{
	"id": "fc8796de-2a28-494e-9b9a-c9968f6305fb",
	"created_at": "2026-04-06T00:07:03.020695Z",
	"updated_at": "2026-04-10T13:12:03.222374Z",
	"deleted_at": null,
	"sha1_hash": "cbf02d3fd3007990d1ac17d04bafe76173cd2aa7",
	"title": "Lumma Stealer targets YouTubers via Spear-phishing Email",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1560181,
	"plain_text": "Lumma Stealer targets YouTubers via Spear-phishing Email\r\nBy S2W\r\nPublished: 2023-02-27 · Archived: 2026-04-05 22:53:56 UTC\r\nAuthor: Jiho Kim \u0026 Sebin Lee | S2W TALON\r\nLast Modified : Feb 27, 2023\r\nPhoto by Alexander Shatov on Unsplash\r\nExecutive Summary\r\nLumma Stealer is an info stealer written in C that has been sold on underground forums since August 2022.\r\nhttps://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7\r\nThe seller of Lumma Stealer has been actively promoting it since at least April 2022.\r\nThe seller posts announcements about version updates, answers inquiries, and so on through the underground forum, a Telegram channel, and the seller’s own site.\r\nOn February 6, 2023, a spear-phishing email impersonating the game company Bandai Namco was used to target a voice-actor YouTuber in Korea, and Lumma Stealer was distributed through the email.\r\nA benign video file and a malicious file disguised as a PDF document were downloaded from a Dropbox link in the email, and the fake PDF installed an additional loader called Pure Crypter.\r\nPure Crypter, a loader that drops and executes additional malware, injects the Lumma Stealer payload according to its configuration values.\r\nOnce installed, Lumma Stealer steals information from browsers, cryptocurrency wallets, and 2FA extensions on the infected system and sends it to a C\u0026C server.\r\nIntroduction\r\nThe Lumma Stealer seller uses the handle “LummaC” on XSS, an underground forum based in Russia.\r\nThe seller has been actively promoting the malware since April 2022. In August of that year, the seller posted a new promotional article under the name LummaC Stealer. 
Then, the seller continuously updated the malware, including changing its name to LummaC2 Stealer, as seen in a post title from December 2022.\r\nFigure 1. Activity history of LummaC users\r\nFigure 2. LummaC2 Stealer promotional post\r\nSeller Information\r\nBesides the underground forum, the seller uses Telegram to notify users of malware updates and to respond to inquiries, and operates a separate website for selling the malware. The Telegram channels are divided by purpose: update announcements, support, and bug reports.\r\n@LummaC2Stealer: Channel for update announcements\r\n@lummaseller126: Channel for support\r\n@Lummanowork: Channel for bug reports\r\nTable 1. Telegram channels operated by the Lumma Stealer seller\r\nPrice Policy\r\nThe seller has created their own website to sell the malware and offers different feature sets and prices depending on the subscription tier. According to a promotional post on the underground forum, the corporate tier also allows the buyer to install the control panel on their own server.\r\nFigure 3. Pricing policies and supported cryptocurrencies\r\nPayment for Lumma Stealer is made through Coinbase, and a unique coin address is generated for each payment.\r\nTable 2. 
Features by pricing tier\r\nTargeted a voice actor YouTuber in South Korea\r\nOn February 6, 2023, a voice-actor YouTuber in Korea received an e-mail impersonating the game company Bandai Namco. The e-mail contained a Dropbox link to the malware; the YouTuber downloaded and executed it. His YouTube channel was later compromised and renamed to a Tesla US channel.\r\nFortunately, the YouTuber regained access to the compromised account and posted a video explaining how the attack took place. Thanks to the information he provided, we were able to obtain the original spear-phishing email and the malware from VirusTotal. We would like to express our gratitude to him for his bravery in sharing the details of the attack and helping to uncover the truth.\r\nBased on our analysis, we identified the following attack flow:\r\n1. The attacker sends a spear-phishing email targeting the YouTuber.\r\n2. The victim downloads a ZIP file containing the malware via the Dropbox link in the email.\r\n3. The victim executes the malware, which is disguised as a PDF document inside the ZIP file.\r\n4. The malware downloads an additional payload from the command and control (C\u0026C) server.\r\n5. The malware loads the additional payload, Pure Crypter.\r\n6. Pure Crypter injects Lumma Stealer into a process.\r\n7. Lumma Stealer steals information from the victim’s system and sends it to the C\u0026C server.\r\nFigure 4. 
Lumma Stealer infection and execution flow\r\nIt has been confirmed that the YouTube account of the victim whose system was infected with Lumma Stealer was hijacked and the channel name was changed to “Tesla US”.\r\nFigure 5. Victim’s YouTube channel changed to the Tesla advertising account\r\nThe channel name and thumbnail were changed, but the previously uploaded channel notices were not.\r\nDistributed via Spear-phishing\r\nThe e-mail was sent from the “bandai.namco.ma[@]kakao.com” account to impersonate the game company Bandai Namco. It asked for the victim’s cooperation in promoting a new game and urged them to download and execute the file via the Dropbox link included in the email.\r\nTitle : Re: Bandai Namco YT Offer 2023\r\nSender : bandai.namco.ma[@]kakao.com\r\nAlthough Bandai Namco is a Japanese company, the email was sent from an account on kakao.com, one of the most widely used mail domains in Korea. As the targeted YouTuber is also Korean, we assess with low confidence that there is a possibility that the attacker is also Korean.\r\nFigure 6. A phishing email masquerading as a game company (Source: Victim’s YouTube channel)\r\nThe file downloaded through the Dropbox link contained a benign video file and a malicious file disguised as a
Once executed, additional malware is downloaded from the C\u0026C server, and Lumma Stealer is\r\nfinally installed.\r\nDownloaded filename from Dropbox: One Piece Odyssey Youtube Deal.zip\r\nDropbox Link:\r\nhxxps[:]//www.dropbox[.]com/s/rcrreonkI7d0ah9/One%20Piece%20Odyssey%20Youtube%20Deal.zip?\r\ndl=1\r\nhttps://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7\r\nPage 7 of 14\n\nFigure 7. Malicious attachments in the phishing email\r\nPure Crypter\r\nUpon analyzing the downloaded from the C\u0026C server, it was identified as a Pure Crypter. Pure Crpyter is a tool\r\nwritten in C# and developed by an individual known as “PureCoder,” which is available for sale on underground\r\nforums in the form of software as a service (SaaS). This tool includes features designed to bypass security\r\nproducts, including obfuscation and process injection, and is commonly used to drop additional malware.\r\nPress enter or click to view image in full size\r\nTable 3. Features provided by Pure Crypter\r\nPress enter or click to view image in full size\r\nhttps://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7\r\nPage 8 of 14\n\nFigure 8. Pure Crypter sales site\r\nThe Pure Crypter reads the separate data included within and then decrypts it to obtain configuration values for\r\nperforming malicious actions set as desired.\r\nPress enter or click to view image in full size\r\nTable 4. Fields in configuration\r\n{\"1\":0,\"2\":\"Itself\",\"3\":\"\",\"4\":false,\"5\":\"Vszbhncwjwcaklzwbvyio\",\"6\":{\"1\":false,\"2\":false,\"3\":null,\"4\r\nAfter extracting the configuration values, an additional malware payload is read from the resource and decrypted.\r\nIn this case, the Lumma Stealer malware is loaded and injected into a separate process for execution. 
If the file name specified in the injection-related configuration does not exist, Pure Crypter instead performs the injection in the current process using the process hollowing technique.\r\nStolen Information via Lumma Stealer\r\nThe types of information that the final Lumma Stealer payload steals are as follows.\r\nTable 5. Target information that Lumma Stealer steals\r\nBrowser list\r\nChrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera Stable, Opera GX Stable, Opera Neon, Firefox\r\nBrowser extension list\r\n[Crypto wallet] Metamask, TronLink, Ronin Wallet, Binance Chain Wallet, Yoroi, Nifty, Math, Guarda, Coinbase, EQUAL, Jaxx Liberty, BitApp, Exodus Web3, Trust Wallet, iWallet, EnKrypt, Wombat, NEW CX, Guild, Saturn, NeoLine, Clover, Liquality, Terra Station, Keplr, Sollet, Auro, Polymesh, ICOnex, Nabox, KHC, Temple, TezBox, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98, Cyano, Byone, OneKey\r\n[2FA] Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Trezor Password Manager\r\n[Browser] Leaf\r\nCrypto wallet list\r\nBinance, Electrum, Ethereum, Exodus, Ledger Live, Atomic, Coinomi\r\nThe stolen information is transmitted to the C\u0026C server over HTTP, with the HWID of the victim system, a packet ID, and an identification value set by the attacker appended to the end of the request. To disguise the communication as browser traffic, a Tesla Browser string is set as the User-Agent.\r\nFigure 9. 
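Exfiltration traffic

As an added example that is not part of the S2W report and not Lumma Stealer’s own code, the following Python shows how a detection engineer can turn the two traits described above, the Tesla Browser User-Agent and POSTs to the /c2sock endpoint listed in the IoCs, into a rule over web-proxy logs. The pipe-delimited log format, the sample log lines, and the exact User-Agent string TeslaBrowser/5.5 are constructed for this example; the report only states that a Tesla Browser value is used. The query-string field names hwid, pid and lid standing for the HWID, packet ID and attacker identifier are hypothetical, since the report does not give them. The C\u0026C addresses are the ones from the IoC list.

```python
# Added example, not code from the S2W report or from Lumma Stealer.
# Flags Lumma-style exfiltration in proxy logs using two traits the report
# describes: a Tesla Browser User-Agent and POSTs to the /c2sock endpoint.
from urllib.parse import parse_qs, urlsplit

C2_PATH = '/c2sock'
UA_MARKER = 'teslabrowser'  # matched case-insensitively; exact UA format is assumed

# C2 addresses from the report's IoC list.
KNOWN_C2 = {'77.73.134.68', '45.9.74.78', '195.123.226.91',
            '144.76.173.247', '217.12.206.197', '195.123.226.167'}

# Constructed proxy log lines: src|method|url|user-agent|body ('-' = no body).
# The hwid/pid/lid field names are hypothetical stand-ins for the HWID,
# packet ID and attacker ID the report says are appended to each request.
SAMPLE_LOG = [
    '10.0.0.5|POST|http://77.73.134.68/c2sock|TeslaBrowser/5.5|hwid=ABC123&pid=1&lid=bob',
    '10.0.0.5|GET|https://www.dropbox.com/s/abc/deal.zip|Mozilla/5.0 (Windows NT 10.0)|-',
    '10.0.0.9|POST|http://45.9.74.78/c2sock|Mozilla/5.0 (Windows NT 10.0)|hwid=DEF456&pid=2&lid=eve',
    '10.0.0.7|POST|http://unknown.example/c2sock|TeslaBrowser/5.5|-',
]


def parse_line(line):
    # Split one constructed log line into its fields.
    src, method, url, ua, body = line.split('|', 4)
    parts = urlsplit(url)
    return {'src': src, 'method': method, 'host': parts.hostname,
            'path': parts.path, 'ua': ua, 'body': '' if body == '-' else body}


def score(req, known_c2):
    # Return the names of the indicators a request matches. Each trait alone
    # is weak (a UA can change, an IP can rotate); the caller requires two.
    hits = []
    if req['method'] == 'POST' and req['path'] == C2_PATH:
        hits.append('c2sock_post')
    if UA_MARKER in req['ua'].lower():
        hits.append('tesla_ua')
    if req['host'] in known_c2:
        hits.append('known_c2_ip')
    return hits


def extract_ids(body):
    # Pull the victim HWID, packet ID and attacker ID out of the request body
    # so an alert can be pivoted to the specific campaign and victim.
    q = parse_qs(body)
    return {k: q[k][0] for k in ('hwid', 'pid', 'lid') if k in q}


def detect(lines, known_c2):
    # Alert on any request matching at least two indicators. This still
    # catches a new C2 IP (UA + path) and a changed UA (path + known IP).
    alerts = []
    for line in lines:
        req = parse_line(line)
        hits = score(req, known_c2)
        if len(hits) >= 2:
            alerts.append({'src': req['src'], 'host': req['host'],
                           'hits': hits, 'ids': extract_ids(req['body'])})
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG, KNOWN_C2):
        print(alert)
```

Run as a script it prints three alerts: the first request matches all three indicators, the third is caught by path plus known C2 address even though the User-Agent was changed, and the fourth is caught by path plus User-Agent although its host is not in the IoC list. The Dropbox download is not flagged. Requiring two independent traits is what keeps the rule useful after the operator rotates infrastructure or the UA string.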
The Admin Panel of Lumma Stealer is shown below. As explained in the forum advertisement, the panel provides functions such as infection statistics by country, infection status, the number of stolen items, and log file downloads.\r\nFigure 10. Lumma Stealer Admin Panel\r\nConclusion\r\nLumma Stealer is malware written in C that steals user credentials from infected systems.\r\nThe Lumma Stealer seller has been updating it continuously since April 2022 and organizes Telegram channels by purpose.\r\nLumma Stealer has been distributed from phishing sites disguised as legitimate software and via phishing emails; in this case the victim’s YouTube channel was changed to an advertisement for Tesla.\r\nTo prevent infection and minimize damage, users are advised to block automatic redirection and pop-ups, verify that the software download site is legitimate, and change passwords regularly.\r\nLatest trends regarding Lumma Stealer\r\nOn Feb 22, 2023, Lumma Stealer was distributed from a phishing site disguised as ChatGPT.\r\nOn Feb 06, 2023, Lumma Stealer was distributed via a phishing email disguised as a game company.\r\nOn Jan 31, 2023, Lumma Stealer was distributed from phishing sites disguised as VLC downloads.\r\nOn Dec 22, 2022, a LummaC2 Stealer promotion was posted in the forum.\r\nOn Aug 16, 2022, a LummaC Stealer promotion was posted in the forum.\r\nOn Apr 25, 2022, a 7.62mm Stealer promotion was posted in the 
forum.\r\nIoCs\r\nFile hashes (MD5 and SHA-256)\r\n17a9e53240082bd288d35b02986769a0\r\nd18a31b0b3d20a86fc0647d7f47332d648499d52eee68d34857eec61f3b042ce\r\n817ee46423164cf2502ae2accffecaa1\r\n350edaca28b1572c31165431bafc7d1e0552c45f3186ffa039de33a58e55144e\r\nefb9b1da0d5db39485c469cd5fe3aa1e\r\ncdfecffbdda4075ee4eae8b44c3740b2450c64564d949a84a7f707d3d1a32449\r\n5aac51312dfd99bf4e88be482f734c79\r\n9b742a890aff9c7a2b54b620fe5e1fcfa553648695d79c892564de09b850c92b\r\n9cd90bc5d586721862744403d80debfc\r\n351366b6c0522c8d7454173844b7d2420b33ef245f5c7f6c8f72dd6e2c6a7571\r\n11b6c32ffdb72904d0813e7df93cef79\r\n1beadc5a862d28e69431756324b07aa61d8a077f60f81c72bc3ff324b415e3c6\r\n2bc31e3b4d6623e6053b4b77a1bce062\r\nc466284d938e9d9d40b785c346e142762f3069cc0f69bbfb81f6d5c59e720bb3\r\nec89c94613bf3208d975b9b3c758f81d\r\n89fe11874357f3fbf17e938d91957f8c4a0291853dd7f5f10077b6144162ad04\r\nc265357447e7e4910769b1817d6277cb\r\n61a9884307317bbd93aad885dc646aebbcbeb840616e36f1be314af9bcce4284\r\n16685b20847f33924fb8d849229c41f0\r\n81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21\r\n254d7550e25a597539d67ffd01e3f1bd\r\ne57cfd368ad71d81543c22d1e12ef620eca6677254556cc00375fda768f2487f\r\n1e085b39d5dae93c6f5e6f4ef31e211e\r\n0f40b111497b78b928a42f3c4f2e0c988be7ee5b3b0d523300685b75a2aadf06\r\n24c3a967a34b6657e3f84bab979d5f67\r\n72d6cd338baba81b7cef1bcd1ea4eed199adcce0ac57fe1e674527ad7258ea8d\r\nc9c0e32e00d084653db0b37a239e9a34\r\nd932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264\r\neb99b5d6ca92e932c02a8108a7512bf3\r\nf33e6f4e62b30c7e4b74c5ec9710f8481853300e1da16056efc85c01475d8913\r\n6908f7af68011665fbe453a628171101\r\n0f86014f6c59f187274a7467a58b4fd4c7f8816bd8efa12af08eb0169333897f\r\n53200921c95e7e4ce8c9959d06870416\r\nf8e52c2fd7447d6eb87394f70c6f9d6c0290ffa16bd5833b390790a1521133bd\r\n25110b76d4543e7dcd9b9737fb47005c\r\n004f2b62840a91b011eaaafbcc429b374835b9274610f89c6a9ef6f9bfdde768\r\nfc146adbe18d3cbdd7989a02b7bcc761\r\n5aebbe7f3cee0b66e325844bfc4837a7dc36831c4b0d7201520b07530a2ad881\r\n358e7b13098e126d884b121217d10fce\r\n066fe4bb2fe09cad7df4e01f0eacc046faa304c9eb76812a636811acb44e936d\r\nC\u0026C URLs\r\nhxxp[:]//77[.]73[.]134[.]68/c2sock\r\nhxxp[:]//45[.]9[.]74[.]78/c2sock\r\nhxxp[:]//195[.]123[.]226[.]91/c2sock\r\nhxxp[:]//144[.]76[.]173[.]247/c2sock\r\nhxxp[:]//217[.]12[.]206[.]197/c2sock\r\nhxxp[:]//195[.]123[.]226[.]167/c2sock\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nDrive-by Compromise (T1189)\r\nSpearphishing Link (T1566.002)\r\nExecution\r\nUser Execution (T1204)\r\nDefense Evasion\r\nDeobfuscate/Decode Files or Information (T1140)\r\nCredential Access\r\nCredentials from Password Stores: Credentials from Web Browsers (T1555.003)\r\nUnsecured Credentials: Credentials In Files (T1552.001)\r\nDiscovery\r\nSystem Information Discovery (T1082)\r\nCommand and Control\r\nApplication Layer Protocol (T1071)\r\nExfiltration\r\nExfiltration Over C2 Channel (T1041)\r\nReference\r\nhttps://www.youtube.com/watch?v=LI9fwFEU8z0\r\nSource: https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7"
	],
	"report_names": [
		"lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434023,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbf02d3fd3007990d1ac17d04bafe76173cd2aa7.pdf",
		"text": "https://archive.orkl.eu/cbf02d3fd3007990d1ac17d04bafe76173cd2aa7.txt",
		"img": "https://archive.orkl.eu/cbf02d3fd3007990d1ac17d04bafe76173cd2aa7.jpg"
	}
}