{
	"id": "473458e2-f474-4cb7-a873-e95cc4cd580b",
	"created_at": "2026-04-06T00:07:08.812108Z",
	"updated_at": "2026-04-10T03:37:09.026348Z",
	"deleted_at": null,
	"sha1_hash": "b45ea1ccdbbf7ff95ebb216884eaa38ea66a8165",
	"title": "Xehook Stealer: Cinoshi’s Crypto \u0026 2FA Target Evolution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3469076,
	"plain_text": "Xehook Stealer: Cinoshi’s Crypto \u0026 2FA Target Evolution\r\nPublished: 2024-03-12 · Archived: 2026-04-05 20:27:29 UTC\r\nXehook Stealer: Evolution of Cinoshi’s Project Targeting Over 100 Cryptocurrencies and 2FA Extensions\r\nCRIL analyzes Xehook Stealer and its evolution from the Cinoshi project.\r\nKey Takeaways\r\nXehook Stealer, discovered by CRIL in January 2024, is a .NET-based malware targeting Windows operating systems. \r\nThe stealer boasts dynamic data collection from Chromium- and Gecko-based browsers, supporting over 110 cryptocurrencies and 2FA extensions. It also includes an API for creating custom traffic bots and a feature for recovering dead Google cookies. \r\nCRIL’s investigation reveals a potential connection between Xehook Stealer, Agniane Stealer, and the Cinoshi project. \r\nThe sequence of events suggests a progression from the free MaaS Cinoshi project to the emergence of Agniane Stealer and, eventually, Xehook Stealer, indicating possible rebranding and development iterations. \r\nSmokeLoader binaries have been identified as a common vector for distributing Xehook Stealer, indicating active propagation efforts. \r\nXehook Stealer shares significant code overlaps with Agniane Stealer, suggesting an evolutionary relationship between the two. Configuration data similarities and communication with the same C\u0026C server reinforce this connection. \r\nSimilarities in web panel design between the Cinoshi, Agniane, and Xehook Stealer panels further support the notion of continuous development and iteration. \r\nOverview\r\nCRIL found a new stealer named Xehook in January 2024. Xehook Stealer targets the Windows operating system and is written in .NET. The Threat Actor (TA) claims this stealer offers dynamic data collection from all Chromium- and Gecko-based browsers, supporting over 110 cryptocurrencies and 2FA extensions. \r\nThe TA behind this stealer also mentions customizable build settings, seamless integration with Telegram for real-time notifications, and the ability to send logs directly to Telegram. Additionally, Xehook Stealer provides an API for creating custom traffic bots and includes a feature for recovering dead Google cookies. \r\nThe TA claims that the stealer gathers a wide range of data, including passwords, cookies, autofill information, and credit cards from browsers, alongside sessions from messaging platforms such as Telegram and Discord. It supports over 15 desktop cryptocurrency wallets and includes a recursive file grabber for collecting specific file formats from user directories. \r\nXehook Stealer is sold on a subscription model, available on a monthly, quarterly, and semi-annual basis, with prices ranging from $50 for one month to $600 for an unlimited period. An additional $100 provides access to the API for an indefinite duration. \r\nThe figure below shows the Xehook Stealer post on a cybercrime forum. \r\nhttps://cyble.com/blog/xehook-stealer-evolution-of-cinoshis-project-targeting-over-100-cryptocurrencies-and-2fa-extensions/\r\nPage 1 of 14\n\nFigure 1 – Xehook Stealer Post on a Cybercrime Forum\r\nNotably, when this post about Xehook Stealer was made on the cybercrime forum, the TA’s username was “thx4drugs,” which was subsequently changed to “Agniane,” as indicated in the figure below.  
\r\nFigure 2 – TA’s Renamed Account \r\nUpon further investigation, we discovered the emergence of a stealer named Agniane in August 2023, as reported by Zscaler. Notably, the Telegram handle mentioned in the Xehook Stealer post corresponds to the one used by the Telegram bot associated with Agniane Stealer. Interestingly, Agniane Stealer is believed to have connections with the Cinoshi project, which CRIL initially uncovered in March 2023. That project operated under a Malware-as-a-Service (MaaS) model, offering a stealer and web panel for free at launch. The following sequence of events reveals the connection between these projects: \r\nA TA launched the free MaaS Cinoshi project in March 2023. \r\nAgniane Stealer emerged in August 2023. \r\nAgniane Stealer references Cinoshi in its note. \r\nThe Telegram bot used by Agniane Stealer mentions the TA’s handle, Agniane, in its bio. \r\nA TA named thx4drugs posts about Xehook Stealer on a cybercrime forum. \r\nThe Xehook Stealer post mentions the same Telegram handle, “Agnianne,” as the Agniane Stealer bot. \r\nThe thx4drugs account is later renamed to Agniane.  \r\nFigure 3 – Linking TA Profiles\r\nThere is a high chance that the TA launched the Cinoshi project as a free MaaS offering to build a user base and, after enhancing the product, began renaming it on each iteration and selling it. We also observed many similarities between the web panels used by the Cinoshi project, Agniane Stealer, and Xehook Stealer, such as the same font scheme and panel structure. 
\r\nFigure 4 – Cinoshi Web Panel\r\nFigure 5 – Agniane Web Panel (Source: Zscaler)\r\nFigure 6 – Xehook Stealer Web Panel \r\nOverlaps with Agniane Stealer\r\nDuring our analysis, we found that Xehook Stealer appears to be an upgraded iteration of Agniane Stealer, sharing many similarities in code base and functionality. We also came across a Cisco report detailing Agniane Stealer and observed that the configuration data described there closely resembles that of Xehook Stealer. However, we identified three additional fields in the Xehook Stealer configuration, namely “selfmelf,” “domaindetect,” and “filext,” indicating that Xehook Stealer has enhanced capabilities compared to its predecessor. Furthermore, both stealer binaries were found communicating with the same command-and-control (C\u0026C) server (hxxps://trecube[.]com/), following a similar sequence of requests, which suggests a strong connection between the two variants. \r\nFigure 7 – Code Overlaps\r\nInitial Infection\r\nDuring our investigation, we came across a SmokeLoader binary (SHA256: fa7f5300459c71d70f1f7b0d0c96aa245fad2a98d55d39a53455d2a7191d8cc9) that was responsible for downloading the loader for Xehook Stealer from the URL below: \r\nhxxps://45.15.156[.]174/index[.]php/s/24Sr2FjZQm8gXFA/download/ketamine[.]exe \r\nAdditionally, Spamhaus has reported an instance of a SmokeLoader binary distributing Xehook Stealer, indicating the active use of SmokeLoader in propagating the Xehook Stealer payload. \r\nTechnical Analysis\r\nThe initial file is a 32-bit .NET loader obfuscated with a crypter. 
This loader contains a time-based restriction, or expiration check: after a certain date (in this case, 14 days after February 24, 2024), the method throws an exception and terminates execution of the malware.  \r\nThis time-based restriction serves as a control mechanism for the malware author. It allows them to limit the lifespan of the malware, potentially evading detection or analysis after a certain period. \r\nThe figure below shows the time-based check. \r\nFigure 8 – Time-Based Check\r\nAfter that, the loader binary decodes the name kernel32.dll, which is stored in reverse order. It uses various functions of kernel32.dll, such as: \r\nFreeConsole() \r\nGetProcAddress() \r\nLoadLibraryA() \r\nCreateThread() \r\nWaitForSingleObject() \r\nVirtualProtect() \r\nThe loader later leverages a few of these functions to inject the stealer payload.  \r\nFigure 9 – Reversing DLL Name \r\nThe loader then decrypts the encrypted stealer payload contained within a byte array. This decryption occurs in two stages: the data undergoes mathematical operations and XORing.  \r\nThe figure below shows the decryption process. \r\nFigure 10 – Decrypts Stealer Payload \r\nThe loader launches a legitimate Windows binary named RegAsm.exe, located at “C:\\Windows\\Microsoft.NET\\Framework\\Version_Number\\RegAsm.exe”. RegAsm is an assembly registration tool primarily used to register .NET assemblies with COM (Component Object Model).  \r\nThe figure below shows the process tree. \r\nFigure 11 – Process Tree\r\nSubsequently, it injects the stealer payload into the RegAsm.exe process. 
It uses functions such as VirtualAlloc, VirtualProtect, and WriteProcessMemory. This technique, known as process injection, is commonly used by malware to evade detection and defense mechanisms.  \r\nThe diagram below illustrates the process injection method. \r\nFigure 12 – Process Injection \r\nThe stealer payload is a 64-bit .NET binary. It is highly obfuscated and stores its encrypted strings in a byte array. It uses a single decryption function that applies XOR and shift operations to every string passed to it as a parameter. Initially, the stealer payload decrypts the C\u0026C URLs, as shown in the figure below.  \r\nhxxps://trecube[.]com/ \r\nhxxps://nc1337[.]online/ \r\nFigure 13 – Decrypts C\u0026C URL \r\nThe stealer then confirms the availability of the C\u0026C servers using the DownloadString() method of a WebClient instance, which retrieves the web content of the designated C\u0026C URL as a string. It inspects the returned value for the string “index.html”; if it is found in the response, the stealer proceeds with that URL for C\u0026C communications. The figure below shows the check for selecting the C\u0026C URL.  \r\nFigure 14 – Check for Selecting C\u0026C\r\nNow, the malware sends a GET request to the following C\u0026C URL:\r\nhxxps://tricube[.]com/getjson[.]php?id=40 \r\nIn return, the C\u0026C server sends configuration information for the stealer payload in JSON format. This configuration data likely contains instructions and settings for the malware to follow, specifying its behavior, targets, and other operational parameters.  \r\nThe figure below shows the configuration data sent by the C\u0026C server. 
\r\nFigure 15 – Configuration Data\r\nThe stealer payload then parses the configuration data by splitting it into an array and initializes a dictionary to store key-value pairs for later use.  \r\nXehook Stealer contains a code snippet that checks for the presence of specific system languages. It initializes an array of CultureInfo objects representing different languages, then iterates through the installed system languages, comparing each with the ones in the array. If any installed language matches, the stealer payload terminates itself. This is a language-based kill switch of the kind commonly used by stealers to avoid infecting systems in CIS countries.  \r\nThe stealer prevents its execution on systems with the following languages installed.\r\nSystem Language Code  Country \r\nru-RU  Russia \r\nkk-KZ  Kazakhstan \r\nro-MD  Moldova \r\nuz-UZ  Uzbekistan \r\nbe-BY  Belarus \r\naz-Latn-AZ  Azerbaijan \r\nhy-AM  Armenia \r\nky-KG  Kyrgyzstan \r\ntg-Cyrl-TJ  Tajikistan \r\nThe figure below shows the decoded language codes. \r\nFigure 16 – Decoded Language Codes\r\nAfter that, the stealer payload decrypts the names of processes associated with malware analysis tools. It then calls the GetProcesses() method to retrieve the list of running processes and compares their names with the decrypted ones; if any match, it terminates itself. This allows the payload to identify analysis or detection environments and avoid executing in them.  \r\nThe stealer performs this anti-analysis check for the following process names:  \r\nprocesshacker \r\nnetstat \r\nnetmon \r\ntcpview \r\nwireshark \r\nfilemon \r\nregmon \r\ncain \r\nThe figure below shows the decryption process. \r\nFigure 17 – Decrypting Process Names\r\nNext, the malware reads DateTime.Now.Ticks to perform a tick-count check. This is a known anti-analysis technique used by malware to detect sandboxes, as virtual machines often exhibit different timing behavior compared to physical machines due to the underlying virtualization layer.  \r\nThe figure below shows the tick count check.  \r\nFigure 18 – Checking Tick Count \r\nNow, the stealer binary uses the Windows Management Instrumentation (WMI) query “Select * from Win32_ComputerSystem” to gather information about the computer system. This query retrieves various system properties, including details about the hardware, operating system, and potentially installed software. \r\nThe stealer examines the data returned by the WMI query to determine whether the computer is running in a virtual environment. It terminates itself if it finds strings such as “VMware” or “VirtualBox,” which are commonly associated with virtual machines.  \r\nThe figure below shows the WMI query.  \r\nFigure 19 – Using WMI Query to Detect Virtualized Environment\r\nAfterward, the stealer makes a GET request to hxxp://ip-api[.]com/json/?fields=11827, which returns a JSON response containing information about the victim’s IP address. The response consists of the following fields:  \r\ncountry: the country where the IP address originates. \r\ncountryCode: the country code corresponding to the country. \r\ncity: the city associated with the IP address (empty in this response). \r\nzip: the ZIP code of the location (empty in this response). \r\nisp: the Internet Service Provider (empty in this response). \r\norg: the organization or company associated with the IP address (empty in this response). \r\nas: the Autonomous System (AS) number or name (empty in this response). \r\nquery: the IP address from which the request originated. \r\nSubsequently, Xehook Stealer uses a MemoryStream object to temporarily store sensitive data collected from the victim’s system, which is later converted into a stealer log.  \r\nXehook Stealer checks the configuration data to identify files to extract from the victim’s system. The TA can define any file extension in the configuration, prompting the stealer to capture and transmit matching files. In the stealer log, these files are stored under a folder named “Files”. The search event logs generated by the stealer payload are illustrated in the figure below. \r\nFigure 20 – File Grabber \r\nThe TA asserted in the cybercrime forum post that this stealer can target all Chromium- and Gecko-based browsers. We examined the technique the TA uses to accomplish this. During its directory traversal, the stealer appends “User Data\\Local State” to each directory it visits. The presence of this path indicates that a Chromium-based browser is installed on the victim’s system, allowing the stealer to proceed with the theft of browser data, including cookies, autofill, and login credentials. We did not observe this stealer binary targeting Gecko-based browsers. One possible reason is that the stealer binaries are customizable through the web panel.  \r\nIn contrast to other stealers, this one dynamically stores stolen data and generates logs directly for data exfiltration. 
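The following Python script is an added example and is not code from Cyble or from the Xehook binary. It emulates the pre-collection gates described above (the language, process-name and WMI virtual-machine checks) and then applies the stealer’s own Chromium detection heuristic, the presence of User Data\\Local State beneath a directory, to scope which targeted extensions a host exposed to it. The host profiles are constructed for the example; the extension IDs are a subset of the table that follows; the process-name normalisation (lower-case, without .exe) and the choice to inspect every Win32_ComputerSystem property are assumptions, since the page shows neither. The tick-count timing check is not emulated because its threshold is not documented.

```python
# Added example (not Cyble's or Xehook's code): emulate the stealer's host gates
# and scope the browser extensions it would have gone after on a given host.

KILL_CULTURES = {
    'ru-RU', 'kk-KZ', 'ro-MD', 'uz-UZ', 'be-BY',
    'az-Latn-AZ', 'hy-AM', 'ky-KG', 'tg-Cyrl-TJ',
}
KILL_PROCESSES = {
    'processhacker', 'netstat', 'netmon', 'tcpview',
    'wireshark', 'filemon', 'regmon', 'cain',
}
VM_MARKERS = ('vmware', 'virtualbox')

# Subset of the targeted extension IDs from the table below, keyed by ID.
TARGETED_EXTENSIONS = {
    'nkbihfbeogaeaoehlefnkodbefgpgknn': 'MetaMask',
    'pknlccmneadmjbkollckpblgaaabameg': 'Trust Wallet',
    'khcodhlfkpmhibicdjjblnkgimdepgnd': 'Google Authenticator',
    'gjffdbjndmcafeoehgdldobgjmlepcal': 'Authy',
    'inljaljiffkdgmlndjkdiepghpolcpki': 'Bitwarden',
    'mammpjaaoinfelloncbbpomjcihbkmmc': 'YubiKey',
}


def first_kill_switch(installed_cultures, running_processes, wmi_computer_system):
    '''Return a label for the first check that would make the stealer exit, or None.
    The order follows the write-up: languages, then process names, then WMI data.'''
    for culture in installed_cultures:
        if culture in KILL_CULTURES:
            return 'language:' + culture
    for proc in running_processes:
        # Assumption: names are compared case-insensitively and without .exe,
        # which is how .NET Process.ProcessName reports them.
        name = proc.lower()
        if name.endswith('.exe'):
            name = name[:-4]
        if name in KILL_PROCESSES:
            return 'process:' + proc
    # Assumption: every string property of Win32_ComputerSystem is inspected.
    for value in wmi_computer_system.values():
        if any(marker in str(value).lower() for marker in VM_MARKERS):
            return 'vm:' + str(value)
    return None


def scope_browser_data(paths):
    '''paths: file paths from the host, forward-slash separated (constructed here).
    A browser root is recognised the way the stealer does it, by the presence of
    User Data/Local State beneath it; installed extensions then live under
    root/User Data/profile/Extensions/extension-id/version/.'''
    roots = set()
    for path in paths:
        parts = path.split('/')
        if len(parts) >= 2 and parts[-2:] == ['User Data', 'Local State']:
            roots.add('/'.join(parts[:-2]))
    hits = {}
    for path in paths:
        parts = path.split('/')
        if 'Extensions' not in parts:
            continue
        i = parts.index('Extensions')
        if i < 2 or i + 1 >= len(parts) or parts[i - 2] != 'User Data':
            continue
        if '/'.join(parts[:i - 2]) not in roots:
            continue  # extension directory without a Local State beside it
        ext_id = parts[i + 1].lower()
        if ext_id in TARGETED_EXTENSIONS:
            hits[ext_id] = TARGETED_EXTENSIONS[ext_id]
    return roots, hits


def triage_host(host):
    '''host: dict with cultures, processes, wmi and paths (see the samples below).'''
    aborted_by = first_kill_switch(host['cultures'], host['processes'], host['wmi'])
    roots, hits = scope_browser_data(host['paths'])
    return {
        'aborted_by': aborted_by,
        'chromium_roots': sorted(roots),
        'targeted_extensions': hits,
    }


CHROME = 'C:/Users/alice/AppData/Local/Google/Chrome'
EDGE = 'C:/Users/alice/AppData/Local/Microsoft/Edge'

# Constructed host profiles, not data from a real incident.
VICTIM_HOST = {
    'cultures': ['en-US'],
    'processes': ['explorer.exe', 'chrome.exe', 'RegAsm.exe'],
    'wmi': {'Manufacturer': 'Dell Inc.', 'Model': 'Latitude 5540'},
    'paths': [
        CHROME + '/User Data/Local State',
        CHROME + '/User Data/Default/Extensions/nkbihfbeogaeaoehlefnkodbefgpgknn/11.0.0_0/manifest.json',
        CHROME + '/User Data/Default/Extensions/gjffdbjndmcafeoehgdldobgjmlepcal/2.2.0_0/manifest.json',
        CHROME + '/User Data/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.0_0/manifest.json',  # not targeted
        EDGE + '/User Data/Local State',
        'D:/backup/User Data/Default/Extensions/inljaljiffkdgmlndjkdiepghpolcpki/2024.1_0/manifest.json',  # no Local State
    ],
}
SANDBOX_HOST = dict(VICTIM_HOST, processes=['explorer.exe', 'Wireshark.exe'])
VM_HOST = dict(VICTIM_HOST, wmi={'Manufacturer': 'VMware, Inc.', 'Model': 'VMware Virtual Platform'})
CIS_HOST = dict(VICTIM_HOST, cultures=['en-US', 'ru-RU'])

if __name__ == '__main__':
    for label, host in [('victim', VICTIM_HOST), ('sandbox', SANDBOX_HOST), ('vm', VM_HOST), ('cis', CIS_HOST)]:
        print(label, triage_host(host))
```

The point of the second half for incident response is scoping: the list of targeted extensions that were actually installed tells you which wallets, authenticators and password vaults to treat as compromised, while an extension directory with no Local State beside it (a backup copy, for instance) is out of the stealer’s reach by its own traversal rule.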
Because of this dynamic collection, folders such as “Cookies” and “Autofill” are created within the log structure to hold the corresponding data types.  \r\nThe stealer configuration has a field named “domaindetect”. The TA uses this field to restrict credential theft to the domains listed in the configuration data.  \r\nThe figure below shows the directory enumeration performed by the stealer to locate Chromium-based browsers. \r\nFigure 21 – Searching for Chromium-Based Browsers\r\nWe observed over 110 Chromium browser extensions targeted by this stealer. Each browser extension has a unique extension ID, and the stealer uses these IDs to search for installed extensions.  \r\nXehook Stealer targets the following extensions. \r\nName  Extension ID \r\nSplikity  jhfjfclepacoldmjmkmdlmganfaalklb \r\nYubiKey  mammpjaaoinfelloncbbpomjcihbkmmc \r\nAvira Password Manager  caljgklbbfbcjjanaijlacgncafpegll \r\nGoogle Authenticator  khcodhlfkpmhibicdjjblnkgimdepgnd \r\niWallet  kncchdigobghenbbaddojjnnaogfppfj \r\nMicrosoft Authenticator  bfbdnbpibgndpjfhonkflpkijfapmomn \r\nWombat  amkmjjmmflddogmhpjloimipbofnfjih \r\nAuthy  gjffdbjndmcafeoehgdldobgjmlepcal \r\nMEW CX  nlbmnnijcnlegkjjpcfjclmcfggfefdm \r\nDuo Mobile  eidlicjlkaiefdbgmdepmmicpbggmhoj \r\nNeoLine  cphhlgmgameodnhkjdmkpanlelnlohao \r\nOTP Auth  bobfejfdlhnabgglompioclndjejolch \r\nTerra Station  aiifbnbfobpmeekipheeijimdpnlpgpp \r\nFreeOTP  elokfmmmjbadpgdjmgglocapdckdcpkn \r\nKeplr  dmkamcknogkgcdfhhbddcghachkejeap \r\nAegis Authenticator  ppdjlkfkedmidmclhakfncpfdmdgmjpm \r\nSollet  fhmfendgdocmcbmfikdcogofphimnkno \r\nLastPass Authenticator  cfoajccjibkjhbdjnpkbananbejpkkjb \r\nICONex  flpiciilemghbmfalicajoolhkkenfel \r\nDashlane  flikjlpgnpcjdienoojmgliechmmheek \r\nKHC  hcflpincpppdclinealmandijcmnkbgn \r\nKeeper  gofhklgdnbnpcdigdgkgfobhhghjmmkj \r\nTezBox  mnfifefkajgofkcjkemidiaecocnkjeh \r\nRoboForm  hppmchachflomkejbhofobganapojjol \r\nByone  nlgbhdfgdhgbiamfdfmbikcdghidoadd \r\nKeePass  lbfeahdfdkibininjgejjgpdafeopflb \r\nOneKey  ilbbpajmiplgpehdikmejfemfklpkmke \r\nKeePassXC  kgeohlebpjgcfiidfhhdlnnkhefajmca \r\nTrust Wallet  pknlccmneadmjbkollckpblgaaabameg \r\nBitwarden  inljaljiffkdgmlndjkdiepghpolcpki \r\nMetaWallet  pfknkoocfefiocadajpngdknmkjgakdg \r\nNordPass  njgnlkhcjgmjfnfahdmfkalpjcneebpl \r\nGuarda Wallet  fcglfhcjfpkgdppjbglknafgfffkelnm \r\nLastPass  gabedfkgnbglfbnplfpjddgfnbibkmbb \r\nExodus  idkppnahnmmggbmfkjhiakkbkdpnmnon \r\nAuthenticator  bhghoamapcdpbohphigoooaddinpkbai \r\nJaxx Liberty  mhonjhhcgphdphdjcdoeodfdliikapmj \r\nEOS Authenticator  oeljdldpnmdbchonielidgobddffflal \r\nAtomic Wallet  bhmlbgebokamljgnceonbncdofmmkedg \r\nBrowserPass  naepdomgkenhinolocfifgehidddafch \r\nElectrum  hieplnfojfccegoloniefimmbfjdgcgp \r\nMYKI  bmikpgodpkclnkgmnpphehdgcimmided \r\nMycelium  pidhddgciaponoajdngciiemcflpnnbg \r\nBread  jifanbgejlbcmhbbdbnfbfnlmbomjedj \r\nCoinomi  blbpgcogcoohhngdjafgpoagcilicpjh \r\nAirbitz  ieedgmmkpkbiblijbbldefkomatsuahh \r\nGreenAddress  gflpckpfdgcagnbdfafmibcmkadnlhpj \r\nKeepKey  dojmlmceifkfgkgeejemfciibjehhdcl \r\nEdge  doljkehcfhidippihgakcihcmnknlphh \r\nCommonKey  chgfefjpcobfbnpmiokfjjaglahmnded \r\nBRD  nbokbjkelpmlgflobbohapifnnenbjlh \r\nZoho Vault  igkpcodhieompeloncfnbekccinhapdb \r\nSamourai Wallet  apjdnokplgcjkejimjdfjnhmjlbpgkdi \r\nNorton Password Manager  admmjipmmciaobhojoghlmleefbicajg \r\nCopay  ieedgmmkpkbiblijbbldefkomatsuahh \r\nTrezor Password Manager  imloifkgjagghnncjkhggdhalmcnfklk \r\nTrezor  jpxupxjxheguvfyhfhahqvxvyqthiryh \r\nMetaMask  nkbihfbeogaeaoehlefnkodbefgpgknn \r\nLedger Live  pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln \r\nTronLink  ibnejdfjmmkpcnlpebklmnkoeoihofec \r\nLedger Wallet  hbpfjlflhnmkddbjdchbbifhllgmmhnm \r\nBinanceChain  fhbohimaelbohpjbbldcngcnapndodjp \r\nBitbox  ocmfilhakdbncmojmlbagpkjfbmeinbd \r\nCoin98  aeachknmefphepccionboohckonoeemg \r\nDigital Bitbox  dbhklojmlkgmpihhdooibnmidfpeaing \r\nOther browser extension IDs include: \r\nlbfeahdfdkibininjgejjgpdafeopflb \r\nfijngjgcjhjmmpcmkeiomlglpeiijkld \r\njbdaocneiiinmjbjlgalhcelgbejmnid \r\npdadjkfkgcafgbceimcpbkalnfnepbnk \r\nafbcbjpbpfadlkmhmclhkeeodmamcflc \r\nbfnaelmomeimhIpmgjnjophhpkkoljpa \r\nhnfanknocfeofbddgcijnmhnfnkdnaad \r\nfhilaheimglignddjgofkcbgekhenbh \r\nblnieiiffboillknjnepogjhkgnoac \r\nmgfffbidihjpoaomajlbgchddlicgpn \r\ncgeeodpfagjceefieflmdfphplkenlfk \r\naodkkagnadcbobfpggnjeongemjbjca \r\nocefimbphcgjaahbclemolcmkeanoagc \r\nkpopkelmapcoipemfendmdghnegimn \r\nfihkakfobkmkjojpchpfgcmhfjnmnfpi \r\nhmeobnffcmdkdcmlb1gagmfpfboieaf \r\nnfinomegcaccbhchhgflladpfbajihdf \r\nIpfcbjknijpeeillifnkikgncikgfhdo \r\nnanjmdkhkinifnkgdeggcnhdaammmj \r\ndngmlblcodfobpdpecaadgfbeggfjfnm \r\nnkddgncdjgifcddamgcmfnlhccnimig \r\nejbalbakoplchlghecdalmeeeajnimhm \r\nfnnegphlobjdpkhecapkijjdkgcjhkib \r\nmlbafbjadjidk1bhgopoamemfibcpdfi \r\nnphplpgoakhhjchkkhmiggakijnkhfnd \r\njnlgamecbpmbajjfhmmmlhejkemejdma \r\npenjlddjkjgpnkllboccdgccekpkcbin \r\nppbibelpcjmhbdihakflkdcoccbgbkpo \r\nfldfpgipfncgndfolcbkdeeknbbbnhcc \r\nmcohilncbfahbmgdjkbpemcciiolgcge \r\npnccjgokhbnggghddhahcnaopgeipafg \r\nenabgbdfcbaehmbigakijjabdpdnimlg \r\negjidjbpglichdcondbcbdnbeeppgdph \r\nfopmedgnkfpebgllppeddmmochcookhc \r\nimlcamfeniaidioeflifonfjeeppblda \r\nkhpkpbbcccdmmclmpigdgddabeilkdpd \r\najkifnllfhikkjbjopkhmjoieikeihjb \r\nlnnnmfcpbkafcpgdilckhmhbkkbpkmid \r\nkkpllkodjeloidieedojogacfhpaihoh \r\naholpfdialjgjfhomihkjbmgjidlcdno \r\nkgdijkcfiglijhaglibaidbipiejjfdp \r\nkilnpioakcdndlodeeceffgjdpojajlo \r\nefbglgofoippbgcjepnhiblaibcnclgk \r\nebfidpplhabeedpnhjnobghokpiioolj \r\nonhogfjeacnfoofkfgppdlbmlmnplgbn \r\nmdjmfdffdcmnoblignmgpommbefadffd \r\nphkbamefinggmakgklpkljjmgibohnba \r\naijcbedoijmgnlmjeegjaglmepbmpkpi \r\nA valid Chrome extension ID is exactly 32 lowercase letters from a through p. Several entries above contain characters outside that alphabet (a digit, an uppercase I, or letters beyond p) or are shorter than 32 characters; those entries should be verified against the binary before being used in detection content.  \r\nThis stealer also targets applications such as Steam, Telegram, Discord, and FileZilla. Additionally, the stealer captures a screenshot of the victim’s system, which is saved as “Screenshot.jpg” in the log.  \r\nOnce all the stolen data has been gathered in the memory stream, it is converted into a byte array and written to a log file using the File.WriteAllBytes() method.  \r\nThe resulting log file is stored in a folder created under the AppData\\Local directory, with a name generated randomly from alphanumeric characters (A-Z, 0-9) and 32 characters long. The figure below shows the method for storing the stolen data. \r\nFigure 22 – Writing Stolen Data to Disk\r\nThe following figure illustrates the malware directory with log files generated by the stealer. \r\nFigure 23 – Log File \r\nThe figure below shows the “About PC.txt” file containing the infected machine’s system details. \r\nFigure 24 – About PC.txt \r\nThe malware then exfiltrates the data using a POST request to the following URL: \r\nhxxps[:]//trecube[.]com/gate.php?id=40\u0026build=new_cloudnever\u0026passwords=0\u0026cookies=0\u0026username=\u0026country=\u0026ip=\u0026BSSID=\u0026wallets=0\u0026token=xehook\u0026ext=\u0026filters=\u0026p\r\nThe figure below shows the network activity.  \r\nFigure 25 – Exfiltrating Data\r\nAfter the upload, the code deletes the uploaded log file from the victim’s system, erasing traces of the theft.  \r\nFigure 26 shows the code that uploads and then deletes the log file. 
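The request sequence described in this analysis (liveness probe of the C\u0026C root, the getjson.php configuration fetch, the ip-api.com lookup, and the gate.php upload) can be hunted for in proxy logs. The Python detector below is an added example, not Cyble’s code and not the malware’s: it classifies each request by the shape of its URL rather than by hostname alone, so it survives the domain rotation already visible between trecube[.]com and nc1337[.]online, and it pulls the build name and counters the stealer reports in the gate.php query string. The log format and the log lines are constructed for the example; the two hostnames in the C2_HOSTS set are the C\u0026C IOCs from this report.

```python
# Added example (not Cyble's or Xehook's code): flag Xehook C2 traffic in proxy
# logs by the shape of the requests, and extract the metadata in the exfil URL.
from urllib.parse import urlsplit, parse_qs

C2_HOSTS = {'trecube.com', 'nc1337.online'}  # from the IOC table

# Constructed log lines in an assumed format: time, client, method, url, status.
SAMPLE_LOG = '''
2024-02-26T10:01:03Z 10.0.0.21 GET https://trecube.com/ 200
2024-02-26T10:01:04Z 10.0.0.21 GET https://trecube.com/getjson.php?id=40 200
2024-02-26T10:01:05Z 10.0.0.21 GET http://ip-api.com/json/?fields=11827 200
2024-02-26T10:01:09Z 10.0.0.21 POST https://trecube.com/gate.php?id=40&build=new_cloudnever&passwords=12&cookies=340&username=alice&country=US&ip=203.0.113.7&BSSID=&wallets=2&token=xehook&ext=&filters= 200
2024-02-26T10:02:00Z 10.0.0.33 GET https://intranet.example/getjson.php?id=7 200
2024-02-26T10:02:30Z 10.0.0.33 GET https://www.example.org/ 200
'''

COUNTER_FIELDS = ('passwords', 'cookies', 'wallets')


def classify_request(method, url):
    '''Name the step of the Xehook C2 sequence that a request matches, or None.'''
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    if method == 'GET' and path.endswith('/getjson.php') and 'id' in query:
        return 'config_fetch'
    if method == 'POST' and path.endswith('/gate.php') and query.get('token') == ['xehook']:
        return 'exfil'
    if method == 'GET' and parts.hostname == 'ip-api.com' and query.get('fields') == ['11827']:
        return 'geo_lookup'
    return None


def exfil_metadata(url):
    '''Extract what the stealer reports about the victim in the gate.php query.'''
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    first = {key: values[0] for key, values in query.items()}
    meta = {key: first.get(key, '') for key in ('id', 'build', 'token', 'username', 'country', 'ip')}
    for key in COUNTER_FIELDS:
        meta[key] = int(first.get(key) or 0)
    return meta


def scan_log(text):
    '''Return {client: details} for clients that show the config fetch followed by
    an exfil upload, or that contact a known C2 host at all.'''
    per_client = {}
    for line in text.strip().splitlines():
        timestamp, client, method, url, status = line.split()
        entry = per_client.setdefault(client, {'steps': [], 'known_c2': False, 'exfil': None})
        if (urlsplit(url).hostname or '') in C2_HOSTS:
            entry['known_c2'] = True
        step = classify_request(method, url)
        if step is None:
            continue
        entry['steps'].append((timestamp, step))
        if step == 'exfil':
            entry['exfil'] = exfil_metadata(url)
    flagged = {}
    for client, entry in per_client.items():
        steps = [step for _, step in entry['steps']]
        in_order = ('config_fetch' in steps and 'exfil' in steps
                    and steps.index('config_fetch') < steps.index('exfil'))
        if in_order or entry['known_c2']:
            flagged[client] = entry
    return flagged


if __name__ == '__main__':
    for client, entry in scan_log(SAMPLE_LOG).items():
        print(client, [step for _, step in entry['steps']], entry['exfil'])
```

A lone getjson.php request with an id parameter (the second client in the sample) is not flagged on its own, because that path name is generic; the ordered pair of configuration fetch then token=xehook upload is what carries the signal, and a hit on a known C\u0026C host is reported regardless of sequence.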
\r\nFigure 26 – Deleting the Log File \r\nFinally, the stealer is designed to display a fake error message, adding a layer of deception to its operation. This fake error message is configurable by the threat actor, who can choose whether it is displayed and what it says through the configuration settings.  \r\nThe figure below shows the fake error message box.  \r\nFigure 27 – Fake Error Message Box \r\nConclusion\r\nXehook Stealer is one of the few stealers with dynamic data collection capabilities and can target many browser extensions. The connection between Xehook Stealer, Agniane, and the Cinoshi project reveals a complex ecosystem of malware development and propagation. This linkage suggests a strategy of rebranding and iterative enhancement to evade detection and prolong malicious operations.  \r\nThe overlaps in codebase, communication infrastructure, and distribution vectors among Xehook Stealer, Agniane, and the Cinoshi project underscore the interconnected nature of cyber threats. Cybercriminals often reuse or repurpose code, infrastructure, and tactics across different malware variants and campaigns. As a result, proactive detection and robust defense mechanisms are essential to combat such threats effectively. \r\nOur Recommendations \r\nThe initial entry point may be spam email. Deploy strong email filtering to identify and block harmful attachments. \r\nDeploy strong antivirus and anti-malware solutions to detect and remove malicious executables. \r\nUse strong, distinct passwords for each account and, wherever feasible, enable two-factor authentication. 
\r\nSet up network-level monitoring to detect unusual activity or data exfiltration by malware, and block suspicious activity to prevent breaches. \r\nEnable two-factor authentication whenever possible for an additional layer of security. \r\nPeriodically change your passwords, especially for sensitive accounts such as email, banking, and social media. \r\nRegularly back up data to guarantee recovery in case of infection, and keep users informed about the latest phishing and social engineering methods employed by cybercriminals. \r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique  Procedure \r\nExecution (TA0002)  User Execution (T1204)  The user needs to manually execute the file. \r\nDefense Evasion (TA0005)  Obfuscated Files or Information (T1027)  Binary may include packed or crypted data. \r\nDefense Evasion (TA0005)  Software Packing (T1027.002)  Binary may include packed or crypted data. \r\nDefense Evasion (TA0005)  Deobfuscate/Decode Files or Information (T1140)  Decodes data using Base64 in .NET. \r\nDefense Evasion (TA0005)  Process Injection (T1055)  Loader injects the stealer payload into RegAsm.exe. \r\nDefense Evasion (TA0005)  Indicator Removal (T1070)  Deletes the stealer logs. \r\nCredential Access (TA0006)  OS Credential Dumping (T1003)  Tries to harvest and steal browser information (cookies, passwords, etc.). \r\nDiscovery (TA0007)  System Information Discovery (T1082)  Queries system information (host name, IP address, etc.). \r\nDiscovery (TA0007)  File and Directory Discovery (T1083)  Stealer enumerates files for grabbing. 
\r\nCollection (TA0009)  Data from Local System (T1005)  Tries to harvest and steal browser information (cookies, passwords, etc.). \r\nCollection (TA0009)  Archive Collected Data (T1560)  Stealer compresses the stolen data into a ZIP archive. \r\nC\u0026C (TA0011)  Application Layer Protocol (T1071)  Malware executable communicates with the C\u0026C server. \r\nIndicators of Compromise (IOCs)\r\nIndicator  Type  Description \r\na3882ac90190c7ccbea744dde58f0a107b67e3eea0024b12d18e72faf9a55b1c  SHA256  Xehook Stealer loader \r\ndaea71a3094e0c90554a77e95b0b354d1515f99e70fa5013f09302a5bb04dde0  SHA256  Xehook Stealer binary \r\nhxxps://trecube[.]com/  URL  C\u0026C \r\nhxxps://nc1337[.]online/  URL  C\u0026C \r\nfa7f5300459c71d70f1f7b0d0c96aa245fad2a98d55d39a53455d2a7191d8cc9  SHA256  SmokeLoader \r\nhxxps://45.15.156[.]174/index[.]php/s/24Sr2FjZQm8gXFA/download/ketamine[.]exe  URL  Malicious URL \r\nSource: https://cyble.com/blog/xehook-stealer-evolution-of-cinoshis-project-targeting-over-100-cryptocurrencies-and-2fa-extensions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/xehook-stealer-evolution-of-cinoshis-project-targeting-over-100-cryptocurrencies-and-2fa-extensions/"
	],
	"report_names": [
		"xehook-stealer-evolution-of-cinoshis-project-targeting-over-100-cryptocurrencies-and-2fa-extensions"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434028,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b45ea1ccdbbf7ff95ebb216884eaa38ea66a8165.pdf",
		"text": "https://archive.orkl.eu/b45ea1ccdbbf7ff95ebb216884eaa38ea66a8165.txt",
		"img": "https://archive.orkl.eu/b45ea1ccdbbf7ff95ebb216884eaa38ea66a8165.jpg"
	}
}