ThreatFox IOC Database
You are viewing the ThreatFox database entry for url https://www.dropbox.com/scl/fi/6sd0a0od839wwehcndldi/Merluis-Setup-2.0.0.exe.
Database Entry
| IOC ID: | 1785152 |
|---|---|
| IOC: | https://www.dropbox.com/scl/fi/6sd0a0od839wwehcndldi/Merluis-Setup-2.0.0.exe |
| IOC Type : | url |
| Threat Type : | payload_delivery |
| Malware: | Unknown RAT |
| Confidence Level : | Confidence level is elevated (75%) |
| Is compromised? : | False |
| ASN: | AS19679 DROPBOX |
| Country: | US |
| First seen: | 2026-04-13 12:58:18 UTC |
| Last seen: | never |
| UUID: | 84d64a4f-372f-11f1-8759-42010aa4000a |
| Reporter | |
| Reward | 5 credits from ThreatFox |
| Tags: | dropbox fake-game infostealer RAT ZKM-Stealer |
| Reference: | https://tria.ge/260407-s8dpgahs5l/behavioral1 |
Omaha
Dropbox hosted download URL for ZKM Stealer 26.0.0 installer. Used as direct download link on fake game distribution site merluis.pages.dev. Victims directed here via social engineering on online messaging platforms.
File: Merluis-Setup-2.0.0.exe
SHA256: bd3997c44f1820eccc6574ee003bf5319b6a27d28e782937271c6ae190af024d
MD5: 6cda615633eadf8cb0529efc6c722973
VT: 0/58 at time of attack
NSIS installer bundles complete Java JRE 1.8.0_101 using BYOR technique. Deploys update.jar RAT payload to victim AppData on execution.
Reported to Dropbox abuse team April 2026.
Law enforcement notified:
FBI IC3: fad477e92b9f4692b96be4eac6236d20
CISA: CCASE0175447
US