the client is registered.\r\nIf the unique identifier is not found, the client sends a further POST request to register itself by adding the unique identifier.\r\nOnce the connection is established, it receives XMRig CPU and GPU mining configuration from the C\u0026C server.\r\nLastly, it sends an HTTP POST request to “hxxp://silentlegion[.]duckdns[.]org/gate/config[.]php” containing the miner configuration specific to the victim’s machine.\r\nFurthermore, “atom.exe” retrieves an information-stealing executable from the following C\u0026C URL:\r\nhxxp[:]//shadowlegion[.]duckdns[.]org/wime[.]exe\r\n“wime.exe” is a 32-bit binary packed with Themida. When executed, it unpacks itself and loads the Umbral Stealer into process memory. Umbral Stealer is a Windows information stealer available on GitHub as an open-source project.\r\nUmbral Stealer\r\nUmbral Stealer is a lightweight information stealer written in C#. It collects data and sends it to the attacker through Discord webhooks. The stealer has been available on GitHub since April 2023 and is continuously updated by its author.\r\nThe stealer’s main function calls two key functions, Process() and Run(), as shown in the code snippet below.\r\nFigure 10 – Umbral stealer main function\r\nThe Process() function performs initialization and setup before the payload proper runs:\r\nIt starts by validating the webhook and exits if none is configured. It then registers a unique mutex to prevent multiple instances of the payload from running simultaneously.\r\nNext, it waits for an active internet connection so that the payload can reach external resources before proceeding.\r\nIt checks whether it is running on a virtual machine and exits if so.\r\nThen, if the malware is not already set to run at system startup, it requests administrative privileges by prompting a UAC (User Account Control) dialog.\r\nThe function attempts to hide the payload process and adds it to the Windows Defender exclusions. If tamper protection is not enabled, it tries to disable Windows Defender.\r\nFinally, if running with administrative privileges, it adds the payload to the system startup to ensure persistence.\r\nFigure 11 – Umbral stealer initialization and setup code snippet\r\nThe Run() function executes the main functionality of the payload.\r\nIt begins by generating a random file path for temporary data storage and creates a temporary folder for the collected data.\r\nIf the malware runs with administrative privileges, it calls BlockAvSites() to block known antivirus-related websites and hinder detection or clean-up.\r\nBlockAvSites() modifies the Windows hosts file at “System32\\drivers\\etc\\hosts”: it inserts entries that map the domain names of designated antivirus-related websites to the IP address 0.0.0.0.\r\nBecause the hosts file is consulted before DNS, the infected system can no longer reach those vendors’ sites, so downloads of security tools, signature updates and online scans from the infected machine fail. Writing the hosts file requires administrative privileges, which is why this step only runs after the UAC elevation described above; the entries are also easy to audit, since a clean hosts file normally contains only comments and loopback mappings.\r\nThe figure below shows the code snippet of the BlockAvSites() function and the modified hosts file.\r\nFigure 12 – BlockAvSites() function\r\nThe Run() function then starts and awaits multiple tasks that collect data from the target system. These tasks include:\r\nCapturing screenshots\r\nRetrieving browser passwords and cookies\r\nCapturing webcam images\r\nObtaining Telegram session files and Discord tokens\r\nAcquiring Roblox cookies and Minecraft session files\r\nCollecting files associated with cryptocurrency wallets\r\nUmbral Stealer targets the following web 
browsers:\r\nBrave\r\nChrome\r\nChromium\r\nComodo\r\nEdge\r\nEpic Privacy Browser\r\nIridium\r\nOpera\r\nOpera GX\r\nSlimjet\r\nUR Browser\r\nVivaldi\r\nYandex\r\nThe stealer also specifically targets the following crypto wallets:\r\nZcash\r\nArmory\r\nBytecoin\r\nJaxx\r\nExodus\r\nEthereum\r\nElectrum\r\nAtomicWallet\r\nGuarda\r\nCoinomi\r\nNext, the collected data is saved to the appropriate directories within the temporary folder, and the function keeps a count of the items collected. Finally, it reports those counts as a summary of the payload’s actions, using the code shown in the figure below.\r\nFigure 13 – Summary of the Umbral Stealer’s actions\r\nThe collected data is transmitted to the attacker using the Discord webhook shown below.\r\nFigure 14 – Discord webhook for exfiltration\r\nBuilder:\r\nThe image below depicts the Umbral Stealer builder available on GitHub.\r\nFigure 15 – Umbral stealer builder GUI\r\nConclusion\r\nThe large and interconnected user base of the gaming community is an appealing target for TAs aiming to carry out various malicious activities.\r\nThis coin-miner campaign leverages the Super Mario Forever game to target gamers and other individuals who use high-performance machines for gaming purposes. 
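For responders checking a host for the Umbral component, the following Python is an added example, not code from the Cyble report or from the Umbral project. It parses a Windows hosts file and flags every non-loopback name mapped to 0.0.0.0 or 127.0.0.1, the artifact BlockAvSites() leaves behind, and scans log lines for Discord webhook URLs, the exfiltration channel described above. The report does not list the domains Umbral redirects, so the security-vendor domain list, the sample hosts file and the sample log lines are constructed assumptions for the demonstration; any sinkholed non-loopback name is reported regardless of that list.

```python
import re

# Addresses that turn a hosts-file mapping into a black hole.
SINKHOLE_IPS = {'0.0.0.0', '127.0.0.1', '::1'}
# Names that legitimately map to loopback in a clean hosts file.
LOOPBACK_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost', 'ip6-localhost', 'ip6-loopback'}
# Illustrative security-vendor domains (an assumption: the report does not list
# the domains that BlockAvSites() redirects).
SECURITY_DOMAINS = ('virustotal.com', 'avast.com', 'avg.com', 'bitdefender.com', 'eset.com',
                    'kaspersky.com', 'malwarebytes.com', 'mcafee.com', 'norton.com', 'sophos.com')
# Discord webhook endpoint: numeric webhook id followed by the secret token.
WEBHOOK = re.compile('https?://(?:[a-z]+[.])?discord(?:app)?[.]com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+')


def parse_hosts(text):
    # (line number, address, [names]) for each mapping line; comments and blanks are skipped.
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            entries.append((number, fields[0], fields[1:]))
    return entries


def is_vendor(name):
    lowered = name.lower()
    return any(lowered == d or lowered.endswith('.' + d) for d in SECURITY_DOMAINS)


def sinkholed_entries(text):
    # Mappings that send a non-loopback name to a black-hole address, tagged by category.
    findings = []
    for number, address, names in parse_hosts(text):
        if address not in SINKHOLE_IPS:
            continue
        for name in names:
            if name.lower() in LOOPBACK_NAMES:
                continue
            category = 'security-vendor' if is_vendor(name) else 'other'
            findings.append((number, address, name, category))
    return findings


def cleaned_hosts_lines(text):
    # Remediation: the hosts file lines with every sinkholed line removed.
    bad = {number for number, _, _, _ in sinkholed_entries(text)}
    return [line for number, line in enumerate(text.splitlines(), 1) if number not in bad]


def webhook_urls(log_lines):
    # Discord webhook URLs found in proxy or network log lines.
    return [m.group(0) for line in log_lines for m in WEBHOOK.finditer(line)]


# Constructed sample: %SystemRoot%\\System32\\drivers\\etc\\hosts after BlockAvSites() ran.
SAMPLE_HOSTS = '''# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
0.0.0.0 virustotal.com
0.0.0.0 www.virustotal.com
0.0.0.0 avast.com
0.0.0.0 www.malwarebytes.com
0.0.0.0 ads.example.net
'''

# Constructed proxy log lines: one webhook POST, one ordinary Discord visit, one C2 check-in.
SAMPLE_LOG = [
    '2023-06-23T10:15:02Z 10.0.0.12 POST https://discord.com/api/webhooks/1111111111111111111/aBcDeFgHiJkLmNoPqRsTuVwXyZ-0123456789_abcdefghijklmnop 200',
    '2023-06-23T10:15:05Z 10.0.0.12 GET https://discord.com/app 200',
    '2023-06-23T10:15:09Z 10.0.0.12 POST http://silentlegion.duckdns.org/gate/update.php 200',
]


if __name__ == '__main__':
    for number, address, name, category in sinkholed_entries(SAMPLE_HOSTS):
        print('hosts line %d: %s -> %s (%s)' % (number, name, address, category))
    for url in webhook_urls(SAMPLE_LOG):
        print('webhook exfiltration endpoint:', url)
```

cleaned_hosts_lines() returns the file with the offending lines dropped; on a live host, read and rewrite %SystemRoot%\\System32\\drivers\\etc\\hosts from an elevated prompt, since the file is writable only by administrators. Treat a webhook hit as a leak of everything the stealer collects (browser credentials, Discord and Telegram tokens, wallet files), not as a single file transfer, and rotate accordingly.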
Furthermore, the malware also deploys a stealer component to acquire sensitive information from victims’ systems for additional financial gain.\r\nThe combination of mining and stealing leads to financial losses, a substantial decline in the victim’s system performance, and the depletion of system resources. As a consequence, both individual users and organizations suffer productivity setbacks. CRIL continuously monitors the latest malware variants in circulation and updates its blogs with actionable intelligence to safeguard users against such attacks.\r\nOur Recommendations\r\nUsers are advised to check their system performance and CPU usage periodically.\r\nEnterprises should prevent users from downloading pirated software from warez/torrent websites. “Hack tools” promoted on YouTube, torrent sites, etc. frequently carry such malware.\r\nOrganizational information security policies and acceptable usage policies should be updated to explicitly prohibit downloading and installing crypto mining software on end-user systems.\r\nUsers should turn on automatic software updates on their computers, mobile devices, and other connected devices.\r\nUsing a reputable antivirus and internet security package is recommended on connected devices, including PCs, laptops, and mobile devices.\r\nAs part of ongoing security awareness training, users should be educated to refrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats such as phishing attacks and untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., torrent/warez sites.\r\nEndpoints and servers should be monitored for unexpected spikes in CPU and RAM utilization that could point to a malware infection.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nExecution | T1047 | Windows Management Instrumentation\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell\r\nExecution | T1059 | Command and Scripting Interpreter\r\nExecution | T1203 | Exploitation for Client Execution\r\nPersistence | T1053 | Scheduled Task/Job\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service\r\nPrivilege Escalation | T1055 | Process Injection\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion\r\nDefense Evasion | T1027 | Obfuscated Files or Information\r\nDefense Evasion | T1036 | Masquerading\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify T
ools\r\nCredential Access | T1056 | Input Capture\r\nDiscovery | T1057 | Process Discovery\r\nDiscovery | T1012 | Query Registry\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nCollection | T1115 | Clipboard Data\r\nCollection | T1125 | Video Capture\r\nC\u0026C | T1105 | Ingress Tool Transfer\r\nImpact | T1529 | System Shutdown/Reboot\r\nIndicators of Compromise\r\nIndicator | Type | Description\r\n90647ec1bc00c6d35ba3fd7ee214cd20 | MD5 | Super Mario Bros installer (NSIS file)\r\n0eb317fb165e87c23770ab6dff45e92dbd209b66 | SHA1 | Super Mario Bros installer (NSIS file)\r\ne9cc8222d121a68b6802ff24a84754e117c55ae09d61d54b2bc96ef6fb267a54 | SHA256 | Super Mario Bros installer (NSIS file)\r\n54d4bcd4e789a196022632e1f0922dd7 | MD5 | atom.exe (SupremeBot)\r\n41ff5729fdeafec9879f12faffa3a62391e0a6f5 | SHA1 | atom.exe (SupremeBot)\r\n41d1024209b738785ace023c36b2165d95eab99b0d892327212b8a5f7c311610 | SHA256 | atom.exe (SupremeBot)\r\nabbf1ee343b1cdc834be281caef875c8 | MD5 | java.exe (XMR miner)\r\nb72ffd7f63d4ad1de95783b7cf1ecb89cdb0056b | SHA1 | java.exe (XMR miner)\r\n1f479a220e41be1c22092d76400565d0f7d8e890d1069a2f8bbdc5f697d9808f | SHA256 | java.exe (XMR miner)\r\n1335a17d311b929988693fb526dc4717 | MD5 | wime.exe (Umbral Stealer)\r\n062830cb07ce430fe049627e001ef23fba8ba351 | SHA1 | wime.exe (Umbral Stealer)\r\n88556497794511dde0ca0a1bfee08922288a620c95a8bc6f67d50dbb81684b22 | SHA256 | wime.exe (Umbral Stealer)\r\nhxxp://shadowlegion[.]duckdns[.]org/nam/api/endpoint[.]php | URL | Connection from XMR miner\r\nhxxp://silentlegion[.]duckdns[.]org/gate/update[.]php | URL | Connection from SupremeBot\r\nhxxp://silentlegion[.]duckdns[.]org/gate/connection[.]php | URL | Connection from SupremeBot\r\nhxxp://silentlegion[.]duckdns[.]org/gate/config[.]php | URL | Connection from SupremeBot\r\nhxxp[:]//shadowlegion[.]duckdns[.]org/wime[.]exe | URL | Umbral Stealer downloaded by SupremeBot\r\nSource: https://blog.cyble.com/2023/06/23/trojanized-super-mario-game-installer-spreads-supremebot-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2023/06/23/trojanized-super-mario-game-installer-spreads-supremebot-malware/"
	],
	"report_names": [
		"trojanized-super-mario-game-installer-spreads-supremebot-malware"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a32b3de1f04e4af521600820ff4edc70206df03.pdf",
		"text": "https://archive.orkl.eu/8a32b3de1f04e4af521600820ff4edc70206df03.txt",
		"img": "https://archive.orkl.eu/8a32b3de1f04e4af521600820ff4edc70206df03.jpg"
	}
}