{
	"id": "2dfffb0c-1927-469b-b2d2-f3f59d153d2d",
	"created_at": "2026-04-06T01:29:52.691478Z",
	"updated_at": "2026-04-10T03:36:36.599641Z",
	"deleted_at": null,
	"sha1_hash": "fdac9996e61ebafad9012f0bb1f08390ac56cd7d",
	"title": "Elastic Security Labs discovers the LOBSHOT malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1623510,
	"plain_text": "Elastic Security Labs discovers the LOBSHOT malware\r\nBy Daniel Stepanic\r\nPublished: 2023-05-16 · Archived: 2026-04-06 00:24:09 UTC\r\nKey takeaways\r\nAdversaries continue to abuse and increase reach through malvertising such as Google Ads by impersonating legitimate software\r\nElastic Security Labs is shedding light on an undiscovered hVNC malware that has been quietly collecting a large install base\r\nThis malware, which we are calling LOBSHOT, appears to be leveraged for financial purposes, employing banking trojan and info-stealing capabilities\r\nPreamble\r\nElastic Security Labs, along with the research community, noticed a large spike in the adoption of malvertising earlier this year. Attackers promoted their malware using an elaborate scheme of fake websites through Google Ads and embedded backdoors in what appears to users as legitimate installers. In this post, we will highlight one malware family we observed from this spike, which we’re calling LOBSHOT. LOBSHOT continues to collect victims while staying under the radar.\r\nOne of LOBSHOT’s core capabilities is its hVNC (Hidden Virtual Network Computing) component. These kinds of modules allow for direct and unobserved access to the machine. This feature continues to be successful in bypassing fraud detection systems and is often baked into many popular families as plugins.\r\nWe will walk through the LOBSHOT infection chain and its behaviors. Additionally, we will provide a YARA signature and configuration extractor for this family.\r\nhttps://www.elastic.co/de/security-labs/elastic-security-labs-discovers-lobshot-malware\r\nPage 1 of 19\r\nLOBSHOT infection chain\r\nThroughout our analysis, we observed infrastructure known to belong to TA505. TA505 is a well-known cybercrime group associated with Dridex, Locky, and Necurs campaigns. 
A loader documented by Proofpoint, known as Get2, has also been tied to the same domains in the past that we observed with LOBSHOT. We assess with moderate confidence that LOBSHOT is a new malware capability leveraged by TA505 starting in 2022.\r\nCampaign context\r\nEarlier this year, Elastic Security Labs observed multiple infections with an interesting chain of events that resulted in the execution of an unknown hVNC malware, which we are calling LOBSHOT. Around this same time, similar infection chains were observed in the security community, with the commonality of users searching for legitimate software downloads and ending up being served illegitimate software from promoted Google ads [1, 2, 3, 4].\r\nIn one example, the malicious ad was for a legitimate remote desktop solution, AnyDesk. Careful examination shows that the URL goes to https://www.amydecke[.]website instead of the legitimate AnyDesk URL, https://www.anydesk[.]com.\r\nMalicious Google Ad\r\nThe landing pages were very convincing, with similar branding as the legitimate software, and included Download Now buttons that pointed to an MSI installer.\r\nFake AnyDesk landing page for installer\r\nThanks to security researcher Will Dormann, we were able to view the screenshots from the AnyDesk campaign.\r\nTweet referencing AnyDesk infection chain\r\nAt the time of publication, we haven’t seen any previous public information about LOBSHOT, so we will focus our research on LOBSHOT’s functionality and capabilities.\r\nLOBSHOT code analysis\r\nTo focus on the LOBSHOT malware, we will skip the initial infection chain. For these initial details, here is a good sandbox report to look over for general TTPs. 
We have observed over 500 unique LOBSHOT samples since last July. The samples we have observed are compiled as 32-bit DLLs or 32-bit executables, typically ranging from around 93 KB to 124 KB. Consider the following sample representative of LOBSHOT for purposes of this analysis.\r\nDynamic API resolution\r\nOur LOBSHOT sample, like most malware we see today, employs dynamic import resolution to evade security products and slow down the rapid identification of its capabilities. This process involves resolving the names of the Windows APIs that the malware needs at runtime, as opposed to placing the imports into the program ahead of time.\r\nResolving Windows Registry APIs through LoadLibraryA/GetProcAddress\r\nDefender emulation check\r\nAfter the initial libraries are loaded, LOBSHOT performs a Windows Defender anti-emulation check by verifying whether the computer name matches the string HAL9TH and whether the username matches JohnDoe. These are hard-coded values within the emulation layer of Defender; if they are present, the malware immediately stops running. This kind of verification has been incorporated in many other stealers, including Arkei, Vidar, and Oski. Below is the emulation output using the Qiling framework highlighting these verification checks.\r\nDefender checks via Qiling\r\nString obfuscation\r\nThis malware hides its primary strings through a straightforward encryption function using different bitwise operators. 
To perform the string decryption, LOBSHOT uses an initial seed from the WTS_SESSION_INFO structure returned by a call to WTSEnumerateSessionsA.\r\nLOBSHOT calling WTSEnumerateSessionsA\r\nIn this case, the malware developer sets up the initial seed by performing an XOR on the SessionID (always 0) and the S character from “Services”.\r\nWTS_SESSION_INFO structure used as the initial seed for string decryption\r\nInitial enumeration\r\nBefore sending any outbound network requests, LOBSHOT builds a custom structure containing enumerated data from the machine, including:\r\nGUID of machine derived from SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\r\nWindows edition, username, computer name\r\nA VM check, number of processes running, process ID, parent process of malware\r\nWindows desktop object details\r\nScreen height/width\r\nDisplay device information\r\nHandles to the desktop objects and windows\r\nDPI for the display(s)\r\nMalware retrieving Windows desktop object information\r\nExecution flow\r\nAfter LOBSHOT is executed, it moves a copy of itself to the C:\\ProgramData folder, spawns a new process using explorer.exe, terminates the original process, and finally deletes the original file. This design choice is used in an attempt to break the process tree ancestry, making it harder for analysts to spot.\r\nThe LOBSHOT process tree as observed with Elastic Defend\r\nBelow is a screenshot after the initial execution; the malware is now parentless and running from the C:\\ProgramData directory.\r\nLOBSHOT running without a parent process\r\nPersistence\r\nFor persistence, LOBSHOT leverages the Registry run key persistence method. 
In our sample, this is placed in the HKEY_CURRENT_USER Registry hive with a randomly generated name pointing to the malware located in C:\\ProgramData.\r\nRegistry key persistence\r\nIn addition, it sets Registry key data under the Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices key path, which is used to check for a hardcoded global identifier key that would indicate the system had already been infected. In our sample, the Display value is set to the string 134a1160. The results from the stealer feature are recorded inside the Default Printer value. We'll discuss the stealer functionality in the next section.\r\nRegistry hive used to store data\r\nStealer functionality\r\nWith the persistence mechanism established, LOBSHOT starts a new thread kicking off the stealer functionality. It starts by targeting specific Google Chrome extensions that deal with cryptocurrency wallets. 
Below are Procmon outputs showing LOBSHOT trying to access 32 Chrome wallet extensions, nine Edge wallet extensions, and 11 Firefox wallet extensions.\r\nChrome extensions related to cryptocurrency wallets\r\nEdge extensions related to cryptocurrency wallets\r\nFirefox extensions related to cryptocurrency wallets\r\nFor the complete listing of the different cryptocurrencies mapped to their extension IDs, see the appendix.\r\nIf there is a match with any of these extensions, the results are inserted in the Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices Registry key value as binary data with the format browser name_extension name.\r\nBelow is an example after the registry modification showing: Chrome_Yoroi.\r\nStealer component writing found wallet to registry\r\nAfter the browser extensions are enumerated, there is a check for a hardcoded file titled hmr_*.dat inside the C:\\ProgramData directory. If this file exists, it will be executed with rundll32.exe with the following command-line arguments:\r\nrundll32.exe \"C:\\ProgramData\\hmr_1.dat\", #1 hmod\r\nWhile we didn’t observe this behavior directly, this function appears to show off a feature baked in by the developer, allowing additional execution options such as loading their own DLL.\r\nNetwork communications\r\nFor each LOBSHOT sample we have reviewed, there is a hardcoded IP and port that is decrypted from the binary and used as the primary C2. 
The malware beacons every 5 seconds, communicating by using the following calls:\r\nws2_32.socket\r\nws2_32.connect\r\nws2_32.send\r\nws2_32.select\r\nws2_32.recv\r\nws2_32.shutdown\r\nws2_32.closesocket\r\nOn these outbound requests, it sends pseudorandom hard-coded data along with a shortened GUID value and the version number of the module.\r\nHardcoded values and version in request\r\nBelow is an example of the send request buffer sent during the initial outbound requests, showing the above hardcoded values and version number.\r\nRequest buffer on outbound network traffic\r\nHardcoded values within outbound network traffic request\r\nSearching for the above mov instruction paired with the first DWORD of the hardcoded value (C7 06 25 56 0DC) shows over 550 samples in VirusTotal within the last year, with some of the first samples showing up in late July 2022. The prevalence of these hardcoded values shows that it has been actively used and under development for a long period of time, and will likely continue to be used in the future.\r\nVirusTotal VTGrep search on hardcoded bytes\r\nAfter this initial handshake, LOBSHOT will send the previous custom data structure containing the enumerated data such as the hostname, username, Windows objects, etc. over this port.\r\nThe Wireshark output of outbound requests containing victim host information\r\nCapabilities\r\nOne of LOBSHOT’s core capabilities is its hVNC (Hidden Virtual Network Computing) module. Unlike traditional VNC (Virtual Network Computing), where the software provides remote access to a machine with the user’s consent and the actions taken on the machine can be clearly observed, 
hVNC is designed to stay stealthy: all actions by an attacker take place on the same machine but cannot be visibly observed by the victim. hVNC became a popular solution within the banking trojan space to bypass device and fraud detection solutions. More details on hVNC can be found here.\r\nLOBSHOT implements the hVNC feature by generating a hidden desktop using the CreateDesktopW Windows API and then assigning the desktop to the malware using the SetThreadDesktop API. A new Windows explorer.exe process is then created under the context of the new hidden desktop.\r\nLOBSHOT’s hidden desktop creation\r\nAt this stage, the victim machine will start sending screen captures that represent the hidden desktop to a listening client controlled by the attacker. The attacker interacts with the client by controlling the keyboard, clicking buttons, and moving the mouse; these capabilities provide the attacker full remote control of the device.\r\nWithin LOBSHOT’s hVNC module, there is a built-in GUI menu that allows the attacker to run the following commands quickly:\r\nStart new explorer.exe process\r\nStart Windows Run command\r\nStart new Windows process with provided command\r\nStart Browsers (Internet Explorer, Edge, Firefox)\r\nTerminate existing explorer.exe processes and start new explorer.exe process\r\nTamper with Windows sound settings\r\nSet/retrieve Clipboard text\r\nActivate Start Menu\r\nModify DPI Awareness settings\r\nExecute the run dialog inside the hVNC module\r\nClipboard grabber inside the hVNC module\r\nCMD execution inside the hVNC module\r\nWhile the main functionality is centered on LOBSHOT’s hVNC module, it does have additional capabilities. 
One example is its ability to swap out its C2 for one provided by an operator; it manages this by writing the new C2 details into the registry key path Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices under the Video value.\r\nUpdating C2 through registry modification\r\nLOBSHOT also includes an update mechanism where it will remove previous modifications to the registry, such as removing the “Display” value and Run key persistence, start a new process, and finally exit the existing process.\r\nRemove existing registry key\r\nSpawn new LOBSHOT process\r\nLOBSHOT configuration extractor\r\nElastic Security Labs has released an open source tool, under the Elastic 2.0 license, that will allow for configurations to be extracted from LOBSHOT samples. The tool can be downloaded here.\r\nThe extractor can run at the individual file or directory level; examples are below:\r\npython lobshot_config_extractor.py --file sample.bin\r\npython lobshot_config_extractor.py --directory samples\r\nSummary\r\nThreat groups are continuing to leverage malvertising techniques to masquerade legitimate software with backdoors like LOBSHOT. These kinds of malware seem small, but end up packing significant functionality which helps threat actors move quickly during the initial access stages with fully interactive remote control capabilities. 
We are continuing to see new samples related to this family each week, and expect it to be around for some time.\r\nDetection logic\r\nPrevention\r\nSuspicious Windows Explorer Execution\r\nSuspicious Parent-Child Relationship\r\nWindows.Trojan.Lobshot\r\nDetection\r\nEQL query\r\nUsing the Timeline section of the Security Solution in Kibana under the “Correlation” tab, you can use the below EQL queries to hunt for similar behaviors.\r\nThe following EQL query can be used to detect suspicious grandparent, parent, child relationships observed with LOBSHOT.\r\nsequence by host.id, user.id with maxspan=1m\r\n [process where event.type == \"start\" and not startsWith~(process.executable, process.parent.executable)] by pro\r\n [file where event.type == \"deletion\"] by file.name, process.entity_id\r\n [process where event.type == \"start\" and not startsWith~(process.executable, process.parent.executable)] by pro\r\nuntil [process where event.type == \"end\"] by process.name, process.entity_id\r\nYARA rule\r\nrule Windows_Trojan_Lobshot {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2023-04-18\"\r\n last_modified = \"2023-04-18\"\r\n license = \"Elastic License v2\"\r\n os = \"Windows\"\r\n threat_name = \"Windows.Trojan.Lobshot\"\r\n reference_sample = \"e4ea88887753a936eaf3361dcc00380b88b0c210dcbde24f8f7ce27991856bf6\"\r\n strings:\r\n $str0 = \"HVNC Remote Control\" ascii fullword\r\n $str1 = \" Error # %d - %08lx\" ascii fullword\r\n $str2 = \"Set clipboard text failed.\" ascii fullword\r\n $str3 = \"OK %08lx %08lx %d\" ascii fullword\r\n $str4 = \"\\\") & (rundll32.exe \\\"\" wide fullword\r\n $str5 = \"%LOCALAPPDATA%\\\\svc.db\" wide fullword\r\n $str6 = \"cmd.exe /c (ping -n 10 127.0.0.1) & (del /F /Q \\\"\" wide fullword\r\n $seq_str_decrypt = { 8A 5A ?? 8D 52 ?? 80 EB ?? 85 FF 74 ?? C0 E0 ?? 2C ?? 
0A C3 32 C1 32 C7 88 06 32 E8\r\n $seq_emu_check = { 8B 35 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 44 24 ?? C7 44 24 ?? 48 41 4C 39 50 C7 44 24 ?? 5\r\n $seq_enum_xor = { FF 15 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 83 7C 24 ?? 00 0F 84 ?? ?? ?? ?? 8B 4C 24 ??\r\n $seq_create_guid = { 8D 48 ?? 80 F9 ?? 77 ?? 2C ?? C1 E2 ?? 46 0F B6 C8 0B D1 83 FE ?? 7C ?? 5F 8B C2 5E\r\n condition:\r\n 2 of ($seq*) or 5 of ($str*)\r\n}\r\nObserved adversary tactics and techniques\r\nElastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.\r\nInitial Access\r\nExecution\r\nPersistence\r\nCommand and Control\r\nDefense Evasion\r\nTechniques / Sub-techniques\r\nTechniques and sub-techniques represent how an adversary achieves a tactical goal by performing an action.\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nData from Local System\r\nSystem Owner/User Discovery\r\nObfuscated Files or Information: Dynamic API Resolution\r\nRemote Services: VNC\r\nExfiltration Over C2 Channel\r\nClipboard Data\r\nObservations\r\nAll observables are also available for download in both ECS and STIX format. 
Additionally, we have created a VirusTotal Collection with all indicators.\r\nIndicator Type Reference\r\n95.217.125.200 IP address LOBSHOT C2\r\ne4ea88887753a936eaf3361dcc00380b88b0c210dcbde24f8f7ce27991856bf6 SHA-256 LOBSHOT\r\nReferences\r\nThe following were referenced throughout the research above:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/ta505\r\nhttps://twitter.com/wdormann/status/1617612216945250304?s=20\r\nhttps://www.malware-traffic-analysis.net/2023/01/23/index.html\r\nAppendix\r\nChrome wallet extensions\r\nWallet name Extension ID\r\nYoroi ffnbelfdoeiohenkjibnmadjiehjhajb\r\nTronLink ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nNifty Wallet jbdaocneiiinmjbjlgalhcelgbejmnid\r\nMetaMask nkbihfbeogaeaoehlefnkodbefgpgknn\r\nMath Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nCoinbase Wallet hnfanknocfeofbddgcijnmhnfnkdnaad\r\nBinance Wallet fhbohimaelbohpjbbldcngcnapndodjp\r\nBrave Wallet odbfpeeihdkbihmopkbjmoonfanlbfcl\r\nGuarda hpglfhgfnhbgpjdenjgmdgoeiappafln\r\nEqual Wallet blnieiiffboillknjnepogjhkgnoapac\r\nJaxx Liberty cjelfplplebdjjenllpjcblmjkfcffne\r\nBitApp Wallet fihkakfobkmkjojpchpfgcmhfjnmnfpi\r\niWallet kncchdigobghenbbaddojjnnaogfppfj\r\nWombat amkmjjmmflddogmhpjloimipbofnfjih\r\nOxygen fhilaheimglignddkjgofkcbgekhenbh\r\nMyEtherWallet nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nGuildWallet nanjmdknhkinifnkgdcggcfnhdaammmj\r\nSaturn Wallet nkddgncdjgjfcddamfgcmfnlhccnimig\r\nRonin Wallet fnjhmkhhmkbjkkabndcnnogagogbneec\r\nStation Wallet aiifbnbfobpmeekipheeijimdpnlpgpp\r\nHarmony fnnegphlobjdpkhecapkijjdkgcjhkib\r\nCoin98 Wallet aeachknmefphepccionboohckonoeemg\r\nEVER Wallet cgeeodpfagjceefieflmdfphplkenlfk\r\nKardiaChain Wallet pdadjkfkgcafgbceimcpbkalnfnepbnk\r\nPhantom bfnaelmomeimhlpmgjnjophhpkkoljpa\r\nPali 
Wallet mgffkfbidihjpoaomajlbgchddlicgpn\r\nBOLT X aodkkagnadcbobfpggfnjeongemjbjca\r\nLiquality Wallet kpfopkelmapcoipemfendmdcghnegimn\r\nXDEFI Wallet hmeobnfnfcmdkdcmlblgagmfpfboieaf\r\nNami lpfcbjknijpeeillifnkikgncikgfhdo\r\nMultiversX DeFi Wallet dngmlblcodfobpdpecaadgfbcggfjfnm\r\nEdge wallet extensions\r\nWallet name Extension ID\r\nYoroi akoiaibnepcedcplijmiamnaigbepmcb\r\nMetaMask ejbalbakoplchlghecdalmeeeajnimhm\r\nMath Wallet dfeccadlilpndjjohbjdblepmjeahlmm\r\nRonin Wallet kjmoohlgokccodicjjfebfomlbljgfhk\r\nStation Wallet ajkhoeiiokighlmdnlakpjfoobnjinie\r\nBDLT Wallet fplfipmamcjaknpgnipjeaeeidnjooao\r\nGlow niihfokdlimbddhfmngnplgfcgpmlido\r\nOneKey obffkkagpmohennipjokmpllocnlndac\r\nMetaWallet kfocnlddfahihoalinnfbnfmopjokmhl\r\nFirefox wallet extensions\r\nWallet name Extension ID\r\nYoroi {530f7c6c-6077-4703-8f71-cb368c663e35}.xpi\r\nRonin Wallet ronin-wallet@axieinfinity.com.xpi\r\nMetaMask webextension@metamask.io.xpi\r\nTronLink {5799d9b6-8343-4c26-9ab6-5d2ad39884ce}.xpi\r\n{aa812bee-9e92-48ba-9570-5faf0cfe2578}.xpi\r\n{59ea5f29-6ea9-40b5-83cd-937249b001e1}.xpi\r\n{d8ddfc2a-97d9-4c60-8b53-5edd299b6674}.xpi\r\nPhantom {7c42eea1-b3e4-4be4-a56f-82a5852b12dc}.xpi\r\n{b3e96b5f-b5bf-8b48-846b-52f430365e80}.xpi\r\n{eb1fb57b-ca3d-4624-a841-728fdb28455f}.xpi\r\n{76596e30-ecdb-477a-91fd-c08f2018df1a}.xpi\r\nSource: https://www.elastic.co/de/security-labs/elastic-security-labs-discovers-lobshot-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/de/security-labs/elastic-security-labs-discovers-lobshot-malware"
	],
	"report_names": [
		"elastic-security-labs-discovers-lobshot-malware"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438992,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdac9996e61ebafad9012f0bb1f08390ac56cd7d.pdf",
		"text": "https://archive.orkl.eu/fdac9996e61ebafad9012f0bb1f08390ac56cd7d.txt",
		"img": "https://archive.orkl.eu/fdac9996e61ebafad9012f0bb1f08390ac56cd7d.jpg"
	}
}