{
	"id": "e13b16df-0f4c-404e-880a-e3bb647f6221",
	"created_at": "2026-04-06T00:08:36.582608Z",
	"updated_at": "2026-04-10T03:33:36.008746Z",
	"deleted_at": null,
	"sha1_hash": "efe3eec42a4e6164e29c45ba09be68d39af0835e",
	"title": "KryptoCibule: The multitasking multicurrency cryptostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 401119,
	"plain_text": "KryptoCibule: The multitasking multicurrency cryptostealer\r\nBy Matthieu Faou and Alexandre Côté Cyr\r\nArchived: 2026-04-05 18:52:33 UTC\r\nESET researchers have uncovered a hitherto undocumented malware family that we named KryptoCibule. This malware is\r\na triple threat in regard to cryptocurrencies. It uses the victim's resources to mine coins, tries to hijack transactions by\r\nreplacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple\r\ntechniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its\r\ncommunication infrastructure.\r\nThe malware, written in C#, also employs some legitimate software. Some, such as Tor and the Transmission torrent client,\r\nare bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server. An\r\noverview of the various components and their interactions is shown in Figure 1.\r\nFigure 1. KryptoCibule components and tools\r\nWhen the malware is first executed, the host is assigned a unique identifier with the format {adjective}-{noun} where\r\n{adjective} and {noun} are random words taken from two hardcoded lists which provide over 10 million unique\r\ncombinations. This identifier is then used to identify the host in communications with the C\u0026C servers.\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 1 of 13\n\nOn top of the crypto-related components, KryptoCibule also has RAT functionality. 
Among the commands it supports are\r\nEXEC, which allows execution of arbitrary commands, and SHELL, which downloads a PowerShell script from the C\u0026C.\r\nThis script then loads a backdoor generated with the post-exploitation tool Pupy.\r\nThe name KryptoCibule derives from the Czech and Slovak words for “crypto” and “onion”.\r\nTimeline\r\nWe have uncovered multiple versions of this malware, enabling us to trace its evolution all the way back to December\r\n2018. Figure 2 shows the changes made over time to KryptoCibule.\r\nFigure 2. Timeline of updates and functionality changes\r\nTargets\r\nAccording to ESET telemetry (shown in Figure 3), the malware seems to target mostly users in Czechia (the Czech\r\nRepublic) and Slovakia. This reflects the user base of the site on which the infected torrents are found.\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 2 of 13\n\nFigure 3. In our telemetry data, over 85% of detections were located in Czechia and Slovakia\r\nAlmost all the malicious torrents were available on uloz.to, a popular file sharing site in Czechia and Slovakia (see Figure\r\n4). We'll explain how these torrents are used to spread KryptoCibule in the next section.\r\nFigure 4. 
One of the malicious torrents on uloz.to\r\nAs detailed in the Anti-detection and anti-analysis techniques section below, KryptoCibule specifically checks for ESET,\r\nAvast, and AVG endpoint security products; ESET is headquartered in Slovakia, while the other two are owned by Avast,\r\nwhich is headquartered in Czechia.\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 3 of 13\n\nTorrents\r\nKryptoCibule makes use of the BitTorrent protocol to spread to new victims and to download additional tools and updates.\r\nInitial Compromise\r\nKryptoCibule is spread through malicious torrents for ZIP files whose contents masquerade as installers for cracked or\r\npirated software and games. Although other files may be included, as seen in Figure 5, there are five that are common to all\r\nKryptoCibule installer archives. packed.001 is the malware, while packed.002 is the installer for the expected software.\r\nBoth are XOR-encrypted with keys contained in Setup.exe.\r\nWhen Setup.exe is executed, it decodes both the malware and the expected installer files. It then launches the malware – in\r\nthe background – and the expected installer – front and center – giving the victim no indication that anything is amiss.\r\nFigure 5. Content of the Dead.Cells.Incl.All.DLC archive with only the minimum common set of KryptoCibule installer files\r\nshown\r\nAdditional software and updates\r\nThe BitTorrent protocol is also used to download updates to the malware, and additional software.\r\nKryptoCibule installs the transmission-daemon torrent client and manages it by issuing commands via its RPC interface on\r\nport 9091 with transmission-remote. 
The RPC interface uses the hardcoded credentials superman:krypton.\r\nTo install further software for the malware’s use, such as the SFTP server, the Launcher component makes an HTTP GET\r\nrequest to %C\u0026C%/softwareinfo?title=\u003csoftware name\u003e and receives a JSON response containing a magnet URI for the\r\ntorrent to download and other information indicating how to install and execute the program. Figure 6 shows an example of\r\nsuch a response.\r\n{\"Magnet\": \"magnet:?xt=urn[:]btih:67yd647nivxhumoedvwnwnzve55b3bxj\u0026dn=free-BuruServer-x64-v1.7.3.zip\", \"Version\": 1,\"Exe\r\nFigure 6. Sample response for a GET /softwareinfo?title=ssh_server request\r\nThe mechanism for getting updates is similar. The malware first gets global settings via HTTP from %C\u0026C%/settingsv5.\r\nAmong other things, this response contains a magnet URI for the latest version of the malware. It then makes a GET\r\nrequest to %C\u0026C%/version to get the most recent version number. If the local version is lower than that version, the torrent\r\nis downloaded and installed.\r\nTorrents are added to Transmission using the following command:\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 4 of 13\n\ntransmission-remote localhost -n superman:krypton -a \"\u003cmagnet URI\u003e\"\r\nA hardcoded list of 50 trackers is used to get peers for all torrents.\r\nSeeding malicious torrents\r\nVictims are also used to seed both the torrents used by the malware and the malicious torrents that help spread it. Infected\r\nhosts get a list of magnet URIs from %C\u0026C%/magnets, download them all and keep seeding them. 
This ensures that these\r\nfiles are widely available for others to download, which helps speed up the downloads and provides redundancy.\r\nAnti-detection and anti-analysis techniques\r\nThis malware leverages a variety of techniques to avoid detection, along with some basic anti-analysis protections.\r\nIt starts with the initial access vector. The executable contained inside the ZIP archive is a rather benign installer program\r\nthat masquerades as the legitimate InstallShield program. This file is scrambled with the open source program Obfuscar.\r\nThis same tool is used on all of the malware's custom executables. The malicious code itself is located inside an XOR-encrypted file, the key being a GUID hardcoded in Setup.exe.\r\nThe malware is then installed to the hardcoded path %ProgramFiles(x86)%\\Adobe\\Acrobat Reader DC\\Reader\\update and\r\nuses legitimate Adobe Acrobat Reader executable names for the bundled Tor executable and its own. Some of the files\r\ncontained in the install folder can be seen in Figure 7.\r\nFigure 7. Some of the files in the install folder. Armsvc.exe is the malware and ADelRCP.exe is the Tor executable. Both\r\nfilenames are actually used by Adobe Reader.\r\nTo achieve persistence, KryptoCibule creates a scheduled task to be run every five minutes with the following command.\r\nOnce again, it uses an Adobe Reader-related name.\r\nschtasks.exe /CREATE /SC MINUTE /MO 5 /TN \"Adobe Update Task\" /TR \\\"\"%ProgramFiles(x86)%\\Adobe\\Acrobat\r\nReader DC\\Reader\\Update\\armsvc.exe\\\"\" [/RL HIGHEST] /F [/RU SYSTEM]\r\nBefore first executing its payload and on every iteration of the main loop, the malware performs a check for running\r\nanalysis software using the following list. 
If any process with a matching name is found, it stops all running components\r\nand exits.\r\ncain\r\nfilemon\r\nnetmon\r\nnetstat\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 5 of 13\n\nnmwifi\r\nperfmon\r\nprocesshacker\r\nprocexp\r\nprocexp64\r\nprocmon\r\nregmon\r\ntasklist\r\ntaskmgr\r\ntcpvcon\r\ntcpview\r\nwireshark\r\nAntivirus evasion\r\nBefore initializing the cryptominer components, the malware performs a case-insensitive check of the\r\nroot\\SecurityCenter2\\AntiVirusProduct WMI object for the strings avast, avg and eset, as seen in the decompiled code in\r\nFigure 8. If any of these strings is detected, the cryptominer components will not be\r\ninstalled.\r\nFigure 8. Cleaned up decompiled code of the function used to check for specific security products\r\nWhenever the malware installs itself, an update or a new component, the install path used is excluded from Windows\r\nDefender automatic scanning by issuing the following command:\r\npowershell -c \"Add-MpPreference -ExclusionPath '\u003cinstall path\u003e'\"\r\nIt also creates firewall rules using innocuous-looking names to explicitly allow inbound and outbound traffic from its\r\ncomponents. A rule to block outbound traffic from the ESET Kernel Service (ekrn.exe) is also created by the function\r\nshown in Figure 9.\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 6 of 13\n\nFigure 9. Function that blocks outbound traffic from ekrn.exe in the Windows Firewall\r\nTor network usage\r\nKryptoCibule brings along the tor.exe command line tool, masquerading as ADelRCP.exe, and a configuration file (seen in\r\nFigure 10) as libstringutils.dll.\r\nFigure 10. 
The Tor configuration file used by the latest version of the malware\r\nThis sets up a SOCKS proxy on port 9050 that is used by the malware to relay all communications with the C\u0026C servers\r\nthrough the Tor network. This has the dual benefit of encrypting the communications and making it virtually impossible to\r\ntrace the actual server or servers behind these URIs.\r\nThe second part of the configuration file sets up onion services on the victimized host. These are accessible by the operators\r\nover the Tor network. When first starting up these services, Tor automatically generates a .onion URI for the host. This\r\nunique hostname is then sent to %C\u0026C%/transferhost/\u003cunique name\u003e. We will discuss how these onion services are used\r\nin the upcoming sections.\r\nPort Number Service\r\n9091 Transmission Daemon RPC interface\r\n9999 Apache httpd server\r\n9187 Buru SFTP server\r\n9188 Buru Web Admin\r\n12461 MiniWeb HTTP server\r\nThe onion URIs for two C\u0026C servers are contained in the malware. One of these provides a REST API that the malware\r\nuses for most communications, while the other is used to download files. Additional URIs can be obtained one at a time\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 7 of 13\n\nwith a request to %C\u0026C%/server.  Some older versions of the malware use these to download updates via port 12461. We\r\nbelieve that these URIs point to other infected hosts. 
The versions of the malware that use them have code to place their\r\ndownloaded updates into a directory served by the MiniWeb HTTP server on that same port.\r\nWe were able to identify one IP address for the file server C\u0026C in our telemetry data.\r\nAcquiring cryptocurrency\r\nKryptoCibule has three components that leverage infected hosts in order to obtain cryptocurrencies.\r\nCryptomining\r\nThe latest versions of KryptoCibule use XMRig, an open source program that mines Monero using the CPU, and\r\nkawpowminer, another open source program that mines Ethereum using the GPU. The second one is only used if a\r\ndedicated GPU is found on the host. Both of these programs are set up to connect to an operator-controlled mining server\r\nover the Tor proxy.\r\nOn every iteration of the main loop, the malware checks the battery level and the time since the last user input. It then starts\r\nor stops the miner processes based on this information. If the host has received no user input in the last 3 minutes and has at\r\nleast 30% battery, both the GPU and CPU miners are run without limits. Otherwise, the GPU miner is suspended, and the\r\nCPU miner is limited to one thread. If the battery level is under 10%, both miners are stopped. This is done to reduce the\r\nlikelihood of being noticed by the victim.\r\nClipboard hijacking\r\nThe second component masquerades as SystemArchitectureTranslation.exe. It uses the AddClipboardFormatListener\r\nfunction to monitor changes to the clipboard and to apply the replacement rules obtained from %C\u0026C%/regexes to its\r\ncontent. The code for this listener is shown in Figure 11. The value 0x31D corresponds to the WM_CLIPBOARDUPDATE\r\nconstant.\r\nThese rules, in the form \u003cregular_expression\u003e!\u003cwallet\u003e, match the format of cryptocurrency wallet addresses and replace\r\nthem with addresses of wallets controlled by the malware operator. 
This is an attempt to redirect transactions made by the\r\nvictim to the operator's wallets. This component uses a FileSystemWatcher to reload replacement rules whenever the\r\nsettings.cfg file is changed.\r\nFigure 11. Decompiled code for the listener function used by the clipboard hook\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 8 of 13\n\nAt the time of this writing, the wallets used by the clipboard hijacking component had received a little over US$1800 in\r\nBitcoin and Ethereum. One such wallet is shown in Figure 12. By correlating wallets used as sources in the same\r\ntransactions as known ones, we were able to uncover at least four additional Bitcoin wallets that likely belong to\r\nKryptoCibule's operators.\r\nFigure 12. A Bitcoin wallet used by the clipboard-hijacking component\r\nFile exfiltration\r\nThe third component walks through the filesystem of each available drive and looks for filenames that contain certain\r\nterms. A list of such terms we obtained during our investigation is shown in Figure 13.\r\n[\"wallet.dat\", \"utc--2014\", \"utc--2015\", \"utc--2016\", \"utc--2017\", \"utc--2018\", \"utc--2019\", \"utc--2020\", \".address.txt\"\r\nFigure 13. A list of words to search for, taken from the GET %C\u0026C%/settingsv5 response\r\nMost terms refer to cryptocurrencies, wallets or miners, but a few more generic ones like crypto (in several languages),\r\nseed and password are present also. The list contains similar terms in Czech and Slovak such as heslo, hesla and banka\r\n(these are the words for \"password\", \"passwords\" and \"bank\", respectively). A few terms also correspond to paths or files\r\nthat could provide other interesting data (Desktop, private) including private keys (.ssh, .aws). 
It gathers the full path of\r\neach of the matching files and sends the list to %C\u0026C%/found/\u003cunique name\u003e.\r\nWe believe that this works in tandem with the SFTP server running as an onion service on port 9187. This server creates\r\nmappings for every available drive and makes them available using credentials hardcoded in the malware. The gathered\r\npaths can thus be used for file exfiltration by having an attacker-controlled machine request them from the infected host\r\nover SFTP.\r\nKryptoCibule also installs a legitimate Apache httpd server that is configured to act as a forward proxy without any\r\nrestrictions and that is reachable as an onion service on port 9999.\r\nConclusion\r\nThe KryptoCibule malware has been in the wild since late 2018 and is still active, but it doesn't seem to have attracted\r\nmuch attention until now. Its use of legitimate open-source tools along with the wide range of anti-detection methods\r\ndeployed are likely responsible for this. The relatively low number of victims (in the hundreds) and their being mostly\r\nconfined to two countries may also contribute to this. New capabilities have regularly been added to KryptoCibule over its\r\nlifetime and it continues to be under active development.\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 9 of 13\n\nPresumably the malware operators were able to earn more money by stealing wallets and mining cryptocurrencies than\r\nwhat we found in the wallets used by the clipboard hijacking component. 
The revenue generated by that component alone\r\ndoes not seem enough to justify the development effort observed.\r\nIndicators of Compromise (IoCs)\r\nThe comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nSamples\r\nSHA-1 Filename\r\nESET detection\r\nname\r\n3BCEF852639F85803974943FC34EFF2D6D7D916D armsvc.exe MSIL/KryptoCibule.A\r\n352743EBE6A0638CC0614216AD000B6A43C4D46E SystemArchitectureTranslation.exe MSIL/KryptoCibule.A\r\n70480D5F4CB10DE42DD2C863DDF57102BE6FA9E0 Updater.exe MSIL/KryptoCibule.A\r\n2E568CDF9B28824FBA1D7C16D8D0BE1D73A3FEBA Setup.exe MSIL/KryptoCibule.A\r\nNetwork\r\nrlwryismmgjijryr55u5rqlbqghqvrwxe5qgxupuviyysxkky5wah6yd.onion\r\n4dtu3lxrpx6nn7snjovoc3ldiy4x67k7qsrgzftvkrttoqbwnsuirhqd.onion\r\nv6lajszeqfkt3h2nptorindpf3mow5p3thrx2vuqbqzbv3tjrcqmgdqd.onion\r\nScheduled Tasks\r\nName Executable Path\r\nGoogleUpdateTask %LocalAppData%\\Microsoft\\Architecture\\SystemArchitectureTranslation.exe\r\nAdobe Update Task %ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\armsvc.exe\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 7 of the ATT\u0026CK framework.\r\nTactic ID Name Description\r\nInitial\r\nAccess\r\nT1189 Drive-by Compromise\r\nKryptoCibule is spread through torrent and file-sharing websites.\r\nExecution\r\nT1059.001\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\nKryptoCibule directly executes PowerShell\r\ncommands.\r\nSome commands received from the C\u0026C use\r\nPowerShell.\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 10 of 13\n\nTactic ID Name Description\r\nT1059.003\r\nCommand and Scripting\r\nInterpreter: Windows\r\nCommand Shell\r\nCommands received from the KryptoCibule C\u0026C\r\nare executed with cmd.exe.\r\nT1106 Native API\r\nKryptoCibule uses the\r\nSystem.Diagnostics.Process C# class to run\r\nprocesses.\r\nT1204.002 User Execution: Malicious 
File\r\nKryptoCibule requires victims to run an installer\r\nfrom a downloaded torrent.\r\nPersistence T1053.005\r\nScheduled Task/Job:\r\nScheduled Task\r\nKryptoCibule attains persistence by creating a\r\nscheduled task to run the main executable every\r\nfive minutes.\r\nDefense\r\nEvasion\r\nT1027\r\nObfuscated Files or\r\nInformation\r\nKryptoCibule executables are obfuscated with\r\nObfuscar.\r\nT1036 Masquerading\r\nKryptoCibule components use misleading names\r\nand a configuration file masquerades as a DLL.\r\nT1036.004\r\nMasquerading: Masquerade\r\nTask or Service\r\nKryptoCibule tasks are named after legitimate and\r\nbenign looking software.\r\nT1036.005\r\nMasquerading: Match\r\nLegitimate Name or Location\r\nKryptoCibule uses paths and filenames that match\r\nthose of Adobe Reader for malware and Tor client.\r\nBuruServer uses paths and filenames for\r\nOpenSSH.\r\nTransmission is installed to Java runtime\r\ndirectories.\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nThe files that come with the KryptoCibule\r\ninstaller are XOR-encrypted.\r\nPowerShell commands from the KryptoCibule\r\nC\u0026C are base64-encoded.\r\nT1497\r\nVirtualization/Sandbox\r\nEvasion\r\nThe KryptoCibule payload is not executed if an\r\nanalysis tool is detected.\r\nT1497.002\r\nVirtualization/Sandbox\r\nEvasion: User Activity Based\r\nChecks\r\nKryptoCibule uses the time since last input to set\r\nlimits on cryptominer CPU usage.\r\nT1562.001\r\nImpair Defenses: Disable or\r\nModify Tools\r\nKryptoCibule uses Add-MpPreference -\r\nExclusionPath to exclude malware and installed\r\ntools from Windows Defender scanning.\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 11 of 13\n\nTactic ID Name Description\r\nT1562.004\r\nImpair Defenses: Disable or\r\nModify System Firewall\r\nKryptoCibule uses advfirewall firewall add rule to\r\nallow its tools and block the ESET Kernel\r\nService.\r\nT1564.003\r\nHide 
Artifacts: Hidden\r\nWindow\r\nKryptoCibule hides process windows using the\r\nwindowstyle hidden option.\r\nDiscovery\r\nT1057 Process Discovery\r\nKryptoCibule uses\r\nSystem.Diagnostics.Process.GetProcesses to get a\r\nlist of running processes.\r\nT1082 System Information Discovery\r\nKryptoCibule obtains information about the host’s\r\ntimezone, locale, power status, OS and hardware.\r\nT1083 File and Directory Discovery\r\nKryptoCibule has a component that looks for files\r\non the local file system.\r\nT1518.001\r\nSoftware Discovery: Security\r\nSoftware Discovery\r\nKryptoCibule looks for antivirus software in the\r\nroot\\\\SecurityCenter2 → AntivirusProduct\r\nManagementObject.\r\nThe cryptominer component is not installed if it\r\ndetects an installed antivirus product.\r\nCollection\r\nT1005 Data from Local System\r\nKryptoCibule searches all attached drives for a list\r\nof filenames.\r\nT1119 Automated Collection\r\nKryptoCibule programmatically collects paths for\r\nfiles to be exfiltrated.\r\nCommand\r\nand Control\r\nT1071.001\r\nApplication Layer Protocol:\r\nWeb Protocols\r\nKryptoCibule uses HTTP for C\u0026C\r\ncommunication.\r\nT1071.002 File Transfer Protocols\r\nKryptoCibule downloads updates and additional\r\ntools via BitTorrent.\r\nT1090.003 Proxy: Multi-hop Proxy\r\nKryptoCibule bundles Tor and uses it as a SOCKS\r\nproxy to communicate with its C\u0026C.\r\nT1105 Ingress Tool Transfer\r\nKryptoCibule downloads additional tools using\r\nBitTorrent.\r\nT1568 Dynamic Resolution\r\nKryptoCibule gets additional onion URIs over\r\nHTTP.\r\nT1571 Non-Standard Port\r\nKryptoCibule uses port 9187 for its SFTP server, and\r\n9999 and 12461 for HTTP servers.\r\nExfiltration T1020 Automated Exfiltration Logs, file locations and system info are\r\nautomatically collected and sent to the\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 12 of 13\n\nTactic ID Name Description\r\nKryptoCibule 
C\u0026C.\r\nT1041 Exfiltration Over C2 Channel\r\nLogs, file locations and system info are sent via\r\nthe KryptoCibule HTTP C\u0026C channel.\r\nT1048\r\nExfiltration Over Alternative\r\nProtocol\r\nKryptoCibule exfiltrates files over SFTP.\r\nImpact T1496 Resource Hijacking\r\nKryptoCibule uses XMRig and Kawpowminer to\r\nmine cryptocurrency on victim systems.\r\nT1565\r\nData\r\nManipulation\r\nKryptoCibule replaces\r\ncryptocurrency wallet\r\naddresses in the clipboard in\r\nan attempt to hijack transfers.\r\nSource: https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nhttps://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/"
	],
	"report_names": [
		"kryptocibule-multitasking-multicurrency-cryptostealer"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434116,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efe3eec42a4e6164e29c45ba09be68d39af0835e.pdf",
		"text": "https://archive.orkl.eu/efe3eec42a4e6164e29c45ba09be68d39af0835e.txt",
		"img": "https://archive.orkl.eu/efe3eec42a4e6164e29c45ba09be68d39af0835e.jpg"
	}
}