{
	"id": "adc54dd7-9686-45ca-873d-81a833abd3e0",
	"created_at": "2026-04-06T00:06:29.005137Z",
	"updated_at": "2026-04-10T03:36:48.083409Z",
	"deleted_at": null,
	"sha1_hash": "d34915f879ba3d34ea09b59990b795be96c02643",
	"title": "Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1810072,
	"plain_text": "Talos uncovers espionage campaigns targeting CIS countries,\r\nembassies and EU health care agency\r\nBy Asheer Malhotra\r\nPublished: 2023-03-14 · Archived: 2026-04-02 12:41:25 UTC\r\nTuesday, March 14, 2023 07:00\r\nCisco Talos has identified a new threat actor, which we are naming “YoroTrooper,” that has been running\r\nseveral successful espionage campaigns since at least June 2022.\r\nYoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan\r\nand other Commonwealth of Independent States (CIS), based on our analysis. We also observed\r\nYoroTrooper compromise accounts from at least two international organizations: a critical European Union\r\n(EU) health care agency and the World Intellectual Property Organization (WIPO). Successful\r\ncompromises also included Embassies of European countries including Azerbaijan and Turkmenistan. We\r\nassess the actor also likely targets other organizations across Europe and Turkish (Türkiye) government\r\nagencies.\r\nInformation stolen from successful compromises includes credentials from multiple applications, browser\r\nhistories \u0026 cookies, system information and screenshots.\r\nYoroTrooper’s main tools include Python-based, custom-built and open-source information stealers, such\r\nas the Stink stealer wrapped into executables via the Nuitka framework and PyInstaller. For remote access,\r\nYoroTrooper has also deployed commodity malware, such as AveMaria/Warzone RAT, LodaRAT and\r\nMeterpreter.\r\nThe infection chain consists of malicious shortcut files (LNKs) and optional decoy documents wrapped in\r\nmalicious archives delivered to targets. 
The actor appears intent on exfiltrating documents and other\r\ninformation, likely for use in future operations.\r\nhttps://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/\r\nPage 1 of 15\n\nIntroducing YoroTrooper\r\nThis new threat actor we are naming “YoroTrooper” has been targeting governments across Eastern Europe since\r\nat least June 2022, and Cisco Talos has found three different activity clusters with overlapping infrastructure that\r\nare all linked to the same threat actor. Cisco Talos does not have a full overview of this threat actor, as we were\r\nable to collect varying amounts of detail in each campaign. In some cases, for instance, we were able to fully\r\nprofile a campaign, while in other cases, we only identified the infrastructure or compromised data.\r\nOur assessment is that the operators of this threat actor are Russian language speakers, but not necessarily living\r\nin Russia or Russian nationals since their victimology consists mostly of countries in the Commonwealth of\r\nIndependent States (CIS). There are also snippets of Cyrillic in some of their implants, indicating that the actor is\r\nfamiliar with the language. Also, in some cases, the attackers are targeting Russian language endpoints (with Code\r\nPage 866), indicating a targeting of individuals speaking that specific language.\r\nEspionage is the main motivation for this threat actor, according to the tactics, techniques and procedures (TTPs)\r\nwe have analyzed. To trick their victims, the threat actor either registers malicious domains and then generates\r\nsubdomains or registers typo-squatted domains similar to legitimate domains from CIS entities to host malicious\r\nartifacts. 
The table below contains some of the domains created by this actor.\r\nMalicious subdomain | Legitimate domain | Entity\r\nmail[.]mfa[.]gov[.]kg[.]openingfile[.]net | mfa[.]gov[.]kg | Kyrgyzstan’s Ministry of Foreign Affairs\r\nakipress[.]news | akipress[.]com | AKI Press News Agency (Kyrgyzstan-based)\r\nmaileecommission[.]inro[.]link | commission[.]europa[.]eu | European Commission’s email\r\nsts[.]mfa[.]gov[.]tr[.]mypolicy[.]top | mfa[.]gov[.]tr | Turkey’s Ministry of Foreign Affairs\r\nindustry[.]tj[.]mypolicy[.]top | industry[.]tj | Tajikistan’s Ministry of Industry and New Technologies\r\nmail[.]mfa[.]az-link[.]email | mail[.]mfa[.]az | Azerbaijan’s Ministry of Foreign Affairs\r\nbelaes[.]by[.]authentication[.]becloud[.]cc | belaes[.]by | Belarusian Nuclear Power Plant (Astravets)\r\nbelstat[.]gov[.]by[.]attachment-posts[.]cc | belstat[.]gov[.]by | National Statistical Committee of Belarus\r\nminsk[.]gov[.]by[.]attachment-posts[.]cc | minsk[.]gov[.]by | Official Website of the Government of Minsk (Belarus)\r\nThe initial attack vectors are phishing emails with a file attached, which usually consists of an archive containing\r\ntwo files: a shortcut file and a decoy PDF file. The shortcut file is the initial trigger for the infection, while the\r\nPDF is the lure to make the infection look legitimate. The campaigns are detailed in the section\r\nbelow.\r\nRegarding YoroTrooper’s toolset, the actor uses several commodity remote access trojans (RAT) and credential\r\nstealers. For RATs, we have seen the usage of AveMaria/Warzone RAT, LodaRAT, and a custom-built implant\r\nbased on Python. Credential stealers used by YoroTrooper are either custom scripts, which in some cases are based\r\non the open-sourced Lazagne project, or commodity stealers such as the Stink stealer. 
All the Python-based\r\nmalware used in the campaign is wrapped up into an executable using frameworks such as Nuitka or PyInstaller.\r\nThe custom implants (stealers and RATs) use Telegram bots to exfiltrate information or receive commands from\r\nthe operator.\r\nSuccessful infections and breaches by YoroTrooper\r\nOur analysis has shown that YoroTrooper successfully obtained access to credentials of at least one account from a\r\ncritical EU health care agency’s internet-exposed system and another from the World Intellectual Property\r\nOrganization (WIPO). However, it is unclear if the threat actors targeted these institutions specifically via such\r\nphishing domains or if the credentials were compromised because they belong to users from a specific list of\r\ntargeted countries in Europe. We found malicious domains masquerading as those of legitimate European Union\r\ngovernment agencies, such as “maileecommission[.]inro[.]link”, which indicates that other European institutions\r\nwere targeted.\r\nYoroTrooper also successfully compromised embassies belonging to Turkmenistan and Azerbaijan, where the\r\noperators attempted to exfiltrate documents of interest and deploy additional malware.\r\nTypically, YoroTrooper employs information stealers and RATs. An analysis of their stolen data reveals a treasure\r\ntrove of information stolen from infected endpoints, such as credentials, histories and cookies for multiple\r\nbrowsers. Information such as credentials is highly valuable as it may be used either during lateral movement\r\nefforts or during subsequent YoroTrooper campaigns. 
Browsing histories can be used by a threat actor to\r\nspecifically target victims with phishing lures based on their browsing habits.\r\nYoroTrooper affiliation assessment\r\nWhile attribution can be difficult, we assess that there are no relevant overlaps between YoroTrooper and\r\nKasablanka, the group behind the development of LodaRat4Android. Our analysis on Kasablanka in 2021 was\r\nthat the operators might be different from the developers, which we can now confirm.\r\nThe overlaps with the PoetRAT team are stronger, especially on non-technical aspects of the campaigns, but there\r\nare not enough for us to link them even with a low confidence level. Cisco Talos discovered the PoetRAT team in\r\n2020 during a series of campaigns that successfully compromised Azerbaijan embassies and other government\r\nagencies.\r\nWhile there are no concrete links between operators of PoetRAT and YoroTrooper, such as infrastructure overlaps,\r\nthere are some similarities in their TTPs and victimology. Both actors use open-source tools to perform credential\r\nexfiltration and initial reconnaissance. In terms of bespoke tools, both threat actors have an affinity towards using\r\nPython-based implants, usually distributed, implemented or packed in a rather unusual way that is characteristic of\r\nthe respective threat actors. The PoetRAT team would append the Python interpreter to a malicious document that\r\nwould be extracted and used to execute the Python-based PoetRAT. YoroTrooper used the Nuitka framework to\r\npack their custom credential stealer in such a weird way that it ended up leaking the Python code rather than\r\nobfuscating it.\r\nRegarding victimology, there are some noteworthy overlaps between YoroTrooper and the PoetRAT team, who\r\nmainly target Azerbaijan, specifically their embassies, energy sector and government institutions. 
YoroTrooper is\r\nalso targeting Azerbaijan and other CIS countries, and their embassies, with a similar focus on the energy sector.\r\nKasablanka is not the sole operator of LodaRAT\r\nWhile attributing this campaign to a specific threat actor, what stuck out the most was the use of LodaRAT and its\r\nrepeated attribution to a singular threat actor called “Kasablanka” in open-source reporting. While Talos assesses\r\nthat LodaRAT is built and sometimes operated by Kasablanka, there is evidence that indicates that LodaRAT is\r\nbeing used in multiple distinct campaigns. Therefore, despite the fact that LodaRAT isn’t publicly available, either\r\nopen-sourced or for sale publicly — although one can be decompiled easily for use by any actor — our\r\nassessment is that there are multiple operators in the threat landscape employing LodaRAT. Therefore,\r\nYoroTrooper’s use of LodaRAT should not be used as the sole indicator for attribution.\r\nOur research shows that the LodaRAT samples used by YoroTrooper deviate from previous versions of the\r\nmalware employed by Kasablanka. In fact, the LodaRAT variants used by YoroTrooper are based on versions\r\nwe’ve seen being deployed in other crimeware campaigns alongside RedLine and VenomRAT, indicating\r\nLodaRAT’s availability to multiple threat actors.\r\nThis strengthens our assertion that although Kasablanka is the developer of LodaRAT and Loda4Android, it is not\r\nthe sole operator of LodaRAT, an assessment we made as early as 2021.\r\nCampaign profiles\r\nThis threat actor extensively targets CIS countries using a variety of malware deployed by a relatively simple\r\ninfection chain. 
The operators have utilized a diverse suite of malware such as:\r\nCommodity RATs and stealers: Warzone, LodaRAT and Stink stealer.\r\nCustom Python-based information stealers: Custom scripts for stealing Google Chrome browser credentials.\r\nCustom Python-based RATs (with exfiltrators): First seen in June 2022, but gained popularity with the threat actor around February 2023.\r\nReverse shells: Python and Meterpreter-based reverse shells.\r\nThe following is a timeline of the various geographies targeted by attacks in the campaign operated by\r\nYoroTrooper.\r\nTime frame | Targeted geography | Salient TTPs\r\nFebruary 2023 | Uzbekistan\r\n• Reuses Uzbekistani themed lures/decoys: Memo from energy company “UZBEKHYDROENERGO”\r\n• Deploys a custom-built Python based reverse shell and file exfiltrator with variants built via PyInstaller and Nuitka.\r\n• Uses HTA files.\r\n• Also deploys Meterpreter reverse shells in certain cases.\r\nLate January 2023 | Uzbekistan\r\n• Uses Uzbekistani themed lures/decoys: Memo from energy company “UZBEKHYDROENERGO”\r\n• Deploys Python implant - custom Python based stealer.\r\n• HTA downloads decoy and dropper implant.\r\nEarly January 2023 | Tajikistan\r\n• Uses Tajikistani themed lures: Report from Government of Tajikistan.\r\n• Deploys Python implant - custom Python based stealer.\r\n• HTA downloads decoy documents and dropper implants.\r\nDecember 2022 | Russia\r\n• Uses Russian themed lures.\r\n• Uses VHDX files containing archives and LNKs that download and activate LodaRAT.\r\nNovember 2022 | Azerbaijan\r\n• Uses Azerbaijani lures and malicious domains: mail[.]mfa[.]az-link[.]email, true[.]az-link[.]email\r\n• Deploys Python implant - Stink stealer.\r\nOctober 2022 | Belarus\r\n• IPs and domains masquerade as Belarusian domains:\r\n• 
mail[.]belaes[.]by[.]authentication[.]becloud[.]cc\r\n• One variant of HTA downloads only AveMaria/Warzone RAT.\r\n• Another variant of HTA downloads only Python based implants - Stink stealer.\r\n• No lures.\r\nSeptember 2022 | Russia\r\n• VHDX based distribution introduced.\r\n• No HTAs employed - LNKs download .NET based implants directly using curl.\r\n• Malicious subdomains masquerading (typo-squatted) as Russian government entities: rnail[.]mintrans[.]gov[.]ru[.]inro[.]link ; rnail[.]iterrf[.]ru[.]inro[.]link ; account[.]nail[.]ru[.]inro[.]link ; rnail[.]rnid[.]ru[.]inro[.]link\r\nAugust 2022 | Belarus, Russia\r\n• IPs and domains masquerade as Belarusian and Russian domains: mail[.]hse[.]ru[.]attachment-posts[.]cc ; belstat[.]gov[.]by[.]attachment-posts[.]cc ; minsk[.]gov[.]by[.]attachment-posts[.]cc\r\n• No HTAs employed - LNKs download Python based reverse shells directly using curl.\r\n• Corrupt PDFs used as lures.\r\nCampaigns infection chain\r\nThe latest infection chain from January 2023 is relatively straightforward but consists of multiple components\r\nsuch as archives, LNKs, HTAs and ultimately the final payloads:\r\nThe infection chains begin with a malicious archive (RARs or ZIPs) delivered to targets with lure document titles\r\nreferring to topics of interest to CIS nations, such as:\r\nNational_Development_Strategy.rar\r\nPresidents_Strategy_2023.rar\r\nThe campaign has also employed some generic file names such as “Nota.rar” and “вложение.rar”.\r\nWe have also observed the occasional inclusion of decoy documents in the archive files.\r\nThe malicious LNK files are simple downloaders 
that employ mshta.exe to download and execute a remote HTA\r\nfile on the infected endpoint.\r\nLNK files downloading and executing remote HTA files.\r\nThe malicious HTA files employed in this campaign have seen a steady evolution with the latest variant\r\ndownloading the next-stage payload: a malicious EXE-based dropper and a decoy document. All these tasks are\r\naccomplished by running PowerShell-based commands.\r\nMalicious HTA.\r\nCustom-built final payloads\r\nYoroTrooper has been consistently introducing new malware into their infection chains in this campaign,\r\nincluding both custom-built and commodity malware. It is worth noting that while this campaign began with the\r\ndistribution of commodity malware such as AveMaria and LodaRAT, it has evolved significantly to include\r\nPython-based malware. This highlights an increase in the efforts the threat actor is putting in, likely derived from\r\nsuccessful breaches during the course of the campaign.\r\nCustom Python RAT\r\nThe custom-built Python-based RAT is relatively simple. It uses Telegram as a medium of C2 communication and\r\nexfiltration and contains functionality to:\r\nRun arbitrary commands on the infected endpoint.\r\nUpload files of interest to the attacker to a Telegram channel via a bot.\r\nThis bot was wrapped up into a .exe either using PyInstaller or Nuitka and then deployed in the field. 
There are\r\nsome interesting observations here suggesting that the adversary may speak Russian:\r\nThe presence of Telegram messages in Russian such as: “Сохраняю в {save_dir}” or “Файл\r\nзагружен!\\nИмя”.\r\nCode that decodes the output of a command run on the system into CP866 - Code page for Cyrillic.\r\nSnippet: Python based RAT used by YoroTrooper.\r\nCustomized stealer script\r\nAnother Python-based payload distributed in January 2023 consists of a simple stealer script that will extract login\r\ndata for the Chrome browser and exfiltrate it via a Telegram bot. This custom script has likely been stitched\r\ntogether from publicly available sources, such as Lazagne:\r\nCommodity and miscellaneous malware\r\nYoroTrooper has relied heavily on the use of primarily two commodity malware families, AveMaria/Warzone RAT\r\nand LodaRAT, especially in October and November 2022. AveMaria is a highly prolific malware family available\r\nfor sale online, while LodaRAT is a RAT-based family whose authorship has been attributed to the Kasablanka\r\nthreat actor.\r\nStink stealer analysis\r\nYet another one of the final payloads found being deployed by YoroTrooper is an open-source credential stealer\r\ncalled “Stink,” which is wrapped into an executable file using the Nuitka Python compiler framework.\r\nStink has several modules for Chromium-based browsers that collect credentials, cookies and bookmarks,\r\namong other information. 
It harvests Filezilla credentials and authentication cookies from Discord and Telegram.\r\nFrom the system, the stealer will collect a screenshot, external IP address, operating system, processor, graphic\r\ncard and running processes:\r\nEach module is executed in its own process, and each process uses its own threads to speed up the\r\ninformation collection. The information is stored in a temporary directory before being compressed and\r\nexfiltrated.\r\nThe sender module is responsible for data exfiltration via a Telegram bot. As of early March, the latest version of\r\nStink Stealer 2.1.1 has an autostart configuration option that will create a link in the startup folder of the victim\r\nprofile with the name “Windows Runner.”\r\nAutostart configuration options.\r\nMiscellaneous malware\r\nApart from commodity malware, we’ve also observed YoroTrooper deploy implants serving as reverse shells\r\nagainst their targets. For example, in September 2022, we saw a simple Python-based reverse shell. This one,\r\nhowever, was missing the Cyrillic language check (CP866).\r\nAnother set of reverse shell implants that YoroTrooper occasionally uses are Meterpreter binaries that are then\r\nused to execute arbitrary commands on the infected endpoint. 
This tactic was seen being used by YoroTrooper as\r\nlate as February 2023.\r\nA C-based custom keylogger, also discovered by Talos and probably deployed by one of the final-stage payloads,\r\nrecords keystrokes and saves them to a file on disk.\r\nSnippet: Keylogger functionality.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found at our Github repository here.\r\nSource: https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/"
	],
	"report_names": [
		"yorotrooper-espionage-campaign-cis-turkey-europe"
	],
	"threat_actors": [
		{
			"id": "c416152c-d268-40a3-8887-01d2ec452b7c",
			"created_at": "2023-04-27T02:04:45.481771Z",
			"updated_at": "2026-04-10T02:00:04.987067Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Silent Lynx"
			],
			"source_name": "ETDA:YoroTrooper",
			"tools": [
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Meterpreter",
				"Nymeria",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4135989-e577-4133-bdae-a24243c832a4",
			"created_at": "2023-11-05T02:00:08.068657Z",
			"updated_at": "2026-04-10T02:00:03.396218Z",
			"deleted_at": null,
			"main_name": "Kasablanka",
			"aliases": [],
			"source_name": "MISPGALAXY:Kasablanka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "322248d6-4baf-4ada-af8e-074bc6c10132",
			"created_at": "2023-11-05T02:00:08.072145Z",
			"updated_at": "2026-04-10T02:00:03.397406Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Comrade Saiga",
				"Salted Earth",
				"Sturgeon Fisher",
				"ShadowSilk",
				"Silent Lynx",
				"Cavalry Werewolf",
				"SturgeonPhisher"
			],
			"source_name": "MISPGALAXY:YoroTrooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d34915f879ba3d34ea09b59990b795be96c02643.pdf",
		"text": "https://archive.orkl.eu/d34915f879ba3d34ea09b59990b795be96c02643.txt",
		"img": "https://archive.orkl.eu/d34915f879ba3d34ea09b59990b795be96c02643.jpg"
	}
}