{
	"id": "4beffec1-89db-4012-bd48-b88494db19b1",
	"created_at": "2026-04-06T00:10:28.884792Z",
	"updated_at": "2026-04-10T13:12:12.351693Z",
	"deleted_at": null,
	"sha1_hash": "93f379a6d7ca5784ce4688294fa30c617ef51bfa",
	"title": "Snake and XLoader (Mac Version) – Malware Book Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104607,
	"plain_text": "Snake and XLoader (Mac Version) – Malware Book Reports\r\nBy muzi\r\nArchived: 2026-04-05 14:31:51 UTC\r\nAccording to netmarketshare, Windows still owns about 87% of the market versus about 9% for Mac OS.\r\nAlthough Windows will likely stay the predominant leader of the pack, Mac OS continues to grow year over year,\r\nboth in consumer and commercial markets. Likewise, malware for Windows is also by far the most common, but\r\nmalware for Mac OS is gaining popularity.\r\nA few weeks ago, a sample came across that was interesting – a Java dropper that had support for both Windows\r\nand Mac OS. Depending on the operating system, the dropper would decrypt one of the two encrypted pieces of\r\nmalware stored as a resource and run it. Cross-platform malware, using languages such as Java or Golang, is\r\nrelatively uncommon, but continues to gain popularity as the consumer and commercial markets diversify between\r\nWindows and Mac.\r\nJava Dropper\r\nFilename: Statement SKBMT 09818.jar\r\nMD5: 3f471e4079fe67cbc77f5705975d26fd\r\nSHA1: 7f55519e3fc02feace1e4bc55d984eef6eb24353\r\nSHA256: 151d3313216b97f76fec2c0450d26de34aeb0c6817365fe3484a532b4443ed4a\r\nThis Java Dropper was received via a phishing email attachment. 
Zipdump provided a preview of the contents of\r\nthe JAR file:\r\nFigure 1: Java Dropper Contents\r\nThe preview from zipdump details the contents inside the JAR file, namely:\r\n2 Class files\r\n3 Resources\r\nThe MANIFEST.MF file provided the main class and starting point for the JAR file, OBSrz.class.\r\nFigure 2: MANIFEST.MF File Contents\r\nJAR files/Java Class files can be analyzed using a Java Decompiler, such as JD Project, Procyon and CFR.\r\nOBSrz.class\r\nhttps://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/\r\nPage 1 of 10\n\nOnce decompiled using CFR, OBSrz is straightforward to read as there is no obfuscation hampering analysis.\r\nFigure 3: OBSrz.class (main) Decompiled\r\nFirst, the dropper checks for the operating system via the GetOS function to determine which encrypted resource\r\nto decrypt.\r\nFigure 4: GetOS Function\r\nNext, the dropper gets the filename based on the operating system identified from GetOS.\r\nFigure 5: Get_Crypted_Filename (mach_o vs exe)\r\nFinally, once the OS has been determined and the correct filename has been chosen, the dropper writes the file to\r\ndisk and executes it (if Mac OS, it also changes the permissions to RWX first). Once the process is running, it will\r\nfinally overwrite the file with a .ico file and display it.\r\nResource Decryption\r\nThe three resources are encrypted using AES. The decryption function is quite simple. It takes the first 16 bytes of\r\na SHA1 hashed string as the key and decrypts using AES-128 (ECB). A quick Python script can be used to decrypt\r\nthe resources. 
Once decrypted, the following files become evident:\r\nNVFFY: MS Windows icon resource – 1 icon, 32×32, 32 bits/pixel\r\nfI4sWHk: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nkIbwf02ld: Mach-O 64-bit executable x86_64\r\nSnake Keylogger\r\nThe malware decrypted and executed if the dropper is run on a Windows machine is Snake Keylogger (aka 404\r\nKeylogger), a subscription-based .NET keylogger with many capabilities. The infostealer can steal sensitive\r\ninformation, log keyboard strokes, take screenshots and extract information from the system clipboard.\r\nThe Snake sample analyzed in this post was packed to avoid detection by EDR and AV products. The packer starts\r\nby decoding a .NET resource using ColorTranslator.ToWin32 into a DLL and loading it with\r\nSystem.Reflection.Assembly.Load.\r\nFigure 1: Decode Resource with ColorTranslator.ToWin32 and Load Assembly in Array\r\nFigure 2: Decoded DLL Loaded with System.Reflection.Assembly.Load\r\nThe decoded DLL is packed with something Hatching calls the “CustAttr .NET packer.” The DLL has a number\r\nof different decoding routines, which ultimately decode another DLL (hreWg xR太太D.dll), which is then\r\nloaded.\r\nFigure 3: One of Several Decoding Routines in the CustAttr .NET Packed DLL\r\nhreWg xR太太D.dll, similar to the previous DLL, performs a number of decoding routines to decode the packed\r\ncode inside of it. This time, rather than using System.Reflection.Assembly.Load to load the next unpacked\r\nexecutable, it opts for a process injection technique called Process Hollowing. 
It uses the following API calls to\r\ninject/execute the final payload:\r\nCreateProcess\r\nUnmapViewOfSection\r\nVirtualAlloc\r\nReadProcessMemory\r\nWriteProcessMemory\r\nVirtualProtect\r\nGetThreadContext\r\nSetThreadContext\r\nResumeThread\r\nFigure 4: Process Hollowing API Calls from hreWg xR太太D.dll\r\nDue to an error in dnSpy which caused variables not to show, the injected executable was dumped via PE-sieve.\r\nFigure 5: dnSpy Error\r\nFigure 6: PE-sieve Dumping Injected Exe\r\nThe dumped executable is named 0DFFENDR.exe. When opened in dnSpy, it is obvious that this executable is\r\nheavily obfuscated. de4dot identified the following obfuscators:\r\nConfuserEx / Beds Protector\r\nBabel .NET\r\nFigure 7: 0DFFENDR.exe Obfuscation dnSpy\r\nWith 0DFFENDR.exe being heavily obfuscated, it can be easier to clean up the obfuscation by first executing\r\nthe original executable, then using Megadumper to dump out the process that was injected by hreWg xR太太D.dll.\r\nOnce 0DFFENDR.exe is dumped, de4dot will clean up the malware significantly, making the malware\r\nfamily apparent.\r\nFigure 8: Snake Keylogger Identified\r\nAs reported by HP’s Threat Research Team, Snake sometimes copies itself to the start-up folder as part of the\r\nunpacking process. 
The sample analyzed in this post did not do so, but did make a registry entry to run on startup.\r\nFigure 9: Snake Keylogger AddToStartup Function\r\nSnake comes fully featured with a number of infostealing modules supporting a wide variety of applications\r\n(Browsers, Email Clients, Chat Applications, etc.) including:\r\n360_China\r\n360_English\r\n7Star\r\nAmigo\r\nAvast\r\nBlackHawk\r\nBlisk\r\nBrave\r\nCent\r\nChedot\r\nChrome\r\nChrome_Canary\r\nChromium\r\nCitrio\r\nCocCoc\r\nComodo\r\nCoolNovo\r\nCoowon\r\nCyberfox\r\nDiscord\r\nElements\r\nEpic\r\nFalkon\r\nFileZilla\r\nFirefox\r\nFoxmail\r\nGhost\r\nIceCat\r\nIceDragon\r\nIPSurf\r\nIridium\r\nIron\r\nKinzaa\r\nKometa\r\nLiebao\r\nMicrosoft\r\nNichrome\r\nOpera\r\norbitum\r\nOutlook\r\nPaleMoon\r\nPidgin\r\nPostBox\r\nQQ\r\nSalamWeb\r\nSeaMonkey\r\nSleipnir\r\nSlim\r\nSlimjet\r\nSputnik\r\nSuperbird\r\nTheWiFi_Orginal\r\nThunderbird\r\nTorch\r\nUC\r\nUran\r\nVivaldi\r\nWaterFox\r\nWindowsProductKey_Orginal\r\nXpom\r\nxVast\r\nYandex\r\nXLoader (Mac Variant)\r\nAccording to Check Point Research, Formbook malware has been around for 5 years already. In 2020, XLoader\r\nwas developed as a successor of Formbook, sharing a codebase and capabilities but also supporting Mac. 
XLoader\r\nis an infostealer that harvests credentials from various web browsers and applications, collects screenshots, logs\r\nkeystrokes and can download and execute files.\r\nFilename: kIbwf02ld\r\nMD5: 997af06dda7a3c6d1be2f8cac866c78c\r\nSHA1: fb83d869f476e390277aab16b05aa7f3adc0e841\r\nSHA256: 46adfe4740a126455c1a022e835de74f7e3cf59246ca66aa4e878bf52e11645d\r\nThe XLoader Mach-O, similar to the Windows version, is stripped and obfuscates its data; running strings returns\r\nno results.\r\nStatic Analysis\r\nSentinelOne has three blog posts detailing analysis tips and tricks for Mach-O binaries. These static analysis\r\nmethods were used to analyze XLoader and get a basic idea of the intents and capabilities of the malware.\r\nFirst, nm -m was used to display Mach-O segment and section names in alphabetical order. Unfortunately, this\r\nreturns little information as the binary is stripped and function names are encrypted and resolved at runtime with dlsym().\r\nFigure 10: nm -m output showing Mach-O segment and section names\r\nNext, otool was used to extract both libs and methods from XLoader. This information can be extremely useful\r\nas it can identify great places to set breakpoints for debugging. Unfortunately, the XLoader binary once again\r\nprovides little context.\r\nFigure 11: otool -L outputs only dylib\r\nFigure 12: otool -oV Outputs Only the Main Method\r\nThe final piece of static analysis is extracting stack strings. 
This can be done in a variety of ways, using tools such as\r\nFloss, manually extracting with otool, etc.\r\nFigure 13: Example Stack String Within XLoader\r\nFigure 14: Extracting Stack Strings via otool\r\nFinally, using a tool that extracts hidden strings, even more information can be extracted, which provides more\r\nhints at the capabilities of the malware.\r\nFigure 15: Strings Extracted Using Hidden Strings Tool (Custom tool, Floss provides similar\r\noutput)\r\nBased on the output of our stack/hidden string extraction, it is clear that XLoader is focused on stealing Chrome\r\nand Firefox passwords, contents from the clipboard, keystrokes (usernames and passwords from other\r\napplications), etc.\r\nDynamic Analysis\r\nExecuting the sample in a sandbox reveals the hidden app’s Info.plist as well as initial network communications.\r\nUnfortunately, the dynamic analysis was performed after infrastructure was taken down, so there was not very\r\nmuch additional information uncovered.\r\nFigure 16: Hidden App’s Info.plist\r\nFigure 17: XLoader Initial Network Traffic\r\nDetection\r\nJAR Resource Unpacker/Decryptor (Auto Extract both the encrypted exe and Mach-O binary)\r\nSnake Keylogger Yara Rule\r\nrule Snake_Keylogger {\r\n meta:\r\n author = \"muzi\"\r\n date = \"2021-08-20\"\r\n description = \"Detects Snake Keylogger (unpacked)\"\r\n hashes = \"96a6df07b7d331cd6fb9f97e7d3f2162e56f03b7f2b7cdad58193ac1d778e025\"\r\n strings:\r\n $s1 = \"TheSMTPEmail\" ascii wide nocase\r\n $s2 = \"TheSMTPPSWD\" ascii wide nocase\r\n $s3 = \"TheSMTPServer\" ascii wide nocase\r\n $s4 = \"TheSMTPReciver\" ascii wide nocase\r\n $s5 = \"TheFTPUsername\" ascii wide nocase\r\n $s6 = \"TheFTPPSWD\" ascii wide nocase\r\n $s7 = \"TheTelegramToken\" ascii wide nocase\r\n $s8 = \"TheTelegramID\" ascii wide nocase\r\n $s9 = \"loccle\" ascii wide nocase\r\n $s10 = \"get_KPPlogS\" ascii 
wide nocase\r\n $s11 = \"get_Scrlogtimerrr\" ascii wide nocase\r\n $s12 = \"UploadsKeyboardHere\" ascii wide nocase\r\n $s13 = \"get_ProHfutimer\" ascii wide nocase\r\n $s14 = \"Chrome_Killer\" ascii wide nocase\r\n $s15 = \"PWUploader\" ascii wide nocase\r\n $s16 = \"TelSender\" ascii wide nocase\r\n $s17 = \"RamSizePC\" ascii wide nocase\r\n $s18 = \"ClipboardSender\" ascii wide nocase\r\n $s19 = \"ScreenshotSender\" ascii wide nocase\r\n $s20 = \"StartKeylogger\" ascii wide nocase\r\n $s21 = \"TheStoragePWSenderTimer\" ascii wide nocase\r\n $s22 = \"TheStoragePWSender\" ascii wide nocase\r\n $s23 = \"TheHardDiskSpace2\" ascii wide nocase\r\n $s24 = \"registryValueKind_0\" ascii wide nocase\r\n $s25 = \"KeyLoggerEventArgsEventHandler\" ascii wide nocase\r\n $s26 = \"decryptOutlookPassword\" ascii wide nocase\r\n $s27 = \"TheWiFisOutput\" ascii wide nocase\r\n $s28 = \"wifipassword_single\" ascii wide nocase\r\n $s29 = \"WindowsProductKey_Orginal\" ascii wide nocase\r\n $s30 = \"TheWiFi_Orginal\" ascii wide nocase\r\n $s31 = \"OiCuntJollyGoodDayYeHavin\" ascii wide nocase\r\n $s32 = \"de4fuckyou\" ascii wide nocase\r\n condition:\r\n uint16be(0) == 0x4D5A and\r\n 8 of ($s*)\r\n}\r\nCustAttr Packer Yara Rule\r\nrule CustAttr_Packer {\r\n meta:\r\n author = \"muzi\"\r\n date = \"2021-08-20\"\r\n description = \"Detects CustAttr/CutsAttr, a common .NET packer/crypter.\"\r\n strings:\r\n $s1 = \"mscoree.dll\" ascii wide nocase\r\n $x1 = \"CutsAttr\" ascii wide nocase\r\n $x2 = \"SelectorX\" ascii wide nocase\r\n $x3 = \"CustAttr\" ascii wide nocase\r\n condition:\r\n uint16be(0) == 0x4D5A and\r\n $s1 and\r\n 1 of ($x*)\r\n}\r\nXLoader MacOS Yara Rule\r\nrule XLoader_MacOS {\r\n meta:\r\n author = \"muzi\"\r\n date = \"2021-08-20\"\r\n description = 
\"Detects XLoader for macOS\"\r\n strings:\r\n /*\r\n 100001bf8 48 8b 93 b8 08 00 00 MOV RDX, qword ptr [RBX + 0x8b8] lib\r\n 100001bff 48 8d b3 d0 09 00 00 LEA RSI, [RBX + 0x9d0] target\r\n 100001c06 b9 02 00 00 00 MOV ECX, 0x2 cfg_buffer_id\r\n 100001c0b 41 b8 1a 00 00 00 MOV R8D, 0x1a func_num\r\n 100001c11 48 89 df MOV RDI, RBX xl\r\n 100001c14 e8 57 f3 ff ff CALL ab_dlsym_get_func pthread_create\r\n 100001c19 84 c0 TEST AL, AL\r\n 100001c1b 0f 84 64 01 00 00 JZ LAB_100001d85\r\n 100001c21 48 8b 93 b8 08 00 00 MOV RDX, qword ptr [RBX + 0x8b8] lib\r\n 100001c28 48 8d b3 18 09 00 00 LEA RSI, [RBX + 0x918] target\r\n 100001c2f b9 02 00 00 00 MOV ECX, 0x2 cfg_buf_id\r\n 100001c34 45 31 c0 XOR R8D, R8D func_num\r\n 100001c37 48 89 df MOV RDI, RBX xl\r\n 100001c3a e8 31 f3 ff ff CALL ab_dlsym_get_func exit\r\n */\r\n $dlsym_resolve_thread_create = {\r\n (48|49|4c|4d) (8b|8d) ?? ?? ?? 00 00 [0-16] // MOV RDX, qword ptr [RBX + 0xb8]\r\n (48|49|4c|4d) 8d ?? ?? ?? 00 00 [0-16] // LEA RSI, [RBX + 0x9d0]\r\n (B8|B9|BA|BB|BD|BE|BF) 02 00 00 00 [0-16] // MOV ECX, 0x2\r\n (40|41|42|43|44|45|46|47) ?? 1a 00 00 00 [0-16] // MOV R8D, 0x1a\r\n (48|49|4c|4d) 8? ?? [0-16] // MOV RDI, RBX\r\n (E8|FF) ?? ?? ?? ?? // Call func\r\n }\r\n $dlsym_resolve_exit = {\r\n (48|49|4c|4d) (8b|8d) ?? ?? ?? 00 00 [0-16] // MOV RDX, qword ptr [RBX + 0xb8]\r\n (48|49|4c|4d) 8d ?? ?? ?? 00 00 [0-16] // LEA RSI, [RBX + 0x918]\r\n (B8|B9|BA|BB|BD|BE|BF) 02 00 00 00 [0-32] // MOV ECX, 0x2\r\n // XOR R8D, R8D (Could be xor, could\r\n (48|49|4c|4d) 8? ?? [0-16] // MOV RDI, RBX\r\n (E8|FF) ?? ?? ?? ?? 
// Call func\r\n }\r\n condition:\r\n uint32be(0) == 0xCFFAEDFE and all of ($dlsym_*)\r\n}\r\nSource: https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/"
	],
	"report_names": [
		"cross-platform-java-dropper-snake-and-xloader-mac-version"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434228,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93f379a6d7ca5784ce4688294fa30c617ef51bfa.pdf",
		"text": "https://archive.orkl.eu/93f379a6d7ca5784ce4688294fa30c617ef51bfa.txt",
		"img": "https://archive.orkl.eu/93f379a6d7ca5784ce4688294fa30c617ef51bfa.jpg"
	}
}