{
	"id": "725d3a2f-d241-4400-b10e-50de4e4ed70d",
	"created_at": "2026-04-06T00:15:40.46736Z",
	"updated_at": "2026-04-10T13:12:47.841052Z",
	"deleted_at": null,
	"sha1_hash": "bb95908e7da43eda77201d64e1ea8493ad06c651",
	"title": "THREAT ANALYSIS REPORT: Snake Infostealer Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1959340,
	"plain_text": "THREAT ANALYSIS REPORT: Snake Infostealer Malware\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 18:59:43 UTC\r\nThe Cybereason Global Security Operations Center (GSOC) issues Cybereason Threat Analysis reports to inform on\r\nimpacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for\r\nprotecting against them.\r\nIn this Threat Analysis report, the GSOC investigates Snake, a feature-rich information-stealing malware. This report\r\nprovides an overview of key information-stealing features of the Snake malware and discusses similarities that we\r\ndiscovered in the staging mechanisms of samples from Snake and two common information-stealing malware programs,\r\nFormBook and Agent Tesla.\r\nKey Findings:\r\nSerious threat to privacy and security: Snake is a feature-rich information-stealing malware. Snake has\r\nkeystroke logging as well as clipboard data, screenshot, and credential theft capabilities. Snake can steal\r\ncredentials from over 50 applications, which include File Transfer Protocol (FTP) clients, email clients,\r\ncommunication platforms, and web browsers. Snake can exfiltrate stolen data through a variety of protocols,\r\nsuch as FTP, Simple Mail Transfer Protocol (SMTP), and Telegram.\r\nNo industry or geographical preferences: Snake has been present in the threat landscape since November\r\n2020 and has been a constant threat to users’ privacy and security since then. 
The Cybereason GSOC observed\r\na spike in infections using the Snake malware in late August 2021 with no specific trend in the industry or the\r\ngeographical locations of the targeted victims.\r\nDetected and prevented: The Cybereason Defense Platform effectively detects and prevents the Snake\r\nmalware.\r\nCybereason Managed Detection and Response (MDR): The Cybereason GSOC has zero tolerance towards\r\nattacks that involve information-stealing malware, such as Snake, and categorizes such attacks as critical,\r\nhigh-severity incidents. The Cybereason GSOC MDR Team issues a comprehensive report to customers when\r\nsuch an incident occurs. The report provides an in-depth overview of the incident, which helps to scope the\r\nextent of compromise and the impact on the customer’s environment. In addition, the report provides\r\nattribution information when possible as well as recommendations for mitigating and isolating the threat.\r\nIntroduction\r\nThe Snake malware is an information-stealing malware that is implemented in the .NET programming language. We suspect\r\nthat the malware authors themselves named the malware Snake, since the malware’s name is present in the data that Snake\r\nexfiltrates from compromised systems. Malicious actors distribute Snake as attachments to phishing emails with various\r\nthemes, such as payment requests.\r\nThe attachments are typically archive files with file name extensions such as img, zip, tar, and rar, and store a .NET\r\nexecutable that implements the Snake malware. Users have to first decompress and then start the .NET executable to infect\r\ntheir systems. 
The executable stages the information-stealing features of the Snake malware on compromised systems and\r\nestablishes persistence:\r\nhttps://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware\r\nPage 1 of 27\n\nThe data that the Snake malware exfiltrates contains the malware’s name\r\nSnake first appeared on the threat landscape in late November 2020. The malware is currently available for purchase in the\r\nunderground scene for a price range between US $25 and $500. Malicious actors have been distributing Snake continuously\r\nthrough phishing campaigns since November 2020. The Cybereason GSOC observed a spike in infections using the Snake\r\nmalware in late August 2021 with no specific trend in the industry or the geographical locations of the targeted victims.\r\nSnake is a feature-rich malware and poses a significant threat to users’ privacy and security. Snake has keystroke logging as\r\nwell as clipboard data, screenshot, and credential theft capabilities. We observed that Snake can steal credentials from over\r\n50 applications, which include FTP clients, mail clients, communication platforms, and web browsers. Snake supports data\r\nexfiltration through a variety of protocols, such as FTP, SMTP, and Telegram.\r\nResearchers have identified many similarities between the code of the information-stealing features of Snake and the code of\r\nthe Matiex malware. 
Although the source code of Matiex has been available for purchase in the underground scene since\r\nFebruary 2021, the information-stealing features of Snake samples that date earlier than February 2021 have code that is\r\nvery similar to Matiex code.\r\nIn this report, we show that in addition to the information-stealing features of Snake, the staging mechanism of Snake\r\nsamples is almost identical to that of two common information-stealing malware programs, FormBook and Agent Tesla.\r\nAnalysis\r\nThe Snake Staging Mechanism\r\nMalicious actors distribute the Snake malware as attachments in phishing emails. These attachments are typically archive\r\nfiles that store a .NET Windows executable, which stages the information-stealing features of Snake on compromised\r\nsystems and establishes persistence.\r\nIn this report, we focus on a Snake sample with a secure hash algorithm (SHA)-1 hash\r\n392597dabf489b682dd10c20d2d84abc3b49abaa and a filename SeptemberOrderlist.pdf.exe:\r\nPhishing emails that distribute the Snake malware\r\nWhen a user runs the compressed .NET Snake executable, SeptemberOrderlist.pdf.exe, the executable unpacks (i.e., decodes\r\nand decrypts) a base-64 encoded and encrypted .NET assembly. The Snake executable stores the encoded and encrypted\r\ncode of this assembly in a string variable. SeptemberOrderlist.pdf.exe decrypts the code of the .NET assembly by using a\r\nsymmetric encryption key of the Triple Data Encryption Standard (DES) encryption algorithm.\r\nThe name of the decrypted .NET assembly is representative. 
SeptemberOrderlist.pdf.exe then loads and executes the\r\nrepresentative assembly by instantiating a Panamera.Porsche object that the assembly implements:\r\nSnake decrypts the .NET assembly representative using the Triple DES encryption algorithm\r\nOne of the functionalities of the representative assembly is decoding and loading an image resource of\r\nSeptemberOrderlist.pdf.exe called TaskWrapperAsyncResu. To avoid detection by sandbox analysis engines, the\r\nrepresentative assembly decodes TaskWrapperAsyncResu after a random sleep time of 38–47 seconds. The decoded\r\nTaskWrapperAsyncResu image resource is another .NET assembly named CF_Secretaria:\r\nThe representative assembly decodes and loads the CF_Secretaria assembly\r\nThe CF_Secretaria assembly is encoded as an image resource\r\nAmong other activities, the CF_Secretaria assembly establishes persistence of the Snake malware on the compromised\r\nsystem as follows:\r\nCF_Secretaria copies the Snake executable, SeptemberOrderlist.pdf.exe, to the user’s AppData folder under a\r\nrandom name, such as C:\\Users\\User\\AppData\\Roaming\\vxhnIvyvbHAK.exe. The name vxhnIvyvbHAK may\r\ndiffer for different samples of the Snake malware.\r\nCF_Secretaria creates an Extensible Markup Language (XML)-formatted scheduled task configuration file\r\nwith the file name extension .tmp in the user’s temporary folder, such as\r\nC:\\Users\\User\\AppData\\Local\\Temp\\tmp55AB.tmp.\r\nCF_Secretaria creates a scheduled task named, for example,\r\nUpdates\\vxhnIvyvbHAK. 
To create this scheduled\r\ntask, CF_Secretaria issues the following command:\r\nC:\\Windows\\System32\\schtasks.exe /Create /TN Updates\\vxhnIvyvbHAK /XML C:\\Users\\User\\AppData\\Local\\Temp\\tmp55AB.tmp\r\nThe scheduled task executes the C:\\Users\\User\\AppData\\Roaming\\vxhnIvyvbHAK.exe executable—that is, the Snake\r\nmalware—at user logon:\r\nCF_Secretaria creates an XML-formatted scheduled task configuration file\r\nThe staging process results in the execution of another instance of SeptemberOrderlist.pdf.exe. This instance of\r\nSeptemberOrderlist.pdf.exe maps into its own context and executes the final payload, an obfuscated .NET assembly that\r\nimplements the information-stealing features of Snake, which we discuss in The Features of Snake section below:\r\nSnake Meets FormBook and Agent Tesla\r\nThe staging mechanisms of recent samples of the FormBook and Agent Tesla malware are almost identical to those of Snake\r\nsamples. FormBook has extensive information-stealing capabilities, such as keystroke logging, credential theft, and\r\nscreenshot theft. The FormBook malware has been available for sale in the underground scene since early 2016 as a one-time purchase or as malware-as-a-service following a subscription model. Agent Tesla is a common remote access tool\r\n(RAT) and information-stealing malware, first discovered in late 2014. Agent Tesla is also available for sale in the\r\nunderground scene.\r\nThe following table presents example Snake, FormBook, and Agent Tesla samples that have similar staging mechanisms. 
We\r\nnow provide a detailed overview of the similarities between the staging mechanisms of the Snake and FormBook samples:\r\nSnake: SHA-1 hash 392597dabf489b682dd10c20d2d84abc3b49abaa, first submission to VirusTotal 2021-09-09\r\nFormBook: SHA-1 hash 43d8881c9bda6344a352d2744913dda5c64ea843, first submission to VirusTotal 2021-08-26\r\nAgent Tesla: SHA-1 hash ae2e277a848421b4be46f1c6ccff727b5a07d90c, first submission to VirusTotal 2021-08-26\r\nThe Snake and FormBook samples unpack the same .NET assembly, representative, from a string variable. The way in\r\nwhich the actors behind Snake and FormBook samples pack the representative assembly in the variable may differ across\r\nsamples. In addition, both samples load and execute the representative assembly by instantiating a Panamera.Porsche object\r\nthat the assembly implements:\r\nThe representative assembly loaded by Snake (a) and FormBook (b)\r\nSnake (a) and FormBook (b) instantiate a Panamera.Porsche object\r\nThe representative assemblies unpacked by the Snake and the FormBook sample decode image resources of the respective\r\nsamples. The decoded image resources are the same .NET assembly, called CF_Secretaria, which the representative\r\nassemblies load after decoding:\r\nThe CF_Secretaria assembly loaded by Snake (a) and FormBook (b)\r\nThe staging mechanisms of the Snake and FormBook samples significantly diverge at the point of deployment of the final\r\npayloads, or the information-stealing features of Snake and FormBook. 
The final payload of the Snake sample is a .NET\r\nassembly that runs in the context of a separate instance of the sample, while the final payload of the FormBook sample is a\r\nnative Windows executable.\r\nThe FormBook sample injects its final payload into legitimate Windows processes, such as explorer.exe and wlanext.exe.\r\nPrevious research documents the deployment of the final payload of the FormBook sample in greater detail:\r\nProcess tree: The deployment of the final payload of the Snake sample (a) and the FormBook sample (b)\r\nThe fact that the staging mechanisms of the Snake and other common information-stealing malware, such as FormBook and\r\nAgent Tesla, are almost identical indicates that the actors behind the Snake sample that we analyzed may have purchased or\r\notherwise obtained the staging mechanism from other actors on the malware marketplace. The same actors might also\r\ndistribute the Snake, FormBook and Agent Tesla samples that share the staging mechanism.\r\nTogether with the strong indications that the staged information-stealing features of the Snake malware themselves are based on\r\nthe Matiex malware, the former scenario shows how easily malware developers can create new malware by code reuse.\r\nAlthough this report focuses on samples of the Snake, FormBook, and Agent Tesla malware, other malware could use the\r\nsame staging mechanism as the samples that we analyzed.\r\nThe Features of Snake\r\nThis section provides an overview of key information-stealing features of the Snake sample that we analyzed,\r\nSeptemberOrderlist.pdf.exe. We emphasize that different Snake samples do not use all implemented features. 
Previous\r\nresearch indicates that malicious actors build Snake samples by using a builder tool that integrates all Snake features in built\r\nsamples, but enables only the features selected by the actors.\r\nFor persistence, in addition to creating a scheduled task by using its staging mechanism, Snake can also edit the registry key\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run to execute itself at user logon.\r\nTo avoid detection, Snake can disable solutions that may detect the malware’s operation by killing associated processes,\r\nsuch as the avastui process, which is related to the Avast antivirus, and the wireshark process, which is related to the\r\nWireshark network traffic analyzer.\r\nThe table below lists the names of the processes that Snake stops. In addition, Snake can add itself to the exclusion list of the\r\nWindows Defender security mechanism by executing the PowerShell command powershell.exe Add-MpPreference -ExclusionPath and specifying the path to the Snake executable:\r\nzlclient\r\negui\r\nbdagent\r\nnpfmsg\r\nolydbg\r\nanubis\r\nwireshark\r\navastui\r\n_Avp32\r\nvsmon\r\nmbam\r\nkeyscrambler\r\n_Avpcc\r\n_Avpm\r\nAckwin32\r\nOutpost\r\nAnti-Trojan\r\nANTIVIR\r\nApvxdwin\r\nATRACK\r\nAutodown\r\nAvconsol\r\nAve32\r\nIcload95\r\nIcloadnt\r\nIcmon\r\nIcsupp95\r\nIcsuppnt\r\nIface\r\nIomon98\r\nJedi\r\nLockdown2000\r\nLookout\r\nLuall\r\nMCAFEE\r\nMoolive\r\nMpftray\r\nN32scanw\r\nNAVAPSVC\r\nNAVAPW32\r\nNAVLU32\r\nNavnt\r\nNAVRUNR\r\nNavw32\r\nNavwnt\r\nNeoWatch\r\nVsecomr\r\nVshwin32\r\nVsstat\r\nWebscanx\r\nWEBTRAP\r\nWfindv32\r\nZonealarm\r\nLOCKDOWN2000\r\nRESCUE32\r\nLUCOMSERVER\r\navgcc\r\navgcc\r\navgamsvr\r\navgupsvc\r\navgw\r\navgcc32\r\navgserv\r\navgserv9\r\navgserv9schedapp\r\navgemc\r\nashwebsv\r\nashdisp\r\nashmaisv\r\nAvgctrl\r\nAvkserv\r\nAvnt\r\nAvp\r\nAvp32\r\nAvpcc\r\nAvpdos32\r\nAvpm\r\nAvptc32\r\nAvpupd\r\nAvsched32\r\nAVSYNMGR\r\nAvwin95\r\nAvwupd32\r\nBlackd\r\nBlackice\r\nCfiadmin\r\nCfiaudit\r\nCfinet\r\nCfinet32\r\nClaw95\r\nClaw95cf\r\nCleaner\r\nCleaner3\r\nDefwatch\r\nDvp95\r\nDvp95_0\r\nEcengine\r\nEsafe\r\nEspwatch\r\nF-Agnt95\r\nFindviru\r\nFprot\r\nNISSERV\r\nNisum\r\nNmain\r\nNormist\r\nNORTON\r\nNupgrade\r\nNvc95\r\nOutpost\r\nPadmin\r\nPavcl\r\nPavsched\r\nPavw\r\nPCCIOMON\r\nPCCMAIN\r\nPccwin98\r\nPcfwallicon\r\nPersfw\r\nPOP3TRAP\r\nPVIEW95\r\nRav7\r\nRav7win\r\nRescue\r\nSafeweb\r\nScan32\r\nScan95\r\nScanpm\r\nScrscan\r\nServ95\r\nSmc\r\nSMCSERVICE\r\nSnort\r\nSphinx\r\nSweep95\r\nashserv\r\naswUpdSv\r\nsymwsc\r\nnorton\r\nNorton Auto-Protect\r\nnorton_av\r\nnortonav\r\nccsetmgr\r\nccevtmgr\r\navadmin\r\navcenter\r\navgnt\r\navguard\r\navnotify\r\navscan\r\nguardgui\r\nnod32krn\r\nnod32kui\r\nclamscan\r\nclamTray\r\nclamWin\r\nfreshclam\r\noladdin\r\nsigtool\r\nw9xpopen\r\nWclose\r\ncmgrdian\r\nalogserv\r\nmcshield\r\nvshwin32\r\navconsol\r\nvsstat\r\navsynmgr\r\nF-Prot\r\nF-Prot95\r\nFp-Win\r\nFrw\r\nF-Stopw\r\nIamapp\r\nIamserv\r\nIbmasn\r\nIbmavsp\r\nSYMPROXYSVC\r\nTbscan\r\nTca\r\nTds2-98\r\nTds2-Nt\r\nTermiNET\r\nVet95\r\nVettray\r\nVscan40\r\navcmd\r\navconfig\r\nlicmgr\r\nsched\r\npreupd\r\nMsMpEng\r\nMSASCui\r\nAvira.Systray\r\nThe names of the processes that the Snake malware kills\r\nThe Snake malware kills processes\r\nSnake has a self-deletion feature such that the malware deletes itself using the del command after a timeout of three seconds\r\nonce Snake has started the self-deletion process:\r\nThe Snake malware can delete itself\r\nSnake can gather the following types of information about the compromised environment in which the 
malware runs:\r\nOperating system and hardware information: Snake obtains the operating system name and version, amount of\r\nhard disk and physical memory, and machine name.\r\nGeolocation and date-time information: Snake issues requests to the web services checkip.dyndns.org and\r\nfreegeoip.app to discover the IP address of the operating system on which Snake runs, and the system’s\r\ngeolocation based on the IP address.\r\nPrevious research states that the Snake malware uses the above information to decide whether to fully execute on a\r\ncompromised system. The Snake sample that we analyzed does not do this, but only exfiltrates the geolocation and date/time\r\ninformation among other stolen data:\r\nThe Snake malware gathers operating system, hardware, geolocation, and date-time information\r\nSnake has many information-stealing features and poses a significant threat to users’ privacy and security. The figure below\r\ndepicts a systematization of the information-stealing features of the Snake malware:\r\nA systematization of the information-stealing features of Snake\r\nKeystroke Logging\r\nThe Snake malware uses the SetWindowsHookExA and CallNextHookEx functions to capture key press events. Snake logs\r\nthe key when a user presses a system key, that is, a key that a user presses after the F10 key or together with the ALT key.\r\nSnake also logs the key when a user presses a non-system key—a key that a user presses without pressing the ALT key at the\r\nsame time. 
Snake stores logged keystrokes in a variable:\r\nThe Snake malware logs keystrokes\r\nClipboard Data Theft\r\nSnake invokes the IsClipboardFormatAvailable function to determine whether clipboard data in Unicode text format\r\n(Microsoft Standard Clipboard Format CF_UNICODETEXT) is available. Snake then invokes the OpenClipboard function\r\nto open and lock the clipboard, followed by the GetClipboardData function to retrieve the data in Unicode text format.\r\nIn addition, the Snake malware uses the ClipboardProxy.GetText function to retrieve clipboard data in standard American\r\nNational Standards Institute (ANSI) or Unicode text format. Snake stores clipboard data in a variable:\r\nThe Snake malware retrieves clipboard data\r\nScreenshot Theft\r\nThe Snake malware uses the Graphics.CopyFromScreen function to take a screenshot of the entire screen. Snake stores the\r\nscreenshot in the %MyDocuments%\\SnakeKeylogger\\Screenshot.png file. Snake creates the\r\n%MyDocuments%\\SnakeKeylogger directory if the directory does not exist. After taking a screenshot, Snake first exfiltrates\r\nthe Screenshot.png file as we describe in the Data Exfiltration section, and then deletes the file:\r\nThe Snake malware takes and stores screenshots\r\nCredential Theft\r\nSnake can steal saved credentials from credential databases of communication platforms, FTP clients, email clients, and web\r\nbrowsers. The table below lists the applications (column ‘Application’) from which Snake can steal saved credentials and\r\nthe locations of the applications’ credential databases (column ‘Credential database’) that Snake accesses to retrieve\r\ncredentials. The sample of the Snake malware we analyzed can steal credentials from 59 applications, out of which 52 are\r\nweb browsers. 
In the table below:\r\n%AppData% and %LocalAppData% are Windows environment variables that resolve to filesystem paths,\r\nsuch as C:\\Users\\user\\AppData and C:\\Users\\user\\AppData\\Local\r\n%FoxmailInstallation% refers to an installation directory of the Foxmail email client, such as C:\\Program Files\\Foxmail 7.2, and $email refers to a configured email address, such as test@domain.com\r\nApplication Credential database (files or Windows Registry values)\r\nCommunication platforms\r\nDiscord %AppData%\\discord\\Local Storage\\leveldb\\[*].ldb\r\nPidgin %AppData%\\.purple\\accounts.xml\r\nFTP clients\r\nFileZilla %AppData%\\FileZilla\\FileZilla\\recentservers.xml\r\nMail clients\r\nFoxmail $FoxmailInstallation\\Storage\\$email\\Accounts\\Account.rec0\r\nOutlook\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2 [Email\\IMAP Password\\POP3 Password\\HTTP Password\\SMTP Password]\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\[Email\\IMAP Password\\POP3 Password\\HTTP Password\\SMTP Password]\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676\\[Email\\IMAP Password\\POP3 Password\\HTTP Password\\SMTP Password]\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2 [Email\\IMAP Password\\POP3 Password\\HTTP Password\\SMTP Password]\r\nPostBox %AppData%\\PostboxApp\\Profiles\\logins.json\r\nThunderbird %AppData%\\Thunderbird\\Profiles\\logins.json\r\nWeb browsers\r\n360 Browser %LocalAppData%\\360Browser\\Browser\\User Data\\Default\\Login Data\r\n360Chrome %LocalAppData%\\360Chrome\\Chrome\\User Data\\Default\\Login Data\r\n7 Star 
%LocalAppData%\\7Star\\7Star\\User Data\\Default\\Login Data\r\nAmigo %LocalAppData%\\Amigo\\User Data\\Default\\Login Data\r\nAvast Secure Browser %LocalAppData%\\AVAST Software\\Browser\\User Data\\Default\\Login Data\r\nBlackHawk %LocalAppData%\\BlackHawk\\User Data\\Default\\Login Data\r\nBlisk %LocalAppData%\\Blisk\\User Data\\Default\\Login Data\r\nBrave %LocalAppData%\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data\r\nCentBrowser %LocalAppData%\\CentBrowser\\User Data\\Default\\Login Data\r\nChedot %LocalAppData%\\Chedot\\User Data\\Default\\Login Data\r\nChrome %LocalAppData%\\Google\\Chrome\\User Data\\Default\\Login Data\r\nChrome Canary %LocalAppData%\\Google\\Chrome SxS\\User Data\\Default\\Login Data\r\nChromePlus %LocalAppData%\\MapleStudio\\ChromePlus\\User Data\\Default\\Login Data\r\nChromium %LocalAppData%\\Chromium\\User Data\\Default\\Login Data\r\nCitrio %LocalAppData%\\CatalinaGroup\\Citrio\\User Data\\Default\\Login Data\r\nCoc Coc %LocalAppData%\\CocCoc\\Browser\\User Data\\Default\\Login Data\r\nComodo Dragon %LocalAppData%\\Comodo\\Dragon\\User Data\\Default\\Login Data\r\nCoowon %LocalAppData%\\Coowon\\Coowon\\User Data\\Default\\Login Data\r\nCyberfox %AppData%\\8pecxstudios\\Cyberfox\\Profiles\\logins.json\r\nEdge %LocalAppData%\\Microsoft\\Edge\\User Data\\Default\\Login Data\r\nElements %LocalAppData%\\Elements Browser\\User Data\\Default\\Login Data\r\nEpic %LocalAppData%\\Epic Privacy Browser\\User Data\\Default\\Login Data\r\nFirefox %AppData%\\Mozilla\\Firefox\\Profiles\\logins.json\r\nGhost Browser %LocalAppData%\\GhostBrowser\\User Data\\Default\\Login Data\r\nIceCat %AppData%\\Mozilla\\icecat\\Profiles\\logins.json\r\nIceDragon %AppData%\\Comodo\\IceDragon\\Profiles\\logins.json\r\nIridium 
%LocalAppData%\\Iridium\\User Data\\Default\\Login Data\r\nKinza %LocalAppData%\\Kinza\\User Data\\Default\\Login Data\r\nKometa %LocalAppData%\\Kometa\\User Data\\Default\\Login Data\r\nLiebao %LocalAppData%\\Liebao7\\User Data\\Default\\EncryptedStorage\r\nNichrome %LocalAppData%\\Nichrome\\User Data\\Default\\Login Data\r\nOpera %AppData%\\Opera Software\\Operate Stable\\Login Data\r\nOpera %AppData%\\Opera\\Opera\\profile\\wand.dat\r\nOrbitum %LocalAppData%\\Orbitum\\User Data\\Default\\Login Data\r\nPale Moon %AppData%\\Moonchild Productions\\Pale Moon\\Profiles\\logins.json\r\nQIP Surf %LocalAppData%\\QIP Surf\\User Data\\Default\\Login Data\r\nQQBrowser %LocalAppData%\\Tencent\\QQBrowser\\User Data\\Default\\Login Data\r\nSalamWeb %LocalAppData%\\SalamWeb\\User Data\\Default\\Login Data\r\nSeaMonkey %AppData%\\Mozilla\\SeyMonkey\\Profiles\\logins.json\r\nSleipnir %AppData%\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer\\Default\\Login Data\r\nSlimBrowser %AppData%\\FlashPeak\\SlimBrowser\\Profiles\\logins.json\r\nSlimjet %LocalAppData%\\Slimjet\\User Data\\Default\\Login Data\r\nSputnik %LocalAppData%\\Sputnik\\Sputnik\\User Data\\Default\\Login Data\r\nSuperBird %LocalAppData%\\SuperBird\\User Data\\Default\\Login Data\r\nTorch %LocalAppData%\\Torch\\User Data\\Default\\Login Data\r\nUC Browser %LocalAppData%\\UCBrowser\\User Data_i18n\\Default\\UC Login Data.18\r\nUran %LocalAppData%\\uCozMedia\\Uran\\User Data\\Default\\Login Data\r\nVivaldi %LocalAppData%\\Vivaldi\\User Data\\Default\\Login Data\r\nWaterfox %AppData%\\Waterfox\\Profiles\\logins.json\r\nXpom %LocalAppData%\\Xpom\\User Data\\Default\\Login Data\r\nXvast %LocalAppData%\\Xvast\\User Data\\Default\\Login Data\r\nYandex %LocalAppData%\\Yandex\\YandexBrowser\\User Data\\Default\\Ya Login Data\r\nApplications and their credential databases from which Snake can steal credentials\r\nIn 
addition to communication platforms, FTP clients, email clients, and web browsers, Snake can steal saved credentials of\r\nwireless networks. To do this, Snake first invokes the netsh wlan show profile command to list existing wireless network\r\nprofiles and then retrieves the profile names from the command output.\r\nWireless network profiles are sets of network settings that include saved credentials. Snake then invokes the netsh wlan\r\nshow profile name=\"%name%\" key=clear command for each profile, where %name% is the profile name, and retrieves from\r\nthe command output the unencrypted saved password stored as part of the profile.\r\nThe Snake malware can steal the Product Key of the Windows instance on which the malware runs. To do this, Snake\r\nretrieves and decodes the registry value HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductID.\r\nThe credential databases of the communication platforms, FTP clients, email clients, and web browsers that Snake targets\r\ntypically store credentials in encrypted form. Snake decrypts credentials, stores the decrypted credentials in a variable, and\r\nexfiltrates the credentials as we describe in the Data Exfiltration section. Most of the web browsers from which Snake steals\r\ncredentials store credentials either in Login Data files (primarily used by Chromium-based browsers) or logins.json files\r\n(primarily used by Gecko-based browsers).\r\nLogin Data files are SQLite databases. These databases have a logins table that stores credential-protected Uniform\r\nResource Locators (URLs) in the origin_url field, and the saved usernames and passwords for the URLs in the\r\nusername_value and password_value fields, respectively. The passwords are encrypted. Recent versions of Chromium-based\r\nbrowsers encrypt saved passwords with a symmetric Advanced Encryption Standard (AES)-256 encryption key. 
\r\nThe browsers store the AES key in an encrypted form on the file system, in a Local State file placed in the\r\n%LocalAppData% directory, for example, %LocalAppData%\\Google\\Chrome\\User Data\\Local State. Browsers encrypt the\r\nAES key using the Microsoft Data Protection Application Programming Interface (DPAPI) encryption mechanism, which\r\nsupports two data protection (encryption) scopes: i) user, which encrypts data using a user-specific encryption key such that\r\nonly a specific logged in user can decrypt the data, and ii) machine, which encrypts data using a machine-specific encryption\r\nkey such that any user logged in to a specific machine can decrypt the data. Older versions of Chromium-based browsers do\r\nnot use AES to encrypt saved passwords, but encrypt saved passwords directly using the DPAPI mechanism in user\r\nprotection scope.\r\nThe Snake malware can decrypt passwords that a Chromium-based browser has encrypted either directly using DPAPI or with an AES\r\nkey:\r\nSnake decrypts passwords by using DPAPI in user protection scope and invoking the CryptUnprotectData\r\nfunction.\r\nSnake first decrypts an AES encryption key stored in a Local State file by using DPAPI in user protection\r\nmode and invoking the ProtectedData.Unprotect function, and then decrypts the saved password by using the\r\nAES encryption key and invoking the BCryptDecrypt function:\r\nThe Snake malware decrypts passwords stored in a Login Data file\r\nThe logins.json files are JavaScript Object Notation (JSON)-formatted files that store encrypted usernames in the\r\nencryptedUsername field and encrypted passwords in the encryptedPassword field. Gecko-based browsers encrypt saved\r\nusernames and passwords using the Triple-DES algorithm. 
\r\nMozilla’s Network Security Services (NSS) library implements the PK11SDR_Decrypt function that decrypts credentials\r\nencrypted by Gecko-based browsers:\r\nThe Snake malware decrypts credentials stored in a logins.json file\r\nThe Snake malware decrypts credentials that logins.json files store as follows:\r\n1. Snake locates and loads the dynamic-link library (DLL) file that implements the NSS library, nss3.dll, and initializes\r\nNSS by invoking the NSS_Init function.\r\n2. Snake searches for nss3.dll in multiple locations in the %ProgramFilesX86% and %ProgramFiles% directories.\r\n3. Snake decrypts encrypted usernames and passwords by invoking the PK11SDR_Decrypt function.\r\n4. Snake shuts down the NSS library by invoking the NSS_Shutdown function.\r\nData Exfiltration\r\nSnake can exfiltrate logged keystrokes and stolen credentials, clipboard data, and screenshots using the following protocols:\r\nFTP: Snake logs into an attacker-controlled FTP server and issues the STOR command to upload the stolen\r\ndata to the server. Snake stores the uploaded data on the FTP server in:\r\na file with the file name extension .txt and a name that contains Passwords ID, keystroke Logs ID, or\r\nClipboard Logs ID, when the data is credentials, logged keystrokes, or clipboard data, respectively.\r\na file with the file name extension .png and a name that contains Screenshot Logs ID, when the data is\r\na screenshot.\r\nSMTP: Snake logs into an attacker-controlled SMTP server, and then composes and sends to a malicious\r\nemail address an email message that has attachments. The attachments store the stolen data. 
The attachments are files:\r\nwith the file name Clipboard.txt or Keystrokes.txt, when the stolen data is clipboard data or logged keystrokes, respectively;\r\nwith the file names Passwords.txt and User.txt, when the stolen data is credentials, that is, passwords and usernames, respectively;\r\nwith the file name Screenshot.png, when the stolen data is a screenshot.\r\nTelegram/HyperText Transfer Protocol Secure (HTTPS): Snake issues a POST request to the Telegram endpoint api.telegram.org to send a document to an attacker-controlled Telegram chat. The document contains the stolen data. The document has the file name Clipboard.txt, Screenshot.png, SnakeKeylogger.txt, or SnakePW.txt, when the data is clipboard data, a screenshot, logged keystrokes, or credentials, respectively.\r\nSnake can exfiltrate logged keystrokes, screenshots, clipboard data, and credentials at a regular, timed interval:\r\nThe Snake malware exfiltrates stolen credentials through SMTP\r\nCybereason Detects and Prevents Snake Malware\r\nThe Cybereason Defense Platform is able to detect and prevent the execution of the Snake malware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities:\r\nThe Cybereason Defense Platform detects and blocks Snake malware\r\nCybereason GSOC MDR Recommendations\r\nThe Cybereason GSOC recommends the following:\r\nEnable the Anti-Malware feature on the Cybereason NGAV and enable the Detect and Prevent modes of this feature.\r\nSecurely handle email messages that originate from external sources. 
This includes disabling hyperlinks and investigating the content of email messages to identify phishing attempts.\r\nUse secure passwords, regularly rotate passwords, and use multi-factor authentication where possible.\r\nRegularly monitor outgoing network traffic for data exfiltration activities.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats. To find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here.\r\nFor Cybereason customers: More details are available on the NEST, including custom threat hunting queries for detecting this threat.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere.\r\nSchedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nMITRE ATT\u0026CK Techniques\r\nInitial Access: Phishing: Spearphishing Attachment\r\nExecution: User Execution: Malicious File\r\nPersistence: Scheduled Task/Job: Scheduled Task; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nDefense Evasion: Indicator Removal on Host: File Deletion; Modify Registry; Impair Defenses: Disable or Modify Tools; Impair Defenses: Disable or Modify System Firewall\r\nCredential Access: Unsecured Credentials: Credentials In Files; Unsecured Credentials: Credentials in Registry\r\nDiscovery: File and Directory Discovery; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Time Discovery\r\nCollection: Clipboard Data; Data from Local System; Input Capture: Keylogging; Screen Capture\r\nExfiltration: Automated Exfiltration; Exfiltration Over Alternative Protocol; Scheduled Transfer\r\nAbout the Researchers:\r\nAleksandar Milenkoski, Senior Threat and Malware Analyst, Cybereason Global SOC\r\nAleksandar Milenkoski is a Senior Threat and Malware Analyst with the Cybereason Global SOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security. Prior to Cybereason, his work focused on research in intrusion detection and reverse engineering security mechanisms of the Windows 10 operating system.\r\nBrian Janower, Security Analyst, Cybereason Global SOC\r\nBrian Janower is a Security Analyst with the Cybereason Global SOC (GSOC) team. He is involved in malware analysis and triages security incidents effectively and precisely. Brian has a deep understanding of the malicious operations prevalent in the current threat landscape. He is in the process of obtaining a Bachelor of Science degree in Systems Information \u0026 Cyber.\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. 
Led by cybersecurity experts with experience working for government, the military, and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware\r\nBrowser credential file locations (table from page 19 of the report):\r\nCentBrowser: %LocalAppData%\\CentBrowser\\User Data\\Default\\Login Data\r\nChedot: %LocalAppData%\\Chedot\\User Data\\Default\\Login Data\r\nChrome: %LocalAppData%\\Google\\Chrome\\User Data\\Default\\Login Data\r\nChrome Canary: %LocalAppData%\\Google\\Chrome SxS\\User Data\\Default\\Login Data\r\nChromePlus: %LocalAppData%\\MapleStudio\\ChromePlus\\User Data\\Default\\Login Data\r\nChromium: %LocalAppData%\\Chromium\\User Data\\Default\\Login Data\r\nCitrio: %LocalAppData%\\CatalinaGroup\\Citrio\\User Data\\Default\\Login Data\r\nCoc Coc: %LocalAppData%\\CocCoc\\Browser\\User Data\\Default\\Login Data\r\nComodo Dragon: %LocalAppData%\\Comodo\\Dragon\\User Data\\Default\\Login Data\r\nCoowon: %LocalAppData%\\Coowon\\Coowon\\User Data\\Default\\Login Data\r\nCyberfox: %AppData%\\8pecxstudios\\Cyberfox\\Profiles\\logins.json\r\nEdge: %LocalAppData%\\Microsoft\\Edge\\User Data\\Default\\Login Data\r\nElements: %LocalAppData%\\Elements Browser\\User Data\\Default\\Login Data\r\nEpic: %LocalAppData%\\Epic Privacy Browser\\User Data\\Default\\Login Data\r\nFirefox: %AppData%\\Mozilla\\Firefox\\Profiles\\logins.json\r\nGhost Browser: %LocalAppData%\\GhostBrowser\\User Data\\Default\\Login Data\r\nIceCat: %AppData%\\Mozilla\\icecat\\Profiles\\logins.json",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware"
	],
	"report_names": [
		"threat-analysis-report-snake-infostealer-malware"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434540,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb95908e7da43eda77201d64e1ea8493ad06c651.pdf",
		"text": "https://archive.orkl.eu/bb95908e7da43eda77201d64e1ea8493ad06c651.txt",
		"img": "https://archive.orkl.eu/bb95908e7da43eda77201d64e1ea8493ad06c651.jpg"
	}
}