diff --git "a/data/processed/backup/llm_annotated_apt.jsonl" "b/data/processed/backup/llm_annotated_apt.jsonl" new file mode 100644--- /dev/null +++ "b/data/processed/backup/llm_annotated_apt.jsonl" 
@@ -0,0 +1,4554 @@ +{"text": "According to ESET, this is a commercial, multiplatform RAT, originally developed for Windows and extended to Android. In short, it can steal and delete files from a device, take screenshots, get device location, phish Facebook credentials, get a list of installed apps, steal user photos, take photos, record surrounding audio and phone calls, make calls, steal SMS messages, steal the device’s contact list, send text messages, etc.", "spans": {"SYSTEM: Android": [[109, 116]], "SYSTEM: Windows": [[85, 92]], "SYSTEM: ESET": [[13, 17]], "ORGANIZATION: Facebook": [[218, 226]]}, "info": {"source": "apt_reports", "name": "888 RAT"}} +{"text": "According to PCrisk, AbstractEmu is the name of rooting malware that can gain privileged access to the Android operating system. Threat actors behind AbstractEmu are using legitimate-looking apps (like password managers, app launchers, data savers) to trick users into downloading and opening/executing this malware.", "spans": {"MALWARE: AbstractEmu": [[21, 32], [150, 161]], "SYSTEM: Android": [[103, 110]], "SYSTEM: Android operating system": [[103, 127]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "AbstractEmu"}} +{"text": "According to PCrisk, Ahmyth is a Remote Access Trojan (RAT) targeting Android users. It is distributed via trojanized (fake) applications. Ahmyth RAT steals cryptocurrency and banking credentials, 2FA codes, lock screen passcodes, and captures screenshots.", "spans": {"MALWARE: Ahmyth": [[21, 27], [139, 145]], "SYSTEM: Android": [[70, 77]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "AhMyth"}} +{"text": "According to ThreatFabric, this is a fork of Cerberus v1 (active January 2020+). 
Alien is a rented banking trojan that can remotely control a phone and achieves RAT functionality by abusing TeamViewer.", "spans": {"MALWARE: Alien": [[81, 86]], "TOOL: TeamViewer": [[190, 200]], "ORGANIZATION: ThreatFabric": [[13, 25]], "MALWARE: Cerberus": [[45, 53]]}, "info": {"source": "apt_reports", "name": "Alien"}} +{"text": "This malware was initially named BlackRock and later renamed to AmpleBot.", "spans": {"MALWARE: AmpleBot": [[64, 72]], "MALWARE: BlackRock": [[33, 42]]}, "info": {"source": "apt_reports", "name": "AmpleBot"}} +{"text": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve informations from it.", "spans": {"MALWARE: Androrat": [[0, 8], [130, 138]], "SYSTEM: Java": [[54, 58], [94, 98]], "SYSTEM: Android": [[59, 66], [151, 158]]}, "info": {"source": "apt_reports", "name": "AndroRAT"}} +{"text": "According to Google, a Chrome cookie stealer.", "spans": {"SYSTEM: Chrome": [[23, 29]], "ORGANIZATION: Google": [[13, 19]]}, "info": {"source": "apt_reports", "name": "ANDROSNATCH"}} +{"text": "The malware displays fake Google Play update pages in multiple languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English, indicating potential targets in these regions.\r\n\r\nAntidot uses overlay attacks and keylogging techniques to efficiently collect sensitive information such as login credentials.", "spans": {"MALWARE: Antidot": [[203, 210]], "SYSTEM: Google Play": [[26, 37]], "ORGANIZATION: Google": [[26, 32]], "VULNERABILITY: keylogging": [[236, 246]], "MALWARE: Play": [[33, 37]]}, "info": {"source": "apt_reports", "name": "Antidot"}} +{"text": "BleepingComputer found that Anubis will display fake phishing login forms when users 
open up apps for targeted platforms to steal credentials. This overlay screen will be shown over the real app's login screen to make victims think it's a legitimate login form when in reality, inputted credentials are sent to the attackers.\r\n\r\nIn the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:\r\n\r\nRecording screen activity and sound from the microphone\r\nImplementing a SOCKS5 proxy for covert communication and package delivery\r\nCapturing screenshots\r\nSending mass SMS messages from the device to specified recipients\r\nRetrieving contacts stored on the device\r\nSending, reading, deleting, and blocking notifications for SMS messages received by the device\r\nScanning the device for files of interest to exfiltrate\r\nLocking the device screen and displaying a persistent ransom note\r\nSubmitting USSD code requests to query bank balances\r\nCapturing GPS data and pedometer statistics\r\nImplementing a keylogger to steal credentials\r\nMonitoring active apps to mimic and perform overlay attacks\r\nStopping malicious functionality and removing the malware from the device", "spans": {"MALWARE: Anubis": [[28, 34], [368, 374]], "ORGANIZATION: Lookout": [[359, 366]], "VULNERABILITY: keylogger": [[1033, 1042]], "VULNERABILITY: phishing": [[53, 61]]}, "info": {"source": "apt_reports", "name": "Anubis"}} +{"text": "According to Lukas Stefanko, this is an open-source crypto-ransomware found on Github in 2018.\r\nIT can en/decrypt files (AES, key: 32 random chars, sent to C&C), uses email as contact point but will remove all files after 24 hours or after a reboot.", "spans": {}, "info": {"source": "apt_reports", "name": "ATANK"}} +{"text": "According to EnigmaSoft, AxBanker is a banking Trojan targeting Android devices specifically. The threatening tool has been deployed as part of large attack campaigns against users in India. 
The threat actors use smishing (SMS phishing) techniques to smuggle the malware threat onto the victims' devices. The fake applications carrying AxBanker are designed to visually impersonate the official applications of popular Indian banking organizations. The weaponized applications use fake promises or rewards and discounts as additional lures.", "spans": {"MALWARE: AxBanker": [[25, 33], [336, 344]], "SYSTEM: Android": [[64, 71]], "VULNERABILITY: phishing": [[227, 235]]}, "info": {"source": "apt_reports", "name": "AxBanker"}} +{"text": "BadBazaar is a type of malware primarily functioning as a spyware. Designed to compromise Android and iOS devices, it is often distributed through malicious apps downloaded from unofficial app stores, third-party websites, Telegram channels, and social engineering. Once installed, BadBazaar seeks to surveil the victim by intercepting SMS messages, performing screen recordings, and logging keystrokes on the device. Additionally, it can execute remote commands and download and install other malicious applications, further compromising the security of the affected device.", "spans": {"MALWARE: BadBazaar": [[0, 9], [282, 291]], "SYSTEM: Android": [[90, 97]], "SYSTEM: iOS": [[102, 105]], "SYSTEM: Telegram": [[223, 231]]}, "info": {"source": "apt_reports", "name": "badbazaar"}} +{"text": "According to BitSight, BADBOX is a large-scale cybercriminal operation selling off-brand Android TV boxes, smartphones, and other Android electronics with preinstalled malware.", "spans": {"MALWARE: BADBOX": [[23, 29]], "SYSTEM: Android": [[89, 96], [130, 137]]}, "info": {"source": "apt_reports", "name": "BADBOX"}} +{"text": "remote access tool (RAT) payload on Android devices", "spans": {"SYSTEM: Android": [[36, 43]]}, "info": {"source": "apt_reports", "name": "BADCALL"}} +{"text": "According to PCrisk, Bahamut is the name of Android malware with spyware functionality. Threat actors use Bahamut to steal sensitive information. 
The newest malware version targets various messaging apps and personally identifiable information.", "spans": {"THREAT_ACTOR: Bahamut": [[21, 28], [106, 113]], "SYSTEM: Android": [[44, 51]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Bahamut"}} +{"text": "According to Lookout, BoneSpy is based on the Russian-developed, open-source DroidWatcher surveillanceware, featuring nearly identical code, names, and log messages in multiple classes related to the handling of databases containing collected exfil data such as call logs, location tracking, SMS messages, notifications, and browser bookmarks. Class names for many entry points (receivers, activities, and services) were either the same or very similar to DroidWatcher samples.", "spans": {"MALWARE: BoneSpy": [[22, 29]], "ORGANIZATION: Lookout": [[13, 20]]}, "info": {"source": "apt_reports", "name": "BoneSpy"}} +{"text": "According to PCrisk, BraDex is a banking malware targeting Android operating systems. This malicious program aims to gain access to victims' bank accounts and make fraudulent transactions.\r\n\r\nAt the time of writing, BrasDex targets Brazilian banking applications exclusively. In previous BrasDex campaigns, it infiltrated devices under the guise of Android system related apps. Lately, this malware has been installed by a fake Brazilian Banco Santander banking application.", "spans": {"MALWARE: BrasDex": [[216, 223], [288, 295]], "SYSTEM: Android": [[59, 66], [349, 356]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "BrasDex"}} +{"text": "According to Cleafy, the victim's Android device is factory reset after the attackers siphon money from the victim's bank account. 
This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.", "spans": {"SYSTEM: Android": [[34, 41]]}, "info": {"source": "apt_reports", "name": "BRATA"}} +{"text": "PRODAFT describes Brunhilda as a \"Dropper as a Service\" for Google Play, delivering e.g. Alien.", "spans": {"MALWARE: Brunhilda": [[18, 27]], "SYSTEM: Google Play": [[60, 71]], "ORGANIZATION: Google": [[60, 66]], "MALWARE: Alien": [[89, 94]], "MALWARE: Play": [[67, 71]]}, "info": {"source": "apt_reports", "name": "Brunhilda"}} +{"text": "According to Cyble, this is an advanced Android malware evolved from SpySolr that features remote control, credential theft, and data exfiltration. It spreads via phishing sites impersonating streaming services like iNat TV and fake mining platforms. The malware abuses Android’s Accessibility Service to unlock devices, log keystrokes, and automate credential theft through injections. It uses WebSocket-based C&C communication for real-time command execution and data theft. BTMOB RAT supports various malicious actions, including live screen sharing, file management, audio recording, and web injections.", "spans": {"MALWARE: BTMOB RAT": [[477, 486]], "SYSTEM: Android": [[40, 47], [270, 277]], "VULNERABILITY: credential theft": [[107, 123], [350, 366]], "VULNERABILITY: phishing": [[163, 171]]}, "info": {"source": "apt_reports", "name": "BTMOB RAT"}} +{"text": "According to PCrisk, CapraRAT is the name of an Android remote access trojan (RAT), possibly a modified version of another (open-source) RAT called AndroRAT. It is known that CapraRAT is used by an advanced persistent threat group (ATP) called APT36 (also known as Earth Karkaddan). 
CapraRAT allows attackers to perform certain actions on the infected Android device.", "spans": {"MALWARE: CapraRAT": [[21, 29], [175, 183], [283, 291]], "SYSTEM: Android": [[48, 55], [352, 359]], "ORGANIZATION: PCrisk": [[13, 19]], "MALWARE: AndroRAT": [[148, 156]]}, "info": {"source": "apt_reports", "name": "CapraRAT"}} +{"text": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions.", "spans": {"MALWARE: Catelites": [[0, 9]], "SYSTEM: Google Play": [[330, 341], [429, 440]], "SYSTEM: Chrome": [[445, 451]], "SYSTEM: Gmail": [[422, 427]], "SYSTEM: Android": [[71, 78]], "SYSTEM: Avast": [[29, 34]], "ORGANIZATION: Google": [[330, 336], [429, 435], [576, 582]], "MALWARE: Play": [[337, 341], [436, 440]]}, "info": {"source": "apt_reports", "name": "Catelites"}} +{"text": "According to PCrisk, Cerberus is an Android banking Trojan which can be rented on hacker forums. It was been created in 2019 and is used to steal sensitive, confidential information. 
Cerberus can also be used to send commands to users' devices and perform dangerous actions.", "spans": {"MALWARE: Cerberus": [[21, 29], [183, 191]], "SYSTEM: Android": [[36, 43]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Cerberus"}} +{"text": "The malware chamaleon is an Android trojan that pretends to be legitimate entities to steal data from users in Australia and Poland. It exploits the Accessibility Service to monitor and modify the device screen.", "spans": {"SYSTEM: Android": [[28, 35]]}, "info": {"source": "apt_reports", "name": "Chameleon"}} +{"text": "Coper is an Android banking trojan and RAT descended from ExobotCompact, itself a rewrite of Exobot. It uses a modular architecture, a multi-stage infection chain and (in some variants) a DGA. First observed in Colombia, it has since spread to Europe.", "spans": {"MALWARE: Coper": [[0, 5]], "MALWARE: ExobotCompact": [[58, 71]], "SYSTEM: Android": [[12, 19]]}, "info": {"source": "apt_reports", "name": "Coper"}} +{"text": "Poses as an app that can offer a \"corona safety mask\" but phone's address book and sends sms to contacts, spreading its own download link.", "spans": {}, "info": {"source": "apt_reports", "name": "Coronavirus Android Worm"}} +{"text": "According to ThreatFabric, this malware offers remote control, black screen overlays, and advanced data harvesting via accessibility logging.", "spans": {"ORGANIZATION: ThreatFabric": [[13, 25]]}, "info": {"source": "apt_reports", "name": "Crocodilus"}} +{"text": "According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations. At the time of publication these websites have affected the Canadian health service. CryCryptor cannot be obtained from the Google Play store, so devices restricted to only running apps from the store are not affected.\r\n\r\nWhen CryCryptor is run it encrypts common file types and saves a ransom note to every directory where files have been encrypted. 
Encrypted files have the extension '.enc' appended to the filenames. Additional files are saved containing the salt values used in each encryption and an initialisation vector. These files have the extensions '.enc.salt' and '.enc.iv' respectively.\r\n\r\nWhen files have been encrypted, a notification is displayed directing users to open the ransom note.", "spans": {"MALWARE: CryCryptor": [[26, 36], [183, 193], [325, 335]], "SYSTEM: Google Play": [[222, 233]], "ORGANIZATION: Google": [[222, 228]], "MALWARE: Play": [[229, 233]]}, "info": {"source": "apt_reports", "name": "CryCryptor"}} +{"text": "According to PCrisk, DAAM is an Android malware utilized to gain unauthorized access to targeted devices since 2021. With the DAAM Android botnet, threat actors can bind harmful code with a genuine application using its APK binding service.\r\n\r\nLookout refers to this malware as BouldSpy and assesses with medium confidence that this Android surveillance tool is used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).", "spans": {"MALWARE: DAAM": [[21, 25], [126, 130]], "MALWARE: BouldSpy": [[278, 286]], "SYSTEM: Android": [[32, 39], [131, 138], [333, 340]], "ORGANIZATION: Lookout": [[244, 251]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "DAAM"}} +{"text": "According to Lookout, DCHSpy is an Android surveillanceware tool leveraged by Iranian cyber espionage group MuddyWater. 
DCHSpy collects WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos.", "spans": {"MALWARE: DCHSpy": [[22, 28], [120, 126]], "THREAT_ACTOR: MuddyWater": [[108, 118]], "SYSTEM: WhatsApp": [[136, 144]], "SYSTEM: Android": [[35, 42]], "ORGANIZATION: Lookout": [[13, 20]]}, "info": {"source": "apt_reports", "name": "DCHSpy"}} +{"text": "Android malware that impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube, and other chat applications and distributes through phishing sites.", "spans": {"SYSTEM: WhatsApp": [[81, 89]], "SYSTEM: Signal": [[63, 69]], "SYSTEM: Android": [[0, 7]], "SYSTEM: Telegram": [[71, 79]], "VULNERABILITY: phishing": [[152, 160]]}, "info": {"source": "apt_reports", "name": "Dracarys"}} +{"text": "Android variant of ios.LightSpy.", "spans": {"MALWARE: LightSpy": [[23, 31]], "SYSTEM: Android": [[0, 7]]}, "info": {"source": "apt_reports", "name": "DragonEgg"}} +{"text": "According to Cleafy, DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring. Moreover, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operation flexibility and resilience.", "spans": {"MALWARE: DroidBot": [[21, 29]], "TOOL: VNC": [[67, 70]], "VULNERABILITY: keylogging": [[141, 151]]}, "info": {"source": "apt_reports", "name": "DroidBot"}} +{"text": "According to Zimperium, DroidLock has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.\r\n\r\nIt employs deceptive system update screens to trick victims and can stream and remotely control devices via VNC. 
The malware also exploits device administrator privileges to lock or erase data, capture the victim's image with the front camera, and silence the device. Overall, it utilizes 15 distinct commands to interact with its C2 panel.", "spans": {"MALWARE: DroidLock": [[24, 33]], "TOOL: VNC": [[314, 317]], "ORGANIZATION: Zimperium": [[13, 22]]}, "info": {"source": "apt_reports", "name": "DroidLock"}} +{"text": "According to Lookout, EagleMsgSpy is a lawful intercept surveillance tool developed by a Chinese software development company with use by public security bureaus in mainland China. Early samples indicate the surveillance tool has been operational since at least 2017, with development continued into late 2024. EagleMsgSpy collects extensive data from the user: third-party chat messages, screen recording and screenshot capture, audio recordings, call logs, device contacts, SMS messages, location data, network activity. \r\nThrough infrastructure overlap and artifacts from open command and control directories, Lookout attributes EagleMsgSpy to Wuhan Chinasoft Token Information Technology Co., Ltd. with high confidence.", "spans": {"MALWARE: EagleMsgSpy": [[22, 33], [311, 322], [633, 644]], "ORGANIZATION: Lookout": [[13, 20], [614, 621]]}, "info": {"source": "apt_reports", "name": "EagleMsgSpy"}} +{"text": "According to Intel471, ERMAC, an Android banking trojan enables bad actors to determine when certain apps are launched and then overwrites the screen display to steal the user's credentials", "spans": {"MALWARE: ERMAC": [[23, 28]], "SYSTEM: Android": [[33, 40]]}, "info": {"source": "apt_reports", "name": "ERMAC"}} +{"text": "ErrorFather is an Android banking trojan with a multi-stage dropper. 
The final payload is derived from the Cerberus source code leak.", "spans": {"MALWARE: ErrorFather": [[0, 11]], "SYSTEM: Android": [[18, 25]], "MALWARE: Cerberus": [[107, 115]]}, "info": {"source": "apt_reports", "name": "ErrorFather"}} +{"text": "According to ThreatFabric, the app overlays 15 financial targets from UK, Italy, and Spain, sniffs 234 apps from banks located in Europe as well as crypto wallets.", "spans": {"ORGANIZATION: ThreatFabric": [[13, 25]]}, "info": {"source": "apt_reports", "name": "Eventbot"}} +{"text": "Facebook Credential Stealer.", "spans": {"ORGANIZATION: Facebook": [[0, 8]]}, "info": {"source": "apt_reports", "name": "FaceStealer"}} +{"text": "According to Kaspersky, Fakecalls is a Trojan that masquerades as a banking app and imitates phone conversations with bank employees.", "spans": {"MALWARE: Fakecalls": [[24, 33]], "SYSTEM: Kaspersky": [[13, 22]]}, "info": {"source": "apt_reports", "name": "Fakecalls"}} +{"text": "According to heimdal, A new strain of ransomware emerged on Android mobile devices. It targets those who are running the operating system Android 5.1 and higher. This Android ransomware strain has been dubbed by security researchers FileCoder (Android/Filecoder.c) and it spreads via text messages containing a malicious link.", "spans": {"MALWARE: FileCoder": [[233, 242]], "SYSTEM: Android": [[60, 67], [138, 145], [167, 174], [244, 251]]}, "info": {"source": "apt_reports", "name": "FileCoder"}} +{"text": "PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for it's C&C and relies on both DNS and DNS-over-HTTPS for name resolution. 
Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.", "spans": {"MALWARE: FluBot": [[18, 24]]}, "info": {"source": "apt_reports", "name": "FluBot"}} +{"text": "According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.", "spans": {"MALWARE: FluHorse": [[267, 275]], "SYSTEM: Android": [[66, 73]], "ORGANIZATION: Check Point": [[13, 24]]}, "info": {"source": "apt_reports", "name": "FluHorse"}} +{"text": "Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries using social media hijacking, 3rd party app stores and sideloading.", "spans": {"ORGANIZATION: Zimperium": [[0, 9]]}, "info": {"source": "apt_reports", "name": "FlyTrap"}} +{"text": "According to Check Point, they uncovered an operation dubbed \"Domestic Kitten\", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings, and more. 
This operation managed to remain under the radar for a long time, as the associated files were not attributed to a known malware family and were only detected by a handful of security vendors.", "spans": {"THREAT_ACTOR: Domestic Kitten": [[62, 77]], "SYSTEM: Android": [[101, 108]], "ORGANIZATION: Check Point": [[13, 24]]}, "info": {"source": "apt_reports", "name": "FurBall"}} +{"text": "According to Synthient, Gaganode is a decentralized bandwidth monetization service that enables both users and publishers to earn crypto for their bandwidth or monetize other people's bandwidth. The SDK intentionally implements RCE, thus aligning Gaganode more closely with malware than standard commercial SDKs.", "spans": {"MALWARE: Gaganode": [[24, 32], [247, 255]], "VULNERABILITY: RCE": [[228, 231]]}, "info": {"source": "apt_reports", "name": "Gaganode"}} +{"text": "According to ESET Research, GhostChat is a malicious Android app (package name com.datingbatch.chatapp) disguised to appear a legitimate chat platform called Dating Apps without payment; this legitimate app is available on Google Play and is unrelated to GhostChat other than through the latter using its icon. Ghostchat’s source and mode of distribution remain unknown.", "spans": {"MALWARE: GhostChat": [[28, 37], [255, 264]], "SYSTEM: Google Play": [[223, 234]], "SYSTEM: Android": [[53, 60]], "SYSTEM: ESET": [[13, 17]], "ORGANIZATION: Google": [[223, 229]], "MALWARE: Play": [[230, 234]]}, "info": {"source": "apt_reports", "name": "GhostChat"}} +{"text": "Gigabud is the name of an Android Remote Access Trojan (RAT) Android that can record the victim's screen and steal banking credentials by abusing the Accessibility Service. Gigabud masquerades as banking, shopping, and other applications. 
Threat actors have been observed using deceptive websites to distribute Gigabud RAT.", "spans": {"MALWARE: Gigabud": [[0, 7], [173, 180], [311, 318]], "SYSTEM: Android": [[26, 33], [61, 68]]}, "info": {"source": "apt_reports", "name": "Gigabud"}} +{"text": "Ginp is a mobile banking software targeting Android devices that was discovered by Kaspersky. The malware is able to steal both user credentials and credit cards numbers by implementing overlay attacks. For this, overlay targets are for example the default SMS application. What makes Ginp a remarkable family is how its operators managed to have it remain undetected over time even and it receiving version upgrades over many years. According to ThreatFabric, Ginp has the following features:\r\n\r\nOverlaying: Dynamic (local overlays obtained from the C2)\r\nSMS harvesting: SMS listing\r\nSMS harvesting: SMS forwarding\r\nContact list collection\r\nApplication listing\r\nOverlaying: Targets list update\r\nSMS: Sending\r\nCalls: Call forwarding\r\nC2 Resilience: Auxiliary C2 list\r\nSelf-protection: Hiding the App icon\r\nSelf-protection: Preventing removal\r\nSelf-protection: Emulation-detection.", "spans": {"MALWARE: Ginp": [[0, 4], [285, 289], [461, 465]], "SYSTEM: Kaspersky": [[83, 92]], "SYSTEM: Android": [[44, 51]], "ORGANIZATION: ThreatFabric": [[447, 459]]}, "info": {"source": "apt_reports", "name": "Ginp"}} +{"text": "According to PCrisk, Godfather is the name of an Android malware targeting online banking pages and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications. Threat actors use Godfather to steal account credentials. 
Additionally, Godfather can steal SMSs, device information, and other data.", "spans": {"MALWARE: Godfather": [[21, 30], [218, 227], [272, 281]], "SYSTEM: Android": [[49, 56]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Godfather"}} +{"text": "Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed.", "spans": {"MALWARE: GPlayed": [[23, 30]], "SYSTEM: Cisco": [[0, 5]], "SYSTEM: .NET": [[55, 59], [331, 335]], "ORGANIZATION: Talos": [[6, 11]], "ORGANIZATION: Cisco Talos": [[0, 11]]}, "info": {"source": "apt_reports", "name": "GPlayed"}} +{"text": "Group-IB describes Gustuff as a mobile Android Trojan, which includes potential targets of customers in leading international banks, users of cryptocurrency services, popular ecommerce websites and marketplaces. Gustuff has previously never been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities.\r\nThe analysis of Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. 
Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India and users of 32 cryptocurrency apps.", "spans": {"MALWARE: Gustuff": [[19, 26], [212, 219], [256, 263], [516, 523], [879, 886]], "SYSTEM: Android": [[39, 46], [623, 630]], "ORGANIZATION: Group-IB": [[0, 8], [842, 850]], "MALWARE: Fargo": [[726, 731]]}, "info": {"source": "apt_reports", "name": "Gustuff"}} +{"text": "Lookout states that Hermit is an advanced spyware designed to target iOS and Android mobile devices. It is designed to collect extensive amounts of sensitive data on its victims such as their location, contacts, private messages, photos, call logs, phone conversations, ambient audio recordings, and more.", "spans": {"MALWARE: Hermit": [[20, 26]], "SYSTEM: Android": [[77, 84]], "SYSTEM: iOS": [[69, 72]], "ORGANIZATION: Lookout": [[0, 7]]}, "info": {"source": "apt_reports", "name": "Hermit"}} +{"text": "HiddenAd is a malware that shows ads as overlays on the phone.", "spans": {"MALWARE: HiddenAd": [[0, 8]]}, "info": {"source": "apt_reports", "name": "HiddenAd"}} +{"text": "RAT, which can be used to extract sensitive information, e.g. contact lists, txt messages, location information.", "spans": {}, "info": {"source": "apt_reports", "name": "HilalRAT"}} +{"text": "According to ThreatFabric, this is a malware family based on apk.ermac. The name hook is the self-advertised named by its vendor DukeEugene. It provides WebSocket communication and has RAT capabilities.", "spans": {"MALWARE: hook": [[81, 85]], "ORGANIZATION: ThreatFabric": [[13, 25]]}, "info": {"source": "apt_reports", "name": "Hook"}} +{"text": "Avira states that Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. 
The way it does this is by requesting the user enables dangerous permissions such as accessibility and every time the banking app is opened, the malware is hijacking the user by overwriting the legit banking application login page with a malicious one. The goal is the same, to trick the user to enter his login credentials so that it will go straight to the malware authors.", "spans": {"TOOL: Hydra": [[18, 23]], "SYSTEM: Android": [[30, 37]], "MALWARE: BankBot": [[38, 45]]}, "info": {"source": "apt_reports", "name": "Hydra"}} +{"text": "Android variant of IPStorm (InterPlanetary Storm).", "spans": {"MALWARE: IPStorm": [[19, 26]], "MALWARE: InterPlanetary Storm": [[28, 48]], "SYSTEM: Android": [[0, 7]]}, "info": {"source": "apt_reports", "name": "IPStorm"}} +{"text": "According to redpiranha, IRATA (Iranian Remote Access Trojan) Android Malware is a new malware detected in the wild. It originates from a phishing attack through SMS. The theme of the message resembles information coming from the government that will ask you to download this malicious application. IRATA can collect sensitive information from your mobile phone including bank details. Since it infects your mobile, it can also gather your SMS messages which then can be used to obtain 2FA tokens.", "spans": {"MALWARE: IRATA": [[25, 30], [299, 304]], "SYSTEM: Android": [[62, 69]], "VULNERABILITY: phishing": [[138, 146]]}, "info": {"source": "apt_reports", "name": "IRATA"}} +{"text": "Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Google’s official app store with the help of its trail signatures which includes updating the virus’s code, execution process, and payload-retrieval techniques. 
This malware is capable of stealing users’ personal information including contact details, device data, WAP services, and SMS messages.", "spans": {"MALWARE: Joker": [[0, 5]], "SYSTEM: Android": [[56, 63]], "ORGANIZATION: Google": [[105, 111]]}, "info": {"source": "apt_reports", "name": "Joker"}} +{"text": "KIMWOLF is an android based malware which uses compromised systems to relay malicious and abusive Internet traffic, as well as participating in distributed denial-of-service (DDoS). KIMWOLF primarily infects unofficial Android-TV set-top boxes and digital photo frames. The malware has frequently been noted to achieve infection spread via abusing Android Debug Bridge (ADB) and residential proxies. There are multiple reports suggesting a connection to the Aisuru botnet, with Kimwolf acting as the Android variant.", "spans": {"MALWARE: Kimwolf": [[478, 485]], "SYSTEM: Android": [[219, 226], [348, 355], [500, 507]], "VULNERABILITY: DDoS": [[175, 179]], "MALWARE: Aisuru": [[458, 464]]}, "info": {"source": "apt_reports", "name": "Kimwolf"}} +{"text": "According to Lookout, this spyware was first observed in March 2022 and remains active with new samples still publicly hosted. It uses a two-stage C2 infrastructure that retrieves initial configurations from a Firebase cloud database. KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins. The spyware has Korean language support with samples distributed across Google Play and third-party app stores such as Apkpure.", "spans": {"MALWARE: KoSpy": [[235, 240]], "SYSTEM: Google Play": [[446, 457]], "ORGANIZATION: Lookout": [[13, 20]], "ORGANIZATION: Google": [[446, 452]], "MALWARE: Play": [[453, 457]]}, "info": {"source": "apt_reports", "name": "KoSpy"}} +{"text": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. 
Note, the network traffic is obfuscated the same way as in Android Bankbot.", "spans": {"SYSTEM: Android": [[0, 7], [195, 202]]}, "info": {"source": "apt_reports", "name": "LokiBot"}} +{"text": "According to heimdal, MasterFred malware, this is designed as an Android trojan that makes use of false login overlays to target not only Netflix, Instagram, and Twitter users, but also bank customers. The hackers’ goal is to steal credit card information.", "spans": {"MALWARE: MasterFred": [[23, 33]], "SYSTEM: Android": [[66, 73]]}, "info": {"source": "apt_reports", "name": "MasterFred"}} +{"text": "According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. It is using TCP for C&C communication and targets Turkish banks.", "spans": {"SYSTEM: Android": [[38, 45]], "ORGANIZATION: ThreatFabric": [[13, 25]]}, "info": {"source": "apt_reports", "name": "Medusa"}} +{"text": "Mirax is an Android RAT / banking trojan sold as a private Malware-as-a-Service since December 2025 by an actor using the moniker \"Mirax Bot\", advertised only to a small pool of predominantly Russian-speaking affiliates. It combines a conventional banking-trojan stack — HTML/JavaScript overlay injection against banking and cryptocurrency apps, Accessibility-Services abuse, HVNC, keylogging, SMS interception, and lock-screen (PIN / pattern / biometric) intelligence harvesting — with an integrated SOCKS5 residential-proxy module multiplexed with Yamux over the WebSocket C2 channel, which turns infected handsets into residential-IP proxy nodes for follow-on fraud. C2 traffic is routed through a C2 Gate server on three concurrent WebSocket channels (control on 8443, data/streaming on 8444, proxy tunnel on 8445). 
Observed campaigns rely on paid Meta ads impersonating IPTV and illegal sports-streaming apps that redirect to droppers hosted on GitHub Releases with daily-rotating hashes; the analysed campaign targeted Spanish-speaking users (Spain) and reached more than 220,000 accounts, though the platform's overlay inventory includes templates for German, French, Italian, Polish, Portuguese, and other European languages.", "spans": {"MALWARE: Mirax": [[0, 5], [131, 136]], "MALWARE: Mirax Bot": [[131, 140]], "SYSTEM: GitHub": [[950, 956]], "SYSTEM: Android": [[12, 19]], "ORGANIZATION: Meta": [[852, 856]], "VULNERABILITY: keylogging": [[382, 392]]}, "info": {"source": "apt_reports", "name": "Mirax"}} +{"text": "Check Point has identified samples of this spyware being distributed since 2015. No samples were found on Google Play, meaning they were likely through other channels like social engineering.", "spans": {"SYSTEM: Google Play": [[106, 117]], "ORGANIZATION: Google": [[106, 112]], "ORGANIZATION: Check Point": [[0, 11]], "MALWARE: Play": [[113, 117]]}, "info": {"source": "apt_reports", "name": "MobileOrder"}} +{"text": "Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques as well as the ability to install an attacker-specified certificate to the trusted certificates on an infected device that would allow for man-in-the-middle (MITM) attacks.\r\nAccording to Lookout researchers, It is believed to be developed by Special Technology Center (STC), which is a Russian defense contractor sanctioned by the U.S. 
Government in connection to alleged interference in the 2016 US presidential elections.", "spans": {"MALWARE: Monokle": [[0, 7]], "ORGANIZATION: Lookout": [[333, 340]], "VULNERABILITY: MITM": [[304, 308]], "VULNERABILITY: man-in-the-middle": [[285, 302]]}, "info": {"source": "apt_reports", "name": "Monokle"}} +{"text": "MoqHao, also called Wroba and XLoader (not to be confused with the malware of the same name for Windows and macOS), is an Android-based mobile threat that is associated with a financially motivated Chinese group called Roaming Mantis. The malware claims to be the default SMS application and has dropper and banker capabilities.", "spans": {"MALWARE: MoqHao": [[0, 6]], "MALWARE: Wroba": [[20, 25]], "MALWARE: XLoader": [[30, 37]], "THREAT_ACTOR: Roaming Mantis": [[219, 233]], "SYSTEM: macOS": [[108, 113]], "SYSTEM: Android": [[122, 129]], "SYSTEM: Windows": [[96, 103]]}, "info": {"source": "apt_reports", "name": "MoqHao"}} +{"text": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.", "spans": {"MALWARE: MysteryBot": [[0, 10]], "SYSTEM: Android": [[17, 24], [83, 90]]}, "info": {"source": "apt_reports", "name": "MysteryBot"}} +{"text": "According to TechCrunch, this is a remote surveillance app that allows ordinary consumers to buy software capable of tracking people and their data without their knowledge. 
Once physically planted on a person’s phone or computer (usually with knowledge of the victim’s passcode or login), the app would continuously upload a copy of the victim’s information, including messages, photos, and location data, to pcTattletale’s servers and make the data accessible to whoever planted the spyware.", "spans": {"MALWARE: pcTattletale": [[409, 421]]}, "info": {"source": "apt_reports", "name": "pcTattletale"}} +{"text": "According to Zimperium, PhoneSpy is a spyware aimed at South Korean residents with Android devices.", "spans": {"MALWARE: PhoneSpy": [[24, 32]], "SYSTEM: Android": [[83, 90]], "ORGANIZATION: Zimperium": [[13, 22]]}, "info": {"source": "apt_reports", "name": "PhoneSpy"}} +{"text": "According to Mandiant, PINEFLOWER is an Android malware family capable of a wide range of backdoor functionality, including stealing system inform information, logging and recording phone calls, initiating audio recordings, reading SMS inboxes and sending SMS messages. The malware also has features to facilitate device location tracking, deleting, downloading, and uploading files, reading connectivity state, speed, and activity, and toggling Bluetooth, Wi-Fi, and mobile data settings.", "spans": {"MALWARE: PINEFLOWER": [[23, 33]], "SYSTEM: Android": [[40, 47]], "ORGANIZATION: Mandiant": [[13, 21]]}, "info": {"source": "apt_reports", "name": "PINEFLOWER"}} +{"text": "According to PCrisk, The PixPirate is a dangerous Android banking Trojan that has the capability to carry out ATS (Automatic Transfer System) attacks. 
This allows threat actors to automatically transfer funds through the Pix Instant Payment platform, which numerous Brazilian banks use.\r\n\r\nIn addition to launching ATS attacks, PixPirate can intercept and delete SMS messages, prevent the uninstallation process, and carry out malvertising attacks.", "spans": {"MALWARE: PixPirate": [[25, 34], [328, 337]], "SYSTEM: Android": [[50, 57]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "PixPirate"}} +{"text": "According to Lookout, PlainGnome consists of a two-stage deployment in which a very minimal first stage drops a malicious APK once it’s installed. The code of PlainGnome’s second stage payload evolved significantly from January 2024 through at least October. In particular, PlainGnome’s developers shifted to using Jetpack WorkManager classes to handle data exfiltration, which eases development and maintenance of related code. In addition, WorkManager allows for specifying execution conditions. For example, PlainGnome only exfiltrates data from victim devices when the device enters an idle state. This mechanism is probably intended to reduce the chance of a victim noticing the presence of PlainGnome on their device. As opposed to the minimalist first (installer) stage, the second stage carries out all surveillance functionality and relies on 38 permissions.", "spans": {"MALWARE: PlainGnome": [[22, 32], [159, 169], [274, 284], [511, 521], [696, 706]], "ORGANIZATION: Lookout": [[13, 20]]}, "info": {"source": "apt_reports", "name": "PlainGnome"}} +{"text": "RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East.\r\nThe malware is spread through links on social media and pretends to be applications for services like VPN and phone number spoofing. 
Unwary users download these trojan applications and grant access to malware.", "spans": {"MALWARE: RatMilad": [[0, 8]], "SYSTEM: Android": [[29, 36]], "SYSTEM: VPN": [[212, 215]]}, "info": {"source": "apt_reports", "name": "RatMilad"}} +{"text": "According to ThreatFabric, this RAT can perform NFC relay attacks and has Automated Transfer ystem (ATS) capabilities", "spans": {"ORGANIZATION: ThreatFabric": [[13, 25]]}, "info": {"source": "apt_reports", "name": "RatOn"}} +{"text": "RedAlert 2 is an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim of being notified.\r\nAs a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates.", "spans": {"SYSTEM: Android": [[21, 28], [424, 431]], "SYSTEM: Adobe Flash": [[466, 477]]}, "info": {"source": "apt_reports", "name": "RedAlert2"}} +{"text": "The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected.", "spans": {"MALWARE: Retefe": [[26, 32]], "SYSTEM: Signal": [[326, 332]], "SYSTEM: Android": [[4, 11], [144, 151]]}, "info": {"source": "apt_reports", "name": "Retefe"}} +{"text": "According to PCrisk, Revive is the name of a banking Trojan targeting Android users (customers of a specific Spanish bank). It steals sensitive information. Cybercriminals use Revive to take ownership of online accounts using stolen login credentials. 
This malware abuses Accessibility Services to perform malicious activities.", "spans": {"MALWARE: Revive": [[21, 27], [176, 182]], "SYSTEM: Android": [[70, 77]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Revive"}} +{"text": "According to ANY.RUN, this is a banking trojan that this collection sensitive user information, including: Registered mobile number, Aadhaar number, PAN card details, Date of birth, and Net banking user ID and password. It uses Telegram as C2.", "spans": {"SYSTEM: Telegram": [[228, 236]], "ORGANIZATION: ANY.RUN": [[13, 20]]}, "info": {"source": "apt_reports", "name": "Salvador Stealer"}} +{"text": "An Android ransomware that locks the device, changes the wallpaper, and demands money in exchange for unlocking the phone.", "spans": {"SYSTEM: Android": [[3, 10]]}, "info": {"source": "apt_reports", "name": "Sauron Locker"}} +{"text": "SharkBot is a piece of malicious software targeting Android Operating Systems (OSes). It is designed to obtain and misuse financial data by redirecting and stealthily initiating money transfers. SharkBot is particularly active in Europe (United Kingdom, Italy, etc.), but its activity has also been detected in the United States.", "spans": {"MALWARE: SharkBot": [[0, 8], [195, 203]], "SYSTEM: Android": [[52, 59]]}, "info": {"source": "apt_reports", "name": "SharkBot"}} +{"text": "Shopper/LeifAccess is a malicious Android app that uses Android's AccessibilityService to secretly control the device. It installs apps, leaves fake reviews, opens ads, and even registers users on various platforms. Disguised as a system app, it collects personal and device information and sends it to remote servers. 
The malware was most active in late 2019, especially in Russia, Brazil, and India.", "spans": {"MALWARE: Shopper": [[0, 7]], "MALWARE: LeifAccess": [[8, 18]], "SYSTEM: Android": [[34, 41], [56, 63]]}, "info": {"source": "apt_reports", "name": "Shopper"}} +{"text": "SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting.", "spans": {"MALWARE: SideWinder": [[0, 10]], "SYSTEM: Google Play": [[68, 79]], "SYSTEM: Android": [[39, 46]], "SYSTEM: VPN": [[27, 30]], "ORGANIZATION: Google": [[68, 74]], "MALWARE: Play": [[75, 79]]}, "info": {"source": "apt_reports", "name": "SideWinder"}} +{"text": "Slocker also known as jisut and pigetrl, is a screen locker that is distributed through telegram groups.", "spans": {"MALWARE: Slocker": [[0, 7]], "MALWARE: jisut": [[22, 27]]}, "info": {"source": "apt_reports", "name": "Slocker"}} +{"text": "SMSAgent appears as a game application, but silently performs malicious routines in the background. It attempts to download other potentially malicious files from a remote server and sends out SMS or MMS messages that places expensive charges on the user's bill.", "spans": {"MALWARE: SMSAgent": [[0, 8]]}, "info": {"source": "apt_reports", "name": "SmsAgent"}} +{"text": "A sophisticated mobile surveillance implant operating as a Remote Control System (RCS). This malware family is characterized by a unique, multi-sided communication architecture that abandons traditional HTTP polling. Instead, it hybridizes Firebase Cloud Messaging (FCM) for asynchronous command signaling with Fast Reverse Proxy (FRP) to establish persistent, NAT-bypassing network tunnels, effectively turning the infected mobile device into a server accessible by the attacker.", "spans": {}, "info": {"source": "apt_reports", "name": "SpyFRPTunnel"}} +{"text": "SpyMax is a popular Android surveillance tool. 
Its predecessor, SpyNote, was one of the most widely used spyware frameworks.", "spans": {"MALWARE: SpyMax": [[0, 6]], "SYSTEM: Android": [[20, 27]], "MALWARE: SpyNote": [[64, 71]]}, "info": {"source": "apt_reports", "name": "SpyMax"}} +{"text": "According to Cleafy, SpyNote abuses Accessibility services and other Android permissions in order to: Collect SMS messages and contacts list; Record audio and screen; Perform keylogging activities; Bypass 2FA; Track GPS locations.", "spans": {"MALWARE: SpyNote": [[21, 28]], "SYSTEM: Android": [[69, 76]], "VULNERABILITY: keylogging": [[175, 185]]}, "info": {"source": "apt_reports", "name": "SpyNote"}} +{"text": "According to ThreatFabric, Sturnus is a privately operated Android banking trojan. This malware supports a broad range of fraud-related capabilities, including full device takeover. A key differentiator is its ability to bypass encrypted messaging. By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.\r\n\r\nThe trojan can harvest banking credentials through convincing fake login screens that replicate legitimate banking apps. In addition, it provides attackers with extensive remote control, enabling them to observe all user activity, inject text without physical interaction, and even black out the device screen while executing fraudulent transactions in the background—without the victim’s knowledge.", "spans": {"MALWARE: Sturnus": [[27, 34], [320, 327]], "SYSTEM: WhatsApp": [[359, 367]], "SYSTEM: Signal": [[383, 389]], "SYSTEM: Android": [[59, 66]], "SYSTEM: Telegram": [[369, 377]], "ORGANIZATION: ThreatFabric": [[13, 25]]}, "info": {"source": "apt_reports", "name": "Sturnus"}} +{"text": "Svpeng is a malicious banking trojan targeting Android devices, and it poses a significant threat to both mobile users and the developers of mobile banking apps. Svpeng has been active since around 2013. 
It primarily targets Android users, and its main objective is to steal sensitive financial information, particularly login credentials and personal data related to banking and financial apps. Svpeng typically spreads through malicious apps, phishing campaigns, or drive-by downloads.", "spans": {"MALWARE: Svpeng": [[0, 6], [162, 168], [396, 402]], "SYSTEM: Android": [[47, 54], [225, 232]], "VULNERABILITY: phishing": [[445, 453]]}, "info": {"source": "apt_reports", "name": "Svpeng"}} +{"text": "Tempting cedar spyware is an Android spyware campaign, active since at least 2015, that used social engineering via fake, attractive Facebook profiles to trick victims into downloading malware. The spyware was designed to steal a wide range of sensitive personal data.", "spans": {"SYSTEM: Android": [[29, 36]], "ORGANIZATION: Facebook": [[133, 141]]}, "info": {"source": "apt_reports", "name": "TemptingCedar Spyware"}} +{"text": "According to Trend Micro, TgToxic has been used in an ongoing campaign that has been targeting Android users in Southeast Asia since July 2022. Goal of the campaign is to steal victims’ assets from finance and banking applications (such as cryptocurrency wallets, credentials for official bank apps on mobile, and money in deposit), via a banking trojan they named TgToxic (based on its special encrypted filename) embedded in multiple fake apps. While previously targeting users in Taiwan, Trend Micro observed the fraudulent activities and phishing lures targeting users from Thailand and Indonesia as of this writing. 
Users are advised to be wary of opening embedded links from unknown email and message senders, and to avoid downloading apps from third party platforms.", "spans": {"MALWARE: TgToxic": [[26, 33], [365, 372]], "SYSTEM: Android": [[95, 102]], "SYSTEM: Trend Micro": [[13, 24], [491, 502]], "VULNERABILITY: phishing": [[542, 550]]}, "info": {"source": "apt_reports", "name": "TgToxic"}} +{"text": "According to Trend Micro, this malware appears to have been designed to steal credentials associated with membership websites of major Japanese telecommunication services.", "spans": {"SYSTEM: Trend Micro": [[13, 24]]}, "info": {"source": "apt_reports", "name": "TianySpy"}} +{"text": "ToxicPanda is an Android banking RAT first identified by Cleafy in October 2024. It shows similarity to the TgToxic campaign, but appears to be a new development rather than a derivative. The threat actors are likely Chinese speakers. ToxicPanda initially made use of hardcoded C2 domains only, but started to incorporate a DGA in late 2024.", "spans": {"MALWARE: ToxicPanda": [[0, 10], [235, 245]], "SYSTEM: Android": [[17, 24]], "MALWARE: TgToxic": [[108, 115]]}, "info": {"source": "apt_reports", "name": "ToxicPanda"}} +{"text": "Triada is a remote access trojan (RAT) malware that is used to compromise Android devices in order to steal confidential and sensitive information such as credit card numbers, passwords, bank account information, etc. It also provides a backdoor for attackers to include the device as part of a botnet and perform other malicious activities.", "spans": {"MALWARE: Triada": [[0, 6]], "SYSTEM: Android": [[74, 81]]}, "info": {"source": "apt_reports", "name": "Triada"}} +{"text": "TrickMo is an advanced banking trojan for Android. Starting out as a companion malware to TrickBot in 2020, it first became a standalone banking trojan by addition of overlay attacks in 2021 and was later (2024) upgraded with remote control capabilities for on-device fraud. 
The continued development and progressively improved obfuscation suggests an active Threat Actor.", "spans": {"MALWARE: TrickMo": [[0, 7]], "SYSTEM: Android": [[42, 49]], "MALWARE: TrickBot": [[90, 98]]}, "info": {"source": "apt_reports", "name": "TrickMo"}} +{"text": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.", "spans": {"MALWARE: Triout": [[22, 28]], "SYSTEM: Android": [[34, 41]], "SYSTEM: Bitdefender": [[0, 11]]}, "info": {"source": "apt_reports", "name": "Triout"}} +{"text": "According to Cyble, this is a banking trojan that targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. The malware spreads via phishing sites masquerading as legitimate financial platforms and is installed through a dropper disguised as Google Play Services. It uses overlay attacks to steal banking credentials, credit card details, and login credentials by displaying fake login pages over legitimate apps. TsarBot can record and remotely control the screen, executing fraud by simulating user actions such as swiping, tapping, and entering credentials while hiding malicious activities using a black overlay screen. It captures device lock credentials using a fake lock screen to gain full control. 
TsarBot communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and dynamically execute on-device fraud.", "spans": {"MALWARE: TsarBot": [[461, 468], [754, 761]], "SYSTEM: Google Play": [[289, 300]], "ORGANIZATION: Google": [[289, 295]], "VULNERABILITY: phishing": [[179, 187]], "MALWARE: Play": [[296, 300]]}, "info": {"source": "apt_reports", "name": "TsarBot"}} +{"text": "According to Check Point Research, this is a RAT that is disguised as a set of dating apps like \"GrixyApp\", \"ZatuApp\", \"Catch&See\", including dedicated websites to conceal their malicious purpose.", "spans": {"ORGANIZATION: Check Point": [[13, 24]]}, "info": {"source": "apt_reports", "name": "Unidentified APK 004"}} +{"text": "Information stealer posing as a fake banking app, targeting Korean users.", "spans": {}, "info": {"source": "apt_reports", "name": "Unidentified APK 006"}} +{"text": "According to Cyble, this is an Android application that pretends to be the legitimate application for the Army Mobile Aadhaar App Network (ARMAAN), intended to be used by Indian army personnel. 
The application was customized to include RAT functionality.", "spans": {"SYSTEM: Android": [[31, 38]]}, "info": {"source": "apt_reports", "name": "Unidentified 007 (ARMAAN RAT)"}} +{"text": "Android malware distributed through fake shopping websites targeting Malaysian users, targeting banking information.", "spans": {"SYSTEM: Android": [[0, 7]]}, "info": {"source": "apt_reports", "name": "Unidentified APK 008"}} +{"text": "According to Google, a Chrome reconnaissance payload", "spans": {"SYSTEM: Chrome": [[23, 29]], "ORGANIZATION: Google": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Unidentified APK 009 (Chrome Recon)"}} +{"text": "Related to the micropsia windows malware and also sometimes named micropsia.", "spans": {}, "info": {"source": "apt_reports", "name": "vamp"}} +{"text": "According to Mandiant, VINETHORN is an Android malware family capable of a wide range of backdoor functionality. It can steal system information, read SMS inboxes, send SMS messages, access contact lists and call histories, record audio and video, and track device location via GPS.", "spans": {"MALWARE: VINETHORN": [[23, 32]], "SYSTEM: Android": [[39, 46]], "ORGANIZATION: Mandiant": [[13, 21]]}, "info": {"source": "apt_reports", "name": "VINETHORN"}} +{"text": "According to Xlab, this malware is used to compromise Android TVs and set-top boxes, and its corresponding botnet had more than 1 million nodes observed via sinkholing (Jan 2025).", "spans": {"SYSTEM: Android": [[54, 61]]}, "info": {"source": "apt_reports", "name": "vo1d"}} +{"text": "According to Avira, this is a banking trojan targeting Japan.", "spans": {}, "info": {"source": "apt_reports", "name": "Wroba"}} +{"text": "Xenomorph is a Android Banking RAT developed by the Hadoken.Security actor.", "spans": {"MALWARE: Xenomorph": [[0, 9]], "SYSTEM: Android": [[15, 22]]}, "info": {"source": "apt_reports", "name": "Xenomorph"}} +{"text": "Xhelper is a very persistent malware that can reinstall itself after factory 
reset, Xhelper downloads malicious apps and displays annoying ads.", "spans": {"MALWARE: Xhelper": [[0, 7], [84, 91]]}, "info": {"source": "apt_reports", "name": "xHelper"}} +{"text": "According to cyware, Zanubis malware pretends to be a malicious PDF application. The threat actor uses it as a key to decrypt responses received from the C2 server.", "spans": {"MALWARE: Zanubis": [[21, 28]]}, "info": {"source": "apt_reports", "name": "Zanubis"}} +{"text": "According to Microsoft, this is a web shell, written in ASPX supporting C#, carrying sufficient yet rudimentary functionality to support the following secondary activities: uploading and downloading files, running shell commands, opening a port (default port is set to TCP 250).", "spans": {"ORGANIZATION: Microsoft": [[13, 22]]}, "info": {"source": "apt_reports", "name": "LocalOlive"}} +{"text": "WebShell.", "spans": {}, "info": {"source": "apt_reports", "name": "Nightrunner"}} +{"text": "WebShell.", "spans": {}, "info": {"source": "apt_reports", "name": "Tunna"}} +{"text": "According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.\r\n\r\nThe secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader that will be in turn used to decrypt the embedded TwoFace payload. 
Commands supported by the payload are execution of programs, up-, download and deletion of files and capability to manipulate MAC timestamps.", "spans": {"MALWARE: TwoFace": [[21, 28], [927, 934]]}, "info": {"source": "apt_reports", "name": "TwoFace"}} +{"text": "Abcbot is a modular Go-based botnet and malware that propagates via exploits and brute force attempts. The botnet was observed launching DDoS attacks, perform internet scans, and serve web pages. It is probably linked to Xanthe-based clipjacking campaign.", "spans": {"MALWARE: Abcbot": [[0, 6]], "SYSTEM: Go": [[20, 22]], "VULNERABILITY: DDoS": [[137, 141]], "VULNERABILITY: brute force": [[81, 92]]}, "info": {"source": "apt_reports", "name": "Abcbot"}} +{"text": "Family based on HelloKitty Ransomware. Encryption algorithm changed from AES to ChaCha. Sample seems to be unpacked.", "spans": {"MALWARE: HelloKitty": [[16, 26]], "MALWARE: ChaCha": [[80, 86]]}, "info": {"source": "apt_reports", "name": "Abyss Locker"}} +{"text": "A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.", "spans": {"SYSTEM: Windows": [[47, 54], [153, 160]], "SYSTEM: Linux": [[2, 7], [82, 87], [219, 224]]}, "info": {"source": "apt_reports", "name": "ACBackdoor"}} +{"text": "A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems.", "spans": {}, "info": {"source": "apt_reports", "name": "AcidRain"}} +{"text": "According to Xlab, this is a DDoS bot.", "spans": {"VULNERABILITY: DDoS": [[29, 33]]}, "info": {"source": "apt_reports", "name": "AIRASHI"}} +{"text": "AirDropBot is used to create a DDoS botnet. 
It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing.", "spans": {"MALWARE: AirDropBot": [[0, 10]], "VULNERABILITY: DDoS": [[31, 35]]}, "info": {"source": "apt_reports", "name": "AirDropBot"}} +{"text": "Honeypot-aware variant of Mirai.", "spans": {"MALWARE: Mirai": [[26, 31]]}, "info": {"source": "apt_reports", "name": "Aisuru"}} +{"text": "Ransomware", "spans": {}, "info": {"source": "apt_reports", "name": "Akira"}} +{"text": "Backdoor deployed by the TrickBot actors. It uses DNS as the command and control channel as well as for exfiltration of data.", "spans": {"MALWARE: TrickBot": [[25, 33]]}, "info": {"source": "apt_reports", "name": "AnchorDNS"}} +{"text": "According to Unit 42, Auto-Color was discovered in November 2024 named based on the file name of the initial payload. It hides its C2 communication similarly to Symbiote, including the use of proprietary encryption algorithms.", "spans": {"MALWARE: Auto-Color": [[22, 32]], "ORGANIZATION: Unit 42": [[13, 20]], "MALWARE: Symbiote": [[161, 169]]}, "info": {"source": "apt_reports", "name": "Auto-Color"}} +{"text": "AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfiguration of the targeted devices. Once deployed, AVreckon will collect some information about the infected device, open a session to pre-configured C&C server, and spawn a remote shell for command execution. It might also download additional arbitrary files and run them. 
The malware has recently been used in campaigns aimed at ad-fraud activities, password spraying and data exfiltration.", "spans": {"MALWARE: AVrecon": [[0, 7]], "SYSTEM: Linux": [[13, 18]], "VULNERABILITY: password spraying": [[575, 592]]}, "info": {"source": "apt_reports", "name": "AVrecon"}} +{"text": "Azazel is a Linux user-mode rootkit based off of a technique from the Jynx rootkit (LD_PRELOAD technique). Azazel is purportedly more robust than Jynx and has many more anti-analysis features", "spans": {"MALWARE: Azazel": [[0, 6], [107, 113]], "SYSTEM: Linux": [[12, 17]], "VULNERABILITY: rootkit": [[28, 35], [75, 82]]}, "info": {"source": "apt_reports", "name": "azazel"}} +{"text": "B1txor20 is a malware that was discovered by 360 Netlab along others exploiting Log4J. the name is derived from using the file name \"b1t\", the XOR encrpytion algorithm, and the RC4 algorithm key length of 20 bytes. According to 360 Netlab this Backdoor for Linux platform uses DNS Tunnel to build a C2 communication channel. They also had the assumption that the malware is still in development, because of some bugs and not fully implemented features.", "spans": {"MALWARE: B1txor20": [[0, 8]], "SYSTEM: Linux": [[257, 262]]}, "info": {"source": "apt_reports", "name": "B1txor20"}} +{"text": "ESX and NAS modules for Babuk ransomware.", "spans": {"MALWARE: Babuk": [[24, 29]], "SYSTEM: NAS": [[8, 11]]}, "info": {"source": "apt_reports", "name": "Babuk"}} +{"text": "According to Avast Decoded, Backdoorit is a multiplatform RAT written in Go programming language and supporting both Windows and Linux/Unix operating systems. 
In many places in the code it is also referred to as backd00rit.", "spans": {"MALWARE: Backdoorit": [[28, 38]], "MALWARE: backd00rit": [[212, 222]], "SYSTEM: Unix": [[135, 139]], "SYSTEM: Windows": [[117, 124]], "SYSTEM: Avast": [[13, 18]], "SYSTEM: Linux": [[129, 134]], "SYSTEM: Go": [[73, 75]]}, "info": {"source": "apt_reports", "name": "Backdoorit"}} +{"text": "BADCALL is a Trojan malware variant used by the group Lazarus Group.", "spans": {"MALWARE: BADCALL": [[0, 7]], "THREAT_ACTOR: Lazarus Group": [[54, 67]]}, "info": {"source": "apt_reports", "name": "BADCALL"}} +{"text": "Ballista is an IoT botnet, infecting unpatched TP-Link Archer AX21 (AX1800) routers. It spreads through automatic exploitation of CVE-2023-1389. Its capabilities include remote code execution and DDoS attacks.", "spans": {"CVE_ID: CVE-2023-1389": [[130, 143]], "MALWARE: Ballista": [[0, 8]], "SYSTEM: TP-Link": [[47, 54]], "VULNERABILITY: code execution": [[177, 191]], "VULNERABILITY: remote code execution": [[170, 191]], "VULNERABILITY: DDoS": [[196, 200]]}, "info": {"source": "apt_reports", "name": "Ballista"}} +{"text": "Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.", "spans": {"MALWARE: Bashlite": [[0, 8]], "SYSTEM: Linux": [[43, 48]], "VULNERABILITY: DDoS": [[115, 119]]}, "info": {"source": "apt_reports", "name": "Bashlite"}} +{"text": "According to Security Joes, this malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions. During execution, it produces extensive output, which can be mitigated using the \"nohup\" command. 
It also leverages multiple threads and a queue to corrupt files concurrently, enhancing its speed and reach. Its actions include overwriting files, renaming them with a random string containing \"BiBi,\" and excluding certain file types from corruption.", "spans": {"MALWARE: BiBi": [[535, 539]]}, "info": {"source": "apt_reports", "name": "BiBi-Linux"}} +{"text": "Linux version of the bifrose malware that originally targeted Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.", "spans": {"SYSTEM: Windows": [[62, 69]], "SYSTEM: Linux": [[0, 5]]}, "info": {"source": "apt_reports", "name": "Bifrost"}} +{"text": "A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.", "spans": {"CVE_ID: CVE-2020-8515": [[19, 32]], "VULNERABILITY: DDoS": [[2, 6]]}, "info": {"source": "apt_reports", "name": "BigViktor"}} +{"text": "ESXi encrypting ransomware, using a combination of the stream cipher ChaCha20 and RSA.", "spans": {"SYSTEM: ESXi": [[0, 4]], "ORGANIZATION: RSA": [[82, 85]]}, "info": {"source": "apt_reports", "name": "Black Basta"}} +{"text": "ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.\r\n\r\nALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. 
In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network.", "spans": {"MALWARE: BlackCat": [[21, 29], [378, 386]], "MALWARE: ALPHV": [[0, 5], [136, 141], [306, 311], [327, 332], [469, 474], [558, 563], [694, 699], [805, 810]], "MALWARE: Noberus": [[33, 40]], "TOOL: PsExec": [[839, 845]], "SYSTEM: Ubuntu": [[260, 266]], "SYSTEM: Rust": [[160, 164]], "SYSTEM: Synology": [[278, 286]], "SYSTEM: ESXi": [[300, 304], [791, 795]], "SYSTEM: Debian": [[252, 258]], "SYSTEM: Windows": [[212, 219]], "SYSTEM: Linux": [[221, 226]]}, "info": {"source": "apt_reports", "name": "BlackCat"}} +{"text": "According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.", "spans": {"SYSTEM: Trend Micro": [[13, 24]], "MALWARE: Royal": [[76, 81]]}, "info": {"source": "apt_reports", "name": "BlackSuit"}} +{"text": "According to Mandiant, this malware family is attributed to potential chinese background and directly related to observed exploitation of Fortinet's SSL-VPN (CVE-2022-42475). 
There is also a Windows variant.", "spans": {"CVE_ID: CVE-2022-42475": [[158, 172]], "SYSTEM: Fortinet": [[138, 146]], "SYSTEM: Windows": [[191, 198]], "SYSTEM: VPN": [[153, 156]], "ORGANIZATION: Mandiant": [[13, 21]]}, "info": {"source": "apt_reports", "name": "BOLDMOVE"}} +{"text": "This is a pentesting tool and according to the author, \"BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies.\".\r\n\r\nIt has been observed being used by TeamTNT in their activities for spreading crypto-mining malware.", "spans": {"MALWARE: BOtB": [[56, 60]], "THREAT_ACTOR: TeamTNT": [[259, 266]]}, "info": {"source": "apt_reports", "name": "Break out the Box"}} +{"text": "According to Alien Labs, this malware targets embedded devices including routers with more than 30 exploits.\r\nSourceCode: https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go (2021-10-16)", "spans": {"URL: https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go": [[122, 212]], "HASH: 19991ef983f838287aa9362b78b4ed8da0929184": [[156, 196]], "MALWARE: Alien": [[13, 18]]}, "info": {"source": "apt_reports", "name": "BotenaGo"}} +{"text": "BPFDoor is a passive backdoor used by a China-based threat actor. 
This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.", "spans": {"MALWARE: BPFDoor": [[0, 7]]}, "info": {"source": "apt_reports", "name": "BPFDoor"}} +{"text": "According to Google, BRICKSTORM is used to consistently target appliances, among them primarily VMware vCenter and ESXi hosts.", "spans": {"MALWARE: BRICKSTORM": [[21, 31]], "SYSTEM: ESXi": [[115, 119]], "SYSTEM: VMware": [[96, 102]], "SYSTEM: vCenter": [[103, 110]], "ORGANIZATION: Google": [[13, 19]]}, "info": {"source": "apt_reports", "name": "BRICKSTORM"}} +{"text": "According to Mandiant, this is a webshell, written in Perl.", "spans": {"SYSTEM: Perl": [[54, 58]], "ORGANIZATION: Mandiant": [[13, 21]]}, "info": {"source": "apt_reports", "name": "BUSHWALK"}} +{"text": "Pangu Lab discovered this backdoor during a forensic investigation in 2013. They refer to related incidents as \"Operation Telescreen\".", "spans": {}, "info": {"source": "apt_reports", "name": "Bvp47"}} +{"text": "Linux malware cross-compiled for x86, MIPS, ARM. XOR encoded strings, 13 commands supported for its C&C, including downloading, file modification and execution and ability to run shell commands.", "spans": {"SYSTEM: Linux": [[0, 5]]}, "info": {"source": "apt_reports", "name": "Caja"}} +{"text": "According to Avast Decoded, Caligula is an IRC multiplatform bot that allows to perform DDoS attacks. It is written in Go and distributed in ELF files targeting Intel 32/64bit code, as well as ARM 32bit and PowerPC 64bit. 
It is based on the Hellabot open source project.", "spans": {"MALWARE: Caligula": [[28, 36]], "SYSTEM: Avast": [[13, 18]], "SYSTEM: Go": [[119, 121]], "ORGANIZATION: Intel": [[161, 166]], "VULNERABILITY: DDoS": [[88, 92]]}, "info": {"source": "apt_reports", "name": "Caligula"}} +{"text": "XMRig-based mining malware written in Go.", "spans": {"SYSTEM: Go": [[38, 40]]}, "info": {"source": "apt_reports", "name": "Capoae"}} +{"text": "A backdoor for UNIX operating systems that implements knocking as authentication method.", "spans": {}, "info": {"source": "apt_reports", "name": "cd00r"}} +{"text": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech", "spans": {}, "info": {"source": "apt_reports", "name": "CDorked"}} +{"text": "Sophos describes this malware as a DDoS bot, with its name originating from ChaCha-Lua-bot due to its use of ChaCha cipher and Lua. Variants exist for multiple architectures and it incorporates code from XorDDoS and Mirai.", "spans": {"SYSTEM: Sophos": [[0, 6]], "VULNERABILITY: DDoS": [[35, 39]], "MALWARE: Mirai": [[216, 221]], "MALWARE: ChaCha": [[76, 82], [109, 115]]}, "info": {"source": "apt_reports", "name": "Chalubo"}} +{"text": "Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji.", "spans": {"SYSTEM: Windows": [[65, 72]], "SYSTEM: Linux": [[55, 60]], "SYSTEM: Go": [[36, 38]]}, "info": {"source": "apt_reports", "name": "Chaos"}} +{"text": "Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. 
It was for example observed by SentinelOne during a PYSA ransomware campaign to achieve persistence and used as backdoor.\r\nGithub: https://github.com/jpillora/chisel", "spans": {"URL: https://github.com/jpillora/chisel": [[376, 410]], "TOOL: Chisel": [[0, 6], [193, 199]], "SYSTEM: SentinelOne": [[276, 287]], "SYSTEM: Go": [[165, 167]]}, "info": {"source": "apt_reports", "name": "Chisel"}} +{"text": "ELF version of clop ransomware.", "spans": {"MALWARE: clop": [[15, 19]]}, "info": {"source": "apt_reports", "name": "Clop"}} +{"text": "According to CISA, this is an implant found in firmware for the Contec CMS8000, a patient monitor used by the Healthcare and Public Health sector. An embedded backdoor function with a hard-coded IP address and functionality that enables patient data spillage was identified.", "spans": {"ORGANIZATION: CISA": [[13, 17]]}, "info": {"source": "apt_reports", "name": "CMS8000 Backdoor"}} +{"text": "ConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. Once a victim's device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.", "spans": {"MALWARE: ConnectBack": [[0, 11], [182, 193]]}, "info": {"source": "apt_reports", "name": "ConnectBack"}} +{"text": "Ransomware", "spans": {}, "info": {"source": "apt_reports", "name": "Conti"}} +{"text": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.", "spans": {}, "info": {"source": "apt_reports", "name": "Cpuminer"}} +{"text": "A malware written in Bash that hides in the Linux calendar system on February 31st. 
Observed in relation to Magecart attacks.", "spans": {"SYSTEM: Linux": [[44, 49]]}, "info": {"source": "apt_reports", "name": "CronRAT"}} +{"text": "According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.", "spans": {"THREAT_ACTOR: Sandworm": [[553, 561]], "SYSTEM: NAS": [[231, 234]], "ORGANIZATION: CISA": [[13, 17]], "MALWARE: Cyclops": [[19, 26], [245, 252], [376, 383], [485, 492]], "MALWARE: Cyclops Blink": [[19, 32], [245, 258], [376, 389], [485, 498]], "MALWARE: VPNFilter": [[79, 88], [325, 334], [365, 374]]}, "info": {"source": "apt_reports", "name": "CyclopsBlink"}} +{"text": "According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.\r\n\r\nResearch shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. 
In any case, no RAT is harmless and should be uninstalled immediately.", "spans": {"MALWARE: Dacls": [[21, 26]], "THREAT_ACTOR: Lazarus Group": [[207, 220]], "SYSTEM: Windows": [[276, 283]], "SYSTEM: Linux": [[262, 267]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Dacls"}} +{"text": "Mirai variant exploiting CVE-2021-20090 and CVE2021-35395 for spreading.", "spans": {"CVE_ID: CVE-2021-20090": [[25, 39]], "MALWARE: Mirai": [[0, 5]]}, "info": {"source": "apt_reports", "name": "Dark"}} +{"text": "A sophisticated payload delivery and upgrade framework, discovered in 2024. DarkCracks exploits compromised GLPI and WordPress sites to function as Downloaders and C2 servers.", "spans": {"MALWARE: DarkCracks": [[76, 86]], "SYSTEM: WordPress": [[117, 126]]}, "info": {"source": "apt_reports", "name": "DarkCracks"}} +{"text": "First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).", "spans": {"MALWARE: DDG": [[41, 44]]}, "info": {"source": "apt_reports", "name": "DDG"}} +{"text": "DEADBOLT is a linux ransomware written in Go, targeting QNAP NAS devices worldwide. 
The files are encrypted with AES128 encryption and will have the .deadbolt extension appended to file names.", "spans": {"MALWARE: DEADBOLT": [[0, 8]], "SYSTEM: QNAP": [[56, 60]], "SYSTEM: NAS": [[61, 64]], "SYSTEM: Go": [[42, 44]]}, "info": {"source": "apt_reports", "name": "DEADBOLT"}} +{"text": "Cado discovered this malware, written in Go and targeting AWS Lambda environments.", "spans": {"SYSTEM: AWS": [[58, 61]], "SYSTEM: Go": [[41, 43]]}, "info": {"source": "apt_reports", "name": "Denonia"}} +{"text": "Dofloo (aka AESDDoS) is a popular malware used to create large scale botnets that can launch DDoS attacks and load cryptocurrency miners to the infected machines.", "spans": {"MALWARE: Dofloo": [[0, 6]], "MALWARE: AESDDoS": [[12, 19]], "VULNERABILITY: DDoS": [[93, 97]]}, "info": {"source": "apt_reports", "name": "Dofloo"}} +{"text": "According to Cisco Talos, DriveSwitch is a launcher for SilentRaid.", "spans": {"MALWARE: DriveSwitch": [[26, 37]], "SYSTEM: Cisco": [[13, 18]], "ORGANIZATION: Talos": [[19, 24]], "ORGANIZATION: Cisco Talos": [[13, 24]], "MALWARE: SilentRaid": [[56, 66]]}, "info": {"source": "apt_reports", "name": "DriveSwitch"}} +{"text": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.", "spans": {"DOMAIN: kernel.org": [[41, 51]], "TOOL: SSH": [[207, 210]], "SYSTEM: cPanel": [[87, 93], [142, 148]], "SYSTEM: ESET": [[381, 385]]}, "info": {"source": "apt_reports", "name": "Ebury"}} +{"text": "The latest in this long line of Mirai scourges is a new variant named Echobot. 
Coming to life in mid-May, the malware was first described by Palo Alto Networks in a report published at the start of June, and then again in a report by security researchers from Akamai, in mid-June.\r\n\r\nWhen it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.\r\n\r\nhttps://www.zdnet.com/article/new-echobot-malware-is-a-smorgasbord-of-vulnerabilities", "spans": {"URL: https://www.zdnet.com/article/new-echobot-malware-is-a-smorgasbord-of-vulnerabilities": [[468, 553]], "MALWARE: Echobot": [[70, 77], [359, 366], [446, 453]], "SYSTEM: Palo Alto": [[141, 150], [313, 322]], "ORGANIZATION: Palo Alto Networks": [[141, 159], [313, 331]], "ORGANIZATION: Akamai": [[260, 266], [417, 423]], "MALWARE: Mirai": [[32, 37]]}, "info": {"source": "apt_reports", "name": "Echobot"}} +{"text": "According to ESET Research, EdgeStepper is an adversary-in-the-middle tool, which forwards DNS traffic from machines in a targeted network to a malicious DNS node. This allows the attackers to redirect the traffic from software updates to a hijacking node that serves instructions to the legitimate software to download a malicious update.", "spans": {"MALWARE: EdgeStepper": [[28, 39]], "SYSTEM: ESET": [[13, 17]]}, "info": {"source": "apt_reports", "name": "EdgeStepper"}} +{"text": "According to the Infosec Institute, EnemyBot is a dangerous IoT botnet that has made headlines in the last few weeks. This threat, which seems to be disseminated by the Keksec group, expanded its features by adding recent vulnerabilities discovered in 2022. 
It was designed to attack web servers, Android devices and content management systems (CMS) servers.", "spans": {"MALWARE: EnemyBot": [[36, 44]], "THREAT_ACTOR: Keksec": [[169, 175]], "SYSTEM: Android": [[297, 304]]}, "info": {"source": "apt_reports", "name": "EnemyBot"}} +{"text": "Ransomware used to target ESXi servers.", "spans": {"SYSTEM: ESXi": [[26, 30]]}, "info": {"source": "apt_reports", "name": "ESXiArgs"}} +{"text": "According to the author, Evilginx is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.", "spans": {"TOOL: Evilginx": [[25, 33]], "VULNERABILITY: phishing": [[94, 102]], "VULNERABILITY: man-in-the-middle": [[50, 67]]}, "info": {"source": "apt_reports", "name": "Evilginx"}} +{"text": "According to Infosec Institute, EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.", "spans": {"MALWARE: EvilGnome": [[32, 41], [230, 239]], "SYSTEM: Linux": [[71, 76], [153, 158], [314, 319]]}, "info": {"source": "apt_reports", "name": "EvilGnome"}} +{"text": "Malware used to run a DDoS botnet.", "spans": {"VULNERABILITY: DDoS": [[22, 26]]}, "info": {"source": "apt_reports", "name": "Fodcha"}} +{"text": "This family utilizes custom modules allowing for remote access, credential harvesting (e.g. by modifying sshd) and proxy usage.\r\n\r\nIt comes with a rootkit as well.", "spans": {"VULNERABILITY: rootkit": [[147, 154]]}, "info": {"source": "apt_reports", "name": "FontOnLake"}} +{"text": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. 
It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk.", "spans": {"MALWARE: FritzFrog": [[26, 35]], "TOOL: SSH": [[113, 116]]}, "info": {"source": "apt_reports", "name": "FritzFrog"}} +{"text": "According to Synthient, Gaganode is a decentralized bandwidth monetization service that enables both users and publishers to earn crypto for their bandwidth or monetize other people's bandwidth. The SDK intentionally implements RCE, thus aligning Gaganode more closely with malware than standard commercial SDKs.", "spans": {"MALWARE: Gaganode": [[24, 32], [247, 255]], "VULNERABILITY: RCE": [[228, 231]]}, "info": {"source": "apt_reports", "name": "Gaganode"}} +{"text": "Gitpaste-12 is a modular malware first observed in October 2020 targeting Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices. It uses GitHub and Pastebin as dead drop C2 locations.", "spans": {"MALWARE: Gitpaste-12": [[0, 11]], "SYSTEM: GitHub": [[156, 162]], "SYSTEM: Linux": [[74, 79], [110, 115]]}, "info": {"source": "apt_reports", "name": "Gitpaste-12"}} +{"text": "ARM32 SOCKS proxy, written in Go, used in the Glupteba campaign.", "spans": {"SYSTEM: Go": [[30, 32]], "MALWARE: Glupteba": [[46, 54]]}, "info": {"source": "apt_reports", "name": "Glupteba Proxy"}} +{"text": "According to LAC, this malware is written in Go and was observed in 2022 used by an unknown China-based APT across several incidents in Japan. 
This backdoor has 20 commands and connects with C2 servers via KCP over UDP.", "spans": {"SYSTEM: Go": [[45, 47]]}, "info": {"source": "apt_reports", "name": "gokcpdoor"}} +{"text": "GOREVERSE is a publicly available reverse shell backdoor written in GoLang that operates over Secure Shell (SSH).", "spans": {"MALWARE: GOREVERSE": [[0, 9]], "TOOL: SSH": [[108, 111]]}, "info": {"source": "apt_reports", "name": "GOREVERSE"}} +{"text": "A DDoS botnet, based on Mirai.", "spans": {"VULNERABILITY: DDoS": [[2, 6]], "MALWARE: Mirai": [[24, 29]]}, "info": {"source": "apt_reports", "name": "Gorilla"}} +{"text": "GoTitan is a DDoS bot under development, which support ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.", "spans": {"MALWARE: GoTitan": [[0, 7]], "VULNERABILITY: DDoS": [[13, 17], [121, 125]]}, "info": {"source": "apt_reports", "name": "GoTitan"}} +{"text": "According to Mandiant, GRIMBOLT is a C#-written foothold backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX. It provides a remote shell capability and uses the same command and control as previously deployed BRICKSTORM payload. 
It's unclear if the threat actor's replacement of BRICKSTORM with GRIMBOLT was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response.", "spans": {"MALWARE: GRIMBOLT": [[23, 31], [326, 334]], "TOOL: UPX": [[136, 139]], "ORGANIZATION: Mandiant": [[13, 21]], "MALWARE: BRICKSTORM": [[240, 250], [310, 320]]}, "info": {"source": "apt_reports", "name": "GRIMBOLT"}} +{"text": "Ransomware.", "spans": {}, "info": {"source": "apt_reports", "name": "HellDown"}} +{"text": "Linux version of the HelloKitty ransomware.", "spans": {"MALWARE: HelloKitty": [[21, 31]], "SYSTEM: Linux": [[0, 5]]}, "info": {"source": "apt_reports", "name": "HelloKitty"}} +{"text": "Lumen discovered this malware used in campaign targeting business-grade routers using a RAT they call HiatusRAT and a variant of tcpdump for traffic interception.", "spans": {"MALWARE: HiatusRAT": [[102, 111]]}, "info": {"source": "apt_reports", "name": "HiatusRAT"}} +{"text": "HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.", "spans": {"MALWARE: HiddenWasp": [[0, 10]], "SYSTEM: Linux": [[16, 21]]}, "info": {"source": "apt_reports", "name": "HiddenWasp"}} +{"text": "HinataBot is a Go-based DDoS-focused botnet. It was observed in the first quarter of 2023 targeting HTTP and SSH endpoints leveraging old vulnerabilities and weak credentials. 
Amongst those infection vectors are exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers.", "spans": {"CVE_ID: CVE-2014-8361": [[277, 290]], "CVE_ID: CVE-2017-17215": [[315, 329]], "MALWARE: HinataBot": [[0, 9]], "TOOL: SSH": [[109, 112]], "SYSTEM: Huawei": [[293, 299]], "SYSTEM: Go": [[15, 17]], "VULNERABILITY: DDoS": [[24, 28]]}, "info": {"source": "apt_reports", "name": "HinataBot"}} +{"text": "Checkpoint Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”, a custom MIPS32 ELF implant. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:\r\n* Remote shell: Execution of arbitrary shell commands on the infected router\r\n* File transfer: Upload and download files to and from the infected router.\r\n* SOCKS tunneling: Relay communication between different clients.", "spans": {"THREAT_ACTOR: Camaro Dragon": [[121, 134]]}, "info": {"source": "apt_reports", "name": "Horse Shell"}} +{"text": "RAT. Functionality like ExecShell, GetFileList/SendFile/DownloadFile, Socks5, PortmapManager/GetConn/SendConn. 
Transport also supports Quic.\r\n\r\nVariants in C# and GO.", "spans": {}, "info": {"source": "apt_reports", "name": "InsidiousGh0st"}} +{"text": "According to Sekoia, this is the ransomware used by the Interlock ransomware intrusion set, which was first observed in September 2024 conducting Big Game Hunting and double extortion campaigns.", "spans": {"MALWARE: Interlock": [[56, 65]], "ORGANIZATION: Sekoia": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Interlock"}} +{"text": "IOControl is a Linux backdoor which targets ARM-based IoT and OT systems, which a particular focus on Fuel and Industrial Control Systems.", "spans": {"SYSTEM: Linux": [[15, 20]]}, "info": {"source": "apt_reports", "name": "elf.iocontrol"}} +{"text": "ccording to Fortinet, this is a Mirai-based DDoS botnet.", "spans": {"SYSTEM: Fortinet": [[12, 20]], "VULNERABILITY: DDoS": [[44, 48]], "MALWARE: Mirai": [[32, 37]]}, "info": {"source": "apt_reports", "name": "IZ1H9"}} +{"text": "According to Lumen, J-Magic is a variant of cd00r and passively scans for five different predefined parameters before activating. If any of these parameters or “magic packets” are received, the agent sends back a secondary challenge. Once that challenge is complete, J-magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software.", "spans": {"MALWARE: J-Magic": [[20, 27]], "MALWARE: cd00r": [[44, 49]], "MALWARE: J-magic": [[267, 274]]}, "info": {"source": "apt_reports", "name": "J-Magic"}} +{"text": "Kaden is a DDoS botnet that is heavily based on Bashlite/Gafgyt. 
Next to DDoS capabilities it contains wiper functionality, which currently can not be triggerred (yet).", "spans": {"MALWARE: Kaden": [[0, 5]], "VULNERABILITY: DDoS": [[11, 15], [73, 77]], "MALWARE: Gafgyt": [[57, 63]], "MALWARE: Bashlite": [[48, 56]]}, "info": {"source": "apt_reports", "name": "Kaden"}} +{"text": "According to Black Lotus Labs, KadNap primarily targets Asus routers, conscripting them into a botnet that proxies malicious traffic. It employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring.", "spans": {"MALWARE: KadNap": [[31, 37]], "ORGANIZATION: Black Lotus Labs": [[13, 29]], "MALWARE: Lotus": [[19, 24]]}, "info": {"source": "apt_reports", "name": "KadNap"}} +{"text": "Surfaced in late April 2020, Intezer describes Kaiji as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting about the origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.", "spans": {"MALWARE: Kaiji": [[47, 52], [239, 244]], "TOOL: SSH": [[106, 109]], "SYSTEM: Go": [[82, 84]], "ORGANIZATION: Intezer": [[29, 36]], "VULNERABILITY: DDoS": [[58, 62]], "VULNERABILITY: brute force": [[110, 121]]}, "info": {"source": "apt_reports", "name": "Kaiji"}} +{"text": "According to netenrich, Kaiten is a Trojan horse that opens a back door on the compromised computer that allows it to perform other malicious activities. The trojan does not create any copies of itself. 
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.", "spans": {"MALWARE: Kaiten": [[24, 30]]}, "info": {"source": "apt_reports", "name": "Kaiten"}} +{"text": "ELF x64 Rust downloader first discovered on Ivanti Connect Secure VPN after the exploitation of CVE-2024-21887 and CVE-2023-46805. Downloads Sliver backdoor and deletes itself.", "spans": {"CVE_ID: CVE-2024-21887": [[96, 110]], "CVE_ID: CVE-2023-46805": [[115, 129]], "TOOL: Sliver": [[141, 147]], "SYSTEM: Rust": [[8, 12]], "SYSTEM: Ivanti": [[44, 50]], "SYSTEM: VPN": [[66, 69]]}, "info": {"source": "apt_reports", "name": "KrustyLoader"}} +{"text": "According to Trend Micro, KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.", "spans": {"MALWARE: KTLVdoor": [[26, 34]], "SYSTEM: Trend Micro": [[13, 24]]}, "info": {"source": "apt_reports", "name": "KTLVdoor"}} +{"text": "According to the author if this open source project, this is a library for injecting a shared library into a Linux, Windows and MacOS process.", "spans": {"SYSTEM: Windows": [[116, 123]], "SYSTEM: Linux": [[109, 114]]}, "info": {"source": "apt_reports", "name": "Kubo Injector"}} +{"text": "According to Synacktiv, LinkPro targets the GNU/Linux systems and is developed in Golang. It is named after its main module and the corresponding (private) GitHub repository. 
LinkPro uses eBPF technology, to activate only when receiving a \"magic package\", and to hide on the compromised system.", "spans": {"MALWARE: LinkPro": [[24, 31], [175, 182]], "SYSTEM: GitHub": [[156, 162]], "SYSTEM: Linux": [[48, 53]]}, "info": {"source": "apt_reports", "name": "LinkPro"}} +{"text": "BitDefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency.", "spans": {"MALWARE: LiquorBot": [[71, 80], [208, 217]], "SYSTEM: Go": [[232, 234]], "MALWARE: Mirai": [[41, 46]]}, "info": {"source": "apt_reports", "name": "LiquorBot"}} +{"text": "According to ESET Research, LittleDaemon is the first stage deployed on the victim’s machine through hijacked updates. It was observed in both DLL and executable versions, both of them 32-bit PEs. The main purpose of LittleDaemon is to communicate with the hijacking node to obtain the downloader that we call DaemonicLogistics. 
LittleDaemon does not establish persistence.", "spans": {"MALWARE: LittleDaemon": [[28, 40], [217, 229], [329, 341]], "SYSTEM: ESET": [[13, 17]]}, "info": {"source": "apt_reports", "name": "LittleDaemon"}} +{"text": "Loader and Cleaner components used in attacks against high-performance computing centers in Europe.", "spans": {}, "info": {"source": "apt_reports", "name": "Loerbas"}} +{"text": "ESXi encrypting ransomware written in Rust.", "spans": {"SYSTEM: Rust": [[38, 42]], "SYSTEM: ESXi": [[0, 4]]}, "info": {"source": "apt_reports", "name": "Luna"}} +{"text": "According to Akamai, a Mirai variant exploiting GeoVision IoT devices, (possibly CVE-2024-6047 and/or CVE-2024-11120).", "spans": {"CVE_ID: CVE-2024-6047": [[81, 94]], "CVE_ID: CVE-2024-11120": [[102, 116]], "ORGANIZATION: Akamai": [[13, 19]], "MALWARE: Mirai": [[23, 28]]}, "info": {"source": "apt_reports", "name": "LZRD"}} +{"text": "Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.", "spans": {"THREAT_ACTOR: Cobalt": [[33, 39]], "TOOL: Cobalt Strike": [[33, 46]], "TOOL: Sliver": [[51, 57]], "SYSTEM: Rust": [[70, 74]], "SYSTEM: Cisco": [[0, 5]], "ORGANIZATION: Talos": [[6, 11]], "ORGANIZATION: Cisco Talos": [[0, 11]]}, "info": {"source": "apt_reports", "name": "Manjusaka"}} +{"text": "Masuta is a variant of Mirai that targets IoT devices, primarily routers, using dictionary attacks to target weak credentials. PureMasuta is a variant of Masuta that targets the EDB 38722 D-Link HNAP Bug.", "spans": {"MALWARE: Masuta": [[0, 6], [154, 160]], "MALWARE: PureMasuta": [[127, 137]], "SYSTEM: D-Link": [[188, 194]], "MALWARE: Mirai": [[23, 28]]}, "info": {"source": "apt_reports", "name": "Masuta"}} +{"text": "MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. 
It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.", "spans": {"MALWARE: MESSAGETAP": [[0, 10]]}, "info": {"source": "apt_reports", "name": "MESSAGETAP"}} +{"text": "A x64 ELF file infector with non-destructive payload.", "spans": {}, "info": {"source": "apt_reports", "name": "Midrashim"}} +{"text": "According to Google, MINOCAT is an 64-bit ELF executable for Linux that includes a custom \"NSS\" wrapper and an embedded, open-source Fast Reverse Proxy (FRP) client that handles the actual tunneling.", "spans": {"MALWARE: MINOCAT": [[21, 28]], "SYSTEM: Linux": [[61, 66]], "ORGANIZATION: Google": [[13, 19]]}, "info": {"source": "apt_reports", "name": "MINOCAT"}} +{"text": "Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means \"future\" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on \"Hack Forums\" many variants of the Mirai family appeared, infecting mostly home networks all around the world.", "spans": {"MALWARE: Mirai": [[0, 5], [393, 398]], "SYSTEM: Linux": [[91, 96]]}, "info": {"source": "apt_reports", "name": "Mirai"}} +{"text": "A ransomware, derived from the leaked Conti source code.", "spans": {"MALWARE: Conti": [[38, 43]]}, "info": {"source": "apt_reports", "name": "Monti"}} +{"text": "Mozi is a IoT botnet, that makes use of P2P for communication and reuses source code of other well-known malware families, including Gafgyt, Mirai, and IoT Reaper.", "spans": {"MALWARE: Mozi": [[0, 4]], "MALWARE: Gafgyt": [[133, 139]], "MALWARE: Mirai": [[141, 146]]}, "info": {"source": "apt_reports", "name": "Mozi"}} +{"text": "MrBlack, first identified in May 2014 by Russian security firm Dr. 
Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.\r\n\r\nMrBlack scans for and infects routers that have not had their default login credentials changed and that allow remote access to HTTP and SSH via port 80 and port 22, respectively. One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.", "spans": {"MALWARE: MrBlack": [[0, 7], [381, 388], [474, 481], [869, 876]], "TOOL: SSH": [[611, 614]], "SYSTEM: Ubiquiti": [[696, 704]], "SYSTEM: Linux": [[97, 102]], "VULNERABILITY: DDoS": [[164, 168], [233, 237], [1077, 1081]]}, "info": {"source": "apt_reports", "name": "MrBlack"}} +{"text": "Ransomware used against Linux servers.", "spans": {"SYSTEM: Linux": [[24, 29]]}, "info": {"source": "apt_reports", "name": "Nextcry"}} +{"text": "According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. 
It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).", "spans": {"MALWARE: Nimbo-C2": [[25, 33]], "SYSTEM: Windows": [[117, 124]], "SYSTEM: Linux": [[133, 138]], "SYSTEM: .NET": [[180, 184]]}, "info": {"source": "apt_reports", "name": "Nimbo-C2"}} +{"text": "Golang-based RAT that offers execution of shell commands and download+run capability.", "spans": {}, "info": {"source": "apt_reports", "name": "NiuB"}} +{"text": "According to Black Lotus Labs, Nosedive is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM, SuperH, PowerPC, etc.). Nosedive implants are typically deployed from Tier 2 payload servers in the Raptor Train infrastructure through a unique URL encoding scheme and domain injection method. Nosedive droppers use this method to request payloads for specific C2s by encoding the requested C2 domain and joining it with a unique \"key\" that identifies the bot and the target architecture of the compromised device (e.g. MIPS, ARM, etc.), which is then injected into the Nosedive implant payload that is deployed to the Tier 1 node. Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices. \r\n\r\nThe malware and its associated droppers are memory-resident only and deleted from disk. 
This, in addition to anti-forensics techniques employed on these devices including the obfuscation of running process names, compromising devices through a multi-stage infection chain, and killing remote management processes, makes detection and forensics much more difficult.", "spans": {"MALWARE: Nosedive": [[31, 39], [182, 190], [352, 360], [628, 636], [705, 713]], "ORGANIZATION: Black Lotus Labs": [[13, 29]], "VULNERABILITY: DDoS": [[815, 819]], "MALWARE: Mirai": [[69, 74]], "MALWARE: Lotus": [[19, 24]]}, "info": {"source": "apt_reports", "name": "Nosedive"}} +{"text": "FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.", "spans": {"CVE_ID: CVE-2019-19781": [[281, 295]], "THREAT_ACTOR: NOTROBIN": [[20, 28], [342, 350]], "SYSTEM: Go": [[53, 55]], "ORGANIZATION: FireEye": [[0, 7], [320, 327]]}, "info": {"source": "apt_reports", "name": "NOTROBIN"}} +{"text": "According to stormshield, Orbit is a two-stage malware that appeared in July 2022, discovered by Intezer lab. 
Acting as a stealer and backdoor on 64-bit Linux systems, it consists of an executable acting as a dropper and a dynamic library.", "spans": {"MALWARE: Orbit": [[26, 31]], "SYSTEM: Linux": [[153, 158]], "ORGANIZATION: Intezer": [[97, 104]]}, "info": {"source": "apt_reports", "name": "OrBit"}} +{"text": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.", "spans": {"CVE_ID: CVE-2017-17215": [[43, 57]], "MALWARE: Mirai": [[0, 5]]}, "info": {"source": "apt_reports", "name": "Owari"}} +{"text": "According to Yarix digital security, this is a malware that allows to sniff on HTTPS traffic, implemented as Apache module.", "spans": {"SYSTEM: Apache": [[109, 115]]}, "info": {"source": "apt_reports", "name": "p0sT5n1F3r"}} +{"text": "P2Pinfect is a fast-growing multi platform botnet, the purpose of which is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux based routers and IoT devices. It is capable of brute forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system.", "spans": {"MALWARE: P2Pinfect": [[0, 9]], "TOOL: SSH": [[245, 248]], "SYSTEM: Rust": [[101, 105]], "SYSTEM: Windows": [[129, 136]], "SYSTEM: Linux": [[141, 146], [177, 182]], "SYSTEM: Redis": [[271, 276]]}, "info": {"source": "apt_reports", "name": "P2Pinfect"}} +{"text": "According to 0x3oBAD, this is a 64-bit Linux ELF ransomware binary targeting VMware ESXi hypervisor environments. The sample combines a robust cryptographic scheme Curve25519 ECDHand ChaCha20 with ESXi-specific VM enumeration via the vmInventory.xml inventory file, graceful shutdown of running VMs before encryption, and a multi-threaded file encryption pipeline scaled to available CPU cores. 
The ransom note is delivered inside ESXi’s own web UI welcome.txt, replacing the host management interface greeting.", "spans": {"SYSTEM: ESXi": [[84, 88], [197, 201], [431, 435]], "SYSTEM: Linux": [[39, 44]], "SYSTEM: VMware": [[77, 83]]}, "info": {"source": "apt_reports", "name": "Payload "}} +{"text": "P2P botnet derived from the Mirai source code.", "spans": {"MALWARE: Mirai": [[28, 33]]}, "info": {"source": "apt_reports", "name": "pbot"}} +{"text": "A botnet with P2P and centralized C&C capabilities.", "spans": {}, "info": {"source": "apt_reports", "name": "Pink"}} +{"text": "According to Mandiant, this is a SparkGateway plugin that loads LITTLELAMB.WOOLTEA through JNI.", "spans": {"ORGANIZATION: Mandiant": [[13, 21]], "MALWARE: LITTLELAMB.WOOLTEA": [[64, 82]]}, "info": {"source": "apt_reports", "name": "PITFUEL"}} +{"text": "According to Mandiant, PITHOOK hooks the accept and accept4 functions within the web process by modifying the PLT. When PITHOOK receives a buffer matching the predefined magic byte sequence, it will duplicate the socket and forward it to PITSTOP over the Unix domain socket /data/runtime/cockpit/wd.fd.", "spans": {"MALWARE: PITHOOK": [[23, 30], [120, 127]], "SYSTEM: Unix": [[255, 259]], "ORGANIZATION: Mandiant": [[13, 21]], "MALWARE: PITSTOP": [[238, 245]]}, "info": {"source": "apt_reports", "name": "PITHOOK"}} +{"text": "According to Mandiant, this is backdoor which hooks the accept and setsockopt of the web process by modifying its procedure linkage table (PLT). 
This enables backdoor communication via the Unix socket /tmp/clientsDownload.sock when it receives a specific 48-byte magic byte sequence in the incoming buffer.", "spans": {"FILEPATH: /tmp/clientsDownload.sock": [[201, 226]], "SYSTEM: Unix": [[189, 193]], "ORGANIZATION: Mandiant": [[13, 21]]}, "info": {"source": "apt_reports", "name": "PITSOCK"}} +{"text": "According to Nexttron Systems, this is an implant built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access.", "spans": {"TOOL: SSH": [[190, 193]]}, "info": {"source": "apt_reports", "name": "Plague"}} +{"text": "According to Sekoia, this is a form of TLS backdoor containing pre-defined commands. Their investigation initially identified Cisco routers as a target but they also uncovered other payloads from the same family, but targeting different devices, notably Asus, QNAP and Synology. A working hypothesis suggests that devices compromised with PolarEdge could be used as Operational Relay Boxes (ORB) to facilitate offensive cyber operations.", "spans": {"MALWARE: PolarEdge": [[339, 348]], "SYSTEM: Synology": [[269, 277]], "SYSTEM: Cisco": [[126, 131]], "SYSTEM: QNAP": [[260, 264]], "ORGANIZATION: Sekoia": [[13, 19]]}, "info": {"source": "apt_reports", "name": "PolarEdge"}} +{"text": "Part of Mythic C2, written in Golang.", "spans": {"TOOL: Mythic": [[8, 14]]}, "info": {"source": "apt_reports", "name": "Poseidon"}} +{"text": "Black Lotus Labs identified malware for the Windows Subsystem for Linux (WSL). 
Mostly written in Python but compiled as Linux ELF files.", "spans": {"SYSTEM: Windows": [[44, 51]], "SYSTEM: Python": [[97, 103]], "SYSTEM: Linux": [[66, 71], [120, 125]], "ORGANIZATION: Black Lotus Labs": [[0, 16]], "MALWARE: Lotus": [[6, 11]]}, "info": {"source": "apt_reports", "name": "PrivetSanya"}} +{"text": "Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.", "spans": {"THREAT_ACTOR: Rocke": [[44, 49]], "ORGANIZATION: Unit 42": [[0, 7]]}, "info": {"source": "apt_reports", "name": "Pro-Ocean"}} +{"text": "According to Elastic, PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers. \r\n\r\nThe rootkit component, referenced by the malware authors as “PUMA\", employs an internal Linux function tracer (ftrace) to hook 18 different syscalls and several kernel functions, enabling it to manipulate core system behaviors. Unique methods are used to interact with PUMA, including using the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information. 
\r\n\r\nKey functionalities of the kernel module include privilege escalation, hiding files and directories, concealing itself from system tools, anti-debugging measures, and establishing communication with command-and-control (C2) servers.\r\n\r\nThere is also an accompanying userland SO rootkit internally referred to as Kitsune.", "spans": {"MALWARE: PUMAKIT": [[22, 29]], "MALWARE: PUMA": [[274, 278], [482, 486]], "MALWARE: Kitsune": [[944, 951]], "SYSTEM: Linux": [[301, 306]], "ORGANIZATION: Elastic": [[13, 20]], "VULNERABILITY: privilege escalation": [[528, 548], [681, 701]], "VULNERABILITY: rootkit": [[78, 85], [217, 224], [910, 917]]}, "info": {"source": "apt_reports", "name": "PUMAKIT"}} +{"text": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.", "spans": {"MALWARE: pupy": [[452, 456]], "TOOL: powershell": [[200, 210]], "SYSTEM: Linux": [[176, 181]], "MALWARE: Pupy": [[0, 4], [101, 105], [468, 472]]}, "info": {"source": "apt_reports", "name": "pupy"}} +{"text": "Qilin ransomware, initially observed in July 2022 under the name “Agenda,” operates on a Ransomware-as-a-Service (RaaS) model. This model allows core developers to provide their malicious software and infrastructure to affiliates in exchange for a percentage of the profits generated from attacks. 
The name “Qilin” references a Chinese mythological creature symbolizing power and prosperity, a fitting metaphor for the group’s perceived influence and financial objectives. Despite the Chinese name, the group is linked to Russian-speaking cybercriminals, often recruiting affiliates on Russian-language forums and notably excluding Commonwealth of Independent States (CIS) countries from its targets.", "spans": {"MALWARE: Qilin": [[0, 5], [308, 313]], "MALWARE: Agenda": [[66, 72]]}, "info": {"source": "apt_reports", "name": "Qilin"}} +{"text": "The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:\r\n\r\n1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.\r\n\r\n2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.\r\n\r\n3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.", "spans": {"MALWARE: QNAPCrypt": [[4, 13]], "ORGANIZATION: RSA": [[528, 531]]}, "info": {"source": "apt_reports", "name": "QNAPCrypt"}} +{"text": "The malware infects QNAP NAS devices, is persisting via various mechanisms and resists cleaning by preventing firmware updates and interfering with QNAP MalwareRemover. The malware steals passwords and hashes", "spans": {"SYSTEM: QNAP": [[20, 24], [148, 152]], "SYSTEM: NAS": [[25, 28]]}, "info": {"source": "apt_reports", "name": "QSnatch"}} +{"text": "Mandiant observed this backdoor being observed by UNC3524. 
It is based on the open-source Dropbear SSH source code.", "spans": {"THREAT_ACTOR: UNC3524": [[50, 57]], "TOOL: SSH": [[99, 102]], "ORGANIZATION: Mandiant": [[0, 8]]}, "info": {"source": "apt_reports", "name": "QUIETEXIT"}} +{"text": "According to SentineOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting.", "spans": {"MALWARE: RansomEXX": [[25, 34], [141, 150]], "MALWARE: Defray777": [[48, 57]], "SYSTEM: Windows": [[290, 297]], "SYSTEM: Linux": [[302, 307]], "MALWARE: Defray": [[40, 46]]}, "info": {"source": "apt_reports", "name": "RansomEXX"}} +{"text": "According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2.", "spans": {"MALWARE: RansomExx2": [[155, 165]], "SYSTEM: Rust": [[120, 124]], "ORGANIZATION: X-Force": [[26, 33]], "ORGANIZATION: IBM": [[13, 16]]}, "info": {"source": "apt_reports", "name": "RansomExx2"}} +{"text": "A Mirai derivate bruteforcing SSH servers.", "spans": {"TOOL: SSH": [[30, 33]], "MALWARE: Mirai": [[2, 7]]}, "info": {"source": "apt_reports", "name": "RapperBot"}} +{"text": "RedTail is a cryptomining malware, which is based on the open-source XMRIG mining software. 
It is being spread via known vulnerabilities such as:\r\n- CVE-2024-3400 \r\n- CVE-2023-46805\r\n- CVE-2024-21887\r\n- CVE-2023-1389\r\n- CVE-2022-22954\r\n- CVE-2018-20062", "spans": {"CVE_ID: CVE-2024-3400": [[149, 162]], "CVE_ID: CVE-2023-46805": [[167, 181]], "CVE_ID: CVE-2024-21887": [[185, 199]], "CVE_ID: CVE-2023-1389": [[203, 216]], "CVE_ID: CVE-2022-22954": [[220, 234]], "CVE_ID: CVE-2018-20062": [[238, 252]], "MALWARE: RedTail": [[0, 7]]}, "info": {"source": "apt_reports", "name": "RedTail"}} +{"text": "RedXOR is a sophisticated backdoor targeting Linux systems disguised as polkit daemon and utilizing network data encoding based on XOR. Believed to be developed by Chinese nation-state actors, this malware shows similarities to other malware associated with the Winnti umbrella threat group. \r\n\r\nRedXOR uses various techniques such as open-source LKM rootkits, Python pty shell, and network data encoding with XOR. It also employs persistence methods and communication with a Command and Control server over HTTP. \r\n\r\nThe malware can execute various commands including system information collection, updates, shell commands, and network tunneling.", "spans": {"MALWARE: RedXOR": [[0, 6], [296, 302]], "SYSTEM: Python": [[361, 367]], "SYSTEM: Linux": [[45, 50]]}, "info": {"source": "apt_reports", "name": "RedXOR"}} +{"text": "Ransomware that targets Linux VMware ESXi servers. Encryption procedure uses the NTRUEncrypt public-key encryption algorithm.", "spans": {"SYSTEM: ESXi": [[37, 41]], "SYSTEM: Linux": [[24, 29]], "SYSTEM: VMware": [[30, 36]]}, "info": {"source": "apt_reports", "name": "RedAlert Ransomware"}} +{"text": "A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. 
The Trojan’s configuration data is stored in a file encrypted with XOR algorithm.\r\n\r\nSome versions have there configuration stored within the .data section using RC4 to encrypt the details.\r\n\r\nConfiguration options include C2 IP and Port, as well as defence evasion details for changing the process name.", "spans": {"SYSTEM: Linux": [[13, 18]], "ORGANIZATION: Intel": [[79, 84]]}, "info": {"source": "apt_reports", "name": "Rekoobe"}} +{"text": "ELF version of win.revil targeting VMware ESXi hypervisors.", "spans": {"MALWARE: revil": [[19, 24]], "SYSTEM: ESXi": [[42, 46]], "SYSTEM: VMware": [[35, 41]]}, "info": {"source": "apt_reports", "name": "REvil"}} +{"text": "P2P Botnet discovered by Netlab360. The botnet infects linux servers via the Webmin RCE vulnerability (CVE-2019-15107) which allows attackers to run malicious code with root privileges and take over older Webmin versions. Based on the Netlabs360 analysis, the botnet serves mainly 7 functions: reverse shell, self-uninstall, gather process' network information, gather Bot information, execute system commands, run encrypted files specified in URLs and four DDoS attack methods: ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood.", "spans": {"CVE_ID: CVE-2019-15107": [[103, 117]], "VULNERABILITY: RCE": [[84, 87]], "VULNERABILITY: DDoS": [[458, 462]]}, "info": {"source": "apt_reports", "name": "Roboto"}} +{"text": "RotaJakiro is a stealthy Linux backdoor which remained undetected between 2018 and 2021.\r\nThe malware uses rotating encryption to encrypt the resource information within the sample, and C2 communication, using a combination of AES, XOR, ROTATE encryption and ZLIB compression.", "spans": {"MALWARE: RotaJakiro": [[0, 10]], "SYSTEM: Linux": [[25, 30]]}, "info": {"source": "apt_reports", "name": "RotaJakiro"}} +{"text": "According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of 
Conti Team One.", "spans": {"MALWARE: Royal": [[25, 30]], "MALWARE: Conti": [[178, 183]]}, "info": {"source": "apt_reports", "name": "Royal Ransom"}} +{"text": "According to Cisco Talos, RushDrop is a dropper used by UAT-7290 for deploying SilentRaid", "spans": {"MALWARE: RushDrop": [[26, 34]], "SYSTEM: Cisco": [[13, 18]], "ORGANIZATION: Talos": [[19, 24]], "ORGANIZATION: Cisco Talos": [[13, 24]], "MALWARE: SilentRaid": [[79, 89]]}, "info": {"source": "apt_reports", "name": "RushDrop"}} +{"text": "According to Mandiant, SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabilities. The backdoor is implemented using hooks on the send, recv, close syscalls via the 3rd party kubo/funchook hooking library, and amounts to five components, most of which are referred to as \"Channels\" within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality.", "spans": {"MALWARE: SALTWATER": [[23, 32], [117, 126]], "SYSTEM: Barracuda": [[53, 62]], "ORGANIZATION: Mandiant": [[13, 21]]}, "info": {"source": "apt_reports", "name": "SALTWATER"}} +{"text": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).", "spans": {"CVE_ID: CVE-2014-8361": [[178, 191]], "MALWARE: Satori": [[0, 6]]}, "info": {"source": "apt_reports", "name": "Satori"}} +{"text": "According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen to commands received from the Threat Actor’s Command-and-Control through TCP packets. When executed, the malware uses libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. 
It checks the network packet captured for a hard-coded string. When the right sequence of packet is captured, it establishes a TCP reverse shell to the C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system.\r\nThe malware is based on an open-source backdoor program named \"cd00r\".", "spans": {"SYSTEM: Barracuda": [[90, 99]], "ORGANIZATION: CISA": [[13, 17]], "MALWARE: cd00r": [[692, 697]]}, "info": {"source": "apt_reports", "name": "SEASPY"}} +{"text": "Ransomware, likely based on the leaked Babuk source code.", "spans": {"MALWARE: Babuk": [[39, 44]]}, "info": {"source": "apt_reports", "name": "SEXi"}} +{"text": "According to Fortinet, this is a Mirai fork propagating through multiple vulnerabilities. ShadowV2 had previously been observed targeting AWS EC2 instances in campaigns disclosed in September 2025.", "spans": {"MALWARE: ShadowV2": [[90, 98]], "SYSTEM: Fortinet": [[13, 21]], "SYSTEM: AWS": [[138, 141]], "MALWARE: Mirai": [[33, 38]]}, "info": {"source": "apt_reports", "name": "ShadowV2"}} +{"text": "According to STRIKE, ShortLeash is a custom backdoor used to create an ORB network. It generates unique, self-signed TLS certificates with spoofed metadata for each node. Analysis of these certificates revealed over 1000 active nodes globally and victimology supports attribution to China-Nexus APTs.", "spans": {"MALWARE: ShortLeash": [[21, 31]]}, "info": {"source": "apt_reports", "name": "ShortLeash"}} +{"text": "According to Cisco Talos, SilentRaid is a primary implant used by UAT-7290 in intrusions meant to establish persistent access to compromised endpoints. 
It communicates with its command-and-control server (C2) and carries out tasks defined in the malware.", "spans": {"MALWARE: SilentRaid": [[26, 36]], "SYSTEM: Cisco": [[13, 18]], "ORGANIZATION: Talos": [[19, 24]], "ORGANIZATION: Cisco Talos": [[13, 24]]}, "info": {"source": "apt_reports", "name": "SilentRaid"}} +{"text": "SimpleTea for Linux is an HTTP(S) RAT. \r\n\r\nIt was discovered in Q1 2023 as an instance of the Lazarus group's Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time.\r\n\r\nIt’s an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic.\r\n\r\nIt supports basic commands that include operations on the victim’s filesystem, manipulation with its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker’s arsenal. 
The commands are indexed by 16-bit integers, starting with the value 0x27C3.\r\n\r\nSimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two.", "spans": {"FILEPATH: /home/%user%/.config/apdl.cf": [[485, 513]], "DOMAIN: apdl.cf": [[506, 513]], "MALWARE: SimpleTea": [[0, 9], [928, 937]], "SYSTEM: Linux": [[14, 19], [142, 147], [393, 398], [942, 947], [993, 998]]}, "info": {"source": "apt_reports", "name": "SimpleTea"}} +{"text": "According to its author, this is a stealthy Linux Kernel Rootkit for modern kernels (6x).", "spans": {"SYSTEM: Linux": [[44, 49]]}, "info": {"source": "apt_reports", "name": "Singularity"}} +{"text": "According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.", "spans": {"MALWARE: SLAPSTICK": [[22, 31]], "SYSTEM: Solaris": [[37, 44]], "ORGANIZATION: FireEye": [[13, 20]]}, "info": {"source": "apt_reports", "name": "SLAPSTICK"}} +{"text": "According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. SeaTurtle has used SnappyTCP at least between 2021 and 2023.", "spans": {"MALWARE: SnappyTCP": [[18, 27], [148, 157]], "SYSTEM: Unix": [[64, 68]], "SYSTEM: Linux": [[58, 63]], "ORGANIZATION: PwC": [[13, 16]]}, "info": {"source": "apt_reports", "name": "SnappyTCP"}} +{"text": "According to sysdig, SNOWLIGHT is used as a dropper for its fileless payload (vshell).", "spans": {"MALWARE: SNOWLIGHT": [[21, 30]]}, "info": {"source": "apt_reports", "name": "SNOWLIGHT"}} +{"text": "This is an implant used by APT31 on home routers to utilize them as ORBs.", "spans": {"THREAT_ACTOR: APT31": [[27, 32]]}, "info": {"source": "apt_reports", "name": "SoWaT"}} +{"text": "According to Mandiant, this is a utility that is written in C and targets Linux. 
It can be used to extract the uncompressed linux kernel image (vmlinux) into a file and encrypt it using AES without the need for any command line tools.", "spans": {"SYSTEM: Linux": [[74, 79]], "ORGANIZATION: Mandiant": [[13, 21]]}, "info": {"source": "apt_reports", "name": "SPAWNSNARE"}} +{"text": "According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.", "spans": {"MALWARE: STEELCORGI": [[22, 32]], "SYSTEM: Linux": [[49, 54]], "ORGANIZATION: FireEye": [[13, 20]]}, "info": {"source": "apt_reports", "name": "STEELCORGI"}} +{"text": "Sustes Malware doesn’t infect victims by itself (it’s not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software.", "spans": {"FILEPATH: /bin/bash": [[278, 287]], "TOOL: wget": [[221, 225]], "SYSTEM: Linux": [[158, 163]], "VULNERABILITY: brute-force": [[105, 116]]}, "info": {"source": "apt_reports", "name": "sustes miner"}} +{"text": "A malware capable of capturing credentials and enabling backdoor access, implemented as a userland rootkit. It uses three methods for hiding its network activity, by hooking and hijacking 1) fopen/fopen64, 2) eBPF, 3) a set of libpcap functions.", "spans": {"VULNERABILITY: rootkit": [[99, 106]]}, "info": {"source": "apt_reports", "name": "Symbiote"}} +{"text": "Cryptojacking botnet", "spans": {}, "info": {"source": "apt_reports", "name": "Sysrv-hello"}} +{"text": "Since Fall 2019, Team TNT is a well known threat actor which targets *nix based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for its cloud-based cryptojacking operations. 
They have shifted their focus on compromising Kubernetes Clusters.", "spans": {"SYSTEM: Kubernetes": [[272, 282]], "SYSTEM: Docker": [[106, 112]]}, "info": {"source": "apt_reports", "name": "TeamTNT"}} +{"text": "According to its author, TripleCross is a Linux eBPF rootkit that demonstrates the offensive capabilities of the eBPF technology.", "spans": {"MALWARE: TripleCross": [[25, 36]], "SYSTEM: Linux": [[42, 47]], "VULNERABILITY: rootkit": [[53, 60]]}, "info": {"source": "apt_reports", "name": "TripleCross"}} +{"text": "According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in the Exim MTA: CVE-2019-10149. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiates a crypto miner.", "spans": {"CVE_ID: CVE-2019-10149": [[132, 146]], "ORGANIZATION: Cybereason": [[13, 23]]}, "info": {"source": "apt_reports", "name": "Unidentified Linux 001"}} +{"text": "Implant used by APT31 on compromised SOHO infrastructure, tries to camouflage as a tool (\"unifi-video\") related to Ubiquiti UniFi surveillance cameras.", "spans": {"THREAT_ACTOR: APT31": [[16, 21]], "SYSTEM: Ubiquiti": [[115, 123]]}, "info": {"source": "apt_reports", "name": "Unidentified ELF 004"}} +{"text": "Enables remote execution of scripts on a host, communicates via Tox.", "spans": {}, "info": {"source": "apt_reports", "name": "Unidentified ELF 006 (Tox Backdoor)"}} +{"text": "According to Synacktiv, vGet is an in-memory stager for vShell, written in Rust.", "spans": {"MALWARE: vGet": [[24, 28]], "SYSTEM: Rust": [[75, 79]]}, "info": {"source": "apt_reports", "name": "vGet"}} +{"text": "VoidLink is a cloud-native Linux malware family designed as a modular post-exploitation framework for modern cloud and containerized environments. 
It features a plugin-based architecture with dynamically loadable components that provide reconnaissance, credential harvesting, privilege escalation, lateral movement, persistence, and anti-forensic capabilities. The framework demonstrates strong operational security through runtime encryption, environment awareness (cloud provider and container detection), and the use of user-mode and kernel-level rootkit techniques to evade detection.\r\n\r\nVoidLink is not a repurposed legacy tool but a purpose-built framework optimized for cloud infrastructure, indicating a shift in advanced threat development toward Linux-based cloud workloads. Although no confirmed large-scale infections have been observed, its maturity and design suggest potential use by sophisticated threat actors for long-term, stealthy access to cloud environments.", "spans": {"MALWARE: VoidLink": [[0, 8], [592, 600]], "SYSTEM: Linux": [[27, 32], [756, 761]], "VULNERABILITY: privilege escalation": [[276, 296]], "VULNERABILITY: rootkit": [[550, 557]]}, "info": {"source": "apt_reports", "name": "VoidLink"}} +{"text": "According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C adresses are fetched from Pastebin. C&C communication references unique identification keys per victim. It contains a BlueKeep scanner, reporting positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains 5 exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3.", "spans": {"MALWARE: WatchBog": [[56, 64]], "SYSTEM: Jira": [[389, 393]], "SYSTEM: Jenkins": [[407, 414]], "ORGANIZATION: Intezer": [[13, 20]], "VULNERABILITY: BlueKeep": [[253, 261]]}, "info": {"source": "apt_reports", "name": "WatchBog"}} +{"text": "According to 360 netlab, this backdoor was derived from the leaked CIA Hive project. 
It propagates via a vulnerability in F5 and communicates using SSL with a forged Kaspersky certificate.", "spans": {"SYSTEM: Kaspersky": [[166, 175]], "ORGANIZATION: CIA": [[67, 70]], "MALWARE: Hive": [[71, 75]]}, "info": {"source": "apt_reports", "name": "xdr33"}} +{"text": "Linux DDoS C&C Malware", "spans": {"SYSTEM: Linux": [[0, 5]], "VULNERABILITY: DDoS": [[6, 10]]}, "info": {"source": "apt_reports", "name": "XOR DDoS"}} +{"text": "Zergeca is a DDoS-botnet and backdoor written in Golang. It uses modified UPX for packing, with the magic number 0x30219101 instead of \"UPX!\". It is being distributed via weak telnet passwords and known vulnerabilities.", "spans": {"MALWARE: Zergeca": [[0, 7]], "TOOL: UPX": [[74, 77], [136, 139]], "VULNERABILITY: DDoS": [[13, 17]]}, "info": {"source": "apt_reports", "name": "Zergeca"}} +{"text": "ZeroBot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. It is offered as malware as a service (MaaS) and infrastructure overlaps with DDoS-for-hire services seized by the FBI in December 2022.", "spans": {"MALWARE: ZeroBot": [[0, 7]], "SYSTEM: Go": [[13, 15]], "ORGANIZATION: FBI": [[216, 219]], "VULNERABILITY: DDoS": [[179, 183]]}, "info": {"source": "apt_reports", "name": "ZeroBot"}} +{"text": "According to Black Lotus Labs, ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).", "spans": {"MALWARE: ZuoRAT": [[31, 37]], "ORGANIZATION: Black Lotus Labs": [[13, 29]], "MALWARE: Lotus": [[19, 24]]}, "info": {"source": "apt_reports", "name": "ZuoRAT"}} +{"text": "Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.", "spans": {}, "info": {"source": "apt_reports", "name": "AutoCAD Downloader"}} +{"text": "According to Google, this is a cookie stealer", "spans": {"ORGANIZATION: Google": 
[[13, 19]]}, "info": {"source": "apt_reports", "name": "COOKIESNATCH"}} +{"text": "According to Google, this is a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named \"Coruna\" by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.", "spans": {"MALWARE: Coruna": [[218, 224]], "SYSTEM: iOS": [[98, 101], [265, 268], [397, 400]], "ORGANIZATION: Apple": [[70, 75]], "ORGANIZATION: Google": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Coruna"}} +{"text": "Commercial spyware by Intellexa.", "spans": {}, "info": {"source": "apt_reports", "name": "Predator"}} +{"text": "According to Google, this reconnaissance payload uses a profiling framework drawing canvas to identify the target’s exact iPhone model, a technique used by many other actors. The iPhone model is sent back to the C2 along with screen size, whether or not a touch screen is present, and a unique identifier per initial GET request (e.g., 1lwuzddaxoom5ylli37v90kj).\r\nThe server replies with either an AES encrypted next stage or 0, indicating that no payload is available for this device. 
The payload makes another request to the exploit server with gcr=1 as a parameter to get the AES decryption key from the C2.", "spans": {"ORGANIZATION: Google": [[13, 19]]}, "info": {"source": "apt_reports", "name": "VALIDVICTOR"}} +{"text": "The iOS malware that is installed over USB by osx.wirelurker", "spans": {"MALWARE: wirelurker": [[50, 60]], "SYSTEM: iOS": [[4, 7]]}, "info": {"source": "apt_reports", "name": "WireLurker"}} +{"text": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. Malspam URL to downlaod the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware", "spans": {"MALWARE: Adwind": [[613, 619]], "SYSTEM: Java": [[64, 68]], "SYSTEM: Windows": [[545, 552]], "SYSTEM: VPN": [[377, 380]], "ORGANIZATION: Microsoft": [[535, 544]], "MALWARE: attrib": [[589, 595]]}, "info": {"source": "apt_reports", "name": "AdWind"}} +{"text": "According to VMRay, this malware family uses in interesting obfuscation technique: a trailing slash in its archive to confuse analysis tools. It abuses #GitHub as a #C2 and exfiltrates stolen data, such as browser cookies, via Discord webhooks. The GitHub repositories are quite active and exist since mid to late 2024. 
The malware also monitors keyboard and mouse input, takes screenshots.", "spans": {"SYSTEM: GitHub": [[153, 159], [249, 255]], "SYSTEM: Discord": [[227, 234]]}, "info": {"source": "apt_reports", "name": "Akemi"}} +{"text": "F-Secure observed Banload variants silently downloading malicious files from a remote server, then installing and executing the files.", "spans": {"MALWARE: Banload": [[18, 25]], "ORGANIZATION: F-Secure": [[0, 8]]}, "info": {"source": "apt_reports", "name": "Banload"}} +{"text": "DynamicRAT is a malware that is spread via email attachments and compromises the security of computer systems. Once running on a device, DynamicRAT establishes a persistent presence and gives attackers complete remote control. Its features include sensitive data exfiltration, hardware control, remote action, and the ability to perform DDoS attacks. In addition, DynamicRAT uses evasion and persistence techniques to evade detection and analysis by security solutions.", "spans": {"MALWARE: DynamicRAT": [[0, 10], [137, 147], [364, 374]], "VULNERABILITY: DDoS": [[337, 341]]}, "info": {"source": "apt_reports", "name": "DynamicRAT"}} +{"text": "EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string \"_packet_\" as a packet delimiter.", "spans": {"MALWARE: EpicSplit RAT": [[0, 13], [397, 410]], "SYSTEM: Java": [[33, 37]]}, "info": {"source": "apt_reports", "name": "EpicSplit RAT"}} +{"text": "According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similar to .class files produced by Java. 
IceRat has been observed to carry out information stealing and mining.", "spans": {"MALWARE: IceRat": [[130, 136]], "SYSTEM: Java": [[124, 128]]}, "info": {"source": "apt_reports", "name": "IceRat"}} +{"text": "JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach-API on the ATM's local application and the goal is to remotely control its operation. The malware's primary feature is the ability to dispense cash. The malware also spawns a local port (65413) listening for commands from the attacker which needs to be located in the same internal network.", "spans": {"MALWARE: JavaDispCash": [[0, 12]]}, "info": {"source": "apt_reports", "name": "JavaDispCash"}} +{"text": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.", "spans": {"DOMAIN: jrat.io": [[325, 332]], "MALWARE: jRAT": [[0, 4], [279, 283]], "MALWARE: Jacksbot": [[20, 28]], "SYSTEM: Java": [[64, 68]], "SYSTEM: macOS": [[89, 94]], "SYSTEM: Windows": [[103, 110]], "SYSTEM: Linux": [[96, 101]], "VULNERABILITY: DDoS": [[172, 176]]}, "info": {"source": "apt_reports", "name": "jRAT"}} +{"text": "DDoS for Minecraft servers.", "spans": {"VULNERABILITY: DDoS": [[0, 4]]}, "info": {"source": "apt_reports", "name": "Mineping"}} +{"text": "According to TrustWave, this is a loader leveraging JPHP, which was observed fetching Latrodectus and Lumma.", "spans": {"MALWARE: Latrodectus": [[86, 97]]}, "info": {"source": "apt_reports", "name": "Pronsis Loader"}} +{"text": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. 
Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).", "spans": {"DOMAIN: qarallax.com": [[217, 229]], "MALWARE: Qarallax RAT": [[182, 194], [374, 386]], "SYSTEM: Java": [[273, 277]], "MALWARE: Quaverse RAT": [[83, 95]]}, "info": {"source": "apt_reports", "name": "Qarallax RAT"}} +{"text": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.", "spans": {"MALWARE: QRat": [[0, 4]], "MALWARE: Quaverse RAT": [[20, 32]], "VULNERABILITY: keylogger": [[188, 197]]}, "info": {"source": "apt_reports", "name": "QRat"}} +{"text": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.", "spans": {"MALWARE: Ratty": [[0, 5]], "SYSTEM: Java": [[24, 28]], "SYSTEM: GitHub": [[52, 58]]}, "info": {"source": "apt_reports", "name": "Ratty"}} +{"text": "According to Mandiant, SLAYSTYLE is a webshell written in Java.", "spans": {"MALWARE: SLAYSTYLE": [[23, 32]], "SYSTEM: Java": [[58, 62]], "ORGANIZATION: Mandiant": [[13, 21]]}, "info": {"source": "apt_reports", "name": "SLAYSTYLE"}} +{"text": "Sorillus is a Java-based multifunctional remote access trojan (RAT) that targets Linux, macOS, and Windows operating systems. First created in 2019, the tool gained significant attention in 2022 when various obfuscated client versions began appearing on VirusTotal starting January 18, 2022. The RAT's features were detailed on its now-defunct website (hxxps://sorillus[.]com), where it was marketed for lifetime access at 59.99€, with a discounted price of 19.99€ at the time. 
Payments were conveniently accepted via various cryptocurrencies.\r\n\r\nThe creator and distributor of Sorillus, a YouTube user known as \"Tapt,\" claimed the tool could collect sensitive information from infected systems, including:\r\n\r\n HardwareID\r\n\r\n Username\r\n\r\n Country\r\n\r\n Language\r\n\r\n Webcam footage\r\n\r\n Headless status\r\n\r\n Operating system details\r\n\r\n Client version\r\n\r\nHowever, Sorillus was shut down in 2025 following the FBI's Operation \"Talent,\" which targeted alot of the Cracking infrastucture which included Sellix, the payment portal used by Sorillus for transactions. This operation disrupted the financial infrastructure supporting the RAT, leading to its cessation of operations 5 days later.", "spans": {"SYSTEM: Java": [[14, 18]], "SYSTEM: macOS": [[88, 93]], "SYSTEM: Windows": [[99, 106]], "SYSTEM: Linux": [[81, 86]], "ORGANIZATION: FBI": [[928, 931]], "ORGANIZATION: VirusTotal": [[254, 264]]}, "info": {"source": "apt_reports", "name": "Sorillus RAT"}} +{"text": "STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.\r\n\r\nSince Version 1.2 and above, STRRAT was infamous for its ransomware-like behavior of appending the file name extension .crimson to files. Version 1.5 is notably more obfuscated and modular than previous versions, but the backdoor functions mostly remain the same: collect browser passwords, run remote commands and PowerShell, log keystrokes, among others. 
Version 1.5 of STRRAT Malware includes a proper encryption routine, though currently pretty simple to revert.", "spans": {"MALWARE: STRRAT": [[0, 6], [437, 443], [780, 786]], "TOOL: PowerShell": [[723, 733]], "SYSTEM: Java": [[12, 16]], "SYSTEM: Chrome": [[366, 372]], "SYSTEM: Firefox": [[338, 345]], "SYSTEM: Thunderbird": [[392, 403]], "SYSTEM: Internet Explorer": [[347, 364]], "SYSTEM: Outlook": [[383, 390]], "VULNERABILITY: keylogging": [[272, 282]]}, "info": {"source": "apt_reports", "name": "STRRAT"}} +{"text": "This malware seems to be used for attacks installing cryptocurrency miners on infected machines. Other indicators leads to the assumption that attackers may also use this malware for other purposes (e.g. stealing access tokens for Discord chat app). Symantec describes this malware as complex and powerful: The malware is loaded as a server-side polymorphic JAR file.", "spans": {"SYSTEM: Symantec": [[250, 258]], "SYSTEM: Discord": [[231, 238]]}, "info": {"source": "apt_reports", "name": "Verblecon"}} +{"text": "According to Lumen, a web shell used by Volt Typhoon.", "spans": {"THREAT_ACTOR: Volt Typhoon": [[40, 52]]}, "info": {"source": "apt_reports", "name": "VersaMem"}} +{"text": "AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.", "spans": {"MALWARE: AIRBREAK": [[0, 8]]}, "info": {"source": "apt_reports", "name": "AIRBREAK"}} +{"text": "BeaverTail is a JavaScript malware primarily distributed through NPM packages. It is designed for information theft and to load further stages of malware, specifically a multi-stage Python-based backdoor known as InvisibleFerret. BeaverTail targets cryptocurrency wallets and credit card information stored in the victim's web browsers. Its code is heavily obfuscated to evade detection. Threat actors can either upload malicious NPM packages containing BeaverTail to GitHub or inject BeaverTail code into legitimate NPM projects. 
Researchers have identified additional Windows and macOS variants, indicating that the BeaverTail malware family is likely still under development.", "spans": {"MALWARE: BeaverTail": [[0, 10], [230, 240], [454, 464], [485, 495], [618, 628]], "SYSTEM: macOS": [[582, 587]], "SYSTEM: GitHub": [[468, 474]], "SYSTEM: Windows": [[570, 577]], "SYSTEM: Python": [[182, 188]], "MALWARE: InvisibleFerret": [[213, 228]]}, "info": {"source": "apt_reports", "name": "BeaverTail"}} +{"text": "• BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n• Creating a Run key in the Registry\r\n• Creating a RunOnce key in the Registry\r\n• Creating a persistent named scheduled task\r\n• BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.", "spans": {"MALWARE: BELLHOP": [[2, 9], [154, 161], [392, 399]], "SYSTEM: Windows": [[64, 71]], "ORGANIZATION: Google": [[470, 476]]}, "info": {"source": "apt_reports", "name": "BELLHOP"}} +{"text": "According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.", "spans": {"MALWARE: CACTUSTORCH": [[30, 41]], "SYSTEM: GitHub": [[17, 23]]}, "info": {"source": "apt_reports", "name": "CACTUSTORCH"}} +{"text": "GoSecure describes ChromeBack as a browser hijacker, redirecting traffic and serving advertisements to users.", "spans": {"MALWARE: ChromeBack": [[19, 29]]}, "info": {"source": "apt_reports", "name": "ChromeBack"}} +{"text": "ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. 
The malware leverages social engineering to trick the user into running a fake web browser update.", "spans": {"MALWARE: ClearFake": [[0, 9]], "VULNERABILITY: drive-by download": [[116, 133]]}, "info": {"source": "apt_reports", "name": "ClearFake"}} +{"text": "According to SentinelOne, these applications, typically implemented in app.js files, are deployed on ClickFix malware distribution servers. These applications run servers that listen on configured ports to handle incoming HTTP GET and POST requests, executing different functions based on the specific request path.\r\nThe ContagiousDrop applications deliver malware disguised as software updates or essential utilities. They distribute a tailored payload based on the victim’s operating system (Windows, macOS, or Linux), system architecture, and method of interaction with the server, such as the use of the curl command.\r\nIn addition to delivering malware, the ContagiousDrop applications feature an integrated email notification system. 
These notifications, sent from a configured email address, provide the Contagious Interview threat actors with insights into victim engagement and interaction patterns and are delivered to their configured recipient addresses.", "spans": {"MALWARE: ContagiousDrop": [[321, 335], [662, 676]], "THREAT_ACTOR: Contagious Interview": [[810, 830]], "TOOL: curl": [[608, 612]], "SYSTEM: macOS": [[503, 508]], "SYSTEM: Windows": [[494, 501]], "SYSTEM: SentinelOne": [[13, 24]], "SYSTEM: Linux": [[513, 518]]}, "info": {"source": "apt_reports", "name": "ContagiousDrop"}} +{"text": "WebAssembly-based crpyto miner.", "spans": {}, "info": {"source": "apt_reports", "name": "CryptoNight"}} +{"text": "Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA for C&C.", "spans": {"VULNERABILITY: keylogger": [[92, 101]]}, "info": {"source": "apt_reports", "name": "DarkWatchman"}} +{"text": "Open sourced javascript info stealer, with the capabilities of stealing crypto wallets, password, cookies and modify discord clients https://github.com/doener2323/doenerium", "spans": {"URL: https://github.com/doener2323/doenerium": [[133, 172]], "MALWARE: doenerium": [[163, 172]]}, "info": {"source": "apt_reports", "name": "doenerium"}} +{"text": "According to sysdig, EtherRAT uses Ethereum smart contracts for C2 URL resolution. It establishes persistence through five independent mechanisms, ensuring survival across reboots and system maintenance (systemd, xdg, cron, bashrc, profile).", "spans": {"MALWARE: EtherRAT": [[21, 29]], "MALWARE: systemd": [[204, 211]]}, "info": {"source": "apt_reports", "name": "EtherRAT"}} +{"text": "According proofpoint, EvilNum is a backdoor that can be used for data theft or to load additional payloads. 
The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.", "spans": {"MALWARE: EvilNum": [[22, 29]]}, "info": {"source": "apt_reports", "name": "EVILNUM"}} +{"text": "FakeUpdateRU is a malicious JavaScript code injected into compromised websites to deliver further malware using the drive-by download technique. The malicious code displays a copy of the Google Chrome web browser download page and redirects the user to the download of a next-stage payload.", "spans": {"MALWARE: FakeUpdateRU": [[0, 12]], "SYSTEM: Chrome": [[194, 200]], "ORGANIZATION: Google": [[187, 193]], "VULNERABILITY: drive-by download": [[116, 133]]}, "info": {"source": "apt_reports", "name": "FakeUpdateRU"}} +{"text": "FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.\r\n\r\nFAKEUPDATES has been heavily used by UNC1543, a financially motivated group.", "spans": {"MALWARE: FAKEUPDATES": [[0, 11], [194, 205], [345, 356]]}, "info": {"source": "apt_reports", "name": "FAKEUPDATES"}} +{"text": "According to Google, GHOSTBLADE is delivered via the DarkSword exploit chain. GHOSTBLADE is a dataminer written in JavaScript that collects and exfiltrates a wide variety of data from a compromised device. Data collected by GHOSTBLADE is exfiltrated to an attacker-controlled server over HTTP(S). Unlike GHOSTKNIFE and GHOSTSABER, GHOSTBLADE is less capable and does not support any additional modules or backdoor-like functionality; it also does not operate continuously. 
However, similar to GHOSTKNIFE, GHOSTBLADE also contains code to delete crash reports, but targets a different directory where they may be stored.", "spans": {"MALWARE: GHOSTBLADE": [[21, 31], [78, 88], [224, 234], [331, 341], [505, 515]], "ORGANIZATION: Google": [[13, 19]]}, "info": {"source": "apt_reports", "name": "GHOSTBLADE"}} +{"text": "According to Koi Security, this malware harvests NPM, GitHub, and Git credentials for supply chain propagation. It targets 49 different cryptocurrency wallet extensions to drain funds. It uses stolen credentials to compromise additional packages and extensions, spreading the worm further. Furthermore, it deploys SOCKS proxy servers, turning developer machines into criminal infrastructure and installs hidden VNC servers for complete remote access.", "spans": {"TOOL: VNC": [[411, 414]], "SYSTEM: GitHub": [[54, 60]], "SYSTEM: Git": [[66, 69]]}, "info": {"source": "apt_reports", "name": "GlassWorm"}} +{"text": "According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file.", "spans": {"MALWARE: GootLoader": [[37, 47], [169, 179], [254, 264]], "SYSTEM: WordPress": [[139, 148]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "GootLoader"}} +{"text": "grelos is a skimmer used for magecart-style attacks.", "spans": {"MALWARE: grelos": [[0, 6]], "MALWARE: magecart": [[29, 37]]}, "info": {"source": "apt_reports", "name": "grelos"}} +{"text": "GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. 
The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.", "spans": {"MALWARE: GRIFFON": [[0, 7], [233, 240]]}, "info": {"source": "apt_reports", "name": "Griffon"}} +{"text": "IClickFix is a malicious JavaScript framework deployed on compromised WordPress sites to deliver further malware using the ClickFix social engineering tactic and fake Cloudflare Turnstile CAPTCHA challenge.", "spans": {"MALWARE: IClickFix": [[0, 9]], "SYSTEM: WordPress": [[70, 79]], "ORGANIZATION: Cloudflare": [[167, 177]]}, "info": {"source": "apt_reports", "name": "IClickFix"}} +{"text": "JADESNOW is a JavaScript-based downloader malware family associated with the threat cluster UNC5342. JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum. The input data stored in the smart contract may be Base64-encoded and XOR-encrypted. The final payload in the JADESNOW infection chain is usually a more persistent backdoor like INVISIBLEFERRET.JAVASCRIPT.", "spans": {"MALWARE: JADESNOW": [[0, 8], [101, 109], [349, 357]], "THREAT_ACTOR: UNC5342": [[92, 99]]}, "info": {"source": "apt_reports", "name": "JADESNOW"}} +{"text": "Kongtuke is a sophisticated TDS system that was initially discovered around May 2024. Making use of compromised CMS Websites, Kongtuke redirects website visitors through a multi-stage infection process ultimately leading to device infection. Initially using fake Update lures, it started to use FakeCaptcha lures at the beginning of 2025. 
It is likely an initial access service, selling infections to both Ransomware affiliates and other IA vendors like SocGholish.", "spans": {"MALWARE: Kongtuke": [[0, 8], [126, 134]], "MALWARE: SocGholish": [[454, 464]]}, "info": {"source": "apt_reports", "name": "KongTuke"}} +{"text": "The LNKR trojan is a malicious browser extension that will monitor the websites visited by the user, looking for pages with administrative privileges such as blog sites or web-based virtual learning environments. When the administrative user posts to the page, the infected extension will execute stored cross-site scripting attack and injects malicious JavaScript into the legitimate HTML of the page. This is used to redirect the second-party visitors of the site to both benign and malicious domains.", "spans": {"MALWARE: LNKR": [[4, 8]], "VULNERABILITY: cross-site scripting": [[304, 324]]}, "info": {"source": "apt_reports", "name": "LNKR"}} +{"text": "Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it's a sophisticated implant built on top of relays, command and controls and anonymizers used to steal eCommerce customers' credit card information. The first stage is typically implemented in Javascript included into a compromised checkout page. It copies data from \"input fields\" and send them to a relay which collects credit cards coming from a subset of compromised eCommerces and forwards them to Command and Control servers.", "spans": {"MALWARE: Magecart": [[0, 8]]}, "info": {"source": "apt_reports", "name": "magecart"}} +{"text": "MegaMedusa is NodeJS DDoS Machine Layer-7 provided by RipperSec Team.", "spans": {"MALWARE: MegaMedusa": [[0, 10]], "THREAT_ACTOR: RipperSec": [[54, 63]], "VULNERABILITY: DDoS": [[21, 25]]}, "info": {"source": "apt_reports", "name": "megaMedusa"}} +{"text": "MiniJS is a very simple JavaScript-based first-stage backdoor. 
\r\nThe backdoor is probably distributed via spearphishing email. \r\nDue to infrastructure overlap, the malware can be attributed to the actor Turla. Comparable JavaScript-based backdoor families of the actor are KopiLuwak and IcedCoffee.", "spans": {"MALWARE: MiniJS": [[0, 6]], "THREAT_ACTOR: Turla": [[203, 208]], "VULNERABILITY: spearphishing": [[106, 119]]}, "info": {"source": "apt_reports", "name": "MiniJS"}} +{"text": "According to Orange Cyberdefense, MintsLoader is a little-known, multi-stage malware loader that has been used since at least February 2023. It has been observed in widespread distribution campaigns between July and October 2024. The name comes from a very characteristic use of an URL parameter “1.php?s=mintsXX\" (with XX being numbers).\r\n\r\nMintsLoader primarily delivers malicious RAT or infostealing payloads such as AsyncRAT and Vidar through phishing emails, targeting organizations in Europe (Spain, Italy, Poland, etc.). Written in JavaScript and PowerShell, MintsLoader operates through a multi-step infection process involving several URLs and domains, most of which use a domain generation algorithm (DGA) with .top TLD.", "spans": {"MALWARE: MintsLoader": [[34, 45], [342, 353], [566, 577]], "TOOL: PowerShell": [[554, 564]], "TOOL: AsyncRAT": [[420, 428]], "VULNERABILITY: phishing": [[447, 455]], "MALWARE: Vidar": [[433, 438]]}, "info": {"source": "apt_reports", "name": "MintsLoader"}} +{"text": "More_eggs is a JavaScript backdoor used by the Cobalt group. 
It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands", "spans": {"MALWARE: More_eggs": [[0, 9]], "THREAT_ACTOR: Cobalt": [[47, 53]]}, "info": {"source": "apt_reports", "name": "More_eggs"}} +{"text": "NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.", "spans": {"MALWARE: NanHaiShu": [[0, 9], [74, 83]], "THREAT_ACTOR: Leviathan": [[63, 72]]}, "info": {"source": "apt_reports", "name": "NanHaiShu"}} +{"text": "NodeCordRAT is a cross-platform Remote Access Trojan and information stealer written in Node.js that targets Windows, macOS, and Linux systems through malicious NPM packages in software supply chain attacks. The malware executes automatically when developers unknowingly install compromised dependencies, providing attackers with comprehensive system access and data\r\nexfiltration capabilities. Its core functions include remote code execution through shell access, credential theft from Google Chrome and MetaMask wallets, extraction of developer secrets from .env files, live screen capture, complete file system navigation and exfiltration, and system information gathering for victim profiling. 
NodeCordRAT achieves persistence through process managers like\r\npm2 that maintain the malware as a background service, while its command-and-control communications leverage the Discord API over HTTPS with hardcoded bot tokens, allowing malicious traffic to masquerade as legitimate web activity and enabling attackers to receive stolen data and issue commands through private Discord channels.", "spans": {"MALWARE: NodeCordRAT": [[0, 11], [699, 710]], "SYSTEM: macOS": [[118, 123]], "SYSTEM: Chrome": [[495, 501]], "SYSTEM: Windows": [[109, 116]], "SYSTEM: Linux": [[129, 134]], "SYSTEM: Node.js": [[88, 95]], "SYSTEM: Discord": [[876, 883], [1075, 1082]], "ORGANIZATION: Google": [[488, 494]], "VULNERABILITY: credential theft": [[466, 482]], "VULNERABILITY: code execution": [[429, 443]], "VULNERABILITY: screen capture": [[578, 592]], "VULNERABILITY: remote code execution": [[422, 443]]}, "info": {"source": "apt_reports", "name": "NodeCordRAT"}} +{"text": "According to the author, this is a project that will give understanding of bypassing Multi Factor Authentication (MFA) of an outlook account. It is build in node.js and uses playwright for the automation in the backend.", "spans": {}, "info": {"source": "apt_reports", "name": "OFFODE"}} +{"text": "Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. 
Recent versions of Ostap query WMI to check for a blacklist of running processes:\r\n\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\n\r\nIf a blacklisted process is found, the malware terminates.\r\n\r\nOstap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.", "spans": {"MALWARE: Ostap": [[0, 5], [195, 200], [711, 716]], "TOOL: Wireshark": [[636, 645]], "SYSTEM: WMI": [[207, 210]], "SYSTEM: Microsoft Office": [[148, 164]], "ORGANIZATION: Microsoft": [[148, 157]], "MALWARE: TrickBot": [[801, 809]], "MALWARE: Nymaim": [[780, 786]]}, "info": {"source": "apt_reports", "name": "ostap"}} +{"text": "OtterCandy is a JavaScript backdoor that uses the Socket.IO WebSocket protocol over port 5000 for command and control and exfiltrates data via HTTP on port 3011. It focuses on credential \r\ntheft from Chromium-based browsers (Chrome, Edge, Brave, Opera, Yandex) by decrypting SQLite login databases with Windows DPAPI, and it targets cryptocurrency wallets through both browser \r\nextension identification and desktop wallet directory collection. The malware conducts recursive filesystem searches to gather .env files, seed phrases, blockchain configuration data, shell history, and cloud credentials for AWS, Azure, and GCP. 
It fingerprints victims by combining hostname and machine UUID to prevent duplicate records and includes a secondary payload system that downloads, prepares, and executes platform-specific follow-on malware.", "spans": {"MALWARE: OtterCandy": [[0, 10]], "SYSTEM: Edge": [[233, 237]], "SYSTEM: Chrome": [[225, 231]], "SYSTEM: Brave": [[239, 244]], "SYSTEM: SQLite": [[275, 281]], "SYSTEM: Windows": [[303, 310]], "SYSTEM: GCP": [[620, 623]], "SYSTEM: AWS": [[604, 607]], "SYSTEM: Azure": [[609, 614]], "SYSTEM: Opera": [[246, 251]]}, "info": {"source": "apt_reports", "name": "OtterCandy"}} +{"text": "This malicious code written in JavaScript is used as Traffic Direction System (TDS). This TDS showes similarities to the Prometheus TDS. According to DECODED Avast.io this TDS has been active since October 2021.", "spans": {"DOMAIN: Avast.io": [[158, 166]], "SYSTEM: Avast": [[158, 163]], "MALWARE: Prometheus": [[121, 131]]}, "info": {"source": "apt_reports", "name": "Parrot TDS"}} +{"text": "PeaceNotWar was integrated into the nodejs module node-ipc as a piece of malware/protestware with wiper characteristics. It targets machines with a public IP address located in Russia and Belarus (using geolocation) and overwrites files recursively using a heart emoji.", "spans": {"MALWARE: PeaceNotWar": [[0, 11]]}, "info": {"source": "apt_reports", "name": "PeaceNotWar"}} +{"text": "According to Trend Micro, PeckBirdy is a script-based framework which, while possessing advanced capabilities, is implemented using JScript, an old script language. This is to ensure that the framework could be launched across different execution environments via LOLBins (Living off the land binaries). 
This flexibility allowed to use PeckBirdy in various kill chain stages, including being used as a watering-hole control server during the initial attack phase, as a reverse shell server during the lateral movement phase, and as a C&C server during the backdoor phase.", "spans": {"MALWARE: PeckBirdy": [[26, 35], [336, 345]], "TOOL: LOLBins": [[264, 271]], "SYSTEM: Trend Micro": [[13, 24]]}, "info": {"source": "apt_reports", "name": "PeckBirdy"}} +{"text": "According to Trend Micro, this is a Node.js based malware, that can download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32 and 64bit.", "spans": {"SYSTEM: Chrome": [[122, 128]], "SYSTEM: Firefox": [[129, 136]], "SYSTEM: Windows": [[207, 214]], "SYSTEM: Trend Micro": [[13, 24]], "SYSTEM: Node.js": [[36, 43]]}, "info": {"source": "apt_reports", "name": "QNodeService"}} +{"text": "QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.", "spans": {"MALWARE: QUICKCAFE": [[0, 9], [118, 127]], "MALWARE: QUICKRIDE.POWER": [[52, 67]], "MALWARE: QUICKRIDE": [[52, 61]]}, "info": {"source": "apt_reports", "name": "QUICKCAFE"}} +{"text": "Active around 2012-2013, this family deployed small JavaScript snippets on infected websites to load exploit kit scripts from DGA-generated domains.\r\nIt commonly used the Blackhole exploit kit and the Sutra Traffic Distribution System (TDS), which caused it to sometimes be misnamed as Blackhole or Sutra.", "spans": {"MALWARE: Blackhole": [[171, 180], [286, 295]], "MALWARE: Sutra": [[201, 206], [299, 304]]}, "info": {"source": "apt_reports", "name": "RunForestRun"}} +{"text": "According to StepSecurity, this is a stealer deployed through a compromised Nx package, targeting system environment properties, cryptocurrency wallets, and development credentials. 
Data is exfiltrated to Github using stolen tokens.", "spans": {}, "info": {"source": "apt_reports", "name": "s1ngularity Stealer"}} +{"text": "A Javascript-based worm propagating through GitHub repositories and exfiltrating tokens and other credentials.", "spans": {"SYSTEM: GitHub": [[44, 50]]}, "info": {"source": "apt_reports", "name": "Shai-Hulud"}} +{"text": "According to Proofpoint, this is a cluster of fake update campaigns delivering payloads like NetSupportManager RAT and Lumma Stealer.", "spans": {"ORGANIZATION: Proofpoint": [[13, 23]], "MALWARE: Lumma Stealer": [[119, 132]], "MALWARE: NetSupportManager RAT": [[93, 114]]}, "info": {"source": "apt_reports", "name": "SmartApeSG"}} +{"text": "According to ESET, SpyPress is a set of Javascript payloads targeting different webmail frameworks (HORDE, MDAEMON, ROUNDCUBE, ZIMBRA). The observed payloads have common characteristics. All are similarly obfuscated, with variable and function names replaced with random-looking strings. Furthermore, strings used by the code, such as webmail and C&C server URLs, are also obfuscated and contained in an encrypted list. Each of those strings is only decrypted when it is used. Note that the variable and function names are randomized for each sample, so the final SpyPress payloads will have different hashes. Another common characteristic is that there are no persistence or update mechanisms. The payload is fully contained in the email and only executed when the email message is viewed from a vulnerable webmail instance.\r\n\r\nFinally, all payloads communicate with their hardcoded C&C servers via HTTP POST requests. 
There is a small number of C&C servers that are shared by all payloads (there is no separation by victim or payload type).", "spans": {"MALWARE: SpyPress": [[19, 27], [564, 572]], "SYSTEM: ESET": [[13, 17]]}, "info": {"source": "apt_reports", "name": "SpyPress"}} +{"text": "SQLRat campaigns typically involve a lure document that includes an image overlayed by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\\Roaming\\Microsoft\\Templates\\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.", "spans": {"FILEPATH: %appdata%\\Roaming\\Microsoft\\Templates\\,": [[232, 271]], "MALWARE: SQLRat": [[0, 6], [709, 715]], "ORGANIZATION: Microsoft": [[250, 259], [772, 781]]}, "info": {"source": "apt_reports", "name": "SQLRat"}} +{"text": "According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.", "spans": {"TOOL: Empire": [[52, 58]], "TOOL: powershell": [[100, 110], [145, 155]]}, "info": {"source": "apt_reports", "name": "Starfighter"}} +{"text": "According to IBM X-Force, this is a simple reverse shell. Upon execution, the script generates a unique victim ID by combining the machine's product ID and computer name. It queries a hardcoded server and executes optional commands directly via cmd.exe. 
Command output is send back using a POST request after completion or a timeout.", "spans": {"TOOL: cmd.exe": [[245, 252]], "TOOL: cmd": [[245, 248]], "ORGANIZATION: IBM X-Force": [[13, 24]], "ORGANIZATION: X-Force": [[17, 24]], "ORGANIZATION: IBM": [[13, 16]]}, "info": {"source": "apt_reports", "name": "StarFish"}} +{"text": "StoatWaffle Malware is a lightweight JavaScript-based backdoor trojan active since at least October 2025 that enables persistent, stealthy remote control over infected systems by continuously beaconing to a command-and-control server approximately every 5 seconds. The First-Stage Module performs host fingerprinting — collecting hostname, MAC address, operating system details, and the complete Node.js process environment (process.env), which frequently contains cloud credentials, API keys, and CI/CD secrets — and executes attacker-supplied payloads via eval(). The Second-Stage Module additionally collects the victim's public IP address, spawns attacker-supplied payloads as isolated detached child processes using the local Node.js runtime, and supports process ID tracking, remote agent UUID and session token updates, and an operator-controlled kill-switch that terminates all tracked child processes and self-exits on command. 
Both modules suppress SIGHUP signals and hide spawned process windows to reduce visibility, report errors to the C2 server via a dedicated telemetry endpoint, and together allow attackers to steal secrets, deliver additional payloads, execute arbitrary commands, and maintain ongoing process-level control with the privileges of the compromised user.", "spans": {"MALWARE: StoatWaffle": [[0, 11]], "SYSTEM: Node.js": [[396, 403], [731, 738]]}, "info": {"source": "apt_reports", "name": "StoatWaffle"}} +{"text": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.", "spans": {"MALWARE: maintools.js": [[52, 64]]}, "info": {"source": "apt_reports", "name": "Maintools.js"}} +{"text": "According to Max Kersten, Emotet is dropped by a procedure spanned over multiple stages. The first stage is an office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript, which is this family entry.", "spans": {"TOOL: PowerShell": [[204, 214]], "MALWARE: Emotet": [[26, 32]]}, "info": {"source": "apt_reports", "name": "Unidentified JS 003 (Emotet Downloader)"}} +{"text": "A simple loader written in JavaScript found by Marco Ramilli.", "spans": {}, "info": {"source": "apt_reports", "name": "Unidentified JS 004"}} +{"text": "A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests.", "spans": {}, "info": {"source": "apt_reports", "name": "Unidentified JS 006 (Winter Wyvern)"}} +{"text": "According to Seqrite, this collector is delivered via a phishing mail and triggers via XSS in an active Zimbra session.", "spans": {"SYSTEM: Zimbra": [[104, 110]], "VULNERABILITY: XSS": [[87, 90]], "VULNERABILITY: phishing": [[56, 64]]}, "info": {"source": "apt_reports", "name": "Unidentified JS 007 (Zimbra Stealer)"}} +{"text": "According to PCrisk, Valak is malicious software that downloads JScript files and 
executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that cyber criminals behind Valak attempt to use this malware to cause chain infections (i.e., using Valak to distribute other malware).\r\n\r\nResearch shows that Valak is distributed through spam campaigns, however, in some cases, it infiltrates systems when they are already infected with malicious program such as Ursnif (also known as Gozi).", "spans": {"MALWARE: Valak": [[21, 26], [225, 230], [298, 303], [357, 362]], "ORGANIZATION: PCrisk": [[13, 19]], "MALWARE: Ursnif": [[511, 517]], "MALWARE: Gozi": [[533, 537]]}, "info": {"source": "apt_reports", "name": "Valak"}} +{"text": "The threat actor of this family compromised Chrome extension developer accounts and attached malicious code to the extensions. Web Developer 0.4.9, Chrometana 1.1.3, Infinity New Tab 3.12.3, CopyFish 2.8.5, Web Paint 1.2.1, and Social Fixer 20.1.1 were affected by this. TouchVPN and BetterVPN were assumed to be targets as well.\r\n\r\nThis lead to the execution of another Javascript that substitutes ad banners for their own, effectively hijacking ad traffic. It is also reported that fake pop-up alerts were used to lure victims to download possibly other malware.", "spans": {"SYSTEM: Chrome": [[44, 50]]}, "info": {"source": "apt_reports", "name": "js.wd"}} +{"text": "WEEVILPROXY is a sophisticated and featureful stealer which has a payload primarily written in NodeJS. The developer has put in concerted effort to develop the malware’s breadth of capabilities, including novel techniques not observed in any prior malware campaigns - to our knowledge. 
These new TTPs include methods to modify Windows Setup and Windows Recovery to enable long-term persistence, as well as methods to patch browser extensions ‘on the fly’.", "spans": {"MALWARE: WEEVILPROXY": [[0, 11]], "SYSTEM: Windows": [[327, 334], [345, 352]]}, "info": {"source": "apt_reports", "name": "WEEVILPROXY"}} +{"text": "webshell", "spans": {}, "info": {"source": "apt_reports", "name": "Icesword"}} +{"text": "According to PcRisk AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.", "spans": {"MALWARE: AppleJeus": [[20, 29]]}, "info": {"source": "apt_reports", "name": "AppleJeus"}} +{"text": "Google TAG has observed this malware being delivered via watering hole attacks using 0-day exploits, targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.", "spans": {"ORGANIZATION: Google": [[0, 6]], "VULNERABILITY: 0-day": [[85, 90]], "VULNERABILITY: watering hole": [[57, 70]]}, "info": {"source": "apt_reports", "name": "CDDS"}} +{"text": "A loader delivering malicious Chrome and Safari extensions.", "spans": {"SYSTEM: Safari": [[41, 47]], "SYSTEM: Chrome": [[30, 36]]}, "info": {"source": "apt_reports", "name": "Choziosi"}} +{"text": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. 
\r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on Github (where the trojanized compiled binary didn’t match the displayed source code), o\r\n- on popular and trusted download sites line CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patcher‘s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and are disguised as a “Pop-up blocker”. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). 
The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victim’s computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victim’s hard drive to a remote server\r\n- update itself to a newer version", "spans": {"DOMAIN: Download.com": [[369, 381]], "DOMAIN: MacUpdate.com": [[385, 398]], "MALWARE: CoinThief": [[0, 9]], "SYSTEM: Chrome": [[972, 978]], "SYSTEM: Firefox": [[983, 990]]}, "info": {"source": "apt_reports", "name": "CoinThief"}} +{"text": "According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.\r\n\r\nResearch shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.", "spans": {"MALWARE: Dacls": [[21, 26]], "THREAT_ACTOR: Lazarus Group": [[207, 220]], "SYSTEM: Windows": [[276, 283]], "SYSTEM: Linux": [[262, 267]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Dacls"}} +{"text": "Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.\r\n\r\nThe Tor service transforms the victim’s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address. 
\r\n\r\nThe Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.\r\n\r\nThe web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:\r\n\r\n- Managing files\r\n- Listing processes\r\n- Connecting to various database management systems such as MySQL or SQLite\r\n- Connecting via bind/reverse shell\r\n- Executing shell command\r\n- Capturing and browsing images and videos from the victim’s webcam\r\n- Sending emails with an attachment", "spans": {"MALWARE: Eleanor": [[0, 7]], "TOOL: Tor": [[194, 197], [287, 290], [425, 428]], "SYSTEM: MySQL": [[931, 936]], "SYSTEM: SQLite": [[940, 946]], "SYSTEM: PHP": [[249, 252]]}, "info": {"source": "apt_reports", "name": "Eleanor"}} +{"text": "According to PCrisk, ElectroRAT is a Remote Access Trojan (RAT) written in the Go programming language and designed to target Windows, MacOS, and Linux users. Cyber criminals behind ElectroRAT target mainly cryptocurrency users. This RAT is distributed via the trojanized Jamm, eTrader, and DaoPoker applications.", "spans": {"MALWARE: ElectroRAT": [[21, 31], [182, 192]], "SYSTEM: Windows": [[126, 133]], "SYSTEM: Linux": [[146, 151]], "SYSTEM: Go": [[79, 81]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "ElectroRAT"}} +{"text": "According to PcRisk, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type - it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions, however, this ransomware leaves them unchanged.\r\n\r\nIt drops the \"READ_ME_NOW.txt\" in each folder that contains encrypted data and displays another ransom message in a pop-up window. 
Additionally, this malware is capable of detecting if certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.", "spans": {"MALWARE: EvilQuest": [[21, 30]], "MALWARE: ThiefQuest": [[46, 56]], "VULNERABILITY: keylogger": [[558, 567]]}, "info": {"source": "apt_reports", "name": "EvilQuest"}} +{"text": "According to Proofpoint, FrigidStealer FrigidStealer uses Apple script files and osascript to prompt the user to enter their password, and then to gather data including browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created.", "spans": {"MALWARE: FrigidStealer": [[25, 38], [39, 52]], "ORGANIZATION: Proofpoint": [[13, 23]], "ORGANIZATION: Apple": [[58, 63], [313, 318]]}, "info": {"source": "apt_reports", "name": "FrigidStealer"}} +{"text": "Fullhouse (AKA FULLHOUSE.DOORED) is a custom backdoor used by subsets of the North Korean Lazarus Group. Fullhouse is written in C/C++ and includes the capabilities of a tunneler and backdoor commands support such as shell command execution, file transfer, file managment, and process injection. C2 communications occur via HTTP and require configuration through the command line or a configuration file.", "spans": {"MALWARE: FULLHOUSE": [[15, 24]], "THREAT_ACTOR: Lazarus Group": [[90, 103]], "VULNERABILITY: process injection": [[277, 294]]}, "info": {"source": "apt_reports", "name": "FULLHOUSE"}} +{"text": "This multi-platform malware is a ObjectiveC written macOS variant dubbed GIMMICK by Volexity. 
This malware is a file-based C2 implant used by Storm Cloud.", "spans": {"MALWARE: GIMMICK": [[73, 80]], "THREAT_ACTOR: Storm Cloud": [[142, 153]], "SYSTEM: macOS": [[52, 57]], "ORGANIZATION: Volexity": [[84, 92]]}, "info": {"source": "apt_reports", "name": "GIMMICK"}} +{"text": "According to PCrisk, GMERA (also known as Kassi trojan) is malicious software that disguises itself as Stockfolio, a legitimate trading app created for Mac users.\r\n\r\nResearch shows that there are two variants of this malware, one detected as Trojan.MacOS.GMERA.A and the other as Trojan.MacOS.GMERA.B. Cyber criminals proliferate GMERA to steal various information and upload it to a website under their control. To avoid damage caused by this malware, remove GMERA immediately.", "spans": {"MALWARE: GMERA": [[21, 26], [255, 260], [293, 298], [330, 335], [460, 465]], "MALWARE: Kassi": [[42, 47]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Gmera"}} +{"text": "According to Malwarebytes, The HiddenLotus \"dropper\" is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.", "spans": {"MALWARE: HiddenLotus": [[31, 42]], "SYSTEM: Adobe Acrobat": [[173, 186]]}, "info": {"source": "apt_reports", "name": "HiddenLotus"}} +{"text": "The threat was a multi-stage malware displaying a decoy that appeared to the victim as a Chinese language article on the long-running dispute over the Diaoyu Islands; an array of erotic pictures; or images of Tibetan organisations. 
It consisted of two stages: Revir was the dropper/downloader and Imuler was the backdoor capable of the following operations:\r\n\r\n- capture screenshots\r\n- exfiltrate files to a remote computer\r\n- send various information about the infected computer\r\n- extract ZIP archive\r\n- download files from a remote computer and/or the Internet\r\n- run executable files", "spans": {"MALWARE: Imuler": [[297, 303]], "MALWARE: Revir": [[260, 265]]}, "info": {"source": "apt_reports", "name": "iMuler"}} +{"text": "RAT. Functionality like ExecShell, GetFileList/SendFile/DownloadFile, Socks5, PortmapManager/GetConn/SendConn. Transport also supports Quic.\r\n\r\nVariants in GO.", "spans": {}, "info": {"source": "apt_reports", "name": "InsidiousGh0st"}} +{"text": "According to Patrick Wardle, this malware persists a python script as a cron job. \r\nSteps: \r\n1. Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'. \r\n2. Appends its new job to this file.\r\n3. Once the new cron job has been added 'python (~/.t/runner.pyc)' runs every minute.", "spans": {"FILEPATH: /tmp/dump'.": [[177, 188]], "SYSTEM: Python": [[96, 102]]}, "info": {"source": "apt_reports", "name": "Janicab"}} +{"text": "According to SentinelOne, KeySteal targets files with the .keychain and keychain-db file extensions in the following locations.", "spans": {"MALWARE: KeySteal": [[26, 34]], "SYSTEM: SentinelOne": [[13, 24]]}, "info": {"source": "apt_reports", "name": "KeySteal"}} +{"text": "According to Volexity, LIGHTSPY is a multi-platform malware family with documented variants for Android, iOS, and macOS.", "spans": {"MALWARE: LIGHTSPY": [[23, 31]], "SYSTEM: macOS": [[114, 119]], "SYSTEM: Android": [[96, 103]], "SYSTEM: iOS": [[105, 108]], "ORGANIZATION: Volexity": [[13, 21]]}, "info": {"source": "apt_reports", "name": "LIGHTSPY"}} +{"text": "According to PcRisk, Research shows that the OceanLotus 'backdoor' targets MacOS computers. 
Cyber criminals behind this backdoor have already used this malware to attack human rights and media organizations, some research institutes, and maritime construction companies.\r\n\r\nThe OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (it is likely that threat authors distribute the document via malspam emails).", "spans": {"MALWARE: OceanLotus": [[45, 55], [278, 288]], "SYSTEM: Adobe Flash": [[324, 335]]}, "info": {"source": "apt_reports", "name": "OceanLotus"}} +{"text": "SentinelOne describes this as a malware written in Go, mixing own custom code with code from public repositories.", "spans": {"SYSTEM: SentinelOne": [[0, 11]], "SYSTEM: Go": [[51, 53]]}, "info": {"source": "apt_reports", "name": "oRAT"}} +{"text": "This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software like Adobe Premiere Pro or Microsoft Office for Mac.\r\n\r\nThe downloaded torrent contained an application bundle in the form of a single zip file. After launching the fake application, the main window of the fake cracking tool was displayed.\r\n\r\nThe file encryption process was launched after the misguided victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and set it as the key for RC4 encryption of all of the user's files. It then demanded ransom in Bitcoin, as instructed in the 'README!' .txt file copied all over the user's directories.\r\n\r\nDespite the instructions being quite thorough, Patcher lacked the functionality to communicate with any C&C server, and therefore made it impossible for its operators to decrypt affected files. 
The randomly generated encryption key was also too long to be guessed via a brute-force attack, leaving the encrypted data unrecoverable in a reasonable amount of time.", "spans": {"MALWARE: Patcher": [[123, 130], [816, 823]], "SYSTEM: macOS": [[27, 32]], "SYSTEM: Microsoft Office": [[210, 226]], "ORGANIZATION: Microsoft": [[210, 219]], "VULNERABILITY: brute-force": [[1039, 1050]]}, "info": {"source": "apt_reports", "name": "Patcher"}} +{"text": "Backdoor as a fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string.", "spans": {}, "info": {"source": "apt_reports", "name": "PintSized"}} +{"text": "Part of Mythic C2, written in Golang.", "spans": {"TOOL: Mythic": [[8, 14]]}, "info": {"source": "apt_reports", "name": "Poseidon"}} +{"text": "macOS infostealer sold by an individual named Rodrigo4, currently consisting of a disk image containing a Mach-O without app bundle, which when executed spawns osascript executing an AppleScript with the actual infostealer payload. The AppleScript payload will steal files by packing them in a ZIP archive and uploading them to a hardcoded C2 via HTTP.", "spans": {"SYSTEM: macOS": [[0, 5]]}, "info": {"source": "apt_reports", "name": "Poseidon Stealer"}} +{"text": "Proton RAT is a Remote Access Trojan (RAT) specifically designed for macOS systems. It is known for providing attackers with complete remote control over the infected system, allowing the execution of commands, keystroke capturing, access to the camera and microphone, and the ability to steal credentials stored in browsers and other password managers. This malware typically spreads through malicious or modified applications, which, when downloaded and installed by unsuspecting users, trigger its payload. 
Proton RAT is notorious for its sophistication and evasion capabilities, including techniques to bypass detection by installed security solutions.", "spans": {"MALWARE: Proton RAT": [[0, 10], [510, 520]], "SYSTEM: macOS": [[69, 74]], "MALWARE: Proton": [[0, 6], [510, 516]]}, "info": {"source": "apt_reports", "name": "Proton RAT"}} +{"text": "According to SentinelOne, this is an infostealer, targeting among other things the encrypted database of Zoom.", "spans": {"SYSTEM: Zoom": [[105, 109]], "SYSTEM: SentinelOne": [[13, 24]]}, "info": {"source": "apt_reports", "name": "Pureland"}} +{"text": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.", "spans": {"MALWARE: Global": [[76, 82]]}, "info": {"source": "apt_reports", "name": "Pwnet"}} +{"text": "Dok a.k.a. Retefe is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper usually malspammed in an app bundle within a DMG disk image, posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy pac URL, in order to redirect traffic to targeted sites through their Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.", "spans": {"MALWARE: Dok": [[0, 3]], "MALWARE: Retefe": [[11, 17], [61, 67]], "TOOL: Tor": [[246, 249], [375, 378]], "SYSTEM: macOS": [[25, 30], [538, 543]], "SYSTEM: Windows": [[605, 612]], "ORGANIZATION: Apple": [[512, 517]], "ORGANIZATION: VirusTotal": [[522, 532]], "VULNERABILITY: MITM": [[412, 416]]}, "info": {"source": "apt_reports", "name": "Dok"}} +{"text": "According to PCrisk, Shlayer is a trojan-type virus designed to proliferate various adware and other unwanted applications, and promote fake search engines. 
It is typically disguised as a Adobe Flash Player installer and various software cracking tools.\r\n\r\nIn most cases, users encounter this virus when visiting dubious Torrent websites that are full of intrusive advertisements and deceptive downloads.", "spans": {"MALWARE: Shlayer": [[21, 28]], "SYSTEM: Adobe Flash": [[188, 199]], "ORGANIZATION: PCrisk": [[13, 19]]}, "info": {"source": "apt_reports", "name": "Shlayer"}} +{"text": "According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but has been distributed without payload so far.", "spans": {"MALWARE: Silver Sparrow": [[25, 39]], "ORGANIZATION: Apple": [[105, 110]], "ORGANIZATION: Red Canary": [[13, 23]]}, "info": {"source": "apt_reports", "name": "Silver Sparrow"}} +{"text": "SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea).\r\n\r\nIt also shares similarities with POOLRAT (also known as SIMPLESEA), like the supported commands or a single-byte XOR encryption of its configuration. However, the indices of commands are different.\r\n\r\nSimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023.", "spans": {"MALWARE: SimpleTea": [[0, 9], [82, 91], [320, 329]], "SYSTEM: macOS": [[23, 28], [334, 339]], "SYSTEM: Linux": [[96, 101]], "ORGANIZATION: VirusTotal": [[356, 366]], "MALWARE: SimplexTea": [[103, 113]]}, "info": {"source": "apt_reports", "name": "SimpleTea"}} +{"text": "General purpose backdoor", "spans": {}, "info": {"source": "apt_reports", "name": "systemd"}} +{"text": "According to Mandiant, WAVESHAPER is a backdoor written in C++ and packed by an unknown packer that targets macOS. The backdoor supports downloading and executing arbitrary payloads retrieved from its command-and-control (C2 or C&C) server, which is provided via the command-line parameters. 
To communicate with the adversary infrastructure, WAVESHAPER leverages the curl library for either HTTP or HTTPS, depending on the command-line argument provided.\r\nWAVESHAPER also runs as a daemon by forking itself into a child process that runs in the background detached from the parent session and collects system information, which is sent to the C&C server in a HTTP POST request.", "spans": {"MALWARE: WAVESHAPER": [[23, 33], [342, 352], [456, 466]], "TOOL: curl": [[367, 371]], "SYSTEM: macOS": [[108, 113]], "ORGANIZATION: Mandiant": [[13, 21]]}, "info": {"source": "apt_reports", "name": "WAVESHAPER"}} +{"text": "Xloader is a Rebranding of Formbook malware (mainly a stealer), available for macOS as well.\r\n\r\nFormbook has a \"magic\"-value FBNG (FormBook-NG), while Xloader has a \"magic\"-value XLNG (XLoader-NG). This \"magic\"-value XLNG is platform-independent.\r\n\r\n\r\nNot to be confused with apk.xloader or ios.xloader.", "spans": {"MALWARE: Xloader": [[0, 7], [151, 158]], "MALWARE: Formbook": [[27, 35], [96, 104]], "SYSTEM: macOS": [[78, 83]], "MALWARE: XLoader": [[185, 192]]}, "info": {"source": "apt_reports", "name": "Xloader"}} +{"text": "A malware that was observed being embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites pushed in search engines. 
It uses a Python script to perform reconnaissance on the compromised system an pulls additional payload(s).", "spans": {"SYSTEM: Python": [[174, 180]]}, "info": {"source": "apt_reports", "name": "ZuRu"}} +{"text": "Ani-Shell is a simple PHP shell with some unique features like Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Back Connect, Auto Rooter etc.", "spans": {"MALWARE: Ani-Shell": [[0, 9]], "SYSTEM: PHP": [[22, 25]]}, "info": {"source": "apt_reports", "name": "Ani-Shell"}} +{"text": "Antak is a webshell written in ASP.Net which utilizes PowerShell.", "spans": {"MALWARE: Antak": [[0, 5]], "TOOL: PowerShell": [[54, 64]]}, "info": {"source": "apt_reports", "name": "ANTAK"}} +{"text": "ASPXSpy is an open-source web shell written in C# that allows a threat actor to accomplish various post-exploitation tasks, including file access and command execution.", "spans": {"MALWARE: ASPXSpy": [[0, 7]]}, "info": {"source": "apt_reports", "name": "ASPXSpy"}} +{"text": "A webshell for multiple web languages (asp/aspx, jsp/jspx, php), openly distributed through Github.", "spans": {}, "info": {"source": "apt_reports", "name": "Behinder"}} +{"text": "C99shell is a PHP backdoor that provides a lot of functionality, for example:\r\n\r\n\r\n* run shell commands;\r\n* download/upload files from and to the server (FTP functionality);\r\n* full access to all files on the hard disk;\r\n* self-delete functionality.", "spans": {"MALWARE: C99shell": [[0, 8]], "SYSTEM: PHP": [[14, 17]]}, "info": {"source": "apt_reports", "name": "c99shell"}} +{"text": "FireEye discovered the DEWMODE webshell starting mid-December 2020 after exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance. It is a PHP webshell that allows threat actors to view and download files in the victim machine. 
It also contains cleanup function to remove itself and clean the Apache log.", "spans": {"MALWARE: DEWMODE": [[23, 30]], "SYSTEM: PHP": [[162, 165]], "SYSTEM: Apache": [[316, 322]], "ORGANIZATION: FireEye": [[0, 7]], "VULNERABILITY: zero-day": [[89, 97]]}, "info": {"source": "apt_reports", "name": "DEWMODE"}} +{"text": "PHP/JavaScript malware for WordPress that injects multi-stage scripts, turning compromised sites into distributed TDS/C2 nodes. Delivers signed payloads, maintains persistence via helper files, and redirects traffic to monetized scam networks.", "spans": {"SYSTEM: PHP": [[0, 3]], "SYSTEM: WordPress": [[27, 36]]}, "info": {"source": "apt_reports", "name": "DollyWay"}} +{"text": "According to Xlab, Glutton is a modular PHP fileless attack framework, capable of data exfiltration and running backdoors.", "spans": {"MALWARE: Glutton": [[19, 26]], "SYSTEM: PHP": [[40, 43]]}, "info": {"source": "apt_reports", "name": "Glutton"}} +{"text": "In combination with Parrot TDS the usage of a classical web shell was observed by DECODED Avast.io.", "spans": {"DOMAIN: Avast.io": [[90, 98]], "SYSTEM: Avast": [[90, 95]], "MALWARE: Parrot TDS": [[20, 30]]}, "info": {"source": "apt_reports", "name": "Parrot TDS WebShell"}} +{"text": "Backdoor written in php", "spans": {}, "info": {"source": "apt_reports", "name": "Prometheus Backdoor"}} +{"text": "According to Cisco Talos, this is multi-stage malware framework, implemented in PowerShell and C#, that possesses robust functionality, including the ability to deliver follow-on modules including an information stealer, keylogger, screen capture collector and more. It also establishes persistence to continue operations following system reboots. The design of this malware framework appears to attempt to minimize artifacts left on infected systems by facilitating the delivery and execution of modules in-memory, without requiring them to be written to disk. 
Due to similarities in the design and implementation with the malware family AHK Bot, we are referring to this PowerShell-based malware as “PS1Bot.”", "spans": {"MALWARE: PS1Bot": [[702, 708]], "TOOL: PowerShell": [[80, 90], [673, 683]], "SYSTEM: Cisco": [[13, 18]], "ORGANIZATION: Talos": [[19, 24]], "ORGANIZATION: Cisco Talos": [[13, 24]], "VULNERABILITY: keylogger": [[221, 230]], "VULNERABILITY: screen capture": [[232, 246]]}, "info": {"source": "apt_reports", "name": "PS1Bot"}} +{"text": "A PHP webshell that allows file system management, data exfiltration and command execution.", "spans": {"SYSTEM: PHP": [[2, 5]]}, "info": {"source": "apt_reports", "name": "php.shin_webshell"}} +{"text": "Ransomware.", "spans": {}, "info": {"source": "apt_reports", "name": "BlackSun"}} +{"text": "According to CERT-UA, COOKBOX is a PowerShell script that implements the functionality of downloading and executing PowerShell cmdlets. For each affected computer, a unique identifier is calculated using cryptographic transformations (SHA256/MD5 hash functions) based on a combination of computer name and disk serial number, which is transmitted in the “X-Cookie” header of HTTP requests when interacting with the management server. The persistence of the backdoor is ensured by the corresponding key in the Run branch of the operating system (OS) registry, which is created at the stage of the initial infection by a third-party PowerShell script (including the COOKBOX deployer). 
As a rule, obfuscation elements are used in the program code: chr-character encoding, character replacement (replace()), base64 conversion, GZIP compression.", "spans": {"MALWARE: COOKBOX": [[22, 29], [664, 671]], "TOOL: PowerShell": [[35, 45], [116, 126], [631, 641]], "TOOL: replace": [[792, 799]], "ORGANIZATION: CERT-UA": [[13, 20]]}, "info": {"source": "apt_reports", "name": "COOKBOX"}} +{"text": "According to Trend Micro, DarkWisp is a PowerShell-based backdoor and reconnaissance utility designed for unauthorized system access and intelligence gathering. It enables attackers to exfiltrate sensitive data while maintaining persistent control over the compromised system. The malware collects extensive information about the compromised system to create a detailed profile. It determines whether the user has administrative privileges, checks for membership in a corporate domain, and identifies the presence of cryptocurrency wallets or VPN software by scanning specified directories and applications. It also gathers data about the system's operating environment, including public IP address, geographic location, installed antivirus products, firewall status, and system uptime. This information is compiled into a structured format and transmitted to the C&C server.", "spans": {"MALWARE: DarkWisp": [[26, 34]], "TOOL: PowerShell": [[40, 50]], "SYSTEM: Trend Micro": [[13, 24]], "SYSTEM: VPN": [[543, 546]]}, "info": {"source": "apt_reports", "name": "DarkWisp"}} +{"text": "A loader written in Powershell, usually delivered packaged in MSI/MSIX files.", "spans": {}, "info": {"source": "apt_reports", "name": "EugenLoader"}} +{"text": "Loader used to deliver FRat (see family windows.frat)", "spans": {"MALWARE: FRat": [[23, 27]]}, "info": {"source": "apt_reports", "name": "FRat Loader"}} +{"text": "The malware ftcode is a ransomware which encrypts files and changes their extension into .FTCODE. 
It later asks for a ransom in order to release the decryption key, mandatory to recover your files. It is infamous for attacking Italy pretending to be a notorious telecom provider asking for due payments.", "spans": {"MALWARE: FTCODE": [[90, 96]]}, "info": {"source": "apt_reports", "name": "FTCODE"}} +{"text": "According to TRAC Labs, the GhostWeaver backdoor not only maintains continuous, authenticated communication with its command-and-control server but also includes functionalities to generate DGA domains (using a fixed-seed algorithm based on the week number and year), deliver additional payloads via remote commands and bypass certificate validation by leveraging a RemoteCertificateValidationCallback that always returns true. Multiple delivered plugins are designed to target sensitive information - including credentials from popular browsers (Brave, Chrome, Firefox, Edge), Outlook data, and cryptocurrency wallets. The Formgrabber plugin includes web injection methods by dynamically manipulating HTML content, modifying JA3 fingerprints via cipher suite reordering, and employing a man-in-the-middle proxy setup to intercept the traffic. GhostWeaver’s and plugins’ delivery on systems that are not part of an Active Directory domain suggests that attackers are extending their reach beyond typical corporate targets, aligning with a financially motivated agenda that exploits environments with weaker security controls.", "spans": {"MALWARE: GhostWeaver": [[28, 39], [844, 855]], "SYSTEM: Edge": [[571, 575]], "SYSTEM: Chrome": [[554, 560]], "SYSTEM: Firefox": [[562, 569]], "SYSTEM: Brave": [[547, 552]], "SYSTEM: Outlook": [[578, 585]], "SYSTEM: Active Directory": [[915, 931]], "VULNERABILITY: man-in-the-middle": [[788, 805]]}, "info": {"source": "apt_reports", "name": "GhostWeaver"}} +{"text": "The author describes this open source shell as follows. \r\nHTTP-Shell is Multiplatform Reverse Shell. 
This tool helps you to obtain a shell-like interface on a reverse connection over HTTP. Unlike other reverse shells, the main goal of the tool is to use it in conjunction with Microsoft Dev Tunnels, in order to get a connection as close as possible to a legitimate one.\r\n\r\nThis shell is not fully interactive, but displays any errors on screen (both Windows and Linux), is capable of uploading and downloading files, has command history, terminal cleanup (even with CTRL+L), automatic reconnection, movement between directories and supports sudo (or sudo su) on Linux-based OS.", "spans": {"MALWARE: HTTP-Shell": [[58, 68]], "SYSTEM: Windows": [[451, 458]], "SYSTEM: Linux": [[463, 468], [663, 668]], "ORGANIZATION: Microsoft": [[277, 286]]}, "info": {"source": "apt_reports", "name": "HTTP-Shell"}} +{"text": "According to EclecticIQ, Kalambur is designed to gather local system information, then download a repackaged TOR binary inside a ZIP file and retrieve additional tools from what is likely an attacker-controlled TOR onion site.", "spans": {"MALWARE: Kalambur": [[25, 33]]}, "info": {"source": "apt_reports", "name": "Kalambur"}} +{"text": "According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.", "spans": {"MALWARE: LightBot": [[50, 58]]}, "info": {"source": "apt_reports", "name": "LightBot"}} +{"text": "According to ESET Research, this malware is used by LongNosedGoblin and executes a chain of obfuscated commands passed to a spawned PowerShell process as one long command line argument, meaning that the script is not stored on disk. Every subsequent stage is encoded with base64, where the last one is additionally deflated with gzip. The second stage bypasses AMSI. 
In this case, NosyDownloader uses Matt Graeber’s reflection method and disabling script logging techniques made available on GitHub to bypass AMSI.", "spans": {"MALWARE: NosyDownloader": [[381, 395]], "THREAT_ACTOR: LongNosedGoblin": [[52, 67]], "TOOL: PowerShell": [[132, 142]], "SYSTEM: GitHub": [[492, 498]], "SYSTEM: ESET": [[13, 17]]}, "info": {"source": "apt_reports", "name": "NosyDownloader"}} +{"text": "The author describes Octopus as an \"open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S.\"\r\n\r\nIt is different from the malware win.octopus written in Delphi and attributed to DustSquad by Kaspersky Labs.", "spans": {"MALWARE: Octopus": [[21, 28], [110, 117]], "THREAT_ACTOR: DustSquad": [[236, 245]], "TOOL: powershell": [[118, 128]], "SYSTEM: Kaspersky": [[249, 258]]}, "info": {"source": "apt_reports", "name": "Octopus"}} +{"text": "PowerHarbor is a modular PowerShell-based malware that consists of various modules. The primary module maintains constant communication with the C2 server, executing and deleting additional modules received from it. Currently, the communication with the C2 server is encrypted using RSA encryption and hardcoded key data. Moreover, the main module incorporates virtual machine (VM) detection capabilities. 
The StealData module employs the Invoke-Stealer function as its core, enabling the theft of system information, browser-stored credentials, cryptocurrency wallet details, and credentials for various applications like Telegram, FileZilla, and WinSCP.", "spans": {"MALWARE: PowerHarbor": [[0, 11]], "TOOL: PowerShell": [[25, 35]], "TOOL: WinSCP": [[648, 654]], "SYSTEM: Telegram": [[623, 631]], "ORGANIZATION: RSA": [[283, 286]]}, "info": {"source": "apt_reports", "name": "PowerHarbor"}} +{"text": "According to Insikt Group, PowerNet is a custom Powershell loader that decompresses and executes NetSupport RAT.", "spans": {"MALWARE: PowerNet": [[27, 35]], "TOOL: NetSupport": [[97, 107]]}, "info": {"source": "apt_reports", "name": "PowerNet"}} +{"text": "This powershell code is a PowerShell written backdoor used by FIN7. Regarding to Mandiant that is was revealed to be a \"vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server.\"", "spans": {"THREAT_ACTOR: FIN7": [[62, 66]], "TOOL: PowerShell": [[26, 36]], "TOOL: powershell": [[5, 15]], "ORGANIZATION: Mandiant": [[81, 89]]}, "info": {"source": "apt_reports", "name": "POWERPLANT"}} +{"text": "POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. 
The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.", "spans": {"MALWARE: POWERSOURCE": [[0, 11]]}, "info": {"source": "apt_reports", "name": "POWERSOURCE"}} +{"text": "POWERSTATS is a backdoor written in powershell.\r\nIt has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.", "spans": {"MALWARE: POWERSTATS": [[0, 10]], "TOOL: powershell": [[36, 46]], "SYSTEM: Microsoft Office": [[79, 95]], "ORGANIZATION: Microsoft": [[79, 88]]}, "info": {"source": "apt_reports", "name": "POWERSTATS"}} +{"text": "This PowerShell written malware is an in-memory dropper used by FIN7 to execute the included/embedded payload. According to Mandiant's blog article: \"POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub.\"", "spans": {"MALWARE: POWERTRASH": [[150, 160]], "THREAT_ACTOR: FIN7": [[64, 68]], "TOOL: PowerShell": [[5, 15]], "TOOL: PowerSploit": [[235, 246]], "SYSTEM: GitHub": [[270, 276]], "ORGANIZATION: Mandiant": [[124, 132]]}, "info": {"source": "apt_reports", "name": "POWERTRASH"}} +{"text": "PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. 
PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.", "spans": {"MALWARE: PowerZure": [[0, 9], [116, 125]], "TOOL: PowerShell": [[15, 25]], "SYSTEM: Azure": [[109, 114], [227, 232]], "ORGANIZATION: Microsoft": [[81, 90]]}, "info": {"source": "apt_reports", "name": "PowerZure"}} +{"text": "DLL loader that decrypts and runs a powershell-based downloader.", "spans": {"TOOL: powershell": [[36, 46]]}, "info": {"source": "apt_reports", "name": "PowGoop"}} +{"text": "The family is adding a fake root certificate authority, sets a proxy.pac-url for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on information shared, it seems the PowerShell script is dropped by an exploit kit.", "spans": {"TOOL: PowerShell": [[226, 236]]}, "info": {"source": "apt_reports", "name": "PresFox"}} +{"text": "A set of powershell scripts, using services like Google Docs and Dropbox as C2.", "spans": {"TOOL: powershell": [[9, 19]], "ORGANIZATION: Google": [[49, 55]]}, "info": {"source": "apt_reports", "name": "RandomQuery"}} +{"text": "According to Trellix, this is a first-stage, powershell-based malware dropped via Excel/VBS. It is able to establish a foothold and exfiltrate data. Targets identified include hotels in Macao.", "spans": {"TOOL: powershell": [[45, 55]], "ORGANIZATION: Trellix": [[13, 20]]}, "info": {"source": "apt_reports", "name": "RMOT"}} +{"text": "Toolkit downloader used by Royal Ransomware group, involving GnuPG for decryption.", "spans": {"MALWARE: Royal": [[27, 32]]}, "info": {"source": "apt_reports", "name": "Royal Ransom"}} +{"text": "According to Trend Micro, SilentPrism is a backdoor malware designed to achieve persistence, dynamically execute shell commands, and maintain unauthorized remote control of compromised systems. 
It implements persistence mechanisms differently based on user privileges: for non-administrative users, it leverages the Windows registry to create auto-run entries using mshta.exe combined with VBScript to download and execute remote payloads; for administrative users, it deploys scheduled tasks with similar execution methods. SilentPrism retrieves additional payloads and instructions from a C&C server, ensuring modular functionality. The malware communicates with its C&C server using encrypted channels, employing AES encryption and Base64 encoding to obfuscate data. Commands received are decrypted and executed in various ways, including direct PowerShell script execution, dynamic script block creation, or job-based execution. Each task is tracked using unique identifiers, allowing the malware to monitor execution states and return results to the server. SilentPrism incorporates anti-analysis techniques such as virtual machine detection and randomized sleep intervals (ranging from 300 to 700 milliseconds) between operations, making its behavior less predictable. Additionally, it continuously polls the C&C server for commands, enabling operators to dynamically control infected systems.", "spans": {"MALWARE: SilentPrism": [[26, 37], [525, 536], [1063, 1074]], "TOOL: PowerShell": [[849, 859]], "TOOL: mshta": [[366, 371]], "SYSTEM: Windows": [[316, 323]], "SYSTEM: Trend Micro": [[13, 24]]}, "info": {"source": "apt_reports", "name": "SilentPrism"}} +{"text": "sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. 
sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.", "spans": {"MALWARE: sLoad": [[0, 5], [290, 295]], "TOOL: PowerShell": [[11, 21]], "SYSTEM: Citrix": [[268, 274]], "SYSTEM: Outlook": [[239, 246]], "MALWARE: Ramnit": [[63, 69]]}, "info": {"source": "apt_reports", "name": "sLoad"}} +{"text": "Recon and exfiltration script, dropped from a LNK file. Attributed to APT-C-12.", "spans": {"THREAT_ACTOR: APT-C-12": [[70, 78]]}, "info": {"source": "apt_reports", "name": "Unidentified PS 001"}} +{"text": "A Powershell-based RAT capable of pulling further payloads, delivered through Russia-themed phishing mails.", "spans": {"VULNERABILITY: phishing": [[92, 100]]}, "info": {"source": "apt_reports", "name": "Unidentified PS 002 (RAT)"}} +{"text": "This malware is a RAT written in PowerShell. It has the following capabilities: Downloading and Uploading files, loading and execution of a PowerShell script, execution of a specific command. It was observed by Malwarebytes LABS Threat Intelligence Team in a newly discovered campaign: this campaigns tries to lure Germans with a promise of updates on the current threat situation in Ukraine according to Malwarebyte LABS.", "spans": {"TOOL: PowerShell": [[33, 43], [140, 150]]}, "info": {"source": "apt_reports", "name": "Unidentified PS 003 (RAT)"}} +{"text": "According to CERT-UA, this is a stealer targeting a range of file extensions and creating screenshots of the compromised machine to be then uploaded via cURL.", "spans": {"ORGANIZATION: CERT-UA": [[13, 20]]}, "info": {"source": "apt_reports", "name": "WRECKSTEEL"}} +{"text": "According to Fortinet, Amnesia RAT is written in Python and designed for broad, multi-category data theft combined with real-time surveillance and system control. 
Its capabilities include: Browser credentials and session data, Telegram Desktop session hijacking, Seed phrase discovery and clipboard monitoring, Discord and Steam data theft, Cryptocurrency wallets and financial assets, System and hardware intelligence, Screen, audio, and activity surveillance, Process and system control, Persistence, multiple exfiltration channels.", "spans": {"MALWARE: Amnesia RAT": [[23, 34]], "SYSTEM: Fortinet": [[13, 21]], "SYSTEM: Python": [[49, 55]], "SYSTEM: Telegram": [[228, 236]], "SYSTEM: Discord": [[312, 319]], "VULNERABILITY: session hijacking": [[245, 262]]}, "info": {"source": "apt_reports", "name": "Amnesia RAT"}} +{"text": "According to Laceworks, this is a SMTP cracker, which is primarily intended to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework and the Laravel .env file is often targeted for its various configuration data including AWS, SendGrid and Twilio. AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitation of exposed creds and APIs, and even deployment of webshells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute force attacks. However, the brute force capability is likely a novelty and is a statistically unlikely attack vector.", "spans": {"MALWARE: AndroxGh0st": [[312, 323]], "SYSTEM: PHP": [[183, 186]], "SYSTEM: AWS": [[286, 289], [465, 468], [516, 519]], "VULNERABILITY: brute force": [[571, 582], [605, 616]]}, "info": {"source": "apt_reports", "name": "AndroxGh0st"}} +{"text": "According to Prodaft, this is a Python-based backdoor used by the Savage Ladybug (FIN7) group is developed to provide remote access, execute commands, and steal data. 
It is obfuscated to avoid detection.", "spans": {"THREAT_ACTOR: FIN7": [[82, 86]], "SYSTEM: Python": [[32, 38]]}, "info": {"source": "apt_reports", "name": "Anubis Backdoor"}} +{"text": "Ares is a Python RAT.", "spans": {"MALWARE: Ares": [[0, 4]], "SYSTEM: Python": [[10, 16]]}, "info": {"source": "apt_reports", "name": "Ares"}} +{"text": "Stealer written in Python 3, typically distributed bundled via PyInstaller.", "spans": {"SYSTEM: Python": [[19, 25]]}, "info": {"source": "apt_reports", "name": "BlankGrabber"}} +{"text": "According to K7 Security Labs, Braodo Stealer is written in Python and collects all cookies and saved credentials from the browsers and all services and process information of that particular system as a zip file, which is then exfiltrated to a Telegram Channel.", "spans": {"MALWARE: Braodo": [[31, 37]], "SYSTEM: Python": [[60, 66]], "SYSTEM: Telegram": [[245, 253]]}, "info": {"source": "apt_reports", "name": "Braodo"}} +{"text": "According to CERT-UA, this is a PyArmor-protected backdoor capable of execution dynamically downloaded Python code.", "spans": {"SYSTEM: Python": [[103, 109]], "ORGANIZATION: CERT-UA": [[13, 20]]}, "info": {"source": "apt_reports", "name": "CHERRYSPY"}} +{"text": "Creal is an open-source grabber/credential stealer that was originally made by a GitHub user named Ayhuuu, who even advertised a \"premium\" version on his now-deleted Telegram channel @Crealstealer. To the day of release, it was already not FUD, but its open-source nature made it attractive for threat actors to modify the base malware and even obfuscate it for less detection ratios. The base project came with a compiler, and the general source code the compiler used was PyInstaller for compilation into native formats like exe. 
For C2, Discord webhooks were utilized, which in later versions got protected with a service called https://stealer.to to make deletion not possible.\r\n\r\nIt Compromised following Data on Execution:\r\n\r\n* Discord Information\r\n* Browser Data\r\n* Crypto Related Data\r\n* Steam\r\n* Riot Games\r\n* Telegram\r\n* System Information\r\n* Tokens/Secrets", "spans": {"URL: https://stealer.to": [[632, 650]], "SYSTEM: GitHub": [[81, 87]], "SYSTEM: Telegram": [[166, 174], [819, 827]], "SYSTEM: Discord": [[540, 547], [734, 741]]}, "info": {"source": "apt_reports", "name": "Creal Stealer"}} +{"text": "Discord Stealer written in Python with Javascript-based inject files.", "spans": {"SYSTEM: Python": [[27, 33]], "SYSTEM: Discord": [[0, 7]]}, "info": {"source": "apt_reports", "name": "Empyrean"}} +{"text": "Ransomware written in Python.", "spans": {"SYSTEM: Python": [[22, 28]]}, "info": {"source": "apt_reports", "name": "Evil Ant"}} +{"text": "According to Kaspersky Labs, Guard is a malware developed by threat actor WildPressure. It is written in Python and packaged using PyInstaller, both for Windows and macOS operating systems. Its intrinsics resemble parts of how win.milum operates.", "spans": {"MALWARE: Guard": [[29, 34]], "THREAT_ACTOR: WildPressure": [[74, 86]], "SYSTEM: macOS": [[165, 170]], "SYSTEM: Kaspersky": [[13, 22]], "SYSTEM: Windows": [[153, 160]], "SYSTEM: Python": [[105, 111]]}, "info": {"source": "apt_reports", "name": "Guard"}} +{"text": "According to CERT-UA, LAMEHUG uses an LLM (Qwen) to dynamically generate commands to gather basic information about a computer and recursively exfiltrate Office documents from a set of folders, to be uploaded either by SFTP or HTTP POST requests.", "spans": {"MALWARE: LAMEHUG": [[22, 29]], "ORGANIZATION: CERT-UA": [[13, 20]]}, "info": {"source": "apt_reports", "name": "LAMEHUG"}} +{"text": "The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. 
It has been developed for the purpose of finding these passwords for the most commonly-used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.", "spans": {"TOOL: LaZagne": [[21, 28]], "SYSTEM: Windows": [[309, 316]], "SYSTEM: Python": [[237, 243]], "SYSTEM: Linux": [[293, 298]]}, "info": {"source": "apt_reports", "name": "LaZagne"}} +{"text": "This RAT written in Python is an open-source fork of the Ares RAT. This malware integrates additional modules, like recording, lockscreen, and locate options. It was used in a customized form version by El Machete APT in an ongoing champaign since 2020. The original code can be found at: https://github.com/TheGeekHT/Loki.Rat/", "spans": {"URL: https://github.com/TheGeekHT/Loki.Rat/": [[289, 327]], "THREAT_ACTOR: El Machete": [[203, 213]], "SYSTEM: Python": [[20, 26]], "MALWARE: Loki": [[318, 322]], "MALWARE: Machete": [[206, 213]], "MALWARE: Ares": [[57, 61]]}, "info": {"source": "apt_reports", "name": "Loki RAT"}} +{"text": "An IRC bot written in (obfuscated) Python code. Distributed in attack campaign FreakOut, written by author Freak/Fl0urite and development potentially dating back as far as 2015.", "spans": {"MALWARE: FreakOut": [[79, 87]], "SYSTEM: Python": [[35, 41]]}, "info": {"source": "apt_reports", "name": "N3Cr0m0rPh"}} +{"text": "According to eSentire, NightshadeC2 demonstrates an extensive capability set, including: Reverse shell via Command Prompt/PowerShell; Download and execute DLL or EXE; Self-deletion; Remote control; Screen capture; Hidden web browsers; Keylogging; clipboard content capturing. 
Certain variants have been found with stealing capabilities that enable the extraction of browser passwords and cookies from victim systems for both Gecko and Chromium based browsers.", "spans": {"MALWARE: NightshadeC2": [[23, 35]], "TOOL: PowerShell": [[122, 132]]}, "info": {"source": "apt_reports", "name": "NightshadeC2"}} +{"text": "According to CERT-UA, this malware establishes a connection to the management server using web sockets and/or MQTT, data is transmitted in JSON format. Based on basic information about the computer (MAC address, BIOS serial number, disk and processor ID), it generates a unique device identifier using the SHA-256 algorithm (the first 16 bytes are used). It ensures the execution of the program code received from the server. Persistence is achieved by creating an entry in the Run branch of the operating system registry.", "spans": {"SYSTEM: BIOS": [[212, 216]], "ORGANIZATION: CERT-UA": [[13, 20]]}, "info": {"source": "apt_reports", "name": "PLUGGYAPE"}} +{"text": "Cisco Talos has discovered a Python-based RAT they call Poet RAT. It is dropped from a Word document and delivered including a Python interpreter and required libraries. The name originates from references to Shakespeare. Exfiltration happens through FTP.", "spans": {"MALWARE: Poet RAT": [[56, 64]], "SYSTEM: Cisco": [[0, 5]], "SYSTEM: Python": [[29, 35], [127, 133]], "ORGANIZATION: Talos": [[6, 11]], "ORGANIZATION: Cisco Talos": [[0, 11]]}, "info": {"source": "apt_reports", "name": "Poet RAT"}} +{"text": "PXA Stealer is an information-stealing malware written in Python, identified by Cisco Talos in an active campaign attributed to a Vietnamese-speaking threat actor (2024). The stealer targets sensitive data such as credentials for online accounts, VPN and FTP clients, financial information, browser cookies, and gaming-related data. Notably, PXA Stealer is capable of decrypting browser master passwords to exfiltrate stored credentials. 
The campaign leverages heavily obfuscated batch scripts for delivery and execution. The actor behind this operation is linked to the Telegram channel “Mua Bán Scan MINI,” known to host credential trade and cybercrime activity. While there are connections to the CoralRaider adversary, attribution to this group remains unconfirmed. In q2 2025 PXA stealer was observed to target Italy.", "spans": {"MALWARE: PXA Stealer": [[0, 11], [342, 353]], "MALWARE: PXA": [[0, 3], [342, 345], [781, 784]], "THREAT_ACTOR: CoralRaider": [[700, 711]], "SYSTEM: Cisco": [[80, 85]], "SYSTEM: Python": [[58, 64]], "SYSTEM: VPN": [[247, 250]], "SYSTEM: Telegram": [[571, 579]], "ORGANIZATION: Talos": [[86, 91]], "ORGANIZATION: Cisco Talos": [[80, 91]]}, "info": {"source": "apt_reports", "name": "PXA Stealer"}} +{"text": "Python-version of GolangGhost RAT", "spans": {"SYSTEM: Python": [[0, 6]], "MALWARE: GolangGhost": [[18, 29]]}, "info": {"source": "apt_reports", "name": "PylangGhost"}} +{"text": "According to its author, Pyramid is a post exploitation framework written in Python, capable of executing offensive tooling from a signed binary (e.g. python.exe) by importing their dependencies in memory. It was created to demonstrate a bypass strategy against EDRs based on some blind-spots assumptions.", "spans": {"MALWARE: Pyramid": [[25, 32]], "SYSTEM: Python": [[77, 83]]}, "info": {"source": "apt_reports", "name": "Pyramid"}} +{"text": "According to Securonix, this malware exhibits remote access trojan (RAT) behavior, allowing for control of and persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. 
What makes this malware particularly unique is its utilization of websockets for both command and control (C2) communication and exfiltration as well as how it evades detection from antivirus and network security measures.", "spans": {"MALWARE: PY#RATION": [[165, 174]], "VULNERABILITY: keylogging": [[260, 270]]}, "info": {"source": "apt_reports", "name": "PY#RATION"}} +{"text": "PyVil RAT", "spans": {"MALWARE: PyVil": [[0, 5]]}, "info": {"source": "apt_reports", "name": "PyVil"}} +{"text": "Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.", "spans": {"TOOL: Responder": [[0, 9]], "SYSTEM: SMB": [[67, 70]], "SYSTEM: LDAP": [[81, 85]]}, "info": {"source": "apt_reports", "name": "Responder"}} +{"text": "According to Proofpoint, this is a backdoor written in Python, used in attacks against French entities in the construction, real estate, and government industries.", "spans": {"SYSTEM: Python": [[55, 61]], "ORGANIZATION: Proofpoint": [[13, 23]]}, "info": {"source": "apt_reports", "name": "Serpent"}} +{"text": "Ransomware written in Python and delivered as compiled executable created using PyInstaller.", "spans": {"SYSTEM: Python": [[22, 28]]}, "info": {"source": "apt_reports", "name": "Venomous"}} +{"text": "Venus Stealer is a python based Infostealer observed early 2023.", "spans": {"MALWARE: Venus Stealer": [[0, 13]]}, "info": {"source": "apt_reports", "name": "Venus Stealer"}} +{"text": "A basic info stealer w/ some capability to inject code into legit applications.", "spans": {}, "info": {"source": "apt_reports", "name": "W4SP Stealer"}} +{"text": "According to its author, PANIX is a powerful, modular, and highly customizable Linux persistence framework designed for security researchers, detection engineers, penetration testers, CTF enthusiasts, and more. 
Built with versatility in mind, PANIX emphasizes functionality, making it an essential tool for understanding and implementing a wide range of persistence techniques.", "spans": {"MALWARE: PANIX": [[25, 30], [243, 248]], "SYSTEM: Linux": [[79, 84]]}, "info": {"source": "apt_reports", "name": "PANIX"}} +{"text": "A backdoor brought into version 5.6.0 and 5.6.1 of compression library/tool xz/liblzma, which was intended to enable access via (Open)SSH on affected servers.", "spans": {"TOOL: SSH": [[134, 137]]}, "info": {"source": "apt_reports", "name": "xzbot"}} +{"text": "CageyChameleon Malware is a VBS-based backdoor which has the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon will collect user host information, system current process information, etc. The collected information is sent back to the C2 server, and continue to initiate requests to perform subsequent operations.", "spans": {"MALWARE: CageyChameleon": [[0, 14], [173, 187]]}, "info": {"source": "apt_reports", "name": "CageyChameleon"}} +{"text": "According to ClearSky, this is a VBS-based wiper, deployed via exploitation of a vulnerable WinRAR version (CVE-2025-80880). 
They assess with medium confidence a link to Gamaredon.", "spans": {"CVE_ID: CVE-2025-80880": [[108, 122]], "TOOL: WinRAR": [[92, 98]], "ORGANIZATION: ClearSky": [[13, 21]]}, "info": {"source": "apt_reports", "name": "GamaWiper"}} +{"text": "The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information.\r\nHALFBAKED listens for the following commands from the C2 server:\r\n\r\n info: Sends victim machine information (OS, Processor, BIOS and running processes) using WMI \r\n queries\r\n processList: Send list of process running\r\n screenshot: Takes screen shot of victim machine (using 58d2a83f777688.78384945.ps1)\r\n runvbs: Executes a VB script\r\n runexe: Executes EXE file\r\n runps1: Executes PowerShell script\r\n delete: Delete the specified file\r\n update: Update the specified file", "spans": {"MALWARE: HALFBAKED": [[4, 13], [205, 214]], "TOOL: PowerShell": [[594, 604]], "SYSTEM: WMI": [[363, 366]], "SYSTEM: BIOS": [[329, 333]]}, "info": {"source": "apt_reports", "name": "HALFBAKED"}} +{"text": "According to Sekoia, the aim of this backdoor is to receive VBS modules for execution from a remote C2 server. Once received, HATVIBE uses a simple XOR algorithm to decrypt each module, contact it between two
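Review bot: The entity type labels in this hunk are applied inconsistently across records, which will poison any model or evaluation built on the file; for example security vendors are tagged `"SYSTEM: ESET"` in the 888 RAT and NosyDownloader records and `"SYSTEM: Trend Micro"`, `"SYSTEM: Kaspersky"`, `"SYSTEM: Fortinet"` elsewhere, while the same kind of entity is `"ORGANIZATION: Mandiant"`, `"ORGANIZATION: FireEye"` and `"ORGANIZATION: ClearSky"` in neighbouring records, and the PS1Bot, Poet RAT and PXA Stealer records carry `"SYSTEM: Cisco"` next to `"ORGANIZATION: Talos"` and an overlapping `"ORGANIZATION: Cisco Talos"`. Several spans are also not entities of the declared type: `"VULNERABILITY: keylogging"` and `"VULNERABILITY: screen capture"` describe capabilities, `"TOOL: replace"` (COOKBOX) is a method name, `"ORGANIZATION: RSA"` (PowerHarbor) is a cipher, and `"MALWARE: Machete"` is nested inside `"THREAT_ACTOR: El Machete"` (Loki RAT), as `"SYSTEM: Avast"` is inside `"DOMAIN: Avast.io"` (Parrot TDS WebShell). Suggest running a validation pass before these annotations land: reject overlapping or nested spans, enforce one type per entity string across the file (vendors as ORGANIZATION), and drop the capability/function/algorithm labels; the `"info"` object should also record how the labels were produced (model, prompt version, date), since the filename `llm_annotated_apt.jsonl` implies unreviewed output. Separately, a 4554-line generated file under `data/processed/backup/` looks like a working copy rather than a curated artifact; if it must be versioned, document in the PR why it duplicates the processed data, and normalise the embedded `\r\n` line endings so diffs stay readable.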