{
	"id": "ae2423f4-5542-45fc-80c7-113b387debe3",
	"created_at": "2026-04-06T00:12:55.668604Z",
	"updated_at": "2026-04-10T03:37:09.065769Z",
	"deleted_at": null,
	"sha1_hash": "cbf8b9501fa0f68f2fe596e8d4423cea59c79420",
	"title": "Mars Stealer: Oski refactoring",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 572283,
	"plain_text": "Mars Stealer: Oski refactoring\r\nBy 3xp0rt\r\nPublished: 2022-02-01 · Archived: 2026-04-05 17:01:21 UTC\r\nAnalysis of a new malware called Mars Stealer, which is a further development of Oski Stealer.\r\nIt has been noticed that Oski support stopped answering its customers and deleted its Telegram account and bot around July 2, 2020. This disappearance has raised eyebrows, as major projects like KPOT Stealer and Predator The Thief don’t usually just go away.\r\nRecently, I came across a sample of Mars Stealer, which appears to be an upgraded version of Oski Stealer. Since Mars Stealer is gaining popularity, I have decided to write a technical analysis of this stealer. Enjoy reading!\r\nMars Stealer is written in ASM/C using the WinAPI and weighs 95 KB. It hides its WinAPI calls (the imports are resolved at run time rather than listed in the import table), encrypts its strings, collects the stolen data in memory, talks to the C\u0026C over an SSL-secured connection, and does not use the CRT or the C++ standard library.\r\nBrowsers (supports the Chrome 80+ credential format):\r\nInternet Explorer, Microsoft Edge (Chromium version), Kometa, Amigo, Torch, Orbitum, Comodo Dragon, Nichrome, Maxthon5, Maxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, CyberFox, BlackHawk, IceCat, K-Meleon, Thunderbird.\r\nCrypto extensions:\r\nTronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, NeoLine, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet.\r\n2FA plugins:\r\nAuthenticator, Authy, 
EOS Authenticator, GAuth Authenticator, Trezor Password Manager.\r\nCrypto wallets:\r\nBitcoin Core and all derivatives (Dogecoin, Zcash, DashCore, LiteCoin, etc.), Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance, Coinomi.\r\nComputer information:\r\nhttps://3xp0rt.com/posts/mars-stealer\r\nPage 1 of 17\r\nIP and country\r\nWorking path to the EXE file\r\nLocal time and time zone\r\nSystem language\r\nKeyboard layout language\r\nNotebook or desktop\r\nProcessor model\r\nComputer name\r\nUser name\r\nComputer domain name\r\nMachine ID\r\nGUID\r\nInstalled software and versions\r\nAdditional functionality:\r\nFile grabber\r\nLoader\r\nMost strings are encrypted with a combination of RC4 and Base64: the stored form is Base64 text that decodes to RC4 ciphertext. The RC4 key is held in the decrypt_key variable, which is set in the run-time dynamic linking routine; in this sample the key is 86223203794583053453.\r\nThe first function called from WinMain sets the decryption key for the encrypted strings and also holds the unencrypted strings, which are the names of the WinAPI functions needed for run-time dynamic linking.\r\nMars obtains the base address of kernel32.dll by walking the PEB's InLoadOrderModuleList, which normally holds kernel32 as its third entry (the entry's DllBase field is at offset 0x18 on 32-bit Windows). With the base address in hand, it parses the PE export table of the DLL and loops over the exported functions to find LoadLibraryA() and GetProcAddress().\r\nOnce it has those two kernel32 functions, it calls LoadLibraryA() to load advapi32.dll and resolves GetUserNameA(), which is used by the anti-emulation check.\r\n
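\r\nAs an added example (it is not code from the original post, nor the stealer's own routine), the following Python re-implements the string-decryption scheme described above, Base64 decoding followed by RC4 with the key 86223203794583053453, the way an analyst would script it to recover strings dumped from the binary. The encrypted sample strings are constructed inside the block by running the same routine forward, since RC4 is symmetric; they are not taken from the sample.\r\n

```python
import base64

KEY = b'86223203794583053453'  # RC4 key reported for this sample


def rc4(key: bytes, data: bytes) -> bytes:
    # Key-scheduling algorithm (KSA): permute the 256-byte state with the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data byte by byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def decrypt_string(encoded: str, key: bytes = KEY) -> str:
    # Mars stores strings as Base64(RC4(plaintext)); undo the layers in reverse order.
    raw = base64.b64decode(encoded)
    return rc4(key, raw).decode('latin-1')


def encrypt_string(plain: str, key: bytes = KEY) -> str:
    # Inverse of decrypt_string; used here only to construct test data (RC4 is symmetric).
    return base64.b64encode(rc4(key, plain.encode('latin-1'))).decode('ascii')


def decrypt_all(blob: str, key: bytes = KEY) -> list:
    # Convenience for a dump with one Base64 string per line, as pulled out of a binary.
    return [decrypt_string(line.strip(), key) for line in blob.splitlines() if line.strip()]


if __name__ == '__main__':
    # Constructed sample: names the stealer resolves or compares, encrypted with the same routine.
    sample = '\n'.join(encrypt_string(s) for s in ('kernel32.dll', 'CryptStringToBinaryA', 'HAL9TH'))
    for s in decrypt_all(sample):
        print(s)
```

The block keeps RC4 as a plain function so the same routine can be pointed at a different key when another build of the stealer changes decrypt_key; only KEY needs to be swapped.\r\n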
Mars does the same with crypt32.dll, resolving CryptStringToBinaryA(), which performs the Base64 decoding step of string decryption.\r\nThe anti-debug check is a timing check. The malware stores a DWORD (4 bytes) returned by GetTickCount(), which gives the number of milliseconds elapsed since the system started, then calls Sleep() to suspend the current thread for 15000 milliseconds (15 seconds). It calls GetTickCount() again, subtracts the first value from the second and checks whether the difference is greater than 10000 milliseconds (10 seconds). If it is, the Sleep() was not skipped or shortened by a debugger or sandbox and execution continues; if not, the sample treats the environment as instrumented.\r\nAnti-emulation is used to avoid running inside the Windows Defender emulator. The malware compares the current computer name with HAL9TH and the user name with JohnDoe, the values the Defender emulator presents. If both match, the malware terminates.\r\nA locale check is used to avoid infecting machines in the Commonwealth of Independent States (CIS). GetUserDefaultLangID() returns the language identifier of the region format setting for the current user; if it matches one of the IDs below, the stealer terminates.\r\nLanguage ID Language-tag Country\r\n0x43F kk-KZ Kazakhstan\r\n0x443 uz-Latn-UZ Uzbekistan\r\n0x82C az-Cyrl-AZ Azerbaijan\r\n0x419 ru-RU Russia\r\n0x423 be-BY Belarus\r\nIf all checks pass, the malware creates a mutex with CreateMutexA() to prevent a second instance. The mutex name is the same string as the string-decryption key, although the two are stored in different variables. 
It then calls GetLastError(): if the error code is 183 (ERROR_ALREADY_EXISTS), the mutex already existed, another instance is running, and the malware exits.\r\nThe compilation_date variable contains 28/08/2021 00:00:00. The month in this date is the build month plus one, so the malware refuses to run more than a month after it was compiled. Accordingly, this sample was compiled not on 28/08/2021 but on 28/07/2021.\r\nMars uses GetSystemTime() to fill a SYSTEMTIME struct with the current time, then calls sscanf() to parse the stored compilation date. SystemTimeToFileTime() converts both the current date and the stored date from system time to FILETIME format, so they can be compared as 64-bit values.\r\nIf the current file time is greater than the stored (shifted) compilation time, the malware calls ExitProcess() to finish the process.\r\nWhen stealing Gecko browser credentials, the malware makes 6 requests with the WinINet library to download its dependencies from the public folder and saves them in the ProgramData folder; sqlite3.dll is downloaded earlier, before the Chromium stealing starts. 
At the end of execution, the malware deletes the downloaded DLLs and exits.\r\nMars steals credentials from Chromium and Gecko browsers by static paths, so it supports only the most popular ones.\r\nBrowser name Browser folder\r\nChrome %localappdata%\\Google\\Chrome\\User Data\r\nChromium %localappdata%\\Chromium\\User Data\r\nMicrosoft Edge %localappdata%\\Microsoft\\Edge\\User Data\r\nKometa %localappdata%\\Kometa\\User Data\r\nAmigo %localappdata%\\Amigo\\User Data\r\nTorch %localappdata%\\Torch\\User Data\r\nOrbitum %localappdata%\\Orbitum\\User Data\r\nComodo Dragon %localappdata%\\Comodo\\Dragon\\User Data\r\nNichrome %localappdata%\\Nichrome\\User Data\r\nMaxthon5 %localappdata%\\Maxthon5\\Users\r\nSputnik %localappdata%\\Sputnik\\User Data\r\nEpic Privacy Browser %localappdata%\\Epic Privacy Browser\\User Data\r\nVivaldi %localappdata%\\Vivaldi\\User Data\r\nCocCoc %localappdata%\\CocCoc\\Browser\\User Data\r\nUran %localappdata%\\uCozMedia\\Uran\\User Data\r\nQIP Surf %localappdata%\\QIP Surf\\User Data\r\nCent Browser %localappdata%\\CentBrowser\\User Data\r\nElements Browser %localappdata%\\Elements Browser\\User Data\r\nTorBro %localappdata%\\TorBro\\Profile\r\nCryptoTab Browser %localappdata%\\CryptoTab Browser\\User Data\r\nBrave %localappdata%\\BraveSoftware\\Brave-Browser\\User Data\r\nOpera %appdata%\\Opera Software\\Opera Stable\\\r\nOpera GX %appdata%\\Opera Software\\Opera GX Stable\\\r\nOpera Neon %appdata%\\Opera Software\\Opera Neon\\User Data\r\nFirefox %appdata%\\Mozilla\\Firefox\\Profiles\\\r\nSlimBrowser %appdata%\\FlashPeak\\SlimBrowser\\Profiles\r\nPale Moon %appdata%\\Moonchild Productions\\Pale Moon\\Profiles\\\r\nWaterfox %appdata%\\Waterfox\\Profiles\\\r\nCyberfox %appdata%\\8pecxstudios\\Cyberfox\\Profiles\\\r\nBlackHawk 
%appdata%\\NETGATE Technologies\\BlackHawk\\Profiles\\\r\nIceCat %appdata%\\Mozilla\\icecat\\Profiles\\\r\nK-Meleon %appdata%\\K-Meleon\\\r\nThunderbird %appdata%\\Thunderbird\\Profiles\\\r\nThe malware also targets 2FA and crypto extensions, but only in Chromium-based browsers (Opera, although Chromium-based, is the exception).\r\nType Extension name Extension id\r\nCrypto TronLink ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nCrypto MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn\r\nCrypto Binance Chain Wallet fhbohimaelbohpjbbldcngcnapndodjp\r\nCrypto Yoroi ffnbelfdoeiohenkjibnmadjiehjhajb\r\nCrypto Nifty Wallet jbdaocneiiinmjbjlgalhcelgbejmnid\r\nCrypto Math Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nCrypto Coinbase Wallet hnfanknocfeofbddgcijnmhnfnkdnaad\r\nCrypto Guarda hpglfhgfnhbgpjdenjgmdgoeiappafln\r\nCrypto EQUAL Wallet blnieiiffboillknjnepogjhkgnoapac\r\nCrypto Jaxx Liberty cjelfplplebdjjenllpjcblmjkfcffne\r\nCrypto BitApp Wallet fihkakfobkmkjojpchpfgcmhfjnmnfpi\r\nCrypto iWallet kncchdigobghenbbaddojjnnaogfppfj\r\nCrypto Wombat amkmjjmmflddogmhpjloimipbofnfjih\r\nCrypto MEW CX nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nCrypto GuildWallet nanjmdknhkinifnkgdcggcfnhdaammmj\r\nCrypto Saturn Wallet nkddgncdjgjfcddamfgcmfnlhccnimig\r\nCrypto Ronin Wallet fnjhmkhhmkbjkkabndcnnogagogbneec\r\nCrypto NeoLine cphhlgmgameodnhkjdmkpanlelnlohao\r\nCrypto Clover Wallet nhnkbkgjikgcigadomkphalanndcapjk\r\nCrypto Liquality Wallet kpfopkelmapcoipemfendmdcghnegimn\r\nCrypto Terra Station aiifbnbfobpmeekipheeijimdpnlpgpp\r\nCrypto Keplr dmkamcknogkgcdfhhbddcghachkejeap\r\nCrypto Sollet fhmfendgdocmcbmfikdcogofphimnkno\r\nCrypto Auro Wallet cnmamaachppnkjgnildpdmkaakejnhae\r\nCrypto Polymesh Wallet jojhfeoedkpkglbfimdfabpdfjaoolaf\r\nCrypto ICONex flpiciilemghbmfalicajoolhkkenfel\r\nCrypto Nabox Wallet 
nknhiehlklippafakaeklbeglecifhad\r\nCrypto KHC hcflpincpppdclinealmandijcmnkbgn\r\nCrypto Temple ookjlbkiijinhpmnjffcofjonbfbgaoc\r\nCrypto TezBox mnfifefkajgofkcjkemidiaecocnkjeh\r\nCrypto Cyano Wallet dkdedlpgdmmkkfjabffeganieamfklkm\r\nCrypto Byone nlgbhdfgdhgbiamfdfmbikcdghidoadd\r\nCrypto OneKey infeboajgfhgbjpjbeppbkgnabfdkdaf\r\nCrypto LeafWallet cihmoadaighcejopammfbmddcmdekcje\r\nCrypto DAppPlay lodccjjbdhfakaekdiahmedfbieldgik\r\nCrypto BitClip ijmpgkjfkbfhoebgogflfebnmejmfbml\r\nCrypto Steem Keychain lkcjlnjfpbikmcmbachjpdbijejflpcm\r\nCrypto Nash Extension onofpnbbkehpmmoabgpcpmigafmmnjhl\r\nCrypto Hycon Lite Client bcopgchhojmggmffilplmbdicgaihlkp\r\nCrypto ZilPay klnaejjgbibmhlephnhpmaofohgkpgkd\r\nCrypto Coin98 Wallet aeachknmefphepccionboohckonoeemg\r\n2FA Authenticator bhghoamapcdpbohphigoooaddinpkbai\r\n2FA Authy gaedmjdfmmahhbjefcbgaolhhanlaolb\r\n2FA EOS Authenticator oeljdldpnmdbchonielidgobddffflal\r\n2FA GAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl\r\n2FA Trezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk\r\nThe malware also targets multiple desktop wallets, which store sensitive data in files such as wallet.dat: the address, the private key that controls that address, and other data.\r\nWallet name Wallet folder Regex\r\nEthereum %appdata%\\Ethereum\\ keystore\r\nElectrum %appdata%\\Electrum\\wallets\\ .\r\nElectrum LTC %appdata%\\Electrum-LTC\\wallets\\ .\r\nExodus %appdata%\\Exodus\\ exodus.conf.json, window-state.json, \\Exodus\\exodus.wallet\\, passphrase.json, seed.seco, info.seco\r\nElectron Cash %appdata%\\ElectronCash\\wallets\\ default_wallet\r\nMultiDoge %appdata%\\MultiDoge\\ multidoge.wallet\r\nJaxx %appdata%\\jaxx\\Local Storage\\ file__0.localstorage\r\nAtomic %appdata%\\atomic\\Local Storage\\leveldb\\ 000003.log, CURRENT, LOCK, 
LOG, MANIFEST.000001, 0000*\r\nBinance %appdata%\\Binance\\ app-store.json\r\nCoinomi %localappdata%\\Coinomi\\Coinomi\\wallets\\ *.wallet, *.config\r\nMars has a custom file grabber with several functions. First, the malware requests its configuration from the C\u0026C and receives it in the response. A grabber config entry has the form name|max_size|path|formats|recursively| (entry name, maximum file size, directory path, file formats, and a recursion flag). setup_grabber() then splits the entry with strtok(), rebuilds the pieces with lstrcatA(), and calls grabber(), which collects the matching files.\r\nThe loader config arrives in the response to the log upload. It has the form link|load_to|startup_param| (download link, path where the downloaded file is saved, and start-up parameters). The stealer calls download_file() to fetch the file, parses the config parameters with strtok() and lstrcatA(), and calls ShellExecuteExA() to run the downloaded executable.\r\nFinally, the malware obtains its own path with GetModuleFileName() and calls ShellExecuteExA() to run cmd.exe with the parameters /c timeout /t 5 \u0026 del /f /q \\\"%s\\\" \u0026 exit, where %s is that path. After 5 seconds cmd.exe deletes the stealer's executable.\r\nMars Stealer is an improved version of Oski Stealer. An anti-debug check and crypto-extension stealing have been added, but Outlook stealing is missing. The code has been refactored, but some of the algorithms remain as crude as in Oski Stealer. 
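\r\nAs an added example (not the stealer's code and not from the original post), the following Python parses the two C\u0026C response formats described above, the grabber config name|max_size|path|formats|recursively| and the loader config link|load_to|startup_param|, the way an analyst would to read captured responses. Everything beyond the field names is an assumption made here: the meaning attached to each field, the comma-separated extension list, the 1/0 recursion flag, one entry per line, and the sample responses, which are constructed rather than captured.\r\n

```python
from dataclasses import dataclass
from typing import List

# Field layouts as given in the analysis; the meanings in the comments are assumptions.
GRABBER_FIELDS = ('name', 'max_size', 'path', 'formats', 'recursively')
LOADER_FIELDS = ('link', 'load_to', 'startup_param')


@dataclass
class GrabberRule:
    name: str           # label for the rule
    max_size: int       # assumed upper bound on file size
    path: str           # directory to search, may contain %variables%
    formats: List[str]  # extensions to collect, assumed comma-separated
    recursively: bool   # assumed to be 1 or 0


@dataclass
class LoaderTask:
    link: str           # download URL
    load_to: str        # path where the downloaded file is saved
    startup_param: str  # command-line parameters passed at launch


def split_entries(response: str, nfields: int) -> List[List[str]]:
    # Each entry is nfields pipe-terminated values; the trailing pipe leaves an empty
    # remainder which is dropped. Entries are assumed to be separated by newlines.
    entries = []
    for line in response.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split('|')
        if parts[-1] == '':
            parts = parts[:-1]
        if len(parts) != nfields:
            raise ValueError('malformed entry: ' + line)
        entries.append(parts)
    return entries


def parse_grabber_config(response: str) -> List[GrabberRule]:
    rules = []
    for name, max_size, path, formats, recursively in split_entries(response, len(GRABBER_FIELDS)):
        rules.append(GrabberRule(
            name=name,
            max_size=int(max_size),
            path=path,
            formats=[f.strip().lstrip('.').lower() for f in formats.split(',') if f.strip()],
            recursively=recursively.strip() == '1',
        ))
    return rules


def parse_loader_config(response: str) -> List[LoaderTask]:
    return [LoaderTask(*fields) for fields in split_entries(response, len(LOADER_FIELDS))]


def grabber_matches(rule: GrabberRule, filename: str, size: int) -> bool:
    # Would this file be collected under the rule? Extension and size checks only;
    # the directory walk itself is outside the scope of the example.
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    return size <= rule.max_size and (ext in rule.formats or '*' in rule.formats)


# Constructed sample responses in the documented layouts (not captured traffic).
SAMPLE_GRABBER = 'desktop_docs|1024|%userprofile%\\Desktop|txt,doc,pdf|1|\nwallet_dat|5000|%appdata%|dat|0|\n'
SAMPLE_LOADER = 'http://example.invalid/update.exe|%temp%\\update.exe|/silent|\n'

if __name__ == '__main__':
    for rule in parse_grabber_config(SAMPLE_GRABBER):
        print(rule)
    for task in parse_loader_config(SAMPLE_LOADER):
        print(task)
```

One caveat when comparing this with the stealer's own behaviour: it parses with strtok(), which treats consecutive delimiters as one, so an empty field in a response would shift every following field by one position. The parser here splits positionally and rejects entries with the wrong field count instead, which is the safer choice when reading operator-controlled input.\r\n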
Here you can read the detailed Oski Stealer analysis from CyberArk.\r\nTweet: Aug 9, 2021\r\nFile (MD5): 6143734a8c9cae36bfde4f4b67f3c604\r\nC\u0026C: cookreceipts.fun\r\nSource: https://3xp0rt.com/posts/mars-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://3xp0rt.com/posts/mars-stealer"
	],
	"report_names": [
		"mars-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbf8b9501fa0f68f2fe596e8d4423cea59c79420.pdf",
		"text": "https://archive.orkl.eu/cbf8b9501fa0f68f2fe596e8d4423cea59c79420.txt",
		"img": "https://archive.orkl.eu/cbf8b9501fa0f68f2fe596e8d4423cea59c79420.jpg"
	}
}