{
	"id": "95758031-d097-40ee-a93b-9b965d7a5a71",
	"created_at": "2026-04-06T00:19:04.819775Z",
	"updated_at": "2026-04-10T03:37:23.814042Z",
	"deleted_at": null,
	"sha1_hash": "db844e6afff34ae148bad4f03a5e5741dbb4ef94",
	"title": "ITG23 crypters cooperation between cybercriminal groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12780785,
	"plain_text": "ITG23 crypters cooperation between cybercriminal groups\r\nBy Charlotte Hammond, Ole Villadsen, Golo Mühr\r\nPublished: 2022-05-19 · Archived: 2026-04-05 15:56:49 UTC\r\nCharlotte Hammond\r\nMalware Reverse Engineer\r\nIBM Security\r\nOle Villadsen\r\nCyber Threat Hunt Analyst\r\nIBM Security\r\nIBM Security X-Force researchers have continually analyzed the use of several crypters developed by the\r\ncybercriminal group ITG23, also known as Wizard Spider, DEV-0193, or simply the “Trickbot Group”. The\r\nresults of this research, along with evidence gained from the disclosure of internal ITG23 chat logs (“Contileaks”),\r\nprovide new insight into the connections and cooperation between prominent cybercriminal groups whose attacks\r\noften lead to ransomware.\r\nCrypters are applications designed to encrypt and obfuscate malware to evade analysis by antivirus scanners and\r\nmalware analysts. Crypters generally operate by encrypting the pre-compiled malware payload and embedding it\r\nwithin a secondary binary, known as a stub, which contains code to decrypt and execute the malicious payload.\r\nThe use of crypters allows malware developers to easily experiment with different methods of evading antivirus\r\ndetection without having to make changes to the malware itself.\r\nX-Force analyzed thirteen crypters that have all been used with malware built or operated by ITG23 internal teams\r\nor third-party distributors — including Trickbot, BazarLoader, Conti, and Colibri — as well as malware developed\r\nby other groups such as Emotet, IcedID, Qakbot, and MountLocker. 
The presence of one of these crypters on a file\r\nsample is a strong indication that its developer, distributor, or operator is either a part of ITG23 or has a\r\npartnership with the group.\r\nX-Force found evidence that by mid-2021 ITG23 had scaled up its efforts to crypt malware with the development of\r\nseveral new crypters and the construction of a Jenkins build server to automate the crypting of malware at scale.\r\nX-Force also observed the analyzed crypters used repeatedly by Emotet and IcedID malware samples, indicating\r\nITG23 is also crypting malware for these groups. These findings add to a growing body of evidence indicating a\r\nclose relationship between ITG23 and the threat actors behind the development and operation of IcedID and\r\nEmotet.\r\nAdditionally, X-Force uncovered that at least one ITG23 crypter has been used repeatedly since late February\r\n2022 with the Qakbot banking trojan and at least once with the Gozi banking trojan likely delivered by the ITG23\r\ndistribution affiliate TA551 (tracked by X-Force as Hive0106). X-Force’s analysis of these crypters has also\r\nuncovered a previously undisclosed relationship between the IcedID group and the MountLocker ransomware-as-a-service (RaaS) operation.\r\nhttps://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/\r\nPage 1 of 28\n\nA tangled web they weave\r\nITG23’s “build machine”\r\nITG23 is a cybercriminal gang known primarily for developing the Trickbot banking Trojan, which was first\r\nidentified in 2016 and initially used to facilitate online banking fraud. The group has since expanded its\r\noperations to develop and operate new malware such as BazarLoader and Anchor. 
ITG23 also adapted to the\r\nransomware economy by using its payloads to gain a foothold in victim environments for ransomware attacks and\r\ndeveloping and operating the Conti and Diavol RaaS operations. ITG23 is best thought of as a group of groups,\r\nnot unlike a large corporation, that report to common “upper management” and share infrastructure and support\r\nfunctions, such as IT and human resources. One of these support groups within ITG23 is dedicated to developing\r\ncrypters for use with the group’s own malware operations as well as for several other groups.\r\nITG23 has been crypting its malware for several years, and crypters used by the group were regularly seen in\r\nuse with malware such as Trickbot, Emotet, Cobalt Strike and Ryuk. However, the development of multiple new\r\ncrypters during the past year suggests a focused effort to scale up its crypting operation.\r\nEvidence gained from several sources, including ContiLeaks, indicates that ITG23 has set up a Jenkins build\r\nserver to automate the mass crypting of malware, also referred to as the “Build Machine”. Jenkins is an open-source automation server designed to automate the building, testing, and deploying of software. The “Build\r\nMachine” was created in April 2021, coinciding with an increase in the use of crypters with malware developed by\r\nITG23 and other groups.\r\nSince that time, ITG23 crypters have been applied to:\r\nMalware used to gain a foothold in victim environments, such as Trickbot, BazarLoader, Sliver, IcedID,\r\nEmotet, Qakbot, and Gozi. We even identified ITG23 crypters with Colibri, a loader advertised on\r\nunderground forums that was used to download Trickbot in fall of 2021, likely by an internal ITG23\r\ndistribution affiliate. Some of these malware families are built by ITG23, such as Trickbot and\r\nBazarLoader, and others are built by different groups, such as IcedID, Emotet, and Qakbot. 
ITG23\r\ndistribution affiliates have deployed Sliver, an open-source, cross-platform adversary simulation and red\r\nteam platform, probably to gain access for ITG23 internal red teams to conduct ransomware attacks.\r\nCobalt Strike beacon samples downloaded during attacks commencing with the above malware and used\r\nby internal red teams or other affiliates when performing ransomware attacks.\r\nRansomware such as Conti and MountLocker, also known as Xinglocker, AstroLocker, and Quantum,\r\nwhich are often deployed following an infection with the above tools and malware.\r\nITG23 has discontinued use of Trickbot and BazarLoader as of December 2021 and February 2022, respectively,\nbut X-Force continues to observe the crypters leveraged by other malware, including IcedID, Emotet, Conti,\nQakbot, and the adversary simulation software Cobalt Strike. One notable exception is the Anchor malware which,\nalthough attributed to ITG23, does not tend to use the same crypters as the other malware mentioned throughout\nthis report. The Anchor malware was commonly observed using a separate crypter, named ShellStarter, which has\nsome code overlap with Anchor itself and was likely created by the same developer. The ShellStarter crypter was\nalso regularly used with Cobalt Strike payloads, but otherwise did not seem to be used for general crypting\noperations. We are also currently analyzing Bumblebee malware samples, which we have also linked to ITG23, to\ndetermine if they are using an ITG23 crypter.\nContiLeaks\nIn February 2022, a Ukrainian security researcher using the Twitter handle “ContiLeaks” revealed a wealth of\ninformation about ITG23 and its operations, including private conversations between its members. 
While these\nleaks appeared to concentrate on the Conti RaaS operation, they also show that it was part of the larger ITG23\n“corporation” which also includes ITG23’s crypting operation. These chats indicate that the head of this crypting\noperation uses the handle “Bentley”, who manages a team of developers responsible for both developing the\ncrypters and crypting malware for affiliates and partners. Bentley in turn regularly provides status reports to\n“Mango”, a more senior manager within ITG23 who reports to the group’s former leader “Stern.” Other security\nresearchers have also identified Bentley and his role managing the crypting team. Below is an example of a status\nupdate on malware crypting that Bentley would send on a regular basis to Mango.\nDate: Aug 26, 2021 @ 11:08:21.000  \nFrom:\n[emailprotected]  \nTo:\n[emailprotected]  \nMessage:  \nПроект лео -\n13 криптов. Билд машина (Project leo - 13 crypts. Build\nMachine)  \nБК (BK)  \nгруппа 15: 20 криптов, билд\nмашина (group 15: 20 crypts, build machine)  \nгруппа\n19: 5 крипта, билд машина (group 19: 5 crypts, build machine)\n\nгруппа 20: 1 крипто, билд машина (group 20: 1 crypt,\nbuild machine)  \nТрик: (Trick)  \n4 длл: 2 сэм 2 невил\n(4 dll: 2 sam 2 nevil)  \nТройка: (Troika:)  \nневил\n(nevil)  \nШелкод: билд машина (Shellcode: Build Machine)\n\nКобальт: билд машина (Cobalt: Build Machine)\nChat logs from the ContiLeaks also provide details about the creation of the build machine. 
On April 15, 2021,\nMango informed Stern that the build machine for the crypters would be ready by the end of April 2021.\nMango → Stern: билд машина для крипторов будет готова к концу\nмесяца, вчера уже начали обкатывать ее но пока сыровата  \n(The build machine for cryptors will be ready by the end of the\nmonth, yesterday they already started to run it in, but it’s still raw)\nOn June 7, 2021, Bentley provided an update to Stern on the status of the transition of work to the build machine.\nBentley → Stern: Дела - хорошо. Интересно и насыщено.  \nВсе\nкрипторы перешли из ручного труда в автоматическую сборку через\nбилд машину.  \nТеперь они занимаются актуализацией и чисткой\nстабов. А файлы я делаю на билд машине, проверяю и выдаю.  \nЕсли что-то билдится грязным - обращаюсь к криптору. Он чистит\nстаб. Снова проверяем и выдаем.  \nЗадачи:  \n1. Криптование\nфайлов для Лео на билд машине.  \n2. Шелкод кобальт  \n3.\nЛокеры  \n4. Кобальт ехе и длл  \n5. dll трика  \n6.\nОбучаю и предоставляю доступ другим членам команды к билд машине,\nчтобы они могли сами собирать крипты.  \n7. Подготовка линков\nдля нагрузки и тестирование ехелей для netwalker, hash, cherry.\nThings are good. Interesting and busy.  \nAll cryptors have\nmoved from manual labor to automatic assembly through the build machine.\n\nNow they are engaged in updating and cleaning stubs. And I make\nfiles on the build machine, check and issue.  \nIf something is being\nbuilt dirty, I turn to the cryptor. He cleans the stub. We check again and release.\nTasks:  \n1. Crypting files for Leo on the build machine.\n\n2. Cobalt shellcode  \n3. Lockers  \n4. Cobalt exe and dll\n\n5. Trickbot dll  \n6. Training and giving other team members\naccess to the build machine so that they can build the crypts themselves.\n\n7. 
Preparing links for the payload and testing Excel files for netwalker, hash, cherry.\nWithin the ContiLeaks, there are multiple references to the use of a Jenkins server for the Build Machine. In one\nsuch example, on January 17, 2022, two ITG23 developers “derekson” and “elon” discuss the Jenkins server. X-Force also uncovered Program Database (PDB) file paths used by ITG23 crypters that reference Jenkins (see\nbelow for more details).\nDerekson → Elon: Привет. Почти закончил со вторым сервером. Скажи когда можно подключить к дженкинс\n(Hello. Almost finished with the second server. Tell me when I can connect it to Jenkins)\nThroughout the leaked chats, there are multiple examples of Bentley delivering crypted malware samples to\naffiliates and partners such as Cherry, Netwalker, and Zeus. X-Force assesses that “zevs” (“zeus”) is affiliated with\nthe prominent distribution group Hive0106 (aka TA551), which used the gtags ‘zev,’ ‘zem’ and ‘zvs’ during their\nTrickbot campaigns. Hive0106 is a prominent distribution affiliate with an established relationship with ITG23.\nThroughout the chats, “zeus” appears in Russian as “зевса”, “зевсом”, “зевсу”, and “зевс” depending on\nthe grammatical case.\nFor example, on Aug 10, 2021, Bentley sent the following request to Hof, a developer associated with Trickbot\nmalware:\nBentley → Hof: Доброе утро. Сделай, пожалуйста, zev4.dll и zem1.dll\nдля Зевса  \n(Good morning. 
Please make zev4.dll and zem1.dll for Zeus)\nThe following messages also indicate crypted samples were prepared for Zevs:\nAugust 31, 2021:  \nBentley → Zevs: Еще ответ: у нас есть опыт\nсерийной выдачи криптов п БК* уже, один заказчик берет партиями по\n30-100 штук  \n(Another answer: we have experience in the serial\nissuance of crypts and BK* already, one customer takes in batches of 30-100 pieces)\nSeptember 24, 2021:\nNeo → Zevs: монт молчит, я крипты готовил 3 штуки к 8 по мск  \n(Mont is silent, I prepared 3 crypts by 8 Moscow time)\n*We assess БК (BK) likely is a reference to BazarLoader based on analyzing multiple chat references to this\nacronym.\nEmotet and IcedID: Longtime pals\nThe use of ITG23 crypters with Emotet and IcedID malware is the latest evidence of a close relationship with\nthese groups that has featured distributing each other’s malware and cooperating on malware development.\nEmotet first appeared in 2014 as a banking trojan and later emerged as a prominent downloader for other banking\ntrojans, including IcedID, Qakbot, and Trickbot. IcedID, also known as Bokbot and often referred to by ITG23 as\nAnubis, is a banking trojan first discovered by X-Force in September 2017. Since that time IcedID — like many\nbanking trojans — has evolved to include backdoor and data harvesting capabilities and is often used as a\ndownloader for other malware, including Cobalt Strike and ransomware.\nEmotet: ITG23 and the Emotet group have a history of seeding each other’s malware. ITG23 has used Emotet\nextensively to deliver Trickbot malware often leading to the notorious Emotet -\u003e Trickbot -\u003e Ryuk ransomware\nattack sequence. Following actions to disrupt Trickbot group operations in fall 2020, Emotet moved quickly to\nassist ITG23’s recovery by downloading Trickbot malware to infected machines. 
A year later, ITG23 returned the\nfavor by seeding Emotet samples to facilitate Emotet’s return following the January 2021 international law\nenforcement operation against the group.\nThe presence of “Veron” aka “Mors” participating in conversations with ITG23 members in the leaked chats also\npoints to ITG23’s close cooperation with Emotet. Historically, “mors” was a gtag used with Trickbot samples\ndelivered by Emotet. Based on the conversations, Veron/Mors appears to be a liaison to ITG23 for Emotet-related\nmatters. Veron/Mors also seemed to work with the crypting team, and messages can be found from Bentley which\ndiscuss crypting files for Veron. Bentley sent the following messages to Veron and Stern between February and\nMay 2021, possibly related to crypting Emotet samples for testing purposes before Emotet’s reappearance in\nNovember:\nFebruary 24, 2021:  \nStern → Bentley: veron запустился? (Veron started?)  \nBentley → Stern: Он начи\nРаботаем над криптами для него. наших криптора  \n(He starts in March. We're working over the crypters\nMarch 1, 2021:  \nStern → Bentley: veron не начал еще? (Veron hasn't started yet?)  \nBentley → Stern\nЕще не начинал. Сделали годный крипт его длл. Ждем как даст полную версию со всеми нюансами  \n(Hasn't started yet. We made a working crypt of his dll. Waiting for him to give the full version with all the nuances)\nMay 5, 2021  \nBentley → Veron: Можешь дать длл на крипт? Пока можем начать криптовать и готовить ст\n(Can you give a dll for the crypt? For now, we can start to crypt and prepare stubs)\nMessages between Veron and Stern in May 2021 seem to suggest that the return of Emotet may have been delayed\ndue to a need to rewrite parts of the code for security purposes.\nMay 18, 2021:  \nStern → Veron: привет. когда стартуем?  \n(Hi, when are we starting?)  
\nVeron →\nя скажу когда точно, в ближайшее время уже, делаю чтобы не взломали  \n(Hello, I'll tell you exactly\nMay 24, 2021:  \nVeron → Stern: привет, сорри, что задерживаем, но надо переписать часть, я за безопа\nбудешь, если вопросы есть  \n(hello, sorry for the delay, but we need to rewrite part, I'm for security  \n(and your cool ICEDId bot)  \nStern → Leo: про него пишут и\n(researchers write about it)  \nStern → Leo: что ты сейчас на первом месте  \n(that you're in the firs\nThe leaked chats often refer to a “Project Leo”, which we assess is a reference to IcedID. Bentley regularly\nprovides Mango with updates on crypting related to “Project Leo”, and in November 2021 Stern messaged the\nfollowing instruction to Bentley:\nStern → Bentley: \"включи крипты лео  \n(turn on the crypts of Leo)\"\nIcedID and MountLocker ransomware\nX-Force uncovered evidence that ITG23 crypters were used with MountLocker (see below), a ransomware-as-a-service (RaaS) operation that has been active since July 2020. Since then, MountLocker has rebranded several\ntimes to other names including XingLocker, AstroLocker, and Quantum. This evidence — combined with code\noverlap between IcedID and MountLocker ransomware and the use of IcedID alongside MountLocker during\nmultiple ransomware attacks — suggests that the IcedID group operates the MountLocker RaaS.\nThe following conversation between Stern and Bentley on May 6, 2021, provides additional evidence that Leo,\nwho operates IcedID, also has some involvement with ransomware. Stern asks Bentley which ‘lockers’, aka\nransomware, his team has been crypting, and Bentley responds that they have had binaries from Reshaev and\nfrom Leo. Reshaev is a developer/manager for the Conti ransomware.\nStern: как автобилды работают?  
\nBentley: Большая часть стабов уже работают.\nВыдаем локеры ехе 32 64 длл 32 64 , кобу 32 64 как ехе так и длл. Шелкоды в ехе и длл.\nПростые длл, БК.  \nStern: какие локеры  \nBentley: от решаева в ехе и от лео в длл\n\nStern: How's the autobuild working?  \nBentley: Most of the stubs are already working.\nWe issue lockers exe 32 64 dll 32 64, cobalt 32 64 as exe and dll. Shellcode in exe and dll.\nSimple Dll, BK.  \nStern: Which lockers?  \nBentley: From Reshaev in exe and from Leo in Dll\nAnalysis of IcedID and MountLocker samples reveals areas of code overlap, particularly in the logging and\ndecryption functions. Both IcedID and MountLocker generate extensive debug logs, which are formatted in an\nalmost identical manner.\nFigure 1 — Debug log strings from an IcedID sample\r\nFigure 2 — Debug log strings from a MountLocker sample\r\nAdditionally, samples of both IcedID and MountLocker were identified which contained almost identical XOR\r\ndecryption and key generation algorithms.\r\nFigure 3 — XOR algorithm and key generation function from an IcedID sample\r\nFigure 4 — XOR algorithm and key generation function from a MountLocker sample\r\nQakbot: A new partner?\r\nWhile monitoring for signs of ITG23 crypters’ use in the wild, X-Force identified the first known use in late\r\nFebruary 2022 of an ITG23 crypter with Qakbot aka Qbot. 
The Qakbot banking trojan was first identified in 2007\r\nand, like other banking trojan groups, it has increased its functionality over the years and evolved into a flexible\r\ndownloader and backdoor often leading to ransomware attacks. The appearance of ITG23 crypters on Qakbot\r\nsamples provides evidence of a direct relationship between ITG23 and the Qakbot group. The relationship\r\nbetween ITG23 and Qakbot is also supported by additional evidence published recently. That said, the discovery\r\ndoes not come as a complete surprise. In the leaked chats, “Tramp” asked Bentley on December 6, 2021, about\r\ncrypting Qakbot:\r\nTramp → Bentley: криптанем квак бота ?  \n(shall we crypt Qakbot?)  \nBentley → Tramp: давай попробуем\n(let's try)\n\nAll of these techniques together also provide obstacles for the malware reverse engineer and make it harder to\r\nwrite detection signatures and automated malware parsers.\r\nX-Force research indicates that ITG23 is providing crypting services to other threat actors in addition to using\r\nthem for its own malware. Using the same crypter for multiple malware families has an additional benefit of\r\nconfusing the identification capabilities of AV applications. Indeed, it is not uncommon to see a crypted malware\r\nbinary flagged by AV as belonging to one malware family when it is in fact a completely different one that\r\njust happens to be using the same crypter.\r\nX-Force analysts are tracking at least thirteen crypters we believe to be developed and currently in use by ITG23\r\nthat we are calling Dave, Pear, Lore, Mirror, Galore, Rustic, Tron, Hexa, Stub, Error, Skeleton, Charm, and\r\nGraven. Whilst variants of the Dave RC4 crypter have been in use for at least a couple of years, the rest appear to\r\nhave been primarily developed in the past year. 
ITG23 has used these crypters with Trickbot, BazarLoader and\r\nConti malware — all of which are attributed to ITG23 — and used them to crypt malware on behalf of groups\r\nsuch as IcedID and Emotet. We have also observed these crypters used with Cobalt Strike samples, which we\r\nassess are used by ransomware internal red teams or affiliates when conducting attacks on clients infected with\r\nTrickbot, BazarLoader, IcedID or Emotet.\r\nIn the sections below, we provide an overview of each of the crypters and examples of the malware families\r\nthey have been used with.\r\nDave\r\nDave is one of the older crypters that X-Force tracks as currently in use by ITG23, having been used since at least\r\n2020. Several variations of Dave exist, but one of the most common variants stores the payload either as an\r\nRCData type resource or within the data section, and decrypts it using a custom RC4 algorithm that uses a\r\nvariable S-box size rather than the 256 entries of standard RC4. Dave is so called because it commonly wraps\r\nthe payload in a second-stage shellcode loader, where the ASCII string ‘dave’ is used to mark the end of the\r\npayload. Dave loaders have been most frequently observed loading Emotet and Trickbot, but also occasionally\r\nBazarLoader, Ryuk, Conti, IcedID, Cobalt Strike and Colibri.\r\nIt is common practice for malware developers to ‘strip’ malware binaries during compilation, which removes\r\nsymbol information such as variable and function names. This has the benefits of making the malware more\r\ndifficult to analyze, as well as removing details that may potentially be used by analysts to fingerprint the\r\ndeveloper.\r\nAlmost all samples analyzed by X-Force are fully stripped; however, from November 2021 to January 2022 X-Force observed a number of unstripped Dave-crypted samples uploaded to repositories such as VirusTotal,\r\nproviding a rare insight into the coding style of the developer. 
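The decryption step described in the Dave paragraph above, as an added example that is not code from the article or from the crypter itself: a Python RC4 routine with the S-box size as a parameter, followed by extraction of the payload that ends at the ASCII marker dave. The key, the 512-entry S-box and the demo blob are constructed for the example. Reducing every index modulo the S-box size, truncating keystream words wider than a byte to their low 8 bits, and a PE payload that begins at the first MZ header before the marker are assumptions, not details the page reports; a real stub has to be reversed for the key and S-box size it actually uses.

```python
# Added example (not code from the IBM X-Force article or from the Dave crypter):
# RC4 with a parameterised S-box size, the modification the article attributes to Dave,
# plus extraction of a payload that ends at the ASCII marker dave.
# Assumptions (not facts from the article): every index is reduced modulo sbox_size,
# keystream words wider than a byte are truncated to their low 8 bits, and the payload
# is a PE starting at the first MZ header before the marker.

def rc4_keystream(key, length, sbox_size=256):
    # Key-scheduling algorithm (KSA) over an S-box of sbox_size entries.
    s = list(range(sbox_size))
    j = 0
    for i in range(sbox_size):
        j = (j + s[i] + key[i % len(key)]) % sbox_size
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA).
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % sbox_size
        j = (j + s[i]) % sbox_size
        s[i], s[j] = s[j], s[i]
        # Assumption: an S-box wider than 256 yields words above 0xFF; keep the low byte.
        out.append(s[(s[i] + s[j]) % sbox_size] & 0xFF)
    return bytes(out)

def rc4_crypt(key, data, sbox_size=256):
    # XOR is its own inverse, so the same call encrypts and decrypts.
    ks = rc4_keystream(key, len(data), sbox_size)
    return bytes(a ^ b for a, b in zip(data, ks))

DAVE_MARKER = b'dave'

def extract_dave_payload(decrypted):
    # The article reports that the string dave marks the end of the payload inside the
    # second-stage loader. Assumption: the payload is a PE, so it starts at the first
    # MZ header that precedes the marker; anything before that is loader stub.
    end = decrypted.find(DAVE_MARKER)
    if end < 0:
        raise ValueError('dave marker not found: not a Dave blob or wrong key/S-box size')
    start = decrypted.find(b'MZ', 0, end)
    if start < 0:
        raise ValueError('no MZ header before the dave marker')
    return decrypted[start:end]

def decrypt_dave_blob(blob, key, sbox_size):
    # End-to-end: RC4-decrypt the stored blob, then cut out the payload.
    return extract_dave_payload(rc4_crypt(key, blob, sbox_size))

def build_demo_blob(payload, key, sbox_size):
    # Constructed sample input: fake loader prefix, payload, marker, trailing bytes,
    # all RC4-encrypted the way the stub would store them.
    plain = b'LOADER-STUB-' + payload + DAVE_MARKER + b'TRAILER'
    return rc4_crypt(key, plain, sbox_size)
```

With the default S-box size of 256 the routine reproduces standard RC4 (key Key, plaintext Plaintext gives the published ciphertext bbf316e8d940af0ad3), which is the sanity check to run before trusting it on a sample; only then swap in the size and key recovered from the stub.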
Based on some of the strings and function names,\r\nX-Force determined the developer utilized components of publicly available code for the stub; for example, the\r\nfunction CLoad::FromMemory() can be traced back to a 2016 code sample, memlib.cpp, originally published on\r\na forum. The aforementioned shellcode with the ‘dave’ signature also appears to be modified from the open-source\r\nsRDI repository.\r\nFigure 5 — Unstripped Dave stub with original function and variable names as assigned by the developer.\r\nSelect samples using the Dave crypter:\r\nSample Family SHA256 Hash  \r\nCobalt Strike a9c4eafcff0567c68919c93ddf8baa769392e92706e6b35f7b989310d70f732f  \r\nColibri f5fd02ebd2376fd1bc1ff121e9bfda618755a5c049edc8a4288eb67eb1cc7f9b  \r\nEmotet 5da102cc1ff7d842e3b5c9d6f571bd3b3afdc1715d37f120b31e1859928f5837  \r\nTrickbot 947c81aefdb479de7e75f14be2921bb829478680e039c2bc40a4c258524819b8  \r\nBazarLoader 47bac27be954cf593ac731cd57fa98b565cf5036a6fbf35c508549f039eea8f3  \r\nConti 5ace33358a8b11ae52050d02d2d6705f04bd47a27c6c6e28ef65028bbfaf5da9  \r\nRyuk 180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843  \r\nPear\r\nPear crypter can be traced back to at least March 2021, when it was used to crypt IcedID. Pear has been primarily\r\nobserved in use with IcedID payloads, but samples loading BazarLoader, Trickbot, and Colibri payloads have also\r\nbeen found. Pear crypter stores the payload within one of the stub binary’s data sections, and custom algorithms\r\nare used to encrypt the payload. The exact format and values of the encryption algorithm change per sample,\r\nsuggesting a technique such as metaprogramming may have been employed to generate the algorithms. 
The\r\nencrypted payload often has a recognizable alternating byte pattern that makes use of a restricted set of bytes in\r\norder to keep the entropy low. Entropy measures the level of randomness in the data, and many encryption\r\nalgorithms will generate encrypted data with a distinctively high entropy value, which is easily detectable by\r\nbinary analysis tools. By using an algorithm that outputs lower-entropy data, the encrypted payload is harder for\r\nautomated systems to detect.\r\nFigure 6 — Pear crypted sample with distinctive encrypted payload utilizing a restricted byte set.\r\nSelect samples using the Pear crypter:\r\nSample Family SHA256 Hash  \r\nIcedID 9f4bdbfec9f091e985e153a1597fc271abd0320c60dfe37dc3e7d81e5d18ad83  \r\nBazarLoader 26cac671e215d88b5070af7d94200588d2b7c414a6e8debf7370b993fcfffb23  \r\nColibri b1fc2855f5579f02ac6d03c2d20e85948e9609fd769389addb8ce5986b1f8ecd  \r\nTrickbot e2ba0567ac236a24bfd4df321ae7860e8fe2810dbd088e0e90d67167c1ccd4c5  \r\nLore\r\nLore crypter has been in use since at least May 2021 and has been observed with payloads including Emotet,\r\nTrickbot, BazarLoader, IcedID and Cobalt Strike. This crypter stores the payload as a BITMAP type resource,\r\nwith a 103-byte bitmap file header added to the start of the payload data. Upon execution, the stub code loads the\r\nresource, removes the bitmap header, and decrypts the remaining data using XOR and a hardcoded key. The\r\npayload is then loaded into memory and executed. 
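The Lore unwrap just described, together with the entropy argument from the Pear section above, as one added Python example that is not code from the article or from either crypter. It strips the 103-byte bitmap header, XOR-decrypts with a repeating key, refuses anything that does not carry the MZ and PE signatures, and then compares the Shannon entropy of a payload after a plain XOR (near 8 bits per byte, which entropy scanners flag) with the same bytes written through a 16-symbol alphabet (at most 4 bits per byte). The repeating key, the placeholder header, the random PE stand-in and the nibble alphabet are constructed assumptions; the 16-symbol encoding illustrates the restricted-byte-set idea and is not Pear's actual algorithm.

```python
# Added example (not code from the IBM X-Force article, Lore, or Pear).
# Part 1: Lore-style unwrap (103-byte bitmap header, XOR with a hardcoded key, PE check).
# Part 2: why a restricted byte set defeats entropy scanners (Pear discussion).
# Assumptions: the XOR key repeats over the data; the header is everything before
# offset 103; the nibble alphabet is an illustration, not Pear's real encoding.
import math
import os
import struct
from collections import Counter

BITMAP_HEADER_LEN = 103  # header length the article reports for Lore resources

def shannon_entropy(data):
    # Bits per byte: 8.0 is the ceiling for byte data, 0.0 for empty input.
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def xor_repeating(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(blob):
    # MZ signature at 0, e_lfanew at 0x3c, PE signature at e_lfanew.
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    (e_lfanew,) = struct.unpack_from('<I', blob, 0x3c)
    return blob[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)

def unwrap_lore_resource(resource, key):
    # Drop the bitmap header, XOR the rest, and insist on a PE coming out so a wrong
    # key or header length fails loudly instead of producing garbage.
    payload = xor_repeating(resource[BITMAP_HEADER_LEN:], key)
    if not looks_like_pe(payload):
        raise ValueError('decrypted data is not a PE image: wrong key or header length')
    return payload

def wrap_lore_resource(payload, key):
    # Inverse of the unwrap, used only to build a constructed sample. The header is a
    # placeholder (BM magic then zeros), not a real BITMAPFILEHEADER/BITMAPINFOHEADER.
    header = bytearray(BITMAP_HEADER_LEN)
    header[0:2] = b'BM'
    return bytes(header) + xor_repeating(payload, key)

def build_fake_pe(size=4096):
    # Constructed stand-in for a PE payload: random body with the signatures in place.
    img = bytearray(os.urandom(size))
    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3c, 0x80)
    img[0x80:0x84] = b'PE' + bytes(2)
    return bytes(img)

# Low-entropy encoding in the spirit of Pear: each nibble becomes one byte from a
# 16-symbol alphabet, so the output can never exceed 4 bits of entropy per byte.
ALPHABET = bytes(range(0x41, 0x51))  # assumed alphabet, the letters A..P

def nibble_encode(data, alphabet=ALPHABET):
    out = bytearray()
    for b in data:
        out.append(alphabet[b >> 4])
        out.append(alphabet[b & 0xF])
    return bytes(out)

def nibble_decode(data, alphabet=ALPHABET):
    inv = {sym: i for i, sym in enumerate(alphabet)}
    return bytes((inv[data[i]] << 4) | inv[data[i + 1]] for i in range(0, len(data), 2))

def entropy_report(payload, key):
    # XOR with a short repeating key leaves random-looking data near 8 bits/byte, which
    # an entropy scanner flags; the nibble encoding of the same bytes stays at or below 4.
    return {
        'plain': shannon_entropy(payload),
        'xor': shannon_entropy(xor_repeating(payload, key)),
        'nibble': shannon_entropy(nibble_encode(payload)),
    }
```

The price of the low-entropy trick is visible in the code: the encoded payload is twice the size and its alphabet is a fixed, scannable pattern, which is exactly the alternating byte pattern the Pear paragraph says makes these samples recognisable by eye once the entropy check has been defeated.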
The crypter originally appeared to be designed for use with PE\r\npayloads, and so shellcode-based payloads were wrapped in an additional second-stage loader.\r\nLore crypted binaries often include a lot of extraneous imports and junk functions in an attempt to obscure the\r\nlocation of the payload decryption and loading code from analysts. This loading code instead uses API hashes to\r\nresolve the addresses of the API functions it requires, so the extraneous imports can generally be ignored by the analyst.\r\nA handful of Lore crypted samples were identified containing the following PDB paths:\r\n204506c69824371017f482e88f9fbb14cfd0fbc17233fa8d3ffbf4f527e20af5 c:\\jenkins\\workspace\\crypter5_generic_exe\\Bin\\\r\nThese paths provide evidence of a Jenkins server being used for crypting operations and also suggest that it likely\r\nhosts a number of different crypters, with crypter5 being Lore crypter. This is corroborated by the PDB path\r\nfound within some Error crypted samples, detailed further below, which refers to that crypter as ‘crypter7’.\r\nThe directory names ‘crypter5_generic_exe’ and ‘crypter5_shellcode_64_exe’ indicate that different\r\nconfigurations of the crypter stubs were likely compiled for different types of payloads. In this case, the two\r\nsamples containing the reference ‘crypter5_shellcode_64_exe’ are both 64-bit executable files that contain Cobalt\r\nStrike shellcode HTTP stagers as their payloads. 
For the two samples containing the reference\r\n‘crypter5_generic_exe’, one is a 64-bit executable containing a BazarLoader payload and the other is a 32-bit\r\nexecutable containing a Conti ransomware executable.\r\nSelect samples using the Lore crypter:\r\nSample Family SHA256 Hash  \r\nCobalt Strike ee8efcd34db429697337d7275d713385600c510558a8a4615bd1eb18847f43f2  \r\nConti e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d  \r\nIcedID 7a6c42343b3d422c9f6f5c72763645b8f1b4931c609c320e60816aee55e4ae8a  \r\nEmotet 70b66e57ea54f48a8b288d65d93063478e27b5710cab106cf41464e086e784db  \r\nTrickbot 2587e94f3bc1ae54ff7732984925def76de934b3e1b1f7407bd66491db18f7e0  \r\nBazarLoader 8661bd7d893fe1dd2109fac55cf9cea5f609012769732039e20165a3198c1086  \r\nMirror\r\nMirror crypter has been observed since November 2021, and so far has primarily been found loading BazarLoader\r\npayloads, as well as some IcedID and Cobalt Strike. Mirror crypter shares some code overlap and obfuscation\r\nmechanisms with Lore crypter, suggesting they may have the same developer or codebase. Mirror splits its\r\nencrypted payload into three parts which are stored across different sections of the resulting binary loader. 
Two\r\nmain variants of the Mirror stub code have been found so far, one which decrypts the payload using AES-256 via\r\nthe Windows CryptDecrypt API, and a second which decrypts the payload using XOR and a hardcoded key.\r\nSelect samples using the Mirror crypter:\r\nSample Family SHA256 Hash  \r\nBazarLoader (IDB Sample) cbd830c745bbec26733214798fe144c61ef4bac342c853f8a08b682077b2178b  \r\nBazarLoader (XOR variant) b44d0261823595b303bdae62df7790b30c13a0a897978d30f3041c27a645eac6  \r\nIcedID 00c46232cdad873bf02787746fba9d196a6045bac1051154af7772f5b0f29b87  \r\nCobalt Strike 9eedbac3f1c8795cf1f04301ecf2d66aacacbbb9e6c087ed158f00f81fae7375  \r\nGalore\r\nWhilst the majority of ITG23’s current crypter stubs are coded in C/C++, it seems the developers also\r\nexperimented with alternative languages, producing crypters with loader stubs written in both the Go and Rust\r\nprogramming languages. Galore crypter uses the Go programming language and has been observed in the wild\r\nsince mid-2021, when it was frequently used to crypt BazarLoader payloads. The Go programming language has\r\nbecome increasingly popular with malware authors over the past few years due to its convenient cross-platform\r\nsupport, and the fact that it produces large and complex binaries upon compilation which can be tricky to reverse\r\nengineer and often have lower detection rates against AV applications than their C/C++ coded counterparts.\r\nUpon execution the Galore stub code decrypts the payload using XOR, and loads and executes the PE payload\r\nusing code based on the open-source Reflective DLL Injection project. 
The use of this Reflective DLL Injection\r\ncode is common in many of ITG23’s crypters.\r\nSelect samples using the Galore crypter:\r\nSample Family SHA256 Hash  \r\nBazarLoader 26be0ba3533703f5eeea8489e6a8881461dab7f597f33e546182ba1910953d09  \r\nRustic\r\nRustic crypter uses the Rust programming language which, like Go, has been seeing an increase in popularity with\r\nmalware developers. The payload is stored in the .rdata section of the loader and encrypted using an XOR-based\r\nalgorithm with two keys applied in multiple iterations. The crypter supports both shellcode and PE payloads, with\r\nshellcode payloads loaded into memory and executed directly, and PE payloads loaded in a similar manner to\r\nGalore crypter, using the Reflective DLL Injection technique.\r\nRustic-crypted samples were first observed in early September 2021, and the crypter has been used with malware including\r\nBazarLoader, IcedID, Cobalt Strike, Quantum, as well as implants from Sliver, which is a post-exploitation\r\nframework written in Go.\r\nFigure 7 — Rustic stub loader code responsible for loading and decrypting the payload\r\nFigure 8 — Strings within a Rustic-crypted sample indicate that the binary was written using the Rust language\r\nSelect samples using the Rustic crypter:\r\nSample Family SHA256 Hash\r\nSliver 45aa8efb6b1a9a0e0091040bb99a7c37d346aaf306fa4e31e9d5d9f0fef56676\r\nCobalt Strike e75fce425df2e878c7938cdf86c8e4bde541c68f75d55edb62a670af52521740\r\nBazarLoader 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad\r\nIcedID bec6dc7f7bfbded59d1a9290105e13ac91cf676ef5a4513bacbfcabf73630202\r\nQuantum 
fd7ca7af9b2b6c5ffdb3206d647301de8bea33a69679e117be30e9a601c5dea2\r\nTron\r\nTron crypter first appeared in the wild in September 2021 when it was used to crypt Trickbot binaries associated\r\nwith gtag rob132. Since then, it has been observed with payloads including Emotet, Trickbot, BazarLoader, IcedID,\r\nConti and Cobalt Strike. Of note, Tron is the crypter identified in this article from CERT-UA.\r\nTron-crypted binaries usually have their payload stored within the .text section of the stub loader which, upon\r\nexecution, unpacks and decompresses the payload, and then loads it into memory and executes it. The\r\ndecompression of the payload is performed using the Zlib library; however, the unpacking appears to be\r\nperformed using code originating from an obscure GitHub project called Megatron\r\n(https://github.com/akakist/megatron), specifically a module called ioBuffer.cpp which implements basic buffer\r\nmanipulation and unpacking functions. The Megatron project has since been taken down, but strings\r\nfrom its source code on GitHub could previously be observed within the unpacking functions in the crypted binaries.\r\nFigure 9 — The source code of ioBuffer.cpp as seen on GitHub\r\nThe above image shows the source code of ioBuffer.cpp as seen on GitHub, specifically the function\r\ninBuffer::get_8(), which contains the error string “inBuffer::get_8: noenough”. This same\r\nfunction and error string can be seen within the unpacking functions of the crypted binary.\r\nThe payload data is split into chunks which are delimited with the bytes ‘c3 cc cc cc’, where the number of ‘cc’\r\nbytes varies based on alignment. Bytes used to calculate the size of each chunk are added at the start of each\r\nchunk. 
The unpacking code parses the payload data, calculating the size of each chunk and appending the chunk\r\ndata to the output buffer whilst checking for and discarding the 0xc3 and 0xcc padding bytes.\r\nThe compressed and decompressed sizes are then parsed from the start of the unpacked data, and the\r\nzlib.decompress function is used to decompress the payload. One version of this crypter stores the payload in\r\nmultiple parts, which are unpacked individually and then joined together before decompression.\r\nSeveral other variants of the Tron crypter have also been observed. One example contains the same ioBuffer\nunpacking functions, but the payloads are decrypted using XOR rather than decompressed using Zlib. Some\nvariants also have the payload stored in the .data section, and others may encode the payload in a numeric ASCII\nformat.\nSome samples were identified containing path strings for header files such as the following:\nZ:\\cr4\\ballast\\5\\core\\src\\BitArray.h  \nZ:\\cr\\crypter4\\ballast\\3\\openjp2\\opj_intmath.h\nConsidering the PDB strings identified within Lore- and Error-crypted samples, these path strings may indicate that\nTron crypter is referred to as crypter4 within the group.\nSelect samples using the Tron crypter:\nSample Family SHA256 Hash\nCobalt Strike 44e2057c7466881a61e3b542ce055b3d54aa7d88040ce879a915e20ed996d097\nConti 38784c635de9716c09a6f11f4d76f6402b5f6638f1614ed929c7de136bb5301a\nEmotet 8d8138c23bf514a984918f7b5c5a7501e91b2c058574b7ce0b9ccbe638e82387\nTrickbot fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898\nBazarLoader b88382ef06808155253f631a06e31024436e19d5bffd34f9b03906295e82de52\nIcedID 2b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b\nHexa\nHexa crypter compresses and RC4-encrypts its payload, and then encodes it as a hexadecimal ASCII string to reduce\nentropy. 
This is then stored in the data sections of the stub binary, with some variants splitting the payload across\ntwo or three different sections. Upon execution, the payload is reconstructed, decompressed and decrypted, then\ncopied to a newly created memory section, and execution is transferred to the payload. Portable executable (PE)\npayloads may be preceded by a shellcode loader which is responsible for properly mapping the PE file into\nmemory and executing it.\nHexa makes use of code obfuscation techniques to hinder analysis efforts, including splitting the code into many\ntiny blocks separated by jumps, and the inclusion of blocks of junk data.\nHexa-crypted samples were observed towards the end of 2021, with payloads including BazarLoader, Cobalt\nStrike, and Conti. It has also seen an increase in usage over the past couple of months, where it has been used with\nmalware families including IcedID, QakBot and Gozi.\nSelect samples using the Hexa crypter:\nSample Family SHA256 Hash\r\nIcedID bbefa9f7747822e017580206931aec6e948e6cb3ca897b9615d87430b99e7d1e\r\nQakbot 0da8df441dc92d6719092aea1d3e9709e802aa87410279374d69626573fd3177\r\nBazarLoader 18bbaddacba7bcdda4a1a088a640e167271f44d6232c20aa7d88eceeb3028826\r\nCobalt Strike b51465ca7e71da2cd29072c819076c4efccb391dea353f16a36b0a60459b3358\r\nConti c77032c772e0ef0e3200edf38223f9c6047e56294e840ea79689b9e56048c69c\r\nGozi 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547\r\nStub\r\nStub crypter was first observed in November 2021. It has been used primarily in IcedID campaigns, but samples\r\nhave also been identified with payloads such as BazarLoader, Cobalt Strike, Conti, and Quantum ransomware,\r\nwhich is a variant of MountLocker and thought to be associated with the IcedID group.\r\nStub crypter stores the payload across multiple RCDATA-type resources with sequential IDs, e.g. 
200, 201, 202.\r\nThe first resource contains the encryption key, and the remaining resources each hold an encrypted section of the\r\npayload PE file.\r\nTo generate the encryption key, the malware takes the first resource, removes a 62-byte header, and then proceeds\r\nto generate each byte of the key by combining the next three bytes from the resource data using bitwise shift and\r\nOR operations. The final key length is usually 1024 bytes.\r\nThe malware then proceeds to decrypt the next resource using this key and a custom XOR-based algorithm, which\r\nvaries between samples. The first decrypted resource contains the PE header of the payload binary, and the loading\r\ncode uses information from this header to map each of the remaining PE sections into memory as it decrypts them\r\nfrom the resources. The loaded payload is then executed at its entry point.\r\nSelect samples using the Stub crypter:\r\nSample Family SHA256 Hash\r\nBazarLoader 936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26\r\nQuantum faf49653a0f057ed09a75c4dfc01e4d8e6fef203d0102a5947a73db80be0db1d\r\nCobalt Strike 84f1e4c2524fea85c43f9df6ac1449c95d2d3ba5bd7cb6bff2f4e1c97dc8cbe1\r\nIcedID 008a674e33435ce0b892d0a68ac6d01f9606c040da87b21a10ed069729ee04ff\r\nConti 41896f40197a6160fcab046b5fc63a36d0805dbb1ca5a03af35b92b27d9a0eb5\r\nError\r\nError crypter was prominent from late November 2021 to January 2022, when it was used to crypt samples in\r\nEmotet, IcedID and BazarLoader campaigns, as well as being used with Cobalt Strike payloads. Error-crypted\r\nbinaries contain a large amount of junk code and strings for obfuscation, with one variant seemingly designed to\r\nbe disguised as a hospital administration tool. 
Some samples also contain strings which appear to have been\r\ngenerated from literary texts such as ‘David Copperfield’.\r\nFigure 10 — Error-crypted sample containing strings relating to a hospital administration application\r\nError crypter encrypts its payload using XOR, and the encrypted payload is divided into small chunks which are\r\nscrambled and stored. Upon execution, the stub code uses a complicated series of functions to retrieve the data\r\nchunks and reconstruct the encrypted payload. The XOR key required for decryption is generated in a similarly\r\nconvoluted manner, with data being decrypted and retrieved from various sources and concatenated to form a\r\nstring. This string is then hashed, and the hash is used to generate the final XOR key.\r\nAn example of one of the strings used to generate the XOR decryption key is as follows:\r\n2021-12-03-mok.35022336.17:33:40===700524802745472.xKUzpAWUHQuKEHhnAwJ4MEDN4oDSNpNqXpt.2691200820897.302\r\nError crypter also includes some anti-debugging functions within the stub code, including checking for the\r\npresence of a debugger and checking the system time year against a hard-coded value.\r\nSome Error-crypted samples were found to contain the following PDB string:\r\nC:\\\\crypter7\\\\Bin\\\\x64\\\\Release\\\\Dll\\\\cryptERRDll.pdb\r\nThis PDB string suggests that this crypter may have been known as ‘crypter7’ or ‘cryptERR’ internally within\r\nITG23.\r\nSelect samples using the Error crypter:\r\nSample Family SHA256 Hash\r\nEmotet a7343086d72f81f91cedc05d88b11cf44ba5da9ac6c25983870f3a77f854f4e9\r\nBazarLoader f17718d8f12cfada48a9288bf5f91e81787e361071f82345364c8e85b539524a\r\nCobalt Strike 1d20191aee650fd8c58c6564ce9ff5b86138a954bc49a3e25033cc888fc85466\r\nIcedID f9f62722ff249e8219d4864dc46a1bbb3871b1b3f9c4139ffe2726b8f6f27ad0\r\nCharm\r\nCharm crypter was observed primarily in campaigns 
between August 2021 and October 2021, and has been seen\r\nloading payloads such as BazarLoader, Cobalt Strike, Conti, and MountLocker. Charm crypter compresses its\r\npayload using an arithmetic coding algorithm, and then XOR-encrypts the compressed data and splits it into many\r\nsmall segments which are stored throughout the loader binary. Charm-crypted binaries are obfuscated using junk\r\ncode to hinder analysis.\r\nSelect samples using the Charm crypter:\r\nSample Family SHA256 Hash\r\nBazarLoader 8758196b4266ca7809e54c84ff6767784cb105fce247ad3459a15bb8ef9032c8\r\nCobalt Strike 6eccc2f0b5fb42a7b59881acdef621cc086d6ab76dfd80e5a3b3542590197805\r\nConti 63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6\r\nQuantum 267f6ba1363b2dbf56ad7e324380782de682a59f7d647eaee7d92b1ba5d2fcfa\r\nGraven\r\nGraven crypter splits the payload into three parts which are stored in different sections of the generated loader\r\nbinary. Each part is then split into small pseudo-randomly sized chunks, delimited with pseudo-randomly sized\r\nchunks of null bytes. The algorithm to determine both the size of payload chunks and null-byte chunks is\r\ndeterministic with a fixed seed, allowing the payload to be reconstructed by the loader. Upon execution, the\r\npayload is rebuilt and decrypted using AES, then loaded into memory and executed. 
Some variants of Graven also\r\ninclude code to create a mutex with the name 7ce3e80173264ea19b05306b865eadf9.\r\nGraven-crypted samples were primarily observed between November 2021 and February 2022, and payloads\r\ninclude BazarLoader, Emotet, and IcedID.\r\nSelect samples using the Graven crypter:\r\nSample Family SHA256 Hash\r\nBazarLoader 4246dbf6daf37bac0e525bdd8122131bedf4e32f9542c4696fa525e1f71a6508\r\nEmotet 836d8e2f36ad80f937a377f568d78653e975e4b52db995ae18272dfecca9ac0f\r\nIcedID a61b1d70d469b8ca7acdbd26fc859e6aeb229c4636fe9c92eac856914f326ac8\r\nSkeleton\r\nSkeleton is a fairly basic crypter, which stores the payload as an XOR-encrypted MessageTable-type resource\r\nwithin the loader binary, often with just a hardcoded ASCII string used as the XOR key. Upon execution, the\r\npayload resource is loaded, decrypted, and executed in memory. Variants have been found loading either shellcode\r\nor PE-formatted payloads. PE payloads are mapped into memory, their imports loaded, and then executed from their\r\nentry point. 
Skeleton-crypted binaries have been observed loading Trickbot, Cobalt Strike and IcedID payloads\r\nbetween December 2021 and late March 2022.\r\nSelect samples using the Skeleton crypter:\r\nSample Family SHA256 Hash\r\nTrickbot 01c69d0acc8734993ba9cbfe9b0da4616bb05041e103afdb487759995b93ee5c\r\nIcedID 617e0f57f4283ca044003326663b5614d66f97e16bccdd8bec1321fad44a7195\r\nCobalt Strike 3dea0bac5c9ae010b4abeb532a3a347cd55682512ffe287dbb310d5d434777ef\r\nRecommendations\r\nEnsure anti-virus software and associated files are up to date.\r\nSearch for existing signs of the indicated IoCs in your environment.\r\nConsider blocking and/or setting up detection for all URL- and IP-based IoCs.\r\nKeep applications and operating systems running at the current released patch level.\r\nDo not install unapproved apps on a device that has access to the corporate network.\r\nExercise caution with attachments and links in emails.\r\nX-Force\r\nIf you have questions or want a deeper discussion on how IBM X-Force can help you with incident response,\r\nthreat intelligence, or offensive security services, schedule a follow-up meeting here:\r\nIBM X-Force Scheduler\r\nIf you are experiencing cybersecurity issues or an incident, contact X-Force to help.\r\nUS hotline 1-888-241-9812 Global hotline (+001) 312-212-8034\r\nSource: https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/"
	],
	"report_names": [
		"itg23-crypters-cooperation-between-cybercriminal-groups"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db844e6afff34ae148bad4f03a5e5741dbb4ef94.pdf",
		"text": "https://archive.orkl.eu/db844e6afff34ae148bad4f03a5e5741dbb4ef94.txt",
		"img": "https://archive.orkl.eu/db844e6afff34ae148bad4f03a5e5741dbb4ef94.jpg"
	}
}