{ "id": "ad3da8b1-360e-4599-8396-d2dddf0027dd", "created_at": "2026-04-06T00:12:32.028086Z", "updated_at": "2026-04-10T03:36:47.798581Z", "deleted_at": null, "sha1_hash": "b1b2b6aa8e6c3713426e440d694d8c27ec69542d", "title": "Recover lost passwords stored in your Web browser", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 142901, "plain_text": "Recover lost passwords stored in your Web browser\r\nArchived: 2026-04-05 15:35:22 UTC\r\n \r\nWebBrowserPassView v2.18\r\nCopyright (c) 2011 - 2025 Nir Sofer\r\nSee Also\r\nWindows Password Recovery Tools\r\nSaved Password Locations For Popular Windows Applications\r\nBrowsingHistoryView - View browsing history of your Web browsers.\r\nDescription\r\nWebBrowserPassView is a password recovery tool that reveals the passwords stored by the following Web\r\nbrowsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and\r\nOpera. This tool can be used to recover your lost/forgotten password of any Website, including popular Web sites,\r\nlike Facebook, Yahoo, Google, and GMail, as long as the password is stored by your Web Browser.\r\nAfter retrieving your lost passwords, you can save them into text/html/csv/xml file, by using the 'Save Selected\r\nItems' option (Ctrl+S).\r\nSystem Requirements And Limitations\r\nhttps://www.nirsoft.net/utils/web_browser_password.html\r\nPage 1 of 10\n\nThis utility works on any version of Windows, starting from Windows 2000, and up to Windows 11,\r\nincluding 64-bit systems. Older versions of Windows (Windows 98/ME) are not supported, because this\r\nutility is a Unicode application.\r\nCurrently, WebBrowserPassView cannot retrieve passwords from external hard-drive (Except of Firefox\r\nWeb browser). Support for that might be added in future versions.\r\nOn Internet Explorer 7.0-9.0, the passwords are encrypted with the URL of the Web site, so\r\nWebBrowserPassView uses the history file of Internet Explorer to decrypt the passwords. If you clear the\r\nhistory of Internet Explorer, WebBrowserPassView won't be able to decrypt the passwords.\r\nOn Google Chrome - passwords originally imported from Internet Explorer 7.0-9.0, cannot be decrypted.\r\nVersions History\r\nVersion 2.18:\r\nUpdated to decrypt the passwords for the encryption change of Firefox 144.\r\nFixed a problem with getting the passwords of Opera.\r\nVersion 2.17:\r\nUpdated to decrypt the passwords encrypted with app-bound encryption on new versions of Chrome\r\n(Third version of the app-bound encryption key).\r\nVersion 2.16:\r\nUpdated to read the 'Login Data for Account' file of Google Chrome. Chrome Web browser may\r\nstore passwords in this file when using a Chrome profile with Google account.\r\nVersion 2.15:\r\nAdded support for decrypting passwords encrypted with app-bound encryption on new versions of\r\nChrome (Version 135). This feature only works when you run WebBrowserPassView as\r\nAdministrator (Ctrl+F11).\r\nVersion 2.13:\r\nFixed a crash problem on Windows 11 24H2.\r\nVersion 2.12:\r\nFixed to display the password of Chromium-based Web browser if it's not encrypted (Like in the\r\nportable version of Brave).\r\nUpdated to work properly in high DPI mode.\r\nVersion 2.11:\r\nAdded new file type to save the passwords list: 'Firefox import/export csv file'. When you save the\r\npasswords in this file type, you can use the import feature of Firefox to import the saved passwords\r\ninto Firefox: Import login data from a file\r\nIn order to save the passwords as 'Firefox import/export csv file', simply select the items you want\r\nto save (or press Ctrl+A to select all passwords), press Ctrl+S (Save Selected Items), choose\r\n'Firefox import/export csv file' from the file type combo-box, type the filename to save and then\r\nclick the 'Save' button to save the file.\r\nVersion 2.10:\r\nAdded support for Brave Web browser.\r\nVersion 2.07:\r\nFixed to decrypt passwords of Firefox profile that uses both 3DES and AES-256.\r\nhttps://www.nirsoft.net/utils/web_browser_password.html\r\nPage 2 of 10\n\nVersion 2.06:\r\nFixed WebBrowserPassView to decrypt the new password encryption on Opera Web browser\r\nVersion 2.05:\r\nAdded support for decrypting the encryption key of new Firefox profiles (AES-256 instead of\r\n3DES).\r\nVersion 2.00:\r\nAdded support for the new password encryption of Chromium / Chrome Web browsers, starting\r\nfrom version 80.\r\nBe aware that the 'Local State' file, located inside the 'User Data' folder, is needed for decrypting the\r\npasswords of Chrome 80 or later.\r\nVersion 1.94:\r\nAdded new file format to export the passwords: Chrome CSV File. It's the same file format that\r\nChrome Web browser exports the passwords from chrome://settings/passwords\r\nVersion 1.93:\r\nAdded support for Chromium-Based Edge Web browser.\r\nThe download zip file is now password-protected.\r\nVersion 1.92:\r\nFixed bug: WebBrowserPassView could crash when decrypting empty passwords in Firefox.\r\nWebBrowserPassView now automatically detects the Waterfox Web browser.\r\nVersion 1.91:\r\nFixed bug: WebBrowserPassView crashed when reading Firefox key file (key3.db) without a master\r\nkey.\r\nVersion 1.90:\r\nFixed WebBrowserPassView to work with Firefox 64-bit, and also WebBrowserPassView doesn't\r\nneed anymore the installation of Firefox to decrypt the passwords. This change also fixes a crash\r\nproblem occurred on some systems.\r\nVersion 1.86:\r\nAdded 'Quick Filter' feature (View -\u003e Use Quick Filter or Ctrl+Q). When it's turned on, you can\r\ntype a string in the text-box added under the toolbar and WebBrowserPassView will instantly filter\r\nthe passwords table, showing only lines that contain the string you typed.\r\nVersion 1.85:\r\nIn 'Advanced Options' window, you can now specify the base profiles folder for Firefox and\r\nChrome (e.g: E:\\Users\\user1\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles ) and\r\nWebBrowserPassView will scan all profiles stored under the specified folder.\r\nVersion 1.82:\r\nAdded 'Filename' column (For Chrome and Firefox Web browsers).\r\nVersion 1.81:\r\nAdded support for Vivaldi Web browser.\r\nVersion 1.80:\r\nFinally... Fixed a crash problem occurred on some Windows 10 systems (The problem occurred if\r\nyou added Gmail or other email account into Windows 10 Mail application). Also,\r\nWebBrowserPassView now displays the modified time of IE10/IE11 items.\r\nhttps://www.nirsoft.net/utils/web_browser_password.html\r\nPage 3 of 10\n\nVersion 1.75:\r\nYou can now choose the desired encoding (ANSI, UTF-8, UTF-16) to save the csv/xml/text/html\r\nfiles. (Under the Options menu)\r\nFixed problem with saving the KeePass csv file.\r\nVersion 1.70:\r\nWebBrowserPassView now automatically detect the passwords of Yandex Web browser.\r\nVersion 1.68:\r\nAnother try to fix this mysterious Windows 10 crash problem, also added more debug info to\r\n/debugwin10\r\nVersion 1.67:\r\nMade another fix for Windows 10 crash problem...\r\nVersion 1.66:\r\nMade a small change in the password extraction of IE10/IE11/Microsoft Edge that hopefully will\r\nsolve the crash problems occur on some Windows 10 systems.\r\nIf you have Windows 10 and WebBrowserPassView still crashes, please run WebBrowserPassView\r\nwith /debugwin10 parameter, run also the DebugView tool of SysInternals, and then send me the\r\nlast 4 debug lines that appeared before the crash.\r\nVersion 1.65:\r\nAdded 'Created Time' and 'Modified Time' columns (These columns are active only for Web\r\nbrowesers that provide this information).\r\nVersion 1.60:\r\nWebBrowserPassView now automatically detects the passwords of Portable Firefox if it's running in\r\nthe background.\r\nVersion 1.58:\r\nFixed WebBrowserPassView to display properly user name/password with non-English characters\r\non Chrome Web browser.\r\nVersion 1.57:\r\nWebBrowserPassView now detects the profile folder of Chromium Web browser.\r\nVersion 1.56:\r\nRemoved the command-line options that export the passwords to a file from the official version. A\r\nversion of this tool with full command-line support will be posted on separated Web page.\r\nVersion 1.55:\r\nAdded support for Firefox 32 (logins.json).\r\nVersion 1.50:\r\nUpdated to work with the latest versions of Opera.\r\nVersion 1.46:\r\nAdded secondary sorting support: You can now get a secondary sorting, by holding down the shift\r\nkey while clicking the column header. Be aware that you only have to hold down the shift key when\r\nclicking the second/third/fourth column. To sort the first column you should not hold down the Shift\r\nkey.\r\nVersion 1.45:\r\nAdded support for SeaMonkey Web browser.\r\nhttps://www.nirsoft.net/utils/web_browser_password.html\r\nPage 4 of 10\n\nVersion 1.43:\r\nFixed to work with Firefox 22.\r\nVersion 1.42:\r\nOpera Web browser: Fixed to detect properly the passwords of login.live.com and probably other\r\nWeb sites\r\nVersion 1.41:\r\nImproved the password decryption on IE10 / Windows 7.\r\nVersion 1.40:\r\nAdded support for the passwords of Internet Explorer 10.\r\nVersion 1.37:\r\nWebBrowserPassView now reads the passwords from all profiles of Chrome Web browser.\r\nVersion 1.36:\r\nFixed bug: WebBrowserPassView failed to work with master password of Firefox containing non-English characters.\r\nVersion 1.35:\r\nWebBrowserPassView now extracts the passwords from all profiles of Firefox Web browser and\r\nreads the profiles.ini file of Firefox to get the correct profile folders.\r\nAdded 'Mark Odd/Even Rows' option, under the View menu. When it's turned on, the odd and even\r\nrows are displayed in different color, to make it easier to read a single line.\r\nFixed issue: The properties dialog-box and other windows opened in the wrong monitor, on multi-monitors system.\r\nVersion 1.30:\r\nAdd new command-line options: /LoadPasswordsIE , /LoadPasswordsFirefox ,\r\n/LoadPasswordsChrome , /LoadPasswordsOpera , and more...\r\nVersion 1.26:\r\nFixed bug: WebBrowserPassView failed to get the passwords of Firefox and Chrome, if the path of\r\ntheir password file contained non-English characters.\r\nVersion 1.25:\r\nAdded 'User Name Field' and 'Password Field' columns for Chrome, Firefox, and Opera Web\r\nbrowsers.\r\nVersion 1.20:\r\nAdded 'Password Strength' column, which calculates the strength of the password and displays it as\r\nVery Weak, Weak, Medium, Strong, or Very Strong.\r\nVersion 1.15:\r\nAdded support for Safari Web browser (passwords are decrypted from keychain.plist)\r\nVersion 1.12:\r\nWebBrowserPassView now automatically extracts the passwords of Chrome Canary.\r\nVersion 1.11:\r\nThe passwords of Chrome Web browser are now displayed properly even when the password file is\r\nlocked by Chrome.\r\nVersion 1.10:\r\nAdded option to choose the desired Opera password file (wand.dat).\r\nhttps://www.nirsoft.net/utils/web_browser_password.html\r\nPage 5 of 10\n\nImporved the detection of Opera password file (wand.dat).\r\nVersion 1.05:\r\nAdded new options for Firefox passwords: Use a master password to decrypt the passwords, Load\r\nthe passwords from the specified profile folder, and the option to use the specified Firefox\r\ninstallation.\r\nAdded option specify the profile folder (User Data) of Google Chrome (For example:\r\nC:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\User\r\nData\\Default)\r\nBe aware that this feature only works if the profile was created by the current logged on user.\r\nLoading from external drive is not supported yet.\r\nVersion 1.00 - First release.\r\nUsing WebBrowserPassView\r\nWebBrowserPassView doesn't require any installation process or additional DLL files. In order to start using it,\r\nsimply run the executable file - WebBrowserPassView.exe\r\nAfter running it, the main window of WebBrowserPassView displays the list of all Web browser passwords found\r\nin your system. You can select one or more passwords and then copy the list to the clipboard (Ctrl+C) or export\r\nthem into text/xml/html/csv file (Ctrl+S).\r\nFalse Virus/Trojan Warning\r\nWebBrowserPassView is a tool that retrieves secret passwords stored in your system, and thus your Antivirus may\r\nfalsely detect this tool is infected with Trojan/Virus. Click here to read more about false alerts in Antivirus\r\nprograms.\r\nCommand-Line Options\r\nNotice: The save command-line options are disabled on the build you download from this Web page. You can find\r\na package of password-recovery tools with full command-line support on the following Web page: Windows\r\nPassword Recovery Tools\r\n/LoadPasswordsIE \u003c0 | 1\u003e\r\nSpecifies whether to load the passwords of Internet Explorer Web\r\nbrowser. 0 = No, 1 = Yes.\r\n/LoadPasswordsFirefox \u003c0 | 1\u003e\r\nSpecifies whether to load the passwords of Firefox Web browser. 0 = No,\r\n1 = Yes.\r\n/LoadPasswordsChrome \u003c0 | 1\u003e\r\nSpecifies whether to load the passwords of Chrome Web browser. 0 =\r\nNo, 1 = Yes.\r\n/LoadPasswordsOpera \u003c0 | 1\u003e\r\nSpecifies whether to load the passwords of Opera Web browser. 0 = No,\r\n1 = Yes.\r\nhttps://www.nirsoft.net/utils/web_browser_password.html\r\nPage 6 of 10\n\n/LoadPasswordsSafari \u003c0 | 1\u003e\r\nSpecifies whether to load the passwords of Safari Web browser. 0 = No,\r\n1 = Yes.\r\n/UseFirefoxProfileFolder \u003c0 | 1\u003e\r\n/FirefoxProfileFolder \u003cFolder\u003e\r\nSpecifies the profile folder of Firefox to load, for example:\r\nWebBrowserPassView.exe /UseFirefoxProfileFolder 1\r\n/FirefoxProfileFolder \"C:\\Documents and Settings\\admin\\Application\r\nData\\Mozilla\\Firefox\\Profiles\\7a2ttm2u.default\"\r\n/UseFirefoxInstallFolder \u003c0 | 1\u003e\r\n/FirefoxInstallFolder \u003cFolder\u003e\r\nSpecifies the installation folder of Firefox to use, for example:\r\nWebBrowserPassView.exe /UseFirefoxInstallFolder 1\r\n/FirefoxInstallFolder \"C:\\Program Files\\Mozilla Firefox\"\r\n/UseChromeProfileFolder \u003c0 | 1\u003e\r\n/ChromeProfileFolder \u003cFolder\u003e\r\nSpecifies the profile folder of Chrome Web browser to load.\r\n/UseOperaPasswordFile \u003c0 | 1\u003e\r\n/OperaPasswordFile \u003cPassword\u003e\r\nSpecifies the master password of Opera, for example:\r\nWebBrowserPassView.exe /UseOperaPasswordFile 1\r\n/OperaPasswordFile \"Thgr55f6\"\r\n/stext \u003cFilename\u003e Save the passwords list into a regular text file.\r\n/stab \u003cFilename\u003e Save the passwords list into a tab-delimited text file.\r\n/scomma \u003cFilename\u003e Save the passwords list into a comma-delimited text file (csv).\r\n/stabular \u003cFilename\u003e Save the passwords list into a tabular text file.\r\n/shtml \u003cFilename\u003e Save the passwords list into HTML file (Horizontal).\r\n/sverhtml \u003cFilename\u003e Save the passwords list into HTML file (Vertical).\r\n/sxml \u003cFilename\u003e Save the passwords list into XML file.\r\n/skeepass \u003cFilename\u003e\r\nSave the passwords list into csv file that can be imported into KeePass\r\nPassword Manager.\r\n/sort \u003ccolumn\u003e This command-line option can be used with other save options for\r\nsorting by the desired column. If you don't specify this option, the list is\r\nsorted according to the last sort that you made from the user interface.\r\nThe \u003ccolumn\u003e parameter can specify the column index (0 for the first\r\ncolumn, 1 for the second column, and so on) or the name of the column,\r\nlike \"URL\" and \"Web Browser\". You can specify the '~' prefix character\r\n(e.g: \"~Web Browser\") if you want to sort in descending order. You can\r\nput multiple /sort in the command-line if you want to sort by multiple\r\ncolumns.\r\nExamples:\r\nWebBrowserPassView.exe /shtml \"f:\\temp\\passwords.html\" /sort 2 /sort\r\nhttps://www.nirsoft.net/utils/web_browser_password.html\r\nPage 7 of 10\n\n~1\r\nWebBrowserPassView.exe /shtml \"f:\\temp\\passwords.html\" /sort \"Web\r\nBrowser\" /sort \"URL\"\r\n/nosort\r\nWhen you specify this command-line option, the list will be saved\r\nwithout any sorting.\r\nTranslating WebBrowserPassView to other languages\r\nIn order to translate WebBrowserPassView to other language, follow the instructions below:\r\n1. Run WebBrowserPassView with /savelangfile parameter:\r\nWebBrowserPassView.exe /savelangfile\r\nA file named WebBrowserPassView_lng.ini will be created in the folder of WebBrowserPassView utility.\r\n2. Open the created language file in Notepad or in any other text editor.\r\n3. Translate all string entries to the desired language. Optionally, you can also add your name and/or a link to\r\nyour Web site. (TranslatorName and TranslatorURL values) If you add this information, it'll be used in the\r\n'About' window.\r\n4. After you finish the translation, Run WebBrowserPassView, and all translated strings will be loaded from\r\nthe language file.\r\nIf you want to run WebBrowserPassView without the translation, simply rename the language file, or move\r\nit to another folder.\r\nLicense\r\nThis utility is released as freeware. You are allowed to freely use it at your home or in your company. However,\r\nyou are not allowed to make profit from this software or to charge your customers for recovering their passwords\r\nwith this software, unless you got a permission from the software author.\r\nYou are also allowed to freely distribute this utility via floppy disk, CD-ROM, Internet, or in any other way, as\r\nlong as you don't charge anything for this. If you distribute this utility, you must include all files in the distribution\r\npackage, without any modification !\r\nDisclaimer\r\nThe software is provided \"AS IS\" without any warranty, either expressed or implied, including, but not limited to,\r\nthe implied warranties of merchantability and fitness for a particular purpose. The author will not be liable for any\r\nspecial, incidental, consequential or indirect damages due to loss of data or any other reason.\r\nFeedback\r\nIf you have any problem, suggestion, comment, or you found a bug in my utility, you can send a message to\r\nnirsofer@yahoo.com\r\nhttps://www.nirsoft.net/utils/web_browser_password.html\r\nPage 8 of 10\n\nWebBrowserPassView is also available in other languages. In order to change the language of\r\nWebBrowserPassView, download the appropriate language zip file, extract the 'webbrowserpassview_lng.ini', and\r\nput it in the same folder that you Installed WebBrowserPassView utility.\r\nLanguage Translated By Date Version\r\nArabic Mohamed Bajdouai 23/04/2015 1.60\r\nBrazilian Portuguese Jaff (Oprea Nicolae) 23/09/2017 1.86\r\nCroatian RandomCroatianGuy 28/08/2016 1.80\r\nCzech Shar (viteco(at-sign)centrum.cz) 29/04/2025 2.15\r\nDutch Jan Verheijen 07/11/2025 2.18\r\nFrench Largo 04/11/2025 2.18\r\nFrench Cyberini 23/04/2019 1.86\r\nFrench Dimitri Janczak 04/09/2022 2.11\r\nGeorgian Mamuka Cheliashvili 13/10/2014 1.00\r\nGerman «Latino» 04/11/2025 2.18\r\nGreek geogeo.gr 05/07/2025 2.16\r\nHebrew peterg 01/06/2011 1.11\r\nHellenic ÈáíÜóçò Êáôóáãåþñãçò 03/03/2011 1.00\r\nHungarian Timinoun 16/12/2025 2.18\r\nItalian Jaff (Oprea Nicolae) 23/09/2017 1.86\r\nItalian Andrea Carli e bovirus 16/10/2025 2.17\r\nJapanese coolvitto 28/04/2025 2.15\r\nKorean VenusGirl (비너스걸) 08/06/2025 2.16\r\nPersian ZendegiyeSabz 09/05/2025 2.15\r\nPolish Hightower 07/05/2025 2.15\r\nPolish Daniel Sajdyk (www.sajdyk.pl) 06/01/2016 1.70\r\nRomanian Jaff (Oprea Nicolae) 23/09/2017 1.86\r\nRussian Dmitry Yerokhin 04/11/2025 2.18\r\nhttps://www.nirsoft.net/utils/web_browser_password.html\r\nPage 9 of 10\n\nSimplified Chinese 李柏均 (Localized by Bojun Li) 01/07/2017 1.86\r\nSimplified Chinese DickMoore 31/05/2025 2.15\r\nSimplified Chinese Qiang 29/04/2020 2.00\r\nSerbian Bojan Maksimovic 03/11/2014 1.56\r\nSlovak František Fico 10/01/2026 2.18\r\nSpanish Jaff (Oprea Nicolae) 23/09/2017 1.86\r\nSpanish Jose (Anunciosgoogle) 02/04/2014 1.45\r\nSwedish Jaff (Oprea Nicolae) 22/11/2013 1.45\r\nTraditional Chinese Danfong Hsieh 28/04/2025 2.15\r\nTraditional Chinese 丹楓(虫二電氣診所) 01/03/2015 1.58\r\nThai น้องพร WiFi ค่ะ 16/08/2013 1.43\r\nTurkish Cemil Kaynar 11/04/2017 1.85\r\nTurkish HARUN ARI 11/12/2022 2.12\r\nUkrainian Vasyl Belynets 01/02/2017 1.82\r\nUzbek Shamsiddinov Zafar 18/10/2020 2.05\r\nValencian Jaff (Oprea Nicolae) 23/09/2017 1.86\r\nVietnamese Nhok35 04/07/2014 1.43\r\nVietnamese Phạm Tuấn Khanh - pk911 10/05/2015 1.60\r\n  \r\nSource: https://www.nirsoft.net/utils/web_browser_password.html\r\nhttps://www.nirsoft.net/utils/web_browser_password.html\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.nirsoft.net/utils/web_browser_password.html" ], "report_names": [ "web_browser_password.html" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434352, "ts_updated_at": 1775792207, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b1b2b6aa8e6c3713426e440d694d8c27ec69542d.pdf", "text": "https://archive.orkl.eu/b1b2b6aa8e6c3713426e440d694d8c27ec69542d.txt", "img": "https://archive.orkl.eu/b1b2b6aa8e6c3713426e440d694d8c27ec69542d.jpg" } }