{
	"id": "b48b2007-03dc-4195-8557-dc1d601a0cf6",
	"created_at": "2026-04-06T00:11:00.691771Z",
	"updated_at": "2026-04-10T03:36:48.303748Z",
	"deleted_at": null,
	"sha1_hash": "e6d2559f82776d456fa34bb6f74f00d44a945ba8",
	"title": "Gazavat / Expiro DMSniff connection and DGA analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1992423,
	"plain_text": "Gazavat / Expiro DMSniff connection and DGA analysis\r\nBy Jason Reaves\r\nPublished: 2023-08-30 · Archived: 2026-04-05 12:42:30 UTC\r\nBy: Jason Reaves and Joshua Platt\r\nGazavat, also known at least partially as Expiro, is a multi-functional backdoor that has code overlaps with the POS malware DMSniff[1]. Functionality includes:\r\nLoading other executables\r\nLoad hash cracking plugin\r\nLoad DMSniff plugin\r\nPerform webinjection and webfakes\r\nForm grabbing\r\nCommand execution\r\nDownload file from infected system\r\nConvert infection into proxy\r\nDDOS\r\nSpreading and EXE infecting\r\nRecovered Gazavat manual: [image]\r\nhttps://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d\r\nPage 1 of 15\n\nTechnical Overview\r\nGazavat, along with a few other malware variants over the years, has been lumped together by AV companies as a file infector called Expiro. This is due to code from the Carberp malware leak[2] being reused by multiple malware families. Gazavat itself, which is believed to be what AV companies initially referred to as Expiro, is much more complicated than a simple file infector. First, let’s see the connection to DMSniff, which is how this malware ended up catching my attention: the bot id for Gazavat is passed in the user agent, which is the same method used by DMSniff.\r\nDMSniff:\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 11.0; DSNF_2768=NT6.1.76016.1.7601-C386B17D.ENU.26F427F6-73\r\nGazavat[3]:\r\nMozilla/4.0 (compatible; MSIE 33; NT5.1.2600-74952D50.ENU.362235D7-ED9E5B-5D967F-1438147D; .NET CLR 0\r\nThe user agents are strikingly similar in their construction — the similarities do not stop there, though. Taking a look in the binary of Gazavat shows the exact same string encoding routine as DMSniff.\r\nDMSniff sample (7d69e2c4e75c76c201d40dbc04b9f13b2f47bf9667ce3b937dd4b1d31b11a8af) string decryption routine: [image]\r\nGazavat sample (a3f886db3d2691794e9ec27dca65dcc5d96e6095ec1de5275967a6e6d156d1f7) string decryption routine: [image]\r\nBy taking the YARA rule from previous research and broadening it out a bit, we are able to find hundreds of samples recently submitted to VirusTotal and begin decoding the strings. Afterwards the various types of functionality available can be discovered.\r\nCred Harvesting\r\n00sqlite3_open|03sqlite3_free|01sqlite3_close|02sqlite3_exec|\r\n\\\\mozsqlite3.dll\r\n\\\\mozglue.dll\r\n\\\\msvcr100.dll\r\n\\\\mozcrt19.dll\r\nFZILLA|ftp://\r\n\\\\FileZilla\\\\sitemanager.xml\r\nINETCOMM Server Passwords\r\nSoftware\\\\Microsoft\\\\Internet Explorer\\\\IntelliForms\\\\Storage2\r\nProxy UPNP\r\n\u003cs:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlso\r\n\u003c?xml version=\"1.0\"?\u003e\u003cs:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\r\nM-SEARCH * HTTP/1.1\\r\\nHOST: 239.255.255.250:1900\\r\\nMAN: \"ssdp:discover\"\\r\\nMX: 1\\r\\nST: urn:schemas\r\nPOST %s HTTP/1.1\\r\\nHOST: %s:%u\\r\\nCONTENT-LENGTH: %u\\r\\nCONTENT-TYPE: text/xml; charset=\"utf-8\"\\r\\nS\r\n\u003cNewRemoteHost\u003e\u003c/NewRemoteHost\u003e\u003cNewExternalPort\u003e%i\u003c/NewExternalPort\u003e\u003cNewProtocol\u003e%s\u003c/NewProtocol\u003e\u003cNew\r\nschemas-upnp-org:control-1-0\r\nAV Scanning\r\n|wscsvc|WinDefend|MsMpSvc|NisSrv|\r\n\\\\Microsoft Security Client\\\\\r\n\\\\Windows Defender\\\\\r\nDropping Browser Extensions\r\nsoftware\\\\Mozilla\\\\Mozilla FireFox\r\n\\r\\nExtension%u=%s\\\\%s\r\n[ExtensionDirs]\r\n.ini\r\nchrome\\\\content.jar\r\ncomponents\r\nchrome\r\n{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\r\ninstall.rdf\r\nchrome.manifest\r\nchrome\\\\content\r\ncomponents\\\\red.js\r\n%s\\\\%s\\\\extensions\r\n%s\\\\*\r\n%s\\\\Mozilla\\\\Firefox\\\\Profiles\r\ncontent.js\r\nmanifest.json\r\nbackground.js\r\n##HOST_ID##\r\n##DOMAIN##\r\n##XERSION##\r\nExtensions\\\\\r\ndlddmedljhmbgdhapibnagaanenmajcm\r\n\"f (document.location.href==\\'chrome://tasks/\\') parent.self.location=\\'chrome://sessions/\\';\\n\r\nif (document.location.href==\\'chrome://extensions-frame/\\') { window.setInterval(CheckExt,10); };\\n\r\nfunction CheckExt(){ var el=document.getElementById(\\'%s\\'); if (el != null) el.parentNode.removeChil\r\n\u003c?xml version=\"1.0\"?\u003e\\n\\n\u003cRDF xmlns=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"\\n xmlns:em=\"htt\r\n\u003e90.*\u003c/em:maxVersion\u003e\\n \u003c/Description\u003e\\n \u003c/em:targetApplication\u003e\\n\\n \u003cem:name\u003e.\u003c/em:name\u003e\\\r\ncontent\\tsample\\tjar:chrome/content.jar!/content/\\n#content\\tsample\\tchrome/content/\\n\\noverlay chrom\r\nDGA related\r\n%s%c%c%c%c-%c%c%c%c%c.com\r\n%s%c%c%c%c%c-%c%c%c%c.ru\r\nWebinjects and Webfakes (via browser extension)\r\nCard related\r\nVISA\r\nMasterCard\r\nUnable to authorize.\\n%s processing center is unable to authorize your card %s.\\nMake corrections and\r\nUnable to authorize\r\n)=====\\r\\n\\r\\n\r\n\\r\\n\\r\\n=====[\r\nThe samples also come with an encoded list of C2 domains. In the event that the binary is built to perform webinjection attacks, a second list will also be on board that will be utilized by the browser extension, as mentioned in previous work[3].\r\nDecoded C2 list example:\r\nvietwarok[.]in#fari-khan[.]in#oldlexus-sales[.]in#viewofpakiwar[.]in#prom-zonaars[.]ru#avchecpk[.]ru#\r\nDecoded list for the browser extension traffic:\r\nsystemtime[.]ru#systemsync[.]ru#altruist[.]pro#uni-link[.]in#fedlaw-gosdep[.]ru#save-galapagos-turtle\r\nDGA\r\nAs previously mentioned, some strings are related to a DGA. The DGA is different from DMSniff’s, and it is also much more obfuscated in the binaries we reverse-engineered. It’s worth mentioning that this malware has been around for a long time, so there are likely more variants than have been found so far. The biggest difference in the algorithm is the usage of a hardcoded string, which in the samples analyzed was always a single character, and the structure of the domain in the strings:\r\n%s%c%c%c%c-%c%c%c%c%c.com\r\n%s%c%c%c%c%c-%c%c%c%c.ru\r\nThe algorithm creates 9 char values, a mix of vowels and consonants, along with the hardcoded piece, which was a single char value stored as a C-style string.\r\nThere are two functions used to pick the chars, which have remained static in the samples found — one for picking a vowel and one for picking a consonant: [images]\r\nPython versions:\r\ndef rand_vowel_char(a):\r\n    # Map the low byte of the input (0..255) onto six buckets (0..5), one vowel per bucket\r\n    val = int((a \u0026 0xff) / 0x2b) \u0026 0xff\r\n    if val == 4:\r\n        return chr(111)  # 'o'\r\n    if val == 5:\r\n        return chr(97)   # 'a'\r\n    if val == 3:\r\n        return chr(105)  # 'i'\r\n    if val == 2:\r\n        return chr(117)  # 'u'\r\n    if val == 0:\r\n        return chr(101)  # 'e'\r\n    if val == 1:\r\n        return chr(121)  # 'y'\r\n    return chr(val)\r\n\r\ndef rand_const_char(a):\r\n    # Map the low byte of the input onto 'a'..'z', then step past vowels (and 'j') to the next letter\r\n    val = int((a \u0026 0xff) / 0xa + 97) \u0026 0xff\r\n    if val in [121, 111, 101, 117, 97, 106, 105]:\r\n        val += 1\r\n    return chr(val)\r\nBelow are two examples of the DGA algorithm where one can see that the general flow remains the same, but there are some obfuscation additions that change between samples: [images]\r\nAfter getting through the obfuscation, a recreation of the algorithm in Python can be seen below:\r\ndef dga(a):\r\n    hc_char = chr(102)  # hardcoded single-character prefix ('f' in this sample)\r\n    # Multipliers derived from the high bytes of the seed\r\n    t1 = 9 * int((a + 1) / 256) + 31\r\n    t2 = 7 * 3 + 17 * int((a + 1) / 256)\r\n    t3 = 11 * 3 + 23 * int((a + 1) / 0x10000)\r\n    # Nine generated characters, alternating consonant/vowel\r\n    v1 = rand_const_char(t1 * (a + 1))\r\n    v2 = rand_vowel_char(12 * (a + 1))\r\n    v3 = rand_const_char(t2 * (a + 1))\r\n    v4 = rand_vowel_char(113 * (a + 1))\r\n    v5 = rand_const_char(a + 1)\r\n    v6 = rand_vowel_char(47 * (a + 1))\r\n    v7 = rand_const_char(t3 * (a + 1))\r\n    v8 = rand_vowel_char(73 * (a + 1))\r\n    v9 = rand_const_char(67 * (a + 1))\r\n    # TLD selection is a parity test: 2 * (x \u003e\u003e 1) == x holds iff x is even.\r\n    # The listing tests a decompiler-named local, v17, which it does not define.\r\n    if 2 * (ord(v17) \u003e\u003e 1) == ord(v17):\r\n        tld = '.ru'\r\n        dom = hc_char + v1 + v2 + v3 + v4 + v5 + '-' + v6 + v7 + v8 + v9 + tld\r\n    else:\r\n        tld = '.com'\r\n        dom = hc_char + v1 + v2 + v3 + v4 + '-' + v5 + v6 + v7 + v8 + v9 + tld\r\n    return dom\r\nYARA\r\nrule gaza_dga\r\n{\r\n    strings:\r\n        $a1 = {0f b6 ?? ?? b9 2b 00 00 00 ba 83 be a0 2f f7 e2 c1 ?? 03}\r\n        $const1 = {0f b6 ?? ?? b9 0a 00 00 00 ba cd cc cc cc f7 e2 c1 ?? 03}\r\n    condition:\r\n        all of them\r\n}\r\nrule gazavat_broad_hunting\r\n{\r\n    strings:\r\n        $a1 = {b9 ?? 00 00 00 [1-2] f7 ?? 0f b6}\r\n        $a2 = {31 d? 89 ?? 8? [1-8] 0f b? ?? ?? 0f b? ?? ?? 3? d?}\r\n    condition:\r\n        all of them\r\n}\r\nSamples\r\nDMSniff\r\n7d69e2c4e75c76c201d40dbc04b9f13b2f47bf9667ce3b937dd4b1d31b11a8af\r\nGazavat\r\nMutex\r\ngazavat-svc\r\nkkq-vx\r\nBrowser Extensions\r\nmdgkfajodaliacghnafobjnclblcfmlm\r\ndlddmedljhmbgdhapibnagaanenmajcm\r\n\\1.0_0\\background.js\r\n\\1.0_0\\content.js\r\n\\1.0_0\\manifest.json\r\n{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\\chrome.manifest\r\n{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\\chrome\\content.jar\r\n{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\\components\\red.js\r\n{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\\install.rdf\r\nReferences\r\n1: https://flashpoint.io/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/\r\n2: https://github.com/m0n0ph1/malware-1/blob/master/Carberp%20Botnet/source%20-%20absource/pro/all%20source/Worm/Black_JW/kkqvx.h\r\n3: https://stopmalvertising.com/malware-reports/abuse-teams-targeted-by-expiro-analysis.html\r\n4: https://malware447.rssing.com/chan-6195220/all_p2.html\r\nSource: https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d"
	],
	"report_names": [
		"gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434260,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6d2559f82776d456fa34bb6f74f00d44a945ba8.pdf",
		"text": "https://archive.orkl.eu/e6d2559f82776d456fa34bb6f74f00d44a945ba8.txt",
		"img": "https://archive.orkl.eu/e6d2559f82776d456fa34bb6f74f00d44a945ba8.jpg"
	}
}