{
	"id": "5dcf8601-6693-476c-aadf-01c1c1da8a02",
	"created_at": "2026-04-06T00:18:32.06778Z",
	"updated_at": "2026-04-10T03:37:26.674751Z",
	"deleted_at": null,
	"sha1_hash": "fcfaf0e97e7101021622909285768b1622f6a4c0",
	"title": "Out of the Sandbox: WikiLoader Digs Sophisticated Evasion   | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3230642,
	"plain_text": "Out of the Sandbox: WikiLoader Digs Sophisticated Evasion   |\r\nProofpoint US\r\nBy July 31, 2023 Kelsey Merriman and Pim Trouerbach\r\nPublished: 2023-07-27 · Archived: 2026-04-05 21:59:32 UTC\r\nKey Takeaways\r\nProofpoint identified a new malware we call WikiLoader.\r\nIt has been observed delivered in multiple campaigns conducted by threat actors targeting Italian organizations. \r\nThe malware uses multiple mechanisms to evade detection. \r\nIt is named WikiLoader due to the malware making a request to Wikipedia and checking that the response has the\r\nstring “The Free” in the contents. \r\nIt is likely the use of this malware is available for sale to multiple cybercriminal groups. \r\nOverview\r\nProofpoint researchers identified a new malware we call WikiLoader. It was first identified in December 2022 being\r\ndelivered by TA544, an actor that typically uses Ursnif malware to target Italian organizations. Proofpoint observed multiple\r\nsubsequent campaigns, the majority of which targeted Italian organizations. \r\nWikiLoader is a sophisticated downloader with the objective of installing a second malware payload. The malware contains\r\ninteresting evasion techniques and custom implementation of code designed to make detection and analysis challenging.\r\nWikiLoader was likely developed as a malware that can be rented out to select cybercriminal threat actors.\r\nBased on the observed use by multiple threat actors, Proofpoint anticipates this malware will likely be used by other threat\r\nactors, especially those operating as initial access brokers (IABs).\r\nCampaign Delivery\r\nProofpoint researchers discovered at least eight campaigns distributing WikiLoader since December 2022. Campaigns began\r\nwith emails containing either Microsoft Excel attachments, Microsoft OneNote attachments, or PDF attachments. Proofpoint\r\nhas observed WikiLoader distributed by at least two threat actors, TA544 and TA551, both targeting Italy. 
While most\r\ncybercriminal threat actors have pivoted away from macro enabled documents as vehicles for malware delivery, TA544 has\r\ncontinued to use them in attack chains, including to deliver WikiLoader. \r\nThe most notable WikiLoader campaigns were observed on 27 December 2022, 8 February 2023, and 11 July 2023, as\r\ndescribed below. WikiLoader has been observed installing Ursnif as a follow-on payload.\r\nThe first campaign in Proofpoint data distributing WikiLoader was observed on 27 December 2022. Proofpoint researchers\r\nobserved a high-volume malicious email campaign targeting companies in Italy, which began with emails containing a\r\nMicrosoft Excel attachment spoofing the Italian Revenue Agency. The Microsoft Excel attachments contained characteristic\r\nVBA macros which, if enabled by the recipient, would download and execute a new unidentified downloader that Proofpoint\r\nresearchers eventually dubbed WikiLoader. This campaign was attributed to TA544.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion\r\nPage 1 of 16\n\nFigure 1: Screenshot of an Excel attachment used in the 27 December 2022 campaign.\r\nProofpoint researchers identified an updated version of WikiLoader used in a campaign on 8 February 2023 in another high\r\nvolume, Italian-targeted campaign, attributed to TA544. The campaign spoofed an Italian courier service and contained VBA\r\nmacro enabled Excel documents that, if enabled by the recipient, would lead to the installation of WikiLoader which\r\nsubsequently downloaded Ursnif. This version of WikiLoader contained more complex structures, additional stalling\r\nmechanisms used in an attempt to evade automated analysis, and the use of encoded strings.\r\nFigure 2: Screenshot of email lure in Italian targeted campaign on 8 February 2023. 
\r\nFigure 3: Excel document containing macros used in the 8 February 2023 campaign. \r\nOn 31 March 2023, Proofpoint observed WikiLoader delivered by TA551 using OneNote attachments containing embedded\r\nexecutables. The OneNote attachments contained a hidden CMD file behind an “OPEN” button which, if clicked by the\r\nrecipient, downloaded and executed WikiLoader. This campaign, with messages and lures written in Italian, also targeted\r\nItalian organizations, and was the first time Proofpoint observed WikiLoader used by an actor other than TA544. \r\nOn 11 July 2023, researchers identified additional changes to the actively developed malware in the protocol used for\r\nreaching compromised webhosts, exfiltration of host information via HTTP cookies, additional stalling mechanisms\r\nrequiring the sample to run for an extended time, and the processing of shellcode. In this campaign, TA544 used accounting\r\nthemes to deliver PDF attachments with URLs that led to the download of a zipped JavaScript file. If the JavaScript was\r\nexecuted by the recipient, it led to the download and execution of the packed downloader, WikiLoader. Notably, this\r\ncampaign was high-volume, including over 150,000 messages, and did not exclusively target Italian organizations like\r\npreviously observed campaigns. 
\r\nFigure 4: Example email used in the 11 July campaign.\r\nFigure 5: Example PDF document used in the 11 July campaign.\r\nMalware Attachment Type Date Actor Targeting\r\nWikiLoader PDF 11 July 2023 TA544  \r\nWikiLoader OneNote 31 March 2023 TA551 Italy\r\nWikiLoader PDF 16 March 2023 TA544 Italy\r\nWikiLoader Excel 16 February 2023 TA544 Italy\r\nWikiLoader / Ursnif \"5050\" Excel 8 February 2023 TA544 Italy\r\nWikiLoader / Ursnif \"5050\" Excel 31 January 2023 TA544 Italy\r\nWikiLoader / Ursnif \"5050\" Excel 11 January 2023 TA544 Italy\r\nWikiLoader / Ursnif \"5050\" Excel 27 December 2022 TA544 Italy\r\nFigure 6: Table of confirmed WikiLoader campaigns observed in Proofpoint data.\r\nWikiLoader Malware Analysis\r\nThe sample used for the following technical analysis was observed on 8 February 2023, and demonstrates the full execution\r\nchain from initial loader to final payload. There have been some updates since this analysis, and they will be documented at\r\nthe end of this report. \r\nFirst Stage of WikiLoader: The Packed Loader\r\nFigure 7: Attack chain from the 8 February 2023 TA544 campaign delivering Ursnif. Stage 1 is the packed DLL. \r\nThe use of packed downloaders is a common technique employed by threat actors to evade detection and analysis. This\r\ngenerally means the delivered executable is smaller since it serves the purpose of downloading the actual payload rather than\r\nhaving it embedded in the file. Another advantage of doing this is that threat actors can control the delivery of payloads.\r\nThey can include IP filtering or enable downloads for just the first 24 hours of the campaign.\r\nThe first stage of WikiLoader is highly obfuscated. 
Most of the call instructions have been replaced with a combination of\r\npush/jmp instructions to recreate the actions of a return without having to explicitly use the return instruction. This causes\r\nissues with common analysis tools such as IDA Pro and Ghidra. In addition to these features, WikiLoader also uses indirect\r\nsyscalls in an attempt to evade endpoint detection and response (EDR) solutions and sandbox hooks. \r\nControl Flow Obfuscation\r\nIn the example below, WikiLoader obfuscates its control flow by first pushing the address of the function it wants to call\r\nfrom RCX onto the stack (push RCX). Then, it calculates an address that is in the middle of the instruction at address\r\n0x1800E2F41, five bytes into the \"sub RAX, 22C3246E\" instruction, which is the location of the byte \"C3\". When\r\ninterpreted as an x86 assembly instruction, \"C3\" is ret, which is the return instruction normally called at the end of a\r\nfunction. Calling ret will treat the address on the top of the stack as the address to return to, effectively jumping to the\r\nfunction whose address was pushed just a few instructions ago while completely confusing programs used for disassembly\r\nand analysis.\r\nFigure 8: Screenshot showing Wikiloader jumping within a sub instruction.\r\nThe following figure shows the exact same set of bytes but being disassembled from the correct offset which properly shows\r\nthe instruction is being interpreted as a return instruction rather than the sub instruction it was initially displayed as. \r\nFigure 9: The same data shown in Figure 8 interpreted differently to show a return instruction.\r\nThe malware starts by finding the address of NtCreateThreadEx which allows it to spawn a thread pointing to\r\nGetModuleFileNameA. 
While searching for the correct NT API, the malware also ensures that no trampolines or hooks have\r\nbeen placed within the NT function. This is a technique sandboxes and EDR systems use to be able to trace and intercept\r\nfunction calls. At the beginning of the function, these systems will replace bytes with a new instruction that is controlled by\r\nthe sandbox or EDR. This technique can be detected by checking the initial bytes of a given function. The newly created\r\nthread is started in a suspended state and a flag is passed to hide the thread from a debugger. Once the thread is created, the\r\nmalware uses a combination of NtGetContextThread and NtSetContextThread to modify the instruction pointer to point to\r\nthe decrypted shellcode. With RIP replaced, the malware resumes the thread with NtResumeThread initiating the next stage. \r\nFigure 10: Overview of syscall invocation for CreateThreadEx. \r\nWikiLoader uses NTSetContextThread to set RIP to the decrypted shellcode. This user code is the next stage of the malware\r\n(Figure 11) which was decrypted earlier via a single byte XOR key.\r\nSecond Stage of WikiLoader: Shellcode\r\nFigure 11: Attack chain from the 8 February 2023 TA544 campaign delivering Ursnif, stage 2 is decrypted by a single byte\r\nXOR key. \r\nThe second stage of WikiLoader serves the purpose of decrypting the next stage of shellcode. Stage 3 is encrypted via a\r\nsingle byte XOR key and placed at the end of the stage 2 shellcode. Stage 2 finds a reference to the start of stage 3, decrypts\r\nit via the XOR key and transfers execution. The next stage of the shellcode starts at the end of the last function for stage 2. 
\r\nFigure 12: Screenshot of the final function in the stage 2 shellcode, with the stage 3 shellcode coming right after.\r\nThird Stage of Packed Loader: Shellcode \r\nFigure 13: Attack chain from the 8 February 2023 TA544 campaign delivering Ursnif, stage 3 is the main stage where most\r\nfunctionality is used. \r\nThe third stage of the WikiLoader chain is the main stage where most of the loader functionality is used. The strings in the\r\nfollowing steps are decoded by skipping over every even character, taking just the first, third, fifth characters and so on.\r\n(Figure 14). For example, the string “SJlgeAeNpG” would decode to “Sleep”. The loader makes an HTTPS request to\r\nWikipedia.com and checks that the response has the string “The Free” in the contents (Figure 15). This is likely an evasive\r\nmaneuver to prevent detonation in automated analysis environments to ensure the device is connected to the internet and not\r\nin a simulated environment blocked from external connections. The loader then intentionally makes a request to an\r\nunregistered domain. If a valid response is returned, the malware terminates. This is another evasive maneuver as some\r\nautomated analysis environments are programmed to automatically return a valid response to all DNS queries by default to\r\nencourage malware to continue execution. 
For organizations with DNS logs or EDR systems that record DNS lookups,\r\nsearching for lookups of the unique domains used by WikiLoader is one way to identify infected systems.\r\nFigure 14: Shellcode stage 3 entrypoint.\r\nFigure 15: Screenshot of where the loader checks connectivity to Wikipedia.\r\nFigure 16: Screenshot of the Wikipedia URL checked by the loader rendered in a browser.\r\nThe loader then checks GetTickCount64 (Figure 17). If the value returned is less than 125, the loader will make a request to\r\na specified, hardcoded URL. If the value returned is more than 125, the loader will make a request to a different hardcoded\r\nURL. While this boolean check exists, it is unclear why the authors decided to make it switch depending on the tick count.\r\nSpecifically, this tick count is the number of milliseconds that have passed since the system was started. Later versions of\r\nthis loader iterate over a set of URLs and make requests until a valid response is given. The response page has a comment\r\ncontaining the string “gmail” followed by base64 encoded text (Figure 18). The loader locates the gmail string and uses it as\r\nan anchor to retrieve the base64 text, decodes the text, replaces any “+” characters with a “/” character, then appends the\r\nresulting string to a hardcoded URL pointing to Discord (Figure 19). The base64 encoded text is the file path required to\r\nretrieve the next stage hosted on Discord’s CDN. While the threat actors are using Discord resources, this does not mean that\r\nDiscord itself has been compromised. Rather the actors uploaded the sample in any Discord chat and copied the link to the\r\nattachment. 
\r\nFigure 17: Screenshot of GetTickCount64 use.\r\nFigure 18: Gmail anchor string followed by base64 encoded URI located in the payload URL webpage.\r\nFigure 19: Decoded URL of the next stage payload.\r\nFourth Stage of Packed Loader: Shellcode\r\nFigure 20: Attack chain from the 8 February 2023 TA544 campaign delivering Ursnif, stage 4 is when the shellcode is\r\ndownloaded and executed from Discord. \r\nThe shellcode downloaded and executed from Discord follows the same process as the previous stage by checking for\r\nkernel32.dll, GetProcAddress, using the same string decoding, and using GetTickCount64 to choose the next URL\r\nhardcoded string. The URLs contained in this stage are the same as in the previous stage, with the exception that the URI\r\ncontains “id=2” instead of “id=1” (Figure 21). The loader follows the same process of locating the “gmail” string, using it as\r\nan anchor to decode and replace characters to be used in the URI to determine the location of the next file hosted on\r\nDiscord, but this time, the file retrieved is XOR encoded with a hardcoded, single byte. After decoding the file, it is executed\r\n(Figure 21).\r\nFigure 21: URI with id=2 hardcoded to find and decode the URI, then the URI appended to a hardcoded file location hosted\r\non Discord.\r\nFifth Stage of Packed Loader: Encoded PE\r\nFigure 22: Attack chain from the 8 February 2023 TA544 campaign delivering Ursnif, stage 5.\r\nThe PE file downloaded as the fifth stage contains 16 encoded bytes (Figure 23). The loader must drop every other byte of\r\nthe first 16 bytes to create a valid PE file. 
The final payload in this case is the Ursnif banking trojan with GroupID “5050”.\r\nFigure 23: PE file showing PE file with the first 16 bytes encoded.\r\nNetwork Infrastructure\r\nGiven the odd paths the malware used to retrieve the filenames, it appeared as if these sites were compromised hosts. This is\r\na common technique used by threat actors, as it allows them to leverage preexisting infrastructure without having to give\r\nregistration information or pay for the actual host. Sometimes this comes with the added benefit for the threat actor, that the\r\nsite is trusted and might result in higher infection rates. The downside of this technique is the threat actors don’t have much\r\ncontrol over the hosts, and they can sometimes go offline or have the malicious code removed. The upstream PHP contains\r\neither one or two IPs with a hardcoded path. Depending on whether WikiLoader is sending a “?id=1” or a “?id=2” request\r\ndetermines which IP is used. In some cases, these IPs are the same, which suggests they are copies of each other or two IPs\r\npointing to the same host. In later versions of this upstream PHP, host information is gathered and sent via HTTP cookies.\r\nThese cookies contain basic host information, and a unique identifier for tracking purposes.\r\nFigure 24: PHP upstream to return either the next stage shellcode, or the PE payload.\r\nWikiLoader Malware Evolution \r\nProofpoint researchers have observed at least three different versions of the malware, which indicates it is undergoing active\r\ndevelopment. 
The following is a timeline with the relevant differences and updates observed in each version.\r\nFirst version | 27 December 2022:\r\nNo string encoding within the shellcode layers\r\nStructures used for indirect syscalls were simpler \r\nShellcode layers didn’t contain as much obfuscation\r\nFewer APIs were used within the shellcode layer\r\nPotentially one less stage of shellcode\r\nThe fake domain was manually created rather than via automation \r\nSecond version | 8 February 2023\r\nAdded complexity to the syscall structure\r\nImplemented more busy loops\r\nBegan using encoded strings\r\nStarted deleting artifacts from file download\r\nThird version | 11 July 2023\r\nStrings still encoded via skip encoding\r\nNew technique for implementing indirect syscalls\r\nThe second filename is pulled via the MQTT protocol rather than reaching the compromised webhosts\r\nCookies are exfiltrated from the loader which contain basic host information\r\nFull execution of the loader takes almost an hour given the abundance of busy loops\r\nShellcode stages are written byte by byte via NtWriteVirtualMemory rather than a single pass\r\nConclusion\r\nSo far, Proofpoint has only observed WikiLoader deliver Ursnif as a second-stage payload. However, given its use by\r\nmultiple threat actors, it is possible more ecrime actors, especially those operating as IABs, will use WikiLoader in the\r\nfuture as a mechanism to deliver additional malware payloads. \r\nBased on analysis of multiple versions, Proofpoint assesses with high confidence this malware is in rapid development, and\r\nthe threat actors are attempting to make the loader more complicated, and the payload more difficult to retrieve. 
\r\nWikiLoader is delivered via activities regularly observed by threat actors, including macro-enabled documents, PDFs\r\ncontaining URLs leading to a JavaScript payload, and OneNote attachments with embedded executables. Thus, user\r\ninteraction is required to begin the malware installation. Organizations should ensure macros are disabled by default for all\r\nemployees, block the execution of embedded external files within OneNote documents, and ensure JavaScript files are\r\nopened by default in a notepad or similar application, by adjusting default file extension associations via group policy object\r\n(GPO).\r\nResearchers would like to thank @JAMESWT_MHT for their public work in identifying and uploading related samples to\r\npublic malware repositories. \r\nEmerging Threats Signatures\r\n2046966 - ET MALWARE WikiLoader Activity M1 (GET)\r\n2046967 - ET MALWARE WikilLoader Activity M1 (Response)\r\n2046968 - ET MALWARE WikilLoader Activity M2 (Response)\r\n2046969 - ET MALWARE WikilLoader Activity M3 (Response)\r\n2046970 - ET MALWARE WikiLoader Activity M2 (GET)\r\n2046971 - ET HUNTING Possible WikiLoader Activity (GET)\r\nIOCS\r\nIndicator Descri\r\nhxxps://cdn[.]discordapp[.]com/attachments/1128405963062378558/1128406314452799499/dw4qdkjbqwijhdhbwqjid.iso JS 
Pay\r\nhxxps://inspiration-canopee[.]fr/vendor/fields/assets/idnileeal/sifyhewmiyq/3jnd9021j9dj129.php\r\nWikiL\r\nComs\r\nhxxps://cdn[.]discordapp[.]com/attachments/1124390807626076192/1128383419970240662/s42.iso\r\nWikiL\r\nPayloa\r\nhxxps://www[.]p-e-c[.]nl/wp-content/themes/twentytwentyone/hudiiiwj1.php?id=1\r\nWikiL\r\nReque\r\nhxxps://vivalisme[.]fr/forms/forms/kiikxnmlogx/frrydjqb/vendor/9818hd218hd21.php?id=1\r\nWikiL\r\nReque\r\nhxxps://inspiration-canopee[.]fr/vendor/fields/assets/idnileeal/sifyhewmiyq/3jnd9021j9dj129.php?id=1\r\nWikiL\r\nReque\r\nhxxps://tournadre[.]dc1-mtp[.]fr/wp-content/plugins/kona-instagram-feed-for-gutenbargwfn/4dionaq9d0219d.php?id=1\r\nWikiL\r\nReque\r\nhxxps://studiolegalecarduccimacuzzi[.]it/Requests/tmetovcqhnisl/vendor/gyuonfuv/languages/vgwtdpera/Requests/5i8ndio12niod21.php?\r\nid=1\r\nWikiL\r\nReque\r\nhxxps://www[.]astrolabecommunication[.]fr/wp-includes/9d8n190dn21.php?id=1\r\nWikiL\r\nReque\r\nhttps://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion\r\nPage 13 of 16\n\n1d1e2c0946cd4e22fff380a3b6adf38e7c8b3f2947db7787d00f7d9db988dad2 JS SHA\r\nhxxps://nikotta[.]com/subtotal JS 
Pay\r\n69a6476d6f7b312cc0d9947678018262737417e02ebfe168f8d17babed24d657\r\nExcel\r\nSHA25\r\nd49c2e47c8e14cc01f0a362293c613ea9604e532ff77b879d69895473dfbeb03\r\nExcel\r\nSHA25\r\n95125db52cdc7870b35c3762bad0ea18944aaed9503c3f69b30beb6ca7bae7e7\r\nExcel\r\nSHA25\r\n1e5035723637c2f4a26d984e29d17cf164f3846f82eb0b7667efa132a2ea0187\r\nExcel\r\nSHA25\r\n18a088a190263275172a28d387103e83b8940e51e96cb518ed41a1960c772bba\r\nExcel\r\nSHA25\r\neaa1be7a91c4f1370d2ad566f8625e3e5bb7c58d99a9e2e3a80e83ce80904e11\r\nExcel\r\nSHA25\r\n1eb5d4ae5114979908bfbf8a617b2084b101e9eda92532cf81b2a527c27d91a5\r\nExcel\r\nSHA25\r\n46c2e0ffadf801900fbff964ba2af5e24fee3209d1011bb46529ba779ff79e93\r\nExcel\r\nSHA25\r\n8d4701f33c05851f41eedb98bfff0569b7f4fae3352e2081f01b3add0a97936c\r\nExcel\r\nSHA25\r\n9a74befc4a4dab4c5032d64fcf9723b67e73ae9d5280fb9fb54f225febba03fe\r\nExcel\r\nSHA25\r\nf88526be804223cae5b4314b9bc0f01c24352caa7ec2c7a2f8b6b54c2e902acc\r\nExcel\r\nSHA25\r\n9782f11930910c7d24dea71a7a21f40f19623b214cb1848bf9f4d49b858c8379\r\nExcel\r\nSHA25\r\n9feb868d39b13e395396ea86ddbf05c4820dd476b58b6b437eff1e0b91e2615c\r\nExcel\r\nSHA25\r\nhxxps://www[.]ilfungodilacco[.]it/wp-content/themes/twentytwentyone/fnc.php?id=1\r\nWikiL\r\nReque\r\nhttps://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion\r\nPage 14 of 
16\n\nhxxps://www[.]centrograndate[.]it/plugins/content/jw_sigpro/jw_sigpro/includes/js/jquery_colorbox/example4/images/border3.php?id=1\r\nWikiL\r\nReque\r\nhxxp://www[.]bbpline.com\r\nExcel\r\nPayloa\r\n86966795bbd054104844cdab7efcafb0b1879a10aae5c0fefbbc83d1ebccbc98\r\nExcel\r\nSHA25\r\ne0a1ffff9d5c6eaaa2e57548d8db2febbe89441a76f58feae8256ab69f64c88b\r\nExcel\r\nSHA25\r\n2505b1471e26a303d59e5fc5f0118729a9eead489ffc6574ea2a7746e5db722d\r\nExcel\r\nSHA25\r\n6e494eb76d75ee02b28e370ab667bcbcdc6f5143ad522090f4b8244eb472d447\r\nExcel\r\nSHA25\r\n44abd30e18e88e832a65a29ce56c9c570d7f0a3b93158e5059722d89782a750c\r\nExcel\r\nSHA25\r\nd16c5485f3f01fe0d0ce9387e9c92b561ef4d42f0a22dde77f18a424079c87cd\r\nExcel\r\nSHA25\r\n0e518e2627350ec0ab61fce3713644726eb3916563199187ef244277281cd35b\r\nExcel\r\nSHA25\r\nhttps://sunniznuhqan[.]com\r\nExcel\r\nPayloa\r\n0b02cfe16ac73f2e7dc52eaf3b93279b7d02b3d64d061782dfed0c55ab621a8e\r\nWikiL\r\nSHA25\r\nhxxps://osteopathe-claudia-grimand[.]fr/wp-content/themes/twentynineteen/blog.php?id=1\r\nWikiL\r\nReque\r\nhxxps://www[.]yourbed[.]it/wp-content/themes/twentytwentyone/blog.php?id=1\r\nWikiL\r\nReque\r\n2c44c1312a4c99e689979863e7c82c474395d6f46485bd19d0ee26fc3fa52279\r\nExcel\r\nSHA25\r\n27070a66fc07ff721a16c4945d4ec1ca1a1f870d64e52ed387b499160a03d490\r\nExcel\r\nSHA25\r\na599666949f022de7ccc7edb3d31360e38546be22ad2227d4390364b42f43cfd\r\nExcel\r\nSHA25\r\nhttps://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion\r\nPage 15 of 16\n\nbbe1eb4a211c3ebaf885b7584fc0936b9289b4d4f4a7fc7556cc870de1ff0724\r\nExcel\r\nSHA25\r\na2ed8e1d23d2032909c8ad264231bc244c113a4b40786a9bc9df3418cc915405\r\nExcel\r\nSHA25\r\n1106e4b7392f471a740ec96f9e6a603fe28f74b32eef7b456801a833f13727fc\r\nExcel\r\nSHA25\r\n9386ccb677bde1c51ca3336d02fea66f9489913f2241caa77def71d09464d937\r\nExcel\r\nSHA25\r\nee008ff7b30d4fce17c5b07ed2d6a0593dc346f899eff3441d8fb3c190ef0e0e\r\nExcel\r\nSHA25\r\nSource: 
https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion"
	],
	"report_names": [
		"out-sandbox-wikiloader-digs-sophisticated-evasion"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434712,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fcfaf0e97e7101021622909285768b1622f6a4c0.pdf",
		"text": "https://archive.orkl.eu/fcfaf0e97e7101021622909285768b1622f6a4c0.txt",
		"img": "https://archive.orkl.eu/fcfaf0e97e7101021622909285768b1622f6a4c0.jpg"
	}
}