{
	"id": "19f73724-aea9-430c-a340-9761bb2fe9f1",
	"created_at": "2026-04-06T00:13:41.896198Z",
	"updated_at": "2026-04-10T03:36:48.399951Z",
	"deleted_at": null,
	"sha1_hash": "d643112cfe716a94a0f25184a33e8bf86939383e",
	"title": "Satacom delivers browser extension that steals cryptocurrency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1446479,
	"plain_text": "Satacom delivers browser extension that steals cryptocurrency\r\nBy Haim Zigel\r\nPublished: 2023-06-05 · Archived: 2026-04-05 18:50:44 UTC\r\nSatacom downloader, also known as LegionLoader, is a renowned malware family that emerged in 2019. It is\r\nknown to use the technique of querying DNS servers to obtain the base64-encoded URL in order to receive the\r\nnext stage of another malware family currently distributed by Satacom. The Satacom malware is delivered via\r\nthird-party websites. Some of these sites do not deliver Satacom themselves, but use legitimate advertising plugins\r\nthat the attackers abuse to inject malicious ads into the webpages. The malicious links or ads on the sites redirect\r\nusers to malicious sites such as fake file-sharing services.\r\nIn this report we cover a recent malware distribution campaign related to the Satacom downloader. The main\r\npurpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim’s account by\r\nperforming web injections into targeted cryptocurrency websites. The malware attempts to do this by installing an\r\nextension for Chromium-based web browsers, which later communicates with its C2 server, whose address is\r\nstored in the BTC transaction data.\r\nThe malicious extension has various JS scripts to perform browser manipulations while the user is browsing the\r\ntargeted websites, including enumeration and manipulation with cryptocurrency websites. It also has the ability to\r\nmanipulate the appearance of some email services, such as Gmail, Hotmail and Yahoo, in order to hide its activity\r\nwith the victim’s cryptocurrencies shown in the email notifications.\r\nThe initial infection begins with a ZIP archive file. It is downloaded from a website that appears to mimic a\r\nsoftware portal that allows the user to download their desired (often cracked) software for free. 
The archive contains several legitimate DLLs and a malicious Setup.exe file that the user needs to execute manually to initiate the infection chain.\r\nVarious types of websites are used to spread the malware. Some of them are malicious websites with a hardcoded download link, while others have the “Download” button injected through a legitimate ad plugin. In this case, even legitimate websites may have a malicious “Download” link displayed on the webpage. At the time of writing, we saw the QUADS plugin being abused to deliver Satacom.\r\nhttps://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/\r\nPage 1 of 20\n\nWebsites with embedded QUADS ad plugin\r\nThe plugin is abused in the same way that other advertising networks are abused for malvertising purposes: the attackers promote ads that look like a “Download” button and redirect users to the attackers’ websites.\r\nWP QUADS ad plugin within the website’s content\r\nAfter the user clicks on the download button or link, there’s a chain of redirects that automatically takes them through various servers to reach a website masquerading as a file-sharing service to distribute the malware. In the screenshot below, we can see examples of websites that are the final destinations of the redirection chains.\r\nFake ‘file-sharing’ services\r\nAfter the user downloads and extracts the ZIP archive, which is about 7MB in size, a few binaries (EXE and DLL files) are revealed. The DLLs are legitimate libraries, but the ‘Setup.exe’ file is a malicious binary. It is about 450MB, but is inflated with null bytes to make it harder to analyze. 
The original size of the file without the added null bytes is about 5MB and it is an Inno Setup type file.\r\nNull bytes added to the PE file\r\nInno Setup installers usually work as follows: at runtime the binary extracts a child installer to a temporary folder with the name ‘Setup.tmp’. Then it runs the child installer ‘Setup.tmp’ file, which needs to communicate with the primary installer using arguments pointing to the location of the original ‘Setup.exe’ and its packages in order to retrieve the BIN data inside the ‘Setup.exe’ file for the next step of the installation.\r\nIn the case of the Satacom installer, the Setup.tmp file, once running, creates a new PE DLL file in the Temp directory. After the DLL is created, the child installer loads it into itself and runs a function from the DLL. It then decrypts the payload of Satacom and creates a new sub-process of ‘explorer.exe’ in order to inject the malware into the ‘explorer.exe’ process.\r\nBased on the behavior we observed, we can conclude that the malware performs a common process injection technique, called process hollowing, on the remote ‘explorer.exe’ process. This is a known technique used to evade detection by AV applications.\r\nThe malicious payload that’s injected into the ‘explorer.exe’ process uses an RC4 encryption implementation to decrypt its configuration data, communication strings and data for the other dropped binaries on the victim’s machine. The encrypted data is stored inside the malicious payload.\r\nThe malware uses different hardcoded keys to decrypt the data at each step. 
There are four different RC4 keys that the malware uses to perform its actions, first decrypting the HEX string data to use it for its initial communication purposes.\r\nRC4 keys (left pane) and encrypted HEX strings (right pane)\r\nIn the screenshot above, the left pane shows the four hardcoded RC4 keys as HEX strings, and in the right pane we can see the HEX strings that are decrypted using the RC4 ‘config_strings’ key to get the strings for the first initialization of communication with the C2. If we decrypt the strings ourselves using the key, we get the result shown in the screenshot.\r\nOnce the HEX strings are decrypted, ‘explorer.exe’ initiates its first communication. To do so, it performs a DNS request for the TXT record of don-dns[.]com (a decrypted HEX string) through Google DNS (8.8.8.8, another decrypted string).\r\nDNS query for TXT record through Google to don-dns[.]com\r\nOnce the request is complete, the DNS TXT record is received as another base64-encoded RC4-encrypted string: “ft/gGGt4vm96E/jp”. Since we have all of the RC4 keys, we can decrypt the string with the ‘dns_RC4_key’ and get another URL as a result. This URL is where the payload is actually downloaded from.\r\nDecrypted string of TXT record\r\nThe payload: malicious browser extension\r\nThe Satacom downloader downloads various binaries to the victim’s machine. In this campaign we observed a PowerShell script being downloaded that installs a malicious Chromium-based browser extension that targets Google Chrome, Brave and Opera.\r\nThe extension installation script is responsible for downloading the extension in a ZIP archive file from a third-party website server. 
The PowerShell script downloads the archived file to the computer’s Temp directory and then extracts it to a folder inside the Temp directory.\r\nAfter that, the script searches for the possible locations of shortcuts for each of the targeted browsers in such places as Desktop, Quick Launch and Start Menu. It also configures the locations of the browsers’ installation files and the location of the extension on the computer.\r\nFinally, the PS script recursively searches for any link (.LNK) file in the above locations and modifies the “Target” parameter of all existing browser shortcuts with the flag “--load-extension=[pathOfExtension]”, so that the shortcut will launch the browser with the malicious extension loaded.\r\nChrome shortcut with the extension parameter\r\nAfter performing this action, the script closes any browser processes that may be running on the machine, so that the next time the victim opens the browser, the extension will be loaded into the browser and run while the user is browsing the internet.\r\nThis extension installation technique allows the threat actors to add the addon to the victim’s browser without their knowledge and without uploading it to the official extension stores, such as the Chrome Store, which requires the addon to meet the store’s requirements.\r\nExtension installation PowerShell script\r\nMalicious extension analysis\r\nAfter installation of the extension, we can analyze its functionality and features by checking specific files stored in the extension’s directory. 
If we take a look at the first lines of the ‘manifest.json’ file, we’ll see that the extension disguises itself by naming the addon “Google Drive”, so even when the user accesses the browser addons, the only thing they will see is an addon named “Google Drive”, which looks like just another standard Google extension installed inside the browser.\r\nThe manifest.json file settings\r\nAnother malicious extension file that always runs in the background when the user is browsing is ‘background.js’, which is responsible for initializing communication with the C2. If we take a closer look at the JavaScript code, we’ll find an interesting function call at the bottom of the script with a string variable that is the address of a bitcoin wallet.\r\nBackground.js script snippet\r\nLooking at the script’s code, we can conclude that the extension fetches another string from a hardcoded URL, into which the script inserts the bitcoin address. The JavaScript receives data in JSON format, which shows the wallet’s transaction activity, and then looks for a specific string within the latest transaction details.\r\nJSON of the transaction details\r\nThere are two strings on the page that contain the C2 address. The “script” string is a HEX string that contains the C2 host of the malware, and the “addr” string is the Base58-encoded C2 address. The reason for using the last cryptocurrency transaction of a specific wallet to retrieve the C2 address is that the server address can be changed by the threat actors at any time. Moreover, this trick makes it harder to disable the malware’s communication with its C2 server, since disabling wallets is much more difficult than blocking or banning IPs or domains. 
If the C2 server is blocked or taken down, the threat actors can simply change the ‘script’ or ‘addr’ string to a different C2 server by performing a new transaction. And since the extension always checks these strings to retrieve the C2, it will always pick up the new address if it is ever changed.\r\nDecoded C2 address from the transaction details\r\nThe extension has several other scripts that are responsible for handling the received commands; these become functional only after the C2 address is retrieved, because the scripts need to obtain some important information from the C2. For example, the C2 holds the BTC address that will be used when the BTC is transferred from the victim’s wallet to the threat actor’s wallet.\r\nThreat actor’s BTC wallet address\r\nTo get hold of the victim’s cryptocurrency, the threat actors use web injects on the targeted websites. The web inject script is also provided by the C2 after the extension contacts it. In the following screenshot, we can see the ‘injections.js’ script from the extension, which fetches the web inject script from the C2 server.\r\nThe injections.js script\r\nAfter the addon contacts the C2 server (whose address is extracted as described above), the server responds with the web inject script that will be used on the targeted websites.\r\nWebinject script from C2 server\r\nIf we take a closer look at the script, we can see that the threat actors are targeting various websites. 
In the version of the script shown above we can see that it targets Coinbase, Bybit, KuCoin, Huobi and Binance users.\r\nSince the script on the C2 can be changed at any time, the threat actors can add or remove web injection targets, as well as start targeting cryptocurrencies other than BTC, which makes this extension very dynamic and allows the threat actors to control the malicious extension by changing the scripts.\r\nIf we look at the script, we can see that the extension performs various actions on the targeted websites. For example, it has the ability to retrieve the victims’ addresses, obtain account information, bypass 2FA, and much more. Moreover, it’s capable of transferring BTC from the victim’s wallet to the attackers’ wallet.\r\nFunctions from the web inject script\r\nLooking at the full web inject script, we can conclude that the idea behind it is to steal BTC from victims who have the malicious extension installed. The extension performs various actions on the account in order to remotely control it using the web inject scripts, and eventually the extension tries to withdraw the BTC to the threat actors’ wallet. To circumvent the 2FA settings for transactions, the web inject script uses 2FA bypass techniques.\r\nSnippet of the BTC withdrawal function from the web inject script\r\nBefore stealing the cryptocurrency, the extension communicates with the C2 server to get the minimum BTC value. It then compares this value with the actual amount of money in the target wallet. 
If the wallet contains less cryptocurrency than the minimum amount received from the C2, it doesn’t withdraw any cryptocurrency from it.\r\nMinimum amount threshold from C2\r\nThe script also performs several other checks before stealing the BTC. For example, it also checks the BTC to USD exchange rate.\r\nWhen the amount of BTC in the target wallet meets the C2 checks, the script performs the withdrawal function to steal the BTC from the victim.\r\nPerforming balance check\r\nIn addition to stealing BTC, the malicious extension performs additional actions to hide its activity.\r\nFor example, the malicious extension contains scripts that target three different email services: Gmail, Hotmail and Yahoo. The idea behind the scripts is to hide the email confirmation of the transaction performed by the malicious extension.\r\nEach script makes visual changes to the emails once the victim reaches the email service’s page. It searches for pre-defined email titles and content, and when it finds them, it simply hides them from the victim by injecting HTML code into the message body. As a result, the victim is unaware that a specific transaction transferring cryptocurrency to the threat actors’ wallet was made.\r\nExtension JS targeting Gmail\r\nIn addition, the extension can manipulate email threads from the targeted websites, so if the victim opens a thread from, for example, Binance, it can change the content of the emails and display a fake email thread that looks exactly like the real one. 
It also contains a placeholder for desired strings that the extension can inject into the content of the message page.\r\nFake email thread template\r\nThe malicious extension has many other JavaScript files and is capable of performing additional actions. For example, it can extract information through the browser, such as system information, cookies, browser history and screenshots of opened tabs, and it can also receive commands from the C2 server.\r\nJavaScripts: requesting commands from the C2 (left pane) and taking screenshots (right pane)\r\nThe purpose of the extension is to steal BTC and manipulate targeted cryptocurrency websites and email services to make the malware as stealthy as possible, so the victim doesn’t notice any information about the fraudulent transactions. The extension can update its functionality thanks to the technique used to retrieve the C2 server via the last transaction of a specific BTC wallet, which can be modified at any time by making another transaction to this wallet. This allows the threat actors to change the domain URL to a different one in case it’s banned or blocked by antivirus vendors.\r\nVictims\r\nThis campaign targets individual users around the world. According to our telemetry, in Q1 2023 users in the following countries were most frequently infected: Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, Mexico.\r\nConclusions\r\nSatacom is a downloader that is still running campaigns and being developed by the threat actor behind it. This threat actor continues to distribute malware families using various techniques, such as ad injection via ad plugins for WordPress websites.\r\nThe recently distributed malware, which is a side-loaded extension for Chromium-based browsers, performs actions in the browser to manipulate the content of the targeted cryptocurrency website. 
The main purpose of this malicious extension is to steal cryptocurrency from victims and transfer it to the threat actors’ wallet.\r\nMoreover, since it is a browser extension, it can be installed in Chromium-based browsers on various platforms. Although the installation of the malicious extension and the infection chain described in this article are Windows-specific, if the threat actors want to target Linux and macOS users, they could easily do so, provided the victims use Chromium-based browsers.\r\nAppendix I – Indicators of Compromise\r\nSatacom files\r\n0ac34b67e634e49b0f75cf2be388f244\r\n1aa7ad7efb1b48a28c6ccf7b496c9cfd\r\n199017082159b23decdf63b22e07a7a1\r\nSatacom DNS\r\ndns-beast[.]com\r\ndon-dns[.]com\r\ndie-dns[.]com\r\nSatacom C2\r\nhit-mee[.]com\r\nnoname-domain[.]com\r\ndon-die[.]com\r\nold-big[.]com\r\nHosted PS scripts\r\ntchk-1[.]com\r\nMalicious extension ZIP\r\na7f17ed79777f28bf9c9cebaa01c8d70\r\nMalicious extension CC\r\nyou-rabbit[.]com\r\nweb-lox[.]com\r\nHosted Satacom installer ZIP files\r\nht-specialize[.]xyz\r\nht-input[.]cfd\r\nht-queen[.]cfd\r\nht-dilemma[.]xyz\r\nht-input[.]cfd\r\nio-strength[.]cfd\r\nfbs-university[.]xyz\r\nio-previous[.]xyz\r\nio-band[.]cfd\r\nio-strength[.]cfd\r\nio-band[.]cfd\r\ncan-nothing[.]cfd\r\nscope-chat[.]xyz\r\nstroke-chat[.]click\r\nicl-surprise[.]xyz\r\nnew-high[.]click\r\nshrimp-clock[.]click\r\noo-knowledge[.]xyz\r\noo-station[.]xyz\r\noo-blue[.]click\r\noo-strategy[.]xyz\r\noo-clearly[.]click\r\neconomy-h[.]xyz\r\nmedical-h[.]click\r\nhospital-h[.]xyz\r\nchurch-h[.]click\r\nclose-h[.]xyz\r\nthousand-h[.]click\r\nrisk-h[.]xyz\r\ncurrent-h[.]click\r\nfire-h[.]xyz\r\nfuture-h[.]click\r\nmoment-are[.]xyz\r\nhimself-are[.]click\r\nair-are[.]xyz\r\nteacher-are[.]click\r\nforce-are[.]xyz\r\nenough-are[.]xyz\r\neducation-are[.]click\r\nacross-are[.]xyz\r\nalthough-are[.]click\r\npunishment-chat[.]click\r\nrjjy-easily[.]xyz\r\nguy-seventh[.]cfd\r\nRedirectors to Satacom installer\r\nback-may[.]com\r\npost-make[.]com\r\nfilesend[.]live\r\nsoft-kind[.]com\r\nee-softs[.]com\r\nbig-loads[.]com\r\nel-softs[.]com\r\nsofts-labs[.]com\r\nsoft-make[.]com\r\nsoft-end[.]com\r\nsoon-soft[.]com\r\ntip-want[.]click\r\nget-loads[.]com\r\nnew-loads[.]com\r\nfile-send[.]live\r\nfiletosend-upload[.]net\r\nfile-send[.]cc\r\nAppendix II – MITRE ATT\u0026CK Mapping\r\nThis table contains all the TTPs identified during analysis of the activity described in this report.\r\nTactic | Technique Name | Technique ID\r\nInitial Access | User Execution: Malicious Link | T1204.001\r\nInitial Access | User Execution: Malicious File | T1204.002\r\nExecution | User Execution: Malicious File | T1204.002\r\nExecution | Command and Scripting Interpreter: PowerShell | T1059.001\r\nPersistence | Shortcut Modification | T1547.009\r\nPersistence | Browser Extensions | T1176\r\nDefense Evasion | Process Injection | T1055.012\r\nCredential Access | Credentials from Password Stores | T1555.003\r\nCredential Access | Steal Web Session Cookie | T1539\r\nCredential Access | Unsecured Credentials | T1552\r\nCredential Access | Multi-Factor Authentication Interception | T1111\r\nDiscovery | Account Discovery | T1087\r\nDiscovery | Software Discovery | T1518\r\nDiscovery | Security Software Discovery | T1518.001\r\nCollection | Automated Collection | T1119\r\nCollection | Screen Capture | T1113\r\nCollection | Credentials from Password Stores | T1555\r\nCollection | Browser Session Hijacking | T1185\r\nCommand and Control | Application Layer Protocol: Web Protocols | T1071.001\r\nCommand and Control | Application Layer Protocol: DNS | T1071.004\r\nCommand and Control | Dynamic Resolution | T1568\r\nExfiltration | Exfiltration Over C2 Channel | T1041\r\nSource: https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/"
	],
	"report_names": [
		"109807"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434421,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d643112cfe716a94a0f25184a33e8bf86939383e.pdf",
		"text": "https://archive.orkl.eu/d643112cfe716a94a0f25184a33e8bf86939383e.txt",
		"img": "https://archive.orkl.eu/d643112cfe716a94a0f25184a33e8bf86939383e.jpg"
	}
}