{
	"id": "39796a00-84f5-4b2d-9e19-d0b546e0ad4f",
	"created_at": "2026-04-06T00:11:55.113109Z",
	"updated_at": "2026-04-10T03:36:47.907209Z",
	"deleted_at": null,
	"sha1_hash": "c7c6809966de5593697ad8afe3a37e95f7a4970e",
	"title": "Threat Hunting: Detecting Browser Credential Stealing [T1555.003]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3803119,
	"plain_text": "Threat Hunting: Detecting Browser Credential Stealing\r\n[T1555.003]\r\nArchived: 2026-04-02 11:36:50 UTC\r\nPassword managers have seen rapid adoption by organisations as they provide a safe place to store and access your passwords. Native password managers such as the Chrome and Edge password managers offer users a convenient way of creating secure passwords for different sites without the hassle of remembering each password. As the reuse of similar passwords across websites goes down, threat actors have adapted and now target the password managers built into your web browser.\r\nStealers such as Redline are in the news as they provide a low barrier to entry for new cybercriminals, who then use these credentials to provide initial access to other, more sophisticated groups.\r\nhttps://fourcore.io/blogs/threat-hunting-browser-credential-stealing\r\nPage 1 of 20\r\nRedline Stealer Operation: Illustration by Jiho Kim | S2W Talon\r\nBrowser Credential Dumping - MITRE ATT\u0026CK T1555\r\nBrowser credential dumping is a technique adversaries use to steal credentials from your browsers. People save login credentials in browsers to make the login process faster. Malware such as Redline Stealer, Zaraza bot, and other info stealers have been actively targeting users and organizations to gain access to browser credentials. These credentials are made available to threat actors who use them to breach various organizations.\r\nThis post will show how to detect browser credential extraction, weed out false positives, and improve our resilience against this threat.\r\nTools of the Trade\r\nThere are various tools, open source and closed, which adversaries use for stealing credentials from browsers. Tools such as LaZagne and HackBrowserData are open source and offer customisability to advanced attackers, whereas tools such as Nirsoft's WebBrowserPassView are closed source and cannot be modified easily. Direct integration into C2 frameworks such as Metasploit's post/multi/gather/firefox_creds and post/windows/gather/enum_chrome modules gives adversaries quick access to browser passwords.\r\nExtraction of browser passwords using LaZagne\r\nMethodology\r\nTo identify how tools such as LaZagne and HackBrowserData extract browser credentials from a host machine, we can download their source code for examination and find key detection opportunities.\r\nLaZagne help menu\r\nExamining the code for LaZagne and HackBrowserData, it is clear that both tools extract data from predefined file locations in the operating system. Both tools read the following known file paths.\r\nLaZagne source code\r\nHackBrowserData source code\r\nWe can also execute both tools and observe them in Procmon to further corroborate our findings. Procmon will show us process creation, registry/file access and other events to help us narrow down the key behaviours shared by browser credential extraction tools.\r\nLaZagne process view in Procmon\r\nWe can also visualise the Procmon logs using Vision-ProcMon, which provides a graphical view of operations such as file access and modification of registry keys. Using the Step option in Vision-ProcMon, we can trace the events and identify the multiple paths used to dump browser credentials.\r\nHackBrowserData Procmon log graph view in Vision-ProcMon\r\nAnalysing the Procmon logs of various open and closed source tools, we can confirm that all of them access fixed paths where the browsers store their data (such as cookies, credentials and history) and then process these files to extract credentials.\r\nDetecting Unauthorized Access to Browser Files\r\nTo set up correct monitoring and detection of browser credential extraction, we need to enable auditing features in Windows to receive logs. We need process creation logs to monitor for known malicious command lines, and file access logs to monitor unauthorised access to browser files.\r\nEnabling Process Creation Event Logs\r\nEnabling Process Creation auditing will generate Event ID 4688 with details such as Process Path, Parent, Command Line, etc., which we can use to monitor for malicious command lines. We will use Group Policy Editor to set up Process Creation auditing.\r\nConfiguring Process Auditing:\r\n1. Computer Configuration \u003e Windows Settings \u003e Security Settings \u003e Advanced Audit Policy Configuration \u003e Detailed Tracking\r\n2. Select: Audit Process Creation, Select: Success + Failure, Select: OK\r\nLocal Group Policy Editor\r\nConfiguring Command Line in Process Auditing:\r\n1. Computer Configuration \u003e Policies \u003e Administrative Templates \u003e System \u003e Audit Process Creation\r\n2. Select: Include command line in process creation events, select Enabled, and press OK\r\nLocal Group Policy Editor\r\nEnabling File Access Audit Logs\r\nEnabling File System auditing is a two-step process: first enable auditing in Group Policy, then configure the individual files/folders you want to monitor. Configuring File Access auditing will generate Event ID 4663 with details such as the Object Path and which process is accessing the file. We will use Group Policy Editor to set up File System auditing.\r\nComputer Configuration -\u003e Policies -\u003e Windows Settings -\u003e Security Settings -\u003e Advanced Audit Policy Configuration -\u003e Audit Policies -\u003e Object Access -\u003e Audit File System\r\nLocal Group Policy Editor\r\n1. Navigate to your Local AppData folder at %LOCALAPPDATA% and configure auditing for each browser folder.\r\nBrowser important files / folder directory\r\n1. Right-click the target file/folder and select \"Properties\"\r\n2. Select the \"Security\" tab and click \"Advanced\"\r\n3. Select the \"Auditing\" tab and click \"Continue\"\r\n4. Click \"Add\" to insert a new auditing entry\r\n5. Click \"Select a principal\" and insert \"Everyone\"\r\n6. Click \"Clear all\" in the permissions and click \"Show advanced permissions\"\r\n7. Tick \"List folder / read data\"\r\n8. Save all the changes\r\nEnable Auditing for List folder / read data\r\nEnsuring Visibility\r\nAfter enabling Windows event logs, if you execute LaZagne again, you can see the event logs that indicate the execution of LaZagne with the \"browsers\" parameter.\r\nLaZagne Process Creation Event view in Event Viewer\r\nWe can also see the File Access event logs in Event Viewer → Windows Logs → Security by following Windows 4663 events (An attempt was made to access an object).\r\nFile Access Event in Event Viewer\r\nThese events can also be forwarded to your SIEM dashboard so you can build appropriate alerts for these behaviours.\r\nSplunk Dashboard filter for File Access Events\r\nDetection Rules for the Win\r\nBy analysing event logs, we can create a Sigma rule that detects any unauthorized attempt to execute LaZagne for dumping browser credentials. We can use these rules to detect malicious or unauthorized access to browser credentials.\r\nCommand Line Detection\r\nCommand line detections are based on default and known command line patterns used by threat actors during the execution of the binary. For any unmodified tool, we can detect its presence either via its hash or by the known command line for this tool. The Sigma rule will detect the presence of the keyword \"browser\" in the command line along with other keywords commonly used by LaZagne to extract browser credentials.\r\ntitle: Access Browser Credential\r\ndescription: Adversaries may search for common password storage locations to obtain user credentials.\r\nid: 198c1a5c-72cc-11ee-b962-0242ac120002\r\nstatus: test\r\nauthor: Parth-FourCore\r\ndate: 2023/10/21\r\ntags:\r\n  - attack.t1003\r\n  - attack.credential_access\r\nlogsource:\r\n  product: windows\r\ndetection:\r\n  keywords:\r\n    - 'browsers'\r\n    - 'Databases'\r\n    - 'Mails'\r\n    - 'Sysadmin'\r\n  filter:\r\n    EventID: 15 # Sysmon's FileStream Events\r\n  condition: keywords and not filter\r\nfalsepositives:\r\n  - AV Signature updates\r\n  - Files with Browsers in their filename\r\nlevel: high\r\nIn order to test the created Sigma rule, we can use Aurora. Aurora is a lightweight and customisable EDR based on Sigma rules that can be quickly set up to test your rules.\r\nAurora Dashboard\r\nWe can convert the same Sigma rule into SIEM, EDR, XDR and data lake query formats to search related event logs and set alerts.\r\nLet us use this search query in the Splunk dashboard.\r\nSplunk Dashboard\r\nConcerns with Command Line Detections\r\nCommand line detections are very useful for closed source tools or for detecting script kiddies who use tools directly without understanding the methodology.\r\nOn the other hand, these rules are brittle for open-source toolkits, as these tools can be easily modified and their command line parameters spoofed or changed. Since the rule specifically targets binaries with certain keywords, it won't detect modified versions of the default tools.\r\nAlso, command line rules can produce many false positives, because the same parameters or keywords can be present in other, non-malicious binaries.\r\nFalse positive in Detection Rule\r\nThis alert is triggered by the chrome.exe binary, which is a legitimate browser. However, the keyword \"Browsers\" in the event triggers the alert.\r\nFalse Positive Event for Browser Credentials\r\nDetect Behaviours, not Tools\r\nWe can create a different Sigma rule which, rather than focusing on command line parameters, focuses on file access events by unknown processes to alert on malicious behaviour. It is essential to have all the browser paths listed in the Sigma rule so that we can monitor access events for every browser available on the host machine.\r\n- '\\cookies.sqlite'\r\n- 'release\\key3.db' # Firefox\r\n- 'release\\key4.db' # Firefox\r\n- 'release\\logins.json' # Firefox\r\n- '\\Appdata\\Local\\Chrome\\User Data\\Default\\Login Data' # Chrome\r\n- '\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies' # Google Chrome\r\n- '\\AppData\\Local\\Google\\Chrome\\User Data\\Local State'\r\n- '\\Appdata\\Local\\7Star\\7Star\\User Data' # 7Star\r\n- '\\Appdata\\Local\\Amigo\\User Data' # amigo\r\n- '\\Appdata\\Local\\BraveSoftware\\Brave-Browser\\User Data' # brave\r\n- '\\Appdata\\Local\\CentBrowser\\User Data' # centbrowser\r\n- '\\Appdata\\Local\\Chedot\\User Data' # chedot\r\n- '\\Appdata\\Local\\Google\\Chrome SxS\\User Data' # chrome canary\r\n- '\\Appdata\\Local\\Chromium\\User Data' # chromium\r\n- '\\Appdata\\Local\\Microsoft\\Edge\\User Data' # chromium edge\r\n- '\\Appdata\\Local\\CocCoc\\Browser\\User Data' # coccoc\r\n- '\\Appdata\\Local\\Comodo\\Dragon\\User Data' # Comodo IceDragon is Firefox-based\r\n- '\\Appdata\\Local\\Elements Browser\\User Data' # elements browser\r\n- '\\Appdata\\Local\\Epic Privacy Browser\\User Data' # epic privacy browser\r\n- '\\Appdata\\Local\\Kometa\\User Data' # kometa\r\n- '\\Appdata\\Opera Software\\Opera Stable' # opera\r\n- '\\Appdata\\Local\\Orbitum\\User Data' # orbitum\r\n- '\\Appdata\\Local\\Sputnik\\Sputnik\\User Data' # sputnik\r\n- '\\Appdata\\Local\\Torch\\User Data' # torch\r\n- '\\Appdata\\Local\\uCozMedia\\Uran\\User Data' # uran\r\n- '\\Appdata\\Local\\Vivaldi\\User Data' # vivaldi\r\n- '\\Appdata\\Local\\Yandex\\YandexBrowser\\User Data' # yandexBrowser\r\n- '\\Appdata\\Local\\Mozilla\\Firefox' # firefox\r\n- '\\Appdata\\Local\\NETGATE Technologies\\BlackHawk' # blackHawk\r\n- '\\Appdata\\Local\\8pecxstudios\\Cyberfox' # cyberfox\r\n- '\\Appdata\\Local\\Comodo\\IceDragon' # comodo IceDragon\r\n- '\\Appdata\\Local\\K-Meleon' # k-Meleon\r\n- '\\Appdata\\Local\\Mozilla\\icecat' # icecat\r\n- '\\Appdata\\Local\\UCBrowser' # UCbrowser\r\nWeeding out False Positives\r\nSince these files and paths are accessed not only by unauthorized tools and processes but also by antivirus software, legitimate binaries, 3rd party backup software and other authorized tools in your environment, it is crucial to add appropriate filters to the Sigma rule to prevent false positives. The following list is what we observed as false positives in our test environment. Auditing the rules in your production environment is crucial to eliminate false positives.\r\nWindows Defender: C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe\r\nWindows Installer: C:\\Windows\\System32\\msiexec.exe\r\nBrowser files: chrome.exe, edge.exe\r\nHere, adding all file and folder paths with a filter parameter will help avoid false positives.\r\ntitle: Access Browser Credential Files\r\ndescription: Adversaries may search for common password storage locations to obtain user credentials.\r\nid: 198c1a5c-72cc-11ee-b962-0242ac120002\r\nstatus: experimental\r\nauthor: Parth-FourCore\r\ndate: 2023/10/24\r\ntags:\r\n  - attack.t1003\r\n  - attack.credential_access\r\nlogsource:\r\n  category: file_access\r\n  product: windows\r\ndetection:\r\n  selection_all:\r\n    ObjectName|contains:\r\n      - '\\cookies.sqlite'\r\n      - 'release\\key3.db' # Firefox\r\n      - 'release\\key4.db' # Firefox\r\n      - 'release\\logins.json' # Firefox\r\n      - '\\Appdata\\Local\\Chrome\\User Data\\Default\\Login Data' # Chrome\r\n      - '\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies' # Google Chrome\r\n      - '\\AppData\\Local\\Google\\Chrome\\User Data\\Local State'\r\n      - '\\Appdata\\Local\\7Star\\7Star\\User Data' # 7Star\r\n      - '\\Appdata\\Local\\Amigo\\User Data' # amigo\r\n      - '\\Appdata\\Local\\BraveSoftware\\Brave-Browser\\User Data' # brave\r\n      - '\\Appdata\\Local\\CentBrowser\\User Data' # centbrowser\r\n      - '\\Appdata\\Local\\Chedot\\User Data' # chedot\r\n      - '\\Appdata\\Local\\Google\\Chrome SxS\\User Data' # chrome canary\r\n      - '\\Appdata\\Local\\Chromium\\User Data' # chromium\r\n      - '\\Appdata\\Local\\Microsoft\\Edge\\User Data' # chromium edge\r\n      - '\\Appdata\\Local\\CocCoc\\Browser\\User Data' # coccoc\r\n      - '\\Appdata\\Local\\Comodo\\Dragon\\User Data' # Comodo IceDragon is Firefox-based\r\n      - '\\Appdata\\Local\\Elements Browser\\User Data' # elements browser\r\n      - '\\Appdata\\Local\\Epic Privacy Browser\\User Data' # epic privacy browser\r\n      - '\\Appdata\\Local\\Kometa\\User Data' # kometa\r\n      - '\\Appdata\\Opera Software\\Opera Stable' # opera\r\n      - '\\Appdata\\Local\\Orbitum\\User Data' # orbitum\r\n      - '\\Appdata\\Local\\Sputnik\\Sputnik\\User Data' # sputnik\r\n      - '\\Appdata\\Local\\Torch\\User Data' # torch\r\n      - '\\Appdata\\Local\\uCozMedia\\Uran\\User Data' # uran\r\n      - '\\Appdata\\Local\\Vivaldi\\User Data' # vivaldi\r\n      - '\\Appdata\\Local\\Yandex\\YandexBrowser\\User Data' # yandexBrowser\r\n      - '\\Appdata\\Local\\Mozilla\\Firefox' # firefox\r\n      - '\\Appdata\\Local\\NETGATE Technologies\\BlackHawk' # blackHawk\r\n      - '\\Appdata\\Local\\8pecxstudios\\Cyberfox' # cyberfox\r\n      - '\\Appdata\\Local\\Comodo\\IceDragon' # comodo IceDragon\r\n      - '\\Appdata\\Local\\K-Meleon' # k-Meleon\r\n      - '\\Appdata\\Local\\Mozilla\\icecat' # icecat\r\n      - '\\Appdata\\Local\\UCBrowser' # UCbrowser\r\n  filter_main_system:\r\n    Image: System\r\n    ParentImage: Idle\r\n  filter_main_generic:\r\n    Image|startswith:\r\n      - 'C:\\Program Files\\'\r\n      - 'C:\\Program Files (x86)\\'\r\n      - 'C:\\WINDOWS\\system32\\'\r\n      - 'C:\\WINDOWS\\SysWOW64\\'\r\n  filter_optional_defender:\r\n    Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\r\n    Image|endswith:\r\n      - '\\MpCopyAccelerator.exe'\r\n      - '\\MsMpEng.exe'\r\n  filter_optional_msiexec:\r\n    ParentImage: 'C:\\Windows\\System32\\msiexec.exe'\r\n  condition: selection_all and not 1 of filter_main_* and not 1 of filter_optional_*\r\nfalsepositives:\r\n  - Antivirus, Anti-Spyware, Anti-Malware Software\r\n  - Backup software\r\n  - Legitimate software\r\nlevel: high\r\nLet's execute the LaZagne and HackBrowserData tools with the Aurora agent to verify the new Sigma rule.\r\nAurora Dashboard\r\nWe will also receive an alert when HackBrowserData attempts to access browser credential files.\r\nAurora Dashboard\r\nThese rules are now ready for use in our environment, albeit with a caveat: this rule will not be triggered in the case of a process injection attack; we will discuss that in a future blog. Identifying false positives and updating your rules accordingly is a continuous process.\r\nSetting up alerts\r\nLet's convert the Sigma rule to a Splunk query and use it to search in the Splunk dashboard.\r\nSplunk Dashboard\r\nWe can see that Splunk shows logs for LaZagne trying to extract stored login information from Google Chrome's saved password file.\r\nWe can alert on this behaviour and prevent future threats by converting the query to an alert, simply by clicking \"Save As\" and selecting \"Alert\".\r\nAdding New Alert in Splunk\r\nIn the \"Save As\" alert menu, please ensure that you fill in all the necessary details for the alert.\r\nAlert Menu\r\nClick on the Save button to save the alert. Now, let's try triggering the alert with different tools to ensure that the alert we created from the Sigma rule works with any browser credential extraction tool. Once configured, we can see that the alert is also triggered by different hacking tools.\r\nTriggered Alert\r\nWhen you click on \"View Result\", you will be able to locate the event that triggered this alert.\r\nEvent which Triggered Alert\r\nBy specifying file names and file paths in our Sigma rule, we can detect any unauthorised access to valuable files such as the usernames and passwords stored in the browser. Additionally, we can identify any unauthorised execution of hacking tools that try to obtain browser credentials.\r\nBrowser Credential Access with FourCore ATTACK\r\nThe FourCore ATTACK platform can emulate the different types of browser-based credential access techniques, such as via LaZagne, via PowerShell or by accessing the files directly. These variants can be hunted using the Sigma rules shared in this post.\r\nLearn about writing your own Sigma rule via this deep dive into working with Sigma.\r\nYou can also read more about using Windows Event Log IDs for threat hunting here.\r\nSource: https://fourcore.io/blogs/threat-hunting-browser-credential-stealing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://fourcore.io/blogs/threat-hunting-browser-credential-stealing"
	],
	"report_names": [
		"threat-hunting-browser-credential-stealing"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434315,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7c6809966de5593697ad8afe3a37e95f7a4970e.pdf",
		"text": "https://archive.orkl.eu/c7c6809966de5593697ad8afe3a37e95f7a4970e.txt",
		"img": "https://archive.orkl.eu/c7c6809966de5593697ad8afe3a37e95f7a4970e.jpg"
	}
}