{
	"id": "25cf4d06-95b6-4b87-827f-1cec4ca7d6eb",
	"created_at": "2026-04-06T00:11:11.808103Z",
	"updated_at": "2026-04-10T03:35:17.284889Z",
	"deleted_at": null,
	"sha1_hash": "a4acc7d5708c11570dff84b26412355d6670f0c5",
	"title": "STEELCORGI (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41885,
	"plain_text": "STEELCORGI (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:17:35 UTC\r\nSTEELCORGI\r\nAccording to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.\r\nReferences\r\n2022-03-16 ⋅ Mandiant ⋅ Joshua Homan, Logeswaran Nadarajan, Martin Co, Mathew Potaczek, Sylvain Hirsch, Takahiro Sugiyama, Yu Nakamura\r\nHave Your Cake and Eat it Too? An Overview of UNC2891\r\nSLAPSTICK STEELCORGI LightBasin\r\n2021-01-12 ⋅ Yoroi ⋅ Antonio Pirozzi, Luca Mella, Luigi Martire\r\nOpening “STEELCORGI”: A Sophisticated APT Swiss Army Knife\r\nSTEELCORGI\r\n2020-11-02 ⋅ FireEye ⋅ Adrian Pisarczyk, Antonio Monaca, Daniel Caban, Daniel Susin, Justin Moore, Luis Rocha, Sara Rincon, Wojciech Ledzion\r\nLive off the Land? How About Bringing Your Own Island? An Overview of UNC1945\r\nSLAPSTICK STEELCORGI\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi"
	],
	"report_names": [
		"elf.steelcorgi"
	],
	"threat_actors": [
		{
			"id": "8b0219d5-cb32-4702-a4d6-7de8beb9b7a8",
			"created_at": "2022-10-25T16:07:24.364598Z",
			"updated_at": "2026-04-10T02:00:04.955871Z",
			"deleted_at": null,
			"main_name": "UNC2891",
			"aliases": [],
			"source_name": "ETDA:UNC2891",
			"tools": [
				"BINBASH",
				"CAKETAP",
				"MIGLOGCLEANER",
				"SLAPSTICK",
				"STEELCORGI",
				"STEELHOUND",
				"SUN4ME",
				"Tiny SHell",
				"WINGCRACK",
				"WINGHOOK",
				"WIPERIGHT",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434271,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4acc7d5708c11570dff84b26412355d6670f0c5.pdf",
		"text": "https://archive.orkl.eu/a4acc7d5708c11570dff84b26412355d6670f0c5.txt",
		"img": "https://archive.orkl.eu/a4acc7d5708c11570dff84b26412355d6670f0c5.jpg"
	}
}