Threat Group Cards: A Threat Actor Encyclopedia

Archived: 2026-04-05 17:29:20 UTC

Tool: OLDBAIT

Names: OLDBAIT, Sasfis
Category: Malware
Type: Credential stealer

Description

(FireEye) OLDBAIT is a credential harvester that installs itself in %ALLUSERPROFILE%\\Application Data\Microsoft\MediaPlayer\updatewindws.exe. There is a missing space in the MediaPlayer directory and the filename is missing the ‘o’ character. Both the internal strings and logic are obfuscated and are unpacked at startup.

Credentials for the following applications are collected:
• Internet Explorer
• Mozilla Firefox
• Eudora
• The Bat! (an email client made by a Moldovan company)
• Becky! (an email client made by a Japanese company)

Both email and HTTP can be used to send out the collected credentials.

Note: In some places it is mistakenly named Sasfis, which however seems to be a completely different and unrelated malware family.

Information: MITRE ATT&CK, Malpedia

Last change to this tool card: 29 December 2022

All groups using tool OLDBAIT

APT groups

| Changed | Name | Country | Observed |
| | Sofacy, APT 28, Fancy Bear, Sednit | | 2004-Apr 2025 |

1 group listed (1 APT, 0 other, 0 unknown)

Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=487c6c1a-4baa-4586-85fb-032677f460be