{
	"id": "81377120-4211-46e5-907b-7b15f079d09f",
	"created_at": "2026-04-06T00:15:00.005081Z",
	"updated_at": "2026-04-10T13:12:06.82191Z",
	"deleted_at": null,
	"sha1_hash": "a5694df6e7d12d7d8a01ce968ff8f1a084732173",
	"title": "Death Comes Calling: Thanatos/Alphabot Trojan Hits the Market | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1247600,
	"plain_text": "Death Comes Calling: Thanatos/Alphabot Trojan Hits the Market |\r\nProofpoint US\r\nBy Proofpoint Staff, March 10, 2016\r\nPublished: 2016-03-11 · Archived: 2026-04-05 15:09:30 UTC\r\nProofpoint researchers discovered a never-before-documented malware strain on February 15. Dropped by the Nuclear exploit kit, the malware turned out on further investigation to be a new Trojan that its developers call Thanatos and that we refer to internally as \"Alphabot\".\r\nThanatos is being marketed as a service with both short- and long-term subscriptions and support, and the authors claim it is under ongoing development, with new plugins and functionality being actively added.\r\nThe following analysis details what we have observed and uncovered so far.\r\nFigure 1: Nuclear Pack dropping “Alphabot”, first observed on February 15, 2016\r\nThe malware sample analyzed contains the following program database (PDB) path, on which we based the bot’s name:\r\nH:\\Alpha\\Bot\\Release\\Loader.pdb\r\nThe malware performs HTTP requests to its command and control (C\u0026C) server, for example alpha[.]highclasssoftware[.]ru/gate.php, as shown in Figure 2. Proofpoint currently detects this malware based on this C\u0026C communication.\r\nFigure 2: “Alphabot” calling home\r\nFurther examination of the malware shows that it modifies the Windows Registry to start the malicious binary during startup (Fig. 3). Like a number of other malware authors, these developers invoke Brian Krebs in the registry key's naming convention:\r\nhttps://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market\r\nPage 1 of 9\n\nFigure 3: One more Krebs malware meme\r\nMalware For Sale\r\nOn March 6, we found an underground advertisement for a new Trojan. 
While we cannot publicly disclose how we connected the dots, the following advertisement describes “Alphabot.” The description underscores features such as Download/Execute, Form Grabber, Update and future plugins such as HiddenVNC, HiddenFTP, SOCKS and WebInjects.\r\nThanatos Bot [IE/FF/Chrome/MSE]\r\nGreetings users of [REDACTED] - I would like to introduce to you trojan \"Thanatos\".\r\nImportant aspects of Thanatos?\r\nProgramming Languages: C++, Masm, Delphi\r\nOS: Windows XP/2003, Vista/2008, 7, 8, 8.1/2012, 10\r\nAdmin Rights Required: No, Thanatos runs in user-mode\r\nUnicode Supported: Yes, Thanatos can run on any system language\r\nSize of stub: 150 - 350 kb, it varies depending on your build expectation\r\nRun-time FUD Support: Yes, I will provide updates to bypass most heuristics \u0026 proactive of AV\r\nScan-time FUD Support: No, this part is on you (use any crypter that you wish)\r\nCross-architecture Support: Yes, Thanatos is able to inject code into both x86 \u0026 x64 processes, it is important to take note that x64 code injection on Windows 10 will not work (I am working on patch to re-open Heavens Gate)\r\nWhat is functionality inside Thanatos?\r\nFormgrabber Support: Yes, form grabber will inject both x86 \u0026 x64 browsers on either x86 or x64 versions of Windows. 
Currently there is support for\r\nIE (Internet Explorer), IE7/8/9/10/11, hooks will bypass Protected Mode too!\r\nFF (Firefox/Mozilla), FF, all versions are supported (both nss3/nspr)\r\nGC (Chrome/Chromium), GC30-46,48+ (working on fixing an issue in 47)\r\nMSE (Microsoft Edge), Hook into explorer.exe waits for RuntimeBroker.exe, followed by injection into MicrosoftEdgeCP.exe to hook HttpSendRequestW/A (same as IE)\r\nTo-be added: Opera, Safari\r\nDownload/Execute (EXE, JAR, SCR, COM, etc) OR Inject (DLL, .PLUG = Plugins)\r\nUpdate (If you receive an update build, make an update task so your bots will live longer)\r\nAnti-hook: Removes hooks in target processes from other bots so that no one (other bots on same victim) will have your logs\r\nBot-killer: AV-Module will scan for other bots on the system, and will remove them once detected (scans task scheduler, registry, services (if admin), and environment variable paths). 
If the process is considered malicious\r\n(from 3-8 hardcoded flags), it will upload file to virustotal.com and parse results from page, if detection on \u003e 3\r\nAV's then malicious file will be removed from system!\r\nWatermark: All builds are watermarked with a unique customer-id, if you leak, then your license will be\r\nterminated\r\nWhat do I get with purchase of my license?\r\nInfinite rebuilds for the duration of your term\r\nPanel (web component, if you're hosting on your own servers Ioncube loader is required)\r\nUpdates of your stub whenever a change is made (by my team)\r\nRuntime patches to evade heuristic or proactive detection engines\r\nFull support (my team is located in various countries, support can be around the clock, 24/7)\r\nImportant Notes\r\nIf you are in need of an Exploit Kit (Private), Traffic (From our affiliate), or Crypt (Home-made), Bulletproof\r\nHosting (feedback from previous customers available) then you should not worry as we can offer it as well.\r\nWhat are the plans for the future?\r\nWe will be working on improving this trojan for as long as there is interest in our product. We can make anything\r\nthat you request, and if you have any suggestions you can always let us know, and we will try our best to meet\r\nyour standards to the highest degree possible!\r\nWe also have plans to write additional plugins to help you make money. 
In the coming months, along with everything stated above we plan to make the following unique plugins (from scratch):\r\nHiddenVNC\r\n- This will not be a rip-off of Zeus like everyone before us\r\n- We plan to make ours much more stable in terms of connection speed \u0026 encoding quality\r\n- This plugin will not require admin permissions but will require a back-connect server\r\nHiddenFTP\r\n- This will be a plugin similar to that of the Ramnit botnet\r\n- You will be able to remotely download/upload files from the victim you choose\r\n- This plugin will not require admin permissions but will require a back-connect server\r\nSOCKS4b/5\r\n- This plugin will bypass NAT/Network Firewall\r\n- It will work with a back-connect server and not through SSH\r\nWebInjects\r\n- This will be the first plugin to be added\r\n- This plugin will be much faster than Zeus Web Injects\r\n- It will not stress the loading time of webpages and will be effective with both HTTP/HTTPS\r\n- Web Injects will have the option to be grabbed remotely (can affect loading time of webpage) or they can be stored locally (will not affect the loading time of webpage)\r\n- There will also be an option to update the web injects locally from the panel (web server) when a web browser is not opened\r\nRootkit\r\n- We have already written a rootkit for Ring-3, it works on both x86/x64\r\n- We are deciding whether to make a Ring-0 rootkit or stick with the current one\r\n- It is important to take note that in our own tests some of our bots with AVs have lived greater than 1 month without an update and the core component of our 4-stage dropper still remains FUD\r\nWhat is the price for a license?\r\nThe price for Thanatos depends on the term which you wish to purchase it for, the schematic is as follows (each term comes with everything stated above):\r\n1 month rent 
= $1,700 USD\r\n3 month rent = $4,800 USD\r\n6 month rent = $9,200 USD\r\nLifetime License = $12,000 USD\r\nIf you wish to talk about the pricing/license/more-info you can contact me in jabber, please note ONLY the jabbers below are used by me, every other jabber that is NOT listed below should be assumed a ripper.\r\nESCROW IS ACCEPTED\r\nJabber (XMPP):\r\n#1 - [redacted]@sj.ms\r\n#2 - [redacted]@null.pm\r\n#3 - [redacted]@exploit.im\r\nThe author of the advertisement also shows images of the C\u0026C panel, which are included below. Here are a few important takeaways from the advertisement:\r\nThe authors appear to be well-embedded in the cybercrime underground and are ready to make life as easy as possible for future customers. Offering private exploit kits, affiliate traffic, packing (crypt services), and hosting makes this something of a one-stop shop for cyber criminals.\r\nThe malware makes use of VirusTotal to scan for other suspected malware on infected machines. 
While the \"bot killer\" functionality isn't new, the conditional upload to VirusTotal is unusual, helping to ensure that other malware doesn't have access to the data on the infected PC.\r\nOngoing updates make this \"malware as a service\" even more attractive to prospective customers.\r\nThe malware supports all major versions of Microsoft Windows, and the authors specifically mention support for Microsoft's 8-month-old Edge browser.\r\nThanatos in action\r\nThe following screenshot is the Thanatos home page, according to the ad.\r\nFigure 4: Thanatos C\u0026C home page\r\nThe remaining panel pages from the advertisement are self-explanatory and we present them with captions only.\r\nFigure 5: Bots Page\r\nFigure 6: Create a Task\r\nFigure 7: Viewing a Task\r\nFigure 8: Task Information\r\nFigure 9: Viewing Logs\r\nFigure 10: User Management\r\nFigure 11: User Permissions\r\nFigure 12: Panel Settings\r\nConclusion\r\nAlthough we have yet to see widespread use of Thanatos, it appears to be a robust, full-featured new Trojan. Based on the author's description in the ad, Thanatos will be a flexible tool for threat actors. The comparisons to Zeus give hints about expected uses. 
For Thanatos/Alphabot, the authors appear to be ready to provide access to a complete ecosystem of underground tools, making this new Trojan attractive to malicious actors and worthy of attention from organizations and security vendors.\r\nWe will be actively watching for new developments and appearances in the wild and updating protection as needed.\r\nIOCs\r\nThanatos:\r\n6b6978726960c090479ab6a67b05eb62d1d4894b89fa6d094be31b7f71c3913a\r\n2085db7e7764e0693fe128fa7530338af8c8c598d1f3a85a2299991248ec553a\r\n6043a9d69eee2994d330b891d29115e95d5466fb0673932e85c16a4c0232b81b\r\nC\u0026C:\r\nalpha[.]highclasssoftware[.]ru 85.93.5.121\r\nRules:\r\n2816233 ETPRO TROJAN Thanatos CnC Post\r\nSource: https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market"
	],
	"report_names": [
		"Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434500,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5694df6e7d12d7d8a01ce968ff8f1a084732173.pdf",
		"text": "https://archive.orkl.eu/a5694df6e7d12d7d8a01ce968ff8f1a084732173.txt",
		"img": "https://archive.orkl.eu/a5694df6e7d12d7d8a01ce968ff8f1a084732173.jpg"
	}
}