{
	"id": "e3db3885-8b82-4ceb-b4f0-1f2acbc01af4",
	"created_at": "2026-04-06T00:21:15.989046Z",
	"updated_at": "2026-04-10T13:12:33.44517Z",
	"deleted_at": null,
	"sha1_hash": "bb47b08e4b02e6618ed50ab3d75fd2200b1990bf",
	"title": "USBCulprit (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 28617,
	"plain_text": "USBCulprit (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:34:24 UTC\r\nUSBCulprit\r\nActor(s): Hellsing\r\nAccording to Kaspersky, USBCulprit is malware that scans various paths on victim machines,\r\ncollects documents with particular extensions, and copies them to USB drives when those drives are connected to\r\nthe system. It can also selectively copy itself to a removable drive when a particular file is present, suggesting that it\r\ncan be spread laterally by infecting designated drives and having the executable on them opened manually.\r\nReferences\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit"
	],
	"report_names": [
		"win.usbculprit"
	],
	"threat_actors": [
		{
			"id": "78090a48-ca66-4cd8-a454-04d947e9c887",
			"created_at": "2023-01-06T13:46:38.303662Z",
			"updated_at": "2026-04-10T02:00:02.919567Z",
			"deleted_at": null,
			"main_name": "Hellsing",
			"aliases": [],
			"source_name": "MISPGALAXY:Hellsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434875,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb47b08e4b02e6618ed50ab3d75fd2200b1990bf.pdf",
		"text": "https://archive.orkl.eu/bb47b08e4b02e6618ed50ab3d75fd2200b1990bf.txt",
		"img": "https://archive.orkl.eu/bb47b08e4b02e6618ed50ab3d75fd2200b1990bf.jpg"
	}
}