{ "id": "85ed8e16-8f6b-4dcc-9142-4064059b122d", "created_at": "2026-04-06T15:52:52.266245Z", "updated_at": "2026-04-10T03:36:47.778922Z", "deleted_at": null, "sha1_hash": "cfceade68c3a8b2e242bfa17708c1fa94eec4f25", "title": "LevelBlue - Open Threat Exchange", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 412865, "plain_text": "LevelBlue - Open Threat Exchange\r\nBy Arek-BTC\r\nArchived: 2026-04-06 15:34:06 UTC\r\nQuery Registry, Technique T1012 - Enterprise | MITRE ATT\u0026CK\u0026reg;\r\nCVE: 1 | URL: 6 | Domain: 2 | Hostname: 2\r\nAdversaries can access the Windows Registry to gather information about the operating system, configuration, and\r\ninstalled software, as well as to make modifications to the system's registry, according to a report published in the\r\nSecurity Research Institute (CTI).\r\n122 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 1 of 19\n\nMISSION2025 - APT41.\r\nCVE: 6\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 2 of 19\n\nAPT41, also known as MISSION2025, is a Chinese state-sponsored advanced persistent threat group that has been\r\nactive since at least 2012. The group is particularly focused on cyberespionage and financially motivated attacks,\r\nusing sophisticated techniques to target a wide range of industries globally. Their operations are aligned with\r\nChina's economic strategy, notably the \"Made in China 2025\" initiative, emphasizing intellectual property theft\r\nand corporate espionage.\r\n161 Subscribers\r\n841 Subscribers\r\nNew SprySOCKS Linux malware used in cyber espionage attacks\r\nCVE: 9 | FileHash-MD5: 1 | FileHash-SHA1: 1 | FileHash-SHA256: 1 | Domain: 1 | Hostname: 4\r\nA Chinese espionage-focused hacker tracked as 'Earth Lusca' was observed targeting government agencies in\r\nmultiple countries, using a new Linux backdoor dubbed 'SprySOCKS.' Trend Micro's analysis of the novel\r\nbackdoor showed that it originates from the Trochilus open-source Windows malware, with many of its functions\r\nported to work on Linux systems. However, the malware appears to be a mixture of multiple malware as the\r\nSprySOCKS' command and control server (C2) communication protocol is similar to RedLeaves, a Windows\r\nbackdoor. In contrast, the implementation of the interactive shell appears to have been derived from Derusbi, a\r\nLinux malware.\r\n431 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 3 of 19\n\nNew SprySOCKS Linux malware used in cyber espionage attacks\r\nFileHash-MD5: 2 | FileHash-SHA1: 2 | FileHash-SHA256: 4 | URL: 1 | Hostname: 2\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 4 of 19\n\nA round-up of interesting technology-related links shared over the past week, as well as the latest developments in\r\nthe fight against cyber espionage, malware and other malware. £1.\r\n47 Subscribers\r\n841 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 5 of 19\n\n52 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 6 of 19\n\n181 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 7 of 19\n\nEarth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement\r\nCVE: 9 | FileHash-SHA256: 4 | Hostname: 2\r\nEarth Lusca remained active during the first half of 2023, with its attacks focusing primarily on countries in\r\nSoutheast Asia, Central Asia, and the Balkans (with a few scattered attacks on Latin American and African\r\ncountries). The group’s main targets are government departments that are involved in foreign affairs, technology,\r\nand telecommunications.\r\n374,261 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 8 of 19\n\n44 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 9 of 19\n\nAPT-41\r\nCIDR: 1 | CVE: 6 | FileHash-MD5: 52 | FileHash-SHA1: 35 | FileHash-SHA256: 23 | Domain: 25 |\r\nHostname: 3\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 10 of 19\n\nAPT-41\r\n40 Subscribers\r\n37 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 11 of 19\n\nGhostEmperor: From ProxyLogon to kernel mode\r\nFileHash-MD5: 10 | FileHash-SHA1: 6 | FileHash-SHA256: 6 | Domain: 7 | Hostname: 4\r\nDemodex has been observed in a recent rise of attacks against Exchange servers. The malware could be used to\r\nhide and hide the source of the attack. The responsible cluster has been dubbed GhostEmperor.\r\n374,261 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 12 of 19\n\n505 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 13 of 19\n\nIdentifican nuevo programa malicioso “Biopass RAT”\r\nnvestigadores descubrieron un nuevo programa dirigido a empresas chinas de juegos de azar en línea, en donde los\r\nusuarios son engañados para descargar un programa malicioso disfrazado de instalador legítimo para aplicaciones\r\nconocidas como Adobe Flash Player o Microsoft Silverlight, pero en realidad carga un código de Cobalt Strike o\r\nun programa previamente no documentado escrito en Python, llamado “Biopass RAT”. Biopass RAT, es un nuevo\r\ntipo de troyano de acceso remoto y posee características básicas que se encuentran en otros programas maliciosos,\r\ncomo la identificación del sistema de archivos, el acceso al escritorio remoto, la filtración de documentos y la\r\nejecución de comandos. También tiene la capacidad de comprometer la información privada de sus víctimas\r\nmediante el robo de datos del navegador web y el cliente de mensajería instantánea.\r\n266 Subscribers\r\nHackers Spread BIOPASS Malware via Chinese Online Gambling Sites\r\nCybersecurity researchers are warning about a new malware that's striking online gambling companies in China\r\nvia a watering hole attack to deploy either Cobalt Strike beacons or a previously undocumented Python-based\r\nbackdoor called BIOPASS RAT that takes advantage of Open Broadcaster Software (OBS) Studio's live-streaming\r\napp to capture the screen of its victims. The attack involves deceiving gaming website visitors into downloading a\r\nmalware loader camouflaged as a legitimate installer for popular-but-deprecated apps such as Adobe Flash Player\r\nor Microsoft Silverlight, only for the loader to act as a conduit for fetching next-stage payloads. Specifically, the\r\nwebsites' online support chat pages are booby-trapped with malicious JavaScript code, which is used to deliver the\r\nmalware to the victims.\r\n431 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 14 of 19\n\n14 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 15 of 19\n\n505 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 16 of 19\n\nLinux Derusbi, backdoor used by Chinese APT\r\nA report from Fidelis Cybersecurity highlights the use of a 64-bit Linux variant of the Derusbi malware used in a\r\nseries of high-profile cyber-attacks in the United States.\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 17 of 19\n\n354 Subscribers\r\n462 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 18 of 19\n\nSource: https://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Derusbi\r\nPage 19 of 19\n\nNew SprySOCKS Linux malware https://otx.alienvault.com/browse/pulses?q=tag:Derusbi used in cyber espionage attacks \nFileHash-MD5: 2 | FileHash-SHA1: 2 | FileHash-SHA256: 4 | URL: 1 | Hostname: 2\n Page 4 of 19", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://otx.alienvault.com/browse/pulses?q=tag:Derusbi" ], "report_names": [ "pulses?q=tag:Derusbi" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "f0eca237-f191-448f-87d1-5d6b3651cbff", "created_at": "2024-02-06T02:00:04.140087Z", "updated_at": "2026-04-10T02:00:03.577326Z", "deleted_at": null, "main_name": "GhostEmperor", "aliases": [ "OPERATOR PANDA", "FamousSparrow", "UNC2286", "Salt Typhoon", "RedMike" ], "source_name": "MISPGALAXY:GhostEmperor", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff", "created_at": "2024-12-28T02:01:54.899899Z", "updated_at": "2026-04-10T02:00:04.880446Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Earth Estries", "FamousSparrow", "GhostEmperor", "Operator Panda", "RedMike", "Salt Typhoon", "UNC2286" ], "source_name": "ETDA:Salt Typhoon", "tools": [ "Agentemis", "Backdr-NQ", "Cobalt Strike", "CobaltStrike", "Crowdoor", "Cryptmerlin", "Deed RAT", "Demodex", "FamousSparrow", "FuxosDoor", "GHOSTSPIDER", "HemiGate", "MASOL RAT", "Mimikatz", "NBTscan", "NinjaCopy", "ProcDump", "PsExec", "PsList", "SnappyBee", "SparrowDoor", "TrillClient", "WinRAR", "Zingdoor", "certutil", "certutil.exe", "cobeacon", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775490772, "ts_updated_at": 1775792207, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/cfceade68c3a8b2e242bfa17708c1fa94eec4f25.pdf", "text": "https://archive.orkl.eu/cfceade68c3a8b2e242bfa17708c1fa94eec4f25.txt", "img": "https://archive.orkl.eu/cfceade68c3a8b2e242bfa17708c1fa94eec4f25.jpg" } }