{
	"id": "75d0f32e-ff6b-47b7-ad49-d266f7fcfd29",
	"created_at": "2026-04-06T00:19:45.665524Z",
	"updated_at": "2026-04-10T03:36:47.800929Z",
	"deleted_at": null,
	"sha1_hash": "8a3a2b0f4ff547e154c1cf2cef9f2e44505e01dc",
	"title": "FFDroider Stealer Is Targeting Social Media Platform | Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1065594,
	"plain_text": "FFDroider Stealer Is Targeting Social Media Platform | Blog\r\nBy Avinash Kumar, Niraj Shivtarkar\r\nPublished: 2022-04-06 · Archived: 2026-04-05 15:56:12 UTC\r\nIntroduction\r\nCredential stealing malware is commonly observed in the landscape of cyber attacks today. Zscaler ThreatLabz\r\nteam has discovered many new types of stealer malwares across different attack campaigns. Stealers are malicious\r\nprograms that threat actors use to collect sensitive information with various techniques including keylogging,\r\ncookie stealing, and sending stolen information to the Command and Control Server. \r\nRecently, ThreatLabz  identified a novel windows based malware creating a registry key as FFDroider. Based on\r\nthis observation, ThreatLabz named this new malware the Win32.PWS.FFDroider. Designed to send stolen\r\ncredentials and cookies to a Command \u0026 Control server, FFDroider disguises itself on victim’s machines to look\r\nlike the instant messaging application “Telegram”. \r\nThreatLabz observed multiple campaign related to FFDroider stealer in our zscaler cloud which arrived via the\r\ncompromised URL download.studymathlive[.]com/normal/lilay.exe and are all connected by a malicious program\r\nembedded into cracked version of installers and freeware.\r\nFigure 1: FFDroider campaign observed in Zscaler cloud\r\nKey features of this attack\r\nSteals  cookies and credentials from the victim’s machine.\r\nTargeting social media platforms to steal the credentials and cookies.\r\nThe stealer signs into victims' social media platforms using stolen cookies, and extracts account\r\ninformation like Facebook Ads-manager to run malicious advertisements with stored payment methods and\r\nInstagram via API to steal personal information.. 
\r\nAdds an inbound allow rule to the Windows Firewall for its copy in the chosen location, permitting otherwise blocked connections to the infected host.\r\nUses iplogger.org to track infection counts.\r\nThe attack cycle\r\nhttps://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users\r\nPage 1 of 19\n\nFigure 2: Attack cycle infographic\r\nThis article focuses primarily on the dissection of the stealer and its functionality.\r\nFFDroider stealer analysis\r\nThe FFDroider stealer is packed with the popular “ASPack v2.12” packer. To understand how the stealer works, ThreatLabz unpacked, decompiled, and debugged the malware, which performs the following tasks during execution:\r\nTo detect the full malware campaign across the Zscaler cloud, researchers unpacked the file to expose the PDB path: F:\\FbRobot\\Release\\FbRobot.pdb\r\nFigure 3: PDB path\r\nDuring execution the stealer creates a mutex to avoid reinfecting the host with different instances of the same malware. The observed mutex value is: “37238328-1324242-5456786-8fdff0-67547552436675”\r\nFigure 4: Mutex name created by malware\r\nTo make copies of itself for further execution, the malware creates a directory in the Documents folder named “VlcpVideov1.01”.\r\nFigure 5: Creating a copy of itself in the desired directory with a well-known application icon.\r\nIt then executes a string decryption routine, an XOR loop over the encrypted string and the key, which decrypts the following strings. These include DLL and API names that are subsequently loaded and resolved with the LoadLibraryA() and GetProcAddress() Windows APIs:\r\n1. “Wininet.dll”\r\n2. “InternetGetCookieExW”\r\n3. “ieframe.dll”\r\n4. “IEGetProtectedModeCookie”\r\n5. “Netapi32.dll”\r\n6. “NetWkstaGetInfo”\r\n7. “NetApiBufferFree”\r\n8. “Advapi32.dll”\r\n9. “Iphlpapi.dll”\r\n10. “RegCreateKey”\r\n11. “GetAdaptersInfo”\r\n12. “FFDroider”\r\nFigure 6: String decryption routine\r\nTo decrypt strings across the malware sample, ThreatLabz rewrote the XOR decryption logic in Python, shown in the screenshot below. The complete decryption code snippet can be found in the Appendix section of this article.\r\nFigure 7: String decryption emulation in Python\r\nInspiring the name, the FFDroider stealer uses a decrypted string and the RegCreateKey() function to create the registry key “HKCU\\Software\\ffdroider\\FFDroider”.\r\nFigure 8: Creates a registry key named “FFDroider”\r\nThe malware then creates multiple threads using CreateThread() to speed up the theft of cookies and credentials while hindering reverse engineering.\r\nAn initial GET request is sent to the C2 server along with the filename via WinHttpSendRequest().\r\nGET request: http[:]//152[.]32[.]228[.]19/seemorebty/il.php?e=\r\nReferer: https[:]//facebook[.]com\r\nAccording to third-party threat intelligence sources, this IP address was previously a Cobalt Strike server.\r\nFigure 9: Initial request to the C2 server logs the filename and IP address of the infected host.\r\nThe response to this request is an iplogger.org URL, which is used to log the public IP address of the environment where the malware has been detonated and may be used by the attackers to track the location and IP address details of the victim. 
After analyzing the statistics of multiple embedded iplogger URLs, we can see how the IP addresses have been logged in the screenshots below.\r\nIPLogger URL: https[:]//iplogger[.]org/logger/ey4zrs2miAY6\r\nFigure 10: IP address of infected host logged using iplogger.org\r\nThe malware then starts its cookie and credential stealer functionality and targets the following browsers and websites:\r\n- Target browsers:\r\n1. Google Chrome\r\n2. Mozilla Firefox\r\n3. Internet Explorer\r\n4. Microsoft Edge\r\nFigure 12: List of target browsers\r\n- Target websites:\r\n1. www[.]facebook[.]com\r\n2. www[.]instagram[.]com\r\n3. www[.]amazon[.]ca/cn/eg/fr/de/in/it/co.jp/nl/pl/sa/sg/es/se/ae/co.uk/com/com.au/com.br/mx/tr\r\n4. www[.]all-access.wax[.]io\r\n5. www[.]ebay[.]com\r\n6. www[.]etsy[.]com\r\n7. www[.]twitter[.]com\r\nFigure 13: List of target web applications (built from stack strings)\r\nUnderstanding the cookie and credential stealer routine:\r\nGoogle Chrome: FFDroider steals cookies and saved login credentials for the Chrome browser from the following data stores:\r\ni) Reads and parses the Chromium SQLite cookie store at C:\\Users\\\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies and writes a copy of the file, named “d”, to the directory where the binary resides using WriteFile().\r\nFigure 14: Reads and parses the Chromium SQLite cookie store\r\nii) Reads and parses the Chromium SQLite credential store at C:\\Users\\\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data, which contains the saved credentials, and writes a copy named “p” to the directory where the binary resides using WriteFile(), because the credential store is locked in the AppData directory while the browser is running.\r\nFigure 15: Reads and parses the Chrome saved login credentials\r\niii) The Chrome SQLite credential store includes the attributes action_url, username_value and password_value; of these, password_value is encrypted using the Windows Crypt API, namely CryptProtectData(). The malware decrypts the encrypted password blob by first querying the copied “Login Data” store with an SQL statement such as “SELECT username_value, password_value FROM logins WHERE origin_url LIKE '%ebay.com/%';”, as seen in the screenshot below.\r\nFigure 16: Execution of SQL queries against the Login Data credential store to extract the required credentials\r\nThe password blob is taken from the query output and passed to CryptUnprotectData() for in-memory decryption, revealing the clear-text credentials saved for the targeted web application. 
\r\nFigure 17: Call to CryptUnprotectData() to decrypt saved Chrome passwords in memory\r\niv) It then reads and parses the Local State file at C:\\Users\\\\AppData\\Local\\Google\\Chrome\\User Data\\Local State and uses WriteFile() to write a copy named “u” to the directory where the binary resides.\r\nFigure 18: Reads and parses the Chromium Local State file\r\nThe cookies are also decrypted in memory with CryptUnprotectData(): the malware loads the JSON “Local State” file, extracts the os_crypt.encrypted_key value, decrypts it with CryptUnprotectData() and keeps the resulting key in memory.\r\nFigure 19: Decrypts the Local State key in memory using CryptUnprotectData()\r\nThe same routine is applied to every Chrome store to steal cookies and stored credentials: SELECT queries via the sqlite3 library fetch the required values for each target website, and CryptUnprotectData() decrypts the cookies and credentials in memory.\r\nFigure 20: Different SQL queries implemented in the binary to parse the cookie and credential stores\r\nInternet Explorer/Edge: The FFDroider stealer gathers cookies, browser history and other user-specific information from Internet Explorer as follows:\r\ni) The malware calls InternetGetCookieExW() to retrieve the cookies for the target websites listed above (HttpOnly cookies are read as well). If access is restricted, IEGetProtectedModeCookie() is used to obtain the low-integrity cookies for all target applications, during which it launches another process, “IElowutil.exe”, a utility for accessing low-integrity cookies and processes.\r\nFigure 21: Execution of InternetGetCookieExW() and IEGetProtectedModeCookie() to steal cookies from the Internet Explorer browser\r\nIt also reads AppData\\Roaming\\Microsoft\\Windows\\Cookies and fetches the cookie and URL details from that store. In addition, it parses cookies, history and downloads from the Microsoft Edge WebCache, C:\\Users\\\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat, by copying it to the directory where the binary resides as the file “d”, which earlier held the Chrome cookies.\r\nFigure 22: Reads and parses the web cache file of the Edge browser to steal cookies, browsing history, and session data.\r\nFurthermore, it reads and parses AppData\\Roaming\\Microsoft\\Windows\\History\\History.IE5 and AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5, which gives the malware the browsing history and the Internet Explorer cache; from these stores it queries attributes such as visited URL, filename and other metadata for the target websites. The malware also attempts to steal saved VPN/dial-up credentials from AppData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk \u0026 \\Pbk\\rasphone.pbk, if present, by leveraging Rasapi32.dll API calls.\r\nMozilla Firefox: The FFDroider stealer steals and parses cookies from the Firefox browser, first by reading profiles.ini (path: C:\\Users\\\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini), which lists the names of the profiles in use. The malware then uses those profile names to access the SQLite cookie store named “cookies.sqlite” (path: C:\\Users\\\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\cookies.sqlite) for each user profile. The cookie attributes are then parsed with a few SQL queries such as “SELECT host,name,path,value,expiry FROM moz_cookies” to fetch the host, name, path, value and expiry of the cookies stored in the Firefox cookie store.\r\nFigure 23: Reads and parses the Mozilla Firefox SQLite cookie store.\r\nFacebook and Instagram data gathering:\r\nThe FFDroider stealer has another capability: if it grabs cookies for facebook.com or instagram.com from any of the target browsers, the cookies are replayed to www[.]facebook[.]com and www[.]instagram[.]com to gather intelligence from the user's Facebook or Instagram accounts.\r\nFacebook:\r\nThe following requests are executed by the malware after grabbing the cookie values:\r\ni) Initially it sends a GET request to https[:]//facebook[.]com with the Facebook cookies stolen from the target browsers to check whether it can authenticate with that set of cookies.\r\nFigure 24: Passes the stolen Facebook cookie to facebook[.]com for authentication\r\nii) If the cookies are valid and authentication succeeds, it sends GET /settings to facebook.com with the access token and the authenticated stolen cookies in order to fetch the account settings of the compromised account.\r\nFigure 25: Grabs account details and access token from the compromised Facebook account\r\niii) It then enumerates whether the compromised account is a business account with access to Facebook Ads Manager and, using the stolen cookies, fetches the following details by parsing the responses:\r\nAccount billing and payment information from Facebook Ads Manager\r\nThe user's Facebook pages and bookmarks\r\nNumber of Facebook friends and other user-related information\r\nFigure 26: Fetches account billing information from Ads Manager along with the Facebook bookmark and pages information.\r\nThis information may be leveraged later to run malicious advertisements from the victim's account and to use the compromised account's payment method to spread the malware further.\r\nInstagram:\r\nWhenever the malware grabs any Instagram cookies from the target browsers' cookie stores, it performs the following routine to steal user account details from the Instagram account:\r\ni) Initially it sends a GET request to https[:]//instagram[.]com with the stolen Instagram cookies to check whether it can authenticate with them, and parses the HTML response.\r\nFigure 27: Passes the stolen Instagram cookie to instagram[.]com for authentication\r\nii) If there is a valid response, it sends the next GET request, GET /, with the username of the compromised account parsed from the previous response, which visits the profile page.\r\nFigure 28: Visits the victim's profile in order to grab the required user information\r\niii) It then sends another request, GET /accounts/edit/, to www[.]instagram.com, which returns the account settings containing all the personal account information such as the email address, mobile number and other details of the compromised account. 
\r\nFigure 29: Grabs personal information such as email address and phone number from the Instagram account edit page.\r\nIn the same manner, all account-related information such as username, password, mobile number and other account details is grabbed from the target websites in the form of cookies, saved credentials and data fetched through the different APIs, and then sent to the C2 server in encrypted form, as discussed below.\r\nExfiltration of stolen information to the C2 server:\r\nThe malware then sends an HTTP POST request to the C2 server http[:]//152[.]32[.]228[.]19/seemorebty with the encrypted cache of data for exfiltration.\r\nFigure 30: Encrypted request sent to the C2 server exfiltrating the encrypted data cache.\r\nData of this kind, encrypted and encoded with a modified Base64 encoding, is sent to the C2 from the infected system when a valid Facebook account cookie is available to the malware in the Chrome browser. The decrypted JSON body can be seen in the screenshot below for Facebook-related exfiltration, where a large amount of Facebook user account information has been transmitted to the C2:\r\nFigure 31: Decrypted request consisting of the information stolen via the compromised Facebook cookie\r\nAn Instagram user's personal account information, including cookies, email address, Instagram user ID, saved password and phone number, is revealed in this decrypted request.\r\nDecrypted JSON body:\r\nFigure 32: Decrypted request showing sensitive data stolen from Instagram.\r\nEncrypted request:\r\nFigure 33: Encrypted request showing stolen Instagram account information.\r\nThe malware also adds an inbound allow rule to the Windows Firewall, as shown in the screenshot below; this step requires administrative privileges.\r\nFigure 34: Inbound firewall rule added by the FFDroider malware, which would allow otherwise blocked connections to the infected host.\r\nDownloader functionality:\r\nAfter stealing the details from the target browsers and websites and sending them to the C2, the FFDroider stealer tries to upgrade itself at a fixed interval by downloading other modules from an update server. It requests the URL http[:]//186[.]2[.]171[.]17/seemorebtu/poe.php?e= by calling wininet.dll APIs such as InternetOpenUrlW() and InternetReadFile(). 
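The network behaviour documented above (the initial check-in GET to il.php?e= with a facebook.com Referer, the iplogger.org URL it returns, the POST to /seemorebty, the update request to poe.php?e=, and the download URLs from the IoC list) is enough to hunt in web proxy logs. The following is an added example, not code from the original post: it re-fangs the indicators from this analysis and runs them, plus one behavioural heuristic (a request to a bare IP address carrying a facebook.com Referer, which is how the check-in looks), over a few constructed proxy log lines. The log format (timestamp, source IP, method, URL, Referer or -) and the filename in the e= parameter are assumptions made for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators from the analysis above, re-fanged for matching.
C2_HOSTS = {'152.32.228.19': 'C2 (seemorebty)',
            '186.2.171.17': 'update server (seemorebtu)'}
C2_PATH_PREFIXES = ('/seemorebty', '/seemorebtu/poe.php')
DROP_HOST = 'download.studymathlive.com'
DROP_PATHS = ('/normal/lilay.exe', '/normal/vinmall880.exe', '/install/vinmall1.exe')
TRACKER_HOST = 'iplogger.org'


def is_bare_ip(host):
    '''True when the URL host is a literal IP address rather than a name.'''
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(method, url, referer):
    '''Return the reasons one proxy record matches FFDroider network
    activity; an empty list means no match.'''
    parts = urlsplit(url)
    host = (parts.hostname or '').lower()
    path = parts.path
    reasons = []
    if host in C2_HOSTS and path.startswith(C2_PATH_PREFIXES):
        reasons.append('known ' + C2_HOSTS[host] + ': ' + method + ' ' + path)
    if host == DROP_HOST and path in DROP_PATHS:
        reasons.append('dropper download from ' + DROP_HOST + path)
    if host == TRACKER_HOST:
        reasons.append('iplogger.org beacon (returned by the C2 check-in)')
    if referer and 'facebook.com' in referer.lower() and is_bare_ip(host):
        reasons.append('bare-IP request with facebook.com Referer (check-in pattern)')
    return reasons


def scan(log_text):
    '''Parse lines of the form: timestamp src_ip method url referer
    (referer is - when absent) and return {src_ip: [(timestamp, reason)]}
    for sources with at least one match.'''
    hits = {}
    for line in log_text.strip().splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, method, url, referer = fields
        referer = '' if referer == '-' else referer
        for reason in classify(method, url, referer):
            hits.setdefault(src, []).append((ts, reason))
    return hits


# Constructed proxy log: 10.0.0.5 plays out the infection chain described in
# the analysis, 10.0.0.7 is a normal Facebook user and must not be flagged.
# The e= value carrying the sample filename is an assumption.
SAMPLE_LOG = '''
2022-04-06T10:01:02Z 10.0.0.5 GET http://download.studymathlive.com/normal/lilay.exe -
2022-04-06T10:02:10Z 10.0.0.5 GET http://152.32.228.19/seemorebty/il.php?e=lilay.exe https://facebook.com
2022-04-06T10:02:11Z 10.0.0.5 GET https://iplogger.org/constructed-path -
2022-04-06T10:05:40Z 10.0.0.5 POST http://152.32.228.19/seemorebty -
2022-04-06T10:35:00Z 10.0.0.5 GET http://186.2.171.17/seemorebtu/poe.php?e=lilay.exe -
2022-04-06T10:36:00Z 10.0.0.7 GET https://www.facebook.com/settings https://www.facebook.com/
'''

if __name__ == '__main__':
    for src, events in scan(SAMPLE_LOG).items():
        print(src)
        for ts, reason in events:
            print('  ', ts, reason)
```

The static indicators will age out as infrastructure moves; the Referer heuristic and the hour-scale cadence between the check-in and the poe.php update request are the parts worth keeping in a detection rule once the IPs are dead.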
The module is written to disk in the previously created “VlcpVideov1.01” directory as “install.exe”.\r\nFigure 35: Malware sends a request to the update server to upgrade itself at a fixed interval.\r\nDebugging functionality:\r\nWhile reverse engineering the malware, we came across functionality the malware authors developed to debug it. If the filename at the time of execution is test.exe, the malware enters its debug state and pops up a message box on every loop, printing the stolen cookies and the final JSON body to be sent to the C2 for each browser and target website, as shown in the screenshot below.\r\nFigure 36: Debugging functionality implemented by the malware authors\r\nCloud Sandbox detection\r\nFigure 37: The Zscaler Cloud Sandbox successfully detected the malware.\r\nIn addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators at various levels:\r\nWin32.PWS.FFDroider\r\nConclusion\r\nOver the years, stealers have become one of the most commonly used malware families in cyber attack campaigns. The Zscaler ThreatLabz team will continue to monitor this attack, as well as others, to help keep our customers safe.\r\nMITRE ATT\u0026CK table\r\nT1055 Process Injection\r\nT1027 Obfuscated Files or Information\r\nT1027.002 Software Packing\r\nT1003 OS Credential Dumping\r\nT1016 System Network Configuration Discovery\r\nT1018 Remote System Discovery\r\nT1057 Process Discovery\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nT1005 Data from Local System\r\nIndicators of Compromise:\r\nHash:\r\nbeb93a48eefd9be5e5664754e9c6f175\r\ne8c629383fe4b2c0cbf57b0d335fc53f\r\n6a235ccfd5dd5e47d299f664d03652b7\r\nb11fd571c6cc4b8768f33a2da71fbb6e\r\nURL:\r\ndownload[.]studymathlive[.]com/normal/vinmall880[.]exe\r\ndownload[.]studymathlive[.]com/normal/lilay[.]exe\r\ndownload[.]studymathlive[.]com/install/vinmall1[.]exe?_sm_byp=iVVkm23V4sqBFtNM\r\ndownload[.]studymathlive[.]com/install/vinmall1[.]exe?_sm_byp=iVVJWHH51nHRJTzP\r\nAppendix:\r\n1. FFDroider Stealer String Decryption Python Code -\r\nSource: https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users"
	],
	"report_names": [
		"ffdroider-stealer-targeting-social-media-platform-users"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434785,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a3a2b0f4ff547e154c1cf2cef9f2e44505e01dc.pdf",
		"text": "https://archive.orkl.eu/8a3a2b0f4ff547e154c1cf2cef9f2e44505e01dc.txt",
		"img": "https://archive.orkl.eu/8a3a2b0f4ff547e154c1cf2cef9f2e44505e01dc.jpg"
	}
}