{ "id": "48a897b9-c33a-431c-8f50-0a5b4a2e1deb", "created_at": "2026-04-06T00:18:45.896126Z", "updated_at": "2026-04-10T13:12:11.107333Z", "deleted_at": null, "sha1_hash": "a75d75032efc0add097c847ce18652c9cb68e5ba", "title": "Snake Keylogger’s Many Skins: Analysing Code Reuse Among Infostealers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1729148, "plain_text": "Snake Keylogger’s Many Skins: Analysing Code Reuse Among\r\nInfostealers\r\nBy Patrick Schläpfer\r\nPublished: 2021-06-28 · Archived: 2026-04-05 21:02:59 UTC\r\nSnake is a modular .NET keylogger and credential stealer first spotted in late November 2020. Since then, we’ve\r\nseen campaigns spreading this malware almost daily. Snake’s name was derived from strings found in its log files\r\nand string obfuscation code. Using the malware’s builder, a threat actor can select and configure desired features\r\nthen generate new payloads. For this reason, the capabilities of samples found in the wild can vary. This article\r\ndescribes Snake’s capabilities, its infection chain and code similarities with four other commodity keyloggers.\r\nFigure 1 – Publicly reported Snake keylogger detections over time.\r\nInfection Chain\r\nCampaigns delivering Snake in 2021 used malicious spam to distribute the malware, either in RTF or archive\r\nattachments.\r\nDelivery\r\nThe first type of downloader we’ve seen used to deploy Snake are RTF documents containing the well-known\r\nMicrosoft Office Equation Editor exploit (CVE-2017-11882). The documents were renamed with .DOC file\r\nextensions and attached to emails themed as legitimate business communications. If the recipient runs a\r\nvulnerable version of Microsoft Office, the exploit downloads an executable from a remote server and executes it.\r\nThis file is a packed version of Snake keylogger.\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 1 of 14\n\nFigure 2 – A malicious RTF email attachment exploiting CVE-2017-11882 isolated by HP Wolf Security.\r\nWith the second method, attackers send spam with archive files attachments containing packed Snake executables.\r\nWhen the recipient opens the archive file, it contains a packed copy of Snake, requiring the user to double click\r\nthe executable to run it. We found Snake being distributed in IMG, ZIP, TAR, Z, GZ, ISO, CAB, 7z and RAR\r\nattachments.\r\nFigure 3 – A malicious IMG email attachment delivering Snake Keylogger isolated by HP Wolf Security.\r\nUnpacking and execution\r\nTo reduce chances of detection by endpoint security tools, the Snake samples we analysed were packed. Shortly\r\nafter execution, the malware unpacks itself by following the process in Figure 4.\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 2 of 14\n\nFigure 4 – Snake’s unpacking and execution process.\r\nFirst, the malware decrypts and loads an encrypted file in the resources section of the .NET file using DES, a\r\ncommon block cipher.\r\nFigure 5 – Call to decryption method with .NET resource and key as argument.\r\nThe key used to decrypt the file are the first 8 bytes of the SHA256 hash of a string in the source code. Since the\r\nUTF-16 encoded so you need to choose the correct encoding when calculating the hash to decrypt the file. Figure\r\n5 shows the key (a string of Unicode characters) being passed as the second argument to the PerSec function.\r\nSince DES is a block cipher, a mode of operation needs to be specified so that the decryption method knows how\r\nto process multiple blocks of ciphertext. Snake’s packer uses electronic codebook (ECB) as its mode, meaning no\r\ninitialisation vector is required and therefore only the ciphertext and the key are needed.\r\nFigure 6 – DES decryption method.\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 3 of 14\n\nThe decrypted file is a dynamic link library (DLL) called CaptIt.dll, which is loaded. This file contains two\r\nencrypted files as resources, which are unpacked and executed at runtime. The first is the Snake keylogger\r\npayload, and the other is an executable file that is used to run and hide the malware’s presence. Before decrypting\r\nthese files, CaptIt.dll copies the packed executable to the user’s start-up folder (C:\\Users\\\r\n\u003cUsername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup) so that it runs whenever the\r\ndevice is restarted.\r\nFigure 7 – DLL decryption and string decryption calls.\r\nThis time, AES in ECB mode is used to decrypt another DLL file in CapIt.dll. Again, a SHA256 hash of a string is\r\nused as the key.\r\nFigure 8 – AES decryption method.\r\nIn addition to decrypting the DLL, the function decrypts a string that corresponds to the method name of the DLL\r\nthat has just been unpacked. This method, which is started in a new thread, expects two arguments: a file path and\r\npayload name (Figure 9).\r\nFigure 9 – DLL load and execution.\r\nThe second encrypted resource in CapIt.dll is decrypted in the same way as CaptIt.dll, using DES in ECB mode\r\nwith a key passed to the method as an argument.\r\nFigure 10 – Call to DES decryption method with resource and key as argument.\r\nThe Snake payload is hidden inside a legitimate process using RunPE, a well-known process hollowing technique.\r\nFirst, the file path passed as the first argument is used to start a new process in suspended mode. This is followed\r\nby calls to Windows APIs GetThreadContext, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory,\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 4 of 14\n\nSetThreadContext and ResumeThread. These replace the context of the newly-created process with the malware\r\nand then launches it. We found a C# implementation of this function on GitHub. At this point, the Snake payload\r\nis unpacked and starts running the modules configured by the attacker.\r\nCode Obfuscation\r\nSnake is written in .NET so instead of being compiled into native code, it is compiled into Microsoft Intermediate\r\nLanguage with meta data about the project. It’s possible to recover a decompiled version of the source code that\r\nhas almost the same structure as the original code using tools such as dnSpy, which significantly simplifying\r\nanalysis. However, many threat actors who use .NET malware try to prevent decompilation by obfuscating their\r\ncode. In March 2021, we found Snake samples reported to MalwareBazaar were obfuscated using five tools:\r\nConfuserEx / Beds Protector\r\nDeepSea 4.1\r\nBabel .NET\r\nNET\r\nObfuscar\r\nThese obfuscators make it difficult to analyse the source code by renaming symbols, complicating the code’s\r\ncontrol flow and encrypting strings and resources. Fortunately, there are often counter-techniques to reverse these\r\nobfuscations, such as those in the de4dot and DeObfuscar-Static projects.\r\nSnake’s Features\r\nBecause Snake is modular, the behaviour of samples in the wild varies depending on what features are enabled\r\nwhen the malware is built. It is highly likely that functionality is configured and created using a builder tool.\r\nInstead of adding only the selected functionalities to the payload, the builder appears to integrate all features and\r\nsimply activates the ones selected by the operator. Figure 11 shows Snake’s features mapped to MITRE ATT\u0026CK\r\ntechniques.\r\nFigure 11 – MITRE ATT\u0026CK techniques that Snake can use.\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 5 of 14\n\nUnsurprisingly, most of Snake keylogger’s features fall into the tactic categories of Credential Access, Collection\r\nand Exfiltration. Here are some descriptions of Snake’s features:\r\nPersistence\r\nAs described in the unpacking and execution section, the malware copies itself into the start-up folder to be\r\nactivated again after a reboot of the device. As a further persistence functionality, Snake keylogger has the option\r\nof creating a run registry key, which has the same effect and launches the malware when the computer is started.\r\nDefense Evasion\r\nSnake uses two defense evasion techniques. The first is a function that terminates a list of security tool processes.\r\nThese include anti-virus processes and tools that are commonly used to analyse malware. In the case of OllyDbg,\r\nthe process name was misspelled meaning Snake would would fail to kill the process. Moreover, modern anti-virus programs will not be terminated by this technique because they will just restart themselves, or use a kernel\r\ndriver to prevent the malware from opening a handle to their process without the right permissions. The second\r\ntechnique is a self-termination function where Snake removes itself from the infected system and terminates its\r\nown process.\r\nCredential Access\r\nMost of Snake’s functionality relates to collecting sensitive information from infected computers, such as\r\ncredentials and configurations. Snake parses login credentials from web browser databases, email clients, Discord\r\nand Pidgin chat clients and stored passwords for WiFi networks. Snake can extract credentials from Google\r\nChrome, Mozilla Firefox and Microsoft Edge as well as several other less well-known web browsers. It can also\r\nsteal credentials from a variety of email clients, including Microsoft Outlook, Mozilla Thunderbird, Foxmail and\r\nPostbox. A full list of all credential stealing modules can be found in the appendix.\r\nDiscovery\r\nBefore harvesting credentials, Snake runs a series of host and network checks to determine if it is running in a\r\nsandbox and to orientate the attacker within the victim’s environment. The host discovery function checks the\r\noperating system version, the computer name, hard disk size, time and date configuration as well as installed\r\nRAM. One sample we analysed needed the host to have more than 3.75 GB of RAM and its hostname not match a\r\nlist of blocklisted names to pass the checks. Further checks are executed by the network discovery module which\r\nfirst resolves the client’s public IP address using the online service, checkip.dyndns[.]org. If the public IP matches\r\na blocklist of addresses used by malware analysis services, Snake does not run any credential stealing. Using the\r\npublic IP address, Snake resolves an approximate geolocation using the freegeoip[.]app service. Those domains\r\nwith Snake’s User-Agent (see appendix) can be used to detect its presence.\r\nCollection\r\nSnake also collects configuration files that can contain sensitive information. One program targeted by Snake is\r\nFileZilla. FileZilla can be used as FTP client and therefore saves configurations of previously accessed servers.\r\nSnake also looks for the infected system’s Windows product key. Another feature is Snake’s clipboard stealer,\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 6 of 14\n\nwhich differs from its other stealing functionality because it runs periodically rather than once at first execution.\r\nThis module saves the contents of the clipboard, which may contain sensitive information such as passwords that\r\nare temporarily stored in the clipboard when copied from a password manager. Snake also periodically takes\r\nscreenshots of the infected system. The images are stored in a folder called “Snake keylogger” in the user’s\r\ndocuments folder until they are sent to the attacker. Afterwards, the images are deleted. Snake’s keylogger\r\nfunction runs permanently in the background by calling the SetWindowsHookExA API, thereby adding itself to\r\nthe keyboard hook chain. Each time a key is pressed, a callback function is called, which saves the input and\r\npasses the call to the next link in the hook chain. Collected input is periodically sent back to the attacker using one\r\nof multiple available exfiltration functionalities. Interestingly, the keylogging module was not activated in the\r\nSnake keylogger samples found since the end of February 2020. Whether this was a mistake on the part of the\r\nattacker or a deliberate choice is not clear.\r\nExfiltration\r\nSnake has several configurable data exfiltration channels. These include the option of uploading the data to a\r\nserver using the FTP protocol, sending the data as an attachment via email, or publishing it in a Telegram channel\r\nvia a POST request. The attacker decides which of these exfiltration techniques to choose when configuring the\r\nmalware using the builder. Therefore, the necessary credentials, configurations and tokens, are stored directly in\r\nthe malware. In the samples we observed, attackers preferred to exfiltrate data via Telegram or email.\r\nImpact\r\nIn addition to the function that terminates security programs to bypass endpoint defenses, the malware also has a\r\nfunction that terminates the Chrome web browser. Since terminating a web browser is not done for prevention or\r\ndetection reasons, there must be another reason. One possibility is that Snake can only access credentials stored in\r\nChrome if it isn’t running. Another keylogger called Matiex also had this flaw, raising the suspicion that the two\r\nfamilies share code.\r\nFigure 12 – Excerpt from a review of Matiex from a hacking forum.\r\nSnake’s Link to Matiex Keylogger\r\nIn November 2020, a malware researcher commented about possible code links between Snake and Matiex.\r\nAccording to adverts on hacking forums, Matiex’s developer sold a keylogger builder used to configure and\r\ngenerate malware clients using a subscription model that is common for malware-as-a-service operations.\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 7 of 14\n\nFigure 13 – Matiex’s subscription model advertised on a hacking forum.\r\nComparing the source code of the two malware families uncovered many similarities. Both families have\r\nfunctions to terminate a list of the same anti-virus and security tool processes.\r\nFigure 14 – Comparison of process termination functions.\r\nFurthermore, both have procedures to uninstall themselves, using the same command.\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 8 of 14\n\nFigure 15 – Comparison of self-destruction functions.\r\nTheir functions to upload recorded keystrokes via POST requests are also identical.\r\nFigure 16 – Comparison of keystroke exfiltration functions.\r\nBoth families have the option to exfiltrate data to a Telegram channel. The functions are identical, but for their\r\nnames.\r\nFigure 17 – Comparison of Telegram exfiltration functions.\r\nThe only difference between the families’ GeoIP functions are the names.\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 9 of 14\n\nFigure 18 – Comparison of GeoIP orientation functions.\r\nThe logging functions reveals the names of the keyloggers. But the code is nearly identical, including variable\r\nnames.\r\nFigure 19 – Comparison of logging functions.\r\nTheInfo is a variable that contains information about the infected system. Matiex collects far more information\r\nthan Snake, which is then transmitted to the attacker. Snake, however, has an AntiBot function that terminates the\r\nmalware if the infected system has a blocklisted IP address or hostname.\r\nFigure 20 – Comparison of variables showing collected information.\r\nMany of the variable names used between the families are similar. For example, the exfiltration channel is defined\r\nanalogously via a string variable in both families. Furthermore, the keylogger class is named identically and both\r\nhave a HSHChecker variable with the same initialisation value.\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 10 of 14\n\nFigure 21 – Similar initialised variables between Snake and Matiex.\r\nBased on the code similarities shown and the corresponding malware analysis, we think it is likely that Matiex and\r\nSnake share the same code base and that Snake is derived from the former. The families do have a few minor\r\ndifferences between them:\r\nMatiex does not check for a list of excluded IP addresses, hostnames or the amount of RAM installed.\r\nMatiex can make audio recordings.\r\nMatiex can exfiltrate data over Discord, an instant messaging service.\r\nThe question is when and how was Matiex’s source code first reused in Snake? In February 2021, Matiex’s source\r\ncode was offered for sale in an underground forum. One possibility is that someone bought the source code of\r\nMatiex and rebranded it into Snake. However, our first sighting of Snake was months before the source code was\r\nput up for sale, so Snake’s developers must have obtained Matiex’s source code by another means.\r\nMatiex’s Link to Other Keyloggers\r\nDuring this research, we found other .NET keyloggers advertised as a service, similar to Matiex. Analysing the\r\ncode of the 404, Cheetah and Phoenix keyloggers revealed they were also very similar to Matiex. Figure 22 shows\r\nwhen each family was offered for sale as a service and when its source code was offered for sale.\r\nFigure 22 – Timeline of sales activity across hacking forums.\r\nLooking at the code similarity of the different keyloggers, it struck us how similar their code is. 404 and Phoenix\r\nkeylogger use a slightly different function to record keystrokes and can exfiltrate data using the Pastebin API, but\r\nare otherwise extremely similar to the other families. Cheetah uses the same keylogging functions as Snake and\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 11 of 14\n\nMatiex, but has fewer modules for extracting passwords. The data is exfiltrated in the same way as Snake via\r\nTelegram, FTP or SMTP.\r\nFigure 23 – An overview of the capabilities of keyloggers linked to Snake.\r\nConclusion\r\nAnalysing Snake reveals that it is indeed a comprehensive keylogger and data stealer. Based on our analysis, we\r\nthink five keylogger families active in the last two years are likely derived from the same code base. However, this\r\nis not an exhaustive list so it is possible that other keyloggers with similar code are also in circulation. This\r\n“remix” behaviour of opportunistically copying source code from established malware families demonstrates how\r\neasy it is for cybercriminals to create their own malware-as-service businesses – and the importance for enterprise\r\ndefenses to stay ahead of malware developers.\r\nIndicators of Compromise\r\nSnake’s Credential Stealing Modules:\r\nOutlook Chrome Cent Yandex FireFox\r\nFoxmail Coowon xVast Nichrome WaterFox\r\nKinzaa CocCoc Chedot Amigo Thunderbird\r\nSputnik Uran Superbird Kometa SeaMonkey\r\nFalkon QQ 360_English Xpom IceDragon\r\nSalamWeb orbitum 360_China Elements CyberFox\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 12 of 14\n\nCoolNovo Slimjet Comodo Microsoft Slim\r\nQIPSurf Iridium Brave Opera IceCat\r\nBlackHawk Vivaldi Torch FileZilla PostBox\r\n7Star Iron UC Pidgin PaleMoon\r\nSleipnir Chromium Blisk Liebao TheWiFi_Orginal\r\nCitrio Ghost Epic avast WindowsProductKey_Orginal\r\nChrome_Canary Discord\r\nExcluded IP Addresses:\r\n1.254.1[.]255\r\n34.122.197[.]93\r\n89.187.165[.]47\r\n89.208.29[.]133\r\n92.118.13[.]18\r\n91.132.136[.]174\r\n95.26.248[.]29\r\n95.26.253[.]176\r\n170.55.59[.]2\r\n185.220.101[.]5\r\n192.64.6[.]217\r\n195.74.76[.]237\r\n195.239.51[.]117\r\nExcluded Hostnames:\r\nJohn\r\nadmin\r\nAdmin\r\nADMIN\r\nUSER\r\nUser\r\nuser\r\nJOHN\r\nJOHN-PC\r\nWALKER-PC\r\nJohn-PC\r\nWALKER\r\nUser Agents\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 13 of 14\n\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\nContacted Domains\r\ndyndns[.]org\r\nfreegeoip[.]app\r\nSource: https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nhttps://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/\r\nPage 14 of 14", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/" ], "report_names": [ "the-many-skins-of-snake-keylogger" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "0661a292-80f3-420b-9951-a50e03c831c0", "created_at": "2023-01-06T13:46:38.928796Z", "updated_at": "2026-04-10T02:00:03.148052Z", "deleted_at": null, "main_name": "IRIDIUM", "aliases": [], "source_name": "MISPGALAXY:IRIDIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "75455540-2f6e-467c-9225-8fe670e50c47", "created_at": "2022-10-25T16:07:23.740266Z", "updated_at": "2026-04-10T02:00:04.732992Z", "deleted_at": null, "main_name": "Iridium", "aliases": [], "source_name": "ETDA:Iridium", "tools": [ "CHINACHOPPER", "China Chopper", "LazyCat", "Powerkatz", "SinoChopper", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434725, "ts_updated_at": 1775826731, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a75d75032efc0add097c847ce18652c9cb68e5ba.pdf", "text": "https://archive.orkl.eu/a75d75032efc0add097c847ce18652c9cb68e5ba.txt", "img": "https://archive.orkl.eu/a75d75032efc0add097c847ce18652c9cb68e5ba.jpg" } }