{
	"id": "721f8cd3-b49e-4465-aab3-19b517c70faf",
	"created_at": "2026-04-06T00:08:46.843589Z",
	"updated_at": "2026-04-10T03:32:56.632117Z",
	"deleted_at": null,
	"sha1_hash": "ebcdcb7230fd5a8947840d1fb058b55fa012bbf9",
	"title": "AdWind (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71307,
	"plain_text": "AdWind (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:38:48 UTC\r\nAdWind\r\naka: AlienSpy, JSocket, Frutas, UNRECOM, JBifrost, Sockrat\r\nURLhaus              \r\nPart of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information\r\n- terminate process\r\n- log keystrokes\r\n- take screenshot and access webcam\r\n- steal cached passwords from local or web forms\r\n- download and execute malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\nInitial infection vector\r\n1. Email with JAR files attached\r\n2. Malspam URL to download the malware\r\nPersistence\r\n- Run key - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHiding\r\nUses attrib.exe\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware\r\nReferences\r\n2021-11-23 ⋅ HP ⋅\r\nRATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind\r\nPage 1 of 3\n\nAdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos\r\n2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel\r\nThe State of SSL/TLS Certificate Usage in Malware C\u0026C Communications\r\nAdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex\r\nFindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT\r\nRockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader\r\n2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2020\r\nAdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT\r\nStealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer\r\nRemcos Zloader\r\n2020-06-28 ⋅ Security-in-Bits ⋅ Security-in-Bits\r\nInteresting tactic by Ratty \u0026 Adwind for distribution of JAR appended to signed 
MSI\r\nAdWind Ratty\r\n2020-04-29 ⋅ Zscaler ⋅ Sudeep Singh\r\nCompromised Wordpress sites used to distribute Adwind RAT\r\nAdWind\r\n2019-05-20 ⋅ Check Point ⋅ Ben Herzog\r\nMalware Against the C Monoculture\r\nAdWind jRAT GhostMiner Zebrocy\r\n2018-09-24 ⋅ Cisco Talos ⋅ Paul Rascagnères, Robert Perica, Tomislav Pericin, Vitor Ventura\r\nAdwind Dodges AV via DDE\r\nAdWind\r\n2018-08-20 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nInteresting hidden threat since years ?\r\nAdWind\r\n2018-03-12 ⋅ Github (herrcore) ⋅ Sergei Frankoff\r\nPython decryptor for newer AdWind config file\r\nAdWind\r\n2018-02-16 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nNew jRAT/Adwind Variant Being Spread With Package Delivery Scam\r\nAdWind\r\n2017-10-03 ⋅ Seqrite ⋅ Pavankumar Chaudhari\r\nEvolution of jRAT JAVA Malware\r\nAdWind\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind\r\nPage 2 of 3\n\n2017-07-11 ⋅ Trend Micro ⋅ Marshall Chen, Rubio Wu\r\nSpam Campaign Delivers Cross-platform Remote Access Trojan Adwind\r\nAdWind\r\n2017-07-04 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\nMALSPAM WITH JAVA-BASED RAT\r\nAdWind\r\n2015-12-08 ⋅ The Citizenlab ⋅ Claudio Guarnieri, John Scott-Railton, Marion Marschalek, Morgan Marquis-Boire\r\nPackrat: Seven Years of a South American Threat Actor\r\nAdWind Adzok CyberGate Xtreme RAT Packrat\r\nYara Rules\r\n[TLP:WHITE] jar_adwind_w0 (20170803 | Adwind RAT)\r\n[TLP:WHITE] jar_adwind_w1 (20170803 | Alien Spy Remote Access Trojan)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind"
	],
	"report_names": [
		"jar.adwind"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d001e298-8608-4ee6-96c7-e5afb62d718d",
			"created_at": "2022-10-25T16:07:24.035765Z",
			"updated_at": "2026-04-10T02:00:04.847015Z",
			"deleted_at": null,
			"main_name": "Packrat",
			"aliases": [],
			"source_name": "ETDA:Packrat",
			"tools": [
				"Adwind",
				"Adwind RAT",
				"Adzok",
				"Alien Spy",
				"AlienSpy",
				"CyberGate",
				"CyberGate RAT",
				"ExtRat",
				"Frutas",
				"Invisible Remote Administrator",
				"JBifrost RAT",
				"JSocket",
				"Rebhip",
				"Sockrat",
				"Trojan.Maljava",
				"UnReCoM",
				"Unknown RAT",
				"Unrecom",
				"Xtreme RAT",
				"XtremeRAT",
				"jBiFrost",
				"jConnectPro RAT",
				"jFrutas"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02a7064e-447b-433e-ac14-6f10d476f517",
			"created_at": "2023-01-06T13:46:38.520097Z",
			"updated_at": "2026-04-10T02:00:03.010392Z",
			"deleted_at": null,
			"main_name": "Packrat",
			"aliases": [],
			"source_name": "MISPGALAXY:Packrat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775791976,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ebcdcb7230fd5a8947840d1fb058b55fa012bbf9.pdf",
		"text": "https://archive.orkl.eu/ebcdcb7230fd5a8947840d1fb058b55fa012bbf9.txt",
		"img": "https://archive.orkl.eu/ebcdcb7230fd5a8947840d1fb058b55fa012bbf9.jpg"
	}
}