{ "id": "98740562-29b7-4758-b488-204169c2849f", "created_at": "2026-04-06T00:13:01.882647Z", "updated_at": "2026-04-10T13:12:08.415662Z", "deleted_at": null, "sha1_hash": "949f71bba353d3084646b20ed8c5f53d9c16e113", "title": "VBREVSHELL (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 39728, "plain_text": "VBREVSHELL (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:53:54 UTC\r\nvbs.vbrevshell (Back to overview)\r\nVBREVSHELL\r\nAccording to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on\r\nWindows API calls.\r\nReferences\r\n2023-12-02 ⋅ openhunting.io ⋅ openhunting.io\r\nThreat Hunting Malware Infrastructure\r\nVBREVSHELL AsyncRAT\r\n2022-12-12 ⋅ SOCRadar ⋅ SOCRadar\r\nDark Web Profile: APT42 – Iranian Cyber Espionage Group\r\nPINEFLOWER VINETHORN VBREVSHELL BROKEYOLK CHAIRSMACK DOSTEALER GHAMBAR\r\nSILENTUPLOADER TAG-56\r\n2022-09-07 ⋅ Mandiant ⋅ Mandiant Intelligence\r\nAPT42: Crooked Charms, Cons and Compromises\r\nPINEFLOWER VINETHORN VBREVSHELL BROKEYOLK DOSTEALER GHAMBAR\r\nSILENTUPLOADER\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.vbrevshell\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/vbs.vbrevshell\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.vbrevshell" ], "report_names": [ "vbs.vbrevshell" ], "threat_actors": [ { "id": "1d2ac189-a99e-4e16-84c0-e06df96e688c", "created_at": "2023-11-14T02:00:07.086528Z", "updated_at": "2026-04-10T02:00:03.446956Z", "deleted_at": null, "main_name": "TAG-56", "aliases": [], "source_name": "MISPGALAXY:TAG-56", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1", "created_at": "2023-03-04T02:01:54.091301Z", "updated_at": "2026-04-10T02:00:03.356317Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "UNC788", "CALANQUE" ], "source_name": "MISPGALAXY:APT42", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8", "created_at": "2025-04-23T02:00:55.275208Z", "updated_at": "2026-04-10T02:00:05.270553Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "APT42" ], "source_name": "MITRE:APT42", "tools": [ "NICECURL", "TAMECAT" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434381, "ts_updated_at": 1775826728, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/949f71bba353d3084646b20ed8c5f53d9c16e113.pdf", "text": "https://archive.orkl.eu/949f71bba353d3084646b20ed8c5f53d9c16e113.txt", "img": "https://archive.orkl.eu/949f71bba353d3084646b20ed8c5f53d9c16e113.jpg" } }