{ "id": "d7cc93cb-69e6-41ed-b9ed-50d6c716b4c3", "created_at": "2026-04-06T00:09:31.375942Z", "updated_at": "2026-04-10T03:32:20.677764Z", "deleted_at": null, "sha1_hash": "e04a785fdc004fe3b65eb959f3f218cd063a358f", "title": "SerialVlogger (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 35912, "plain_text": "SerialVlogger (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:31:48 UTC\r\nwin.serialvlogger (Back to overview)\r\nSerialVlogger\r\nActor(s): APT41\r\nThis malware is protected using VMProtect and related to the loading of KEYPLUG.\r\nReferences\r\n2020-10-12 ⋅ Malwarebytes Labs ⋅ Hossein Jazi, Jérôme Segura, Malwarebytes Threat Intelligence Team, Roberto Santos\r\nWinnti APT group docks in Sri Lanka for new campaign\r\nDBoxAgent SerialVlogger Winnti\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.serialvlogger\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.serialvlogger\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.serialvlogger" ], "report_names": [ "win.serialvlogger" ], "threat_actors": [ { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434171, "ts_updated_at": 1775791940, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e04a785fdc004fe3b65eb959f3f218cd063a358f.pdf", "text": "https://archive.orkl.eu/e04a785fdc004fe3b65eb959f3f218cd063a358f.txt", "img": "https://archive.orkl.eu/e04a785fdc004fe3b65eb959f3f218cd063a358f.jpg" } }