{
	"id": "817f6eb9-99b6-40f6-bfb2-337a8f5a89bf",
	"created_at": "2026-04-06T01:31:27.41249Z",
	"updated_at": "2026-04-10T03:37:08.875044Z",
	"deleted_at": null,
	"sha1_hash": "b11f977a20c70a90cf18b0718d8b5d5472bbb235",
	"title": "Mint Stealer: A Comprehensive Study of a Python-Based Information Stealer - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4142167,
	"plain_text": "Mint Stealer: A Comprehensive Study of a Python-Based\r\nInformation Stealer - CYFIRMA\r\nArchived: 2026-04-06 00:38:38 UTC\r\nPublished On : 2024-07-30\r\nExecutive Summary\r\nAt Cyfirma, we are dedicated to providing current insights into prevalent threats and the strategies employed by\r\nmalicious entities targeting both organizations and individuals. This report offers a comprehensive analysis of\r\nMint Stealer, an information-stealing malware operating within a malware-as-a-service (MaaS) framework. Mint\r\nStealer is designed to target sensitive data and uses sophisticated techniques to evade detection. This report\r\nexplores Mint Stealer’s evasion tactics and methods for concealing malicious activities, and highlights the evolving\r\nstrategies of cyber threat actors in the contemporary threat landscape.\r\nIntroduction\r\nMint-stealer is a potent piece of malware operating as a malware-as-a-service (MaaS) tool, designed to covertly\r\nexfiltrate a wide range of sensitive data from compromised systems. This malware targets and extracts critical\r\nhttps://www.cyfirma.com/research/mint-stealer-a-comprehensive-study-of-a-python-based-information-stealer/\r\nPage 1 of 20\n\ninformation, including web browser data, cryptocurrency wallet details, gaming credentials, VPN client\r\ninformation, messaging app data, FTP client data, and more.\r\nMint-stealer employs techniques such as encryption and obfuscation to evade detection and enhance its\r\neffectiveness. It is marketed and sold through multiple dedicated websites, with support provided through\r\nTelegram. 
This report examines Mint-stealer’s operational methods and its impact on cybersecurity, and offers\r\nguidance for professionals on developing effective defense strategies against such sophisticated threats.\r\nKey Findings\r\nMint-stealer is a potent malware functioning as a malware-as-a-service (MaaS) tool, designed to covertly\r\nexfiltrate a wide range of sensitive data from compromised systems.\r\nIt targets data from web browsers, cryptocurrency wallets, gaming credentials, VPN clients, messaging\r\napps, and FTP client data.\r\nThis malware is sold through multiple dedicated websites, with support provided via Telegram.\r\nIt is also associated with other malware-selling sites and the hosting service that facilitates malicious\r\nactivities.\r\nMint-stealer is created using the Nuitka Python compiler and relies on Python dynamic modules to support\r\nits functionality.\r\nThe primary specimen acts as a dropper, with the main payload hidden in a compressed form within the\r\nresource section of the executable.\r\nIt checks for debuggers and analysis tools running in the environment.\r\nMint-stealer uploads stolen data to free file-sharing websites and then sends the URL of the uploaded data\r\nto its command-and-control server (C2).\r\nIt sends and receives updates and instructions from the C2 server.\r\nETLM Attribution\r\nMint-stealer is being sold as malware-as-a-service (MaaS) on mint-stealer[.]top and mint-c2[.]top, with both\r\ndomains hosting the same website. Additionally, mint-c2[.]top is used as the command and control (C2) server for\r\nthe stealer:\r\nmint-c2[.]top/ mint-c2[.]top\r\nThe website details Mint-stealer’s features, including its usage, Telegram contact support, and frequent updates to\r\nbypass Windows Defender. 
It also claims to be the best stealer available at a low price:\r\nMint-stealer provides a login panel for its subscribers to access the stealer logs from compromised systems:\r\nStealer login panel: mint-stealer[.]top/panel/login\r\nIt also provides support through a Telegram group and has 407 subscribers at the time of writing:\r\nThe threat actor behind the Mint-stealer has provided a Telegram contact on their website, confirming their\r\nassociation with another malware-selling website, cashout[.]pw:\r\nThreat actor’s Telegram contact\r\ncashout[.]pw sells malware including RATs (Remote Access Trojans), crypters, and ransomware, and also features\r\nMint-stealer:\r\nCashout[.]pw\r\nThe threat actor(s) also offer hosting services on cash-hosting[.]pw, including VPN, VPS, RDP, and cPanel, which\r\ndo not respect DMCA requests:\r\ncash-hosting[.]pw\r\nThreat Landscape:\r\nThe external threat landscape is constantly shifting, with sophisticated threats like Mint-stealer emerging as new\r\nchallenges. The creator(s) of Mint-stealer are particularly skilled at adapting their tactics, using methods like\r\nencryption and obfuscation to stay under the radar and strengthen their attacks. Their methods also involve\r\nutilizing unrestricted hosting services and maintaining robust command and control systems. 
This ongoing\r\nadaptability highlights the persistent challenge in cybersecurity and underscores the necessity for continuous\r\nvigilance and evolving defense strategies.\r\nAnalysis of Mint Stealer\r\nFile Analysis\r\nFile Name Setup.exe\r\nFile Size 9.49 MB (9955840 bytes)\r\nSigned Not signed\r\nMD5 e6e620e5cac01f73d0243dc9cf684193\r\nSHA-256 1064ab9e734628e74c580c5aba71e4660ee3ed68db71f6aa81e30f148a5080fa\r\nDate Modified 23-06-2024\r\nThe primary specimen of Mint-stealer is a 64-bit console-based executable, compiled using Microsoft Visual\r\nC/C++. It is originally named vadimloader.exe and claims to be a Setup file copyrighted by Microsoft:\r\nThe executable consists of 9 sections, with the resource section containing 97.51% of the file data and an entropy\r\nof 7.999. The green region of the byte-usage histogram shows all possible byte values (ranging from 0x00 to\r\n0xFF) on the X-axis, with their frequency of occurrence on the Y-axis. The red region of the histogram orders\r\nthese byte values in descending order of occurrence. The section’s high entropy and the uniform distribution of\r\nbyte values confirm that the resource section is compressed:\r\nThe specimen does not require administrative rights and can execute with the current user’s privileges:\r\nBehavioral \u0026 Code Analysis\r\n1st Stage Execution:\r\nIn the initial stage of execution, Setup.exe accesses its resource section to retrieve the content that it will use as the\r\nnext stage payload:\r\nSetup.exe creates a directory under the user’s Temp directory (C:\\Users\\user\\AppData\\Local\\Temp). 
The directory\r\nname is based on the string ‘onefile,’ the process ID of Setup.exe, and the system time (retrieved using the\r\nGetSystemTimeAsFileTime API):\r\nNext, it creates a file named vadimloader.exe inside the newly created directory. Then, it writes the executable\r\ncode from memory (loaded earlier from the resource section) to the .data section, which is subsequently written to\r\nvadimloader.exe:\r\nIn a similar manner, it also drops additional files into the same directory (Temp/onefile_1512_…). These files\r\ninclude Python dynamic modules (‘.pyd’ files), DLLs, and a file containing CA certificates (‘cacert.pem’):\r\nFile Name vadimloader.exe\r\nFile Size 14.26 MB (14950912 bytes)\r\nSigned Not signed\r\nMD5 9f037593071344bc1354e5a619f914f4\r\nSHA-256 db47e673cccdbe2abb11cc07997aeabf4d2bdc9bec286674b58c6baafa09b823\r\nDate Modified 23-06-2024\r\nvadimloader.exe is a 64-bit console-based Windows executable, created using the Nuitka Python compiler. The\r\nTemp/onefile_1512_… directory contains all the files needed to support the execution and functionality of the\r\nMint-stealer.\r\n2nd Stage Execution:\r\nIn the second stage, Setup.exe executes vadimloader.exe as a child process, using the RtlUserThreadStart API call.\r\nThis function does not require explicit definition or adjustment of the thread context before resuming execution. 
It\r\nsets up the initial context and prepares the thread to execute user-defined code, and the Windows kernel ensures\r\nthat the thread’s initial context, including registers and stack setup, is properly initialized for execution.\r\nvadimloader.exe reads all the files in the Temp/onefile_1512_… directory, including subfolders, and loads the\r\nrequired libraries and code into the process memory for its operation.\r\n3rd Stage Execution:\r\nMint-stealer begins collecting data from the infected system, including web browser data, cryptocurrency wallet\r\ninformation, gaming data, VPN client details, messaging applications, FTP clients, file management applications,\r\nand clipboard data.\r\nThe following applications and services are targeted by the Mint-stealer:\r\n• Web Browsers: Opera, Edge, Mozilla Firefox, Yandex, Iridium, Epic, Sputnik, 7star, Cent, Orbitum, Kometa,\r\nTorch, Amigo, Thunderbird, Vivaldi.\r\n• Cryptocurrency Wallets: Exodus, Electrum, Atomic, MultiDoge, Bitcoin Core, Binance, Coinomi, Jaxx,\r\nElectron Cash, Ethereum\r\n• Gaming: Battle.net, Growtopia, Minecraft, Purple\r\n• VPNs: Proton VPN, OpenVPN\r\n• Messaging/Chat Applications: Skype, Element, Signal, ICQ, Steam, Telegram, Tox.\r\n• FTP/File Management: FileZilla, Shadow (PC \u0026 Drive), Ghisler Total Commander\r\nMint-stealer also collects system information using wmic commands:\r\nIt also continuously executes PowerShell commands to capture clipboard data:\r\nThe malware creates another directory within Temp/onefile_1512_… named ‘Save-’ followed by a randomly\r\ngenerated string, and saves all the harvested data 
into that directory:\r\nThe Save-~ folder is then compressed into a ZIP archive with a name starting with ‘Save-’ followed by a different\r\nrandom string before being deleted:\r\nThe Exfiltration:\r\nThe malware first checks the IP address of the compromised host by sending an HTTP request to api[.]ipify[.]org,\r\nand then uploads the ZIP file (containing harvested data) to free file hosting sites, such as anonfiles[.]com,\r\ngofile[.]io, and fileditch[.]com:\r\nThe cacert.pem file (Temp/onefile_1512_…/certifi/cacert.pem) contains multiple CA certificates, which Mint-stealer uses to encrypt data over the network:\r\nThe file upload request responds with a specific URL from which the uploaded file can be downloaded, and it is\r\npublicly accessible:\r\nInterestingly, the Mint-stealer sends a summary of the exfiltrated data, which has already been uploaded to the\r\nfile-sharing site, along with the URL for downloading the file, to its C2 server (mint-c2[.]top). This transmission\r\noccurs over an unencrypted connection, unlike the file upload, which is done over a secure connection:\r\nMint-Stealer Capabilities\r\nAnalyzing Mint-stealer offers important insights into its operational features. 
Based on this analysis, the following\r\npoints highlight the capabilities of this information-stealing malware:\r\n1. Targets and steals a wide range of sensitive information, including web browser data, cryptocurrency wallet\r\ndetails, gaming credentials, VPN client information, messaging app data, and FTP client data.\r\n2. Captures system information.\r\n3. Creates and manages directories in the TEMP folder to store and organize the harvested data.\r\n4. Detects debuggers and analysis environments.\r\n5. Continuously captures clipboard data through PowerShell commands.\r\n6. Encrypts exfiltrated data to enhance security and evade detection during unauthorized data transfers.\r\n7. Sends and receives updates and instructions from the C2 server.\r\nConclusion:\r\nThe examination of the Mint-stealer reveals a sophisticated and versatile information-stealing malware that\r\noperates as a malware-as-a-service (MaaS) tool. It effectively exfiltrates a wide array of sensitive data from\r\ncompromised systems, including web browser information, cryptocurrency wallet details, and more. By\r\nleveraging advanced techniques, such as encryption, obfuscation, and file compression, Mint-stealer evades\r\ndetection and maximizes its impact. Its operational model, involving data uploads to free file-sharing sites and\r\ncommunications with command-and-control servers, underscores its adaptability and the significant threat it\r\nposes. 
The malware’s distribution through specialized websites and support via Telegram highlights the broader\r\necosystem of cybercrime, emphasizing the need for robust and adaptive cybersecurity measures to counter such\r\nevolving threats.\r\nAs threats like Mint-stealer continue to evolve, it is important for organizations to implement robust cybersecurity\r\nmeasures and proactive defense strategies to mitigate the associated risks. To reduce the threat of Mint-stealer,\r\nusers should exercise caution when opening files from untrusted sources or clicking on unfamiliar links, especially\r\nthose promoting dubious software or content. Additionally, deploying strong cybersecurity practices – such as\r\nusing reputable antivirus software, keeping all software up to date, and remaining vigilant against social\r\nengineering attacks – can significantly enhance protection against such sophisticated malware.\r\nIndicators Of Compromise\r\nIndicators Type Context\r\ne6e620e5cac01f73d0243dc9cf684193 File Setup.exe\r\n1064ab9e734628e74c580c5aba71e4660ee3ed68db71f6aa81e30f148a5080fa File Setup.exe\r\n9f037593071344bc1354e5a619f914f4 File vadimloader.exe\r\ndb47e673cccdbe2abb11cc07997aeabf4d2bdc9bec286674b58c6baafa09b823 File vadimloader.exe\r\nmint-c2[.]top Domain C2\r\nmint-stealer[.]top Domain C2\r\nmint-c2[.]top/api/won URL Exfiltration\r\nmint-c2[.]top/api/injection URL Exfiltration\r\n188[.]114[.]96[.]3 IP address C2\r\n94[.]156[.]79[.]162 IP address C2\r\ncashout[.]pw Domain C2\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nNo. 
Tactic Technique\r\n1 Reconnaissance (TA0043) T1592: Gather Victim Host Information\r\n2 Execution (TA0002) T1204.002: Malicious File\r\n4 Defense Evasion (TA0005)\r\nT1622: Debugger Evasion\r\nT1497: Virtualization/Sandbox Evasion\r\nT1140: Deobfuscate/Decode Files or Information\r\n5 Discovery (TA0007) T1622: Debugger Evasion\r\nT1497: Virtualization/Sandbox Evasion\r\nT1083: File and Directory Discovery\r\n6 Command and Control (TA0011) T1071.001: Web Protocols\r\n7 Exfiltration (TA0010) T1041: Exfiltration Over C2 Channel\r\nYARA Rules\r\nrule MintStealer\r\n{\r\n    meta:\r\n        description = \"Detects Mint-stealer based on known IoCs\"\r\n        author = \"Cyfirma Research\"\r\n    strings:\r\n        // Note: the hash strings below match the literal hex text inside a scanned file, not the file's own digest\r\n        $setup_exe_hash = \"e6e620e5cac01f73d0243dc9cf684193\" // MD5 hash of Setup.exe\r\n        $setup_exe_hash_alt = \"1064ab9e734628e74c580c5aba71e4660ee3ed68db71f6aa81e30f148a5080fa\" // SHA-256 hash of Setup.exe\r\n        $vadimloader_exe_hash = \"9f037593071344bc1354e5a619f914f4\" // MD5 hash of vadimloader.exe\r\n        $vadimloader_exe_hash_alt = \"db47e673cccdbe2abb11cc07997aeabf4d2bdc9bec286674b58c6baafa09b823\" // SHA-256 hash of vadimloader.exe\r\n        $c2_domain1 = \"mint-c2.top\"\r\n        $c2_domain2 = \"mint-stealer.top\"\r\n        $url1 = \"mint-c2.top/api/won\"\r\n        $url2 = \"mint-c2.top/api/injection\"\r\n        $ip_address1 = \"188.114.96.3\"\r\n        $ip_address2 = \"94.156.79.162\"\r\n        $malware_site = \"cashout.pw\"\r\n    condition:\r\n        (any of ($setup_exe_hash, $setup_exe_hash_alt) or\r\n        any of ($vadimloader_exe_hash, $vadimloader_exe_hash_alt)) or\r\n        (any of ($c2_domain1, $c2_domain2) or\r\n        any of ($url1, $url2) or\r\n        any of ($ip_address1, $ip_address2) or\r\n        $malware_site)\r\n}\r\nRecommendations\r\n• Implement threat intelligence to proactively counter the threats associated with the Mint-stealer.\r\n• To protect the endpoints, use robust endpoint security solutions for real-time monitoring and threat detection,\r\nsuch as 
Antimalware security suite and host-based intrusion prevention system.\r\n• Continuous monitoring of the network activity with NIDS/NIPS and using the web application firewall to\r\nfilter/block suspicious activity provides comprehensive protection from compromise due to encrypted payloads.\r\n• Configure firewalls to block outbound communication to known malicious IP addresses and domains associated\r\nwith Mint-stealer command and control servers.\r\n• Implement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes\r\nattempting to make unauthorized network connections.\r\n• Employ application whitelisting to allow only approved applications to run on endpoints, preventing the\r\nexecution of unauthorized or malicious executables.\r\n• Conducting vulnerability assessment and penetration testing on the environment periodically helps in hardening\r\nthe security by finding the security loopholes, followed by a remediation process.\r\n• The use of security benchmarks to create baseline security procedures and organizational security policies is also\r\nrecommended.\r\n• Develop a comprehensive incident response plan that outlines steps to take in case of a malware infection,\r\nincluding isolating affected systems and notifying relevant stakeholders.\r\n• Security awareness and training programs help to protect from security incidents such as social engineering\r\nattacks. 
Organizations should remain vigilant and continuously adapt their defenses to mitigate the evolving\r\nthreats posed by the Mint-stealer malware.\r\n• Apply security patches, which can reduce the risk of potential compromise.\r\nSource: https://www.cyfirma.com/research/mint-stealer-a-comprehensive-study-of-a-python-based-information-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/research/mint-stealer-a-comprehensive-study-of-a-python-based-information-stealer/"
	],
	"report_names": [
		"mint-stealer-a-comprehensive-study-of-a-python-based-information-stealer"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439087,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b11f977a20c70a90cf18b0718d8b5d5472bbb235.pdf",
		"text": "https://archive.orkl.eu/b11f977a20c70a90cf18b0718d8b5d5472bbb235.txt",
		"img": "https://archive.orkl.eu/b11f977a20c70a90cf18b0718d8b5d5472bbb235.jpg"
	}
}