{
	"id": "f8d3322e-8e72-4e27-9a2e-ae4c86e42949",
	"created_at": "2026-04-06T00:19:59.542069Z",
	"updated_at": "2026-04-10T03:36:48.295205Z",
	"deleted_at": null,
	"sha1_hash": "c80afbc13ac78cbb4a8a3203a61cb6657c769b49",
	"title": "BRIEF: Raccoon Stealer Version 2.0",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1984670,
	"plain_text": "BRIEF: Raccoon Stealer Version 2.0\r\nArchived: 2026-04-05 17:59:54 UTC\r\nZeroFox Intelligence has observed the following information as of June 28, 2022, and has released the following.\r\nExecutive Summary\r\nOn June 4, 2022, ZeroFox Intelligence discovered a then-unknown information stealer being distributed by\r\nProCrackerz, a website distributing fake software cracks and key generators (keygens). The earliest known\r\ninstance of this information stealer observed by ZeroFox Intelligence was a sample uploaded to VirusTotal on\r\nApril 19, 2022. Twitter user @James_inthe_box suggested the name “Recordbreaker” for it based on the use of\r\n“record” as the User-Agent string in each sample. In May 2022, logs for sale with “Raccoon Stealer V2.0”\r\nbranding were discovered that matched what ZeroFox Intelligence was observing with Recordbreaker. Due to this\r\nand multiple other private confirmations, ZeroFox Intelligence asserts with MEDIUM confidence that Raccoon\r\nStealer has returned and that Recordbreaker is actually Raccoon Stealer version 2.0.\r\nDetails\r\nRaccoon Stealer version 2.0 is capable of targeting Chromium and Mozilla-based browsers by looking for well-known file names in specific directories. For Chromium-based browsers, threat actors using Raccoon Stealer 2.0\r\nhave the ability to specify a list of Chrome extension IDs and associated files as well. In ZeroFox Intelligence’s\r\nobservations, these consisted entirely of cryptocurrency extensions. Raccoon Stealer 2.0 attempts to collect\r\ncredentials, cookies, autofill data, credit cards, and data associated with specified Chrome extensions. For Mozilla\r\nbrowsers such as Firefox, only credentials, cookies, and autofill data were targeted. Other applications like\r\nTelegram and specific cryptocurrency applications can be targeted as well. To ensure that all cryptocurrency\r\nwallets are collected, a separate function exists solely to collect “wallet.dat” files. 
For any applications or files\r\nwithout specific support, a generic “grbr_” function exists to allow actors to specify files by path and a name or\r\npattern.\r\nTechnical Analysis\r\nZeroFox Intelligence first discovered Raccoon Stealer version 2.0 disguised as a crack for Microsoft Office on the\r\nProCrackerz website. Clicking on any of the download links redirected the viewer through various advertisements\r\nand click trackers until they were eventually shown a set of directions and a Discord CDN link hosting the fake\r\ncrack. The download links on ProCrackerz change regularly as the Discord links are removed.\r\nhttps://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/\r\nPage 1 of 16\n\nFigure 1. ProCrackerz listing for a Microsoft Office crack\r\nSource: ZeroFox Intelligence\r\nFigure 2. Instructions on downloading a compressed Raccoon Stealer version 2.0 sample\r\nSource: ZeroFox Intelligence\r\nThe compressed files are small in size but inflate to hundreds of megabytes when decompressed. This is due to the\r\nsamples being padded with large amounts of repeating bytes.\r\nSamples ZeroFox Intelligence observed distributed in this way were obfuscated or packed; the unique string\r\n“edinayarossiya” was visible and used to pivot to other samples uploaded to VirusTotal. This allowed ZeroFox\r\nIntelligence to download much smaller (~56KB) unprotected samples and greatly sped up our analysis. Translated,\r\nEdinaya Rossiya means “United Russia,” which is currently the largest political party in Russia. 
Later analysis of\r\nthe string decryption routine determined this is an encryption key for the protected strings used by the stealer.\r\nRaccoon Stealer version 2.0 begins by resolving all of the Windows API calls it needs (and some it does not) at runtime.\r\nResolving API calls at runtime is a common tactic used by malware to keep them out of the import table, where they could be\r\nused as a signature.\r\nFigure 3. Raccoon Stealer version 2.0 resolves Windows API calls at runtime\r\nSource: ZeroFox Intelligence\r\nAfterwards, all protected strings are base64 decoded and then RC4 decrypted, as shown in Figure 4.\r\nFigure 4. Strings are protected by RC4 encryption and base64 encoding\r\nSource: ZeroFox Intelligence\r\nThe RC4 key “edinayarossiya” was consistent across most samples, though some used “credit19” instead.\r\nZeroFox Intelligence is currently unsure if this is specified by each actor deploying the stealer or if this is decided\r\nby the authors for each build.\r\nUnlike the RC4 key used to decrypt strings, the RC4 key used to decrypt command and control (C2) servers is a\r\nfixed length and changes with every sample. Aside from this, C2 servers are protected in much the same way the\r\nother strings are. Up to five C2s can be configured per sample, with each C2 slot hardcoded to be 65 bytes long.\r\nAddresses that are shorter than 65 bytes after being encrypted and base64 encoded are padded with spaces.\r\nFigure 5. C2s are RC4 encrypted, base64 encoded, and padded with spaces\r\nSource: ZeroFox Intelligence\r\nThe locale on the victim’s machine is checked against two locales that can be hard-coded in the binary. ZeroFox\r\ndid observe a check for a “ru” locale, but the language check does not affect execution in any way. A second\r\nlocale was not configured in the samples we observed.\r\nFigure 6. 
Checking the victim’s locale\r\nSource: ZeroFox Intelligence\r\nRaccoon Stealer 2.0 also ensures that only one instance is running at a time by checking for and creating a mutex.\r\nZeroFox Intelligence observed this to be “8724643052” with every sample obtained. If it cannot open a handle to\r\nthe mutex, Raccoon Stealer 2.0 will exit with Error Code 2.\r\nFigure 7. Raccoon Stealer 2.0 ensures that only one instance is running at a time\r\nSource: ZeroFox Intelligence\r\nThe security identifier (SID) of the account the process runs under is compared against “S-1-5-18” to determine if the process happens\r\nto be running as the SYSTEM (LocalSystem) account. If so, Raccoon Stealer 2.0 will enumerate the list of\r\nrunning processes on the infected machine.\r\nFigure 8. Enumerate running processes if running as SYSTEM\r\nSource: ZeroFox Intelligence\r\nThe first real action Raccoon Stealer 2.0 takes is to get the machine GUID and username, which are then sent in\r\nan HTTP POST request to the C2. As seen in Figure 9 below, the GUID and username are sent together in the\r\nURL parameter “machineId” separated by a pipe character. The “configId” parameter shown is the RC4 key used\r\nto decrypt C2 addresses.\r\nFigure 9. Sending a unique identifier to a Raccoon Stealer C2 server\r\nSource: ZeroFox Intelligence\r\nIf the C2 is still available, the server will respond with a simple, newline-separated configuration. If no C2 is\r\navailable, Raccoon Stealer 2.0 simply exits.\r\nFigure 10. A Raccoon Stealer 2.0 C2 responds with a configuration\r\nSource: ZeroFox Intelligence\r\nThere are currently nine options that can be processed from the settings shown in Figure 10. 
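A small triage parser for the newline-separated configuration the C2 returns, keyed on the nine option prefixes the report lists, as an added Python example that is not part of the ZeroFox report and not the stealer’s own code. The report documents the prefixes but not the field layout inside each line, so the sample response below is constructed (documentation-range host, invented token, ‘|’ field separators) and that layout is an assumption; only the DLL download path shape is taken from the IOC list.

```python
import re
from collections import defaultdict

# Option prefixes from the ZeroFox table. Anything after the prefix is treated
# here as the option payload; the exact field layout inside a line is not
# documented on the page, so this parser only splits on the known prefixes.
OPTION_PREFIXES = {
    'ews_': 'targeted browser extensions',
    'grbr_': 'targeted files to steal',
    'ldr_': 'command, DLL or EXE to run (loader)',
    'libs_': 'DLLs to download',
    'scrnsht_': 'screenshot file name',
    'sstmnfo_': 'system information file name and template text',
    'tlgrm_': 'Telegram files and folders',
    'token': 'URL path to POST stolen data',
    'wlts_': 'cryptocurrency wallets',
}

# Constructed sample response (not a real capture). The host is a documentation
# IP, the token is invented, and the pipe-separated field layout is an assumption;
# the libs_ URL path reuses the directory shape from the report IOC list.
SAMPLE_CONFIG = '''libs_nss3:http://192.0.2.10/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
libs_sqlite3:http://192.0.2.10/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
ews_metamask:nkbihfbeogaeaoehlefnkodbefgpgknn
wlts_exodus:Exodus|exodus.wallet|*
grbr_docs:%USERPROFILE%/Documents|*.txt,*.pdf|2048
tlgrm_:%APPDATA%/Telegram Desktop/tdata|*
scrnsht_:screenshot.jpeg
sstmnfo_:System Info.txt|Machine info
token:b2c4d6e8f0a1b3c5d7e9f1a2b4c6d8e0
ldr_1:http://192.0.2.10/pm.exe|%TEMP%|exe
'''

URL_RE = re.compile(r'https?://[^ |;,]+')

def parse_config(text):
    '''Group a newline-separated C2 response by option prefix.

    Returns (options, unknown): options maps a prefix to the list of payloads
    carrying it, unknown holds lines with no recognised prefix. Prefixes are
    tried longest-first so that similar keys cannot shadow each other.
    '''
    options = defaultdict(list)
    unknown = []
    ordered = sorted(OPTION_PREFIXES, key=len, reverse=True)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for prefix in ordered:
            if line.startswith(prefix):
                options[prefix].append(line[len(prefix):].lstrip(':= '))
                break
        else:
            unknown.append(line)
    return dict(options), unknown

def triage(text):
    '''Pull out what an analyst wants first: the DLLs the sample will fetch,
    any loader entries (secondary payloads), and the exfiltration token path.'''
    options, unknown = parse_config(text)
    dll_urls = [u for line in options.get('libs_', []) for u in URL_RE.findall(line)]
    return {
        'dll_urls': dll_urls,
        'dll_names': sorted({u.rsplit('/', 1)[-1].lower() for u in dll_urls}),
        'loader_entries': options.get('ldr_', []),
        'token': options.get('token', [None])[0],
        'extension_count': len(options.get('ews_', [])),
        'unknown_lines': unknown,
    }

if __name__ == '__main__':
    for key, value in triage(SAMPLE_CONFIG).items():
        print(key, value)
```

Unknown lines are kept rather than dropped so that a new option prefix in a later build shows up in the output instead of being silently ignored.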
A sample\r\nconfiguration returned by one of the C2 servers can be found here.\r\nOption Description\r\news_ Targeted Chrome browser extensions\r\ngrbr_ Targeted files to steal\r\nldr_ A command, DLL, or executable to run\r\nlibs_ DLLs to download\r\nscrnsht_ Screenshot file name\r\nsstmnfo_ Send system information to the C2 with this file name and add this template text\r\ntlgrm_ Telegram-specific files and folders to target\r\ntoken URL path to POST stolen data\r\nwlts_ Cryptocurrency wallets and associated files and folders to target\r\nDLL files downloaded using the “libs_” option are saved to the AppData\\LocalLow directory. Raccoon Stealer 2.0\r\nattempts to add this directory to the PATH environment variable but does not verify whether it succeeded. In our\r\nobservations, this actually failed, and the sample continued to run without issue.\r\nThe following system information is collected during a run:\r\nUser locale\r\nSystem time zone\r\nOperating system\r\nSystem architecture (32-bit or 64-bit)\r\nCPU core count\r\nInstalled RAM\r\nScreen resolution\r\nAll display devices (GPUs)\r\nInstalled software and versions\r\nOnce each of these functions has run, another POST request is made to /\u003ctoken\u003e.\r\nFigure 11. System information being sent to the C2 server\r\nSource: ZeroFox Intelligence\r\nRather than look for specific browsers, Raccoon Stealer version 2.0 targets any Chromium or Mozilla-based\r\nbrowser by the name of the directory in which each respective browser stores its data. For Chromium, this is\r\n“User Data” while Mozilla/Gecko uses “Profiles.”\r\nFigure 12. 
Raccoon Stealer 2.0 targets browsers based on Chromium and Mozilla’s Gecko\r\nSource: ZeroFox Intelligence\r\nIn order for Raccoon Stealer 2.0 to be able to read the data threat actors are interested in, it must load the DLLs\r\ndownloaded via the “libs_” option earlier.\r\nFigure 13. Raccoon Stealer resolving external imports to read browser data later\r\nSource: ZeroFox Intelligence\r\nData targeted from Chromium-based browsers includes:\r\nCredentials\r\nCookies\r\nAutofill data\r\nCredit cards\r\nExtensions listed in the configuration retrieved from the C2\r\nData targeted from Mozilla/Gecko-based browsers includes:\r\nCredentials\r\nCookies\r\nAutofill data\r\nAlthough the “ews_” option is not necessarily limited to cryptocurrency-related browser extensions, ZeroFox\r\nIntelligence has only observed this to be the use case. Figure 14 below shows two more functions dedicated to\r\nstealing cryptocurrency wallets. The first, “wlts_”, exfiltrates files based on the configuration option of the same\r\nname. Other cryptocurrency wallets may still be stolen by the next function, which looks for “wallet.dat” files.\r\nFigure 14. The last several functions of Raccoon Stealer version 2.0\r\nSource: ZeroFox Intelligence\r\nThe “grbr_” function uses directory paths, file names or patterns, and other options such as file size specified in\r\nthe configuration to decide which files it should exfiltrate.\r\nThe “tlgrm_” function is similar to “grbr_” but has fewer options. It is meant to target Telegram data, though the\r\nsame functionality could have been achieved with the generic file grabber.\r\nTaking a screenshot is separated into two functions. 
The first, “scrnsht_”, checks whether the configuration wants it\r\nto take one, and the second function actually takes and sends the screenshot.\r\nFinally, the “ldr_” function allows Raccoon Stealer version 2.0 to act as a loader for secondary\r\npayloads or to execute commands. Each “ldr_” option contains multiple parts. It can contain a command to execute\r\nor the URL of a file to download, and if a URL is given, a directory is specified to which the file should be\r\ndownloaded. The last part specifies which action should be taken (e.g., execute a command, run EXE or DLL).\r\nFigure 15. The “ldr_” function can download and execute secondary payloads\r\nSource: ZeroFox Intelligence\r\nRecommendations\r\nZeroFox Intelligence highly discourages seeking out pirated software of any kind. As in this case, such downloads\r\nare often completely fake and will not install the software the victim wanted. In some cases, the download may\r\ncontain the actual software, as well as a hidden malicious component to infect the victim.\r\nZeroFox Intelligence also highly recommends that organizations take reports of pirated software on corporate\r\nmachines seriously. With each download, the risk of infection increases. 
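The string and C2 protection scheme from the Technical Analysis (base64 over RC4, the ‘edinayarossiya’ or ‘credit19’ key for ordinary strings, a per-sample fixed-length key for up to five 65-byte space-padded C2 slots), as an added Python example that is not ZeroFox’s code and not code from the stealer. The configId key and the documentation-range addresses used to build the fixtures are constructed, and treating an all-space or all-zero slot as unused is an assumption the report does not state.

```python
import base64

def rc4(key, data):
    '''Plain RC4 (KSA followed by PRGA); the same routine encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

STRING_KEY = b'edinayarossiya'   # key seen in most samples; some used b'credit19'
C2_SLOT_LEN = 65                  # each C2 slot is a fixed 65-byte field
C2_SLOTS = 5                      # up to five C2s per sample

def decrypt_string(blob, key=STRING_KEY):
    '''Reverse the protection order from the report: base64 decode, then RC4.'''
    return rc4(key, base64.b64decode(blob)).decode('utf-8', errors='replace')

def decrypt_c2_slots(region, config_id):
    '''Walk a block of 65-byte slots, strip the space padding and decrypt each
    populated slot with the per-sample key (the value the report says is also
    sent as configId in the first POST). Empty slots are skipped (assumption).'''
    c2s = []
    for off in range(0, len(region), C2_SLOT_LEN):
        slot = region[off:off + C2_SLOT_LEN].rstrip(b' ')
        if not slot or set(slot) == {0}:
            continue
        c2s.append(decrypt_string(slot, config_id))
    return c2s

def try_keys(blob, candidates=(b'edinayarossiya', b'credit19')):
    '''Decrypt with each candidate key and keep results that are printable
    ASCII; a quick check when a sample does not use the key you expect.'''
    hits = {}
    for key in candidates:
        text = rc4(key, base64.b64decode(blob))
        if text and all(32 <= b < 127 for b in text):
            hits[key.decode()] = text.decode()
    return hits

def protect(plaintext, key):
    '''Inverse of decrypt_string; used here only to build constructed fixtures.'''
    return base64.b64encode(rc4(key, plaintext.encode()))

def build_c2_region(addresses, config_id):
    '''Lay out addresses the way the report describes them in the binary:
    RC4, base64, each slot space-padded to 65 bytes, five slots in total.'''
    region = b''
    for addr in addresses:
        enc = protect(addr, config_id)
        if len(enc) > C2_SLOT_LEN:
            raise ValueError('encoded address does not fit a 65-byte slot')
        region += enc.ljust(C2_SLOT_LEN, b' ')
    region += b' ' * (C2_SLOT_LEN * (C2_SLOTS - len(addresses)))
    return region

if __name__ == '__main__':
    demo_key = b'Qm3xT7pL9wZa2Kd8'   # constructed per-sample configId
    region = build_c2_region(['http://192.0.2.10/', 'http://198.51.100.7/'], demo_key)
    print(decrypt_c2_slots(region, demo_key))
    print(try_keys(protect('wallet.dat', b'credit19')))
```

When carving the slots from a real sample, the 65-byte stride is the thing to get right: the base64 text never contains spaces, so rstrip is a safe way to recover each slot’s true length before decoding.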
\r\nYARA\r\nZeroFox Intelligence has created a public YARA rule that can be found on GitHub.\r\nMITRE ATT\u0026CK\r\nTactic | Technique | Comments\r\nReconnaissance | T1592.001 Gather Victim Host Information: Hardware | The sstmnfo_ function collects information about the infected system’s CPU, installed RAM, and display devices.\r\nReconnaissance | T1592.002 Gather Victim Host Information: Software | The sstmnfo_ function collects installed applications and their version numbers.\r\nReconnaissance | T1589.001 Gather Victim Identity Information: Credentials | Raccoon Stealer 2.0 retrieves stored credentials from targeted web browsers.\r\nExecution | T1059 Command and Scripting Interpreter | The ldr_ function can be used to run commands.\r\nExecution | T1559.001 Inter-Process Communication: Component Object Model | Raccoon Stealer 2.0 makes use of COM objects in the grbr_ function.\r\nExecution | T1204 User Execution | Samples discovered so far relied on victims seeking out pirated software.\r\nDefense Evasion | T1027.002 Software Packing | Raccoon Stealer 2.0 can be found packed in the wild.\r\nDefense Evasion | T1140 Deobfuscate/Decode Files or Information | Strings and hosts to reach out to are RC4 encrypted and base64 encoded.\r\nDefense Evasion | Path Interception by PATH Environment Variable | Raccoon Stealer 2.0 attempts to add AppData\\LocalLow to the PATH variable.\r\nDefense Evasion | T1070.004 Indicator Removal on Host: File Deletion | Several files are copied into the AppData\\LocalLow directory and subsequently deleted after use.\r\nCredential Access | T1539 Steal Web Session Cookie | Raccoon Stealer 2.0 steals cookies from targeted web browsers.\r\nDiscovery | T1057 Process Discovery | If the process is running as SYSTEM, it will enumerate running processes.\r\nDiscovery | T1012 Query Registry | The registry is used to gather system info, such as the operating system and currently-installed software.\r\nDiscovery | T1082 System Information Discovery | Raccoon Stealer 2.0 gathers system information, such as the victim operating system, system architecture, user locale, installed applications, and more.\r\nDiscovery | T1614.001 System Location Discovery: System Language Discovery | User locale is checked, but no specific action is taken.\r\nDiscovery | T1124 System Time Discovery | The victim’s time zone is checked and compared to GMT/UTC.\r\nCollection | T1005 Data from Local System | Raccoon Stealer 2.0 offers configurable file-stealing capabilities for actors to choose based on their interests.\r\nCollection | T1113 Screen Capture | Raccoon Stealer 2.0 takes a screenshot near the end of its execution.\r\nCommand and Control | T1071.001 Application Layer Protocol: Web Protocols | Raccoon Stealer 2.0 uses standard HTTP requests to exfiltrate data and download files.\r\nCommand and Control | T1105 Ingress Tool Transfer | Raccoon Stealer 2.0 downloads a set of legitimate DLL files to read browser data.\r\nExfiltration | T1020 Automated Exfiltration | Data exfiltration is customizable by the actor through specified directories and file name patterns.\r\nExfiltration | T1030 Data Transfer Size Limits | Actors have the ability to only steal files within a configurable size limit.\r\nExfiltration | T1041 Exfiltration Over C2 Channel | Data is exfiltrated over HTTP and in plain text.\r\nIOCs\r\nType IOC\r\nIPv4 5.252.22.62\r\nIPv4 45.142.212.100\r\nIPv4 51.81.143.169\r\nIPv4 51.195.166.171\r\nIPv4 51.195.166.175\r\nIPv4 51.195.166.176\r\nIPv4 51.195.166.184\r\nIPv4 51.195.166.201\r\nIPv4 62.113.255.110\r\nIPv4 80.92.206.126\r\nIPv4 80.92.206.215\r\nIPv4 85.202.169.112\r\nIPv4 188.215.229.203\r\nIPv4 193.106.191.146\r\nIPv4 194.156.98.151\r\nDomain wiwirdo.ac[.]ug\r\nURL hxxp://\u003cc2 address\u003e/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll\r\nURL hxxp://\u003cc2 address\u003e/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll\r\nURL hxxp://\u003cc2 address\u003e/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll\r\nURL hxxp://\u003cc2 address\u003e/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll\r\nURL hxxp://\u003cc2 address\u003e/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll\r\nURL hxxp://\u003cc2 address\u003e/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll\r\nURL hxxp://\u003cc2 address\u003e/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll\r\nURL hxxp://\u003cc2 address\u003e/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll\r\nURL hxxp://wiwirdo.ac[.]ug/azne.exe\r\nURL hxxp://wiwirdo.ac[.]ug/pm.exe\r\nURL hxxp://wiwirdo.ac[.]ug/cc.exe\r\nURL hxxp://wiwirdo.ac[.]ug/rc.exe\r\nSHA256 048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059\r\nSHA256 0661dbb6a0ff7d84c25ae7dd840cefd470279346bd476f1cff5d766f0902a277\r\nSHA256 0b7d9b786726641c28afda4f641baa4811e0d4c8937748075e61611843e94234\r\nSHA256 0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256\r\nSHA256 263c18c86071d085c69f2096460c6b418ae414d3ea92c0c2e75ef7cb47bbe693\r\nSHA256 27e02b973771d43531c97eb5d3fb662f9247e85c4135fe4c030587a8dea72577\r\nSHA256 516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e\r\nSHA256 5e614758b6344d6aa9619a75c110b9af4ea2dc1b1103c542e5d10e8d5fc2d66a\r\nSHA256 7299026b22e61b0f9765eb63e42253f7e5d6ec4657008ea60aad220bbc7e2269\r\nSHA256 79103532395036c14b755d90f9cacfdec6b588f1b031a7cba936c1b9d2ef3b51\r\nSHA256 8655a544a26bade11fbda736c2af2a475ed12f2150efce7f0500b6fc6d317cb8\r\nSHA256 89a718dacc3cfe4f804328cbd588006a65f4dbf877bfd22a96859bf339c6f8bc\r\nSHA256 960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63\r\nSHA256 99f510990f240215e24ef4dd1d22d485bf8c79f8ef3e963c4787a8eb6bf0b9ac\r\nSHA256 9e239b12c8cc7f5f7fc0a46121aa5dbfd82306f08c4b04a6ac9f61495ecd410b\r\nSHA256 9ee50e94a731872a74f47780317850ae2b9fae9d6c53a957ed7187173feb4f42\r\nSHA256 bc15f011574289e46eaa432f676e59c50a9c9c42ce21332095a1bd68de5f30e5\r\nSHA256 e514d7ee18dbe841e411f03dd6e0f498b509599d81d15c0945325070cdc8c687\r\nSHA256 f20dcb9477e356e91e1b00abc351f749739f98ca395840ae3062d6cebc72f85b\r\nSHA256 f9c4d451f8c9d4e546e67348c4cc2e8810aa5c39d4fabe1ee891408a0bc53043\r\nSHA256 fb26544d45a1166e15e37853786f0b98ff876d1ce94c240a0f3bc2f9a8fb258f\r\nSHA256 fba1005e8c248ec460e6c13cb38759bd70d9db4882f88f651b194ab1800e656c\r\nSCOPE NOTE\r\nZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source\r\naccesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through\r\ncovert communication channels. Information relied upon to complete any report cannot always be independently\r\nverified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices\r\nand includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and\r\nsubstantiate our assessments and recommendations. 
All sources used in this particular Intelligence product were\r\nidentified prior to 12:00 PM (EDT) on June 28, 2022; per cyber hygiene best practices, caution is advised when\r\nclicking on any third-party links.\r\nSource: https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/"
	],
	"report_names": [
		"brief-raccoon-stealer-version-2-0"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c80afbc13ac78cbb4a8a3203a61cb6657c769b49.pdf",
		"text": "https://archive.orkl.eu/c80afbc13ac78cbb4a8a3203a61cb6657c769b49.txt",
		"img": "https://archive.orkl.eu/c80afbc13ac78cbb4a8a3203a61cb6657c769b49.jpg"
	}
}