{
	"id": "d3fdc4c0-76a4-4b5e-98ee-13131c4dd3a3",
	"created_at": "2026-04-06T00:11:07.833969Z",
	"updated_at": "2026-04-10T03:37:08.65253Z",
	"deleted_at": null,
	"sha1_hash": "bff31936868336cb88609533858299e3b9eca1ac",
	"title": "New Agent Tesla Variant Being Spread by Crafted Excel Document | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2374555,
	"plain_text": "New Agent Tesla Variant Being Spread by Crafted Excel Document\r\n| FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2023-09-05 · Archived: 2026-04-05 15:29:58 UTC\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Collects sensitive information from a victim’s computer\r\nSeverity level: Critical\r\nOur FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known\r\nmalware family uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access. It is often\r\nused for Malware-as-a-Service (MaaS).\r\nI performed an in-depth analysis of this campaign, from the initial phishing email to the actions of Agent Tesla\r\ninstalled on the victim’s machine to the collection of sensitive information from the affected device. In this\r\nanalysis, you will learn about the contents of this attack, such as how the phishing email starts the campaign, how\r\nthe CVE-2017-11882/CVE-2018-0802 vulnerability (and not the VBS macro) is exploited to download and\r\nexecute the Agent Tesla file on the victim’s device, as well as how Agent Tesla collects sensitive data from the\r\nvictim’s device, such as credentials, keylogging data, and screenshots of the victim’s screen.\r\nDespite fixes for CVE-2017-11882/CVE-2018-0802 being released by Microsoft in November 2017 and January\r\n2018, this vulnerability remains popular amongst threat actors, suggesting there are still unpatched devices in the\r\nwild, even after over five years. We are observing and mitigating 3000 attacks per day at the IPS level. 
The\r\nnumber of observed vulnerable devices is around 1300 per day.\r\nPhishing Email\r\nhttps://www.fortinet.com/blog/threat-research/agent-tesla-variant-spread-by-crafted-excel-document\r\nPage 1 of 18\n\nFigure 1.1: The captured phishing email\r\nThe phishing email is disguised as a Purchase Order notification, shown in Figure 1.1, that asks the recipient to\r\nconfirm an order from an industrial equipment supplier company. An Excel document is attached to this email\r\ncalled “Order 45232429.xls”.\r\nCVE-2017-11882/CVE-2018-0802 Exploited by the Excel Document\r\nThe attached Excel document is in OLE format. It contains crafted equation data that exploits the\r\nCVE-2017-11882/CVE-2018-0802 vulnerability to execute a malicious shellcode.\r\nFigure 2.1: The content of the Excel file\r\nOpening the attached Excel document displays a deceptive message to the user (Figure 2.1). Meanwhile, the\r\nshellcode inside the crafted equation data is secretly executed.\r\nCVE-2017-11882/CVE-2018-0802 is an RCE (remote code execution) vulnerability that results in memory\r\ncorruption inside the EQNEDT32.EXE process when it parses the crafted equation data. 
This can\r\nlead to arbitrary code execution.\r\nFigure 2.2 shows the Excel document parsed in an OLE compound reader, where the equation data is inside the\r\nstream “\\x01Ole10NativE” under the storage folder “MBD0057E612”.\r\nFigure 2.2: The equation content inside the OLE Excel document\r\nOnce the crafted Excel document is opened, the malicious equation data is parsed automatically by an MS Office\r\nprocess called “EQNEDT32.EXE.” This triggers the CVE-2017-11882/CVE-2018-0802 vulnerability, and the\r\nmalicious shellcode inside the equation data is executed in the background.\r\nFigure 2.3: The shellcode about to execute in the vulnerable EQNEDT32.EXE process\r\nIn Figure 2.3, we can see that the crafted equation data overwrites the stack of EQNEDT32.EXE and makes it\r\njump twice (through the fixed addresses of 0x450650 and 0x44C329) to the shellcode at 0x33C006C (in the\r\nstack).\r\nAfter self-decryption, we observe that the shellcode’s main job is downloading and executing an additional\r\nmalware file from the URL “hxxp://23[.]95.128.195/3355/chromium.exe”. To do this, it calls several APIs, such as\r\nURLDownloadToFileW(), to download the malware to a local folder, and ShellExecuteW() to run the malware on\r\nthe victim’s device. 
In Figure 2.4, we can see that the shellcode is about to call the API URLDownloadToFileW()\r\nto download the malware to a local file saved as “dasHost.exe” under the “%TEMP%” folder.\r\nFigure 2.4: Calling the API to download the malware\r\nA Look into the Downloaded File\r\nThe downloaded file (“dasHost.exe”) is a .Net program protected by two packers, IntelliLock and .NET Reactor.\r\nFigure 3.1 displays the EntryPoint function of the downloaded file inside dnSpy, where the assembly name of the\r\nfile is “Nvgqn7x”. As you may have noticed, all the names of the namespaces, classes, methods, and variables are\r\nthoroughly obfuscated.\r\nFigure 3.1: The EntryPoint function of the obfuscated downloaded file\r\nThere are resource files inside the downloaded file’s .Net Resources section. The downloaded file (“dasHost.exe”)\r\nextracts two fileless execution modules from the .Net Resources section. One is the payload module of Agent\r\nTesla, and the other is a Loader module for the Agent Tesla payload.\r\nFigure 3.2: The .Net Resources section of the downloaded file\r\nFigure 3.2 shows all the resources in the .Net Resources section. 
According to my analysis, the resource\r\n\"rTMIRNhcvIYnT8lMa6.UJQcCvWAsvT8GV6hyn.resources\" is the encoded Loader module, whose assembly\r\nname is “Cassa.” The resource \"FinalProject.Resources\" is the encrypted and compressed Agent Tesla payload\r\nmodule, whose assembly name is “NyZELH bX.” It gets decrypted, decompressed, and loaded as a module in the\r\n“DeleteMC()” function of the Loader module, as shown in Figure 3.3.\r\nFigure 3.3: Loader “Cassa”’s DeleteMC() function\r\nAs you may have noticed, the resource is disguised as a Bitmap, with the payload mixed into its pixel data.\r\nBitmap.GetPixel() and Color.FromArgb() are the two APIs called to read the payload bytes out of the resource. It\r\nthen goes through decryption and gzip decompression to restore the payload file, which is loaded as an executable\r\nmodule by calling the AppDomain.CurrentDomain.Load() method. Finally, the payload file’s “EntryPoint”\r\nfunction is invoked from the Loader module (“Cassa”).\r\nAgent Tesla Payload Module \u0026 Process Hollowing\r\nThe payload module is a .Net program and is fully obfuscated. Fortunately, I managed to have it de-obfuscated\r\nusing several analysis tools.\r\nAs with most malware, the developers run the malware’s core module in a separate process. This is a common\r\nprotection strategy to increase the malware's chance of survival on the victim's device.\r\nThe primary function (other than persistence) of the payload is to perform the process hollowing and then place\r\nanother decrypted executable file—sourced from a separate resource (called “7gQsJ0ugxz.resources”) within the\r\npayload file—onto the hollowed process and execute it. 
In this analysis, I call this decrypted executable file the\r\ncore module of Agent Tesla.\r\nFigure 4.1: APIs to perform Process Hollowing\r\nFigure 4.1 contains the key APIs the payload module invokes to perform the process hollowing. It invokes\r\nCreateProcess() to create a suspended process of “dasHost.exe.” Next, it allocates memory in this process via the\r\nAPI VirtualAllocEx() for the core module. Then WriteProcessMemory() is invoked numerous times to copy the\r\ncore module, saved in the array variable byte_1, into the new process. It finally calls the APIs SetThreadContext()\r\nand ResumeThread() to resume the suspended process so that it executes the core module of Agent Tesla.\r\nAfter that, the payload module exits by calling Environment.Exit() in the Loader module’s DeleteMC() (refer to\r\nFigure 3.3).\r\nPersistence\r\nTo persist in collecting the victim’s sensitive data, even if the affected system is restarted or the Agent Tesla\r\nprocess is killed, it does the following two things.\r\n1. TaskScheduler\r\nInside the payload module, it executes a command to create a task in the system TaskScheduler. The command in\r\nmy analysis environment is \"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\kCqKCO\" /XML\r\n\"C:\\Users\\Bobs\\AppData\\Local\\Temp\\tmp68E9.tmp,\" where \"Updates\\kCqKCO\" is the task name and \"/XML\"\r\nspecifies that the task is created from the XML file given as the following parameter (i.e. tmp68E9.tmp). 
Figure\r\n5.1 shows the details of the XML content, where the file “C:\\Users\\Bobs\\AppData\\Roaming\\kCqKCO.exe” is a\r\ncopy of the downloaded “dasHost.exe.” The task is set to start at the victim’s logon.\r\nFigure 5.1: Creating a task inside the system TaskScheduler\r\n2. Auto-run in the system registry\r\nFigure 5.2: Auto-run item in the system registry\r\nThe core module adds an auto-run item in the system\r\nregistry pointing to “C:\\Users\\Bobs\\AppData\\Roaming\\sOFvE\\sOFvE.exe” (shown in Figure 5.2). It is another copy of\r\n“dasHost.exe” that is launched automatically at system startup.\r\nStealing Sensitive Information from the Victim\r\nThe Agent Tesla core module collects sensitive information from the victim’s device. This information includes\r\ncredentials saved by various software, the victim’s keylogging information, and screenshots of the victim’s\r\ndevice.\r\nStealing credentials\r\nFigure 6.1: Web browser information from which Agent Tesla steals credentials\r\nIt steals saved credentials from specified software installed on the victim’s device, including web browsers, email\r\nclients, FTP clients and more.\r\nBased on their features, the affected software can be categorized as below:\r\nWeb Browsers:\r\n\"Opera Browser\", \"Yandex Browser\", \"Iridium Browser\", \"Chromium\", \"7Star\", \"Torch Browser\", \"Cool Novo\",\r\n\"Kometa\", \"Amigo\", \"Brave\", \"CentBrowser\", \"Chedot\", \"Orbitum\", \"Sputnik\", \"Comodo Dragon\", \"Vivaldi\",\r\n\"Citrio\", \"360 Browser\", \"Uran\", \"Liebao Browser\", \"Elements Browser\", \"Epic Privacy\", \"Coccoc\", \"Sleipnir 
6\",\r\n\"QIP Surf\", \"Coowon\", \"Chrome\", \"Flock Browser\", \"QQ Browser\", \"IE/Edge\", \"Safari\", \"UC Browser\", \"Falkon Browser\".\r\nEmail clients:\r\n\"Outlook\", \"ClawsMail\", \"IncrediMail\", \"FoxMail\", \"eM Client\", \"Opera Mail\", \"PocoMail\", \"Windows Mail App\", \"Mailbird\", \"The Bat!\", \"Becky!\", \"Eudora\".\r\nFTP clients:\r\n\"Flash FXP\", \"WS_FTP\", \"FTPGetter\", \"SmartFTP\", \"FTP Navigator\", \"FileZilla\", \"CoreFTP\", \"FtpCommander\",\r\n\"WinSCP\".\r\nVPN clients:\r\n\"NordVPN\", \"Private Internet Access\", \"OpenVPN\".\r\nIM clients:\r\n\"Discord\", \"Trillian\", \"Psi/Psi+\".\r\nOthers:\r\n\"Mysql Workbench\", \"\\Microsoft\\Credentials\\\", \"Internet Download Manager\", \"JDownloader\".\r\nKeylogging\r\nAgent Tesla calls the API SetWindowsHookEx() to set a keyboard hook to monitor low-level input events.\r\nFigure 6.2: Set hook procedure to log keystrokes\r\nIn Figure 6.2, the callback hook procedure “this.EiqpViCm9()” is called whenever the victim is typing on their\r\ndevice. From time to time, Agent Tesla records the program title, the time, and the victim’s keyboard input into a local file\r\n“%Temp%/log.tmp”.\r\nIt also has a method called by a Timer every 20 minutes to check the “log.tmp” file and submit its content via\r\nSMTP.\r\nRecording screenshots\r\nIn the core module, Agent Tesla sets another Timer with a 20-minute interval. Its Timer function checks for any activity on the device and determines whether to record a screenshot and submit\r\nit. 
To do this, it calls the API GetLastInputInfo() to retrieve the time of the last input event received by the system\r\nand compares it with the current time.\r\nThe following pseudo-code snippet illustrates how Agent Tesla captures a screenshot.\r\nbitmap = new Bitmap(bounds.Width, Screen.PrimaryScreen.Bounds.Height);\r\nencoderParameters = new EncoderParameters(1);\r\nencoder = 25Tl1j7fiou.KIOsJnSv3(ImageFormat.Jpeg);\r\nEncoderParameter encoderParameter = new EncoderParameter(Encoder.Quality, (long)Convert.ToInt32(60L));\r\nencoderParameters.Param[0] = encoderParameter;\r\ngraphics = Graphics.FromImage(bitmap);\r\ngraphics.CopyFromScreen(new Point(0, 0), new Point(0, 0), blockRegionSize);\r\nbitmap.Save(memoryStream, encoder, encoderParameters);\r\nThe “memoryStream” variable holds the screenshot in JPEG format.\r\nSubmitting Sensitive Data via SMTP\r\nAgent Tesla provides multiple ways to submit the stolen data, such as using the HTTP POST method or as the\r\nbody of an email over SMTP. This variant chooses to submit the data collected from the victim’s device as\r\nemail over SMTP. The SMTP server address and port hardcoded in the variant are \"mail.daymon.cc\" and 587.\r\nFigure 7.1 shows the malware about to call the smtpClient.Send() function to submit credentials data. The email\r\nsubject starts with the keyword “PW_” followed by the User name/Computer name for credentials data.\r\nFigure 7.1: Submitting stolen credentials in an email\r\nThe email body is formatted in HTML. Figure 7.2 shows it rendered as HTML in a\r\nbrowser.\r\nFigure 7.2: Example of stolen credentials\r\nFigure 7.3: Example of the information that the keylogger collected\r\nThe email’s subject is “KL_{User name/Computer name},” where KL is short for keylogger, and the email body\r\nis the collected keylogging data. 
As displayed in Figure 7.3, the email body includes the records of my keystrokes\r\ntyped in a Notepad titled “Untitled - Notepad.”\r\nThe captured screenshot is kept in a variable and added as an email attachment when submitted to the attacker.\r\nFigure 7.4 shows the malware about to add the screenshot data to the email as an attachment. The email subject format for\r\nscreenshots is “SC_{User name/Computer name},” and the email body is just the basic information about the\r\nvictim’s device.\r\nFigure 7.4: Example of submitting victim’s screenshot\r\nSummary\r\nThe following flowchart roughly describes the outline of the malicious campaign.\r\nThis analysis shows that a malicious Excel document attached to a phishing email exploits an aging security\r\nvulnerability to execute a shellcode that downloads Agent Tesla. It keeps relevant modules encrypted and encoded\r\nin the Resource section to protect its core module from being analyzed.\r\nI then explained how this variant establishes persistence on the victim’s device. 
I also showed the kind of software\r\nand data Agent Tesla is able to steal from the infected device, including credentials, keylogging data, and active\r\nscreenshots.\r\nLastly, I provided several examples of the kind of sensitive data this variant of Agent Tesla obtained from my\r\nanalysis environment and how this stolen sensitive data is submitted to the attacker via emails over SMTP\r\nprotocol.\r\nFortinet Protections\r\nFortinet customers are already protected from this campaign with FortiGuard’s AntiSPAM, Web Filtering, and\r\nAntiVirus services as follows:\r\nThe download URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nFortiMail has recognized the phishing email as SPAM.\r\nFortiGuard Antivirus service detects the attached Excel document and the downloaded file with AV signatures\r\n“MSExcel/CVE_2017_11882.EQMA!exploit” and “MSIL/AgentTesla.BEDA!tr”.\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard\r\nAntiVirus engine is a part of each of those solutions. 
As a result, customers who have these products with up-to-date protections are protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious equation data inside\r\nthe Excel document.\r\nWe also suggest our readers go through the free NSE training: NSE 1 – Information Security Awareness, a module\r\non Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global\r\nFortiGuard Incident Response Team.\r\nIOCs\r\nURLs:\r\nHxxp[:]//23[.]95.128.195/3355/chromium.exe\r\nC2 Server List:\r\nSMTP server @ mail.daymon.cc:587\r\nRelevant Sample SHA-256:\r\n[Order 45232429.xls]\r\nFDC04DC72884F54A4E553B662F1F186697DAF14EF8A2DC367BC584D904C22638\r\n[chromium.exe / dasHost.exe / downloaded file]\r\n36B17C4534E34B6B22728DB194292B504CF492EF8AE91F9DDA7702820EFCFC3A\r\nSource: https://www.fortinet.com/blog/threat-research/agent-tesla-variant-spread-by-crafted-excel-document",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/agent-tesla-variant-spread-by-crafted-excel-document"
	],
	"report_names": [
		"agent-tesla-variant-spread-by-crafted-excel-document"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434267,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bff31936868336cb88609533858299e3b9eca1ac.pdf",
		"text": "https://archive.orkl.eu/bff31936868336cb88609533858299e3b9eca1ac.txt",
		"img": "https://archive.orkl.eu/bff31936868336cb88609533858299e3b9eca1ac.jpg"
	}
}