{
	"id": "59ed3707-fb2a-4820-8e1f-a4f695f20b69",
	"created_at": "2026-04-06T00:14:13.520888Z",
	"updated_at": "2026-04-10T13:12:28.639176Z",
	"deleted_at": null,
	"sha1_hash": "a8c3c9916b934d4edc0c66c1c1cb69353c119370",
	"title": "CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1232445,
	"plain_text": "CVE-2023-36025 Exploited for Defense Evasion in Phemedrone\r\nStealer Campaign\r\nPublished: 2024-01-12 · Archived: 2026-04-05 18:07:36 UTC\r\nExploits \u0026 Vulnerabilities\r\nThis blog delves into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows\r\nDefender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malware's payload.\r\nBy: Peter Girnus, Aliakbar Zahravi, Simon Zuckerbraun Jan 12, 2024 Read time: 10 min (2634 words)\r\nDuring routine threat hunting, Trend Micro uncovered evidence pointing to an active exploitation of CVE-2023-\r\n36025 to infect users with a previously unknown strain of the malware, Phemedrone Stealer.\r\nPhemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram,\r\nSteam, and Discord. It also takes screenshots and gathers system information regarding hardware, location, and\r\noperating system details. The stolen data is then sent to the attackers via Telegram or their command-and-control\r\n(C\u0026C) server. This open-source stealer is written in C# and is actively maintained on GitHub and Telegram. \r\nCVE-2023-36025 affects Microsoft Windows Defender SmartScreen and stems from the lack of checks and\r\nassociated prompts on Internet Shortcut (.url) files. Threat actors can leverage this vulnerability by crafting .url\r\nfiles that download and execute malicious scripts that bypass the Windows Defender SmartScreen warning and\r\nchecks.  \r\nMicrosoft patched CVE-2023-36025 on Nov. 14, 2023. However, due to evidence of in-the-wild exploitation, the\r\nCybersecurity and Infrastructure Security Agency (CISA) also added this vulnerability to the Known Exploited\r\nVulnerabilities (KEV) list. It has come to public attention that various demos and proof-of-concept codes have\r\nbeen circulated on social media, detailing the exploitation of CVE-2023-36025. 
Since details of this vulnerability\r\nfirst emerged, a growing number of malware campaigns, one of which distributes the Phemedrone Stealer\r\npayload, have incorporated this vulnerability into their attack chains.  \r\nInitial access via cloud-hosted malicious URLs\r\nIt's important to note that this analysis is based on the modified version that was used in the attack we\r\ninvestigated. To bootstrap the Phemedrone Stealer infection process, the attacker hosts a series of malicious\r\nInternet Shortcut files on Discord or other cloud services such as FileTransfer.io. The files are also often disguised\r\nusing URL shorteners such as shorturl.at. An unsuspecting user might then be enticed to or tricked into opening a\r\nmaliciously crafted .url file that exploits CVE-2023-36025. \r\nhttps://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html\r\nPage 1 of 15\n\nFigure 1. Phemedrone Stealer’s infection chain\r\nDefense evasion by exploiting CVE-2023-36025\r\nOnce the malicious .url file exploiting CVE-2023-36025 is executed, it connects to an attacker-controlled server to\r\ndownload and execute a control panel item (.cpl) file. Microsoft Windows Defender SmartScreen should warn\r\nusers with a security prompt before executing the .url file from an untrusted source. However, the attackers craft a\r\nWindows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a\r\nmalicious payload delivery mechanism. Threat actors leverage MITRE ATT\u0026CK technique T1218.002, which\r\nabuses the Windows Control Panel process binary (control.exe) to execute .cpl files. Note that these files are DLL\r\nfiles.  \r\nFigure 2. 
Malicious Internet Shortcut .url file\r\nWhen the malicious .cpl file is executed through the Windows Control Panel process binary, it in turn calls\r\nrundll32.exe to execute the DLL. This malicious DLL acts as a loader that then calls on Windows PowerShell to\r\ndownload and execute the next stage of the attack, hosted on GitHub. The next stage is another PowerShell loader\r\nnamed DATA3.txt.  \r\nFigure 3. First DLL downloads and executes a payload with PowerShell\r\nThe file DATA3.txt is an additional obfuscated loader that uses PowerShell string and digit manipulation\r\ntechniques to mask its contents and make deciphering its true purpose more difficult during static analysis. \r\nUsing a combination of static and dynamic analysis, we can deobfuscate the GitHub-hosted loader, which gives us\r\na series of PowerShell commands that this script executes. This loader downloads a ZIP file hosted on the same\r\nGitHub repository to a hidden directory created using the Windows attribute utility binary (attrib.exe).   \r\nThe zip archive contains three files:  \r\nWerFaultSecure.exe. This is a legitimate Windows Fault Reporting binary. \r\nWer.dll. This is a malicious binary that is sideloaded when WerFaultSecure.exe is executed. \r\nSecure.pdf. This is an RC4-encrypted second stage loader. \r\nFigure 4. Deobfuscated DATA3.txt PowerShell commands\r\nPersistence using scheduled tasks and DLL sideloading\r\nThe wer.dll file is a crucial component of the loader's functionality as it decrypts and runs the second stage loader\r\nand achieves persistence by creating scheduled tasks that we will detail here. The malware utilizes multiple\r\ntechniques to evade detection and complicate reverse engineering, such as API hashing and string encryption.\r\nAdditionally, this DLL is packed and protected by VMProtect.  
\r\nThe loader is executed using the DLL sideloading technique, where the attacker spoofs a malicious DLL file in the\r\napplication's directory. This tricks the operating system into loading the malicious file instead of the legitimate\r\none. In the case we investigated, WerFaultSecure.exe executes the WerpSetExitListeners function from wer.dll,\r\nwhich triggers the loader to run.  \r\nFigure 5. “WerFaultSecure.exe” calls WerpSetExitListeners\r\nThe loader uses a technique called dynamic API resolving to hide its API imports and make it harder for static\r\nanalysis. This technique involves storing the hashes of the necessary APIs instead of their names, and then\r\nimporting them dynamically at runtime. In the case we investigated, the loader uses the Cyclic Redundancy Check\r\n32 (CRC-32) hashing algorithm, contents of which are detailed in the following table.\r\n998B531E KERNEL32.DLL  \r\n46DED02D GetModuleHandleExW \r\n0FC6B42F1 GetModuleFileNameW\r\n0C97C1FFF GetProcAddress \r\n3FC1BD8D LoadLibraryA \r\n0F29DDD0C lstrcatW \r\n759903FC  CreateDirectoryW\r\n0A1EFE929 CreateFileW \r\n0A7FB4165 GetFileSize\r\n8B35A289 LocalAlloc \r\n95C03D0 ReadFile \r\n0B09315F4 CloseHandle\r\n0B1866570 GetModuleHandleA\r\n0F54D69C8 CopyFileW \r\nTable 1. The hashes in the loader’s dynamic API resolving, and their corresponding API names\r\nThe loader uses an XOR-based algorithm with dynamic key generation for string decryption. For each byte, the\r\nalgorithm generates a unique key based on its position in the buffer, using the formula (characterIndex %\r\n\u003cnum1\u003e + \u003cnum2\u003e). This key is then XORed with the byte to reveal the original character. Each encrypted string\r\nhas its own decryption function with unique \u003cnum1\u003e and \u003cnum2\u003e to make the string decryption automation\r\nharder.   \r\nFigure 6. 
Example of a string decryption process\r\nThe following is a list of decrypted strings from the first stage loader:  \r\n“/F /CREATE /TN \"Licensing2\" /tr \"C:\\Users\\Public\\Libraries\\Books\\WerFaultSecure.exe\" /sc minute /MO\r\n90\" \r\n\\\\secure.pdf  \r\n\\\\wer.dll  \r\n\\\\WerFaultSecure.exe  \r\nActiveds.dll  \r\nadvapi32  \r\nAllocADsMem  \r\nC:\\\\Users\\\\Public\\\\Libraries\\\\Books\\\\secure.pdf \r\nC:\\\\Users\\\\Public\\\\Libraries\\\\Books\\\\wer.dll  \r\nC:\\\\Users\\\\Public\\\\Libraries\\\\Books\\\\WerFaultSecure.exe  \r\nC:\\Windows\\explorer.exe \r\nC:\\Windows\\System32\\schtasks.exe \r\nCreateProcessW  \r\nCryptCATCDFOpen  \r\nkernel32.dll \r\nPathRemoveFileSpecW \r\nReallocADsMem  \r\nShlwapi.dll \r\nSystemFunction032 \r\nWintrust.dll \r\nThe loader maintains persistence by creating a directory named C:\\Users\\Public\\Libraries\\Books and copies\r\nwer.dll, secure.pdf, and WerFaultSecure.exe from the current execution directory to this location. It then executes\r\nthe schtasks.exe command with the arguments \"/F /CREATE /TN \\\"Licensing2\\\" /tr\r\n\\\"C:\\\\Users\\\\Public\\\\Libraries\\\\Books\\\\WerFaultSecure.exe\\\" /sc minute /MO 90\", scheduling the\r\nWerFaultSecure.exe to run at 90-minute intervals. \r\nFigure 7. Persistence via a scheduled task\r\nThe loader then advances to the second stage wherein the encrypted second-stage loader is in a file called\r\nsecure.pdf. To decrypt it, the malware utilizes an undocumented function, SystemFunction032 from advapi32.dll,\r\nwhich performs RC4 decryption. It then uses the AllocADsMem and ReallocADsMem functions from Activeds.dll\r\nto allocate memory and relocate the decrypted content. Finally, it calls VirtualProtect to modify the memory\r\nregion of the decrypted buffer to Executable-Read-Write. 
\r\nFigure 8. RC4 decryption process via the SystemFunction032 API\r\nThe malware then uses API callback functions to redirect the flow of execution to the second stage. Callback\r\nfunctions are routines that are passed as a parameter to Windows API functions. Later, these routines are called by\r\nthe API to perform specific functionalities. In the case we investigated, the malware uses the CryptCATCDFOpen\r\nfunction, which is used for handling cryptographic catalog files in Windows. It requires two parameters: a file path\r\n(pwszFilePath) and an optional callback function (PFN_CDF_PARSE_ERROR_CALLBACK). The loader passes\r\nthe second stage shellcode Entry Point (EP) to the second parameter, PFN_CDF_PARSE_ERROR_CALLBACK.\r\nWhen the API function is called, the callback function is executed and the malicious code is run.  \r\nFigure 9. Execution of second stage via API callback functions\r\nSecond-stage defense evasion\r\nThe attacker used a second-stage loader known as Donut, an open-source shellcode that allows the execution of\r\nVBScript, JScript, EXE files, DLL files, and .NET assemblies in memory. Donut can be embedded directly into\r\nthe loader, or it can be staged from an HTTP server or a DNS server. In the case we investigated, the attacker\r\nchose to embed it directly into the loader.   \r\nDonut can compress input files using aPLib, LZNT1, Xpress, and Xpress Huffman using RtlCompressBuffer. It\r\ncan also encrypt the payload using the Chaskey block cipher. However, in this case, only payload encryption is\r\nused, without any compression.   \r\nFor the final payload execution, Donut is configured to use the Unmanaged CLR Hosting API to load the\r\nCommon Language Runtime (CLR). 
Once the CLR is successfully loaded into the host process, a new\r\nApplication Domain is created to allow for running assemblies in disposable AppDomains. After the AppDomain\r\nis ready, Donut loads the .NET assembly and invokes the payload’s entry point.  \r\nPhemedrone Stealer payload analysis\r\nPhemedrone credential access\r\nWhen executed, the malware initializes its configuration and decrypts certain items such as a Telegram API token,\r\nchat ID, and Email_To mutex (used for synchronization). This is done using a predefined salt and encryption key\r\nand the RijndaelManaged symmetric encryption algorithm. The process involves removing the \"CRYPTED:\"\r\nprefix from the strings, converting the remaining base64-encoded strings into byte arrays and decrypting these\r\narrays to extract the original plaintext values. \r\nFigure 10. Phemedrone configuration\r\nThe malware program uses the “MutexCheck.Check()” method to ensure that it doesn't operate concurrently with\r\nanother instance of itself. It does this by creating a mutex and using the value of \"Config.Email_To\" as a\r\nsynchronization mechanism. If the mutex is already in use, indicating that another instance of the malware is\r\nactive, the program will immediately terminate itself using “Environment.FailFast(\"\")”. The decrypted mutex\r\nvalue is detected as 5dad16bd-6884-4ab8-b182-a504b4c99bcf.\r\nFigure 11. MutexCheck mechanism\r\nThe malware targets a wide range of applications and services that might exist on a victim's computer, aiming in\r\neach case to extract specific types of sensitive information:  \r\nChromium-based browsers. 
The malware harvests data, including passwords, cookies, and autofill\r\ninformation stored in apps such as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile, and\r\nMicrosoft Authenticator, among others. \r\nCrypto wallets. It extracts files from various cryptocurrency wallet applications such as Armory, Atomic,\r\nBytecoin, Coinomi, Jaxx, Electrum, Exodus, and Guarda. \r\nDiscord. Phemedrone extracts authentication tokens from the Discord application, enabling unauthorized\r\naccess to the user's account. \r\nFileGrabber. The malware uses this service to gather user files from designated folders such as\r\nDocuments and Desktop. \r\nFileZilla. Phemedrone captures FTP connection details and credentials from FileZilla. \r\nGecko. The malware targets Gecko-based browsers for user data extraction. \r\nSystem Information. Phemedrone collects extensive system details, including hardware specs,\r\ngeolocation, and operating system information, and takes screenshots. \r\nSteam. Phemedrone accesses files related to the Steam gaming platform. \r\nTelegram. The malware extracts user data from the installation directory, specifically targeting\r\nauthentication-related files within the “tdata” folder. This includes seeking out files based on size and\r\nnaming patterns. \r\nThe malware uses a custom method called RuntimeResolver.GetInheritedClasses\u003cIService\u003e() to dynamically find\r\nall subclasses of IService. This method uses reflection to scan the assembly. The services are grouped based on\r\ntheir priority levels, allowing them to be processed in a specific order. For each service in the grouped\r\nlist, Phemedrone creates and starts a new thread. This enables each service to begin its Run method concurrently,\r\nwhich in turn executes the Collect method defined in each service.  
\r\nCommand and control for data exfiltration\r\nOnce all threads have completed execution, the code iterates through the services again. For each service, it\r\ncollects the data gathered by the service, and uses the MemoryStream and ZipStorage classes to handle and\r\ncompress this information. MemoryStream is a flexible in-memory buffer that can store data temporarily, allowing\r\nfor quick and efficient handling of the information without the need for disk I/O operations. Following this,\r\nZipStorage is utilized to compress the data into a ZIP file format directly within the MemoryStream.  \r\nFigure 12. Phemedrone dynamically run services\r\nFigure 13. Implementation of FileZilla service\r\nFigure 14. IService class handling record gathering and data compression\r\nBefore initiating data exfiltration, the malware validates the Telegram API token using the TokenIsValid method\r\nby making an API call to Telegram's getMe endpoint. This API call is constructed using the stored Telegram API\r\ntoken. If the response received starts with {\"ok\":true, then it is considered a valid token. However, if any\r\nexception occurs during this process, the exception is logged and the method returns false, indicating that the\r\ntoken is not valid. If the token is not valid, it immediately terminates the process by calling Environment.Exit(0).  \r\nFigure 15. Telegram token validation\r\nFigure 16. Implementation of TokenIsValid\r\nFigure 17. An example of a network token validation request\r\nAfter validating the Telegram API token, the malware proceeds to send the attacker various system information\r\nand statistics. 
This is achieved through the SendMessage method in the global::Telegram.Telegram class.  \r\nThe Collect method gathers extensive system information and statistics, including geolocation data (such as IP,\r\ncountry, city, postal code), hardware information (such as username, machine name, operating system, hardware\r\nID, GPU, CPU, RAM), and data from web browsers (passwords, cookies, credit cards, autofills, extensions,\r\nwallets, files), as well as details about installed antivirus products. \r\nFigure 18. The malware's data collection report tracks counts of passwords, cookies, and credit\r\ncards, among others.\r\nThe following images are an example of a summary report generated by the Phemedrone Stealer, detailing how\r\nextensive the data exfiltration via network traffic can be. This report includes key information about the\r\ncompromised system and user data, encompassing aspects such as geolocation, hardware specifications, web data\r\nstatistics, and security features of the system. \r\nFigure 19. URL decoded summary report of exfiltrated data\r\nThe next step is to exfiltrate the ZIP-compressed stream containing the full version of the harvested data. This is\r\ndone through the SendZip method, which uses an HTTP POST request to communicate with the Telegram API.\r\nThe compressed file is sent as a “document” through this request.  \r\nThe SendZip and MakeFormRequest2 methods are responsible for constructing the multipart/form-data request.\r\nThey ensure that the appropriate headers are set and that the file data is streamed correctly. This request is sent to\r\nthe Telegram sendDocument API endpoint using the bot token and chat ID. The process includes error handling\r\nand retries, ensuring that the file upload is successful.  
\r\nFigure 20. Malware exfiltrating compressed data via Telegram API\r\nThe snippet in Figure 21 is an example of compressed data exfiltration via Telegram network traffic:  \r\nFigure 21. Data exfiltration network traffic\r\nConclusion \r\nDespite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows\r\nDefender SmartScreen protections to infect users with a plethora of malware types, including ransomware and\r\nstealers like Phemedrone Stealer.  \r\nMalware strains such as Phemedrone Stealer highlight the evolving nature of sophisticated malware threats and\r\nmalicious actors' ability to quickly enhance their infection chains by adding new exploits for critical\r\nvulnerabilities in everyday software. The case discussed here explores the relationship between open-source\r\nmalware and public proof-of-concept exploits, as significant cross-pollination occurs between the release of a\r\npublic proof-of-concept and its incorporation into malware infection chains.  \r\nOrganizations must make sure to update Microsoft Windows installations to prevent being exposed to the\r\nMicrosoft Windows Defender SmartScreen Bypass (CVE-2023-36025). Public proof-of-concept exploit code\r\nexists on the web, increasing the risk to organizations that have not yet updated to the latest patched version.\r\nIt is critical for organizations to adopt technologies such as the Trend Vision One™ platform to protect mission-critical data from advanced cyberthreats. Trend Vision One enables security teams to continuously identify known,\r\nunknown, managed, and unmanaged cyber assets. It also offers comprehensive prevention, detection, and response\r\ncapabilities backed by AI, advanced threat research, and intelligence, leading to faster detection, response, and\r\nremediation.  
\r\nOrganizations should also consider employing a cutting-edge multilayered defensive strategy via\r\ncomprehensive security solutions such as Trend Micro™ Managed XDR services, which can detect, scan, and\r\nblock malicious content across the modern threat landscape. \r\nIndicators of Compromise (IoCs)\r\nYou can find the full list of Phemedrone Stealer IoCs here.\r\nSource: https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html"
	],
	"report_names": [
		"cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8c3c9916b934d4edc0c66c1c1cb69353c119370.pdf",
		"text": "https://archive.orkl.eu/a8c3c9916b934d4edc0c66c1c1cb69353c119370.txt",
		"img": "https://archive.orkl.eu/a8c3c9916b934d4edc0c66c1c1cb69353c119370.jpg"
	}
}