{
	"id": "29d887cf-4cff-4303-9a23-fd2844ab4d8c",
	"created_at": "2026-04-06T00:10:22.465221Z",
	"updated_at": "2026-04-10T03:37:09.362495Z",
	"deleted_at": null,
	"sha1_hash": "94f42f8cd807741556432fea71ceacd6c0e33b00",
	"title": "Deep Analysis of Redline Stealer: Leaked Credential with WCF",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2759592,
	"plain_text": "Deep Analysis of Redline Stealer: Leaked Credential with WCF\r\nBy S2W\r\nPublished: 2022-05-24 · Archived: 2026-04-05 14:17:58 UTC\r\nAuthor: Jiho Kim | S2W TALON\r\nLast Modified: 2022.03.03.\r\nPhoto by S Migaj on Unsplash\r\nExecutive Summary\r\nRedline Stealer, which is currently being distributed, has changed the C2 communication method and the way of delivering the collected information compared to the previous Redline Stealer, but the overall execution flow is the same.\r\nRedline Stealer has hard-coded encoded data such as the C2 Server IP and Unique ID, together with the XOR key required to decode this data. When Redline is executed, these values are decoded first. After that, information is collected and leaked by referring to the configuration data received from the C2 server, and the collected information is composed of Environment Details and Credential Details. The collected information includes system information, browser credentials, crypto wallet information, FTP information, Telegram and Discord information, etc.\r\nhttps://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904\r\nPage 1 of 18\n\nAfter collecting and leaking information, Redline Stealer also has the ability to download executable files and perform additional malicious actions.\r\nIntroduction of Redline Stealer\r\nSince its release in February 2020, Redline Stealer has been delivered through various channels. Redline Stealer is mostly distributed through phishing emails or malicious software disguised as installation files such as Telegram, Discord, and cracked software. 
However, recently, phishing links that download a Chrome extension containing Redline Stealer have been spread by abusing YouTube video descriptions and Google Ads, and a Python script that runs Redline Stealer via FTP is also being distributed.\r\nIssues related to Redline Stealer\r\nAccording to a BleepingComputer report released in October 2020, Redline Stealer was distributed through malicious links posted in YouTube video descriptions related to free downloads of specific utilities.\r\nRedline via YouTube Video Description Link (Source: BleepingComputer)\r\nRedline Stealer in DDW\r\nRedline Stealer first appeared on a Russian-based forum in February 2020. The user with the nickname “REDGlade” posted the promotion article and has been updating the versions of the Builder and Panel until at least January 2022. Redline Stealer is rented for $100 per month and sold for $150 per month or $800 for a lifetime. Additional services, such as scanner and cryptor subscriptions, differ depending on the price tier.\r\nThe builder program of Redline Stealer is sold by the official seller on the DDW forum, but also by other users who sell cracked versions of Redline Stealer. 
In addition, some users sell only the collected Redline Stealer logs.\r\nRedline Stealer Promotion Article\r\nRedline Stealer’s Pricing Policy\r\nRENT ($100 / a month)\r\n1 month of cryptor @spectrcrypt_bot (autocrypt + scanner)\r\nLITE ($150 / a month)\r\n1 month of crypt subscription\r\nPRO ($200 / forever)\r\n3 months of scanner subscription\r\n3 months of cryptor @spectcrypt_bot\r\nChannels operated by Redline Stealer Seller\r\nTelegram channels operated by the Redline Stealer official seller are divided into 3 categories: Official Page, Official Chat, and Buy Redline bot. Announcements and update information are posted on the Official Page channel, chat is freely available on the Official Chat channel, and Redline Stealer is sold through the Buy Redline bot.\r\nRedline Stealer Telegram Channel\r\n@REDLINESTEALER — Official page\r\n@REDLINE_EN — Official Chat\r\n@REDLINESUPPORT_bot — Buy Redline bot\r\nRedline Stealer Telegram Channel: Official Page\r\nCracked Redline Stealer \u0026 Log Seller\r\nAs Redline Stealer is an infostealer widely used by attackers, there are several cracked versions and other stealers derived from it. 
In addition, stealer logs collected through Redline Stealer are sold on the DDW forums, and they account for the largest portion of infostealer logs.\r\nCracked Redline Stealer Sales Post\r\nRedline Stealer Log Sales Post\r\nRedline Stealer Update Information\r\nThe Redline Stealer seller announces update information on the Telegram channel. As of January 2022, it has been updated to Builder v23 and Panel v3.3.4. The main update information posted so far is shown in the table below.\r\nRedline Stealer Major Update\r\nIn particular, among the updates from May 2020 to June 2020, support for the *.scr extension and the added collection of Browser Extension Wallet information were also relevant to the NFT hacking incidents that occurred in June 2021. At that time, most of the files that infected Redline Stealer victims had the *.scr extension, and the victims’ crypto wallets were stolen and leaked by Redline Stealer.\r\nMalware analysis\r\nSample Information\r\nFile Name: 9882_1643998124_6086.exe\r\nFile Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMalware Type: Redline Stealer v22\r\nMD5: d81d3c919ed3b1aaa2dc8d5fbe9cf382\r\nSHA256: cd3f0808ae7fc8aa5554192ed5b0894779bf88a9c56a7c317ddc6a4d7c249e0e\r\nRedline Stealer Execution Flow\r\n1. The attachment in the phishing mail contains cracked software bundled with Redline Stealer.\r\n2. When the cracked software is executed, Redline Stealer is also executed in the background.\r\n3. Encoded data such as the C2 Server IP and Unique ID are decoded with the XOR key and used for C2 communication.\r\n4. 
After finishing the decoding process, Redline Stealer requests configuration data from the C2 Server.\r\nEntity2: a structure that stores configuration data.\r\n5. The C2 Server transmits the configuration data to the infected PC.\r\n6. Information is collected from the infected PC by referring to the stored configuration data.\r\nEntity7: a structure that stores the collected results (Environment Details + Entity1).\r\nEntity1: a structure that stores Credential Details.\r\n7. The information is leaked in two parts:\r\nEnvironment Details, including infected PC information\r\nCredential Details, including crypto wallet, account, and user data information\r\n8. The collected information is converted into XML format and transmitted to the C2 Server as a SOAP message.\r\nRedline Stealer Execution Flow\r\nConfiguration of C2 Communication\r\nRedline Stealer with WCF\r\nThe framework Redline Stealer uses for C2 communication is WCF (Windows Communication Foundation). WCF is a framework that allows endpoints to exchange messages and communicate across multiple computers connected to a network.\r\nAt least one endpoint must be configured to use WCF. When configuring the endpoint, three elements are required: Address, Binding, and Contract. ‘Address’ is the address at which the service is provided, ‘Binding’ is the information related to the communication protocol used to access the service, and ‘Contract’ defines the service interface. The WCF client can call the service defined by the Service Contract, and when a specific method is called, the method of the same name implemented on the server is invoked. 
The [ServiceContract] attribute is used to define the contract (the service interface), the [DataContract] attribute is used to define a data structure to be transmitted, and the [OperationContract] attribute is used to define a function of the service.\r\nWCF Communication\r\nThe previous Redline Stealer used BasicHttpBinding() for communication. However, from Redline Stealer v22 updated in August 2020, the communication protocol was changed to NetTcpBinding(). NetTcpBinding() has a performance advantage compared to BasicHttpBinding() because SOAP messages are binary encoded before being delivered.\r\nRedline Stealer collects information through a Service Contract named Entity and defines 24 Operation Contracts and 17 Data Contracts. When a method defined as an Operation Contract is called from the infected PC, the method of the same name implemented on the C2 Server is invoked. At this time, the ‘Entity7 result’ is delivered to the C2 Server.\r\nWCF Service Call/Response\r\nDecoding C2 Server and Unique ID\r\nIn Redline Stealer, the encoded C2 Server address and Unique ID are hard-coded. 
Therefore, when the malware is executed, they are decoded and used for C2 communication.\r\nHardcoded data\r\nC2 Server address: Dw0oGCQnJh4tByxCDjRVWScZLlUvOTwJDDZcUA\r\nUnique ID: DyMgXCcJKlcvBwJB\r\nMessage: “”\r\nVersion: 1\r\nDecoding Process\r\nFromBase64 → XOR → FromBase64\r\nXOR Key: Agamis\r\nDecoding Result\r\nC2 Server address: 62.182.159.86:65531\r\nUnique ID: 405794696\r\nMessage: “”\r\nVersion: 1\r\nDecoding Method: Read()\r\nCommunication Method\r\nAs mentioned, Redline Stealer uses WCF for C2 communication.\r\nEndpoint Configuration: Address \u0026 Binding\r\nAddress: net.tcp://62.182.159.86:65531/\r\nBinding: NetTcpBinding()\r\nEndpoint Configuration: Contract\r\nRedline Stealer has a Service Contract named Entity, 17 Data Contracts that define the structures used to store information, and 24 Operation Contracts that define the functionality of the service. 
Among them, the Data Contracts that store information are described in the table below.\r\n(*Functional descriptions for each Operation Contract are given in the Appendix.)\r\nData Contract List\r\nTry to connect\r\nAfter configuring the endpoint, Redline Stealer tries to connect to the C2 Server and receives the response. Redline Stealer periodically checks whether the connection with the C2 Server is maintained during execution.\r\nConfiguration Data Request/Receive\r\nRequest configuration data\r\nRedline Stealer requests configuration data that specifies what information to collect; it includes the paths and keywords required to collect browser and local file information, and the names of the crypto wallets to be explored.\r\nResponse configuration data\r\nThe configuration data is stored in Entity2 and used to collect the information to be leaked. The configuration data consists of Flags indicating whether each item is collected and Settings indicating the paths and keywords used for collecting files.\r\nCollected information\r\nWay to collect and store information\r\nThe information collected from the infected PC is stored in Entity7. Entity7 includes Environment Details and Entity1, and Entity1 separately stores the Credential Details. Each item in Entity1 uses the structures Entity3~Entity5, Entity8~Entity12, and Entity14 to store the related information. 
Whether Entity1 is used depends on Redline Stealer’s information leakage mode.\r\nA structure of Entity7\r\nWay to leak information\r\nRedline Stealer defines two ways to leak information.\r\nSend Log by Parts (Default)\r\n“Send Log by Parts” collects information from the infected PC and leaks it in parts. That is, the collected ‘Environment Details’ are first leaked to the C2 Server by placing them in Entity7; in this case, each item of Entity1 is left empty. After that, the ‘Credential Details’ are collected, but they are not stored in Entity1: each item is leaked immediately after it is collected.\r\nSend Log by Parts Flow\r\nSend Log by Full\r\nThis method stores all the collected information in Entity7 and leaks it at once. First, ‘Environment Details’ are collected and stored in Entity7. Credential Details are then collected and stored in Entity1. Once both Environment Details and Entity1 are filled in Entity7, it is leaked to the C2 Server.\r\nSend Log by Full Flow\r\nThe biggest difference between the two methods is whether Entity1 is used or not. Environment Details and Entity1 collected from the infected PC are stored in Entity7, while Entity1 stores Credential Details. In the “Send Log by Full” method, Entity1 is used to leak the information at once, but in the “Send Log by Parts” method, Entity1 is not used and each item of Credential Details is leaked as soon as it is collected.\r\nWhich method Redline Stealer uses can be checked through the “Version” value among the hard-coded data. 
If the version is 1, the “Send Log by Parts” method is used; otherwise, the “Send Log by Full” method is used. In the case of this sample, the version is set to 1, so the “Send Log by Parts” method is used, which leaks the collected information in parts. Therefore, among the collected information, each item of Credential Details is collected and then leaked immediately.\r\nCollect Environment Details\r\nDevice information of the infected PC is collected and stored in Entity7.\r\nEntity7 includes hardware information, Unique ID, machine name, OS information, available languages, monitor information, IPv4 address, the malware file location, Redline Stealer infection history, and monitor screenshots; each item of Credential Details (Entity1), except the monitor screenshots, is left empty.\r\nLeak Environment Details\r\nWith the Environment Details stored in the Entity7 result, the malware prepares to access the service via the Id6() method. Thereafter, the collected information is leaked by calling the [OperationContract] method Id4(). Upon receiving the leaked information, the C2 Server sends a response to the infected PC, which is stored and delivered in Entity13. The response type is one of Unknown (Entity13.Id1), Success (Entity13.Id2), RepeatPart (Entity13.Id3), or NotFound (Entity13.Id4).\r\nCollect \u0026 Leak Credential Details\r\n‘Credential Details’ are leaked whenever one item is collected. The information leakage process is the same as the ‘Environment Details’ leakage process, but the information delivered to the C2 Server differs. Each item of Credential Details is leaked by calling the matching [OperationContract] Id#() method. 
When the C2 Server receives the information, it sends a response to the infected PC of the same type as the response returned when Environment Details are leaked.\r\nResult: Collected Information\r\nThe targets collected by Redline Stealer are largely divided into infected device information, installation information, crypto wallet information, account information, User Data information, and local file information. In the case of crypto wallet information, in addition to the crypto wallet list specified in the configuration data, the list of installed Browser Extension Wallets is checked to collect related information. The table summarizing the collected information by type is as follows.\r\nSummary of collected information by type\r\nConclusion\r\nRedline Stealer is one of the most popular infostealers, along with Vidar, Raccoon, and Ficker.\r\nLogs stolen through Redline Stealer are the most traded logs on DDW forums.\r\nRedline Stealer has continued to release new versions until recently, and continuous analysis is needed because the structure of Redline Stealer gradually changes with each major update.\r\nAppendix\r\nDescription of each Operation Contract function.\r\nChromium-based Browser List\r\nBattle.net, Chromium, Chrome, Opera Software, ChromePlus, Iridium, 7Star, CentBrowser, Chedot, Vivald\r\nGecko-based Browser List\r\nFirefox, Waterfox, K-Meleon, Thunderbird, Comodo, Cyberfox, BlackHaw, Pale Moon\r\nBrowser Extension Wallet List\r\nYoroiWallet, Tronlink, NiftyWallet, MetaMask, Coinbase, BinanceChain, BraveWallet, GuardaWallet, Equ\r\nMethods collecting Environment Details\r\nMethods collecting Credential Details\r\nRedline Stealer IoCs\r\nSource: https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904"
	],
	"report_names": [
		"deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434222,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94f42f8cd807741556432fea71ceacd6c0e33b00.pdf",
		"text": "https://archive.orkl.eu/94f42f8cd807741556432fea71ceacd6c0e33b00.txt",
		"img": "https://archive.orkl.eu/94f42f8cd807741556432fea71ceacd6c0e33b00.jpg"
	}
}