{
	"id": "be53729f-4f83-4f3f-b139-b991285f0367",
	"created_at": "2026-04-06T01:31:13.342856Z",
	"updated_at": "2026-04-10T13:12:54.825888Z",
	"deleted_at": null,
	"sha1_hash": "f52328658aaa2ae927a9d84a47ebdae3ebe9591b",
	"title": "Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3804733,
	"plain_text": "Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem\r\nArchived: 2026-04-06 00:07:40 UTC\r\nExecutive Summary\r\nhttps://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem\r\nPage 1 of 67\r\nBeazley Security and SentinelLabs discovered and analyzed a rapidly evolving series of infostealer campaigns delivering the Python-based PXA Stealer.\r\nThis discovery showcases a leap in tradecraft, incorporating more nuanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline that frustrates triage and attempts to delay detection.\r\nWe identified more than 4,000 unique victim IP addresses in exfiltrated logs, with infected systems spanning at least 62 countries, most notably South Korea, the United States, the Netherlands, Hungary, and Austria.\r\nThe stolen data includes over 200,000 unique passwords, hundreds of credit card records, and more than 4 million harvested browser cookies, giving actors ample access to victims’ accounts and financial lives.\r\nThe threat actors behind these campaigns are linked to Vietnamese-speaking cybercriminal circles who monetize the stolen data through a subscription-based underground ecosystem that efficiently automates resale and reuse through the Telegram platform’s API.\r\nOverview\r\nIn close partnership, Beazley Security and SentinelLabs have uncovered a large-scale, ongoing 
infostealer campaign built around the Python-based PXA Stealer. Initially surfacing in late 2024, this threat has since matured into a highly evasive, multi-stage operation driven by Vietnamese-speaking actors with apparent ties to an organized cybercriminal Telegram-based marketplace that sells stolen victim data.\r\nThroughout 2025, these actors have continuously refined their delivery mechanisms and evasion strategies. Most notably, they’ve adopted novel sideloading techniques involving legitimate signed software (such as Haihaisoft PDF Reader and Microsoft Word 2013), concealed malicious DLLs, and embedded archives disguised as common file types. These campaigns use elaborate staging layers that obscure their purpose and delay detection by endpoint tools and human analysts alike.\r\nThe final payload, PXA Stealer, exfiltrates a broad spectrum of high-value data (which includes passwords, browser autofill data, cryptocurrency wallet and FinTech app data, and more) to Telegram channels via automated bot networks. Our telemetry and analysis uncovered over 4,000 unique victims across more than 60 countries, suggesting a widespread and financially motivated operation that feeds into criminal platforms such as Sherlock. This data is then monetized and sold to downstream cybercriminals, enabling actors who engage in cryptocurrency theft or buy access to infiltrate organizations for other purposes.\r\nThis campaign exemplifies a growing trend in which legitimate infrastructure (e.g., Telegram, Cloudflare Workers, Dropbox) is weaponized at scale to both execute and monetize information theft, while simultaneously reducing the cost and technical overhead for attackers. 
As stealer campaigns become increasingly automated and supply-chain integrated, defenders must adjust to an adversary landscape defined not just by malware, but by infrastructure, automation, and real-time monetization.\r\nBeazley Security would like to extend sincere thanks to our partners at SentinelOne for their instrumental collaboration and exceptional reverse engineering support during this investigation.\r\nBackground and Haihaisoft Sideloading\r\nThis cluster of PXA Stealer activity has been ongoing and active since late 2024, with some BotIDs being created as early as October 2024. The general delivery mechanisms and TTPs have not changed. However, the actors behind this cluster have continually pivoted to new sideloading mechanisms, along with updated Telegram C2 infrastructure.\r\nDuring a wave of attacks occurring in April 2025, users were phished or otherwise lured into downloading a compressed archive containing a signed copy of the Haihaisoft PDF Reader freeware application along with the malicious DLL to be sideloaded. This component of the attack is responsible for establishing persistence on the target host via the Windows Registry, and for retrieving additional malicious components, including Windows executable payloads hosted remotely on Dropbox. Various infostealers were delivered in this initial campaign, including LummaC2 and Rhadamanthys Stealer.\r\nIt was during this first wave that we also observed a change in TTPs: the threat actors shifted to updated Python-based payloads instead of Windows executables.\r\nAttacks leveraging the updated Python-based payloads are initiated in the same manner: delivery of a large archive containing the signed copy of Haihaisoft PDF Reader, alongside the malicious DLL to be loaded.\r\nUpon execution, the malicious DLL creates a .CMD script, Evidence.cmd, in the current directory, which orchestrates all subsequent steps in the attack chain. 
The .CMD script uses certutil to decode an encrypted RAR archive embedded inside a malformed PDF:\r\ncertutil -decode Documents.pdf LX8bzeZTzF5XSONpDC.rar\r\nThe script also causes the Edge browser to open Documents.pdf, which results in an error message because the file is not a valid PDF. Subsequently, the packaged WinRAR utility, masquerading as images.png, extracts the embedded RAR archive using decoded command lines. This process took several minutes and caused sandbox analysis to time out in several cases, which led to false negative results.\r\nThe extraction yields several Python dependencies, including a legitimate Python 3.10 interpreter renamed svchost.exe and a malicious Python script named Photos, which are then executed. This step also sets a Registry Run key so that the payload runs each time the computer starts:\r\nreg add \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"Windows Update Service\" /t REG_SZ /d \"cmd.exe /c start \\\"\\\" \\\"C:\\Users\\Public\\LX8bzeZTzF5XSONpDC\\svchost.exe\\\" C:\\Users\\Public\\LX8bzeZTzF5XSONpDC\\Photos\" /f\r\nEvolved Infection Chain\r\nIn July 2025, Beazley Security MDR identified new activity that closely mirrored the infection chain and TTPs observed in the previous campaigns, but with several notable evolutions reflecting heightened operational maturity and ongoing innovation by the threat actors.\r\nThe large archive attached to the phishing lure contained:\r\nA legitimate, signed Microsoft Word 2013 executable\r\nA malicious DLL, msvcr100.dll, that is sideloaded by the Microsoft Word 2013 
executable\r\nAdditional files and later-stage payloads within a supporting directory named \"_\".\r\nWhile similar to the April campaign, the July wave introduces more sophisticated file naming to increase evasion and opens non-malicious decoy documents to ensure the user remains unsuspecting.\r\nThe Microsoft Word 2013 binary is renamed to appear to the user as a Word document:\r\nFigure 1 - Screenshot of renamed Word 2013 executable to lure the user\r\nThe other files extracted from the archive are hidden from the user in Windows Explorer but shown below:\r\nFigure 2 - Extracted contents of the archive, including hidden files\r\nWhen the victim opens the Word executable, Windows loads the malicious msvcr100.dll because the DLL search order checks the application’s own directory before the system directories (msvcr100.dll is not a KnownDLL, so the copy next to the executable wins). The sideloaded DLL then launches a hidden instance of Command Prompt and begins a multi-stage chain of activity:\r\nFigure 3 - Overview of the infection chain\r\nFirst, Word launches a benign decoy document named Tax-Invoice-EV.docx, which displays a fake copyright infringement notice to the victim. We believe this document doubles as an anti-analysis feature by introducing a non-malicious file into the attack chain, which potentially wastes security analysts’ time. 
The document lacks macros or other scriptable objects.\r\nFigure 4 - Screenshot of the non-malicious decoy document\r\nNext, as in the previous activity, certutil is used to decode a file from the \"_\" folder (itself deceptively named with a PDF extension, Document.pdf in this case) into a new encrypted ZIP archive, Invoice.pdf, that likewise carries a PDF extension:\r\ncertutil -decode Document.pdf Invoice.pdf\r\nThen a legitimate WinRAR executable, also hosted in the \"_\" folder and renamed images.png, is used to unpack the archive into C:\\Users\\Public:\r\nimages.png x -ibck -y -poX3ff7b6Bfi76keXy3xmSWnX0uqsFYur Invoice.pdf C:\\Users\\Public\r\nThe second archive contains a portable Windows Python interpreter, several Python libraries, and a malicious Python script. The Python interpreter is renamed to svchost.exe and launches a heavily obfuscated Python script, again disguised as images.png, followed by the $BOT_ID argument:\r\nstart C:\\Users\\Public\\Windows\\svchost.exe C:\\Users\\Public\\Windows\\Lib\\images.png\r\nPayload Analysis\r\nThe final payload is an updated version of PXA Stealer. PXA Stealer is a Python-based infostealer which first emerged in 2024. PXA is primarily seen in Vietnamese-speaking threat actor circles. The malware targets sensitive information including credentials, financial data, browser data and cookies, and cryptocurrency wallet details. 
As detailed below, a wide variety of applications and data types within these categories are supported by PXA Stealer. PXA Stealer is capable of exfiltrating data via Telegram, as has been observed in prior campaigns.\r\nSimilar to prior campaigns, the newly observed PXA Stealer payloads are capable of identifying, packaging, and exfiltrating data from an extensive list of applications and interfaces on infected systems. Exfiltration continues to be handled via Telegram, with specific Telegram Bot IDs and Tokens identified as tied to these more recent campaigns.\r\nThe new variant of PXA Stealer will enumerate Chromium/Gecko browsers and decrypt any saved passwords, cookies, stored personally identifiable information (PII), autofill data, and authentication tokens. The infostealer will also attempt to inject a DLL into running instances of browsers such as Chrome, targeting Chrome’s App-Bound Encryption key to defeat the browser’s internal encryption scheme. The DLL injected during the July campaign targets the MSEdge, Chrome, Whale, and CocCoc browsers.\r\nFigure 5 - Browsers targeted by the injected DLL from the July campaign\r\nThe infostealer also grabs files from dozens of desktop cryptocurrency wallets, VPN clients, cloud CLI utilities, and connected file shares, as well as applications such as Discord, and much more.\r\nThe collected data is packaged into ZIP archives and then exfiltrated to a specific Telegram bot via Cloudflare Worker relays. There are also conditions under which the malware will reach out to external sources for additional Python payloads, such as 0x0[.]st, a Pastebin-like temporary file hosting resource. 
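The delivery chain described above (certutil decoding a base64 blob that wears a .pdf extension, a WinRAR binary renamed images.png, a Python interpreter renamed svchost.exe under C:\Users\Public\Windows, an HKCU Run key pointing into that folder, and the upload to a Cloudflare Workers relay) leaves a distinctive trail in endpoint telemetry. What follows is an added example of detection logic for that trail, written for this page and not taken from the article or from Beazley Security / SentinelLabs. The event schema (type, image, cmdline, key, value, data, host, method) is an assumption modelled on Sysmon-style process, image-load, registry and network records, and the sample events, including the benign controls, are constructed for the example.

```python
"""Detection logic for the PXA Stealer delivery chain (added example, not the article's code).

Events are constructed to resemble Sysmon-style process, image-load, registry and
network telemetry; the field names (type, image, cmdline, key, value, data, host,
method) are assumptions for this example.
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"[a-z]:\\(users|programdata|windows\\temp)\\", re.I)


def sideloaded_runtime_dll(e: Event) -> bool:
    # msvcr100.dll loaded from a user-writable directory (the signed Word 2013 sideload)
    if e.get("type") != "imageload":
        return False
    dll = e["image"].lower()
    return dll.endswith("\\msvcr100.dll") and USER_WRITABLE.search(dll) is not None


def certutil_decode_disguised_blob(e: Event) -> bool:
    # certutil -decode <blob>.pdf <archive>: a base64 blob wearing a document extension
    if e.get("type") != "process" or not e["image"].lower().endswith("\\certutil.exe"):
        return False
    m = re.search(r"-decode\s+(\S+)\s+(\S+)", e["cmdline"], re.I)
    return m is not None and m.group(1).lower().endswith((".pdf", ".png", ".jpg", ".txt"))


def renamed_winrar_extract(e: Event) -> bool:
    # A file with a non-executable extension running WinRAR's CLI verbs:
    #   images.png x -ibck -y -p<password> Invoice.pdf C:\Users\Public
    if e.get("type") != "process":
        return False
    fake_ext = e["image"].lower().endswith((".png", ".jpg", ".pdf", ".txt"))
    return fake_ext and re.search(r"\bx\s+-ibck\b.*\s-p\S+", e["cmdline"]) is not None


def svchost_outside_system32(e: Event) -> bool:
    # svchost.exe that is really a renamed Python interpreter under C:\Users\Public\Windows
    if e.get("type") != "process":
        return False
    img = e["image"].lower()
    return img.endswith("\\svchost.exe") and not img.startswith(SYSTEM_DIRS)


def run_key_into_user_writable_path(e: Event) -> bool:
    # HKCU Run value whose command references a user-writable location
    if e.get("type") != "registry" or "\\currentversion\\run" not in e["key"].lower():
        return False
    return USER_WRITABLE.search(e["data"]) is not None


def workers_dev_post_from_fake_svchost(e: Event) -> bool:
    # Exfil relay: HTTP POST to *.workers.dev issued by the fake svchost.exe
    if e.get("type") != "network" or e.get("method") != "POST":
        return False
    img = e.get("image", "").lower()
    return (e["host"].lower().endswith(".workers.dev")
            and img.endswith("\\svchost.exe") and not img.startswith(SYSTEM_DIRS))


RULES: Dict[str, Callable[[Event], bool]] = {
    f.__name__: f for f in (sideloaded_runtime_dll, certutil_decode_disguised_blob,
                            renamed_winrar_extract, svchost_outside_system32,
                            run_key_into_user_writable_path,
                            workers_dev_post_from_fake_svchost)
}


def triage(events: List[Event]) -> Dict[str, List[int]]:
    """Map each rule that fired to the indices of the events that triggered it."""
    hits: Dict[str, List[int]] = {}
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(i)
    return hits


# Constructed telemetry mirroring the July 2025 chain (indices 0-5), then benign controls.
SAMPLE_EVENTS: List[Event] = [
    {"type": "imageload", "image": r"C:\Users\victim\Downloads\Invoice\msvcr100.dll"},
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -decode Document.pdf Invoice.pdf"},
    {"type": "process", "image": r"C:\Users\victim\Downloads\Invoice\_\images.png",
     "cmdline": r"images.png x -ibck -y -poX3ff7b6Bfi76keXy3xmSWnX0uqsFYur Invoice.pdf C:\Users\Public"},
    {"type": "process", "image": r"C:\Users\Public\Windows\svchost.exe",
     "cmdline": r"C:\Users\Public\Windows\svchost.exe C:\Users\Public\Windows\Lib\images.png"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Windows Update Service",
     "data": r'cmd.exe /c start "" "C:\Users\Public\LX8bzeZTzF5XSONpDC\svchost.exe" C:\Users\Public\LX8bzeZTzF5XSONpDC\Photos'},
    {"type": "network", "image": r"C:\Users\Public\Windows\svchost.exe", "method": "POST",
     "host": "lp2tpju9yrz2fklj.lone-none-1807.workers.dev"},
    {"type": "imageload", "image": r"C:\Windows\System32\msvcr100.dll"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "method": "GET", "host": "example.workers.dev"},
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

Each rule is tunable noise on its own (developers run certutil, and some legitimate software keeps Run keys under AppData), so triage() returns per-rule event indices rather than a verdict; the signal in this campaign is several of these firing on the same host within minutes, in the order the chain executes.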
Other analyzed PXA Stealer payloads support stealing data from the following browsers:\r\n360Browser, 360 Extreme Browser, Aloha, Amigo, Arc, Avast, AVG, Brave, Brave Nightly, CCleaner, Cent, Chedot, Chrome, Chromium, CocCoc, CryptoTab, Dragon, Edge, Epic, Ghost, Iridium, Liebao, Liebao AI, Maxthon, Naver, Opera, Opera Crypto, Opera GX, QQBrowser, Sidekick, Slimjet, Sogou, Speed360, SRWare, Thorium, UR Browser, Vivaldi, Wavebox, Yandex\r\nThe malware targets the following list of cryptocurrency wallet related browser extensions:\r\nAmbire, Aptos Wallet, Argent X, Atomic Wallet, Backpack Wallet, Bitapp, Bitget Wallet, Bitski Wallet, Cosmostation Wallet, Crocobit, Crypto.com, Edge Wallet, Equal, ExodusWeb3, Frame, Keystone Wallet, Leather Bitcoin Wallet, Ledger Live, Leo Wallet, Magic Eden Wallet, MathWallet, MyTonWallet, OpenMask Wallet, Portal DEX Wallet, Pulse Wallet Chromium, Quai Wallet, SafePal Wallet, Station Wallet, Sui Wallet, Talisman Wallet, Tonkeeper Wallet, TON Wallet, Uniswap Extension, Wallet Guard, Zeal, Zeeve Wallet, Zerion\r\nUser databases and configuration files for the following applications are targeted, many of which house sensitive data or cryptocurrency assets:\r\nArmory, Atomic, Azure, Binance, Bitcoin Core, Blockstream Green, bytecoin, Chia Wallet, Coinomi, Daedalus Mainnet, DashCorewallets, Dogecoin, Electron Cash, Electrum, ElectrumLTC, Ethereum, Exodus, FileZilla, Guarda Desktop, Jaxx Desktop, KeePass, Komodo Wallet, Ledger Live, Litecoinwallets, Monero, MultiDoge, MyMonero, OpenVPN, ProtonVPN, Raven Core, Telegram, Wasabi Wallet, Zcash\r\nThe infostealer is also capable of targeting website-specific data. 
The malware includes the following list of sites, for which the stealer will attempt to discover and collect credentials, cookies and session tokens. The targeted sites are primarily financial, such as FinTech services or cryptocurrency exchanges:\r\nads.google.com, adsmanager.facebook.com, binance.com, bingx.com, bitfinex.com, bitget.com, bitgo.com, bitmart.com, bitunix.com, business.facebook.com, bybit.com, coinbase.com, coinomi.co.nl, coinone.co.kr, coinplug.ng, crypto.com, electrum.org, exodus.com, gate.com, gemini.com, gopax.co.kr, htx.com, huobi.com, hyperliquid.xyz, korbit.co.kr, kraken.com, kucoin.com, lbank.com, mexc.com, nami.exchange, okx.com, paypal.com, probit.com, upbit.com, whitebit.com, xt.com\r\nThe specific Telegram Bot Token and associated Chat ID identified in the samples from July are:\r\nTelegram Bot Token: 7414494371:AAHsrQDkPrEVyz9z0RoiRS5fJKI-ihKJpzQ\r\nTelegram Chat ID: -1002698513801\r\nData is exfiltrated to Telegram through Cloudflare Workers relays. The specific Cloudflare Workers hostname is:\r\nlp2tpju9yrz2fklj.lone-none-1807.workers[.]dev\r\nWe reported this abuse of Cloudflare Workers to Cloudflare, and we thank their team for taking immediate action to disrupt this malicious infrastructure.\r\nEach of the final PXA Stealer payloads corresponds to a Telegram Bot Token and ChatID combination. Each variant we analyzed is associated with the same Telegram Bot Token (7414494371:AAHsrQDkPrEVyz9z0RoiRS5fJKI-ihKJpzQ), although the ChatIDs vary. Additionally, there can be multiple ChatIDs, each corresponding to a Telegram channel, tied to each payload. Each bot is tied to as many as 3 Telegram channels. 
One channel, typically denoted with the New Logs string, receives exfiltrated data contained in zip archives uploaded from victims’ machines, along with log/ledger style data for each victim’s exfiltrated data set. Specific entries also indicate the victim’s geographic location, IP address and other contextual data.\r\nPXA Stealer log entries show counts for the types of data within:\r\nCK:2868|PW:482|AF:606|CC:0|FB:1|Sites:4|Wallets:0|Apps:1\r\nThe stealer data types include:\r\nCK = Cookies\r\nPW = Passwords\r\nAF = AutoFill data\r\nCC = Credit Card data\r\nFB = Facebook Cookies\r\nTK = Authentication Tokens\r\nSites = Domains / site-specific data\r\nWallets = Crypto wallet data\r\nApps = Application-specific data (e.g. private messenger chat history and keys)\r\nFigure 6 - Exfiltrated Victim Data from 
MRB_NEW_VER_BOT via PXA Stealer\r\nEach bot also has an associated ‘Reset’ and ‘Notifications’ channel. The ‘Notification’ channels appear to allow operators to automate their communications process when new victim logs are uploaded or otherwise obtained. The ‘Reset’ channels appear to be used in a similar manner to the ‘New Logs’ channels, storing newly exfiltrated victim data.\r\nWhile all analyzed variants share the same Bot Token ID, we have observed multiple ChatIDs across the New Log/Reset/Notification combinations across this stealer’s ecosystem. The observed Bots-to-ID sets (bot, followed by its channels) include:\r\nTelegram BotID 7414494371:AAHsrQDkPrEVyz9z0RoiRS5fJKI-ihKJpzQ\r\nJames_New_Ver_bot (yd2sV / James): James - New Logs; James - New Logs Notification; James - Reset Logs\r\nDA_NEW_VER_BOT (qDTxA / DUC ANH): New Logs - Đức Anh; Reset Logs - Đức Anh\r\nMRB_NEW_VER_BOT (Plk1y / 
MRB_NEW): New Logs; Reset Logs; Notify\r\nJND_NEW_VER_BOT (5DJ0P / JND): JND - New Logs; JND - Reset Logs\r\nADN_2_NEW_VER_BOT (oaCzj / ADN 2 / Adonis): Adonis - New Logs; Adonis - Reset Logs; New Log Notification\r\nThe encompassing Telegram ID is connected to a Bot that has the following properties:\r\nUsername: “Logs_Data_bot”\r\nFirstname: \\u0412\\u0418\\u0414\\u0415\\u041e \\u0421 \\u041b\\u0410\\u0419\\u041a\\u0410\r\nLastname: (null)\r\nThe firstname field on this bot decodes to the Cyrillic string “ВИДЕО С ЛАЙКА”, most plausibly “video from a like” (лайка being the genitive of the loanword лайк, “like”), though the significance of this string is unclear. 
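The count string above and the per-victim ledger entries in the New Logs and Reset Logs channels are what allow victim counts to be derived from exfiltrated logs. The block below is an added example, not code from the article or from the researchers, of parsing such ledger data: it reads the CK:..|PW:.. count string shown above together with the [CC_IPADDRESS]_HOSTNAME.zip archive naming convention the article documents in its attribution section, deduplicates victims by IP address (the basis of the article's unique-victim figure), and aggregates per country and per data type. The tab-separated archive<TAB>counts line layout and the sample ledger are constructed for this example; its IPs are documentation ranges and its hostnames are invented.

```python
"""Parse PXA Stealer ledger entries into victim statistics (added example, not the article's code).

The count string (CK:..|PW:..|...) and the archive naming convention
[CC_IPADDRESS]_HOSTNAME.zip come from the article; the tab-separated
"archive<TAB>counts" line layout and SAMPLE_LEDGER are constructed here.
"""
import re
from collections import Counter
from typing import Dict, Optional

# Both spellings in the article ([CC_IP]_HOST.zip and [CC_IP]HOST.zip); IPs may be defanged as 1.2.3[.]4
ARCHIVE_RE = re.compile(r"^\[(?P<cc>[A-Z]{2})_(?P<ip>[0-9.\[\]]+)\]_?(?P<host>.+?)\.zip$")
COUNT_FIELD_RE = re.compile(r"^[A-Za-z]+:\d+$")
TYPE_NAMES = {"CK": "cookies", "PW": "passwords", "AF": "autofill", "CC": "credit cards",
              "FB": "facebook cookies", "TK": "auth tokens", "Sites": "site data",
              "Wallets": "wallets", "Apps": "app data"}


def parse_archive_name(name: str) -> Optional[Dict[str, str]]:
    """[KR_203.0.113.10]_DESKTOP-K1A2B3.zip -> {'cc': 'KR', 'ip': '203.0.113.10', 'host': 'DESKTOP-K1A2B3'}"""
    m = ARCHIVE_RE.match(name.strip())
    if not m:
        return None
    ip = m.group("ip").replace("[.]", ".")          # refang
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return {"cc": m.group("cc"), "ip": ip, "host": m.group("host")}


def parse_counts(field: str) -> Optional[Dict[str, int]]:
    """CK:2868|PW:482|... -> {'CK': 2868, 'PW': 482, ...}; None if any field is malformed."""
    parts = field.strip().split("|")
    if not all(COUNT_FIELD_RE.match(p) for p in parts):
        return None
    return {k: int(v) for k, v in (p.split(":") for p in parts)}


def summarize(ledger: str) -> Dict[str, object]:
    """Unique victims by IP, countries hit, and per-type totals over first-seen entries."""
    seen_ips = set()
    per_country: Counter = Counter()
    totals: Counter = Counter()
    duplicates = skipped = 0
    for line in ledger.splitlines():
        if not line.strip():
            continue
        archive, sep, counts_field = line.partition("\t")
        victim = parse_archive_name(archive) if sep else None
        counts = parse_counts(counts_field) if victim else None
        if victim is None or counts is None:
            skipped += 1
            continue
        if victim["ip"] in seen_ips:          # re-uploads / Reset Logs copies of the same host
            duplicates += 1
            continue
        seen_ips.add(victim["ip"])
        per_country[victim["cc"]] += 1
        totals.update(counts)
    return {"unique_victims": len(seen_ips), "countries": len(per_country),
            "per_country": dict(per_country), "totals": dict(totals),
            "duplicates": duplicates, "skipped": skipped}


# Constructed ledger (documentation IP ranges, invented hostnames): the third line
# repeats the first victim, and the last line is junk that must be skipped.
SAMPLE_LEDGER = """\
[KR_203.0.113.10]_DESKTOP-K1A2B3.zip\tCK:2868|PW:482|AF:606|CC:0|FB:1|Sites:4|Wallets:0|Apps:1
[US_198.51.100.7]_WIN-SALES02.zip\tCK:1201|PW:77|AF:95|CC:2|FB:0|Sites:1|Wallets:1|Apps:0
[KR_203.0.113.10]_DESKTOP-K1A2B3.zip\tCK:2870|PW:482|AF:606|CC:0|FB:1|Sites:4|Wallets:0|Apps:1
[NL_192.0.2.55]LAPTOP-J9.zip\tCK:540|PW:12|AF:30|CC:0|FB:0|Sites:0|Wallets:0|Apps:0
[IL_203.0.113[.]200]_DESKTOP-X7.zip\tCK:99|PW:3|AF:4|CC:0|FB:0|Sites:0|Wallets:2|Apps:1
not a ledger entry
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LEDGER)
    print(f"{s['unique_victims']} unique victims in {s['countries']} countries: {s['per_country']}")
    for code, n in sorted(s["totals"].items(), key=lambda kv: -kv[1]):
        print(f"  {TYPE_NAMES.get(code, code):>16}: {n}")
```

The totals are sums of per-victim counts over first-seen entries, so they are an upper bound on distinct credentials (the same password saved in two browsers is counted twice); deduplicating by IP also undercounts victims behind shared NAT, which is why the article phrases its figure as unique IP addresses.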
\r\nTelegram Abuse and Attribution\r\nThe later-stage dropper component is responsible for parsing target URLs from a string gathered from a prescribed Telegram ChatID. This string is then combined with the base URL for either paste[.]rs or 0x0[.]st to retrieve the next batch of obfuscated Python code.\r\nMultiple identifiers were observed across the multitude of analyzed samples. The most prominent we observed are:\r\nADN_2_NEW_VER_BOT\r\nDA_NEW_VER_BOT\r\nJAMES_NEW_VER_BOT\r\nJND_NEW_VER_BOT\r\nMR_P_NEW_VER_BOT\r\nMR_Q_NEW_VER_BOT\r\nKBL_NEW_VER_BOT\r\nMRB_NEW_VER_BOT\r\nThese identifiers are visible within the commands launched by the sideloaded DLL described above.\r\nEach of these _NEW_VER_BOT identifiers corresponds to a Telegram User ID. 
The profile names resemble a bot, but they are actually user accounts:\r\nFigure 7 - Bio and Info fields from Telegram profiles masquerading as bots\r\nWhen retrieving files, the corresponding strings are concatenated with the hxxps://paste[.]rs or hxxps://0x0[.]st prefix, which constructs the full download URL hosting another payload.\r\nFigure 8 - Obfuscated Python code hosted on paste[.]rs\r\nOnce downloaded, the obfuscated Python code is decoded and executed, delivering the infostealer component of the attack.\r\nThe Telegram ChatID associated with the infostealer component of this attack is “@Lonenone”. The “Lonenone” theme is also present in the Cloudflare Worker hostname lp2tpju9yrz2fklj[.]lone-none-1807[.]workers[.]dev. The profile display name contains an emoji of the Vietnam flag.\r\nFigure 9 - Lone None Telegram ChatID\r\nFigure 10 - Reference to LoneNone TG channel in decoded (July) infostealer\r\nThis Telegram ChatID/account is associated with the same threat actor using PXA Stealer as previously described by Cisco Talos. It is worth noting that there are a number of other Vietnamese-language artifacts present in these stages of the malware. For example, the aforementioned Telegram Bot IDs use 'Duc Anh', i.e. “Đức Anh”, as a display name; this is a common Vietnamese given name (anh on its own is the word for “older brother”).\r\nPXA Stealer uses the BotIDs (stored as TOKEN_BOT) to establish the link between the main bot and the various ChatIDs (stored as CHAT_ID). 
The ChatIDs are Telegram channels with various properties, but they primarily serve to host exfiltrated data and provide updates and notifications to the operators.\r\nPXA Stealer transmits data via HTTP POST requests to the Telegram API. Everything is handled over HTTPS, so there is no visible Telegram process or self-contained client producing the traffic. This is one of PXA Stealer’s methods of hiding exfiltration traffic from analysis or detection.\r\nPrior to transferring the exfiltrated data, the stealer packages the staged data into an archive using the following naming convention, where CC is the country code:\r\n[CC_IPADDRESS]_HOSTNAME.zip\r\n(ex: [RU_123.45.67[.]89]DESKTOP-VICTIM.zip)\r\nThe main BotID (7414494371:AAHsrQDkPrEVyz9z0RoiRS5fJKI-ihKJpzQ) includes a reference to probiv[.]gg in the bot metadata:\r\n\":[{\"command\":\"start\",\"description\":\"probiv.gg \\u0437\\u0430\\u043f\\u043e\\u043c\\u043d\\u0438 \\ud83d\\udd25\"}\r\nThe description decodes to “probiv.gg запомни 🔥”, i.e. “probiv.gg, remember 🔥”.\r\nProbiv[.]gg\r\nFigure 11 - Telegram redirect on probiv[.]gg\r\nThe redirect leads to the Telegram landing page for SherLock1u_BOT, a provider of stolen data and of automated services to search for specific data types or sets.\r\nFigure 12 - SherLock1u_BOT\r\nWe also tracked activity from the bots since April indicating targeting of victims in South Korea. The following image shows details of exfiltrated data from one Korea-based victim by the MRB_NEW_VER_BOT ID.\r\nFigure 13 - South Korea victim data uploaded to Telegram via PXA Stealer\r\nVictimology\r\nOur analysis uncovered details around victimology for several active BotIDs associated with the ongoing PXA Stealer campaign. 
Some of these Bots have been active since at least October 2024, and they continue to receive data from infected hosts to date.\r\nFigure 14 - Adonis (ADN_2_NEW_VER_BOT) Victim records\r\nThe PXA Stealer logs contain victim IP addresses that indicate there are potentially more than 4,000 unique victims from 62 countries. The top targeted countries in the analyzed set are:\r\n1. Republic of Korea (KR)\r\n2. United States (US)\r\n3. Netherlands (NL)\r\n4. Hungary (HU)\r\n5. Austria (AT)\r\nSome bots appear to favor specific locations; for example, Adonis (ADN_2_NEW_VER_BOT) most heavily targets hosts in Israel and Taiwan, followed by KR and US.\r\nConclusion\r\nThe evolving tradecraft in these recent campaigns demonstrates that these adversaries have meticulously refined their deployment chains, making them increasingly challenging to detect and analyze. The July 2025 attack chain in particular illustrates a highly tailored approach engineered to bypass traditional antivirus solutions, delay execution in sandboxes, and mislead SOC analysts who review process trees or EDR data by using byzantine delivery and installation methods.\r\nThis campaign’s medley of legitimate applications and non-malicious decoy documents is designed to mislead users and SOC analysts alike. The actors reinforce this facade by naming a user-space folder to mimic the system directory Windows and disguising a Python interpreter as svchost.exe to blend into typical system activity. 
In parallel, they use files with familiar extensions, such as PNG and PDF, to conceal embedded WinRAR executables and ZIP archives, layering their evasion techniques to mislead users, investigators, and traditional detection technologies.\r\nPXA Stealer, and the threat actors behind it, continue to feed the greater infostealer ecosystem. It is also important to note that PXA, along with similar stealers like Redline, Lumma, and Vidar, each produce data that can be neatly ingested into data monetization ecosystems. Sales-oriented services like Sherlock, as well as Daisy Cloud and Moon Cloud, take data harvested by these stealers directly from the bots. The more mature services then normalize the sets of exfiltrated data to make them ‘sales-ready’. The use of legitimate Telegram infrastructure is driven by the desire to automate exfiltration and streamline the sales process, which enables actors to deliver data more efficiently to downstream criminals. 
The developer-friendly nature of Telegram, combined with the company’s laissez-faire attitude towards cybercrime, underscores the crucial role that Telegram plays in the holistic cybercriminal ecosystem.\r\nIndicators of Compromise\r\nSHA-1 Hashes\r\n05a8e10251a29faf31d7da5b9adec4be90816238 First-Stage Dropper (archive)\r\n06fcb4adf8ca6201fc9e3ec72d53ca627e6d9532 First-Stage Dropper (archive)\r\n0c472b96ecc1353fc9259e1b8750cdfe0b957e4f First-Stage Dropper (archive)\r\n1594331d444d1a1562cd955aefff33a0ee838ac9 First-Stage Dropper (archive)\r\n1783af05e7cd52bbb16f714e878bfa9ad02b6388 First-Stage Dropper (archive)\r\n185d10800458ab855599695cd85d06e630f7323d First-Stage Dropper (archive)\r\n23c61ad383c54b82922818edcc0728e9ef6c984d First-Stage Dropper (archive)\r\n345c59394303bb5daf1d97e0dda894ad065fedf6 First-Stage Dropper (archive)\r\n37e4039bd2135d3253328fea0f6ff1ca60ec4050 First-Stage Dropper (archive)\r\n3a20b574e12ffb8a55f1fb5dc91c91245a5195e8 First-Stage Dropper (archive)\r\n3e9198e9546fa73ef93946f272093092363eb3e2 First-Stage Dropper (archive)\r\n3f0071d64edd72d7d92571cf5e4a5e82720c5a9b First-Stage Dropper (archive)\r\n40795ca0880ea7418a45c66925c200edcddf939e First-Stage Dropper (archive)\r\n407df08aff048b7d05fd7636be3bc9baa699646d First-Stage Dropper (archive)\r\n44feb2d7d7eabf78a46e6cc6abdd281f993ab301 First-Stage Dropper (archive)\r\n4528215707a923404e3ca7667b656ae50cef54ef First-Stage Dropper 
(archive)\r\n4607f6c04f0c4dc4ee5bb68ee297f67ccdcff189 First-Stage Dropper (archive)\r\n48325c530f838db2d7b9e5e5abfa3ba8e9af1215 First-Stage Dropper (archive)\r\n48d6350afa5b92958fa13c86d61be30f08a3ff0c First-Stage Dropper (archive)\r\n4dcf4b2d07a2ce59515ed3633386addff227f7bd First-Stage Dropper (archive)\r\n5246e098dc625485b467edd036d86fd363d75aae First-Stage Dropper (archive)\r\n540227c86887eb4460c4d59b8dea2a2dd0e575b7 First-Stage Dropper (archive)\r\n5b60e1b7458cef383c45998204bbaac5eacbb7ee First-Stage Dropper (archive)\r\n612f61b2084820a1fcd5516dc74a23c1b6eaa105 First-Stage Dropper (archive)\r\n61a0cb64ca1ba349550176ef0f874dd28eb0abfa First-Stage Dropper (archive)\r\n6393b23bc20c2aaa71cb4e1597ed26de48ff33e2 First-Stage Dropper (archive)\r\nhttps://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem\r\nPage 62 of 67\n\n65c11e7a61ac10476ed4bfc501c27e2aea47e43a First-Stage Dropper (archive)\r\n6eb1902ddf85c43de791e86f5319093c46311071 First-Stage Dropper (archive)\r\n70b0ce86afebb02e27d9190d5a4a76bae6a32da7 First-Stage Dropper (archive)\r\n7c9266a3e7c32daa6f513b6880457723e6f14527 First-Stage Dropper (archive)\r\n7d53e588d83a61dd92bce2b2e479143279d80dcd First-Stage Dropper (archive)\r\n7d53e588d83a61dd92bce2b2e479143279d80dcd First-Stage Dropper (archive)\r\n7e505094f608cafc9f174db49fbb170fe6e8c585 First-Stage Dropper (archive)\r\nae8d0595724acd66387a294465b245b4780ea264 First-Stage Dropper (archive)\r\nb53ccd0fe75b8b36459196b666b64332f8e9e213 First-Stage Dropper (archive)\r\nb53ccd0fe75b8b36459196b666b64332f8e9e213 First-Stage Dropper (archive)\r\nbfed04e6da375e9ce55ad107aa96539f49899b85 First-Stage Dropper (archive)\r\nc46613f2243c63620940cc0190a18e702375f7d7 First-Stage Dropper (archive)\r\nc5407cc07c0b4a1ce4b8272003d5eab8cdb809bc First-Stage Dropper (archive)\r\nc9caba0381624dec31b2e99f9d7f431b17b94a32 First-Stage Dropper (archive)\r\nca6912da0dc4727ae03b8d8a5599267dfc43eee9 First-Stage Dropper 
(archive)\r\nhttps://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem\r\nPage 63 of 67\n\nd0b137e48a093542996221ef40dc3d8d99398007 First-Stage Dropper (archive)\r\nd1a5dff51e888325def8222fdd7a1bd613602bef First-Stage Dropper (archive)\r\ndeace971525c2cdba9780ec49cc5dd26ac3a1f27 First-Stage Dropper (archive)\r\ndeace971525c2cdba9780ec49cc5dd26ac3a1f27 First-Stage Dropper (archive)\r\ne27669cdf66a061c5b06fea9e4800aafdb8d4222 First-Stage Dropper (archive)\r\ne27669cdf66a061c5b06fea9e4800aafdb8d4222 First-Stage Dropper (archive)\r\ne9dfde8f8a44b1562bc5e77b965b915562f81202 First-Stage Dropper (archive)\r\nf02ae732ee4aff1a629358cdc9f19b8038e72b7b First-Stage Dropper (archive)\r\nf02ae732ee4aff1a629358cdc9f19b8038e72b7b First-Stage Dropper (archive)\r\nf5793ac244f0e51ba346d32435adb8eeac25250c First-Stage Dropper (archive)\r\nf7bb34c2d79163120c8ab18bff76f48e51195d35 First-Stage Dropper (archive)\r\nf8f328916a890c1b1589b522c895314a8939399c First-Stage Dropper (archive)\r\nf91e1231115ffe1a01a27ea9ab3e01e8fac1a24f First-Stage Dropper (archive)\r\nfaf033dc60fed4fc4d264d9fac1d1d8d641af5e0 First-Stage Dropper (archive)\r\nfaf033dc60fed4fc4d264d9fac1d1d8d641af5e0 First-Stage Dropper (archive)\r\nhttps://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem\r\nPage 64 of 67\n\nff920aee8199733258bb2a1f8f0584ccb3be5ec6 First-Stage Dropper (archive)\r\n3d38abc7786a1b01e06cc46a8c660f48849b2b5f Side-loaded DLL\r\n08f517d4fb4428380d01d4dd7280b62042f9e863 Encoded PDF (Archive)\r\n1aa5a0e7bfb995fc2f3ba0e54b59e7877b5d8fd3 Python stealer\r\n734738e7c3b9fef0fd674ea2bb8d7f3ffc80cd91 Python stealer\r\n80e68d99034a9155252e2ec477e91da75ad4f868 Python stealer\r\nba56a3c404d1b4ed4c57a8240e7b53c42970a4b2 Python stealer\r\nbd457c0d0a5776b43969ce28a9913261a74a4813 Python stealer\r\nda210d89a797a2d84ba82e80b7a4ab73d48a07b1 Python stealer\r\ndc6a62f0a174b251e0b71e62e7ded700027cc70b Python 
stealer\r\n533960d38e6fee7546cdea74254bccd1af8cbb65 Stage2 Python stealer\r\nc5688fc4c282f9a0dc62cf738089b3076162e8c6 Stage2 Python stealer\r\nc9a1ddf30c5c7e2697bc637001601dfa5435dc66 Stage2 Python stealer\r\n4ab9c1565f740743a9d93ca4dd51c5d6b8b8a5b6 Browser Injection DLL\r\nDomains\r\nhttps://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem\r\nPage 65 of 67\n\npaste[.]rs Code hosting site\r\n0x0[.]st Code hosting site\r\nlp2tpju9yrz2fklj.lone-none-1807[.]workers[.]dev Cloudflare Worker\r\nURLs\r\nhxxps://0x0[.]st/8nyT.py\r\nhxxps://0x0[.]st/8dxc.py\r\nhxxps://0x0[.]st/8GcQ.py\r\nhxxps://0x0[.]st/8GpS.py\r\nhxxps://0x0[.]st/8ndd.py\r\nhxxps://0x0[.]st/8GcO.py\r\nhxxps://0x0[.]st/8GsK[.]py\r\nhxxps://paste[.]rs/yd2sV\r\nhxxps://paste[.]rs/umYBi\r\nhxxps://paste[.]rs/qDTxA\r\nhxxps://paste[.]rs/Plk1y\r\nhttps://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem\r\nPage 66 of 67\n\nhxxps://paste[.]rs/5DJ0P\r\nhxxps://paste[.]rs/oaCzj\r\nhxxps://www[.]dropbox[.]com/scl/fi/c1abtpif2e6calkzqsrbj/.dll?\r\nrlkey=9h1ar7wmsg407ngpl25xv2spt\u0026st=mp7z58v2\u0026dl=1\r\nSource: https://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem\r\nhttps://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem\r\nPage 67 of 67\n\n https://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem     \nThis discovery showcases a leap in tradecraft, incorporating more nuanced anti-analysis techniques, non\u0002\nmalicious decoy content, and a hardened command-and-control pipeline that frustrates triage and attempts\nto delay detection.      
\n   Page 3 of 67   \n\n https://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem     \nThe stolen data includes over 200,000 unique passwords, hundreds of credit card records, and more than 4\nmillion harvested browser cookies, giving actors ample access to victims’ accounts and financial lives.\n   Page 5 of 67",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem"
	],
	"report_names": [
		"ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439073,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f52328658aaa2ae927a9d84a47ebdae3ebe9591b.pdf",
		"text": "https://archive.orkl.eu/f52328658aaa2ae927a9d84a47ebdae3ebe9591b.txt",
		"img": "https://archive.orkl.eu/f52328658aaa2ae927a9d84a47ebdae3ebe9591b.jpg"
	}
}