{
	"id": "01cb435d-67b8-4580-9e5e-288defde8dfa",
	"created_at": "2026-04-06T00:11:49.294991Z",
	"updated_at": "2026-04-10T13:12:48.823562Z",
	"deleted_at": null,
	"sha1_hash": "ae1d0d22190bc399b4151b12ce46d057050cb7b8",
	"title": "Infostealer Malware Distributed Using Bundled Installer: Key Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1352147,
	"plain_text": "Infostealer Malware Distributed Using Bundled Installer: Key Threats\r\nPublished: 2022-10-20 · Archived: 2026-04-05 20:18:00 UTC\r\nCyble Research and Intelligence Labs identifies a new Temp stealer and analyses how it spreads via free \u0026 cracked software.\r\nNew Temp Stealer Spreading Via Free \u0026 Cracked Software\r\nWhile monitoring the Dark web for emerging threats, our researchers at Cyble Research and Intelligence Labs (CRIL) found a post in which Threat Actors (TAs) advertised a project named “Temp” and sold a loader and a stealer. The TA named them Temp Loader and Temp Stealer, respectively.\r\nThe Temp Loader is developed for deploying additional malicious files into the victim’s system. The Temp Stealer is information stealer malware that can exfiltrate crypto wallets, system information, browser data, and other important system \u0026 software information and then send it to the attacker’s remote server.\r\nAfter searching for the impact of the loader and information stealer on the surface web, we identified multiple active instances of the Temp Stealer in the wild.\r\nThe stealer is disguised as cracks and keygens and can also be bundled with other software. The malware developer posted about the capabilities of the stealer and loader on the Dark Web. The figure below shows the post for Temp Loader.\r\nhttps://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/\r\nPage 1 of 16\r\nFigure 1 – Temp Loader post on the Dark Web Forum\r\nThe English translation of the Temp Loader post is as follows:\r\nDescription:\r\nNative stub without dependencies written in C++\r\nRuns even on a clean computer!\r\nBuilt-in Anti-VM\r\nAbility to add Fake Error (and its customization)\r\nAbility to use RunPE\r\nYou can add any number of links\r\nPrice\r\n15$ (900 rub) – 1 Month\r\n49$ (3000 rub) – Lifetime\r\nThe malware developers also posted about Temp Stealer and its capabilities. The figure below shows the post for Temp Stealer.\r\nFigure 2 – Temp Stealer post on the Dark Web Forum\r\nThe English translation of the post by the malware authors is given below:\r\nDescription:\r\nCollection of more than 40 types of crypto wallets.\r\nRecursive search for browsers (even finds custom browsers or browsers with a changed folder name).\r\nCollecting information about the PC (IP, Country, City, Zipcode, Timezone, Ram, Processor, GPU, Screenshot).\r\nThe stub is written in C++ (native).\r\nLog collection in memory.\r\nQuick build through the bot.\r\nCollection of Telegram, Steam, and FTP sessions.\r\nCollection of Cookies, Autofills, and Passes.\r\nMultifunctional Telegram bot.\r\nPrice:\r\n7 days – 5$\r\n30 days – 15$\r\n(lolz +7%, qiwi, crypto)\r\nAccording to the malware developers’ post, the stealer can collect more than forty crypto wallets, search for custom browsers to steal data, steal system information, and track the victim’s geolocation. Additionally, the stealer collects information related to Telegram, Steam, FTP sessions, Cookies, Autofill, and Passwords, and works as a Telegram bot.\r\nInitial Infection and Persistence:\r\nAs per our analysis, the stealer masquerades under the following names, indicating that it targets users who are interested in downloading free and cracked software.\r\nazclean3_setup.exe\r\nCheatLoader.exe\r\nShadow Fiend Game.exe\r\nRainbowCrackV4.8.exe\r\nspoofer.exe\r\nIt is also observed that the stealer is bundled with other software installers. One example shows that Temp Stealer targets Adobe Photoshop users by bundling the malicious stealer into the Topaz Clean stylization tool installer, which installs a plugin for Adobe Photoshop.\r\nThe TAs usually upload this malicious bundled software to sites that offer downloads of various free and cracked software. Users interested in this software are redirected to these websites through Google SEO and download the file.\r\nThe initial infection begins when the user runs the installer that has Temp Stealer bundled into it. The figure below shows the Topaz Clean installation wizard.\r\nFigure 3 – Installation Wizard of Topaz Clean\r\nThe installer drops Temp Stealer in the %temp% location, as shown in the figure below.\r\nFigure 4 – Installer Drops Temp Stealer in the User’s Machine\r\nAfter dropping the stealer, the installer creates an autorun registry entry for Temp Stealer; the figure below shows the registry entry created by the installer for stealer persistence.\r\nFigure 5 – Autorun Registry Entry for Temp Stealer\r\nTechnical Details of Temp Stealer\r\nThe malicious Topaz Clean installer dropped Temp Stealer with the file hash “SHA256:d5889aac10527ddc7d4b03407a8933a84a1ea0550f61d442493d4f3237203e3c”. The file is a 64-bit GUI executable compiled using Microsoft Visual C/C++. The figure below shows the static file details. The TimeDateStamp indicates that the malware was compiled recently.\r\nFigure 6 – Temp Stealer File Details\r\nAfter execution, the malware tries to connect to an embedded IP, 79[.]137[.]199[.]73. After connecting to this IP, the stealer checks for wallets on the system in order to steal the files belonging to the corresponding wallets. The stealer targets the following crypto wallets on the victim’s machine.\r\nExodus Web Wallet BitAppWallet BinanceChain\r\nBraveWallet EqualWallet iWallet\r\nMathWallet NiftyWallet Wombat\r\nCoin98Wallet Phantom XDCPay\r\nBitApp GuildWallet ICONex\r\nOxygen YoroiWallet GuardaWallet\r\nJaxxLiberty AtomicWallet SaturnWallet\r\nRoninWallet TerraStation HarmonyWallet\r\nTonCrystal KardiaChain PaliWallet\r\nLiqualityWallet XdefiWallet NamiWallet\r\nMaiarDeFiWallet Authenticator TempleWallet\r\nThe stealer also steals data from the following crypto wallet browser extensions, listed with the extension IDs that are hard coded in the stealer binary.\r\nExodus – aholpfdialjgjfhomihkjbmgjidlcdno\r\nBitApp Wallet – fihkakfobkmkjojpchpfgcmhfjnmnfpi\r\nBinanceChain – fhbohimaelbohpjbbldcngcnapndodjp\r\nBrave wallet – odbfpeeihdkbihmopkbjmoonfanlbfcl\r\nCoinbase Wallet – hnfanknocfeofbddgcijnmhnfnkdnaad\r\nEQUAL Wallet – blnieiiffboillknjnepogjhkgnoapac\r\niWallet – kncchdigobghenbbaddojjnnaogfppfj\r\nMath Wallet – afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nMetaMask – nkbihfbeogaeaoehlefnkodbefgpgknn\r\nNifty Wallet – jbdaocneiiinmjbjlgalhcelgbejmnid\r\nTronLink – ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nWombat – amkmjjmmflddogmhpjloimipbofnfjih\r\nCoin98 – aeachknmefphepccionboohckonoeemg\r\nPhantom – bfnaelmomeimhlpmgjnjophhpkkoljpa\r\nMOBOX Wallet – fcckkdbjnoikooededlapcalpionmalo\r\nXDCPay – bocpokimicclpaiekenaeelehdjllofo\r\nGuildWallet – nanjmdknhkinifnkgdcggcfnhdaammmj\r\nICONex – flpiciilemghbmfalicajoolhkkenfel\r\nCopay – cnidaodnidkbaplmghlelgikaiejfhja\r\nOxygen – fhilaheimglignddkjgofkcbgekhenbh\r\nYori – ffnbelfdoeiohenkjibnmadjiehjhajb\r\nGuarda – hpglfhgfnhbgpjdenjgmdgoeiappafln\r\nJaxx Liberty – cjelfplplebdjjenllpjcblmjkfcffne\r\nMEW CX – nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nSaturn Wallet – nkddgncdjgjfcddamfgcmfnlhccnimig\r\nRonin Wallet – fnjhmkhhmkbjkkabndcnnogagogbneec\r\nTerra Station – aiifbnbfobpmeekipheeijimdpnlpgpp\r\nHarmony ONE – fnnegphlobjdpkhecapkijjdkgcjhkib\r\nEVER Wallet – cgeeodpfagjceefieflmdfphplkenlfk\r\nKardiaChain Wallet – pdadjkfkgcafgbceimcpbkalnfnepbnk\r\nPali Wallet – mgffkfbidihjpoaomajlbgchddlicgpn\r\nBOLT X – aodkkagnadcbobfpggfnjeongemjbjca\r\nLiquality Wallet – kpfopkelmapcoipemfendmdcghnegimn\r\nXDEFI Wallet – hmeobnfnfcmdkdcmlblgagmfpfboieaf\r\nNami – lpfcbjknijpeeillifnkikgncikgfhdo\r\nMaiar DeFi Wallet – dngmlblcodfobpdpecaadgfbcggfjfnm\r\nAuthenticator – bhghoamapcdpbohphigoooaddinpkbai\r\nThe stealer also steals cookies, usernames, passwords, autofill data, and history from Chromium- and Firefox-based browsers. Temp Stealer recursively searches for all installed browsers and steals sensitive information from them. The image below shows the code that steals browser data.\r\nFigure 7 – Stealer Routine to get Browser Data\r\nThe stealer then checks for the Steam application on the system by checking the registry entry HKLM\\\\Software\\\\Classes\\\\steam\\\\Shell\\\\Open\\\\Command. If the registry entry exists, the stealer looks for the Steam Sentry File (SNF) and config file to steal data which includes player profiles, passwords, etc. The figure below shows the pseudocode of the stealer checking for the Steam registry key.\r\nFigure 8 – Stealer Checking for Steam Application\r\nAfter collecting Steam data, the stealer checks for the Telegram application and steals Telegram’s data from the victim’s system. First, the stealer checks if Telegram is installed on the machine by checking the registry key HKU\\\\Software\\\\Classes\\\\tdesktop.tg\\\\shell\\\\open\\\\command. If the registry entry is present, the stealer identifies the installation folder of Telegram and then checks for the tdata and working folders, which contain Telegram session data, messages, images, etc. The figure below shows the stealer looking for Telegram artifacts.\r\nFigure 9 – Stealer Checking Telegram Application in the Victim’s machine\r\nThe stealer takes a screenshot of the current screen and saves it for exfiltration. The code snippet in the figure below shows the routine to capture the screenshot.\r\nFigure 10 – Routine to Capture the Screenshot\r\nAfter taking the screenshot, the stealer gets the geolocation details by calling the URL hxxp://ip-api.com/xml/, which responds with details in XML format. The stealer then parses the XML and gets the victim’s geolocation details. The figure below shows the routine to get the geolocation details.\r\nFigure 11 – Stealer Checking for the Geolocation of Victim\r\nThe stealer then extracts the IP address, Country, City, Zip code, and Timezone details, as shown in the figure below.\r\nFigure 12 – Stealer extracting the Geolocation Details\r\nThe stealer also collects details of the RAM, Processor, and GPU from the victim’s system, as shown in the figure below.\r\nFigure 13 – Stealer Getting System Information from Victim System\r\nThe stealer steals the \\\\FileZilla\\\\recentservers.xml file from the victim’s system, which contains session information of the FileZilla FTP client. The figure below shows the routine to get the FileZilla session file.\r\nFigure 14 – Stealer Stealing FileZilla Session File\r\nThe stealer then looks for Discord token files and steals them; the figure below shows the location of the Discord token files.\r\nFigure 15 – Stealer Checking for Discord Token File\r\nAfter collecting all the above information, the stealer sends the data to the attacker’s remote server. The figure below shows the routine to send the stolen information to the remote server.\r\nFigure 16 – Stealer Sending Stolen Data to Remote Server\r\nThe Temp Stealer was identified to be sending the stolen information to the IPs 79[.]137[.]199[.]73 and 157[.]90[.]126[.]84, which are hosted in Europe. The figure below shows the information of the IPs.\r\nFigure 17 – Information of the IPs (Source: ipinfo.io)\r\nConclusion\r\nBundling malware into software tools is quite common among attackers. Now we are observing a rise of stealers bundled into software and utility tools to target potential victims globally. The Temp Stealer not only targets crypto wallets but also steals data from the Discord, Steam, and Telegram applications. Malware authors are continuously creating new stealers as digital transactions and cryptocurrency usage rise. The increasing use of digital currency incentivizes cyber criminals to steal funds from cryptocurrency users. This stolen data could then be used to commit financial fraud and other attacks.\r\nOur Recommendations\r\nAvoid downloading pirated software from Warez/Torrent websites. The “Hack Tools” present on sites such as YouTube, Torrent sites, etc., contain such malware.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing and untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor beacons at the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) solutions on the employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic – Technique ID – Technique Name\r\nCredential Access – T1555 – Credentials from Password Stores\r\nCredential Access – T1528 – Steal Application Access Token\r\nCredential Access – T1539 – Steal Web Session Cookie\r\nDiscovery – T1087 – Account Discovery\r\nDiscovery – T1083 – File and Directory Discovery\r\nCollection – T1213 – Data from Information Repositories\r\nCollection – T1005 – Data from Local System\r\nCollection – T1113 – Screen Capture\r\nCommand and Control – T1071 – Application Layer Protocol\r\nExfiltration – T1041 – Exfiltration Over C2 Channel\r\nIndicators of Compromise\r\nIndicators – Indicator Type – Description\r\nTemp Stealer Executable:\r\nMD5 49aefb24f729dbd71cef9cb382692ca6\r\nSHA1 f025735b2dfffe4ae43c5154881a3f7fcd9f32ea\r\nSHA256 d5889aac10527ddc7d4b03407a8933a84a1ea0550f61d442493d4f3237203e3c\r\nTemp Stealer Executable:\r\nMD5 bc6bb3430654d410bd9e40292bf32d77\r\nSHA1 8b54d67c889e9f13f232cd9b4d72253f9e5af99a\r\nSHA256 38b387b09dee7eefddcf164239be0bda1fb15285aea27e3f5b1008c7c727929a\r\nTemp Stealer Executable:\r\nMD5 47dbbc7793152a8cb36cde2da0529684\r\nSHA1 16dc7205c3931c0f873c8b2e236742720d1e3a55\r\nSHA256 8619435c6dc202f45919fafdc7538d46220f42cadefccdba2cf094eccb09e436\r\nTemp Stealer Executable:\r\nMD5 9335349810042820689b6d558dff50c1\r\nSHA1 e98cd5d2e3351d20f348fc983f9e679450c33181\r\nSHA256 54d6c6372fd8bfb52431986be148d41b021376770ef13a3baf70912488dd3863\r\nTemp Stealer Executable:\r\nMD5 ad14fb5c857053d9bdebc4c63ba0a57d\r\nSHA1 2322090e024942fad77e0250e8cbc7e691663993\r\nSHA256 3c0856becfc32d59dc0503adb58d111ae56a1625ee99bdef4bcc5907f91dc69f\r\nTemp Stealer Executable:\r\nMD5 3c9df1d7f4835810fad268435699f1a7\r\nSHA1 05e0fc8c5cd5da82e94316afe82e8408fab03974\r\nSHA256 7b9830bfdd87e47b4e6995b3e88640eb690bdef7642c74775e1f3ab89e71d5ce\r\nTemp Stealer Executable:\r\nMD5 c84a51c0e598563ff4c5b2e494da0152\r\nSHA1 9f345c4e7f192380f7b2d098436a392ecf97ff73\r\nSHA256 f7cd47dc867e19dfdc37a0e6c59f6993155d4ad03f9b06292f6cd21515a8c234\r\nTemp Stealer Executable:\r\nMD5 dfbb9e4a30a266ea453637ddfe370e14\r\nSHA1 ddb20679f08d94e84c5e64d5f2fa00f105ad8204\r\nSHA256 f642d7450c597b067ad47ee5220c8c028f0c28b4473093028e3371b450fad9e0\r\nTemp Stealer Executable:\r\nMD5 4da571eb595d83a4f3ffe3e0047efd8a\r\nSHA1 063d687a6a88804000162deeb00244d22cfe3228\r\nSHA256 6330b32586d7b1f4c09193cff1118aa6e33fbe2fcbf174264fe5793e45f20748\r\nTemp Stealer Executable:\r\nMD5 51a4b9154b05dde9c7e14831fc54c6b3\r\nSHA1 8db134b83a65293dd675c52de2996e1c618b07ef\r\nSHA256 55d86d705daefee9c692cd742d83ec670b976261d0c2e28ccb4933d4f6483182\r\nTemp Stealer Executable:\r\nMD5 42febc30a814484455ee8f31ee2f2d88\r\nSHA1 b71332d1aacc1907cdaeaad0cc987621c893f8e7\r\nSHA256 30a62745d4c135ee3bec73a1d4903cb42add1b2d846c16e65e73ffca41386cf2\r\nTemp Stealer Executable:\r\nMD5 72f5de4a2f52c098ba5520ebaa022290\r\nSHA1 196b144cd138ab958ea0c2b5eb1a641d9936abce\r\nSHA256 3dcaa05c859118dc53752f74df59f74c05e7919bd0df635584c74dc8077d11c1\r\nTemp Stealer Executable:\r\nMD5 18a5458b38dc20ecc4f9c9e50d369563\r\nSHA1 7187a067b664692344a61eadaf1cd47f580add61\r\nSHA256 bd95a70300f8cc5bcc0f8d7bdcd269234eff52fa79ecd97c150e58b923b4c51a\r\nTemp Stealer Executable:\r\nMD5 2996f780af9b3fdb28971e887ff8436a\r\nSHA1 294dd0574cc6b953c0bebc1c15b725321073aa82\r\nSHA256 54f4df7424b205b9931b87bf4b5e5635374165e1ed298642034f2fcc44a7ff70\r\nTemp Stealer Executable:\r\nMD5 1f7a139d3c23ded0904a845b7a2db053\r\nSHA1 39431e960dae6140e4603bddb890de58370b920e\r\nSHA256 b8ad6a975cec6279208fd7b5073107eefbbfd7ebdb2f674e7bd0578b18484eee\r\nCommunicating IP:\r\nIP 79[.]137[.]199[.]73\r\nCommunicating IP:\r\nIP 157[.]90[.]126[.]84\r\nSource: https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/"
	],
	"report_names": [
		"infostealer-distributed-using-bundled-installer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434309,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae1d0d22190bc399b4151b12ce46d057050cb7b8.pdf",
		"text": "https://archive.orkl.eu/ae1d0d22190bc399b4151b12ce46d057050cb7b8.txt",
		"img": "https://archive.orkl.eu/ae1d0d22190bc399b4151b12ce46d057050cb7b8.jpg"
	}
}