{
	"id": "edc40313-aa05-41b6-9397-5ae2f46c5047",
	"created_at": "2026-04-06T00:18:01.135168Z",
	"updated_at": "2026-04-10T03:37:09.244717Z",
	"deleted_at": null,
	"sha1_hash": "c3b3f556f2e61480e0c61f266685ed4051516c9a",
	"title": "OriginBotnet Spreads via Malicious Word Document | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5766952,
	"plain_text": "OriginBotnet Spreads via Malicious Word Document | FortiGuard\r\nLabs\r\nBy Cara Lin\r\nPublished: 2023-09-11 · Archived: 2026-04-05 17:35:39 UTC\r\nAffected platforms: Windows\r\nImpacted parties: Any organization\r\nImpact: Remote attackers steal credentials, sensitive information, and cryptocurrency\r\nSeverity level: Critical\r\nIn August, FortiGuard Labs obtained a Word document containing a malicious URL designed to entice victims to\r\ndownload a malware loader. This loader employs a binary padding evasion strategy that adds null bytes to increase\r\nthe file's size to 400 MB. The payloads of this loader include OriginBotnet for keylogging and password recovery,\r\nRedLine Clipper for cryptocurrency theft, and AgentTesla for harvesting sensitive information. Figure 1 illustrates\r\nthe comprehensive attack flow.\r\nIn this blog, we examine the various stages of how the file is deployed and delve into the specifics of the malware\r\nit delivers.\r\nFigure 1: Attack flow\r\nDocument Analysis\r\nA phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a\r\ncounterfeit reCAPTCHA (Figure 2) to lure the recipient into clicking on it. Clicking activates an embedded\r\nhttps://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document\r\nPage 1 of 27\n\nmalicious link in the file “\\word_rels\\document.xml.rels,” as shown in Figure 3.\r\nFigure 2: Word document\r\nFigure 3: Malicious URL\r\nLoader Analysis\r\nThe initial loader was acquired from https://bankslip[.]info/document/scancop20233108[.]exe. This file, written in\r\n.NET, deciphers the “Main_Project” resource data in\r\n“HealthInstitutionSimulation.Properties.Resources.resources.” It uses an XOR operation with the string\r\n“WdxDFWxcf09WXfVVjLwKKcccwnawf” and then 'Activator.CreateInstance()' to execute the decoded\r\ninformation. 
The decoding procedure is shown in Figure 4.\r\nFigure 4: Decoding resource data in “scancop20233108.exe”\r\nThe second stage uses the “Main Project.dll” with the entry point illustrated in Figure 5. In this stage, the code\r\ninitiates a “Sleep()” function within “Delation()” and establishes persistence through the “Moschop()” function.\r\nFigure 5: Entry point of “Main Project.dll”\r\nIt then loads Base64-encoded strings and uses the AES-CBC algorithm for decryption, retrieving a PowerShell\r\ncommand, as shown in Figure 6. To ensure persistence, it duplicates the EXE file into the directory\r\n“%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup” under the filename “audacity.exe.exe” to ensure\r\nthat the file runs automatically even if the victim restarts their device.\r\nFigure 6: PowerShell command for persistence in “Main Project.dll”\r\nFollowing that, it employs the command “GetType(‘I.L’).GetMethod(‘U’)” to invoke a method from the DLL that\r\nwas decrypted from the resources labeled “DataPresent.” This is passed to the third-stage payload, decrypted from\r\nthe data within the resources labeled “Moss,” using the AES-ECB algorithm, as shown in Figure 7.\r\nFigure 7: Load decrypted payload in “Main Project.dll”\r\nThe third stage uses “scancopper4647979413.exe,” which is another .NET executable file. 
It utilizes the\r\n“Activator.CreateInstance()” method to generate an instance decoded from the resources, “rumdisintegration.dat,”\r\neffectively triggering the execution of the fourth-stage file, “cargomind.dll.” It then uses the “CreateInstance()”\r\nmethod with two parameters: the object type for instantiation and an array of arguments to be transmitted to the\r\ncreated object.\r\nFigure 8: The entry point of “scancopper4647979413.exe”\r\nThe fourth stage is represented by a DLL file, “cargomind.dll.” Its entry point is shown in Figure 9. It comprises\r\nthree Base64-encoded strings intended for subsequent operations. The “Deserialize()” function, as shown in\r\nFigure 10, is responsible for decoding these strings, parsing the key-value pairs for each option, and ultimately\r\nreturning a dictionary.\r\nFigure 9: The entry point of “cargomind.dll”\r\nFigure 10: Function for parsing data\r\nFigure 11 displays the result obtained from “list2.” It reveals the existence of three tasks, each comprising six\r\ndistinct options.\r\nFigure 11: The tasks in “cargomind.dll”\r\nLet's explore the options within “list2[0]” in detail:\r\n1. “u”: URL, which is specified as https://softwarez[.]online/javau[.]exe.\r\n2. “k”: Action, with “d” indicating a download action, as shown in Figure 12.\r\n3. “df”: File directory, where “ad” designates the ApplicationData folder (%appdata%), with the associated\r\nfunction being “ConstructPath(),” as shown in Figure 13.\r\n4. “sf”: Subfolder, denoted as “Java.”\r\n5. “fn”: File name, identified as “javau.exe.”\r\n6. 
“e”: Execution status, where “y” signifies “yes” and triggers the execution of the downloaded file using\r\n“Process.Start.”\r\nFigure 12: Function for option “k”\r\nFigure 13: Function for constructing file path\r\nFor the remaining two tasks in “list2,” the action is set to “b.” Consequently, it invokes the “ExecuteBinder()”\r\nfunction to decode data specified in the “r_k” option, as shown in Figure 14. The targeted files in this context are\r\n“newcrisp.dat” and “backyard.dat,” both sourced from the resources section of the prior stage,\r\n“scancopper46477979413.exe,” as shown in Figure 15.\r\nFigure 14: Function for decoding payload\r\nFigure 15: Resources data in “scancopper46477979413.exe”\r\nMalware Analysis – RedLine Clipper\r\nThe initial malware originates from the URL https://softwarez[.]online/javau[.]exe. It is a .NET executable file\r\nthat has been packed using SmartAssembly. Upon deciphering the resource data, we uncovered the ultimate\r\npayload, “RedLine Clipper,” as shown in Figure 16.\r\nFigure 16: Decoded data in “javau.exe”\r\nRedLine Clipper (SHA256: 4617631b4497eddcbd97538f6712e06fabdb53af3181d6c1801247338bffaad3), also\r\nknown as ClipBanker, specializes in stealing cryptocurrencies by manipulating the user's system clipboard\r\nactivities to substitute the destination wallet address with one belonging to the attacker. The compromised version\r\n(Figure 17) supports cryptocurrencies, including Bitcoin, Ethereum, Dogecoin, Litecoin, Dashcoin, and Monero. It\r\ncontinually monitors the clipboard for a copied coin wallet address, which is typically lengthy and complex,\r\nmaking manual entry impractical. 
When a wallet address is detected on the clipboard, RedLine Clipper covertly\r\nalters it to match the attacker's wallet address.\r\nOrdinarily, cryptocurrency wallet addresses adhere to specific formats, but due to their complexity, users often\r\ncopy and paste them during transactions. Consequently, if the wallet address is tampered with at this stage, users\r\nintending to send funds to a particular wallet may inadvertently deposit them into the attacker's wallet instead.\r\nTo carry out this operation, RedLine Clipper utilizes the “OnClipboardChangeEventHandler” to regularly monitor\r\nclipboard changes and verify if the copied string conforms to the regular expression depicted in Figure 18. It's\r\nworth noting that the attacker targets all six supported cryptocurrencies in this scheme.\r\nFigure 17: Redline Clipper Cracked\r\nFigure 18: Run() function for RedLine Clipper\r\nMalware Analysis – Agent Tesla\r\nThe second file, an Agent Tesla variant, is stored as “COPPER.exe” (SHA256:\r\nc241e3b5d389b227484a8baec303e6c3e262d7f7bf7909e36e312dea9fb82798). This malware can log keystrokes,\r\naccess the host's clipboard, and conduct disk scans to uncover credentials and other valuable data. Further, it can\r\ntransmit gathered information to its Command and Control (C2) server through various communication channels,\r\nincluding HTTP(S), SMTP, FTP, or even dispatching it to a designated Telegram channel.\r\nTo ensure its persistence, the malware replicates itself to the location “%AppData%\\EbJgI\\EbJgI.exe” and\r\nestablishes itself as an auto-run entry within the system registry, as shown in Figure 20. 
Additionally, it compiles a\r\nlist of specific software installed on the victim's device, including web browsers, email clients, FTP clients, and\r\nmore, as shown in Figure 21.\r\nFigure 19: File copy in Agent Tesla\r\nFigure 20: Registry setting in Agent Tesla\r\nFigure 21: Partial list of targeted software\r\nThis specific version of Agent Tesla employs SMTP as its C2 connection protocol. You can see the details of the\r\ntraffic session in Figure 22.\r\nFigure 22: C2 connection of Agent Tesla\r\nMalware Analysis – OriginBotnet\r\nThe third file, OriginBotnet, is stored as “david.exe” (SHA256:\r\nbe915d601276635bf4e77ce6b84feeec254a900c0d0c229b0d00f2c0bca1bec7). It is named after its namespace, as\r\nseen in Figure 23. OriginBotnet has a range of capabilities, including collecting sensitive data, establishing\r\ncommunications with its C2 server, and downloading additional files from the server to execute keylogging or\r\npassword recovery functions on compromised devices.\r\nFigure 23: Entry point of OriginBotnet\r\nInitially, OriginBotnet scans running processes to determine if it is already active within the environment.\r\nFigure 24: Checking process\r\nIt then initializes its settings and gathers essential information about the victim’s device, such as the installed\r\nAntiVirus Product, CPU, GPU, country, OS name, and username, as shown in Figure 25. 
Once the system\r\ninformation has been collected, the malware connects with the C2 server at https://nitrosoftwares[.]shop/gate.\r\nFigure 25: Settings for OriginBotnet\r\nFigure 26 shows the function responsible for transmitting messages. The communication is conducted via a POST\r\nrequest using a parameter named “p.” The POST data is subjected to TripleDES encryption (in ECB mode, with\r\nPKCS7 padding) and subsequently encoded in Base64 format. The encryption key for TripleDES is stored within\r\nthe “x-key” field of the HTTP Header. Additionally, the Content-Type and User-Agent values are hard-coded as\r\n“application/x-www-form-urlencoded” and “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0)\r\nGecko/20100101 Firefox/99.0,” respectively. Figures 27 and 28 provide insights into the traffic capture and\r\ndecrypted message.\r\nFigure 26: Function for sending a message to the C2 server\r\nFigure 27: C2 connection of OriginBotnet\r\nFigure 28: Decrypted message\r\nAfter receiving an “OK” signal from the C2 server, OriginBotnet enters a waiting state and proceeds to parse\r\nincoming C2 commands. The process for handling these commands is outlined in Figure 28. The available\r\ncommands include “downloadexecute,” “uninstall,” “update,” and “load.”\r\nFigure 29: Function for handling C2 command\r\nIf the victim receives either the “downloadexecute” or “update” command, the malware proceeds to parse\r\nadditional parameters, including the URL. 
It then directly downloads supplementary files from the specified URL\r\nand executes them. It selects the appropriate execution method depending on the file’s extension (.exe, .msi, or\r\n.java). This may involve using “Process.Start” or invoking commands such as “msiexec.exe /I” or “java.exe -jar,”\r\nas shown in Figure 30.\r\nWhen receiving an “uninstall” command, OriginBotnet invokes “MoveFile” to relocate the file to a temporary\r\nfolder.\r\nFigure 30: Function for downloading and execution\r\nThe final command, “load,” retrieves plugins from the C2 server. The POST session and the decoded data for this\r\nspecific request are displayed in Figure 31. In this context, two plugins are available for OriginBotnet: Keylogger\r\nand PasswordRecovery. The plugin DLL file is transmitted as a Base64 encoded string within the “bytes”\r\nparameter. The processing function for this operation is shown in Figure 32.\r\nFigure 31: Message and decoded data of requesting a plugin\r\nFigure 32: Function for processing plugin\r\nThe Keylogger plugin (SHA256: c204f07873fafdfd48f37e7e659e3be1e4202c8f62db8c00866c8af40a9a82c5) is\r\ndesigned to covertly record and log each keystroke executed on a computer as well as monitor user activities. It\r\nemploys techniques such as “SetWindowsHookEx” for capturing keyboard input events and\r\n“GetForegroundWindow” to determine the active window the user is working in. 
It also keeps tabs on clipboard\r\ntext content through “SetClipboardViewer.” The stolen text file uses a format similar to Agent Tesla's, as shown in\r\nFigure 35.\r\nFigure 33: API for starting the hook of the keyboard\r\nFigure 34: Get foreground window\r\nFigure 35: Log format for copied text\r\nThe PasswordRecovery plugin (SHA256:\r\n56ced4e1abca685a871b77fab998766cbddfb3edf719311316082b6e05986d67) retrieves and organizes the\r\ncredentials of various browser and software accounts. It records these results and reports them via HTTP POST\r\nrequests. Its primary function is shown in Figure 36. The plugin is designed to target the following browsers and\r\nsoftware applications:\r\nChromium Browsers: Opera, Yandex, Iridium, Chromium, 7Star, Torch, Cool Novo, Kometa, Amigo,\r\nBrave, CentBrowser, Chedot, Orbitum, Sputnik, Comodo Dragon, Vivaldi, Citrio, 360 Browser, Uran,\r\nLiebao, Elements, Epic Privacy, Coccoc, Sleipnir 6, QIP Surf, Coowon, Chrome, and Edge Chromium\r\nOther Browsers: Firefox, SeaMonkey, Thunderbird, BlackHawk, CyberFox, K-Meleon, IceCat, PaleMoon,\r\nIceDragon, Waterfox, Postbox, Flock, IE, UC, Safari for Windows, QQ Browser, and Falkon Browser\r\nEmail \u0026 FTP Clients: Outlook, Windows Mail App, The Bat!, Becky!, IncrediMail, Eudora, ClawsMail,\r\nFoxMail, Opera Mail, PocoMail, eM Client, Mailbird, FileZilla, WinSCP, CoreFTP, Flash FXP, FTP\r\nNavigator, SmartFTP, WS_FTP, FtpCommander, FTPGetter\r\nOthers: DynDns, OpenVPN, NordVpn, Private Internet Access, Discord, Paltalk, Pidgin, Trillian, Psi/Psi+,\r\nMySQL Workbench, Internet Downloader Manager, JDownloader 2.0, \\Microsoft\\Credentials\\, RealVNC,\r\nTightVNC\r\nFigure 36: The main function for PasswordRecovery\r\nConclusion\r\nThis cyberattack campaign 
uncovered by FortiGuard Labs involved a complex chain of events. It began with a\r\nmalicious Word document distributed via phishing emails, leading victims to download a loader that executed a\r\nseries of malware payloads. These payloads included RedLine Clipper, Agent Tesla, and OriginBotnet. The attack\r\ndemonstrated sophisticated techniques to evade detection and maintain persistence on compromised systems. We\r\nalso provided a comprehensive breakdown of each attack stage, shedding light on the intricacies of the deployed\r\nmalware and the tactics employed.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nMSOffice/Agent.DA32!tr.dldr\r\nMSIL/Agent.8DF3!tr\r\nMSIL/Agent.DGH!tr\r\nMSIL/Agent.F!tr.spy\r\nMSIL/Agent.CSS!tr.spy\r\nMSIL/Kryptik.AHUA!tr\r\nMSIL/Kryptik.PSV!tr\r\nMSIL/Injector.WGW!tr\r\nMSIL/Injector.WHL!tr\r\nMSIL/ClipBanker.PK!tr\r\nMSIL/Keylogger.ELM!tr\r\nMSIL/OriginBotnet.G!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard\r\nAntiVirus engine is a part of each of those solutions. 
As a result, customers who have these products with up-to-date protections are protected.\r\nThe URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nWe also suggest our readers go through the free NSE training: NSE 1 – Information Security Awareness, a module\r\non Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global\r\nFortiGuard Incident Response Team.\r\nIOCs\r\nURLs:\r\nbankslip[.]info\r\nsoftwarez[.]online\r\nnitrosoftwares[.]shop\r\nFiles:\r\nc9e72e2865517e8838dbad0ce41561b2bd75c399b7599c1711350f9408189b9b\r\n56ced4e1abca685a871b77fab998766cbddfb3edf719311316082b6e05986d67\r\nc204f07873fafdfd48f37e7e659e3be1e4202c8f62db8c00866c8af40a9a82c5\r\n21ad235118c371e2850c539040b6dcdd88196c021245440155fe80aacf6ccc7e\r\n4617631b4497eddcbd97538f6712e06fabdb53af3181d6c1801247338bffaad3\r\nbe915d601276635bf4e77ce6b84feeec254a900c0d0c229b0d00f2c0bca1bec7\r\nc241e3b5d389b227484a8baec303e6c3e262d7f7bf7909e36e312dea9fb82798\r\ndfd2b218387910b4aab6e5ee431acab864b255832eddd0fc7780db9d5844520a\r\nf36464557efef14b7ee4cebadcc0e45af46f5c06b67c5351da15391b03a19c4c\r\nb15055e75ae0eeb4585f9323ef041fa25ed9b6bf2896b6ea45d871d49a1c72b8\r\n49c969a5461b2919fd9a7dc7f76dd84101b2acc429b341f8eeee248998e9da32\r\n65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3\r\nSource: https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document"
	],
	"report_names": [
		"originbotnet-spreads-via-malicious-word-document"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434681,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3b3f556f2e61480e0c61f266685ed4051516c9a.pdf",
		"text": "https://archive.orkl.eu/c3b3f556f2e61480e0c61f266685ed4051516c9a.txt",
		"img": "https://archive.orkl.eu/c3b3f556f2e61480e0c61f266685ed4051516c9a.jpg"
	}
}