{
	"id": "d8113807-85eb-4356-98e7-d475b0354231",
	"created_at": "2026-04-06T00:07:50.836415Z",
	"updated_at": "2026-04-10T13:11:21.253214Z",
	"deleted_at": null,
	"sha1_hash": "c84b130d6b7363af36f7a5552fc1ef9570ef702d",
	"title": "BIOPASS RAT New Malware Sniffs Victims via Live Streaming",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88129,
	"plain_text": "BIOPASS RAT New Malware Sniffs Victims via Live Streaming\r\nPublished: 2021-07-09 · Archived: 2026-04-05 19:46:00 UTC\r\nThe injected script will try to scan the affected host by sending HTTP requests to a list of ports. If it receives any response\r\nwith an expected string from these ports, the script will stop. This step is likely designed to avoid attacking an already\r\ninfected victim.\r\nWe found that the BIOPASS RAT has the ability to open an HTTP service running on localhost on a port chosen from a\r\nhard-coded list. This functionality allows the script to identify whether the victim has already been infected by their\r\nmalware. It conducts this identification by testing whether the port is open or not and then by checking the response.\r\nIf the script confirms that the visitor has not yet been infected, it will then replace the original page content with the\r\nattackers’ own content. The new page will show an error message with an accompanying instruction telling website visitors\r\nto download either a Flash installer or a Silverlight installer, both of which are malicious loaders. It is important to note that\r\nboth Adobe Flash and Microsoft Silverlight have already been deprecated by their respective vendors.\r\nThe legitimate known application is downloaded and executed. Authenticode-signed files are either downloaded from the\r\nofficial websites (as seen in sample c47fabc47806961f908bed37d6b1bbbfd183d564a2d01b7cae87bd95c20ff8a5) or are\r\nhosted on Alibaba Cloud OSS on the attackers’ account.\r\nVisual C++ runtime, a legitimate and signed vc_redist.x??.exe, and Python runtime are then downloaded.\r\nThese files are also hosted on Alibaba Cloud OSS on an attacker-controlled account. 
The Python runtime is usually a ZIP\r\nfile with all required executables, as well as the DLL and Python libraries necessary for running Python scripts on machines\r\nwhere Python is not installed.\r\nScheduled tasks that are activated on a new login are created. These tasks can run a BPS backdoor or a Cobalt Strike loader.\r\nWe also noticed the path string “ServiceHub”, which is a path to the extracted Python runtime. After the hex decoding of the\r\narguments, we get a Python one-liner that downloads additional Python scripts from the cloud.\r\nExamining the BIOPASS RAT modules\r\nWe observed a few scheduled tasks being created, with the number dependent on the analyzed sample. In the following\r\nsection, we provide an analysis for each important backdoor module.\r\nOne of the modules used is called “cdaemon”. At the time of our research into this threat, only the “print(1)” command can\r\nbe executed. An old sample of the module\r\n(30ccfbf24b7c8cc15f85541d5ec18feb0e19e75e1e4d2bca9941e6585dad7bc7) is likely a watchdog to check the status of\r\nanother module that is known as “c1222”.\r\nThe malicious actors can change this behavior by replacing the content of the cdaemon.txt service in the cloud so that, when\r\ncombined with the regular execution of the scheduled task, the cdaemon task can behave like a backdoor.\r\nThe second scheduled task is called “c1222.txt,” which is Python code run by the previously downloaded Python runtime.\r\nThis code runs an HTTP server that listens on predefined ports; when an HTTP client accesses one of these ports on the\r\ninfected machine, the server returns a marker value.\r\nWe also observed other markers, such as “cs_online”, “online”, and “dm_online”. The purpose of the HTTP service is to\r\nact as a marker for an infected machine to avoid repeated infection, as mentioned in the infection chain section. 
The\r\nmost important task of the c1222 script is to download, decode, and execute the Cobalt Strike shellcode. Based on the\r\nplatform, it downloads a file with an encoded shellcode (sc3.txt, x64.txt), and then decodes it (the shellcode is base85 and\r\nhex-encoded).\r\nThe third scheduled task, called “big.txt”, is responsible for implementing the BIOPASS RAT malware. This is a\r\nPython-based backdoor that is distributed in plain text or compiled with Nuitka or PyArmor and PyInstaller.\r\nWhen the malware starts, it checks whether the file with the hard-coded name “%PUBLIC%/20200318” exists. This file is a\r\nmarker to determine if the scheduled task of the backdoor has been installed.\r\nIf the file (that is, the marker) is not found, the backdoor creates a new one and writes the current timestamp onto it. The\r\nmalware will then delete the scheduled tasks added by the loader and add two new scheduled tasks that are listed in Table 1.\r\nTask Name Behavior\r\nhttps://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html\r\nPage 1 of 15\n\nServiceHub\r\nExecutes Python with a parameter that is the Python script to download and execute the Cobalt\r\nStrike loader script (“c1222” module)\r\nShellExperienceHost\r\nExecutes Python with a parameter that is the Python script to download and execute the BIOPASS\r\nRAT script (“big” module)\r\nTable 1. The scheduled tasks created by BIOPASS RAT\r\nThe BIOPASS RAT malware loads a Python script, “online.txt”, that will open an HTTP server that listens on one of the\r\nfollowing port numbers: 43990, 43992, 53990, 33990, 33890, 48990, 12880, 22880, 32880, 42880, 52880, or 62880. The\r\nHTTP server does nothing but return the string “BPSV3” to any request.\r\nA second HTTP server will also be created to listen on one of the aforementioned port numbers. The second HTTP server\r\nbehaves the same as the first but returns a string, “dm_online”, instead. 
These are the markers of infection as previously\r\nmentioned. After the servers are established and running, the backdoor creates an execution root directory in the folder\r\n“%PUBLIC%/BPS/V3/”.\r\nIf the malware finds that the system username is “vbccsb”, it will stop. It must be noted that “vbccsb” is the default\r\nusername on ThreatBook Cloud Sandbox, a popular alternative to VirusTotal in China.\r\nIf the backdoor finds that the file “debug” is present inside the root directory, it will wait for 130 seconds and then continue\r\nwith execution.\r\nNext, the backdoor will try to read the file “bps.key” inside the root directory. This file contains the victim ID assigned by\r\nthe command-and-control (C\u0026C) server. If the file hasn’t been created, it will set the victim ID to a null value until the C\u0026C\r\nserver assigns it.\r\nAt the end of initialization, it collects information about the victim’s system and initializes values in the global config\r\nvariable that contains important configuration information. This includes the backdoor version (we observed V2 and V3),\r\naccess keys, endpoint address, the bucket name for Alibaba Cloud OSS, and a URL for downloading the utility sc.exe that is\r\nused for taking screenshots.\r\nThe backdoor communicates with the C\u0026C server using the Socket.io protocol. The C\u0026C communication is encrypted with\r\nthe AES ECB algorithm using a hard-coded password, ZLIB compression, and base85 encoding.\r\nFigures 18 and 19 show how the malware sends the “join” event to initialize C\u0026C communication and attach the victim’s\r\nencrypted data.\r\nThe BIOPASS RAT malware registers three custom Socket.io event handlers:\r\n1.      The “notice” handler is used for checking the connection with the C\u0026C server. The backdoor regularly sends a\r\n“notice” event to the server and records the timestamp if it also receives a “notice” event as the response. 
If the malware\r\ndoesn’t receive any “notice” event within a hard-coded threshold period, it will restart.\r\n2.      The “set key” handler is used for accepting the victim ID, a random string with six characters, assigned by the C\u0026C\r\nserver. It will be attached to each of the commands sent from the server and will also be used as the folder name on a cloud\r\nstorage service to save the stolen data. The victim ID will be stored in the “bps.key” file.\r\n3.      The “accept task” handler is the main handler used to process the command sent from the C\u0026C server and to return the\r\nexecution result. We share more details of each command in the next section.\r\nAfter the malware joins the C\u0026C server, the server will assign a victim ID with a “set key” event and send multiple “accept\r\ntask” events with the commands “ScreenShot”, “SnsInfo”, “PackingTelegram”, “GetBrowsersCookies”,\r\n“GetBrowsersLogins”, “GetBrowsersHistories”, and “GetBrowsersBookmarks” to instruct the malware to collect private\r\ndata from the victim.\r\nA closer look at the BIOPASS RAT commands\r\nThe BIOPASS RAT malware implements multiple commands, most of which are self-explanatory. 
A summary of commands\r\nis listed in Table 2, while additional details of some commands are explained in the following section.\r\nCommand Behavior\r\nCompress_Files Compresses specified files or directories to a ZIP archive\r\nDecompress_File Extracts files from a specified ZIP archive\r\nAutoRun Creates a scheduled task for persistence\r\nCloseEverything Kills the Everything process with the command “TASKKILL /F /IM Everything.exe”\r\nOpenEverything Downloads and runs Everything from voidtools\r\nCloseFFmpegLive Kills the FFmpeg process with the command “TASKKILL /F /IM ffmpeg.exe”\r\nOpenFFmpegLive Downloads and runs FFmpeg (for screen video capture)\r\nDeleteFile Deletes files or directories at specified locations\r\nCreateDir Creates a directory at a specified location\r\nShowFiles\r\nGets the disk partition or lists a specified directory with detailed information, including file\r\nname, file path, size, create time, and time of modification\r\nDownload_File Downloads a URL and saves the file to a specified location\r\nUpload_File Uploads the victim’s files to cloud storage\r\nUninstall Kills the BIOPASS RAT process and deletes installed files\r\nCloseObsLive Kills the OBS process with the command “TASKKILL /F /IM obs64.exe”\r\nOpen_Obs_Live Downloads OBS Studio and starts live streaming\r\nProcessList Lists processes on the victim’s environment and their process identifier (PID)\r\nKillProcess Kills the process specified by PID with the TASKKILL command\r\nScreenShot Takes a screenshot and uploads it to cloud storage\r\nShell\r\nExecutes commands or scripts (subcommands with prefixes\r\nsubprocess, python, noreturn, getversion, restart)\r\nSnsInfo Lists QQ, WeChat, and Aliwangwang directories\r\nInstallTcpdump Downloads and installs the tcpdump tool\r\nPackingTelegram Compresses and uploads Telegram's “tdata” directory to cloud 
storage\r\nCloseProxy Kills the frpc process with the command “TASKKILL /F /IM frpc.exe”\r\nOpenProxy Downloads and installs the frp proxy client in the “%PUBLIC%” folder\r\nOpenVnc Downloads and installs the jsmpeg-vnc tool in the “%PUBLIC%/vnc/” folder\r\nCloseVnc Kills the VNC process with the command “TASKKILL /F /IM vdwm.exe”\r\nGetBrowsersCookies Decrypts the cookie file of the browser and uploads it to cloud storage\r\nGetBrowsersLogins Decrypts the login file of the browser and uploads it to cloud storage\r\nGetBrowsersHistories Uploads the history file of the browser to cloud storage\r\nGetBrowsersBookmarks Uploads the bookmark file of the browser to cloud storage\r\nTable 2. BIOPASS RAT commands\r\nFor the “OpenEverything” command, the malware downloads the “Everything” files if the “Everything” binary is not found in the “%TEMP%” folder. It then\r\nchanges the port number of the HTTP server inside the configuration file and starts the Everything process, which will open\r\nan HTTP server to allow the threat actor to access the file system of the victim.\r\nFor the “OpenFFmpegLive” command, the malware downloads the FFmpeg files if they are not found on the victim’s machine. Next, it starts the FFmpeg process to\r\nmonitor the victim’s desktop via RTMP live streaming to the cloud. The malicious actor can then connect to the relevant\r\nRTMP address to watch the stream.\r\nFor the “Open_Obs_Live” command, the malware downloads the OBS Studio files if the OBS folder and config file are not found in the root directory. It writes the\r\nbasic config and RTMP config of OBS and then starts the OBS process to monitor the victim’s desktop using RTMP live\r\nstreaming to the cloud. The malicious actor can connect to the relevant RTMP address to watch the stream.\r\nFor the “ScreenShot” command, the malware downloads the screenshot-cmd tool if it is not found in the root directory. 
It takes a screenshot of the victim’s\r\nscreen with the tool and saves it as a PNG file with a random number as the file name. The malware will then upload the\r\nscreenshot files to cloud storage.\r\nThe malware uses a number of methods to execute a shell command or script. The “Shell” command instructs the malware\r\nto execute a command using the Python function “win32api.ShellExecute” and to return the result to the C\u0026C server, applying\r\na 60-second timeout for command execution.\r\nIf the command has one of the following prefixes, it will perform a specific behavior:\r\n1.      “subprocess”: executes a system command using the Python function “subprocess.Popen”.\r\n2.      “python”: executes a Python script delivered with the command.\r\n3.      “noreturn”: executes a system command using the Python function “win32api.ShellExecute” without waiting for the\r\nresult.\r\n4.      “getversion”: returns the string “20200202”.\r\n5.      “restart”: kills the process itself and restarts it via the malicious scheduled tasks.\r\nThe “SnsInfo” command lists the installation directories of several popular instant messaging applications, including WeChat, QQ,\r\nand Aliwangwang, and returns this information to the C\u0026C server. Figures 21 and 22 show the result of running the “SnsInfo”\r\ncommand to enumerate messengers.\r\nNone of the Chinese messenger applications was installed on our testing machine, which explains the result seen in the\r\nimages.\r\nThe “GetBrowsersCookies” command is designed to steal cookie information from browsers. It will read the “Local State” file to grab the AES\r\nsecret key of Google Chrome-based browsers. 
Depending on the “type” argument delivered with the command, it\r\nperforms different behaviors.\r\nIf the value of the “type” argument is “Chrome”, it will use the AES secret key or DPAPI (for Chrome versions before 80) to\r\ndecrypt the cookie file. The decrypted result will be sent to the C\u0026C server.\r\nIf the value of the “type” argument is “File”, it will directly upload the cookie file to cloud storage. The command that we\r\nreceived showed that the targeted browsers include Google Chrome, Microsoft Edge Beta, 360 Chrome, QQ Browser, 2345\r\nExplorer, Sogou Explorer, and 360 Safe Browser.\r\nThe “GetBrowsersLogins” command has a nearly identical function to “GetBrowsersCookies”, although it targets a browser’s “Login Data” files\r\ninstead.\r\nAdditional Findings on BIOPASS RAT\r\nAlthough these are not implemented inside the BIOPASS RAT malware, we have observed two additional plug-ins that are\r\nwritten in Python (“getwechatdb” and “xss_spoof”) and were deployed by the threat actor to a victim who had been infected\r\nwith Cobalt Strike.\r\nThe script “getwechatdb” is used for exfiltrating the chat history from the WeChat Windows client. The script will detect the\r\nversion of the installed WeChat client and grab the decryption key and the user ID. A predefined list of offsets is used to\r\nlocate where the decryption key and the user ID are embedded. The list supports 36 different versions of memory offsets for\r\nthe message client.\r\nThe script will then upload database files inside the WeChat folder, including “MicroMsg.db”, to cloud storage. These\r\ndatabase files are used for saving the chat history. 
Finally, the script will print out the client ID and the decryption key that\r\nallows the malicious actors to decrypt the stolen database files of the chat history.\r\nThe other plug-in, “xss_spoof”, is an archive that contains multiple Python scripts. The scripts are designed for web server\r\ninfection via a cross-site scripting (XSS) attack. This plug-in can inject malicious scripts into the response of the victim’s\r\nweb server by leveraging the WinDivert package, which is used to sniff and manipulate the network traffic on Windows.\r\nThe scripts intercept HTTP GET requests that are sent to port 80. An “ignore” list is used to filter the file extensions of\r\nURLs to avoid manipulating resources that are not JavaScript or HTML. The script then modifies the original JavaScript or\r\nHTML content and delivers it to website visitors.\r\nThe delivered script is almost the same as the malicious script previously discussed in the section on the watering hole\r\nattack. The script performs checks by scanning localhost to determine if the machine is infected by BIOPASS RAT while\r\nshowing the fake update webpages. It is likely that the malicious actors compromised the web servers first and then ran\r\n“xss_spoof” for propagation.\r\nPotential links with the Winnti group\r\nWe have found several connections between BIOPASS RAT and the Winnti Group:\r\n1.      We discovered that many BIOPASS RAT loader binaries were signed with two valid certificates. However, these\r\ncertificates are likely stolen from game studios from South Korea and Taiwan. It is well known that the Winnti Group has\r\npreviously used stolen certificates from game studios to sign its malware.\r\nCertificate Thumbprint Valid From Valid To\r\nEFB70718BC00393A01694F255A28E30E9D2142A4 12:00 a.m., Jan. 2, 2019 11:59 p.m., Mar. 2, 2021\r\n8CE020AA874902C532B9911A4DCA8EFFA627DC80 12:00 a.m., Sept. 6, 2018 11:59 p.m., Oct. 5, 2021\r\nTable 3. Information from the stolen certificates\r\n2.      
While checking the stolen certificates, we found a server-side variant of the Derusbi malware sample\r\n(e5fdb754c1a7c36c288c46765c9258bb2c7f38fa2a99188a623182f877da3783) that was signed with the same stolen\r\ncertificate.\r\nDerusbi is known to be used by multiple advanced persistent threat (APT) groups. The server-side variant has also been\r\nnoted to be used as a malware loader by the Winnti Group.\r\n3.      We found an interesting Cobalt Strike loader\r\n(a7e9e2bec3ad283a9a0b130034e822c8b6dfd26dda855f883a3a4ff785514f97) that embeds a URL that leads to the BIOPASS\r\nRAT loader. However, the URL is unused and was likely left inside the loader as a mistake. This file has also been\r\nmentioned in a recent report that connects it to an attack on a major certification authority (CA) in Mongolia.\r\nThe Cobalt Strike loader, which has a PDB string “C:\\Users\\test\\Desktop\\fishmaster\\x64\\Release\\fishmaster.pdb”, connects\r\nto the C\u0026C server “download[.]google-images[.]ml”. The domains and the PDB string have been mentioned in a recent\r\nreport and have been attributed to the Winnti Group.\r\nWhile these connections allow us to link the malware to the Winnti Group, the difference in targets between BIOPASS RAT and\r\nthe current Winnti operations that we are tracking makes associating the two more difficult.\r\nBIOPASS RAT highlights the importance of downloading from trusted sources\r\nBIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts. It possesses many features, such as\r\nthe ability to use scheduled tasks as a method of maintaining persistence in the infected system. The malware abuses\r\npublicly available tools and cloud services for its malicious behavior. 
Notably, a large number of features were implemented\r\nto target and steal the private data of popular web browsers and instant messengers that are primarily used in Mainland\r\nChina.\r\nGiven that the malware loader was delivered as an executable disguised as a legitimate update installer on a compromised\r\nwebsite, we advise users to be careful with regard to the applications that they download. As much as possible, it is\r\nrecommended to download apps only from trusted sources and official websites to avoid being compromised by attacks such\r\nas the one discussed here.\r\nOrganizations can also help protect their end users by implementing security solutions that provide a multilayered defense\r\nsystem with products that help with detecting, scanning, and blocking malicious URLs.\r\nNote that we’ve submitted an abuse report to Alibaba, but we have yet to receive feedback at the time of publication.\r\nIndicators of Compromise (IoCs)\r\n
URL\r\nhxxp://flashdownloadserver[.]oss-cn-hongkong.aliyuncs[.]com/res/csplugins/xss_spoof.zip\r\nxss_spoof plug-in download URL\r\nhttps://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html\r\nPage 14 of 15\n\nhxxp://flashdownloadserver[.]oss-cn-hongkong.aliyuncs[.]com/res/csplugins/xss.txt\r\nXSS payload download URL\r\nhxxp://flashdownloadserver[.]oss-cn-hongkong.aliyuncs[.]com/res/csplugins/script.txt\r\nXSS payload download URL\r\nhxxp://0x3s[.]com/x[.]js XSS injection URL\r\nSource: https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html\r\nhttps://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html"
	],
	"report_names": [
		"biopass-rat-new-malware-sniffs-victims-via-live-streaming.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c84b130d6b7363af36f7a5552fc1ef9570ef702d.pdf",
		"text": "https://archive.orkl.eu/c84b130d6b7363af36f7a5552fc1ef9570ef702d.txt",
		"img": "https://archive.orkl.eu/c84b130d6b7363af36f7a5552fc1ef9570ef702d.jpg"
	}
}