{
	"id": "171ad0b7-7b29-444f-a099-c20ef37a0a30",
	"created_at": "2026-04-06T00:11:48.412539Z",
	"updated_at": "2026-04-10T03:36:13.718424Z",
	"deleted_at": null,
	"sha1_hash": "8bdd6377492fe8d0860eb58fe05eaf4f238bc6b3",
	"title": "Cyble - EvilCoder Project Selling Multiple Dangerous Tools Online",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1466261,
	"plain_text": "Cyble - EvilCoder Project Selling Multiple Dangerous Tools Online\r\nBy cybleinc\r\nPublished: 2022-08-19 · Archived: 2026-04-05 22:46:59 UTC\r\nCyble analyzes EvilCoder, a new project spotted selling multiple dangerous tools online capable of ransomware and HVNC attacks.\r\nSophisticated XWorm RAT with Ransomware and HVNC Attack Capabilities\r\nDuring a routine threat-hunting exercise, Cyble Research Labs discovered a dark web post where a malware developer was advertising a powerful Windows RAT.\r\nhttps://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/\r\nPage 1 of 18\r\nFigure 1 – Dark Web Post for XWorm\r\nThis post redirected us to the website of the malware developer, where multiple malicious tools are being sold. The figure below shows the malware developer’s website.\r\nFigure 2 – Post by The Malicious Program Developer\r\nThe developer is selling tools to create malware, hide existing malware, crypto money grabber PowerShell scripts, etc.\r\nWe have listed all the tools posted by the malware developer and the possible impact of these tools on victim systems. The following table shows these tools and their corresponding functionalities.\r\nTool | Price | Description\r\nHidden Malware Builder v2.0/V4.0 | $45 | Hidden Malware Builder is a .NET-based malware builder tool that requires .NET Framework 4. This tool creates binary files with the following capabilities: hiding the C\u0026C server from other processes, start-up, scheduled tasks, and the hard drive; running as Administrator permanently; merging with another file using the AES algorithm; anti-analysis techniques such as anti-VM, anti-debugger, anti-sandbox, and anti-emulator.\r\nCrypto Money Grabber PowerShell Script | $40 | The malware developer sells a PowerShell script to steal cryptocurrency from the victims’ systems.\r\nMulti Downloader Builder V2.0 | $30 | Download and execute multiple files from URL (FUD 100%) (Output: 7KB).\r\nHidden CPLApplet Builder V2.0 | $80 | The developer has created a tool that can build malicious CPLApplet programs. The following features are available in the builder: Injection in explorer.exe; Hidden schtasks; WDExclusion; Anti-Analysis.\r\nUAC Bypasser Builder V2.0 | $50 | The UAC Bypasser builder tool bypasses the UAC check of the operating system for the given file. The features provided by the malware developer are: Support All Files; RunAs-Loop; Cmstp-Bypass; WDExclusion; Anti-Analysis; TaskScheduler.\r\nXBinder V2.0 | $80 | The XBinder tool is a Remote Access Trojan (RAT) builder and management tool. The features, according to the developer, are: Runonce; Hidden; SetWorkPath; REG [Start-up]; WDExclusion; Task [Start-up]; UAC [Normal-Bypass]; Delay [seconds]; Bot Killer; Anti-Analysis; Delete After Run; Disable Super Hidden; Pumper; Icon Changer; Spoofer.\r\nXWorm V2.2 | $150 | This version of the malware builder tool creates client binaries with RAT and ransomware capabilities. The functionalities of the RATs created using this tool are: Monitor [Mouse – Keyboard – AutoSave]; Run File [Disk – Link – Memory – Script – RunPE]; WebCam [AutoSave]; Microphone; DDoS Attack; Location Manager [GPS – IP]; Client operation [Restart – Close – Uninstall – Update – Block – Note]; Power [Shutdown – Restart – Logoff]; Blank Screen [Enable – Disable]; Bookmarks – Browsers – All-In-One – DiscordTokens; FileZilla – ProduKey – WifiKeys – Email Clients; KeyLogger; USB Spread; Bot killer; UAC Bypass [RunAs – Cmstp – Computerdefaults – DismCore]; Run Clipper [All Cryptocurrencies]; Ransomware [Encrypt – Decrypt]; Ngrok Installer; HVNC; Hidden RDP; WDDisable; WDExclusion; Install [Start-up – Registry – schtasks].\r\nWe searched for EvilCoder Project samples in the wild and identified a few active instances of XWorm, indicating that XWorm is the more prevalent and sophisticated variant. The malware is a .NET compiled binary that uses multiple persistence and defense evasion techniques.\r\nThe malicious binary can drop multiple malicious payloads at various system locations, can add and modify registry entries, and can execute commands. The figure below shows the XWorm builder panel as shown on the developer’s site.\r\nFigure 3 – XWorm Post on Malware Developer’s Website\r\nTechnical Analysis\r\nXWorm is a .NET binary whose size is 45.5 KB. The file details of “XWorm.exe” are:\r\nFigure 4 – File Details of XWorm.exe\r\nUpon execution, the malware sleeps for one second and performs various checks, such as checking for a mutex and detecting virtual machines, emulators, debuggers, sandbox environments, and Anyrun. If any of these is present, the malware terminates itself.\r\nFigure 5 – Anti Analysis Techniques Used by XWorm\r\nThe malware enumerates the installed programs on the user’s machine and checks for the strings “VMWare” and “VirtualBox”. If these are present, the malware terminates itself, as shown in the figure below.\r\nFigure 6 – Malware Checks for Virtualization Software\r\nThe malware uses the tick count of the machine to detect emulators. The malware then calls the CheckRemoteDebuggerPresent() method to identify the presence of a debugger on the user’s machine.\r\nThe malware can also detect a sandbox environment if “SbieDll.dll” is present in the system. The malware specifically checks whether it is running in the Anyrun sandbox environment by checking the response text from ip-api.com. If the response is set to “True”, it terminates its execution. The figure below shows the anti-analysis code snippet.\r\nFigure 7 – Malware Performs Various Anti-Analysis Checks\r\nTo establish persistence, the malware drops itself into the start-up folder. The malware also copies itself into the “AppData” folder and creates a scheduled task entry.\r\nFinally, the malware creates an autorun entry in the registry to ensure that it executes whenever the system restarts. The figure below shows the persistence activities performed by the malware.\r\nFigure 8 – Malware Routine to establish persistence on a victim machine\r\nAfter establishing persistence, the malware initiates communication with the C\u0026C server. Then, the malware creates a new thread that collects and sends system details to the C\u0026C domain system6458[.]ddns[.]net on port 6666. Exfiltrated details include information such as processor count, UserName, MachineName, OSVersion, malware version, date of malware creation, administrative privileges, webcam details, and antivirus programs installed on the system.\r\nFigure 9 – Malware Sending the System Details to C\u0026C\r\nAll the important information, such as the C\u0026C, encryption key, filename, and mutex name, is stored in a public class, “Settings”, as shown in the figure below.\r\nFigure 10 – Hardcoded Configuration Details of Malware\r\nAfter the initial communication, the malware waits for instructions from the C\u0026C server. The malware can perform multiple tasks such as keylogging, screen capture, auto-update, self-destruction, running scripts, and ransomware operations.\r\nThe malware has a routine, Read(), which receives AES-encrypted commands from the C\u0026C; these are then decrypted and used to perform the associated operations. Some of these important operations are discussed in the following section. The figure below shows the code snippet of the malware that performs DDoS and Clipper operations.\r\nFigure 11 – Routine to Perform DDoS and Clipper Operations\r\nThe malware has a routine to perform file and folder operations such as creating files/folders, showing or hiding files/folders, exfiltrating files, etc. The figure below shows the file operation routines.\r\nFigure 12 – File and Folder Operations of the Malware\r\nThe following figure shows the keylogging, screen capture, and mouse operations, along with the corresponding commands.\r\nFigure 13 – Routine for Keyboard, Mouse and Screen Operations\r\nThe malware author also provides an encryption routine for ransomware operations, as shown below.\r\nFigure 14 – File Encryption Routine\r\nThis malware also has a routine for performing a Hidden Virtual Network Computing (HVNC) attack. HVNC is a tactical means for malware to control a remote machine without the victim’s knowledge. The figure below shows the routine for performing an HVNC attack.\r\nFigure 15 – Routine to Perform an HVNC Attack\r\nConclusion\r\nThis post showcases that even a malware developer with minimal or no responsibility can develop malicious programs and sell them on various forums for monetary gain.\r\nTo get more customers, the malware developers provide multiple highly impactful and dangerous features, such as ransomware, HVNC, etc., to TAs.\r\nWe have observed similar trends earlier, where malware developers provide highly sophisticated tools to cybercriminals for their own financial gain.\r\nWe will continue monitoring the latest threat actors and trends across the surface, deep and dark web and keep our readers informed.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nHow to prevent malware infection?\r\nDownload and install software only from official app stores like the Play Store or the iOS App Store.\r\nUse a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nHow to identify whether you are infected?\r\nRegularly check the mobile/Wi-Fi data usage of applications installed on mobile devices.\r\nKeep an eye on the alerts provided by antivirus software and the Android OS and take the necessary actions accordingly.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1059.001 | Bypasses PowerShell execution policy\r\nPersistence | T1547.001 | Registry Run Keys / Startup Folder\r\nPrivilege Escalation | T1055 | Process Injection\r\nDefense Evasion | T1027.003 | Obfuscated Files or Information\r\nDefense Evasion | T1036.005 | Masquerading – Drops PE files with benign system names\r\nDiscovery | T1082 | System Information Discovery\r\nCommand and Control | T1071.001 | Application Layer Protocol\r\nIndicators of Compromise (IOCs)\r\nSource: https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/"
	],
	"report_names": [
		"evilcoder-project-selling-multiple-dangerous-tools-online"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434308,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bdd6377492fe8d0860eb58fe05eaf4f238bc6b3.pdf",
		"text": "https://archive.orkl.eu/8bdd6377492fe8d0860eb58fe05eaf4f238bc6b3.txt",
		"img": "https://archive.orkl.eu/8bdd6377492fe8d0860eb58fe05eaf4f238bc6b3.jpg"
	}
}