{
	"id": "0b1c1d61-6ea7-40b3-97f2-41ebfd9bfef8",
	"created_at": "2026-04-06T00:14:10.797383Z",
	"updated_at": "2026-04-10T03:37:09.161897Z",
	"deleted_at": null,
	"sha1_hash": "c264707a4d52f1399bad9362bcfaafa90c4ae1dd",
	"title": "Let’s play (again) with Predator the thief",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2994459,
	"plain_text": "Let’s play (again) with Predator the thief\r\nPublished: 2019-12-25 · Archived: 2026-04-05 17:30:43 UTC\r\nWhenever I reverse a sample, I am mostly interested in how it was developed. Even if in the end the techniques employed are generally the same, I am always curious about the way a task was achieved, or simply want to understand the philosophy behind a piece of code. It is a nice way to spot trends and to discover (sometimes) new tricks that you never knew were possible. This is one of the main reasons I love digging into stealers/clippers: they are accessible to reverse, and malware analysis becomes a kind of game (with some exceptions, like Nymaim, which is literally hell).\r\nIt has been a year and a half now since I started looking into “Predator The Thief”, and this malware has evolved over time, both in the content added and in its code structure. This impression may differ from others’ in terms of the stealing tasks performed, but compared with my first in-depth analysis, the code has changed too much not to write another post on it.\r\nThis one focuses on some major aspects of the 3.3.2 version but will not explain everything (some details have already been covered in other papers, and some subjects are well known). From time to time I will also add some extra commentary about malware analysis in general.\r\nAnti-Disassembly\r\nWhen you open an unpacked binary in IDA or another disassembler such as Ghidra, a fair amount of code is not interpreted correctly, which leads to rubbish code, the inability to build instructions, or the graph view refusing to render. 
Behind this, it’s obvious that an anti-disassembly trick is used.\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 1 of 44\n\nThe technique used here is known and used in the wild by other malware. It requires only a few opcodes and ends with the creation of a false branch. In this case, it begins with a simple xor of a register with itself, which sets the zero flag, so the JZ that follows is always taken; at this stage it is already understandable that something suspicious is going on. The byte right after the jump is 0xB8, the opcode of a 5-byte MOV instruction (mov eax, imm32). A linear disassembler takes it as the next instruction to decode and swallows the following four bytes as its immediate, while the correct opcode (0xE8, a call) is in fact hidden inside that fake instruction. By following the wrong path, the malicious tasks stay hidden.\r\nOf course, fixing this is simple and takes only a few seconds. In IDA, for example, you undefine the MOV instruction with the keyboard shortcut “U”, which produces this pattern.\r\nThen skip the 0xB8 byte and press “C” at the 0xE8 position, to tell the disassembler to start interpreting an instruction at this point.\r\nReplacing the 0xB8 opcode with 0x90 in a hex editor fixes the issue. 
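The manual patch described above can also be scripted. The following is an added example, not code from the original post: it scans a code buffer for the sequence xor reg,reg / jz +1 / 0xB8 and replaces the 0xB8 byte with a NOP (0x90), which is safe because the xor forces the jump to be taken and the byte is never executed. The sample bytes are constructed for the demo; the post does not give the exact encoding used by Predator, so the xor and call encodings here are assumptions.

```python
# Added example, not from the original post: scripted fix for the
# xor / jz / 0xB8 false-branch trick described above.
from typing import List, Tuple

XOR_OPCODES = (0x31, 0x33)            # xor r/m32, r32  and  xor r32, r/m32
# ModRM bytes with mod=11 and reg == rm, i.e. xor eax,eax ... xor edi,edi
SAME_REG_MODRM = {0xC0, 0xC9, 0xD2, 0xDB, 0xE4, 0xED, 0xF6, 0xFF}
JZ_SHORT = 0x74
MOV_EAX_IMM32 = 0xB8                  # 5-byte instruction: swallows the next 4 bytes
NOP = 0x90


def find_fake_branches(code: bytes) -> List[int]:
    '''Return offsets of every 0xB8 byte that sits right after  xor reg,reg ; jz +1 .

    The xor forces ZF=1, so the jz is always taken and skips exactly one byte:
    the 0xB8 is never executed, it only exists to derail a linear disassembler.
    '''
    hits = []
    for i in range(len(code) - 4):
        if (code[i] in XOR_OPCODES and code[i + 1] in SAME_REG_MODRM
                and code[i + 2] == JZ_SHORT and code[i + 3] == 0x01
                and code[i + 4] == MOV_EAX_IMM32):
            hits.append(i + 4)
    return hits


def patch_fake_branches(code: bytes) -> Tuple[bytes, List[int]]:
    '''Replace each bogus 0xB8 with NOP. Behaviour is unchanged because the byte
    is dead (always jumped over), but the disassembler now decodes what follows.'''
    buf = bytearray(code)
    offsets = find_fake_branches(code)
    for off in offsets:
        buf[off] = NOP
    return bytes(buf), offsets


# Constructed sample, not bytes from the real binary (the post does not give them).
SAMPLE = bytes.fromhex(
    '55 8b ec'          # push ebp ; mov ebp, esp
    '31 c0'             # xor eax, eax        -> ZF = 1
    '74 01'             # jz +1               -> always taken, lands on the call
    'b8'                # bogus MOV opcode: a linear sweep reads e8 10 00 00 00 as imm32
    'e8 10 00 00 00'    # the real instruction: call rel32
    'c9 c3'             # leave ; ret
)

if __name__ == '__main__':
    patched, offsets = patch_fake_branches(SAMPLE)
    print('patched offsets:', [hex(o) for o in offsets])
    print(patched.hex(' '))
```

The pattern is deliberately strict (same-register xor, a one-byte forward jz, then 0xB8); a bare 0xB8 after any jump is a legitimate mov far too often to patch blindly, so widen the match only after confirming each hit in the disassembler.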
Opening the patched PE again, you will see that IDA is now able to display the graph mode.\r\nAfter patching it, there are still some parts that the disassembler can’t parse correctly, but after reading some of the code locations, some of them are correct, so if you want to create a function, you can select the “loc” and press “P” to create a sub-function. Of course, this action could lead to something irreversible if you are not sure about what you are doing, forcing you to restart the whole process of removing the anti-disassembly tricks, so it should only be done as a last resort.\r\nCode Obfuscation\r\nWhenever you are analyzing Predator, you know that you will have to deal with obfuscation tricks almost everywhere, there just to slow down your code analysis. Of course, they are not complicated to assimilate, but as always, simple tricks used at their finest can turn a fun afternoon into literally “welcome to Dark Souls”.\r\nThe concept was already there in the first in-depth analysis of this malware, and the idea remains over and over with further updates on it. 
The only differences are easy to guess:\r\nMore layers of obfuscation have been added\r\nTechniques already used have just been adjusted\r\nA bigger dose of randomness\r\nFrom a reversing point of view, I consider this part one of the main ways to recognize this stealer. Of course, you can add network communication and the C\u0026C pattern as other ways to identify it, but inspecting the code is one way to clear up doubts (and I understand that this statement does not hold for every malware). The idea is that nowadays it is incredibly easy to make mistakes by being duped by rules or tags on sandboxes, because of similarities based on code sharing, or simply because of deliberate false flags.\r\nGetModuleAddress\r\nAlready present in the previous analysis, recreating GetProcAddress is a popular trick to hide an API call behind a simple register call. Over the updates, the main idea is still there, but the main procedures have been modified, reworked or slightly optimized.\r\nFirst of all, the PEB retrieval is easily recognized by spotting fs:[0x30] behind some extra instructions. From it, the loader data (Ldr) is requested for two things:\r\nGetting the InLoadOrderModuleList pointer\r\nGetting the InMemoryOrderModuleList pointer\r\nFor those unfamiliar with this, PEB_LDR_DATA is the structure where all the information related to the loaded modules of the process is stored.\r\nThen a loop performs a basic search on every entry of the module list, in “memory order”, retrieving the module name and computing a hash of it; the hash is compared with a hardcoded, obfuscated hash of the kernel32 module. If it matches, the module base address is saved; if not, the process is repeated with the next entry.\r\nThe XOR kernel32 hashes compared with the one 
created\r\nNowadays, hashing function or module names is something you can see in many other malware families; the purposes are multiple, and it is one of the ways to hide actions. An example of this code behavior can easily be found on the internet and, as I said above, this one is popular and already used.\r\nGetProcAddress / GetLoadLibrary\r\nAlways following GetModuleAddress, the code recreating GetProcAddress is, in terms of concept, by far the same architecture as in v2. If the function is forwarded, it basically performs a recursive call of itself: it gets the forwarder string, checks whether the target library is loaded, then calls GetProcAddress again with the new values.\r\nXor everything\r\nIt is almost unnecessary to talk about it, but as this is an in-depth analysis, if you have never read the other article before it is always worth saying a few words on the subject (as a reminder). XOR encryption is a common cipher that only requires a rudimentary implementation to be effective:\r\nOnly one operator is used (XOR)\r\nIt does not consume resources\r\nIt can be used as a component of other ciphers\r\nThis one is extremely popular in malware and the goal is not really to produce strong encryption, because it is ridiculously easy to break most of the time; it is used for hiding information or keywords that could trigger alerts, rules…\r\nCommunication between host \u0026 server\r\nHiding strings\r\nOr… simply as an absurd step for obfuscating the code\r\netc…\r\nA typical example in Predator is huge blocks with only two instructions (XOR \u0026 MOV), where stack strings are decrypted X bytes at a time by just moving content into a temporary value (stored in EAX), XORing it, then pushing it back to the stack relative to EBP, and the principle is reproduced endlessly again and again. 
This is rudimentary; in this scenario, it is just part of the obfuscation process heavily abused by Predator to get an absurd amount of instructions for simple things.\r\nAlso, in some cases, when a hexadecimal/integer value is required for an API call, it is possible to spot another pattern: a hardcoded value is moved to a register, then a single XOR instruction reveals the correct value. This trivial thing is used for some specific cases, such as the correct offset in the TEB for retrieving the PEB, the RVA of a specific module, …\r\nFinally, the most common one: the classic for loop with a one-byte XOR key, seen when decrypting module names, function names and other things… In the variant below the key is the last byte of the buffer, so that byte decrypts to 0x00 and doubles as the string terminator:\r\ndata = bytearray(encrypted)  # encrypted string, key byte at the end\r\nkey = data[len(data) - 1]\r\nfor i in range(len(data)):\r\n    data[i] ^= key\r\nSub everything\r\nLet’s consider this a perfect example of “let’s do the same exact thing by just changing one single instruction”, so that in the end a new encryption method is used with no development effort. That’s how a SUB instruction is used to do the substitution cipher. 
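An added example (mine, not code from the post or from Predator) implementing the two string schemes of this section so that dumped stack strings can be decoded outside the debugger: the single-byte XOR where the key is the trailing byte of the buffer, and the SUB cipher whose key, in the variant described next, is DL after a cdq/idiv signed 32-bit division. The encrypted samples and the dividend/divisor values are constructed for the demo.

```python
# Added example, not from the original post: decoders for the XOR and SUB
# string schemes described in this section.


def xor_decrypt_trailing_key(blob: bytes) -> bytes:
    '''Single-byte XOR where the key is the last byte of the encrypted buffer.

    Every byte is XORed with the key, the key byte included: key ^ key == 0,
    so the decrypted string ends in a NUL terminator for free.
    '''
    key = blob[-1]
    out = bytes(b ^ key for b in blob)
    return out.rstrip(bytes(1))          # drop the trailing 0x00


def idiv_remainder_dl(dividend: int, divisor: int) -> int:
    '''Mimic  cdq ; idiv r/m32  on 32-bit operands and return DL.

    x86 idiv truncates the quotient toward zero and the remainder takes the sign
    of the dividend, which differs from floor division in Python for negatives.
    '''
    def s32(v: int) -> int:
        v &= 0xFFFFFFFF
        return v - (1 << 32) if v & 0x80000000 else v

    a, d = s32(dividend), s32(divisor)
    if d == 0:
        raise ZeroDivisionError('idiv by zero raises #DE on real hardware')
    q = abs(a) // abs(d)
    if (a < 0) != (d < 0):
        q = -q
    r = a - q * d                        # remainder lands in EDX
    return r & 0xFF                      # DL is its low byte


def sub_decrypt(blob: bytes, key: int) -> bytes:
    '''SUB cipher: the same loop as the XOR one with a single instruction swapped.'''
    return bytes((b - key) & 0xFF for b in blob)


# Constructed samples (not from the real binary): 'kernel32' XORed with 0x21
# with the key byte appended, and 'ntdll.dll' with 0x1F added to each byte.
XOR_SAMPLE = bytes.fromhex('4a 44 53 4f 44 4d 12 13 21')
SUB_SAMPLE = bytes.fromhex('8d 93 83 8b 8b 4d 83 8b 8b')

if __name__ == '__main__':
    print(xor_decrypt_trailing_key(XOR_SAMPLE))
    key = idiv_remainder_dl(0xDEADBEEF, 1000)   # cdq;idiv with these operands -> 0x1F
    print(hex(key), sub_decrypt(SUB_SAMPLE, key))
```

When reproducing the SUB key from a debugger trace, take the dividend and divisor as they appear in EAX and the idiv operand and feed them to idiv_remainder_dl rather than using the Python modulo operator: for negative dividends the two disagree, and 0xDEADBEEF is negative once it is read as a signed 32-bit value.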
The only difference that I could notice is how the key is retrieved.\r\nInstead of having something hardcoded directly, a signed 32-bit division is performed, easily noticeable by the use of the cdq \u0026 idiv instructions, then the dl register (the low byte of the remainder, which idiv leaves in EDX) is used for the substitution.\r\nStack Strings\r\nWhat’s the result in the end?\r\nMerging these obfuscation techniques leads to a nonsense amount of instructions for a basic task, which will obviously burn you a few hours of analysis if you don’t take some time to clean up that mess with the help of some scripts or the plenty of other ideas that could come to mind. It would be nice to see some scripts released by the community these days.\r\nSimple tricks lead to nonsense code\r\nAnti-Debug\r\nThere are plenty of techniques abused here that were not in the first analysis; this is no longer a simple PEB.BeingDebugged or a check that you are running in a virtual machine, so let’s dig into them one by one, except CheckRemoteDebuggerPresent! That one is self-explanatory :’)\r\nNtSetInformationThread\r\nOne of the oldest tricks in Windows, and still doing its work over the years. Basically, in a very simple way (because a lot happens during the process), NtSetInformationThread is called with a value (0x11) obfuscated by a XOR operator. This parameter is a ThreadInformationClass with a specific enum value called ThreadHideFromDebugger, and once it is executed, the debugger is no longer able to receive any debug information from that thread. 
So the thread passed to it is, of course, the malware’s own, and when you are analyzing it with a debugger, the result is that the debugger effectively loses the process, as if it had detached itself.\r\nCloseHandle/NtClose\r\nInside WinMain, a huge function is called with a lot of consecutive anti-debug tricks; almost all of them are indirectly related to techniques patched by TitanHide (or strongly look like it). The first one performed is a really basic one, but pretty efficient at doing its job.\r\nBasically, when CloseHandle is called with a non-existent or invalid handle, it raises an exception when a debugger is attached to the process, and the debugger will not like that at all. To make sure that this is not an issue for normal execution, a simple __try / __except block is used, so when no debugger is present the call safely leads to the end without any issue.\r\nThe invalid handle used here is a static one, and it’s l33t code with the value 0xBAADAA55, which makes me as bored as this face.\r\nThat’s not a surprise to see stuff like this from the malware developer. Inside jokes, l33t values, anime and probably other content that I missed are usual things to spot in Predator.\r\nProcessDebugObjectHandle\r\nWhen you are debugging a process, Windows creates a “Debug” object and a handle corresponding to it. To check whether this object exists for the process, NtQueryInformationProcess is used with ProcessInformationClass set to 0x1e (which is ProcessDebugObjectHandle).\r\nWhen no debugger is attached, the NTSTATUS value returned by the call is the error 0xC0000353, aka STATUS_PORT_NOT_SET, which means: “An attempt to remove a process’s DebugPort was made, but a port was not already associated with the process.”. 
The anti-debug trick is simply to verify that this error is there, that’s all.\r\nNtGetContextThread\r\nThis one may be considered pretty wild if you are not familiar with hardware breakpoints. Basically, there are registers called “debug registers”, using the DRx nomenclature (DR0 to DR7). When GetThreadContext is called, the function retrieves all the context information of a thread.\r\nFor those not familiar with the context structure, it contains all the register data of the corresponding thread. So, with this data in hand, it only needs to check whether those DRx registers hold a value different from 0, which means a hardware breakpoint is set.\r\nIn the case here, it is easy to spot that 4 registers are checked:\r\nif (ctx-\u003eDr0 != 0 || ctx-\u003eDr1 != 0 || ctx-\u003eDr2 != 0 || ctx-\u003eDr3 != 0)\r\nInt 3 breakpoint\r\nint 3 (Interrupt 3) is a popular opcode to force the debugger to stop at a specific offset. As the title says, this is a breakpoint, but if it is executed without any debugging environment the exception handler deals with it and execution continues without any issue; under a debugger, the debugger swallows the exception as one of its own breakpoints and the handler never runs. Unless I missed something, this is the scenario here.\r\nBy the way, in another scenario using int 3, the number of times this specific opcode is triggered can also be used as a counter; if the counter is above a specific value, a simplistic condition is sufficient to check whether it is executed inside a debugger.\r\nDebug Condition\r\nWith all the techniques explained above, in the end, they all lead to a final condition step, if of course the debugger hasn’t crashed. 
The checking task is pretty easy to understand and comes down to a simple operation: “setting a value in EAX during the anti-debug function”. If everything is correct this register is set to zero; if not, we can see all the different values that are possible.\r\nbloc in red is the correct condition over all the anti-debug tests\r\n…And when the anti-debug function is done, the register EAX is checked by the test instruction, so the ZF flag decides whether execution enters the most important loop, the one containing the main function of the stealer.\r\nAnti-VM\r\nThe anti-VM check is presented as an option in Predator and is performed just after the first C\u0026C requests.\r\nThe tricks used are pretty old and basically rely on the classic anti-VM instructions:\r\nSIDT\r\nSGDT\r\nSTR\r\nCPUID (hypervisor bit trick)\r\nCuriously, this option is not performed by default if the C\u0026C is not reachable.\r\nParanoid \u0026 Organized Predator\r\nWhen entering the “big main function”, the stealer is doing “again” extra validations: that you have a valid payload (and not a modded one), that you are running it correctly, and making sure once more that you are not analyzing it. This kind of paranoid checking is a result of the multiple cracked builders developed and released in the wild (mostly or exclusively, at the time, coming from XakFor.Net). 
Pretty wild and fun to see anti-piracy protocols in the malware landscape too.\r\nThen the malware does a classic, organized setup to perform all the requested actions, which can be represented this way.\r\nOf course, as usual and as already explained a bit in the first paper, the C\u0026C domain is retrieved in a table of function pointers run before the execution of the WinMain function (where the payload starts to do its tasks).\r\nYou can easily see all the functions that will be called, based on the starting location (__xc_a) and the ending location (__xc_z) of that initializer table.\r\nThen you can easily spot the XOR strings that hide the C\u0026C domain, like in the usual old Predator malware.\r\nData Encryption \u0026 Encoding\r\nBesides using XOR almost absolutely everywhere, this info stealer uses a mix of RC4 encryption and base64 encoding whenever it receives data from the C\u0026C. Without specialized tools or paid versions of IDA (or whatever other software), it could be a bit challenging to recognize (when you are a junior analyst), because some parts of the code have been modified.\r\nBase64\r\nThe Base64 functions are extremely easy to spot, thanks to the characteristic values in the registers before and after the calls. 
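As an added example (mine, not the post’s or Predator’s code), here is the decode path for a C\u0026C response as this section describes it: base64 decode, then RC4 with the C\u0026C domain (or the hardcoded IP) as the key, followed by splitting the resulting config on “#” into its bracketed sections, the layout quoted later in the Module Manager part. Two assumptions are labelled in the code: that base64 is the outer layer (the RC4 output is encoded for transport, so decoding reverses that order), and that a non-standard alphabet, when the XORed alphabet turns out to differ from the usual table, is handled by translating it back to the standard one before decoding. The sample response is constructed in the block for a hypothetical host; the well-known RC4 test vectors are used to check the cipher itself.

```python
# Added example, not from the original post: decode path for a Predator
# C2 response as described in this section (base64 -> RC4 keyed with the
# C2 host -> sections separated by '#').
import base64
from typing import List

STD_ALPHABET = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'


def rc4(key: bytes, data: bytes) -> bytes:
    '''Textbook RC4: array S, KSA with the key, then PRGA XORed over the data.'''
    S = list(range(256))
    j = 0
    for i in range(256):                         # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def b64_decode(text: bytes, alphabet: bytes = STD_ALPHABET) -> bytes:
    '''Decode base64, mapping a custom 64-character alphabet back to the standard one.'''
    if len(alphabet) != 64:
        raise ValueError('a base64 alphabet has exactly 64 symbols')
    if alphabet != STD_ALPHABET:
        text = text.translate(bytes.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(text, validate=True)


def decode_c2_response(body: bytes, c2_host: str, alphabet: bytes = STD_ALPHABET) -> bytes:
    '''Assumption: base64 is the transport layer and RC4 sits underneath it.
    The RC4 key is the C2 domain, or the hardcoded IP when there is no domain.'''
    return rc4(c2_host.encode(), b64_decode(body, alphabet))


def split_config(plain: bytes) -> List[bytes]:
    '''Split [PREDATOR_CONFIG]#[GRABBER]#...#[example] into its bare section names.'''
    return [part.strip(b'[]') for part in plain.split(b'#') if part]


def encode_c2_response(plain: bytes, c2_host: str, alphabet: bytes = STD_ALPHABET) -> bytes:
    '''Inverse direction, used here only to build a test response offline.'''
    enc = base64.b64encode(rc4(c2_host.encode(), plain))
    if alphabet != STD_ALPHABET:
        enc = enc.translate(bytes.maketrans(STD_ALPHABET, alphabet))
    return enc


# Constructed sample: the config layout quoted in the Module Manager section,
# encrypted for a hypothetical C2 host (not a real indicator).
C2_HOST = 'c2.example.invalid'
PLAIN_CONFIG = b'[PREDATOR_CONFIG]#[GRABBER]#[NETWORK_INFO]#[LOADER]#[example]'
SAMPLE_BODY = encode_c2_response(PLAIN_CONFIG, C2_HOST)

if __name__ == '__main__':
    sections = split_config(decode_c2_response(SAMPLE_BODY, C2_HOST))
    print(sections)
    print('module to fetch:', sections[-1].decode() + '.get')
```

Because the key is the contact domain, a captured response can only be decoded once the domain string has been recovered from its XORed form; if the output is not printable with the standard alphabet, dump the 64-byte table the XOR stack-string block produces and pass it as the alphabet.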
The only thing to notice about them is that they come with a typical signature… a whole block of XOR stack strings; I believe this trick is designed to hide the Base64 alphabet from Yara rules.\r\nOtherwise, the rest of the code remains identical to the standard base64 algorithm.\r\nRC4\r\nFor RC4, things could be a little messy if you are not familiar at all with encryption algorithms in a disassembler/debugger; in some cases it can be hell, in others not. Here, this is in fact the amount of code needed to perform the process.\r\nThe blocks represent the generation of the array S, then the Key-Scheduling Algorithm (KSA) using a specific secret key that is, in fact, the C\u0026C domain! (if there is no domain but a hardcoded IP, this IP is the secret key), and the last one is the Pseudo-Random Generation Algorithm (PRGA).\r\nFor more info, some resources about this algorithm:\r\nStack Overflow example\r\nRC4 Algorithm (Wikipedia)\r\nMutex \u0026 Hardware ID\r\nThe Hardware ID (HWID) and the mutex are related, and the generation is quite funky, I would say. Even if most people will consider this as something not important to investigate, I love small details in malware; even if their role is maybe meaningless, for me every detail counts no matter what (even the stupidest one).\r\nHere the hardware ID generation is split into 3 main parts. I had a lot of fun understanding how this one was created.\r\nFirst, it grabs all the available logical drives on the compromised machine and, for each of them, the volume serial number is saved into a temporary variable. Then, whenever a new drive is found, its hexadecimal value is added 
so basically if the two drives have the serial number “44C5-F04D” and “1130-DDFF”, so ESI will receive\r\n0x44C5F04D then will add 0x1130DFF.\r\nWhen it’s done, this value is put into a while loop that will divide the value on ESI by 0xA and saved the\r\nremainder into another temporary variable, the loop condition breaks when ESI is below 1. Then the results of this\r\noperation are saved, duplicated and added to itself the last 4 bytes (i.e 1122334455 will be 112233445522334455).\r\nIf this is not sufficient, the value is put into another loop for performing this operation.\r\nfor i, s in enumerate(str):\r\n if i \u0026 1:\r\n a += chr(s) + 0x40\r\n else:\r\n a += chr(s)\r\nIt results in the creation of an alphanumeric string that will be the archive filename used during the POST request\r\nto the C\u0026C.\r\nthe generated hardware ID based on the serial number devices\r\nBut wait! there is more… This value is in part of the creation of the mutex name… with a simple base64 operation\r\non it and some bit operand operation for cutting part of the base64 encoding string for having finally the mutex\r\nname!\r\nAnti-CIS\r\nA classic thing in malware, this feature is used for avoiding infecting machines coming from the Commonwealth\r\nof Independent States (CIS) by using a simple API call GetUserDefaultLangID.\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 17 of 44\n\nThe value returned is the language identifier of the region format setting for the user and checked by a lot of\r\nspecific language identifier, of courses in every situation, all the values that are tested, are encrypted.\r\nLanguage ID SubLanguage Symbol Country\r\n0x0419 SUBLANG_RUSSIAN_RUSSIA Russia\r\n0x042b SUBLANG_ARMENIAN_ARMENIA Armenia\r\n0x082c SUBLANG_AZERI_CYRILLIC Azerbaijan\r\n0x042c SUBLANG_AZERI_LATIN Azerbaijan\r\n0x0423 SUBLANG_BELARUSIAN_BELARUS Belarus\r\n0x0437 SUBLANG_GEORGIAN_GEORGIA 
Georgia\r\n0x043f        SUBLANG_KAZAK_KAZAKHSTAN      Kazakhstan\r\n0x0428        SUBLANG_TAJIK_TAJIKISTAN      Tajikistan\r\n0x0442        SUBLANG_TURKMEN_TURKMENISTAN  Turkmenistan\r\n0x0843        SUBLANG_UZBEK_CYRILLIC        Uzbekistan\r\n0x0443        SUBLANG_UZBEK_LATIN           Uzbekistan\r\n0x0422        SUBLANG_UKRAINIAN_UKRAINE     Ukraine\r\nFiles, files where are you?\r\nWhen I reversed this stealer for the first time, files and the malicious archive were stored on disk and then deleted. But right now, this is not the case anymore: Predator manages all the stolen data in memory, to avoid as much as possible any extra traces during execution.\r\nPredator nowadays creates in memory a lot of allocated pages and temporary files that are used for interacting with the real files that exist on disk. Most of the time it is basically getting handles and sizes and doing some operations to open the file, grab its content and save it to a place in memory. This explanation is summarized in a “very” simplified way, because there are a lot of cases and scenarios to manage here. 
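Returning to the hardware ID routine from the Mutex \u0026 Hardware ID section, here is an added reconstruction of it (mine, not code from the post or from Predator) that takes a list of volume serial numbers and produces the string used as the archive filename. The points the description leaves open are taken as labelled assumptions in the code: the serials are summed as a 32-bit value, the divide-by-10 loop emits the decimal digits least-significant first, the duplication step appends the last eight characters as in the 1122334455 example, and the final pass adds 0x40 to every odd-indexed character. The mutex derivation (base64 plus bit operations) is not reproduced because the exact truncation is not given.

```python
# Added example, not from the original post: reconstruction of the HWID
# routine described in the Mutex & Hardware ID section.
from typing import Iterable, List


def sum_volume_serials(serials: Iterable[str]) -> int:
    '''Step 1: parse each XXXX-XXXX serial as hex and add them up in a 32-bit register.'''
    total = 0
    for serial in serials:
        total = (total + int(serial.replace('-', ''), 16)) & 0xFFFFFFFF   # ESI is 32 bits
    return total


def digits_by_div10(value: int) -> str:
    '''Step 2: loop  value / 10  while ESI >= 1, appending each remainder.

    The remainders come out least-significant digit first, so the result is the
    decimal representation reversed (assumption: they are appended in loop order).
    A value of 0 never enters the loop and yields an empty string.
    '''
    out: List[str] = []
    while value >= 1:
        value, remainder = divmod(value, 10)
        out.append(str(remainder))
    return ''.join(out)


def duplicate_tail(digits: str, tail: int = 8) -> str:
    '''Step 2b: 1122334455 -> 112233445522334455, i.e. append the last 8 characters
    (assumption: the worked example shows 8 characters being appended).'''
    return digits + digits[-tail:]


def shift_odd_positions(text: str) -> str:
    '''Step 3: add 0x40 to every character at an odd index; digits 0-9 become p-y.'''
    return ''.join(chr(ord(c) + 0x40) if i & 1 else c for i, c in enumerate(text))


def hwid_from_serials(serials: Iterable[str]) -> str:
    '''Full pipeline: the alphanumeric string later used as the POST archive filename.'''
    return shift_odd_positions(duplicate_tail(digits_by_div10(sum_volume_serials(serials))))


# Constructed input: the two serial numbers quoted as an example in the text.
SERIALS = ['44C5-F04D', '1130-DDFF']

if __name__ == '__main__':
    print(hex(sum_volume_serials(SERIALS)))
    print(hwid_from_serials(SERIALS))
```

Run against the serials of a suspected victim (vol C: on Windows prints them), the output can be compared with the archive name seen in the POST request to confirm which host a captured upload came from.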
\r\nAnother point to notice is that the archive (using ZIP compression) is also created in memory by selecting folders/files.\r\nThe generated archive in memory\r\nIt doesn’t mean that the whole architecture of the files is different: it’s the same format as before.\r\nan example of archive intercepted during the C\u0026C Communication\r\nStealing\r\nAfter explaining this many times, the fundamental idea is boringly the same for every stealer:\r\nCheck\r\nAnalyze (optional)\r\nParse (optional)\r\nCopy\r\nProfit\r\nRepeat\r\nWhat could be different behind that is how they obfuscate the files or values to check… and guess what… every malware has its specialties (when they have not decided to copy the same piece of code from GitHub or some generic .NET stealer), and in the end there is no black magic, just simple (or complex) enigmas to solve. As a malware analyst, when you start analyzing stealers, you literally want to understand everything, because everything is new; with time, you realize the routine performed to fetch the data and how stupidly well it works (as a reminder, it might not always be that easy for some highly specific stuff).\r\nIn the end, you just want to know the targeted software and only dig into those you haven’t seen before, but every time the thing is the same:\r\nDumbly checking a path\r\nChecking a registry key to get the correct path of a software\r\nChecking a shortcut path based on an icon\r\netc…\r\nBesides that, Predator the Thief is stealing a lot of different things:\r\n1. Grabbing content from browsers (Cookies, History, Credentials)\r\n2. Harvesting/Fetching Credit Cards\r\n3. Stealing sensitive information \u0026 files from Crypto-Wallets\r\n4. 
Credentials from FTP Software\r\n5. Data coming from instant communication software\r\n6. Data coming from messenger software\r\n7. 2FA authenticator software\r\n8. Fetching gaming accounts\r\n9. Credentials coming from VPN software\r\n10. Grabbing specific files (also dynamically)\r\n11. Harvesting all the information from the computer (specs, software)\r\n12. Stealing the clipboard (if there is some content during its execution)\r\n13. Taking a picture of yourself (if your webcam is connected)\r\n14. Taking a screenshot of your desktop\r\n15. It could also include a clipper (as a modular feature).\r\n16. And… due to the module manager, other tasks that I have not mentioned here (and that I don’t know of either).\r\nLet’s explain just some of them that I found worth digging into.\r\nBrowsers\r\nSince my last analysis, things have changed for the browser part, and it is now divided into three major parts.\r\nInternet Explorer is handled in a specific function, because its data is contained in a “Vault”, so it requires a specific Windows API to read it.\r\nMicrosoft Edge is also split into another part of the stealing process, because this one uses unique files and needs some tasks for the parsing.\r\nThen, the other browsers are fetched by using a homemade static grabber.\r\nGrabber n°1 (The generic one)\r\nIt’s pretty fun to see that the stealing process uses at least one single function for catching a lot of things. 
This generic grabber is pretty “clean” compared with what I saw before. Even if there is no magic at all, it is sufficient to do enough damage by using a recursive loop at a specific place that searches for all the required files \u0026 folders.\r\nComparing with older versions of Predator, when it was attempting to steal content from browsers and some wallets, it checked step by step specific directories or registry keys, then went through some loops and tasks to fetch the credentials. Nowadays, this step has been removed (for the browser part) and is now part of this raw grabber, which parses everything starting from the %USERS% directory.\r\nAs usual, all the variables containing the required file names are obfuscated and encrypted by a simple XOR algorithm, and in the end this is the “static” list that the info stealer focuses on:\r\nFile grabbed         Type                          Actions\r\nLogin Data           Chrome / Chromium based       Copy \u0026 Parse\r\nCookies              Chrome / Chromium based       Copy \u0026 Parse\r\nWeb Data             Browsers                      Copy \u0026 Parse\r\nHistory              Browsers                      Copy \u0026 Parse\r\nformhistory.sqlite   Mozilla Firefox \u0026 Others      Copy \u0026 Parse\r\ncookies.sqlite       Mozilla Firefox \u0026 Others      Copy \u0026 Parse\r\nwallet.dat           Bitcoin                       Copy \u0026 Parse\r\n.sln                 Visual Studio Projects        Copy filename into Project.txt\r\nmain.db              Skype                         Copy \u0026 Parse\r\nlogins.json          Mozilla Firefox \u0026 Others      Copy \u0026 Parse\r\nsignons.sqlite       Mozilla Firefox \u0026 Others      Copy \u0026 Parse\r\nplaces.sqlite        Mozilla Firefox \u0026 Others      Copy \u0026 Parse\r\nLast Version         Mozilla Firefox \u0026 Others      Copy \u0026 Parse\r\nGrabber n°2 (The dynamic one)\r\nThere is a second grabber in Predator The Thief, and this one is not only used when a config has been loaded in memory based on the first request done to the C\u0026C. 
In fact, it’s also used as part of the process of searching \u0026 copying critical files coming from wallet software, communication software, and others…\r\nThe “main function” of this dynamic grabber only requires three arguments:\r\nThe path where you want to search for files\r\nThe requested file name or mask\r\nThe path where the found files will be put in the final archive sent to the C\u0026C\r\nWhen the grabber is configured for a recursive search, it simply appends “..” to the path and checks whether the next entry is a folder, to enter the same function again and again.\r\nFundamentally, this is almost the same pattern as the first grabber, with the only difference that here there is no in-depth parsing/analysis of the files. It is simply this follow-up:\r\n1. Find a file matching the requested search\r\n2. Create an entry in the stolen archive folder\r\n3. Get a handle/pointer to the grabbed file\r\n4. Save the whole content to memory\r\n5. 
Repeat\r\nOf course, there are a lot of particular cases to take into consideration here, but the main idea is like this.\r\nWhat is Predator stealing in the end?\r\nIf we leave out the dynamic grabber, this is the current list (for 3.3.2) of the software impacted by this stealer. For sure, it is hard to know precisely all the browsers impacted because of the generic grabber, but in the end the most important ones are listed here.\r\nVPN\r\nNordVPN\r\nCommunication\r\nJabber\r\nDiscord\r\nSkype\r\nFTP\r\nWinSCP\r\nWinFTP\r\nFileZilla\r\nMails\r\nOutlook\r\n2FA Software\r\nAuthy (Inspired by Vidar)\r\nGames\r\nSteam\r\nBattle.net (Inspired by Kpot)\r\nOsu\r\nWallets\r\nElectrum\r\nMultiBit\r\nArmory\r\nEthereum\r\nBytecoin\r\nBitcoin\r\nJaxx\r\nAtomic\r\nExodus\r\nBrowser\r\nMozilla Firefox (also Gecko browsers using the same files)\r\nChrome (also Chromium browsers using the same files)\r\nInternet Explorer\r\nEdge\r\nUnmentioned browsers using the same files, detected by the grabber.\r\nBesides stealing, other actions are performed, like:\r\nPerforming a webcam picture capture\r\nPerforming a desktop screenshot\r\nLoader\r\nThere are currently 5 kinds of loader implemented in this info stealer:\r\n1. RunPE\r\n2. CreateProcess\r\n3. ShellExecuteA\r\n4. LoadPE\r\n5. LoadLibrary\r\nFor all of them, I have explained below (in another part of this analysis) what the options of each technique are. There is no magic, there is nothing more to explain about this feature these days. There are enough articles and tutorials talking about this. 
The only thing to notice is that Predator is designed to load the payload in different ways, either by a simple process creation or by abusing some process injection technique (on this part, I recommend reading the work from Endgame).\r\nModule Manager\r\nSomething really interesting about this stealer these days is that it has developed a feature for adding additional tasks as part of a module/plugin package. Maybe this thing is wrongly named (I will probably be corrected soon about this statement), but now it is definitely sure that we can consider this malware a modular one.\r\nWhen decrypting the config from check.get, you quickly understand that a module will be launched, by looking at the last entry…\r\n[PREDATOR_CONFIG]#[GRABBER]#[NETWORK_INFO]#[LOADER]#[example]\r\nThis is the name of the module that will be requested from the C\u0026C (and this is also the easiest way to spot a new module).\r\nexample.get\r\nexample.post\r\nThe first request gives you the config of the module (in my case it was like this); it is saved but NOT decrypted (it looks like this part is dealt with by the module itself). The other request is focused on downloading the payload, decrypting it and saving it to disk in a random folder in %PROGRAMDATA% (the filename is also generated randomly); when it’s done, it is simply executed by ShellExecuteA.\r\nAnother thing to notice: it is designed to launch multiple modules/plugins.\r\nClipper (Optional module)\r\nThe clipper is one example of a module that could be loaded by the module manager. 
As far as I saw, I only see\r\nthis one (maybe they are other things, maybe not, I don’t have the visibility for that).\r\nDisclaimer: Before people will maybe mistaken, the clipper is proper to Predator the Thief and this is NOT\r\nsomething coming from another actor (if it’s the case, the loader part would be used).\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 28 of 44\n\nClipper WinMain function\r\nThis malware module is developed in C++, and like Predator itself, you recognized pretty well the obfuscation\r\nproper to it (Stack strings, XOR, SUB, Code spaghetti, GetProcAddress recreated…). Well, everything that you\r\nlove for slowing down again your analysis.\r\nAs detailed already a little above, the module is designed to grab the config from the main program, decrypting it\r\nand starting to do the process routine indefinitely:\r\n1. Open Clipboard\r\n2. Checking content based on the config loaded\r\n3. If something matches put the malicious wallet\r\n4. Sleep\r\n5. Repeat\r\nThe clipper config is rudimentary using “|” as a delimiter. 
Mask/Regex on the left, malicious wallet on the right.\r\n1*:1Eh8gHDVCS8xuKQNhCtZKiE1dVuRQiQ58H|\r\n3*:1Eh8gHDVCS8xuKQNhCtZKiE1dVuRQiQ58H|\r\n0x*:0x7996ad65556859C0F795Fe590018b08699092B9C|\r\nq*:qztrpt42h78ks7h6jlgtqtvhp3q6utm7sqrsupgwv0|\r\nG*:GaJvoTcC4Bw3kitxHWU4nrdDK3izXCTmFQ|\r\nX*:XruZmSaEYPX2mH48nGkPSGTzFiPfKXDLWn|\r\nL*:LdPvBrWvimse3WuVNg6pjH15GgBUtSUaWy|\r\nt*:t1dLgBbvV6sXNCMUSS5JeLjF4XhhbJYSDAe|\r\n4*:44tLjmXrQNrWJ5NBsEj2R77ZBEgDa3fEe9GLpSf2FRmhexPvfYDUAB7EXX1Hdb3aMQ9FLqdJ56yaAhiXoRsceGJCRS3Jxkn|\r\nD*:DUMKwVVAaMcbtdWipMkXoGfRistK1cC26C|\r\nA*:AaUgfMh5iVkGKLVpMUZW8tGuyjZQNViwDt|\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 29 of 44\n\nThere is no communication with the C\u0026C when the clipper is switching wallet, it’s an offline one.\r\nSelf Removal\r\nWhen the parameters are set to 1 in the Predator config got by check.get, the malware is performing a really\r\nsimple task to erase itself from the machine when all the tasks are done.\r\nBy looking at the bottom of the main big function where all the task is performed, you can see two main blocs that\r\ncould be skipped. these two are huge stack strings that will generate two things.\r\nthe API request “ShellExecuteA”\r\nThe command “ping 127.0.0.1 \u0026 del %PATH%”\r\nWhen all is prepared the thing is simply executed behind the classic register call. By the way, doing a ping request\r\nis one of the dozen way to do a sleep call and waiting for a little before performing the deletion.\r\nThis option is not performed by default when the malware is not able to get data from the C\u0026C.\r\nTelemetry files\r\nThere is a bunch of files that are proper to this stealer, which are generated during the whole infection process.\r\nEach of them has a specific meaning.\r\nInformation.txt\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 30 of 44\n\n1. Signature of the stealer\r\n2. Stealing statistics\r\n3. Computer specs\r\n4. 
Number of users in the machine\r\n5. List of logical drives\r\n6. Current usage resources\r\n7. Clipboard content\r\n8. Network info\r\n9. Compile-time of the payload\r\nAlso, this generated file is literally “hell” when you want to dig into it by the amount of obfuscated code.\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 31 of 44\n\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 32 of 44\n\nI can quote these following important telemetry files:\r\nSoftware.txt\r\nWindows Build Version\r\nGenerated User-Agent\r\nList of software installed in the machine (checking for x32 and x64 architecture folders)\r\nActions.txt\r\nList of actions \u0026 telemetry performed by the stealer itself during the stealing process\r\nProjects.txt\r\nList of SLN filename found during the grabber research (the static one)\r\nCookeList.txt\r\nList of cookies content fetched/parsed\r\nNetwork\r\nUser-Agent “Builder”\r\nSometimes features are fun to dig in when I heard about that predator is now generating dynamic user-agent, I was\r\nthinking about some things but in fact, it’s way simpler than I thought.\r\nThe User-Agent is generated in 5 steps\r\n1. Decrypting a static string that contains the first part of the User-Agent\r\n2. Using GetTickCount and grabbing the last bytes of it for generating a fake builder version of Chrome\r\n3. Decrypting another static string that contains the end of the User-Agent\r\n4. Concat Everything\r\n5. 
Profit\r\nTihs User-Agent is shown into the software.txt logfile.\r\nC\u0026C Requests\r\nThere is currently 4 kind of request seen in Predator 3.3.2 (it’s always a POST request)\r\nRequest Meaning\r\napi/check.get Get dynamic config, tasks and network info\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 33 of 44\n\napi/gate.get ?…… Send stolen data\r\napi/.get Get modular dynamic config\r\napi/.post Get modular dynamic payload (was like this with the clipper)\r\nThe first step – Get the config \u0026 extra Infos\r\nFor the first request, the response from the server is always in a specific form :\r\nString obviously base64 encoded\r\nEncrypted using RC4 encryption by using the domain name as the key\r\nWhen decrypted, the config is pretty easy to guess and also a bit complex (due to the number of options \u0026\r\nparameters that the threat actor is able to do).\r\n[0;1;0;1;1;0;1;1;0;512;]#[[%userprofile%\\Desktop|%userprofile%\\Downloads|%userprofile%\\Documents;*.xl\r\nIt’s easily understandable that the config is split by the “#” and each data and could be summarized like this\r\n1. The stealer config\r\n2. The grabber config\r\n3. The network config\r\n4. The loader config\r\n5. 
The dynamic modular config (i.e Clipper)\r\nI have represented each of them into an array with the meaning of each of the parameters (when it was possible).\r\nPredator config\r\nArgs Meaning\r\nField 1 Webcam screenshot\r\nField 2 Anti VM\r\nField 3 Skype\r\nField 4 Steam\r\nField 5 Desktop screenshot\r\nField 6 Anti-CIS\r\nField 7 Self Destroy\r\nField 8 Telegram\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 34 of 44\n\nField 9 Windows Cookie\r\nField 10 Max size for files grabbed\r\nField 11 Powershell script (in base64)\r\nGrabber config\r\n[]#[GRABBER]#[]#[]#[]\r\nArgs Meaning\r\nField 1 %PATH% using “|” as a delimiter\r\nField 2 Files to grab\r\nField 3 Max sized for each file grabbed\r\nField 4 Whitelist\r\nField 5 Recursive search (0 – off | 1 – on)\r\nNetwork info\r\n[]#[]#[NETWORK]#[]#[]\r\nArgs Meaning\r\nField 1 City\r\nField 2 Country\r\nField 3 GPS Coordinate\r\nField 4 Time Zone\r\nField 5 Postal Code\r\nLoader config\r\n[]#[]#[]#[LOADER]#[]\r\nFormat\r\n[[URL;3;2;;;;1;amazon.com;0;0;1;0;0;5]]\r\nMeaning\r\n1. Loader URL\r\n2. Loader Type\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 35 of 44\n\n3. Architecture\r\n4. Targeted Countries (“,” as a delimiter)\r\n5. Blacklisted Countries (“,” as a delimiter)\r\n6. Arguments on startup\r\n7. Injected process OR Where it’s saved and executed\r\n8. Pushing loader if the specific domain(s) is(are) seen in the stolen data\r\n9. Pushing loader if wallets are presents\r\n10. Persistence\r\n11. Executing in admin mode\r\n12. Random file generated\r\n13. Repeating execution\r\n14. 
???\r\nLoader type (argument 2)\r\nValue Meaning\r\n1 RunPE\r\n2 CreateProcess\r\n3 ShellExecute\r\n4 LoadPE\r\n5 LoadLibrary\r\nArchitecture (argument 3)\r\nValue Meaning\r\n1 x32 / x64\r\n2 x32 only\r\n3 x64 only\r\nIf it’s RunPE (argument 7)\r\nValue Meaning\r\n1 Attrib.exe\r\n2 Cmd.exe\r\n3 Audiodg.exe\r\nIf it’s CreateProcess / ShellExecuteA / LoadLibrary (argument 7)\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 36 of 44\n\nValue Meaning\r\n1 %PROGRAMDATA%\r\n2 %TEMP%\r\n3 %APPDATA%\r\nThe second step – Sending stolen data\r\nFormat\r\n/api/gate.get?p1=X\u0026p2=X\u0026p3=X\u0026p4=X\u0026p5=X\u0026p6=X\u0026p7=X\u0026p8=X\u0026p9=X\u0026p10=X\r\nGoal\r\n1. Sending stolen data\r\n2. Also victim telemetry\r\nMeaning\r\nArgs Field\r\np1 Passwords\r\np2 Cookies\r\np3 Credit Cards\r\np4 Forms\r\np5 Steam\r\np6 Wallets\r\np7 Telegram\r\np8 ???\r\np9 ???\r\np10 OS Version (encrypted + encoded)*\r\nThis is an example of crafted request performed by Predator the thief\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 37 of 44\n\nThird step – Modular tasks (optional)\r\n/api/Clipper.get\r\nGive the dynamic clipper config\r\n/api/Clipper.post\r\nGive the predator clipper payload\r\nServer side\r\nThe C\u0026C is nowadays way different than the beginning, it has been reworked with some fancy designed and\r\nbeing able to do some stuff:\r\n1. Modulable C\u0026C\r\n2. Classic fancy index with statistics\r\n3. Possibility to configure your panel itself\r\n4. Dynamic grabber configuration\r\n5. Telegram notifications\r\n6. Backups\r\n7. Tags for specific domains\r\nIndex\r\nThe predator panel changed a lot between the v2 and v3. This is currently a fancy theme one, and you can easily\r\nspot the whole statistics at first glance. 
the thing to notice is that the panel is fully in Russian (and I don’t know at\r\nthat time if there is an English one).\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 38 of 44\n\nMenu on the left is divide like this (but I’m not really sure about the correct translation)\r\nМеню (Menu)\r\nСтатистика (Stats)\r\nЛогов (Logs)\r\nПо странам (Country stats)\r\nЛоадера (Loader Stats)\r\nЛоги (Logs)\r\nОбычная\r\nМодули (Modules)\r\nЗагрузить модуль (Download/Upload Module)\r\nНастройки (Settings)\r\nНастройки сайта (Site settings)\r\nТелеграм бот (Telegram Bot)\r\nКонфиг (Config)\r\nГраббер (Grabber)\r\nЛоадер (Loader)\r\nDomain Detect\r\nBackup\r\nПоиск (Search)\r\nКонвертация (Converter =\u003e Netscape Json converter)\r\nStatistics / Landscape\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 39 of 44\n\nPredator Config\r\nIn term of configuring predator, the choices are pretty wild:\r\nThe actor is able to tweak its panel, by modifying some details, like the title and detail that made me laugh\r\nis you can choose a dark theme.\r\nThere is also another form, the payload config is configured by just ticking options. 
When done, this will\r\nupdate the request coming from check.get\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 40 of 44\n\nAs usual, there is also a telegram bot feature\r\nCreating Tags for domains seen\r\nSmall details which were also mentioned in Vidar, but if the actor wants specific attention for bots that have data\r\ncoming from specific domains, it will create a tag that will help him to filter easily which of them is probably\r\nworth to dig into.\r\nLoader config\r\nThe loader configuration is by far really interesting in my point of view and even it has been explained totally for\r\nits functionalities, I considered it pretty complete and user-friendly for the Threat Actor that is using it.\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 41 of 44\n\nIoCs\r\nHashes for this analysis\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 42 of 44\n\np_pckd.exe – 21ebdc3a58f3d346247b2893d41c80126edabb060759af846273f9c9d0c92a9a\r\np_upkd.exe – 6e27a2b223ef076d952aaa7c69725c831997898bebcd2d99654f4a1aa3358619\r\np_clipper.exe – 01ef26b464faf08081fceeeb2cdff7a66ffdbd31072fe47b4eb43c219da287e8\r\nC\u0026C\r\ncadvexmail19mn.world\r\nOther predator hashes\r\n9110e59b6c7ced21e194d37bb4fc14b2\r\n51e1924ac4c3f87553e9e9c712348ac8\r\nfe6125adb3cc69aa8c97ab31a0e7f5f8\r\n02484e00e248da80c897e2261e65d275\r\na86f18fa2d67415ac2d576e1cd5ccad8\r\n3861a092245655330f0f1ffec75aca67\r\ned3893c96decc3aa798be93192413d28\r\nConclusion\r\nInfostealer is not considered as harmful as recent highly mediatize ransomware attacks, but they are enough\r\neffective to perform severe damage and they should not be underrated, furthermore, with the use of\r\ncryptocurrencies that are more and more common, or something totally normal nowadays, the lack of security\r\nhygiene on this subject is awfully insane. 
that I am not surprised at all to see so much money stolen, so they will\r\nbe still really active, it’s always interesting to keep an eye on this malware family (and also on clippers), whenever\r\nthere is a new wallet software or trading cryptocurrency software on the list, you know easily what are the\r\npossible trends (if you have a lack of knowledge in that area).\r\nNowadays, it’s easy to see fresh activities in the wild for this info stealer, it could be dropped by important\r\nmalware campaigns where notorious malware like ISFB Gozi is also used. It’s unnecessary (on my side) to\r\nspeculate about what will be next move with Predator, I have clearly no idea and not interested in that kind of\r\nstuff. The thing is the malware scene nowadays is evolving really fast, threat actor teams are moving/switching\r\neasily and it could take only hours for new updates and rework of malware by just modifying a piece of code with\r\nsomething already developed on some GitHub repository, or copying code from another malware. Also, the price\r\nof the malware has been adjusted, or the support communication is moved to something else.\r\nDue to this,  I am pretty sure at that time, this current in-depth analysis could be already outdated by some\r\nmodifications. it’s always a risk to take and on my side, I am only interested in the malware itself, the main\r\nideas/facts of the major version are explained and it’s plenty sufficient. There is, of course, some topics that I\r\nhaven’t talk like nowadays predator is now being to work as a classic executable file or a DLL, but it was\r\ndeveloped some times ago and this subject is now a bit popular. 
Also, another point that I didn’t find any\r\nexplanation, is that seeing some decrypting process for strings that leads to some encryption algorithm related to\r\nTor.\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 43 of 44\n\nThis in-depth analysis is also focused on showing that even simple tricks are an efficient way to slow down\r\nanalysis and it is a good exercise to practice your skills if you want to improve yourself into malware analysis.\r\nAlso, reverse engineering is not as hard as people could think when the fundamental concepts are assimilated, It’s\r\njust time, practice and motivation.\r\nOn my side, I am, as usual, typically irregular into releasing stuff due to some stuff (again…). By the way,\r\nupdating projects are still one of my main focus, I still have some things that I would love to finish which are not\r\nnecessarily into malware analysis, it’s cool to change topics sometimes.\r\n#HappyHunting\r\nSource: https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nhttps://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/\r\nPage 44 of 44",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/"
	],
	"report_names": [
		"lets-play-again-with-predator-the-thief"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434450,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c264707a4d52f1399bad9362bcfaafa90c4ae1dd.pdf",
		"text": "https://archive.orkl.eu/c264707a4d52f1399bad9362bcfaafa90c4ae1dd.txt",
		"img": "https://archive.orkl.eu/c264707a4d52f1399bad9362bcfaafa90c4ae1dd.jpg"
	}
}