{
	"id": "67545a4f-5b2c-4079-8aad-23b661d6f31c",
	"created_at": "2026-04-06T15:53:16.704092Z",
	"updated_at": "2026-04-10T03:24:23.464043Z",
	"deleted_at": null,
	"sha1_hash": "8cbd851be576e6082cf450d5dfc0bc36ad982318",
	"title": "Chisel (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40189,
	"plain_text": "Chisel (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 15:48:53 UTC\r\nwin.chisel\r\nChisel\r\nChisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. For example, SentinelOne observed it during a PYSA ransomware campaign, where it was used to achieve persistence and as a backdoor.\r\nGitHub: https://github.com/jpillora/chisel\r\nReferences\r\n2024-11-04 ⋅ Securonix ⋅ Den Iyzvyk, Tim Peck\r\nCRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging\r\nChisel\r\n2022-09-12 ⋅ Arctic Wolf ⋅ Alex Ammons, Arctic Wolf Labs Team, Markus Neis, Ross Phillips, Steven Campbell, Teresa Whitmore\r\nChiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free\r\nChisel Lorenz\r\n2022-04-18 ⋅ SentinelOne ⋅ James Haughom\r\nFrom the Front Lines | Peering into A PYSA Ransomware Attack\r\nChisel Chisel Cobalt Strike Mespinoza\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.chisel",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.chisel"
	],
	"report_names": [
		"win.chisel"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775490796,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8cbd851be576e6082cf450d5dfc0bc36ad982318.pdf",
		"text": "https://archive.orkl.eu/8cbd851be576e6082cf450d5dfc0bc36ad982318.txt",
		"img": "https://archive.orkl.eu/8cbd851be576e6082cf450d5dfc0bc36ad982318.jpg"
	}
}