{
	"id": "245d399b-f769-4b1f-b593-392b018d48f6",
	"created_at": "2026-04-06T00:14:54.260204Z",
	"updated_at": "2026-04-10T03:37:08.599327Z",
	"deleted_at": null,
	"sha1_hash": "c879df7cdc1f61895d26336a5683726818d11043",
	"title": "New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4759601,
	"plain_text": "New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit\r\nBy Tao Yan, Xingyu Jin, Bo Qu, Zhanglin He\r\nPublished: 2018-11-21 · Archived: 2026-04-05 17:26:00 UTC\r\nOverview\r\nObserved in the wild as early as 2016, Azorult is a Trojan family that has been delivered in malicious macro-based documents via spam campaigns, or as a secondary payload in RIG Exploit Kit campaigns. On October 20th, 2018 we discovered that new Azorult variants were being used as primary payloads in a new, ongoing campaign using the Fallout Exploit Kit. We named this campaign ‘FindMyName’ because all of the final exploit pages land on the domain findmyname[.]pw. These new Azorult variants use advanced obfuscation techniques, such as API flooding and control flow flattening, to evade anti-virus products. We also discovered that Azorult has evolved further: the samples we captured support stealing sensitive information from more browsers, applications, and cryptocurrency wallets than previous versions.\r\nIn this blog we will cover the FindMyName campaign, the new Azorult malware, and the obfuscation techniques used.\r\nFirst stage of FindMyName Campaign\r\nOctober 20th is when we first observed the new campaign we are dubbing FindMyName. In the following 3 days, 5 different URL chains, listed in the IOCs section below, led to the delivery of the Fallout Exploit Kit. All 5 URL chains redirected victims to one domain, findmyname[.]pw.\r\nThe steps in the first stage of the FindMyName campaign are shown in Figure 1.\r\nFigure 1 Overview of the first stage of the attack\r\nAlthough the 5 final pages on findmyname[.]pw were different, their content was similar. 
An example of the Fallout Exploit Kit landing page is shown in Figure 2.\r\nFigure 2 obfuscated landing page\r\nThe Fallout Exploit Kit uses several HTML tags such as span, h3, and p to hide the real exploit code inside highly obfuscated tag content. After decryption, the real VBScript code exploits CVE-2018-8174, a VBScript engine vulnerability in Internet Explorer that Microsoft patched in May 2018.\r\nhttps://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/\r\nPage 1 of 15\n\nFigure 3 Exploit code snippet of CVE-2018-8174 in Fallout Exploit Kit\r\nAfter the exploit succeeds, the Fallout Exploit Kit downloads a “.tmp” file to the %Temp% directory and calls CreateProcess to execute it. Further analysis revealed that the “.tmp” file was the latest variant of the Azorult malware. This was the first time we had seen the new Azorult variant used as the primary payload of the Fallout Exploit Kit.\r\nSecond stage of FindMyName Campaign\r\nIn this section, we focus on analyzing the latest variant of Azorult malware we captured.\r\nMalware Analysis Overview\r\nThe Azorult malware family is a commercial Trojan sold on underground forums. We observed 3 new variants of Azorult malware in the recent FindMyName campaign. When we discovered them, 2 of the 3 samples had not yet been seen in the wild. One of the new Azorult samples we captured and analyzed has the following malicious features (some of these features are explained in detail in the next section):\r\n1. Evades anti-virus emulators through API flooding.\r\n2. Thwarts reverse engineering through control flow flattening.\r\n3. Uses process hollowing to build the new malware image.\r\n4. Steals credentials, cookies, histories and autofill data from more browsers than previous versions.\r\n5. Steals more cryptocurrency wallets than previous versions.\r\n6. 
Steals Skype, Telegram, Steam, FTP client and email client credentials and chat history where applicable.\r\n7. Harvests victim information: installed programs, screenshots, machine information, user name, OS version and running processes.\r\n8. Collects files from the user’s Desktop.\r\n9. Anti-forensic component that cleans up all dropped files.\r\n10. Executes specific file(s) on instruction from the C2.\r\nAPI Flooding and Control Flow Flattening Obfuscation\r\nThe initial Azorult sample (the outer layer that performs the process hollowing described below) was written in Microsoft Visual C++ 7.0. First, it uses control flow flattening to thwart reverse engineering, as shown in Figure 4. Second, it uses an API flooding technique, as shown in Figure 5. API flooding is a technique to evade anti-virus emulators. For performance reasons, anti-virus emulators set a timer when emulating an executable on the host machine; if the emulator has to work through hundreds of time-consuming API calls, it times out and marks the file as benign.\r\nFigure 4 control flow flattening\r\nFigure 5 API flooding\r\nProcess Hollowing\r\nAzorult uses process hollowing to build the new malware image. First, the sample decrypts the payload in memory. Then it creates a new, suspended process of itself. Next, it injects the decrypted payload into the new process. Lastly, it resumes the new process, which then exhibits the malicious behaviors. 
An overview of the sample’s execution is shown in Figure 6.\r\nFigure 6 Sample process hollowing\r\nC2 Communication\r\nThe new trojan file dumped from the hollowed process was written in Delphi. When the sample executes, it immediately connects to a C2 server for further instructions. To evade Intrusion Prevention Systems (IPS), the C2 traffic is obfuscated. The data sent to the C2 includes a unique victim ID for each machine, derived by running the machine GUID, Windows product name, user name and computer name through a custom hash algorithm. The malware then decrypts a C2 address and sends a POST request to 51[.]15[.]196[.]30/1/index.php carrying the encrypted victim ID. The C2 traffic is shown in Figure 7. A detailed example of the hash algorithm and encryption is listed in Appendix 1.\r\nFigure 7 C2 request\r\nThe sample decrypts and validates the C2 response. The decrypted C2 content has three parts. The part inside the \u003cn\u003e\u003c/n\u003e tags contains 48 legitimate DLLs that are used for information stealing, described in the following sections. The part inside the \u003cd\u003e\u003c/d\u003e tags contains application information for information stealing: application paths, related registry keys and credential file names. The part inside the \u003cc\u003e\u003c/c\u003e tags contains the C2 configuration for the sample, shown in Figure 8. From pcap analysis, we identified the following characters checked by this sample:\r\n1. “+”: enables the specific malicious function.\r\n2. “-”: disables the specific malicious function.\r\n3. “I”: collect host IP info.\r\n4. “L”: download and execute a file from a remote server.\r\nFigure 8 C2 configuration\r\nMalicious functions specified by C2:\r\n1. 
Steal browser password credentials.\r\n2. Steal browser cookies and autofill data, and steal credentials from FTP and email clients.\r\n3. Steal browser history.\r\n4. Steal cryptocurrency wallets.\r\n5. Steal the Skype chat message database (main.db).\r\n6. Steal Telegram credentials.\r\n7. Steal Steam credentials (ssfn) and game metadata (.vdf).\r\n8. Take a screenshot that is eventually sent to the attacker.\r\n9. Clean up the temporary malware files.\r\n10. Collect files from the Desktop.\r\n11. Get host IP information by sending a GET request to ip-api[.]com/json.\r\n12. Download and execute a file specified by the C2.\r\nFigure 9 shows an example of the C2 configuration for stealing sensitive information from Firefox and Thunderbird.\r\nFigure 9 C2 configuration for information stealing\r\nAn overview of the C2 traffic is shown in Figure 10.\r\nFigure 10 C2 traffic overview\r\nInformation stealer\r\nThe sample steals credentials and user data from thirty-two browsers including Chrome, Firefox and Qihoo 360. The full list of browsers is in Appendix 2. To steal credentials from browsers, the sample writes the 48 legitimate DLL files delivered in the C2 response to the %LOCALAPPDATA%\\Temp\\2fda folder, as shown in Figure 11.\r\nFigure 11 legit dll files\r\nThe purpose of this is to load nss3.dll and resolve the following functions from it:\r\nsqlite3_open\r\nsqlite3_close\r\nsqlite3_prepare_v2\r\nsqlite3_step\r\nsqlite3_column_text\r\nsqlite3_finalize\r\nNSS_Init\r\nPK11_GetInternalKeySlot\r\nPK11_Authenticate\r\nPK11SDR_Decrypt\r\nNSS_Shutdown\r\nPK11_FreeSlot\r\nThese functions are used to dump sensitive browser information. 
For example, the malware uses the sqlite3_* functions to read the Firefox browsing history, as shown in Figure 12.\r\nFigure 12 steal Firefox sensitive information using APIs in nss3.dll\r\nHere is another example of a user name and password being stolen, this time from saved Chrome data. The sample searches the path “%LOCALAPPDATA%\\Google\\Chrome\\User Data\\” for the file \"Login Data\". If found, the sample copies the \"Login Data\" file to the %LOCALAPPDATA%\\Temp directory (the copy sidesteps the exclusive lock Chrome holds on the live database) and calls sqlite3_prepare_v2 from nss3.dll to extract credentials with the SQL query \"SELECT origin_url, username_value, password_value FROM logins\", as shown in Figure 13.\r\nFigure 13 select strings for stealing browser credentials\r\nThe malware also harvests cookies, bookmarks, and autofill information from the aforementioned browsers. Credential information is saved to PasswordsList.txt and cookies are saved to CookieList.txt.\r\nAdditionally, the sample steals the following cryptocurrency wallets:\r\nEthereum\r\nElectrum\r\nElectrum-LTC\r\nJaxx\r\nExodus\r\nMultiBitHD\r\nThe malware looks for the specific files that hold each wallet’s sensitive data. For example, the sample tries to find and send the “mbhd.wallet.aes” file located under “Coins\\MultiBitHD”, as shown in Figure 14.\r\nFigure 14 steal cryptocurrency wallets\r\nThe sample steals credentials and user data from popular applications including Thunderbird, FileZilla, Outlook, WinSCP, Skype, Telegram and Steam. It also steals files from the Desktop. 
For example, the sample looks for “D877F783D5*.map*” files under the “%appdata%\\Telegram Desktop\\tdata” directory to steal sensitive information from Telegram, as shown in Figure 15.\r\nFigure 15 steal applications credentials\r\nThe sample collects user and system information including running processes, installed software, system language and time zone. The harvested credentials and user information are then sent back to the C2. Some highlights of the system information collection:\r\nThe malware captures a screenshot of the victim’s computer and saves it to an image file named scr.jpg, as shown in Figure 16.\r\nFigure 16 capture screen\r\nThe malware uploads files from the paths and drive types specified in the C2 response.\r\nIt acquires host IP information by sending a GET request to ip-api[.]com/json and stores the JSON response in ip.txt.\r\nIt collects the following user information and saves it to system.txt:\r\nMachine GUID.\r\nWindows Product Name.\r\nUser Name.\r\nComputer Name.\r\nSystem Architecture.\r\nScreen height and width.\r\nSystem language.\r\nCurrent local time.\r\nTime zone.\r\nNumber of CPU cores.\r\nCurrent process list, obtained by calling CreateToolhelp32Snapshot.\r\nDisplay version and name.\r\nInstalled software (from Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\).\r\nCurrent account privilege level.\r\nAll information gathered by the malware is shown in Figure 17.\r\nFigure 17 information gathered by malware\r\nExecute File Specified by C2\r\nThe attacker can remotely instruct the infected system to execute any file through CreateProcess or ShellExecute, as shown in Figure 18. 
We also observed that it accessed a malicious URL to fetch the file: plugin-update[.]space/download/10.17.18.exe.\r\nFigure 18 call CreateProcess or ShellExecute to execute the file\r\nThis new variant of Azorult also handles the case where it is already running as LocalSystem. It checks the SID of its current token using the logic shown in Figure 19: if the current integrity level is LocalSystem, it calls WTSQueryUserToken to obtain the primary token of the logged-on user (a call that requires SeTcbPrivilege, which LocalSystem holds) and then CreateProcessAsUser to start the new process under that token in the user’s interactive session, as shown in Figure 20.\r\nFigure 19 Check SID and token\r\nFigure 20 create process as local system privilege\r\nErasing Hints and Deleting Files\r\nWe also found that the malware erases all of the files located in “%temp%\\2fda” and deletes files according to the C2’s commands, as shown in Figure 21 and Figure 22.\r\nFigure 21 Erasing Hints of Infection\r\nFigure 22 delete files according to C2 command\r\nConclusion\r\nA presumed new campaign surfaced in late October that caught our attention. In the span of 3 days, 5 Fallout Exploit Kit URL chains were observed, all landing on an exploit page hosted on the domain findmyname[.]pw. A new variant of Azorult malware was found to be used as the payload of the Fallout Exploit Kit. It has updated features compared to previous versions and supports stealing from more software and cryptocurrency wallets than ever before.\r\nOrganizations with up-to-date Windows hosts have a much lower risk of infection. Palo Alto Networks’ customers are further protected from this threat. 
Our threat prevention platform detects both the Fallout Exploit Kit and the Azorult malware.\r\nAutoFocus users can track this activity using the AzoRult tag.\r\nIOCs\r\nURL Chains\r\nURL chain 1\r\nhxxp://sax[.]peakonspot[.]com/dep.php?pid=6639\u0026format=POPUP\u0026subid=\u0026cid=M2018102013-11642b318a12196b7fae1559b32a45c2\r\nhxxps://gfobhk[.]peak-serving[.]com/?\u0026id=15400452977053288308437914\u0026tid=6639\u0026sr=ep\r\nhxxp://sp[.]popcash[.]net/go/161339/449201\r\nhxxp://sp[.]popcash[.]net/sgo/ad?p=161339\u0026w=449201\u0026t=33fd7220adb3c003\u0026r=\u0026vw=0\u0026vh=0\r\nhxxp://findmyname[.]pw/1981_06_18/spumier/04_05_1952/E4bI5EK9?FYpUsha=Hangmen-Avowedly-Political-montreal\u0026JAb1I5xAS=Reeled_chateaus_funduck_royalize_unconvert_Joysome\u0026Outdraft=Tr6mHo5\u0026VX1m7hhu=ugaritic_Shying_fleece_15919\r\nURL chain 2\r\nhxxp://tania[.]web[.]telrock[.]net/\r\nhxxp://api[.]clickaine[.]com/v1/apop/redirect/zone/15450\r\nhxxp://findmyname[.]pw/M6rpEF/lifted/7013-Tiddley-toadyisms-11956-8965/peevedly_Oversured_tungstic.cfml\r\nURL chain 3\r\nhxxp://manuela[.]w[.]telrock[.]org/\r\nhxxp://api[.]clickaine[.]com/v1/apop/redirect/zone/15450\r\nhxxp://findmyname[.]pw/hoivSZVRX/NV1uI/vpLnq.shtml?nXslO=indult-Cadere\u0026sAoiIFu=Tirracke\u0026KaaM=Uncloak_Becloaked\r\nURL chain 
4\r\nhxxp://sl[.]ivankatraff[.]com/sl?vId=bmconv_20181024052548_bea8e890_2113_4ecc_951b_c90aeffde1e6\u0026publisherId=40152\u0026source=5348_8482\u0026ua=Mozilla%2F5.0+%28iPhone\r\nhxxp://damneddevastator[.]com/l/18358235b03f965b74d5?sub=\u0026source=\u0026code2=Y3RtATE1NDAzOTM4OTI1MDEAc3JjAWlvAHZlcgExOQBwbHQBV2luMzIAdGNoATEAaXcBNzkyAGloATUwNABhdwEx\r\nhxxp://damneddevastator[.]com/gw?sub=\u0026source=Unknown\u0026url=https%3A%2F%2Fsax.peakonspot.com%2Fdep.php%3Fpid%3D2457%26subid%3D2_Unknown%26cid%3Dbmconv_201\r\nhxxps://sax[.]peakonspot[.]com/dep.php?pid=2457\u0026subid=2_Unknown\u0026cid=bmconv_20181024091133_7532cd6e_41dc_445b_a538_a0f29d2af047\u0026ref=\r\nhxxp://findmyname[.]pw/pysV15/olt8uPj1/1969_04_11\r\nURL chain 5\r\nhxxp://whitepages[.]review/prpllr?cost=0.001850\u0026currency=USD\u0026external_id=76427570563780608\u0026ad_campaign_id=1382277\u0026source=PropellerAds\u0026sub_id_1=1774896\r\nhxxp://findmyname[.]pw/cymbalo/13345/13231?potteries=icL8gc96\r\nBinary SHA256\r\nSample 1:\r\n3354a1d18aa861de2e17eeec65fc6545bc52deebe86c3ef12ccb372c312d8af8\r\nSample 2:\r\n7a99eb3e340f61f800ab3b8784f718bbe2e38159a883c2fc009af740df944431\r\nSample 3:\r\n0e27bbfa70b399182f030ee18531e100d4f6e8cb64e592276b02c18b7b5d69e6\r\nAppendix\r\nAppendix 1: hash algorithm and encryption. 
 \r\nHash algorithm and encryption for the victim ID that is sent to the C2 (Python 3):\r\ndef hash_func(input_str):\r\n    # Custom 32-bit hash: XOR each character with a constant, add it to the running\r\n    # value, then subtract a 13-bit left rotation of that value (all mod 2^32).\r\n    x = 0\r\n    for c in input_str:\r\n        x += ord(c) ^ 0x6521458a\r\n        x \u0026= 0xFFFFFFFF\r\n        x -= ((x \u003c\u003c 0xD) \u0026 0xFFFFFFFF) | (x \u003e\u003e 0x13)\r\n        x \u0026= 0xFFFFFFFF\r\n    return format(x, 'X').rjust(8, '0')\r\ndef format_hash_str(hash_str):\r\n    # Split the concatenated hash into a 7-character head followed by 8-character\r\n    # groups joined with '-'; the final group absorbs any leftover characters.\r\n    y = len(hash_str)\r\n    format_hash = []\r\n    format_hash.append(hash_str[:7])\r\n    hash_str = hash_str[7:]\r\n    i = 0\r\n    while i \u003c= y:\r\n        if i % 8 == 0 and y - i \u003e= 16:\r\n            format_str = hash_str[i:i+8]\r\n            if y - i \u003c 24:\r\n                format_str = hash_str[i:]\r\n            format_hash.append(format_str)\r\n        i += 1\r\n    return '-'.join(format_hash)\r\ndef obfuscate_hash_str(hash_str):\r\n    # Percent-encode every character that is not an ASCII letter (digits and '-').\r\n    obfuscated_hash_str = ''\r\n    for c in hash_str:\r\n        t = (ord(c) - ord('A')) \u0026 0xFF\r\n        q = (ord(c) - ord('a')) \u0026 0xFF\r\n        if t \u003e= 0x1A and q \u003e= 0x1A:\r\n            obfuscated_hash_str += '%' + format(ord(c), 'X')\r\n        else:\r\n            obfuscated_hash_str += c\r\n    return obfuscated_hash_str\r\ndef xor_encrypt(hash_str):\r\n    # Repeating 3-byte XOR key applied to the obfuscated victim ID before it is POSTed.\r\n    key = (0xD, 0xA, 0xC8)\r\n    encrypted_str = ''\r\n    for i in range(len(hash_str)):\r\n        encrypted_str += chr(ord(hash_str[i]) ^ key[i % len(key)])\r\n    return 
encrypted_str\r\nWhen the malware has obtained the machine GUID, product name, user name and computer name, it uses the hash algorithm and encryption above to generate the encrypted victim ID:\r\nuser_info = ('8699cdcd-cd9c-49ca-a44a-6c7e984575dc', 'Windows 7 Professional', 'test', 'WIN-GKIQOSL71B3')\r\nhash_str = ''\r\nfor field in user_info:\r\n    hash_str += hash_func(field)\r\nhash_str += hash_func(''.join(user_info))  # 344FB5D5343A2EC681928A0244CA6CE98647CCAA\r\nhash_str = format_hash_str(hash_str)  # 344FB5D-5343A2EC-681928A0-244CA6CE-98647CCAA\r\nhash_str = 'G' + obfuscate_hash_str(hash_str)  # G%33%34%34FB%35D%2D%35%33%34%33A%32EC%2D%36%38%31%39%32%38A%30%2D%32%34%34CA%36CE%2D%39%38%36%\r\nencrypted_victim_id = xor_encrypt(hash_str)\r\nC2 address decryption:\r\nThe malware XORs content in its .data section with the repeating key [0x09, 0xff, 0x20] to recover the string “aHR0cDovLzUxLjE1LjE5Ni4zMC8xL2luZGV4LnBocA”. 
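Both transformations in this appendix can be run in reverse by an analyst holding a pcap or a memory dump. The following Python 3 script is an added example written for this edit, not code from the Unit 42 report or from the sample: it recovers the C2 URL from the XOR-encrypted .data bytes, recovers the dashed victim ID from a POST body, and splits that ID back into the five per-field hashes. It assumes the POST body carries exactly the output of xor_encrypt above with no further framing (the report does not say otherwise). Both sample inputs are constructed here by encrypting the report's plaintext values with the report's keys; the full percent-encoded form is obtained by applying the Appendix 1 encoding to the dashed value quoted there. They are not captured traffic.

```python
import base64
from urllib.parse import unquote

# Keys recovered from the sample as documented in this appendix.
VICTIM_ID_KEY = (0x0D, 0x0A, 0xC8)   # applied to the victim ID before the POST
C2_ADDR_KEY = (0x09, 0xFF, 0x20)     # applied to the base64 C2 string in .data


def xor_cycle(data: bytes, key) -> bytes:
    # XOR with a repeating key is its own inverse: the same call encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_c2_address(blob: bytes) -> str:
    # .data bytes -> XOR with [0x09, 0xff, 0x20] -> unpadded base64 -> URL.
    b64 = xor_cycle(blob, C2_ADDR_KEY).decode('ascii')
    b64 += '=' * (-len(b64) % 4)  # the sample stores the string without '=' padding
    return base64.b64decode(b64).decode('ascii')


def decode_victim_id(body: bytes) -> str:
    # POST body -> XOR with [0x0D, 0x0A, 0xC8] -> 'G' + percent-encoded ID -> dashed ID.
    # Assumption (not stated in the report): the body holds only the xor_encrypt output.
    plain = xor_cycle(body, VICTIM_ID_KEY).decode('ascii')
    if not plain.startswith('G'):
        raise ValueError('victim ID does not start with the expected G prefix')
    return unquote(plain[1:])


def parse_victim_id(dashed: str) -> dict:
    # The dashed form is 7+8+8+8+9 hex chars, but the underlying value is five 32-bit
    # hashes (GUID, product name, user name, computer name, all four joined), so the
    # dash groups do not line up with the hashes. Strip the dashes and cut every 8.
    raw = dashed.replace('-', '')
    if len(raw) != 40 or any(c not in '0123456789ABCDEF' for c in raw):
        raise ValueError('victim ID is not five 32-bit hex hashes')
    fields = ('machine_guid', 'product_name', 'user_name', 'computer_name', 'all_fields')
    return {name: raw[8 * i:8 * i + 8] for i, name in enumerate(fields)}


# Constructed sample inputs (not captured traffic): the report's plaintexts encrypted
# with the report's keys, so the decoders can be exercised offline.
SAMPLE_DATA_BLOB = xor_cycle(b'aHR0cDovLzUxLjE1LjE5Ni4zMC8xL2luZGV4LnBocA', C2_ADDR_KEY)
SAMPLE_POST_BODY = xor_cycle(
    b'G%33%34%34FB%35D%2D%35%33%34%33A%32EC%2D%36%38%31%39%32%38A%30'
    b'%2D%32%34%34CA%36CE%2D%39%38%36%34%37CCAA',
    VICTIM_ID_KEY)

if __name__ == '__main__':
    print('C2 address :', decrypt_c2_address(SAMPLE_DATA_BLOB))
    victim_id = decode_victim_id(SAMPLE_POST_BODY)
    print('victim ID  :', victim_id)
    for name, digest in parse_victim_id(victim_id).items():
        print('  ' + name.ljust(14), digest)
```

The dashed grouping (7, 8, 8, 8, 9 characters) is offset from the 8-character per-field hashes by one position, so comparing a single field (for example the machine GUID hash) across victims only works after the groups are re-joined, which is what parse_victim_id does before slicing.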
The malware then base64-decodes that string to obtain the C2 address, http://51[.]15[.]196[.]30/1/index.php.\r\nAppendix 2: Targeted browser list\r\nGoogleChrome\r\nInternetMailRu\r\nYandexBrowser\r\nComodoDragon\r\nAmigo\r\nOrbitum\r\nBromium\r\nChromium\r\nNichrome\r\nRockMelt\r\n360Browser\r\nVivaldi\r\nOpera\r\nGoBrowser\r\nSputnik\r\nKometa\r\nUran\r\nQIPSurf\r\nEpic\r\nBrave\r\nCocCoc\r\nCentBrowser\r\n7Star\r\nElementsBrowser\r\nTorBro\r\nSuhba\r\nSaferBrowser\r\nMustang\r\nSuperbird\r\nChedot\r\nTorch\r\nInternet Explorer\r\nMicrosoft Edge\r\nSource: https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/"
	],
	"report_names": [
		"unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434494,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c879df7cdc1f61895d26336a5683726818d11043.pdf",
		"text": "https://archive.orkl.eu/c879df7cdc1f61895d26336a5683726818d11043.txt",
		"img": "https://archive.orkl.eu/c879df7cdc1f61895d26336a5683726818d11043.jpg"
	}
}