{
	"id": "47a78406-387e-4e22-b476-d1e1e8cbc035",
	"created_at": "2026-04-06T00:12:14.780531Z",
	"updated_at": "2026-04-10T03:34:54.782175Z",
	"deleted_at": null,
	"sha1_hash": "f082fa77a337e3c1b0e324ab6f0d05e812e26946",
	"title": "Vendetta-new-threat-actor-from-Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3670358,
	"plain_text": "Vendetta-new-threat-actor-from-Europe\r\nPublished: 2020-05-14 · Archived: 2026-04-05 22:24:42 UTC\r\nStarting in April this year, 360 Baize Lab intercepted a large number of attack samples from an unknown hacker organization. The organization sends phishing emails to victims by forging police station investigation letters, COVID-19 test notices, etc., then uses a backdoor virus to control the victim’s machine and steal valuable sensitive data related to the target.\r\nThe PDB path of the virus samples used by the organization points to a user named “Vendetta”, and we will hereafter also name the hacker organization Vendetta:\r\n“C:\\Users\\Vendetta\\source\\repos\\{project name}\\*\\obj\\Debug\\{project name}.pdb”\r\nIn some samples, we have repeatedly detected the following tags, in which the virus author claims that he is from Italy:\r\nHowever, we found in the naming of virus samples that the virus authors like to use certain Turkish names for variables, such as “RoboSki”, so we suspect that the organization originated in Europe:\r\nVendetta is a hacker organization that is very good at using social engineering. They forge phishing emails very realistically, easily gain users’ trust, and guide users to open the malicious programs the emails carry.\r\nThe picture below is a Vendetta forgery of an investigation letter issued by the Austrian Federal Ministry of the Interior (BMI)\r\nhttps://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/\r\nPage 1 of 13\r\nForged investigation letter from the Romanian police station:\r\nForged COVID-19 virus test email issued by the Australian Government Department of Health. The email stated that the victim had contact with a confirmed case within the past 14 days. It is recommended to read the test guide in the attachment and accept the test:\r\nForged a virus test email issued by the Mexican health department:\r\nAs well as the forged email quoting the Egyptian Orascom Group:\r\nThe compressed file in the email attachment contains the Trojan file, which is generally named after pdf.exe, Document.exe, etc. After running, it decrypts and loads the subsequent virus module in memory.\r\nRoboSki\r\nIn all samples, we detected the same type of code obfuscator, and according to its PDB debugging path, we named it RoboSki:\r\nRoboSki encrypts and stores the shellcode in the pixels of the picture. The following figure is the code logic to extract the available pixel data and decrypt the shellcode:\r\nReZer0\r\nThe execution logic of ReZer0 is controlled by hard-coded built-in instructions. According to different instructions, different malicious functions are executed. Its design logic resembles the design method of backdoor programs:\r\nWe have sorted out the hard-coded instructions and their corresponding meanings, most of which are not used:\r\nHardcode[x] Description\r\n0 [0] == 4: load the plugin from the resource into memory; [0] != 4: inject the plugin in the resource into the system process to execute\r\n1 Whether to register scheduled tasks\r\n4 Download and execute any file\r\n5 Download file URL\r\n6 The execution path of the downloaded file\r\n7 Whether to detect the virtual machine\r\n8 Whether to detect sandbox\r\n9 Bypass antivirus software\r\n29 Show file version\r\n34 Sleep()\r\n35 Sleep duration\r\nIn the 360 massive data, we found that ReZer0 has an obvious version identification. In conjunction with the large number of instructions mentioned above, we speculate that the software is still in the development stage, and it cannot be ruled out that the program will be controlled through network communication in the future:\r\nIn addition to the nature of the backdoor virus, ReZer0 also carries known remote control Trojans such as NanoCore and Remcos in its resources. We will not repeat the remote control functions of NanoCore and similar tools here. We take some of the victims of Vendetta as an example to speculate on the purpose of their actions.\r\nPassion Fruit Company of Australia (PAI) is a representative institution and a non-profit membership organization that supports the passion fruit industry in Australia. PAI is an umbrella organization that represents and enhances the interests of everyone in the passion fruit industry, including growers, packers, wholesalers, exporters, researchers, and retail stores.\r\nOf course, Vendetta’s attack targets are not only the PAI family. We have roughly described the distribution of Vendetta’s attack targets from the statistical distribution of related samples, and its attack purpose is to steal related commercial information.\r\nSummary\r\nVendetta is an active hacking organization that started in April 2020. The organization may have originated in Europe. It is good at using social engineering to launch cyber attacks. The purpose of the attack is to steal targeted business intelligence.\r\nC2:\r\n172.111.188.199:8829\r\nMd5:\r\nSource: https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/"
	],
	"report_names": [
		"vendetta-new-threat-actor-from-europe"
	],
	"threat_actors": [
		{
			"id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c",
			"created_at": "2022-10-25T16:07:24.373716Z",
			"updated_at": "2026-04-10T02:00:04.963615Z",
			"deleted_at": null,
			"main_name": "Vendetta",
			"aliases": [
				"TA2719"
			],
			"source_name": "ETDA:Vendetta",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"ReZer0",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"RoboSki",
				"Socmer",
				"Zurten"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f082fa77a337e3c1b0e324ab6f0d05e812e26946.pdf",
		"text": "https://archive.orkl.eu/f082fa77a337e3c1b0e324ab6f0d05e812e26946.txt",
		"img": "https://archive.orkl.eu/f082fa77a337e3c1b0e324ab6f0d05e812e26946.jpg"
	}
}