{
	"id": "f907b4d2-dd1e-420f-b4b5-b24da6c983cd",
	"created_at": "2026-04-06T00:20:12.402943Z",
	"updated_at": "2026-04-10T03:36:47.956028Z",
	"deleted_at": null,
	"sha1_hash": "b909a8ea4e39b5ba9c1e0c2568cfe823f3151f32",
	"title": "Cinoshi Project And The Dark Side Of Free MaaS - Cyble",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2440825,
	"plain_text": "Cinoshi Project And The Dark Side Of Free MaaS - Cyble\r\nPublished: 2023-03-23 · Archived: 2026-04-05 15:14:30 UTC\r\nCyble Research \u0026 Investigation Labs investigates a new MaaS platform dubbed Cinoshi Project and its malware arsenal.\r\nCinoshi Clipper Targets Gamers Using Steam Trade Links\r\nCyble Research and Intelligence Labs (CRIL) discovered a new Malware-as-a-Service (MaaS) platform called “Cinoshi”. Cinoshi’s arsenal consists of a stealer, botnet, clipper, and cryptominer. Currently, this MaaS platform is offering its stealer and web panel for free, and such free services are rarely seen. The availability of free malware services means that attackers no longer need technical expertise or resources to launch cyber-attacks. They can simply download and use malware from these platforms, which often provide detailed instructions on effectively deploying the malware. This makes it easier for cybercriminals to carry out attacks on a larger scale, increasing the overall risk to businesses, governments, and individuals.\r\nMalware-as-a-service (MaaS) is a cybercrime model in which TAs use online platforms to sell or rent malware to other TAs. These platforms provide a wide range of malware services, including malware creation \u0026 distribution, botnet rentals, phishing campaigns, etc. 
These platforms provide a convenient way for attackers to launch attacks that can steal sensitive data, infect systems with different malware families, or disrupt critical infrastructure.\r\nCinoshi surfaced on a cybercrime forum in March 2023.\r\nThe figure below shows the post made by the TA on a cybercrime forum.\r\nhttps://cyble.com/blog/cinoshi-project-and-the-dark-side-of-free-maas/\r\nPage 1 of 16\n\nFigure 1 – Post on a Cybercrime Forum\r\nCinoshi MaaS is available on a monthly subscription model for 1000 rubles or 15 dollars a month and includes Botnet and Clipper functionality. The cryptominer is sold on a lifetime subscription model for 2000 rubles or 30 dollars.\r\nThe figure below shows the pricing details.\r\nFigure 2 – Cinoshi MaaS Pricing Details\r\nThis MaaS platform offers a web panel that provides the following functionalities:\r\nCompilation of builds with unique tags directly on the panel.\r\nConfiguring the stealer, as well as notifications via Telegram.\r\nTask management for bots in a botnet.\r\nSetting up wallets for replacement in the clipper.\r\nConfiguring the cryptominer.\r\nThe figure below shows Cinoshi’s web panel.\r\nFigure 3 – Cinoshi Web Panel\r\nCinoshi Stealer\r\nCinoshi Stealer is offered for free and comes with a panel that supports the integration of the build. 
TAs don’t require any server to host this panel and can utilize the Developers Panel to build the binary.\r\nThe TA claims that this stealer has the following functionalities:\r\nCollects data (passwords, cookies, cards) from browsers based on Gecko, Chromium, and Edge.\r\nCollects data from 35+ crypto wallets and browser extensions.\r\nSteals sessions of Steam, Telegram, and Discord.\r\nCollects information about the victim’s computer.\r\nTakes screenshots of the victim’s computer.\r\nCaptures photos from the victim’s webcam.\r\nThe stealer build can be configured on the web panel, which enables features that prevent the exfiltration of duplicate logs or logs that contain little data. TAs can also prevent the execution of the malware build in Commonwealth of Independent States (CIS) countries. This panel also allows TAs to configure the build so that they receive notifications on Telegram.\r\nThe figure below shows the panel for configuring the stealer build.\r\nFigure 4 – Configure Stealer Settings\r\nThe free service generates a stealer payload without any obfuscation or encryption. An encrypted build can be generated by paying 300 Rubles.\r\nThe figure below shows the option for generating the stealer payload.\r\nFigure 5 – Create Build\r\nThe stealer web panel contains statistics of logs and details of the infected systems.\r\nThe figure below shows the Cinoshi stealer web panel.\r\nFigure 6 – Stealer Panel\r\nCinoshi Botnet\r\nUsing the Cinoshi panel, TAs can build a botnet payload, which allows them to download and execute additional malware families on the victim’s system. 
The TA claims that Cinoshi Botnet has the following functionality:\r\nAdds the payload to startup with system attributes.\r\nAdds the payload to the Windows Defender exclusion list.\r\nThe figure below shows the Botnet panel.\r\nFigure 7 – Botnet panel\r\nThe figure below shows the Botnet configuration panel that can execute other payloads on the infected system.\r\nFigure 8 – Botnet configuration panel\r\nCinoshi Clipper\r\nCinoshi clipper can target multiple crypto addresses such as Bitcoin, Ethereum, Monero, Stellar, Ripple, Litecoin, Neocoin, Bitcoin Cash, and Dashcoin. Usually, clippers target cryptocurrency users, but it appears that this clipper also targets Steam users by swapping their Steam trade link with the TA’s trade link.\r\nThe reason for swapping the Steam trade link is likely that it allows the TA to receive any items that the victim may be trading with other Steam users. By replacing the victim’s trade link with their own, the TA can intercept these trades and potentially profit from them.\r\nThe figure below shows the clipper panel.\r\nFigure 9 – Clipper Panel\r\nCinoshi Cryptominer\r\nCinoshi cryptominer is capable of mining cryptocurrencies such as Ethereum and Monero. Using the web panel, TAs can customize the miner build. The web panel offers functionality to specify the CPU consumption, wallet details, and the time period after which mining activities stop.\r\nThe figure below shows the Miner panel.\r\nFigure 10 – Cryptominer Panel\r\nTechnical Analysis of Cinoshi Stealer\r\nThe Cinoshi stealer payload is a 32-bit .Net binary (SHA256: e3aafd9f478b82cbb53ec020cdc2e00e0c4de60a7f66a1166e54ab75b6a9e8c3). 
The Cinoshi Stealer employs several anti-tampering techniques, including heavy obfuscation and the use of empty methods. It modifies its code during runtime and generates error messages when automatic de-obfuscation tools are used. As a result, obtaining readable code is more challenging, hindering analysis and giving the attacker an advantage.\r\nThe figure below shows the stealer payload.\r\nFigure 11 – Stealer Payload\r\nAfter execution, the stealer payload makes a request to hxxps[:]//tryno[.]ru/robots and fetches the base64-encoded content hosted on this site using “WebClient.DownloadString”. After this, it decodes the content, which is the Command and Control (C\u0026C) URL (hxxps[:]//anaida.evisyn[.]lol/).\r\nThe figure below shows the C\u0026C URL decoding process.\r\nFigure 12 – Decoding C\u0026C URL\r\nAfterward, the stealer attempts to acquire various .NET dependency files from the previously decoded URL and saves them with hidden attributes in the stealer’s assembly location. The stealer obtains the following dependencies:\r\nIonic.Zip.dll\r\nEntityFramework.dll\r\nEntityFramework.SqlServer.dll\r\nSystem.Data.SQLite.dll\r\nSystem.Data.SQLite.EF6.dll\r\nSystem.Data.SQLite.Linq.dll\r\nSQLite.Interop.dll\r\nSQLite.Interop.dll\r\nThe figure below shows the requests made by the stealer to download the .Net binaries.\r\nFigure 13 – Downloading .Net Dependencies\r\nNow the stealer initiates multiple threads to carry out malicious actions. It initializes the paths to the directories that contain sensitive information for various applications and verifies their presence on the victim’s system using the Directory.Exists() method.\r\nInstead of creating physical files to store the stolen data, this stealer employs a MemoryStream. 
Finally, all the collected data is added to a zip file named “Arch666.zip”, which is created in the AppData\\Local\\ directory and will be used to exfiltrate the data.\r\nFigure 14 – Using MemoryStream for Storing Stolen Data\r\nThe Cinoshi stealer targets sensitive data from web browsers, including login credentials, credit card information, and cookies. Additionally, it can harvest data from crypto extensions, cold crypto wallets, and session keys used in popular applications such as Discord, Telegram, and Steam.\r\nThe figure below shows the applications targeted by the Cinoshi stealer.\r\nFigure 15 – Applications targeted by Cinoshi Stealer\r\nAlong with stealing data from applications, the stealer makes a GET request to “hxxps[:]//ipwho[.]is/?output=xml” to identify the victim’s location details.\r\nThe figure below shows the geo-information fetched by the stealer.\r\nFigure 16 – Victim’s Geo-Info\r\nNow it grabs all files on the desktop that are below 1 MB and have the following file extensions:\r\n“.txt”,\r\n“.doc”,\r\n“.mafile”,\r\n“.rdp”,\r\n“.jpg”,\r\n“.png”,\r\n“.db”\r\nThe Cinoshi stealer generates a URL pattern using the following parameters, combines it with the C\u0026C server hxxps[:]//anaida[.]evisyn[.]lol/, and sends POST requests to exfiltrate the stolen data.\r\nownerid\r\nbuildid\r\ncountp\r\ncountc\r\nusername\r\ncountry\r\nipaddr\r\nBSSID\r\nCountw\r\nAfter exfiltrating the data, the stealer payload deletes the zip archive created in the above steps to remove traces of suspicious activity.\r\nFigure 17 – Data Exfiltration\r\nPersistence\r\nThe malware generates a new directory named “ChromeUpdater” within the “AppData\\Roaming” directory and executes in this location under the name “chrome.exe”. 
It then adds itself to the startup location to maintain persistence.\r\nThe figure below shows the persistence method used by the stealer.\r\nFigure 18 – Adding itself to the Startup Folder\r\nClipper\r\nThe stealer comes equipped with Clipper functionality in its code, allowing it to perform clipper activities. Additionally, it communicates with the following URLs to retrieve updated crypto wallet addresses and Steam trade links from the C\u0026C server. This approach allows the TA to keep adding new addresses even after the payload has been disseminated.\r\nhxxps://anaida.evisyn.lol/getwallet.php?id=\u0026wallet=eth\r\nhxxps://anaida.evisyn.lol/getwallet.php?id=\u0026wallet=xmr\r\nhxxps://anaida.evisyn.lol/getwallet.php?id=\u0026wallet=xlm\r\nhxxps://anaida.evisyn.lol/getwallet.php?id=\u0026wallet=xrp\r\nhxxps://anaida.evisyn.lol/getwallet.php?id=\u0026wallet=ltc\r\nhxxps://anaida.evisyn.lol/getwallet.php?id=1\u0026wallet=nec\r\nhxxps://anaida.evisyn.lol/getwallet.php?id=\u0026wallet=bch\r\nhxxps://anaida.evisyn.lol/getwallet.php?id=\u0026wallet=dash\r\nhxxps://anaida.evisyn.lol/getwallet.php?id=\u0026wallet=steam\r\nFigure 19 – Fetching Wallet addresses and Steam Trade Link\r\nCoinminer\r\nThe stealer creates a file named “UpdateLinks” within the “AppData\\Local” folder. The file contains links and instructions for subsequent malicious activities. The content of this file is illustrated in the figure below.\r\nFigure 20 – UpdateLinks File\r\nAfter this, the stealer downloads a file from the link hxxps[:]//anaida.evisyn.lol/collector[.]exe, which is the Cinoshi miner. The miner is stored within the AppData\\Local directory under a random numeric name between 111111 and 999999. 
The activity logs for this operation are kept in a file named “WinUpdateLog” within the “AppData\\Roaming” directory.\r\nFigure 21 – Downloading Other Malware Payloads\r\nThe stealer payload now enters a dormant state for more than five minutes, serving as a defense evasion mechanism. The figure below displays the Thread.Sleep() method invoked by the stealer.\r\nFigure 22 – Long Sleep Cycle\r\nThe miner, upon execution, proceeds to execute multiple PowerShell commands, as illustrated in the process tree depicted in the following figure.\r\nFigure 23 – Process Tree\r\nThe miner copies itself as a file named “updater.exe” to “C:\\Program Files\\Google\\Chrome\\” and then executes the following PowerShell command:\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force\r\nThis command adds exclusions to Windows Defender’s real-time protection scan for the current user’s profile directory and the Program Files directory, as these directories are used for mining activities.\r\nAfter this, it executes the following commands using the command prompt.\r\nsc stop UsoSvc: This command stops the Windows Update service.\r\nsc stop WaaSMedicSvc: This command stops the Windows Update Medic Service.\r\nsc stop wuauserv: This command stops the Windows Update Agent service.\r\nsc stop bits: This command stops the Background Intelligent Transfer Service.\r\nsc stop dosvc: This command stops the Delivery Optimization service.\r\nreg delete “HKLM\\SYSTEM\\CurrentControlSet\\Services\\UsoSvc” /f: This command deletes the registry key for the Windows Update service.\r\nreg delete “HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc” /f: This command deletes the registry key for the Windows 
Update Medic Service.\r\nreg delete “HKLM\\SYSTEM\\CurrentControlSet\\Services\\wuauserv” /f: This command deletes the registry key for the Windows Update Agent service.\r\nreg delete “HKLM\\SYSTEM\\CurrentControlSet\\Services\\bits” /f: This command deletes the registry key for the Background Intelligent Transfer Service.\r\nreg delete “HKLM\\SYSTEM\\CurrentControlSet\\Services\\dosvc” /f: This command deletes the registry key for the Delivery Optimization service.\r\npowercfg /x -hibernate-timeout-ac 0: This command sets the hibernate timeout to 0 (disabled) when the computer is connected to AC power.\r\npowercfg /x -hibernate-timeout-dc 0: This command sets the hibernate timeout to 0 (disabled) when the computer is running on battery power.\r\npowercfg /x -standby-timeout-ac 0: This command sets the standby timeout to 0 (disabled) when the computer is connected to AC power.\r\npowercfg /x -standby-timeout-dc 0: This command sets the standby timeout to 0 (disabled) when the computer is running on battery power.\r\nAfterward, it executes a PowerShell script to achieve persistence. 
It creates a task scheduler entry to make the miner execute during startup.\r\nThe figure below shows the Task Scheduler entry disguised as a Google update.\r\nFigure 24 – Persistence Using Task Scheduler\r\nThe miner now commences its cryptocurrency mining activities.\r\nConclusion\r\nThe Cinoshi platform is a recent addition to the MaaS category and provides a web panel and a free stealer service. TAs can develop the binary for this stealer using the Developers Panel without the need for any server to host it.\r\nA major cause for concern with such platforms is the availability of free malware tools, like stealers, which are created to illicitly obtain sensitive information from victims’ devices. The easy accessibility of these tools means that even those with limited technical knowledge can execute attacks, amplifying the overall risk to businesses, governments, and individuals. Our analysis revealed that the Cinoshi stealer shares some similarities with the Zingo stealer discovered in 2022. Still, it’s currently unclear whether there’s any connection between the threat actors behind the two stealers.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices mentioned below:\r\nAvoid downloading pirated software from warez/torrent websites. “Hack Tools” advertised on sites such as YouTube, torrent sites, etc., often contain such malware.\r\nUse strong passwords and enforce multi-factor authentication wherever possible. 
\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing/untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor beacons at the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) Solutions on the employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic   Technique ID   Technique Name\r\nExecution   T1204   User Execution\r\nPersistence   T1547   Boot or Logon Autostart Execution\r\nPersistence   T1053   Scheduled Task/Job\r\nDefense Evasion   T1497.001   Virtualization/Sandbox Evasion: System Checks\r\nDefense Evasion   T1027   Obfuscated Files or Information\r\nCredential Access   T1555   Credentials from Password Stores\r\nCredential Access   T1539   Steal Web Session Cookies\r\nCredential Access   T1552   Unsecured Credentials\r\nCredential Access   T1528   Steal Application Access Token\r\nCollection   T1113   Screen Capture\r\nDiscovery   T1087   Account Discovery\r\nDiscovery   T1518   Software Discovery\r\nDiscovery   T1057   Process Discovery\r\nDiscovery   T1124   System Time Discovery\r\nDiscovery   T1007   System Service Discovery\r\nDiscovery   T1614   System Location Discovery\r\nCommand and Control   T1071   Application Layer Protocol\r\nExfiltration   T1041   Exfiltration Over C\u0026C Channel\r\nExfiltration   T1567   Exfiltration Over Web Service\r\nImpact   T1489   Service Stop\r\nIndicators of Compromise (IoCs)\r\nIndicators   Indicator type   Description\r\n1798e35f14a67741f3425ba67373667d   MD5   Cinoshi Stealer\r\nb929ed50142b9b43fb85c5b1ddb87ec00ca09f24   SHA1   Cinoshi Stealer\r\ne3aafd9f478b82cbb53ec020cdc2e00e0c4de60a7f66a1166e54ab75b6a9e8c3   SHA256   Cinoshi Stealer\r\n40a85e9ac222d66a0f5cf526868ef2a9   MD5   Cinoshi Stealer\r\nb4553412217971d814650995ce9d98c78660fdab   SHA1   Cinoshi Stealer\r\ncf1705c39dc3dbf65856ac6f5462027d9a290ab2d38da08f76aabd684b8a9944   SHA256   Cinoshi Stealer\r\n29f3e408da86aafe535e179767fb2345   MD5   Miner\r\n783303902cafad79efc585fd25705853b4150338   SHA1   Miner\r\n9b7d799895932d8359d7eb5da378b67a481331fa1a912075339d972496d122d6   SHA256   Miner\r\nhxxps[:]//tryno.ru/robots   URL   Malicious URLs\r\nhxxps[:]//anaida[.]evisyn[.]lol   URL   C\u0026C\r\nSource: https://cyble.com/blog/cinoshi-project-and-the-dark-side-of-free-maas/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/cinoshi-project-and-the-dark-side-of-free-maas/"
	],
	"report_names": [
		"cinoshi-project-and-the-dark-side-of-free-maas"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434812,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b909a8ea4e39b5ba9c1e0c2568cfe823f3151f32.pdf",
		"text": "https://archive.orkl.eu/b909a8ea4e39b5ba9c1e0c2568cfe823f3151f32.txt",
		"img": "https://archive.orkl.eu/b909a8ea4e39b5ba9c1e0c2568cfe823f3151f32.jpg"
	}
}