| Attacks by APT-C-60 Group Exploiting Legitimate Services |
The APT-C-60 group targeted organizations in Japan and East Asia with a sophisticated attack campaign. The attack begins with a phishing email containing a Google Drive link to download a VHDX file. This file includes an LNK file that executes a downloader, which then retrieves a backdoor called SpyGrace. The attackers use legitimate services like Bitbucket and StatCounter for command and control. The malware achieves persistence through COM hijacking and employs various techniques to evade detection. The campaign likely targeted multiple East Asian countries, using similar tactics across different attacks. |
| Type |
Indicator |
| FileHash-MD5 |
a78550e6101938c7f5e8bfb170db4db2 |
| FileHash-SHA1 |
0830ef2fe7813ccf6821cad71a22e4384b4d02b4 |
| FileHash-SHA1 |
1e5920a6b79a93b1fa8daca32e13d1872da208ee |
| FileHash-SHA1 |
33dba9c156f6ceda40aefa059dea6ef19a767ab2 |
| FileHash-SHA1 |
3affa67bc7789fd349f8a6c9e28fa1f0c453651f |
| FileHash-SHA1 |
4508d0254431df5a59692d7427537df8a424dbba |
| FileHash-SHA1 |
4589b97225ba3e4a4f382540318fa8ce724132d5 |
| FileHash-SHA1 |
5d3160f01920a6b11e3a23baec1ed9c6d8d37a68 |
| FileHash-SHA1 |
5ed4d42d0dcc929b7f1d29484b713b3b2dee88e3 |
| FileHash-SHA1 |
65300576ba66f199fca182c7002cb6701106f91c |
| FileHash-SHA1 |
6cf281fc9795d5e94054cfe222994209779d0ba6 |
| FileHash-SHA1 |
783cd767b496577038edbe926d008166ebe1ba8c |
| FileHash-SHA1 |
79e41b93b540f6747d0d2c3a22fd45ab0eac09ab |
| FileHash-SHA1 |
7e8aeba19d804b8f2e7bffa7c6e4916cf3dbee62 |
| FileHash-SHA1 |
8abd64e0c4515d27fae4de74841e66cfc4371575 |
| FileHash-SHA1 |
8ebddd79bb7ef1b9fcbc1651193b002bfef598fd |
| FileHash-SHA1 |
b1e0abfdaa655cf29b44d5848fab253c43d5350a |
| FileHash-SHA1 |
c198971f84a74e972142c6203761b81f8f854d2c |
| FileHash-SHA1 |
cc9cd337b28752b8ba1f41f773a3eac1876d8233 |
| FileHash-SHA1 |
d94448afd4841981b1b49ecf63db3b63cb208853 |
| FileHash-SHA1 |
fadd8a6c816bebe3924e0b4542549f55c5283db8 |
| FileHash-SHA1 |
fd6c16a31f96e0fd65db5360a8b5c179a32e3b8e |
| URL |
http://103.187.26.176/a78550e6101938c7f5e8bfb170db4db2/command.asp |
| URL |
http://103.187.26.176/a78550e6101938c7f5e8bfb170db4db2/listen.asp |
| URL |
http://103.187.26.176/a78550e6101938c7f5e8bfb170db4db2/result.asp |
| URL |
http://103.187.26.176/a78550e6101938c7f5e8bfb170db4db2/server.asp |
| URL |
http://103.187.26.176/a78550e6101938c7f5e8bfb170db4db2/update.asp |
| URL |
https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea |
|
| Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024 |
A spear-phishing campaign targeting Japan since June 2024 has been identified, featuring the reemergence of the ANEL backdoor, previously used by APT10 until 2018. The campaign, attributed to Earth Kasha, targets individuals in political organizations, research institutions, and international relations-related entities. The attack utilizes various infection methods, including macro-enabled documents and shortcut files. The malware suite includes ROAMINGMOUSE, ANELLDR, and updated versions of ANEL. Post-exploitation activities involve information gathering and, in some cases, deployment of the more advanced NOOPDOOR backdoor. This campaign marks a shift in Earth Kasha's tactics, moving from exploiting vulnerabilities in edge devices to targeting individuals through spear-phishing. |
| Type |
Indicator |
| YARA |
35221e72ad38c2448c31239dc895ed2687ea669f |
|
| Matrix Unleashes A New Widespread DDoS Campaign |
A new widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix has been uncovered. The operation combines public scripts, brute-force attacks, and exploitation of weak credentials to create a botnet capable of global disruption. Matrix targets vulnerabilities and misconfigurations across internet-connected devices, particularly IoT and enterprise systems. The campaign demonstrates how accessible tools and minimal technical knowledge can enable large-scale cyberattacks. Despite showing Russian affiliation, the absence of Ukrainian targets suggests a focus on financial gain rather than political motives. The threat actor is actively targeting both development and production servers, marking an evolution in DDoS activities. |
| Type |
Indicator |
| CVE |
CVE-2014-8361 |
| CVE |
CVE-2017-17106 |
| CVE |
CVE-2017-17215 |
| CVE |
CVE-2017-18368 |
| CVE |
CVE-2018-10561 |
| CVE |
CVE-2018-10562 |
| CVE |
CVE-2018-9995 |
| CVE |
CVE-2021-20090 |
| CVE |
CVE-2022-30075 |
| CVE |
CVE-2022-30525 |
| CVE |
CVE-2024-27348 |
| FileHash-MD5 |
0e3a1683369ab94dc7d9c02adbed9d89 |
| FileHash-MD5 |
53721f2db3eb5d84ecd0e5755533793a |
| FileHash-MD5 |
5a66b6594cb5da4e5fcb703c7ee04083 |
| FileHash-MD5 |
76975e8eb775332ce6d6ca9ef30de3de |
| FileHash-MD5 |
866c52bc44c007685c49f5f7c51e05ca |
| FileHash-MD5 |
9181d876e1fcd8eb8780d3a28b0197c9 |
| FileHash-MD5 |
9c9ea0b83a17a5f87a8fe3c1536aab2f |
| FileHash-MD5 |
c332b75871551f3983a14be3bfe2fe79 |
| FileHash-MD5 |
c7d7e861826a4fa7db2b92b27c36e5e2 |
| FileHash-MD5 |
d653fa6f1050ac276d8ded0919c25a6f |
| FileHash-MD5 |
df521f97af1591efff0be31a7fe8b925 |
| FileHash-SHA1 |
6136fe4df8c0cce502d50671def6b6bc2850a38d |
| FileHash-SHA1 |
84791db42a6f321ea70cfcbf13913fa4e02533f8 |
| FileHash-SHA1 |
8ba1f42c61e1bef97afb48b1e741c889cc0cad50 |
| FileHash-SHA1 |
95a5ff1372f352434525a416570eef4379ebac19 |
| FileHash-SHA1 |
ada6c6646cc86e12a09355944700debf8abd2a55 |
| FileHash-SHA1 |
c72cd784e908c2026549be7439418f7d126936b9 |
| FileHash-SHA256 |
0ee827d23752c2afc1b07e5312986703f63e05b8c4f1902f5db07bb494e4d057 |
| FileHash-SHA256 |
2e7682abe30d93afb3bd9dee0011c450c1d72d727151344b8b7360441571e007 |
| FileHash-SHA256 |
424058facc8f16fd578190a612bc3f9178f5e393d345c2330c39436abb4d1142 |
| FileHash-SHA256 |
8dfe94a1b02d1330886ad4458b32db3da4b872f9c2116657840de499fee5438a |
| FileHash-SHA256 |
aee08f24f2e0be5af8b9a7947e845e8364be2f8b5ff874fbc3e7a4c81ecdad83 |
| FileHash-SHA256 |
fa1b9e78b59cdb26d98da8b00fe701697a55ae9ea3bd11b00695cfbba2b67a7a |
| hostname |
sponsored-ate.gl.at.ply.gg |
|
| Regarding the Cyberhaven chrome extension compromise, there are other... |
Several Chrome extensions have been compromised, including those related to Cyberhaven. The affected extensions are linked to multiple suspicious domains resolving to the same IP address as cyberhavenext[.]pro. Some confirmed compromised extensions are listed with their corresponding URLs. Users are advised to search for these extensions in their environments and monitor for any traffic to the IP address 149.28.124[.]84. This information suggests a widespread attack targeting browser extensions, potentially putting users' data and privacy at risk. |
| Type |
Indicator |
| IPv4 |
149.28.124.84 |
| domain |
castorus.info |
| domain |
censortracker.pro |
| domain |
iobit.pro |
| domain |
moonsift.store |
| domain |
policyextension.info |
| domain |
primusext.pro |
| domain |
uvoice.live |
| domain |
wayinai.live |
| domain |
yujaverity.info |
| domain |
bookmarkfc.info |
| domain |
vpncity.live |
| domain |
parrottalks.info |
| domain |
readermodeext.info |
|
| Warning of a surge in activity associated with FICORA and Kaiten botnets |
FortiGuard Labs researchers observed increased activity from two botnets in late 2024: the Mirai variant 'FICORA' and the Kaiten variant 'CAPSAICIN'. Both target vulnerabilities in D-Link devices, particularly through the HNAP interface, allowing remote command execution. The FICORA botnet downloads and executes a shell script to infect Linux systems, while CAPSAICIN uses a downloader script to target various Linux architectures. FICORA includes DDoS capabilities using multiple protocols. CAPSAICIN appears to be a variant of Keksec group botnets. The attacks exploit vulnerabilities that were patched years ago, highlighting the importance of regular device updates and monitoring. |
| Type |
Indicator |
| CVE |
CVE-2015-2051 |
| CVE |
CVE-2019-10891 |
| CVE |
CVE-2022-37056 |
| CVE |
CVE-2024-33112 |
| IPv4 |
192.110.247.46 |
| IPv4 |
87.10.220.221 |
|
| Phishing for Banking Information |
A recent phishing campaign targeting Bank of Montreal (BMO) customers has been identified. The scam involves text messages purporting to be from BMO, asking recipients to verify their credit card information. Key indicators of the fraudulent nature include the use of a non-official SMS number, incorrect display of card numbers, and a malicious website with spelling errors. The domain 'bmo-securltyverlfy1.com' was registered on December 11, 2024, and is associated with an IP address linked to 81 other domains targeting various Canadian institutions. The campaign exploits the holiday season to deceive users into revealing sensitive banking information. |
| Type |
Indicator |
| FileHash-SHA256 |
c76cbf6e22734f177e024e1fee02ed17a53413e0dfee02c6a6601be28280b167 |
| domain |
bmo-securltyverlfy1.com |
|
| Gaming Engines: An Undetected Playground for Malware Loaders |
Check Point Research uncovered a new technique exploiting the Godot Engine to execute malicious GDScript code, remaining undetected by most antivirus tools. The technique has been used since June 2024, potentially infecting over 17,000 machines. A loader called GodLoader employs this method and is distributed via the Stargazers Ghost Network on GitHub. The technique allows cross-platform targeting of Windows, macOS, Linux, Android, and iOS devices. Researchers demonstrated successful payload drops on Linux and MacOS. This approach could potentially target over 1.2 million users of Godot-developed games through malicious mods or downloadable content. |
| Type |
Indicator |
| FileHash-MD5 |
2078f4397407b82d92a9aec7ca409726 |
| FileHash-MD5 |
218a8f2b3041327d8a5756f3a245f83b |
| FileHash-MD5 |
33ab33dfde13e2f89482bff662349c82 |
| FileHash-MD5 |
480c9ce7b6f60aa42e9a5886da844b67 |
| FileHash-MD5 |
5b88526524374dc75cb75ac9dda020f8 |
| FileHash-MD5 |
61d3abff46a6bd2946925542c7d30397 |
| FileHash-MD5 |
639864b85bd3ec6d8bb00f7e08d145d9 |
| FileHash-MD5 |
6501ebb8f3472c28c2396b32dee370f7 |
| FileHash-MD5 |
7c91efbcaa02854d951ac79000b77017 |
| FileHash-MD5 |
8e09c87e2e69a9b58341050b5e38134d |
| FileHash-MD5 |
9984d0a0b5388a08ddd4387e247d50da |
| FileHash-MD5 |
9a4ac6322a57b14acb3157c9cd83cd76 |
| FileHash-MD5 |
9bd3fecfb842b3d4d7f02500e78211b2 |
| FileHash-MD5 |
bef08eff4910a50e6997fbe21bb8b594 |
| FileHash-MD5 |
c7d5a8188ea302ab78d6a529e90d43b8 |
| FileHash-MD5 |
d3575a49bea6bd54a543d720412134b3 |
| FileHash-MD5 |
e41f0625a4574d3424e7bfa11a1f6416 |
| FileHash-MD5 |
e66311c87c39ec8c25379305b5ae724b |
| FileHash-MD5 |
ee60134b5708931be25b58780c0ff8a5 |
| FileHash-MD5 |
efbc9a5174dc45bf0d631c4faedd17a8 |
| FileHash-SHA1 |
1fed80a136e67a5b7b6846010a5853400886ee9c |
| FileHash-SHA1 |
9687e3b7ca67baf2a82f76919d2b254dedc1e762 |
| FileHash-SHA256 |
0d03c7c6335e06c45dd810fba6c52cdb9eafe02111da897696b83811bff0be92 |
| FileHash-SHA256 |
260f06f0c6c1544afcdd9a380a114489ebdd041b846b68703158e207b7c983d6 |
| FileHash-SHA256 |
3317b8e19e19218e5a7c77a47a76f36e37319f383b314b30179b837e46c87c45 |
| FileHash-SHA256 |
604fa32b76dbe266da3979b7a49e3100301da56f0b58c13041ab5febe55354d2 |
| FileHash-SHA256 |
6be9c015c82645a448831d9dc8fcae4360228f76dff000953a76e3bf203d3ec8 |
| FileHash-SHA256 |
b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa |
| domain |
control.gd |
| domain |
name.is |
|
| RomCom exploits Firefox and Windows zero days in the wild |
ESET researchers discovered a critical zero-day vulnerability in Mozilla products, exploited by the Russia-aligned group RomCom. The vulnerability, CVE-2024-9680, allows code execution in Firefox, Thunderbird, and Tor Browser. When chained with another Windows vulnerability, CVE-2024-49039, it enables arbitrary code execution without user interaction. The exploit chain delivered RomCom's backdoor in a widespread campaign targeting Europe and North America. Mozilla quickly patched the vulnerability within a day of notification. The Windows vulnerability, a privilege escalation bug in the Task Scheduler, was later patched by Microsoft. This sophisticated attack demonstrates RomCom's capabilities in developing or obtaining stealthy exploitation techniques. |
| Type |
Indicator |
| FileHash-SHA1 |
abb54c4751f97a9fc1c9598fed1ec9fb9e6b1db6 |
| URL |
https://journalctd.live/JfWb4OrQPLh |
| domain |
1drv.us |
| domain |
correctiv.sbs |
| domain |
cwise.store |
| domain |
devolredir.com |
| domain |
journalctd.live |
| domain |
redirconnectwise.cloud |
| domain |
redircorrectiv.com |
| domain |
redjournal.cloud |
|
| DigiEver Fix That IoT Thing! |
In mid-November 2024, the Akamai SIRT discovered an uptick in activity targeting the URI /cgi-bin/cgi_main.cgi in our global network of honeypots. This activity appears to be part of a recent ongoing Mirai-based malware campaign dating back to at least October 2024. Further investigation into this campaign revealed a new botnet that calls itself the “Hail C*ck Botnet” that’s been active since at least September 2024. Using a Mirai malware variant that incorporates ChaCha20 and XOR decryption algorithms, it has been seen compromising vulnerable Internet of Things (IoT) devices in the wild, such as the DigiEver DVR, and TP-Link devices through CVE-2023-1389. |
| Type |
Indicator |
| FileHash-MD5 |
da3b2e781acf9fd712d0adb4f7d6f989 |
| FileHash-SHA1 |
3472c3ffa4b2049110a8de71a416d8d5235ee6a0 |
| FileHash-SHA256 |
0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad |
| FileHash-SHA256 |
31813bb69e10b636c785358ca09d7f91979454dc6fc001f750bf03ad8bde8fe5 |
| FileHash-SHA256 |
3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615 |
| FileHash-SHA256 |
a1b73a3fbd2e373a35d3745d563186b06857f594fa5379f6f7401d09476a0c41 |
| FileHash-SHA256 |
b32390e3ed03b99419c736b2eb707886b9966f731e629f23e3af63ea7a91a7af |
| FileHash-SHA256 |
dec561cc19458ea127dc1f548fcd0aaa51db007fa8b95c353086cd2d26bfcf02 |
| IPv4 |
104.37.188.76 |
| IPv4 |
141.98.11.79 |
| IPv4 |
149.50.106.25 |
| IPv4 |
154.213.187.50 |
| IPv4 |
154.216.17.126 |
| IPv4 |
185.82.200.181 |
| IPv4 |
193.233.193.45 |
| IPv4 |
194.87.198.29 |
| IPv4 |
195.133.92.51 |
| IPv4 |
213.182.204.57 |
| IPv4 |
31.13.248.89 |
| IPv4 |
45.125.66.90 |
| IPv4 |
45.202.35.24 |
| IPv4 |
45.202.35.91 |
| IPv4 |
5.35.104.31 |
| IPv4 |
5.39.254.71 |
| IPv4 |
81.29.149.178 |
| IPv4 |
86.107.100.80 |
| IPv4 |
88.151.195.22 |
| IPv4 |
91.132.50.181 |
| IPv4 |
91.149.218.232 |
| IPv4 |
91.149.238.18 |
| IPv4 |
95.214.53.205 |
| domain |
catlovingfools.geek |
| domain |
hailcocks.ru |
| domain |
hikvision.geek |
|
| Espionage cluster Paper Werewolf engages in destructive behavior |
The Paper Werewolf cluster, also known as GOFFEE, has increased its activity, targeting Russian organizations in government, energy, finance, and media sectors. Their primary method involves phishing emails with malicious Microsoft Word attachments containing macros. The group has evolved from cyber espionage to actively disrupting compromised infrastructures. They utilize PowerShell scripts, custom malware, and post-exploitation frameworks like Mythic. The attackers employ techniques such as reverse shells, credential interception, and destructive actions like changing passwords and deleting registry keys. Their arsenal includes tools like PowerRAT, Owowa, and Chisel. The group's sophisticated approach combines open-source frameworks with custom implants, making detection challenging. |
| Type |
Indicator |
| FileHash-SHA256 |
13252199b18d5257a60f57de95d8c6be7d7973df7f957bca8c2f31e15fcc947b |
| FileHash-SHA256 |
37b3fa8a3a05e4aedb25eb38d9e4524722f28c21fac9f788f87113c5b9184ef5 |
| FileHash-SHA256 |
804cd68f40d0bb93b6676447af719388e95cafd5a2b017a0386eb7de590ebf17 |
| FileHash-SHA256 |
8ba4cd7ea29f990cb86291003f82239bfafe28910d080b5b7d3db78e83c1b6f3 |
| FileHash-SHA256 |
fa8853aaa156485855b77a16a2f613d9f58d82ef63505be8b19563827089bf52 |
| IPv4 |
185.244.182.87 |
| IPv4 |
5.252.176.55 |
| domain |
lobbyluxuries.com |
|
| Know Thy Enemy: A Novel November Case on Persistent Remote Access |
In early November 2024, a threat actor gained initial access to a network via brute-forcing a public-facing RD-Web instance. Using PsExec, they executed batch files across multiple machines to enable RDP connections and install a malicious MeshAgent. The actor renamed the MeshAgent to mimic a virtualization binary and disguised its server as a Windows Network Virtual Adapter. The attack involved lateral movement, privilege escalation, and credential access through WDigest manipulation. The threat actor's consistent tradecraft was observed in multiple environments, highlighting the importance of continuous threat hunting and feedback loops in security investigations. Lessons learned include hardening external perimeters, enforcing MFA, and deploying software allow-lists. |
| Type |
Indicator |
| FileHash-SHA256 |
fcea81909388611359bbaf41871300075e192a3246b9e1bebc5f3f0aaa2b2c9a |
| FileHash-SHA256 |
b629fe2363a23f7c0a6f40235ca25098321ba49bc397b36e2856a1ae76055c56 |
| FileHash-SHA256 |
fdf51eba1b48ed4180dfbb66d8e299794998252517597aff4a44162183f7dcd9 |
|
| Threat Campaign Targeting Palo Alto Networks Firewall Devices Observed |
Arctic Wolf has identified multiple intrusions across various industries involving Palo Alto Network firewall devices. The attacks likely exploit recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access. Affected devices downloaded payloads including the Sliver C2 framework and coinminer binaries. Threat actors injected malicious commands into firewall login attempts, deployed PHP webshells, exfiltrated sensitive configuration files and credentials, and in some cases installed XMRig cryptocurrency miners. The campaign demonstrates rapid exploitation of newly disclosed vulnerabilities in perimeter devices. Defenders are advised to implement robust external monitoring, restrict management interfaces, and patch vulnerable systems promptly. |
| Type |
Indicator |
| FileHash-SHA256 |
a3092bfa4199def7fc525465895ee3784c6fcf55f0a7e9c8436c027e0f41cb4b |
| hostname |
img.dxyjg.com |
| hostname |
sys.traceroute.vip |
|
| Analyzing Malicious Intent in Python Code: A Case Study |
Two malicious packages, Zebo-0.1.0 and Cometlogger-0.1, were identified by an AI-driven OSS malware detection system. These packages contain Python scripts designed for surveillance, data exfiltration, and unauthorized control. Zebo-0.1.0 uses obfuscation techniques, keylogging, screen capturing, and data exfiltration to a remote server. It also implements a persistence mechanism to ensure re-execution upon system startup. Cometlogger-0.1 exhibits webhook manipulation, information theft from various platforms, anti-VM detection, dynamic file modification, and persistence mechanisms. Both packages pose significant security risks, including credential leaks and sensitive information theft. The analysis highlights the importance of cybersecurity awareness and robust defensive measures against such malicious code. |
| Type |
Indicator |
| FileHash-SHA256 |
4aeb0211bd6d9e7c74c09ac67812465f2a8e90e25fe04b265b7f289deea5db21 |
| FileHash-SHA256 |
839d0cfcc52a130add70239b943d8c82c4234b064d6f996eeaae142f05cc9e85 |
| FileHash-SHA256 |
e01c61dc52514b011c83c293cf19092c40cb606a28a87675b4f896be5afebed2 |
|
| More SSH Fun! |
A Windows batch file has been discovered that abuses the ssh.exe tool in modern Windows versions to create a backdoor. The script adds a registry entry for persistence and uses SSH to set up a reverse tunnel, allowing remote access. It also downloads and executes a malicious file using a Dev Tunnels URL, a Microsoft feature similar to ngrok. The script disables host key verification and enables local command execution through SSH. While the specific malicious payload (Ghost.exe) is no longer available, it is suspected to be a Remote Access Trojan (RAT). This technique demonstrates the creative misuse of legitimate tools for malicious purposes. |
| Type |
Indicator |
| FileHash-SHA256 |
3172eb8283a3e82384e006458265b60001ba68c7982fda1b81053705496a999c |
| hostname |
vdch79w0-8000.inc1.devtunnels.ms |
|
| Modiloader From Obfuscated Batch File |
An investigation of a file named 'Albertsons_payment.GZ' revealed a sophisticated malware delivery chain. The file, initially disguised as an image, was actually a Windows Cabinet file containing an obfuscated batch script. This script employed string slicing techniques to reconstruct commands and used LOLbins like extrac32.exe to evade detection. The payload, identified as Modiloader, a Delphi-based malware, was extracted using certutil.exe. The final stage attempted to fetch additional content from a URL, but failed in the analysis environment. This attack demonstrates the use of complex obfuscation and living-off-the-land techniques to deliver malware. |
| Type |
Indicator |
| FileHash-MD5 |
7afcba92a35ba26fcde12f3aba8ff7d8 |
| FileHash-MD5 |
7cd592cb2f2179e188e9e99cb7c06bba |
| FileHash-MD5 |
dc156637aebf04336700a9bc71c78aad |
| FileHash-SHA1 |
8fe8577fc2ef8866c83ab163a8655ea777e6d4f4 |
| FileHash-SHA1 |
f04b6d7ca8a838e63df18ac6254f7f24c6ecdbd1 |
| FileHash-SHA256 |
29bda570966cf934b38ff7b1613f9330709307405391ced5452bd9cc63736331 |
| FileHash-SHA256 |
baa12b649fddd77ef62ecd2b3169fab9bb5fbe78404175485f9a7fb48dc4456d |
| FileHash-SHA256 |
bc4cf21e25e9f429b8ea1fdc17061bc0eff0c1b44d83ff6c5da36c778ce62ade |
| domain |
swamfoxinnc.com |
| URL |
https://swamfoxinnc.com/233_Svcrhpjadgy |
|
| Cloud Atlas using a new backdoor, VBCloud, to steal data |
Cloud Atlas, a threat group active since 2014, has introduced a new backdoor called VBCloud in its latest campaign targeting Eastern Europe and Central Asia. The attack chain begins with phishing emails containing malicious documents exploiting CVE-2018-0802. The infection process involves downloading and executing an HTA file, which then deploys the VBShower backdoor. VBShower installs both VBCloud and PowerShower backdoors. VBCloud replicates previous capabilities, including downloading and executing malicious plugins, communicating with cloud servers, and performing various tasks. The campaign aims to steal data from victim devices, with VBCloud collecting system information and exfiltrating files. PowerShower is used for network reconnaissance and further infiltration. |
| Type |
Indicator |
| CVE |
CVE-2018-0802 |
| FileHash-MD5 |
0139f32a523d453bc338a67ca45c224d |
| FileHash-MD5 |
016b6a035b44c1ad10d070abcdfe2f66 |
| FileHash-MD5 |
01db58a1d0ec85adc13290a6290ad9d6 |
| FileHash-MD5 |
0f37e1298e4c82098dc9318c7e65f9d2 |
| FileHash-MD5 |
15fd46ac775a30b1963281a037a771b1 |
| FileHash-MD5 |
160a65e830eb97aae6e1305019213558 |
| FileHash-MD5 |
184cf8660af7538cd1cd2559a10b6622 |
| FileHash-MD5 |
1af1f9434e4623b7046cf6360e0a520e |
| FileHash-MD5 |
1bfb9cba8aa23a401925d356b2f6e7ed |
| FileHash-MD5 |
21585d5881cc11ed1f615fdb2d7acc11 |
| FileHash-MD5 |
242e86e658fe6ab6e4c81b68162b3001 |
| FileHash-MD5 |
2d24044c0a5b9ebe4e01ded2bfc2b3a4 |
| FileHash-MD5 |
2fe7e75bc599b1c68b87cf2a3e7aa51f |
| FileHash-MD5 |
31b01387ca60a1771349653a3c6ad8ca |
| FileHash-MD5 |
36dd0fbd19899f0b23ade5a1de3c2fec |
| FileHash-MD5 |
389bc3b9417d893f3324221141edea00 |
| FileHash-MD5 |
389f6e6fd9dcc84c6e944dc387087a56 |
| FileHash-MD5 |
3a54acd967dd104522ba7d66f4d86544 |
| FileHash-MD5 |
3f12bf4a8d82654861b5b5993c012bfa |
| FileHash-MD5 |
49f8ed13a8a13799a34cc999b195bf16 |
| FileHash-MD5 |
4b96dc735b622a94d3c74c0be9858853 |
| FileHash-MD5 |
6fcee9878216019c8dfa887075c5e68e |
| FileHash-MD5 |
88be01f8c4a9f335d33fa7c384ca4666 |
| FileHash-MD5 |
9d3557cc5c444fe5d73e4c7fe1872414 |
| FileHash-MD5 |
a30319545fda9e2da0532746c09130eb |
| FileHash-MD5 |
aa8da99d5623fafed356a14e59acbb90 |
| FileHash-MD5 |
cba05e11cb9d1d71f0fa70ecd1af2480 |
| FileHash-MD5 |
cbfb691e95ee34a324f94ed1ff91bc23 |
| FileHash-MD5 |
d445d443ace329fb244edc3e5146313b |
| FileHash-MD5 |
f3f28018fb5108b516d802a038f90bde |
| FileHash-MD5 |
f45008bf1889a8655d32a0eb93b8acdd |
| domain |
content-protect.net |
| domain |
control-issue.net |
| domain |
gosportal.net |
| domain |
mirconnect.info |
| domain |
net-plugin.org |
| domain |
office-confirm.com |
| domain |
riamir.net |
| domain |
sber-cloud.info |
| domain |
triger-working.com |
| domain |
web-privacy.net |
| domain |
web-wathapp.com |
| domain |
yandesks.net |
| domain |
yandesktop.com |
| domain |
yandisk.info |
| hostname |
kim.nl.tab.digital |
| hostname |
webdav.mydrive.ch |
|
| Unveiling WolfsBane: Linux counterpart to Gelsevirine |
ESET researchers have discovered previously unknown Linux backdoors attributed to the China-aligned Gelsemium APT group. The main backdoor, named WolfsBane, is the Linux equivalent of Gelsemium's Gelsevirine backdoor for Windows. Another backdoor, FireWood, is connected to the group's Project Wood malware. These tools are designed for cyberespionage, targeting system information, credentials, and specific files. The malware uses sophisticated techniques for persistence, stealth, and command execution. This discovery marks Gelsemium's first known use of Linux malware, indicating a shift in APT tactics towards exploiting vulnerabilities in internet-facing Linux systems. |
| Type |
Indicator |
| FileHash-MD5 |
0ff2f7ef56717a032d970ff8b78c85e4 |
| FileHash-MD5 |
17ffeda7cf0f19381fb1eb0e70c03927 |
| FileHash-MD5 |
1b6868f8c412e1e6efc4d7149173c5a9 |
| FileHash-MD5 |
2251bc7910fe46fd0baf8bc05599bdcf |
| FileHash-MD5 |
24fff48947a8f5a100e21d5592f92d4c |
| FileHash-MD5 |
3230cb323663710d52dfe18b9f0cb369 |
| FileHash-MD5 |
35b4867b323749cc72406f471b149efc |
| FileHash-MD5 |
35e941f5df1560f0c2191c23e5189ada |
| FileHash-MD5 |
4b51d56955a4438481f8452120a36aa0 |
| FileHash-MD5 |
5480f12015b0520b7e33519725bec6ef |
| FileHash-MD5 |
5789e8b1a31d7117b05143cec4a85378 |
| FileHash-MD5 |
5d7cd888012605ddeab265865b7ba994 |
| FileHash-MD5 |
61d5bc51f97b9df015dea3990cfef29b |
| FileHash-MD5 |
66920df486acdd7aaa48baf6a5b753d5 |
| FileHash-MD5 |
6d9957965ead9b7b9d7f896de59f8c1b |
| FileHash-MD5 |
77bb729852a957efc606c64180543ea9 |
| FileHash-MD5 |
8545af9eb02ab26574df2834bcf1a5a5 |
| FileHash-MD5 |
87e437cf74ce4b1330b8af9ff71edae2 |
| FileHash-MD5 |
87eb0975758ecef44e8368914cffe151 |
| FileHash-MD5 |
97d46525797ffa7530851481eb96dd47 |
| FileHash-MD5 |
9ca6d9526a1c9fb2e624c382f687a92d |
| FileHash-MD5 |
9cacec575782d7b25a94f10e2061ac4c |
| FileHash-MD5 |
bc4d2f84a6ce49f06a6be32ccfaa1630 |
| FileHash-MD5 |
c857b9f9b8bd330e160cc3a3c274b068 |
| FileHash-MD5 |
cd5da0b66319efbe346a4ac98df2f6d0 |
| FileHash-MD5 |
d1a505f2a335a8aa05d3b74358157ff3 |
| FileHash-SHA1 |
029407c923c279803c6d7cbc7673936bca2e580c |
| FileHash-SHA1 |
0471e1a214f458d4c478677ec9896b0f31207377 |
| FileHash-SHA1 |
055f1e13e0fea44dc42e8cd8c9219ed588360304 |
| FileHash-SHA1 |
0ab53321bb9699d354a032259423175c08fec1a4 |
| FileHash-SHA1 |
0cedfb1789ef139b6040cf8d84ba130360c4eb7d |
| FileHash-SHA1 |
0fef89711da11c550d3914debc0e663f5d2fb86c |
| FileHash-SHA1 |
1042c798d7ff69eb52cbeae684c74fc0ee84aacd |
| FileHash-SHA1 |
1dd4e8119efb34beaec6af55b66222d3dc5036eb |
| FileHash-SHA1 |
209c4994a42af7832f526e09238fb55d5aab34e5 |
| FileHash-SHA1 |
21c9b87a8cf75deba6cff8cf66aa015d6fb46be2 |
| FileHash-SHA1 |
225fa75d48c7699c3961db1904993e39ae051940 |
| FileHash-SHA1 |
238c8e8eb7a732d85d8a7f7ca40b261d8ae4183d |
| FileHash-SHA1 |
239db66faa803772f2a8905b1e77377a5bf78351 |
| FileHash-SHA1 |
2668050fcad373fcd548792d9793375e4d704bef |
| FileHash-SHA1 |
2b03ffe35090ce5f9341e046464c9eed8a64441d |
| FileHash-SHA1 |
2d6ceaf73ea7f70135d9a82a397625c89c408f05 |
| FileHash-SHA1 |
2f795d69641312b6653b59c2653d7bf368a4405f |
| FileHash-SHA1 |
366a9e646a167fcd2381bc15905f7d7a5e76a100 |
| FileHash-SHA1 |
36e46ad4a9f31634d32b26bdba618df5ecdca188 |
| FileHash-SHA1 |
374c38e11c50f5eddd8f3708c557529a62446a4e |
| FileHash-SHA1 |
39d7bbf6b95fa8bf37fe434dc6efe380bbf9ab23 |
| FileHash-SHA1 |
43d27a9c57d252999259aafee9760bda00d1207d |
| FileHash-SHA1 |
43eec66f6d68f286357004dc62d6da01991a2eb8 |
| FileHash-SHA1 |
44947903b2bc760ac2e736b25574be33bf7af40b |
| FileHash-SHA1 |
47e0bc09b9b092bf5de415e663bd848917ea8303 |
| FileHash-SHA1 |
4a932622a1a5259e9c97ebfa8dc11fa84dffe039 |
| FileHash-SHA1 |
544717ef96a59135cd0a93886c273e3ffe702c1a |
| FileHash-SHA1 |
5eacce21513d29a6f318b338d3ee39cc2752f72b |
| FileHash-SHA1 |
600c59733444bc8a5f71d41365368f3002465b10 |
| FileHash-SHA1 |
625e0d33966e4060d57c1daca5eb6d1a51bba3c3 |
| FileHash-SHA1 |
6ae33a9df4e7d5d19c67edc1d1b73c1674ff5fc1 |
| FileHash-SHA1 |
6edbf71680f11681eea34be293f5c580de2e16e0 |
| FileHash-SHA1 |
6f22c761898a3db9a3788967d90a77331dfa66b3 |
| FileHash-SHA1 |
6f23354186659cd2a02a5521b39f6246199d83af |
| FileHash-SHA1 |
6f43fe80806a3fe5c866c0b63cc5b105a85d0e75 |
| FileHash-SHA1 |
72db8d1e3472150c1be93b68f53f091aacc2234d |
| FileHash-SHA1 |
762f73329ff2ebe2b8f55205f886cb5f1de99483 |
| FileHash-SHA1 |
78102e569c4f40d011d941bdd8fcaab508edacd6 |
| FileHash-SHA1 |
796ebb4074dde56fc1edefed0628db68b0857e8a |
| FileHash-SHA1 |
7b79c0c0e6d9d1760005416a463beea4518b822c |
| FileHash-SHA1 |
7e5bf24946c77a96532da6fd09eaa1ec4e6f1a91 |
| FileHash-SHA1 |
8090d015d6770e6826f3a9266dd3b0998d30ddc3 |
| FileHash-SHA1 |
843d6b0054d066845628e2d5db95201b20e12cd2 |
| FileHash-SHA1 |
8532eca04c0f58172d80d8a446ae33907d509377 |
| FileHash-SHA1 |
85528eac10090ae743bcf102b4ae7007b6468255 |
| FileHash-SHA1 |
88e4679e9a47a51bd82dc22460b5a69fd7d12acc |
| FileHash-SHA1 |
8ab3acc8a3f89e5b8e7a1929149d273eddadae64 |
| FileHash-SHA1 |
8bf0cab4a700bed3e5d7d38c8868d4f388df9a54 |
| FileHash-SHA1 |
988a70df8a39034ce817d6b968e48103d824a426 |
| FileHash-SHA1 |
9a2daf6cf400408f1714ef9ba659f7491bdab612 |
| FileHash-SHA1 |
9c99eb944db0797682d54a57e2782956223e9bd8 |
| FileHash-SHA1 |
9f7790524bd759373ab57ee2aafa6f5d8bcb918a |
| FileHash-SHA1 |
a20c5bf7a30f597524a74d78dfe7ef6f15edad52 |
| FileHash-SHA1 |
a80c7010fea9915a0a82108139aec3aa2363f0df |
| FileHash-SHA1 |
b2a14e77c96640914399e5f46e1dec279e7b940f |
| FileHash-SHA1 |
b3dfb40336c2f17ec74051844ffaf65ddb874cfc |
| FileHash-SHA1 |
b663c7381f53c2fa6d4619a5fe7d63d3fd7a3455 |
| FileHash-SHA1 |
bca97bf7e93309e49311701b22569395b2baecc7 |
| FileHash-SHA1 |
bed9efb245fac8cfff8333ae37ad78ccfb7e2198 |
| FileHash-SHA1 |
c64435ccd604e142c6498417d66b4950c7c6b670 |
| FileHash-SHA1 |
ca25fb923f8a8f0293e52893979b7e429e913d7b |
| FileHash-SHA1 |
cdbbb6617d8937d17a1a9ef12750bee1cddf4562 |
| FileHash-SHA1 |
cf4210f762798486cc9d4911d2d9f0f6b2bdf687 |
| FileHash-SHA1 |
dcb4d0a47ea40fe4420b14552082e03e0e5fda9d |
| FileHash-SHA1 |
eca6363825c079099f3729097c06808ac32d4547 |
| FileHash-SHA1 |
f04feb22efaa8f401470fa5808adab9b35e87c4c |
| FileHash-SHA1 |
f1df0c5a74c9885cb5934e3eee5e7d3cf4d291c0 |
| FileHash-SHA1 |
f43d4d46bae9ad963c2eb05ef43e90aa3a5d88e3 |
| FileHash-SHA1 |
fd601a54bc622c041df0242662964a7ed31c6b9c |
| FileHash-SHA256 |
00b701e3ef29912c1fcd8c2154c4ae372cfe542cfa54ffcce9fb449883097cec |
| FileHash-SHA256 |
109d4b8878b8c8f3b7015f6b3ae573a6799296becce0f32ca3bd216bee0ab473 |
| FileHash-SHA256 |
1a9d78e5c255de239fb18b2cf47c4c2298f047073299c27fb54a0edf08a1d5a1 |
| FileHash-SHA256 |
1b6bb9e9612982f9cb55a1c88ae988d362d03fd57748d10b8cbe7acd724055c9 |
| FileHash-SHA256 |
1ec286f2194199206e4ce345f1bf322b6b0b4c947b1cf32db59cca2d89370738 |
| FileHash-SHA256 |
1f6de1af513f60572799a0893818e1b694c3ec3ff5dabddc8a0f0aa0d96d15d2 |
| FileHash-SHA256 |
29e78ca3cb49dd2985a29e74cafb1a0a15515670da0f4881f6095fb2926bfefd |
| FileHash-SHA256 |
2bab6b951ea0ae3ea9452fd503bacafb45b6687d6352f5415d14810f9cf7a89e |
| FileHash-SHA256 |
31d5e55f21246f97da006ddba6306b357d2823c90754a920c7bd268af0d2a1e4 |
| FileHash-SHA256 |
46338cae732ee1664aac77d9dce57c4ff8666460c1a51bee49cae44c86e42df9 |
| FileHash-SHA256 |
5299fe79a66b407555cdab68806564ae988b745be589767b004f7bccd7f7ac3b |
| FileHash-SHA256 |
552388d74478a84b8e64e3ee2316331740a0d060f322e92b5c608ea745adba90 |
| FileHash-SHA256 |
5d12c085b600ea2ea42d09e2104ac40d8ba2b6d005db06e12c16016200a92bd8 |
| FileHash-SHA256 |
6005ecce702b84de6d46838839b2271df631ab42325b70e27324e6cabda76e7f |
| FileHash-SHA256 |
6eaeca0cf28e74de6cfd82d29a3c3cc30c2bc153ac811692cc41ee290d766474 |
| FileHash-SHA256 |
7795a7f3bd08cb62ec6f828ad1f6836114b3e8cf153d905e3f03d6199f1f8354 |
| FileHash-SHA256 |
93c29bf19e09ea3b1e4ac5d31f47024a544738671488ff7ab2cd8f9a9c302262 |
| FileHash-SHA256 |
97982e098a4538d05e78c172c9bbc5b412754df86dc73e760004f0038ec928fb |
| FileHash-SHA256 |
ae1b66e35a4e1ab8870837a52f3e4acda9e722b3f835d238acb472be49e915d6 |
| FileHash-SHA256 |
c26d239f415bec27125862acafdeac267be398bc9208e27f09217dc8ecf64225 |
| FileHash-SHA256 |
cff20753e36a4c942dc4dab5a91fd621a42330e17a89185a5b7262280bcd9263 |
| FileHash-SHA256 |
d986207bc108e55f4b110ae208656b415d2c5fcc8f99f98b4b3985e82b9d5e5b |
| FileHash-SHA256 |
ec491de0e2247f64b753c4ef0c7227ea3548c2f222b547528dae0cf138eca53a |
| FileHash-SHA256 |
f0d23aa026ae6ba96051401dc2b390ba5c968d55c2a4b31a36e45fb67dfc2e3c |
| FileHash-SHA256 |
fddec9ff14ebd957038f9c24843bff935c4f73651e9704b553dec116851f7ae5 |
| FileHash-SHA256 |
fe71b66d65d5ff9d03a47197c99081d9ec8d5f6e95143bdc33f5ea2ac0ae5762 |
| domain |
4vw37z.cn |
| domain |
asidomain.com |
| domain |
dsdsei.com |
| hostname |
acro.ns1.name |
| hostname |
domain.dns04.com |
| hostname |
info.96html.com |
| hostname |
microsoftservice.dns1.us |
| hostname |
pctftp.otzo.com |
| hostname |
sitesafecdn.hopto.org |
| hostname |
traveltime.hopto.org |
| hostname |
www.sitesafecdn.dynamic-dns.net |
| hostname |
www.travel.dns04.com |
| FileHash-MD5 |
5ebd4452848879202414a46a09cd2eab |
| FileHash-SHA1 |
ed5342d9788392c6e854aaefa655c4d3b4831b6b |
| FileHash-SHA256 |
a67ac84f61b34b59827cef79b11709d137cc9490d6027e16279793b9b3e894c4 |
| hostname |
rootkit.agent.ec |
|
| Christmas "Gift" Delivered Through SSH |
A malicious file named "christmas_slab.pdf.lnk" was discovered, utilizing Windows' built-in SSH support to deliver malware. The LNK file executes ssh.exe to transfer and run a PE file from a remote server. The attack leverages the SSH/SCP protocol, taking advantage of its widespread availability on modern Windows systems. The malicious payload is downloaded from an IP address belonging to Apple's range, raising suspicions. The LNK file's command line arguments reveal the attacker's intent to bypass host key checking and execute the downloaded malware. This technique demonstrates how threat actors are adapting to use legitimate system tools for malicious purposes. |
| Type |
Indicator |
| FileHash-MD5 |
5e86eb5528e8357fbfa8744f239483ca |
| FileHash-SHA1 |
d7c7beb8d38fbc65af3e3fa782ad688dd60bd8ef |
| FileHash-SHA256 |
8bd210b33340ee5cdd9031370eed472fcc7cae566752e39408f699644daf8494 |
|
| Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack |
Two npm packages, @rspack/core and @rspack/cli, were compromised in a supply chain attack, allowing the publication of malicious versions containing cryptocurrency mining malware. The attack targeted specific countries and aimed to execute XMRig cryptocurrency miner on Linux hosts. The malicious versions have been unpublished, and version 1.1.8 is now considered safe. The incident highlights the need for stricter safeguards in package managers to protect developers. The Rspack project maintainers have taken steps to secure their infrastructure, including invalidating tokens and auditing source code. An investigation into the root cause of the token theft is ongoing. |
| Type |
Indicator |
| IPv4 |
80.78.28.72 |
|
| BellaCPP: Discovering a new BellaCiao variant written in C++ |
A new C++ variant of the BellaCiao malware, dubbed BellaCPP, has been discovered by researchers. This variant shares similarities with the original .NET-based BellaCiao, including domain generation and SSH tunneling capabilities. BellaCPP was found on a machine also infected with a .NET BellaCiao sample. The malware is designed to run as a Windows service and uses XOR encryption to decrypt strings. It generates domains and checks DNS records to establish communication. The discovery highlights the importance of thorough network investigations, as attackers may deploy unknown samples to maintain persistence. The malware is attributed to the Charming Kitten threat actor with medium-to-high confidence based on similarities in functionality and infrastructure. |
| Type |
Indicator |
| FileHash-MD5 |
103ce1c5e3fdb122351868949a4ebc77 |
| FileHash-MD5 |
14f6c034af7322156e62a6c961106a8c |
| FileHash-MD5 |
222380fa5a0c1087559abbb6d1a5f889 |
| FileHash-MD5 |
28d02ea14757fe69214a97e5b6386e95 |
| FileHash-MD5 |
36b97c500e36d5300821e874452bbcb2 |
| FileHash-MD5 |
44d8b88c539808bb9a479f98393cf3c7 |
| FileHash-MD5 |
4c6aa8750dc426f2c676b23b39710903 |
| FileHash-MD5 |
8ecd457c1ddfbb58afea3e39da2bf17b |
| FileHash-MD5 |
ac4606a0e10067b00c510fb97b5bd2cc |
| FileHash-MD5 |
ac6ddd56aa4bf53170807234bc91345a |
| FileHash-MD5 |
e24b07e2955eb3e98de8b775db00dc68 |
| FileHash-MD5 |
febf2a94bc59011b09568071c52512b5 |
| FileHash-SHA1 |
dccdfc77dd2803b3c5a97af0851efa0aa5bbeeeb |
| FileHash-SHA256 |
e4e3f09c4257269cef6cfbebc83c8a60376ce5e547080502e3e408a3f9916218 |
| domain |
systemupdate.info |
|
| Now You See Me, Now You Don't: Using LLMs to Obfuscate Malicious JavaScript |
This article discusses an adversarial machine learning algorithm that uses large language models (LLMs) to generate novel variants of malicious JavaScript code at scale. The algorithm iteratively transforms malicious code to evade detection while maintaining its functionality. The process involves rewriting prompts such as variable renaming, dead code insertion, and whitespace removal. The technique significantly reduced detection rates on VirusTotal. To counter this, the researchers retrained their classifier on LLM-rewritten samples, improving real-world detection by 10%. The study highlights both the potential threats and opportunities presented by LLMs in cybersecurity, demonstrating how they can be used to create evasive malware variants but also to enhance defensive capabilities. |
| Type |
Indicator |
| FileHash-SHA256 |
03d3e9c54028780d2ff15c654d7a7e70973453d2fae8bdeebf5d9dbb10ff2eab |
| FileHash-SHA256 |
3f0b95f96a8f28631eb9ce6d0f40b47220b44f4892e171ede78ba78bd9e293ef |
| FileHash-SHA256 |
4f1eb707f863265403152a7159f805b5557131c568353b48c013cad9ffb5ae5f |
| URL |
http://jakang.freewebhostmost.com/korea/app.html |
| hostname |
bafkreihpvn2wkpofobf4ctonbmzty24fr73fzf4jbyiydn3qvke55kywdi.ipfs.dweb.link |
|
| Recent Cases of Watering Hole Attacks, Part 1 |
This analysis focuses on a watering hole attack targeting a Japanese university research laboratory website in 2023. The attack used social engineering to trick users into downloading and executing malware disguised as an Adobe Flash Player update. The malware, identified as a modified Cobalt Strike Beacon, was injected into the Explorer process. The attackers used Cloudflare Workers for their C2 server and employed various techniques to evade detection, including disabling anti-analysis functions and stopping antivirus software. The report also mentions other attacks by the same group, using decoy documents and malware with specific execution options. The article emphasizes the importance of maintaining awareness of diverse attack vectors beyond commonly exploited vulnerabilities in exposed assets. |
| Type |
Indicator |
| CVE |
CVE-2022-1388 |
| FileHash-SHA256 |
284431674a187a4f5696c228ce8575cbd40a3dc21ac905083e813d7ba0eb2f08 |
| FileHash-SHA256 |
3bf1e683e0b6050292d13be44812aafa2aa42fdb9840fb8c1a0e4424d4a11e21 |
| FileHash-SHA256 |
791c28f482358c952ff860805eaefc11fd57d0bf21ec7df1b9781c7e7d995ba3 |
| FileHash-SHA256 |
7b334fce8e3119c2807c63fcc7c7dc862534f38bb063b44fef557c02a10fdda1 |
| FileHash-SHA256 |
a0224574ed356282a7f0f2cac316a7a888d432117e37390339b73ba518ba5d88 |
| FileHash-SHA256 |
df0ba6420142fc09579002e461b60224dd7d6d159b0f759c66ea432b1430186d |
| FileHash-SHA256 |
f8ba95995d772f8c4c0ffcffc710499c4d354204da5fa553fd33cf1c5f0f6edb |
| URL |
http://cdn.nifttymail.com/ |
| hostname |
cdn.nifttymail.com |
| hostname |
www.mcasprod.com |
|
| Cyberattack: UAC-0125 using the theme "Army+" (CERT-UA#12559) |
A cyber attack attributed to UAC-0125 has been identified, involving websites mimicking the official 'Army+' app page. These sites, hosted on Cloudflare Workers, prompt users to download a malicious executable. The EXE file, an NSIS installer, contains a decoy .NET file, Python interpreter, Tor files, and a PowerShell script. When executed, it installs an OpenSSH server, generates RSA keys, and sets up remote hidden access to the victim's computer via Tor. This activity is associated with UAC-0002 (APT44/Sandworm). Previous incidents in early 2024 used trojanized Microsoft Office packages as the initial compromise vector. The attackers may further expand their attack on the organization's IT infrastructure if successful. |
| Type |
Indicator |
| FileHash-MD5 |
0799756f104a70cb6ce0cfc422de25db |
| FileHash-MD5 |
08a0c1166d8e50d95254b198b8168726 |
| FileHash-MD5 |
4316eb790d186ffda2999257f8ded747 |
| FileHash-MD5 |
52853b39922251a4166a5b032e577e7a |
| FileHash-MD5 |
79782773ffee7b8141674c27e9bfc109 |
| FileHash-MD5 |
a27a90a685dad9fc7f1c5962f278f197 |
| FileHash-MD5 |
a2f355057ade20d32afc5c4192ce3986 |
| FileHash-MD5 |
ed0c7c1925ac23bd8b4d09e77aabb0ee |
| FileHash-SHA1 |
102f9a4c97669da4f564b4d8f78bf0def7ab3a51 |
| FileHash-SHA1 |
ccec79b6300f8e86c3beff86bac01362f71e7715 |
| FileHash-SHA256 |
4dca04f1e16cbe88776a3187031cff64981155cb3b992031250c6fed40496318 |
| FileHash-SHA256 |
86039bc8b1a6bb823f5cbf27d1a4a3b319b83d242f09ffcd96f38bbdbbaaa78f |
| FileHash-SHA256 |
8ba4c3ede1ed05a3ad7075fee503215648ec078a13523492e2e91a59fa40c8da |
| FileHash-SHA256 |
b663e08cc267cdb7a02d5131cb04b8b05cb6ad13ac1d571c6aafe69e06bf8f80 |
| FileHash-SHA256 |
d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2 |
| domain |
wvtmsouaa2gt6jmcuxj5hkfrqdss5lhecoqijt5dl7gfruueu3i5mkad.onion |
|
| cShell DDoS Bot Attack Case Targeting Linux SSH Server (screen and hping3) |
A new DDoS malware strain named cShell is targeting poorly managed Linux servers through SSH services. The threat actor uses brute force attacks to gain initial access, then installs the cShell bot developed in Go language. cShell exploits Linux tools 'screen' and 'hping3' to perform various DDoS attacks. It supports multiple DDoS commands, including SYN, ACK, and UDP floods. The malware maintains persistence by registering as a service and can update itself using Pastebin URLs. cShell's simple design leverages existing Linux tools, making it an effective DDoS bot. To protect against such attacks, administrators should use strong passwords, regularly update systems, and implement security measures like firewalls. |
| Type |
Indicator |
| FileHash-MD5 |
29d6ef7365c18d243163a648fa6cd697 |
| FileHash-MD5 |
cd8bf4ce178ef5ddac77933d03ffb381 |
| FileHash-SHA1 |
b5ec51ae8d64810119ac8f1f2ae84448af31c5a7 |
| FileHash-SHA256 |
781b4790834757804bd0e80ce5d8180155cac6fc8952cd03d8f824ccba376058 |
|
| Welcome to the party, pal! |
This end-of-year newsletter discusses cybersecurity trends and personal anecdotes. It emphasizes the importance of multi-factor authentication and password management, highlighting the prevalence of identity-based attacks. The author shares a story about introducing hardware tokens to family members, which was met with limited enthusiasm. The newsletter also mentions Cisco Talos' vulnerability research efforts, recent security headlines, and upcoming events. It concludes with a list of prevalent malware files detected by Talos telemetry. |
| Type |
Indicator |
| FileHash-MD5 |
2915b3f8b703eb744fc54c81f4a9c67f |
| FileHash-MD5 |
71fea034b422e4a17ebb06022532fdde |
| FileHash-MD5 |
7bdbd180c081fa63ca94f9c22c457376 |
| FileHash-MD5 |
d86808f6e519b5ce79b83b99dfb9294d |
| FileHash-MD5 |
ff1b6bb151cf9f671c929a4cbdb64d86 |
| FileHash-SHA1 |
105a1c3972fcfd3d0609d3384ea5dbf239a3f52d |
| FileHash-SHA1 |
61c39b571c368ca1f37c82f27c010e86f622a62d |
| FileHash-SHA1 |
6961bb05459f43c3bb9374cdfc515226a17a017c |
| FileHash-SHA1 |
bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c |
| FileHash-SHA1 |
e10361a11f8a7f232ac3cb2125c1875a0a69a3e4 |
| FileHash-SHA256 |
47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca |
| FileHash-SHA256 |
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5 |
| FileHash-SHA256 |
873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f |
| FileHash-SHA256 |
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 |
| FileHash-SHA256 |
a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 |
|
| Araneida Scanner: Cracked Acunetix Web App & API Scanner Discovered |
Silent Push Threat Analysts have uncovered the Araneida Scanner, a cracked version of Acunetix being used for illegal purposes. The scanner is employed for offensive reconnaissance, user data scraping, and vulnerability exploitation. It was detected during a partner's reconnaissance effort, prompting an investigation. The tool is being promoted on Telegram, where actors boast about taking over thousands of websites and selling stolen credentials. A separate Chinese-language panel, also likely using cracked Acunetix software, was discovered. Both tools pose significant threats for reconnaissance prior to sophisticated attacks. The investigation revealed multiple IP addresses hosting Araneida customer panels and the continued sale of the scanner through a specific domain. |
| Type |
Indicator |
| IPv4 |
23.26.77.145 |
| IPv4 |
163.5.210.49 |
| IPv4 |
157.254.237.94 |
| IPv4 |
163.5.169.250 |
| IPv4 |
163.5.169.45 |
| IPv4 |
163.5.32.179 |
| IPv4 |
163.5.32.202 |
| IPv4 |
163.5.32.203 |
| IPv4 |
163.5.32.204 |
| IPv4 |
163.5.32.72 |
| IPv4 |
205.234.181.204 |
| domain |
araneida.co |
| domain |
fofa.su |
|
| Threat Actors Hijack Misconfigured Servers for Live Sports Streaming |
Aqua Nautilus researchers uncovered a new attack vector where threat actors exploit misconfigured JupyterLab and Jupyter Notebook applications to hijack servers for streaming sports events. The attackers gain unauthenticated access, install ffmpeg, and use it to capture live streams, redirecting them to illegal servers. This activity, while seemingly minor, poses significant risks including data manipulation, theft, and potential financial damage. The researchers used Aqua Tracee and TraceeShark tools to analyze the attack, revealing the process of server compromise and stream ripping. The campaign primarily targeted Qatari beIN Sports network broadcasts, with evidence suggesting the attackers may be of Arab-speaking origin. The attack demonstrates the importance of securing data science environments and highlights the growing threat of illegal sports streaming to the entertainment industry. |
| Type |
Indicator |
| domain |
x9pro.xyz |
|
| One Sock Fits All: The use and abuse of the NSOCKS botnet |
The ngioweb botnet serves as the foundation for the NSOCKS criminal proxy service, maintaining over 35,000 bots daily across 180 countries. The botnet primarily targets SOHO routers and IoT devices, with two-thirds of proxies based in the U.S. NSOCKS utilizes over 180 'backconnect' C2 nodes to obscure users' identities. The infrastructure enables various threat actors to create their own services and launch DDoS attacks. The botnet employs multiple exploits, targeting vulnerable devices and evading common security solutions. NSOCKS is notorious among criminal forums and has been used by groups like Muddled Libra. The service allows users to purchase proxies with cryptocurrency, offering features such as domain filtering for targeted use. The open nature of NSOCKS has led to its abuse by other actors, including DDoS attackers and other proxy services like Shopsocks5 and VN5Socks. |
| Type |
Indicator |
| domain |
antigutation.info |
| domain |
antihicipate.com |
| domain |
dnslookips.com |
| domain |
emelenalike.com |
| domain |
inofokable.net |
| domain |
interocakate.com |
| domain |
minixetepate.biz |
| domain |
overedaxive-nonameraness.net |
| domain |
overuvezor.com |
| domain |
promexucate.com |
| domain |
subonuker.name |
| domain |
ultradomafy.net |
| domain |
underuvukent.com |
| FileHash-MD5 |
9998be16901e7f80aad8d931305e057e |
|
| Attackers exploiting a FortiClient EMS vulnerability in the wild |
Kaspersky's GERT team identified an attack exploiting a patched vulnerability (CVE-2023-48788) in FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. The attackers used SQL injection to infiltrate a company's network through an exposed Windows server. They deployed remote access tools like ScreenConnect and AnyDesk, performed network enumeration, credential theft, and defense evasion. The vulnerability allows unauthorized code execution via specially crafted data packets. Multiple threat actors have been observed exploiting this vulnerability globally, targeting various companies and consistently altering ScreenConnect subdomains. The analysis highlights the importance of timely patching and implementing additional security controls to prevent such attacks. |
| Type |
Indicator |
| FileHash-MD5 |
0f73b467ff03f9224c024f4eb3aecedb |
| FileHash-MD5 |
29efd64dd3c7fe1e2b022b7ad73a1ba5 |
| FileHash-MD5 |
52746d457f8ec149fd13dea85b654b19 |
| FileHash-MD5 |
ca564428a29faf1a613f35d9fa36313f |
| FileHash-MD5 |
f3d20449bab41301aefad304cb02773b |
| FileHash-MD5 |
f6efd0e3b1d30954b1f67bef372bef79 |
| FileHash-MD5 |
fae1061813f2148296767d28262d2c25 |
| FileHash-SHA1 |
34162aaf41c08f0de2f888728b7f4dc2a43b50ec |
| FileHash-SHA1 |
441a52f0112da187244eeec5b24a79f40cc17d47 |
| FileHash-SHA1 |
44b83dd83d189f19e54700a288035be8aa7c8672 |
| FileHash-SHA1 |
59e1322440b4601d614277fe9092902b6ca471c2 |
| FileHash-SHA1 |
73f8e5c17b49b9f2703fed59cc2be77239e904f7 |
| FileHash-SHA1 |
746710470586076bb0757e0b3875de9c90202be2 |
| FileHash-SHA1 |
75ebd5bab5e2707d4533579a34d983b65af5ec7f |
| FileHash-SHA1 |
83cff3719c7799a3e27a567042e861106f33bb19 |
| FileHash-SHA1 |
841fff3a36d82c14b044da26967eb2a8f61175a8 |
| FileHash-SHA1 |
8834f7ab3d4aa5fb14d851c7790e1a6812ea4ca8 |
| FileHash-SHA1 |
8cfd968741a7c8ec2dcbe0f5333674025e6be1dc |
| FileHash-SHA1 |
bc29888042d03fe0ffb57fc116585e992a4fdb9b |
| FileHash-SHA1 |
cf1ca6c7f818e72454c923fea7824a8f6930cb08 |
| FileHash-SHA1 |
e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69 |
| FileHash-SHA256 |
3bb8445c95142da1bda0e3440b53cc70e05a3fe996a77e6dcfb2919fd8878ca9 |
| FileHash-SHA256 |
61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1 |
| FileHash-SHA256 |
99839c78ee69f81fe0a92d3fea01eb50d7bd47cbaf90fdb64bda9bcfbe29955a |
| FileHash-SHA256 |
c41216eee9756a1dcc546df4fe97defc05513eed64ce6ac05f1501b50e6f96cc |
| FileHash-SHA256 |
c7d994eb2042633172bd8866c9f163be531444ce3126d5f340edd25cbdb473d4 |
| FileHash-SHA256 |
e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e |
| FileHash-SHA256 |
ee4dc882b4b8a9850938b33811deda219fac8764fcb9d09b6f697cee598eb7c0 |
| IPv4 |
185.196.9.31 |
| IPv4 |
206.206.77.33 |
| IPv4 |
24.1.92.155 |
| IPv4 |
45.141.84.45 |
| IPv4 |
5.61.59.201 |
| IPv4 |
87.120.125.55 |
| hostname |
qvmlaztyjogwgkikmknv2ch3t5yhb6vw4.oast.fun |
| hostname |
www.lidahtoto2.com |
|
| Security Brief: Threat Actors Gift Holiday Lures to Threat Landscape |
As the holiday season approaches, threat actors are exploiting people's desires for deals, jobs, and end-of-year bonuses. Researchers have observed an increase in themed content delivering malware, fraud, and credential phishing campaigns. Examples include a 'Winter Holiday Promotion' campaign delivering Remcos RAT, credential phishing campaigns impersonating HR departments to steal login information, and employment fraud schemes targeting universities. These attacks use timely lures such as holiday promotions, bonus announcements, and seasonal job offers to manipulate victims into risky online behaviors. The campaigns employ various techniques, including compressed executables, QR codes, and specially crafted OOXML files to bypass detection and harvest user credentials. |
| Type |
Indicator |
| FileHash-SHA256 |
713d2cca841c2d3df5ba1a4f8926970966ff931d01616ac48d5170a69c1e0765 |
| IPv4 |
185.161.251.208 |
| domain |
jobs-projecthope.org |
| domain |
orients-pk.com |
| domain |
quantumdhub.ru |
|
| Python-Based NodeStealer Version Targets Facebook Ads Manager |
The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook Ads Manager accounts, stealing critical financial and business information alongside credit card details and browser data. The infection begins with a spear-phishing email containing a malicious link, which downloads and installs the malware disguised as a legitimate application. Sophisticated techniques like DLL sideloading and encoded PowerShell commands are used to bypass security and execute the final payload, exfiltrating data via Telegram. |
| Type |
Indicator |
| FileHash-SHA256 |
1c9c7bb07acb9d612af2007cb633a6b1f569b197b1f93abc9bd3af8593e1ec66 |
| FileHash-SHA256 |
786db3ddf2a471516c832e44b0d9a230674630c6f99d3e61ada6830726172458 |
| FileHash-SHA256 |
ed1c48542a3e58020bd624c592f6aa7f7868ee16fbb03308269d44c4108011b1 |
| FileHash-SHA256 |
f813da93eed9c536154a6da5f38462bfb4ed80c85dd117c3fd681cf4790fbf71 |
|
| Effective Phishing Campaign Targeting European Companies and Institutions |
A sophisticated phishing operation targeting European automotive, chemical, and industrial manufacturing companies has been uncovered. The campaign, which peaked in June 2024, used HubSpot Free Form Builder and Docusign-enabled PDFs to harvest account credentials and infiltrate Microsoft Azure cloud infrastructures. Approximately 20,000 users were targeted across various European organizations. The attackers employed multiple redirection techniques, custom user-agent strings, and Bulletproof VPS hosts to evade detection. Once access was gained, the threat actors attempted to maintain persistence by adding new devices to compromised accounts. The campaign highlights the ongoing threat of targeted phishing attacks against corporate cloud infrastructures. |
| Type |
Indicator |
| IPv4 |
144.217.158.133 |
| IPv4 |
91.92.245.39 |
| FileHash-MD5 |
fcaff35c15872a69c6757196acd79173 |
| FileHash-SHA256 |
b2ca9c6859598255cd92700de1c217a595adb93093a43995c8bb7af94974f067 |
| FileHash-SHA256 |
deff0a6fbf88428ddef2ee3c4d857697d341c35110e4c1208717d9cce1897a21 |
| FileHash-SHA256 |
f3f0bf362f7313d87fcfefcd6a80ab0f18bc6c5517d047be186f7b81a979ff91 |
| IPv4 |
167.114.27.228 |
| IPv4 |
188.166.3.116 |
| IPv4 |
208.115.208.118 |
| IPv4 |
208.91.198.96 |
| IPv4 |
49.12.110.250 |
| IPv4 |
91.92.242.68 |
| IPv4 |
91.92.244.131 |
| IPv4 |
91.92.253.66 |
| IPv4 |
94.156.71.208 |
| IPv4 |
94.46.246.46 |
| URL |
http://orderconfirmation.dgpropertyconsultants.buzz/ |
| URL |
https://9qe.daginvusc.com/miUxeH/ |
| URL |
https://asdrfghjk3wr4e5yr6uyjhgb.mhp-hotels.buzz/?Nhv3zM=xI7Kyf |
| URL |
https://docs.doc2rprevn.buzz/?username= |
| URL |
https://docs.doc2rprevn.buzz?username= |
| URL |
https://docusharepoint.fundament-advisory.buzz/?3aGw=Nl9 |
| URL |
https://espersonal.org/doc0024/index.php?submissionGuid=6e59d483-9dc2-48f8-ad5a-c2d2ec8f4569 |
| URL |
https://espersonal.org/doc0024/index.php?submissionGuid=96a9b82a-55d3-402d-9af4-c2c5361daf5c |
| URL |
https://orderconfirmating.symmetric.buzz/?df=ZUvkMN&submissionGuid=e06a1f83-c24e-4106-b415-d2f43a06a048 |
| URL |
https://orderspecification.tekfenconstruction.buzz/?6BI=AmaPH&submissionGuid=e2ce33ea-ee47-4829-882c-592217dea521 |
| URL |
https://purchaseorder.europeanfreightleaders.buzz/?Mt=zqoE&submissionGuid=476f32d0-e667-4a18-830b-f57a2b401fc3 |
| URL |
https://purchaseorder.vermeernigeria.buzz/?cKg=C3&submissionGuid=4631b0c9-5e10-4d81-b1d6-4d01045907e7 |
| URL |
https://technicaldevelopment.industrialization.buzz/?o0B=RLNT |
| URL |
https://technicaldevelopment.rljaccommodationstrust.buzz/?WKg=2Ljv8 |
| URL |
https://vigaspino.com/2doc5/index.php?submissionGuid=093410a5-c228-4ddf-890c-861cdc6fe5d8 |
| URL |
https://vigaspino.com/2doc5/index.php?submissionGuid=1d51a08d-cf55-4146-8b5b-22caa765ac85 |
| URL |
https://vomc.qeanonsop.xyz/?hh5=IY&username=ian@deloitte.es |
| URL |
https://wr43wer3ee.cyptech.com.au/oeeo4/ewi9ew/mnph_term=?/&submissionGuid=50aa078a-fb48-4fec-86df-29f40a680602 |
| domain |
espersonal.org |
| domain |
vigaspino.com |
| hostname |
9qe.daginvusc.com |
| hostname |
asdrfghjk3wr4e5yr6uyjhgb.mhp-hotels.buzz |
| hostname |
docs.doc2rprevn.buzz |
| hostname |
docusharepoint.fundament-advisory.buzz |
| hostname |
orderconfirmating.symmetric.buzz |
| hostname |
orderconfirmation.dgpropertyconsultants.buzz |
| hostname |
orderspecification.tekfenconstruction.buzz |
| hostname |
purchaseorder.europeanfreightleaders.buzz |
| hostname |
purchaseorder.vermeernigeria.buzz |
| hostname |
technicaldevelopment.industrialization.buzz |
| hostname |
technicaldevelopment.rljaccommodationstrust.buzz |
| hostname |
vomc.qeanonsop.xyz |
| hostname |
wr43wer3ee.cyptech.com.au |
| hostname |
www.acmeinc.buzz |
|
| Your Data Is Under New Management: The Rise of LummaStealer |
LummaStealer, a relatively new information-stealing malware, has gained prominence since 2022 for its ability to collect sensitive data from Windows systems. Marketed as Malware-as-a-Service (MaaS) on underground forums, it targets individuals, cryptocurrency users, and small to medium-sized businesses. The malware employs various infection vectors, including phishing emails, cracked software, and malicious downloads. It harvests credentials, cookies, cryptocurrency wallets, and system information, exfiltrating data to remote servers. Recent campaigns have shown increased sophistication in social engineering tactics and the use of legitimate platforms like Steam and Dropbox to evade detection. The malware's accessibility through MaaS has made it popular among diverse threat actors, complicating attribution efforts. |
| Type |
Indicator |
| FileHash-MD5 |
3e35a7a3203cc7726ce4e9f7f30806ef |
| FileHash-MD5 |
3f58a517f1f4796225137e7659ad2adb |
| FileHash-MD5 |
477264c48dbbc071190a6c7fc22cbb9c |
| FileHash-MD5 |
4b7f5578a6189b71b5f2d81f30a948f4 |
| FileHash-MD5 |
870feaab725b148208dd12ffabe33f9d |
| FileHash-MD5 |
cbf6c2a14cba45f95569c9d011219518 |
| FileHash-MD5 |
e74b1e485e42e8ba7a65ab6927e872a5 |
| FileHash-SHA1 |
128a085b84667420359bfd5b7bad0a431ca89e35 |
| FileHash-SHA1 |
594d61532fb2aea88f2e3245473b600d351ee398 |
| FileHash-SHA1 |
99b8464e2aabff3f35899ead95dfac83f5edac51 |
| FileHash-SHA1 |
9f3651ad5725848c880c24f8e749205a7e1e78c1 |
| FileHash-SHA1 |
a01fa9facf3a13c5a9c079d79974842abff2a3f2 |
| FileHash-SHA1 |
afdefcd9eb251202665388635c0109b5f7b4c0a5 |
| FileHash-SHA1 |
bfc1422d1c5351561087bd3e6d82ffbad5221dae |
| FileHash-SHA1 |
c07e49c362f0c21513507726994a9bd040c0d4eb |
| FileHash-SHA1 |
e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| FileHash-SHA1 |
f2c37ad5ca8877186c846b6dfb2cb761f5353305 |
| FileHash-SHA1 |
f89f91e33bf59d0a07dfb1c4d7246d74a05dd67d |
| FileHash-SHA256 |
1c2ec4c72c2f31a327b6ba4dfe27a607d311578e25d96cf34c54845eea986f36 |
| FileHash-SHA256 |
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| FileHash-SHA256 |
2468e5bb596fa4543dba2adfe8fd795073486193b77108319e073b9924709a8a |
| FileHash-SHA256 |
3aa011528c4d261a82a0698a5be19d47c4114e2443b93617978fe7f34957930f |
| FileHash-SHA256 |
bbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55 |
| FileHash-SHA256 |
c28c1d76b1937373be1b5d5455e2accf3698c41cb3815d01209b232e82b6dae0 |
| IPv4 |
146.19.128.68 |
| IPv4 |
89.187.169.3 |
| domain |
carrtychaintnyw.shop |
| domain |
clicktogo.click |
| domain |
complainnykso.shop |
| domain |
conservaitiwo.shop |
| domain |
crowdstrike-office365.com |
| domain |
matteryshzh.cfd |
| domain |
naggersanimism.shop |
| domain |
pardaoboccia.shop |
| domain |
proffoduwnuq.shop |
| domain |
quotamkdsdqo.shop |
| domain |
steppyplantnw.shop |
| hostname |
a3.bigdownloadtech.shop |
|
| Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising |
A large-scale fake captcha campaign has been distributing Lumma info-stealer malware through malvertising techniques. The campaign, relying on a single ad network, delivers over 1 million daily ad impressions, causing thousands of daily victims to lose their accounts and money. The malicious activity is propagated through a network of 3,000+ content sites funneling traffic. The campaign uses deceptive captcha pages that trick users into executing PowerShell commands, instantly installing stealer malware. The ad network Monetag, a subsidiary of PropellerAds, is identified as the primary facilitator. The threat actors leverage services like BeMob for cloaking, showcasing the fragmented accountability in the ad ecosystem. The campaign's success highlights the need for stronger proactive measures in ad networks and the importance of user caution when encountering free content online. |
| Type |
Indicator |
| domain |
chromeupdates.com |
| FileHash-MD5 |
7a0525921ff54f1193db83d7303c6ee8 |
| domain |
adstrails.com |
| domain |
boltsreach.com |
| domain |
cdn-downloads-now.xyz |
| domain |
fiare-activity.com |
| domain |
fingerboarding.com |
| domain |
foodrailway.cfd |
| domain |
glidronix.com |
| domain |
impressflow.com |
| domain |
insigelo.com |
| domain |
marimarbahamas.me |
| domain |
mediamanagerverif.com |
| domain |
nettrilo.com |
| domain |
nowuseemi.com |
| domain |
offerztodayforu.com |
| domain |
privatemeld.com |
| domain |
restoindia.me |
| domain |
satisfiedweb.com |
| domain |
secureporter.com |
| domain |
servinglane.com |
| domain |
sheenglathora.com |
| domain |
stephighs.com |
| domain |
taketheright.com |
| domain |
techstalone.com |
| domain |
tracksvista.com |
| domain |
travelwithandrew.xyz |
| domain |
tunneloid.com |
| domain |
westreamdaily.com |
| domain |
yourtruelover.com |
| hostname |
sos-ch-gva-2.sos-cdn.net |
| hostname |
xxxx.bmtrck.com |
|
| A new playground: Malicious campaigns proliferate from VSCode to npm |
This intelligence details the emergence of malicious campaigns spreading from VSCode to npm. Researchers observed an increasing amount of malicious activity in VSCode Marketplace, with threat actors using npm packages to inject malicious code into VSCode IDE. The campaign initially targeted the crypto community but later expanded to impersonate the Zoom application. Malicious extensions contained downloader functionality and were obfuscated with Javascript Obfuscator. The campaign then spread to npm with the package 'etherscancontracthandler'. The analysis highlights the importance of scrutinizing open source, third-party, and commercial code, as well as performing regular security assessments to prevent IDE compromises and protect the software supply chain. |
| Type |
Indicator |
| FileHash-SHA1 |
025daf1d161f0dc30280359b4ff2731b6458715e |
| FileHash-SHA1 |
0289c2bc1c9e10bc053ef25d151793e327a8f714 |
| FileHash-SHA1 |
0d5710de0832f2c3667536fc3d808642e6593a27 |
| FileHash-SHA1 |
11d432d5d6d8792900e31371db4380a9ac9eb984 |
| FileHash-SHA1 |
1f8ead255e26a57e7b6c4b211ace51a7788d5698 |
| FileHash-SHA1 |
44c5170aba403943fa054432852f3c1a00178311 |
| FileHash-SHA1 |
5312be1dbfd1b2dd2ba15d05b4e607c4bde533b4 |
| FileHash-SHA1 |
5390a60adfd8dbf5aef4e132e8565659518ef995 |
| FileHash-SHA1 |
53c4207325d46bfad2c39111fc6ce79d0274f031 |
| FileHash-SHA1 |
53f7be3adec90f264592113d9fff98829d8c2fdd |
| FileHash-SHA1 |
5ae998a23d7aacd4faf9f42a92bd4d9b2b598ddd |
| FileHash-SHA1 |
5e524e3f5b59b2ddd9072d63d60cc324d7bbfee1 |
| FileHash-SHA1 |
6da24384853e68cc80107f8b87a185b1cd45f93d |
| FileHash-SHA1 |
6f2d90229f8d3a20af51fc7d20dbcc02342b3d3e |
| FileHash-SHA1 |
8d224808b2f10a40277410efd92246712e827bee |
| FileHash-SHA1 |
b1f8c2cce439863b9a4bd0a41c9b356cc93de930 |
| FileHash-SHA1 |
b9544c0bd0a1da21f2f048673c214795312c636c |
| FileHash-SHA1 |
c7f67ff39917a8f22da34fdeb4a0c1915db2ad10 |
| FileHash-SHA1 |
cdc2389f62f40773fc196f26fbc73d7607ef71d6 |
| FileHash-SHA1 |
db03d411690a977d24255311379cb52ff4c6fb6f |
| FileHash-SHA1 |
e114543341a47477f325098008a099ec688831e4 |
| FileHash-SHA1 |
e950ead90af29948e1b0b19b4bdf65821648aeeb |
| FileHash-SHA1 |
f2c8e3fbaa7c398f8678ab5cfb2c6b2d9124641e |
| domain |
captchacdn.com |
| domain |
microsoft-visualstudiocode.com |
|
| NotLockBit: A Deep Dive Into the New Ransomware Threat |
NotLockBit is an emerging ransomware family that mimics LockBit's behavior while targeting both macOS and Windows systems. Distributed as an x86_64 golang binary, it showcases advanced capabilities including targeted file encryption, data exfiltration, and self-deletion mechanisms. The malware gathers system information, generates and encrypts a master key, and writes collected data to text files. It utilizes AWS credentials for data exfiltration, encrypts specific file types while avoiding certain directories, and employs AES encryption. NotLockBit alters the desktop wallpaper and performs self-deletion after execution. The analysis reveals variations in obfuscation and compilation techniques across samples, highlighting its sophistication and evolving nature in the ransomware landscape. |
| Type |
Indicator |
| FileHash-MD5 |
06bd47b8ec7e6277dc6c8842d00f7243 |
| FileHash-MD5 |
37ec80fbc2302d5893cb6984cb1a43e2 |
| FileHash-MD5 |
6316694dd1f6fd53bd04e351b86ddf70 |
| FileHash-MD5 |
6744ed739ba526283864fe4917c91bb3 |
| FileHash-MD5 |
8b26b29569c5d912d1d46e0de6a84edc |
| FileHash-SHA1 |
23f3b070aad47f72ddf2d148f455cce2266901fd |
| FileHash-SHA1 |
2e8cadad5ab90651ae36fb09fb386ffd91bd0d41 |
| FileHash-SHA1 |
367362b4ab6384833752b6936c296f3746859b82 |
| FileHash-SHA1 |
6c19a41d033ccc39bd42bc2f2e830e1f5808ca15 |
| FileHash-SHA1 |
c9611cba90349e78b6051c299dc8d012048a91a4 |
| FileHash-SHA256 |
14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31 |
| FileHash-SHA256 |
2e62c9850f331799f1e4893698295d0b069ab04529a6db1bfc4f193fe6aded2c |
| FileHash-SHA256 |
a28af0684456c26da769a2e0d29c5a726e86388901370ddf15bd3b355597d564 |
| FileHash-SHA256 |
aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec |
| FileHash-SHA256 |
e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac |
|
| North Korean group targets nuclear-related organization with new malware |
The Lazarus group has evolved its infection chain by targeting employees of a nuclear-related organization with a combination of new and old malware. The attack involved delivering malicious archive files containing trojanized VNC utilities and various malware strains including Ranid Downloader, MISTPEN, RollMid, LPEClient, CookieTime, and a new modular backdoor called CookiePlus. The infection chain has become more complex, demonstrating improved delivery and persistence methods. CookiePlus, likely the successor to MISTPEN, can download both DLLs and shellcode, making it difficult to detect. The group used compromised WordPress servers as command and control infrastructure for most of the malware. |
| Type |
Indicator |
| CVE |
CVE-2019-0797 |
| CVE |
CVE-2019-0859 |
| FileHash-MD5 |
00a2952a279f9c84ae71367d5b8990c1 |
| FileHash-MD5 |
0ee8246de53c20a424fb08096922db08 |
| FileHash-MD5 |
1315027e1c536d488fe63ea0a528b52d |
| FileHash-MD5 |
2b2cbc8de3bdefcd7054f56b70ef58b4 |
| FileHash-MD5 |
37973e29576db8a438250a156977ccdf |
| FileHash-MD5 |
4c4abe85a1c68ba8385d2cb928ac5646 |
| FileHash-MD5 |
57453d6d918235adb66b896e5ab252b6 |
| FileHash-MD5 |
5eac943e23429a77d9766078e760fc0b |
| FileHash-MD5 |
739875852198ecf4d734d41ef1576774 |
| FileHash-MD5 |
778942b891c4e2f3866c6a3c09bf74f4 |
| FileHash-MD5 |
80ab98c10c23b7281a2bf1489fc98c0d |
| FileHash-MD5 |
b0e795853b655682483105e353b9cd54 |
| FileHash-MD5 |
bf5a3505273391c5380b3ab545e400eb |
| FileHash-MD5 |
c6323a40d1aa5b7fe95951609fb2b524 |
| FileHash-MD5 |
cf8c0999c148d764667b1a269c28bdcb |
| FileHash-MD5 |
d966af7764dfeb8bf2a0feea503be0fd |
| FileHash-MD5 |
e0dd4afb965771f8347549fd93423985 |
| FileHash-MD5 |
e6a1977ecce2ced5a471baa52492d9f3 |
| FileHash-MD5 |
fdc5505d7277e0bf7b299957eadfd931 |
| FileHash-SHA1 |
8edcd1d8d390d61587d334f4527e569a5bdf915c |
| FileHash-SHA256 |
6f9b79c20330a7c8ade8285866e5602bb86b50a817205ee3c8a466101193386d |
|
| Stealthy Cyber Attacks: LNK Files & SSH Commands Playbook |
This analysis explores a rising trend in cyber attacks where threat actors leverage LNK files and SSH commands as initial infection vectors. The attackers use meticulously crafted shortcut files, often disguised as legitimate documents, to execute commands using Living-off-the-Land Binaries (LOLBins). The report highlights three specific campaigns: one using SCP to download and execute malicious files, another abusing SSH and PowerShell commands to run harmful payloads, and a third combining SSH and CMD commands to load malicious DLLs. These sophisticated techniques aim to bypass traditional security mechanisms and evade detection by exploiting trusted system utilities. The evolving tactics underscore the need for continuous vigilance and adapted security strategies to counter these advanced attack vectors. |
| Type |
Indicator |
| CVE |
CVE-2017-11882 |
| CVE |
CVE-2021-44228 |
| CVE |
CVE-2023-46805 |
| CVE |
CVE-2024-21887 |
| CVE |
CVE-2024-21893 |
| FileHash-MD5 |
7bdbd180c081fa63ca94f9c22c457376 |
| FileHash-MD5 |
8c69830a50fb85d8a794fa46643493b2 |
| FileHash-MD5 |
bbcf7a68f4164a9f5f5cb2d9f30d9790 |
| FileHash-SHA1 |
a90f871f87f0ba08b84a720ded3466ebf667af5e |
| FileHash-SHA1 |
bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c |
| FileHash-SHA1 |
e6d06bb9afaeb8aa80e62e76a26c7cffd14497f6 |
| FileHash-SHA256 |
0016e1ec6fc56e4214e7d54eb7ab3d84a4a83b4befd856e984d77d6db8fc221d |
| FileHash-SHA256 |
0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 |
| FileHash-SHA256 |
5b6dc2ecb0f7f2e1ed759199822cb56f5b7bd993f3ef3dab0744c6746c952e36 |
| FileHash-SHA256 |
8bd210b33340ee5cdd9031370eed472fcc7cae566752e39408f699644daf8494 |
| FileHash-SHA256 |
a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 |
| FileHash-SHA256 |
c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 |
|
| Chinese hackers exploit Fortinet VPN zero-day to steal credentials |
Chinese threat actors, known as BrazenBamboo, are exploiting a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The hackers use a custom post-exploitation toolkit called DeepData, which includes a FortiClient plugin to extract usernames, passwords, and VPN server information from the process memory. Volexity researchers discovered the flaw in July 2024 and reported it to Fortinet, but it remains unresolved. The vulnerability allows attackers to dump credentials from memory after user authentication. BrazenBamboo is known for deploying advanced malware targeting multiple platforms in surveillance operations. By compromising VPN accounts, they can gain initial access to corporate networks and expand espionage campaigns. |
| Type |
Indicator |
| FileHash-MD5 |
0d54964999408073f9fea299724ad483 |
| FileHash-MD5 |
32076ae7b19f2669fd7c36e48425acd6 |
| FileHash-MD5 |
480da467b4687549b38eeea4d4ced293 |
| FileHash-MD5 |
54570441e91d8e65ea81bb265ba71c8c |
| FileHash-MD5 |
564235b40d78f9c763b5022954ee9aae |
| FileHash-MD5 |
59ac7dd41dca19a25a78a242e93a7ded |
| FileHash-MD5 |
6371a942334444029f73b2faa2b76cf6 |
| FileHash-MD5 |
707d410a72a630d61168593f17116119 |
| FileHash-MD5 |
7efb1bc15ee6e3043f8eaefcf3f10864 |
| FileHash-MD5 |
a2fee8cfdabe4fdeeeb8faa921a3d158 |
| FileHash-MD5 |
cad4de220316eebc9980fab812b9ed43 |
| FileHash-MD5 |
ef92e192d09269628e65145070a01f97 |
| FileHash-MD5 |
f162b87ad9466381711ebb4fe3337815 |
| FileHash-MD5 |
fb99f5da9c0c46c27e17dc2dc1e162d7 |
| FileHash-SHA1 |
0563225dcc2767357748d9f1f6ac2db9825d3cf9 |
| FileHash-SHA1 |
174519da762cf673051ed1c02a6edb9520886fec |
| FileHash-SHA1 |
30e33f1188ca4cffc997260c9929738594e7488c |
| FileHash-SHA1 |
33c39728a0393d4271f27cc1d85cf3c1610be333 |
| FileHash-SHA1 |
476c726b58409a8e3e6cf8fb6bb7d46596917e24 |
| FileHash-SHA1 |
521c5f2fabd1785db1fea5d5bb22f3b16809035e |
| FileHash-SHA1 |
5ac2ef263f328980062217135f2d0c359811dbd4 |
| FileHash-SHA1 |
7aceb8db03b8b8c7899982b5befcaf455a86fe0b |
| FileHash-SHA1 |
8e7e8d896ed61bea7a49271e2e6ffc982942e5c7 |
| FileHash-SHA1 |
8f390335b571297a9eb605576745876666ee7f6a |
| FileHash-SHA1 |
9a00f6ca0d9140316f9ae03f79c7511cec32849f |
| FileHash-SHA1 |
a77204b049f622b6995c223d0f5f53118cc72f37 |
| FileHash-SHA1 |
c65817a55b003462d48189875f18fa8bdb57b402 |
| FileHash-SHA1 |
fd49866245721acc6e7431ec61b066696b72a1e1 |
| FileHash-SHA256 |
035db9a3bc9bfba542583c9350baa39741018127a27e7e3ebb6e9f50ddb96f41 |
| FileHash-SHA256 |
041c13a29d3bee8d2e4bd9d8bde8152b5ac8305c1efcc198244b224e33635282 |
| FileHash-SHA256 |
08e0ed3c9a4c04a4cb83e17f14a4959236dda048336c04e30ab7786b5bf8ffa7 |
| FileHash-SHA256 |
0b8c9d991162efca3c34d3d97b79f8edfd45ec3e052c4fef080523bacd586d11 |
| FileHash-SHA256 |
0c4ebc3d96911af9878343ee8dcba7f79a64cf86ae9b8e6cdc7bbb100177b9af |
| FileHash-SHA256 |
0f662991dbd0568fc073b592f46e60b081eedf0c18313f2c3789e8e3f7cb8144 |
| FileHash-SHA256 |
0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c |
| FileHash-SHA256 |
151edcd7d877048d5e8fce9919477cbe5c2de4bd65cd46aa228528dd00360db1 |
| FileHash-SHA256 |
18bad57109ac9be968280ea27ae3112858e8bc18c3aec02565f4c199a7295f3a |
| FileHash-SHA256 |
1bfb7c520335f96c1b268bd9e59688fca49e67e5785aa2a5a3bb281484318101 |
| FileHash-SHA256 |
205e62b04478c0ef69d69970716e5cb9e5d03293157733194d95ea801df3726c |
| FileHash-SHA256 |
213520170fc7113ac8f5e689f154f5c8074dd972584b56d820c19d84b7e5b477 |
| FileHash-SHA256 |
2b4fbd5aa06f70d84091d2f7cca4bd582237f1a1084835c3c031a718b6e283f9 |
| FileHash-SHA256 |
2bfb82a43bb77127965a4011a87de845242b1fb98fd09085885be219e0499073 |
| FileHash-SHA256 |
37c74a4a8bbe272da16f956eea69f0dcbf0caeb0d3da72d084502499c124b879 |
| FileHash-SHA256 |
3d6ef4d88d3d132b1e479cf211c9f8422997bfcaa72e55e9cc5d985fd2939e6d |
| FileHash-SHA256 |
3d9f8e1e84e9cfc742bc51742863a325eda1ea459ed6a6a5b2c47710fc171848 |
| FileHash-SHA256 |
424aaacf3444fe51b9865af3079777a977111cab9a329494f1f12c0a48dbffa7 |
| FileHash-SHA256 |
4511567b33915a4c8972ef16e5d7de89de5c6dffe18231528a1d93bfc9acc59f |
| FileHash-SHA256 |
460f1a00002e1c713a7753293b4737e65d27d0b65667b109d66afca873c23894 |
| FileHash-SHA256 |
4cbc692e0c914e235b92c55e910c818ec014461462736c56e5328dbcb9971756 |
| FileHash-SHA256 |
51b83c5732fbfc8da9d333e7daea85725c04f241f27648708d326077a4556717 |
| FileHash-SHA256 |
55e2dbb906697dd1aff87ccf275efd06ee5e43bb21ea7865aef59513a858cf9f |
| FileHash-SHA256 |
5d39dd90ee6e01afbe070030d863385adf5976752274f95f936c1b6241f78d6a |
| FileHash-SHA256 |
5fb67d42575151dd2a04d7dda7bd9331651c270d0f4426acd422b26a711156b5 |
| FileHash-SHA256 |
65aa91d8ae68e64607652cad89dab3273cf5cd3551c2c1fda2a7b90aed2b3883 |
| FileHash-SHA256 |
666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724 |
| FileHash-SHA256 |
7008e312446919cceb73db951af89602aaa9312c0c793b9bbb2e1a306f84d82f |
| FileHash-SHA256 |
724351b5cc9ad496a6c9486b8ef34772f640590a90293f913f005e994717134b |
| FileHash-SHA256 |
72bfd0f5299809c66a1fea743d5bd6559d031052bc31ced95884aeb860f318a1 |
| FileHash-SHA256 |
742fd59971ac576e579a45d8f2d4165c4c18b08685880fd457be1651523b5da4 |
| FileHash-SHA256 |
75dadf4ead9e1b3ad73fb135a5950534d0a9e58bdb4c6f2dbd4ca8b7f66b4a56 |
| FileHash-SHA256 |
765ef96d1f46aca2c2b816f92e57b92ba8126a601e76a9377d742eb6bb2d95ef |
| FileHash-SHA256 |
7d4c9e9b73f74426a975a5f8584059e8c8ca24418e7994ec83ef735c84cf2d31 |
| FileHash-SHA256 |
80c0cdb1db961c76de7e4efb6aced8a52cd0e34178660ef34c128be5f0d587df |
| FileHash-SHA256 |
83c610c4a56aa15a2220d2c3b05e0ff073f6ffb97f892118ae10c03b1bee35b0 |
| FileHash-SHA256 |
84edc435eac5543a01c5aa1391e73e5dfe49f6b6fd577750204d514f1caaa9b4 |
| FileHash-SHA256 |
87daf1ee49925271f0f3b2f5671ef028d9e6b79d487a68b879103a752d6fdb7f |
| FileHash-SHA256 |
87f9766eb91e966a7599f65d16a696fea6452383d298be65635e63dfac226976 |
| FileHash-SHA256 |
88e5ca44189dabb4cec8a183f6268a42f3f92b2c6d7c722d7f55efd3dc5334c8 |
| FileHash-SHA256 |
91b3e5e9ea4b1d7dc188dec0b28afa53f1048b4162ec9dbd60a458b650410585 |
| FileHash-SHA256 |
a560931baa404189257ec9cbcc2b9449c579018218cc1d70c99b1d36dd292a0e |
| FileHash-SHA256 |
ac6d34f09fcac49c203e860da00bbbe97290d5466295ab0650265be242d692a6 |
| FileHash-SHA256 |
ac7e20d4ddccc5e249ff0c1a72e394f9c1667a896995cf55b97b4f9fbf5de2fd |
| FileHash-SHA256 |
af0de88e8b17d628b354b5586da7718b06755d88ddde8c933c8606018e5ed7ff |
| FileHash-SHA256 |
b208b73d003a8ee0eb24ce09f7ff515e18229d1836c43159a8e1821615aab19c |
| FileHash-SHA256 |
b523cdd1669dbd7ab68b43fd20f30a790ec0351876a0610958b9405468753a10 |
| FileHash-SHA256 |
be02ce6964d1a10b48897466846e0889c7cf54bdf34133f52bc9226fefb31548 |
| FileHash-SHA256 |
c3995f28476f7a775f4c1e8be47c64a300e0f16535dc5ed665ba796f05f19f73 |
| FileHash-SHA256 |
c782346bf9e5c08a0c43a85d4991f26b0b3c99c054fa83beb4a9e406906f011e |
| FileHash-SHA256 |
d2ccbf41552299b24f186f905c846fb20b9f76ed94773677703f75189b838f63 |
| FileHash-SHA256 |
d4aea0bbfe5b309f2464fef8ebb44dd514f8162d41be53b423c64b4acb4a5ee6 |
| FileHash-SHA256 |
d804e5cde29c10fa3ca56386c147706d9501b6c2fb73f8fd329a24b9acb4c4e0 |
| FileHash-SHA256 |
dab112f7c765a375f0f12313d1b1e3cf14963113cf7b6f101ba5192a0c3874de |
| FileHash-SHA256 |
dbf0ee5e96b418bb6237772262701baf213bf60ede3ed7d90c126117097aa3ec |
| FileHash-SHA256 |
e5f0022cd79fad21c760a57fedff48e559aaf80ac0e8bbf44401b465654aba02 |
| FileHash-SHA256 |
ea2c0cbd35465dad118d69fdbf37ecfb9b0eca461e9854d2790dd98201af6dc4 |
| FileHash-SHA256 |
ee7c3e2352a4e7bf37e3d76972de1ba493c0be26832cae5978c134155ac7835b |
| FileHash-SHA256 |
efff4106cfd21a356b13a5a99c626a4f103f03b9491c0f1f5e135c1e3c84e76c |
| FileHash-SHA256 |
fc1c30f6f23a303944d8d04c6c0a7f21b137f70f60ce4f03b2e930f3e98a91da |
| FileHash-SHA256 |
fc7e77a56772d5ff644da143718ee7dbaf7a1da37cceb446580cd5efb96a9835 |
| FileHash-SHA256 |
fd261e970d01f0f123e32baf02f5f32edd0db1ee3ffc6c44d18565ecf1194630 |
|
| "Breach Report" from UAC-0099 (CERT-UA#12463) |
The Ukrainian CERT-UA investigated cyberattacks by UAC-0099 against government organizations during November-December 2024. The attacks involved emails with malicious attachments, including exploits for CVE-2023-38831. The LONEPAGE program, used for command execution, has evolved to use encrypted files and .NET programs for decryption and in-memory execution. The group's espionage activities continue to evolve, with changing targets and infrastructure. The attackers use Cloudflare for hiding and ensuring fault tolerance. The report emphasizes the importance of implementing proper cyber defense measures to protect state information resources. |
| Type |
Indicator |
| FileHash-MD5 |
04833a30808fcc118eed6a748b95fada |
| FileHash-MD5 |
19391b5bd1455864dfbfb91f3fe9fcb2 |
| FileHash-MD5 |
34c68108eb2e381112ae0dfaba0c80c3 |
| FileHash-MD5 |
4d086e04009690245bbfc6125e4edf42 |
| FileHash-MD5 |
5c935fbb11100a738b4451a8d85f192f |
| FileHash-MD5 |
92cbb147159f3a6225a3580046591d37 |
| FileHash-MD5 |
946ee0ca399acc84abfed9e41ab3cf80 |
| FileHash-MD5 |
9ad38f58f3a7d039d8c540365e1e3421 |
| FileHash-MD5 |
9b9552472a4e41df56662734be9d8ce0 |
| FileHash-MD5 |
b21d0df863af16c39348238409e8bd9d |
| FileHash-MD5 |
b452c8eb4a4aee4978a10b1b9143d15f |
| FileHash-MD5 |
bd89dfb42612f5f7c9e28d81609aec8d |
| FileHash-MD5 |
c9735877c66597ed493e322bdb9bd30f |
| FileHash-MD5 |
e55118b29430970476d743c3993a143e |
| FileHash-MD5 |
e5f6ea0297f0f4773697c1675f05fc12 |
| FileHash-MD5 |
eec19fca4cafc2980f077d934644578e |
| FileHash-MD5 |
f73ab22c63de6bbc08a8ddc1edf11270 |
| FileHash-MD5 |
fb0c754f91836abee965a99cde137fcb |
| FileHash-SHA1 |
2d22b64adf12d99ad86e2f17610aa4ba3ec66e28 |
| FileHash-SHA256 |
025b9bdd156b59b18ab08921572501b6386ae45e8c0c0440855a719ae4b4c24a |
| FileHash-SHA256 |
0aaee2882e4a71b25de5722d8936c67d40355e2f79caf994c8e10164468d3272 |
| FileHash-SHA256 |
0af76e87614126042a2c3409d273d606a4562f99cb9f003a9f9ec0596213a35a |
| FileHash-SHA256 |
0b16ee402ad04a673d61af43f461d475d1e3fcbdaf8714a1183ac35056bbae25 |
| FileHash-SHA256 |
16f809cd9fb1a06f07bb947ea8b6a27f66cfca0947e29666c34ae7b35b6e471b |
| FileHash-SHA256 |
25e725e4be880354c42c008e0960ee67481229b299ff61c29c48a23939d9a041 |
| FileHash-SHA256 |
322de3a4e1d356a7db22d6447807bd7576f91ed1910a57d9e8eb6f678ceb6ab4 |
| FileHash-SHA256 |
4a42bfc95772e2f6ae58ccb37fe74b5e810f6c2973ec7a70e09884e1fe97e794 |
| FileHash-SHA256 |
53f4e38d56946a385a681c66d891d3d70c2b2fee1691ff7e7af317955e0d8b88 |
| FileHash-SHA256 |
5441cb26f32a433b0abd80dfa98a3a30c78df00ca9d2a0cfc5b20c55f3aaadce |
| FileHash-SHA256 |
6161be2016a1fd8096b6b43544eb5df97cd3fa73a820b5e0a44618389897d733 |
| FileHash-SHA256 |
7a0ae128961a6239a2e10059305bb83fa64251bb3f0b44162ec6efdde10fd1e8 |
| FileHash-SHA256 |
88b64a3eb0dc38e3f8288b977b1cd67af7d4ba959297ac48ef5f06bec3e77560 |
| FileHash-SHA256 |
8cc89a917ed89a8407aa1e5caa4af585f26946124cf1764e3b178261a27177af |
| FileHash-SHA256 |
d4eafc11cd0e4fe417c59db804ca6e8bd8bf9c0d0886627f15165937fcb68395 |
| FileHash-SHA256 |
eb08f96acba2b316408f66ef0c4f45a42eb207e43c605476405324726e97f9e3 |
| FileHash-SHA256 |
fa331a275d2f966f42a6168f1cb6fdb919d272b32175985c8bf383f2d800ced2 |
| FileHash-SHA256 |
fbc4fbb3c2926300ee820ff7044f35231c2a1aeeb74d1f49a6caaec7736739c6 |
| IPv4 |
160.119.251.83 |
| IPv4 |
172.86.117.53 |
| IPv4 |
45.61.157.118 |
| domain |
captcha-challenge.com |
| domain |
newyorktlimes.life |
| domain |
webappapiservice.life |
| hostname |
gosp16.spd.ics.gov.ua |
|
| A Look Back: The Evolution of Latin American eCrime Malware in 2024 |
Latin American cybercrime continues to evolve as adversaries refine their tactics and techniques. Key developments in 2024 include the adoption of Rust for improved evasion, consistent use of multi-stage infection chains and malspam campaigns, and evidence of collaboration among threat actors. Notable updates were observed across malware families like Mispadu, Kiron, Caiman, Culebra, Salve, and Astaroth. These updates ranged from new delivery mechanisms and obfuscation techniques to enhanced stealer features. Despite innovations, Delphi-based components remain prevalent. The ongoing refinement of these malware families highlights the adaptability and ingenuity of Latin American cybercriminals in sustaining their operations. |
| Type |
Indicator |
| IPv4 |
191.55.53.136 |
| FileHash-MD5 |
9d2c907ca5f7b8281fc986ff323e63d8 |
| FileHash-SHA1 |
e8d6909ee1579f1defe1410a77025736192db16a |
| FileHash-SHA256 |
07a58395e20090f139eb0cb3aa1872da4fae8c1630de818a405d3329a7406150 |
| FileHash-SHA256 |
0f035dced631ac58cfae510cfc61bb1dbef119331a8aea8d5c724a5ddca0f8c5 |
| FileHash-SHA256 |
129971e378991d14c444db7a7f4c9a16ece750dd6498261d2f35c85baa9bfd07 |
| FileHash-SHA256 |
148cd318aec19451b9ad17e58e0d97ebaffd46b56d3528608de20b95dd429c45 |
| FileHash-SHA256 |
15899e250892c2cc6b38d7cdcd2a3934a49c5dca954889564a98d15a52bf3b7c |
| FileHash-SHA256 |
2776c052d11f52501871c4cb5a051a1970f002c3f099969040945fb94a158d9a |
| FileHash-SHA256 |
27f482377777a1b8e1e679863685f64121f28e1e6e2bba832397269d1763e118 |
| FileHash-SHA256 |
3972d6c85bb37889265fef3bb3b3ed8494e038ca37e345a515e39b3e95766a50 |
| FileHash-SHA256 |
46b8e68f5e85935349d0bfc555b9786f7adbac9ec9a9fa174ba0c4f89baa098f |
| FileHash-SHA256 |
57e76a7af5bafb4ff06f5f44dcf1182ea5c6a8682651c260f555c52fd441b412 |
| FileHash-SHA256 |
5d74d439bbb0be789e23bdaafd8cff938e6e686af7c8e215dc945cacc88d131c |
| FileHash-SHA256 |
5f6c0ba669db489bc2ff186af312bfe7616f9e4a12706e195225da7168e10db0 |
| FileHash-SHA256 |
60b32e40ec0a5e59081fa9816a26346892899175ce97c811761423c3533e0651 |
| FileHash-SHA256 |
aec68d256d8d2caf2d94c5944279806dd4da36d125c7a7d1485c89f718d0db15 |
| FileHash-SHA256 |
b23aabe16db5f6ccdd061b457d01b94647ed5b5852806624dca277b43d63e188 |
| FileHash-SHA256 |
ba4e715fe25aeaaf186e8395c2f13ca580457ab4e8ec1c037fd13821d97a6848 |
| FileHash-SHA256 |
bbf766df1972966b0ab3928d82c61d953e849638bb2c0bab60df3ad8aaacf174 |
| FileHash-SHA256 |
d7a918b29b4423b2a4be151f1b37c28abc081068c13a04ad8fd70dbd725d659b |
| FileHash-SHA256 |
fc258ef827620184253ba37d94efc0043745c29cf3c9f21a6c730f7727d6d076 |
| IPv4 |
108.165.96.26 |
| IPv4 |
147.45.116.5 |
| IPv4 |
162.200.178.68 |
| IPv4 |
192.101.68.150 |
| IPv4 |
38.54.57.26 |
| IPv4 |
84.246.85.94 |
| URL |
http://84.246.85.94:7890 |
| domain |
contpt.top |
| domain |
massgrave.site |
| hostname |
adjunto.pdfxml.store |
| hostname |
api.cacher.io |
| hostname |
lovecollege.hosthampster.com |
|
| November 18 Advisory: Active Exploitation of Critical RCE in Palo Alto Networks PAN-OS [CVE-2024-0012 and CVE-2024-9474] |
Two critical vulnerabilities in Palo Alto Networks PAN-OS, CVE-2024-0012 and CVE-2024-9474, have been disclosed. CVE-2024-0012 is an authentication bypass allowing unauthenticated remote attackers to gain admin privileges, while CVE-2024-9474 is an authenticated privilege escalation bug. These can be chained for full system compromise. Active exploitation has been observed for CVE-2024-0012. Affected versions include PAN-OS 10.2, 11.0, 11.1, and 11.2. Patches are available, and organizations are urged to update immediately. Censys identified 13,324 publicly exposed NGFW management interfaces, with 34% in the US. Limiting public exposure and upgrading to PAN-OS 10.2 or later is recommended. |
| Type |
Indicator |
| CVE |
CVE-2014-6271 |
| CVE |
CVE-2023-44467 |
| CVE |
CVE-2023-46229 |
| CVE |
CVE-2024-0012 |
| CVE |
CVE-2024-3094 |
| CVE |
CVE-2024-3400 |
| CVE |
CVE-2024-6387 |
| CVE |
CVE-2024-9474 |
| FileHash-SHA256 |
3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668 |
| FileHash-MD5 |
3ab22b6f3f0d4271e8d038c05cfbd5c9 |
| FileHash-MD5 |
c8c08bbe0b78b27d61002db456c741cc |
|
| Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 |
A critical authentication bypass vulnerability (CVE-2024-0012) in Palo Alto Networks PAN-OS software allows unauthenticated attackers to gain administrator privileges on affected devices. The issue affects PAN-OS versions 10.2, 11.0, 11.1, and 11.2, but not Cloud NGFW or Prisma Access. Limited exploitation attempts have been observed, primarily from anonymous VPN services. Post-exploitation activities include command execution and webshell deployment. Palo Alto Networks is actively monitoring the situation, dubbed Operation Lunar Peek, and has released patches. Customers are urged to update their systems and restrict management interface access to trusted internal IP addresses to mitigate the risk. |
| Type |
Indicator |
| CVE |
CVE-2014-6271 |
| CVE |
CVE-2023-44467 |
| CVE |
CVE-2023-46229 |
| CVE |
CVE-2024-0012 |
| CVE |
CVE-2024-3094 |
| CVE |
CVE-2024-3400 |
| CVE |
CVE-2024-6387 |
| CVE |
CVE-2024-9474 |
| FileHash-SHA256 |
3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668 |
|
| Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads |
The FLUX#CONSOLE campaign involves a sophisticated tax-themed phishing attack that exploits Microsoft Management Console (MSC) files to deliver a stealthy backdoor payload. Threat actors use tax-related lures to trick users into executing malicious code. The attack leverages MSC files, which are normally used for administrative tasks, to execute obfuscated JavaScript. This leads to the deployment of a malicious DLL file (DismCore.dll) through DLL sideloading. The campaign employs advanced obfuscation techniques, including multiple layers of encoding and encryption, to evade detection. Persistence is established using scheduled tasks. The malware communicates with a command and control server, potentially exfiltrating data from infected systems. |
| Type |
Indicator |
| FileHash-MD5 |
2b0bbee382c9bdfcac53f2349a379fa4 |
| FileHash-SHA256 |
5756f6998e14df4dd09f92b9716cffa5cd996d961b41b82c066f5f51c037a62f |
| FileHash-SHA256 |
b33d76c413ef0f4c48a8a61cfeb5e24ff465bbc6b70bf0cada2bb44299a2768f |
| FileHash-SHA256 |
b3b2d915f47aa631cc4900ec56f9b833e84d20e850d78f42f78ad80eb362b8fc |
| FileHash-SHA256 |
f6c435a9a63bdef0517d60b6932cb05a8af3b29fc76abafc5542f99070db1e77 |
| domain |
siasat.top |
|
| ICS Threat Analysis: New Malware Can Kill Engineering Processes |
An analysis of a public malware repository reveals a persistent presence of OT/ICS malware, with engineering workstations being a significant target. Two notable clusters were identified: Mitsubishi engineering workstation software infected with the Ramnit worm, and a new experimental malware named Chaya_003 capable of terminating Siemens engineering processes. The research highlights the evolving threat landscape in OT/ICS environments, emphasizing the need for enhanced security measures. Recommendations include hardening engineering workstations, proper network segmentation, and implementing comprehensive threat monitoring solutions across both IT and OT systems. |
| Type |
Indicator |
| FileHash-MD5 |
0f5d53fc15762a966e8c5ead271e0960 |
| FileHash-MD5 |
4933a93f7ed1c571e2b1064e9064c846 |
| FileHash-MD5 |
617ee2ab7f47f3af917e96aa343f905d |
| FileHash-MD5 |
856bf67eadb7f1cb7ff60279f083328e |
| FileHash-MD5 |
a76ebfae063c9112c40ad34063d2474e |
| FileHash-MD5 |
b70c02a9a95afa230a73345558910565 |
| FileHash-MD5 |
bbaa50bed8d4cc2fd3d2c92d364e9df4 |
| FileHash-MD5 |
bcb33eea79291f2ac625d0e2d06c461d |
| FileHash-MD5 |
e1a36c6e5a05ec1d792acec7def0c6fb |
| FileHash-MD5 |
f470a0c437accc0b65a41f71bc787e13 |
| FileHash-MD5 |
ff5e1f27193ce51eec318714ef038bef |
| FileHash-SHA1 |
1dae1485d7a0a73833bd7811bb6d2b44906a5b1c |
| FileHash-SHA1 |
21170242c7910587918238bfe29fb477f38b2dd3 |
| FileHash-SHA1 |
4cec4a0dc5be56b07c1ac4503fdce2e75506d017 |
| FileHash-SHA1 |
5bdf3ad07816bc25b58867ab3144d70e5337eca5 |
| FileHash-SHA1 |
7cc8013168f3e2dc186fb6bc75bca6aef8a54e58 |
| FileHash-SHA1 |
7f14d5fccb492295ce96f9263ff69d8ac274e794 |
| FileHash-SHA1 |
870361c5843cef92184f7a8fa93dfd7c6acf1b44 |
| FileHash-SHA1 |
9556cff1d10f6ccefd0ab919ecd5377f9056980c |
| FileHash-SHA1 |
9cdf1eca10fc74dcb1849a8bd9f139bbc0847300 |
| FileHash-SHA1 |
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| FileHash-SHA1 |
fd81716626c152071258b49dfda3eff0da34ebb1 |
| FileHash-SHA256 |
1b8957804dfa7324d10bf6d7ca22fc038951ab57ab1e6838da9c63ad057c1d20 |
| FileHash-SHA256 |
1f1035b91db1264eb94aa055cdb50f35f0c27744e77e74b7031e099b112a5837 |
| FileHash-SHA256 |
517e35b32c4a1dedb155bbd208422cd5c5d34b5ec378712b7e8182fd26473c7e |
| FileHash-SHA256 |
5b63ca75f95dc549729bb6261e9dc22f6425547584366188770507bd964221b4 |
| FileHash-SHA256 |
5ec05f903cc94d559b8eb23aa749805b78de2845bd2317017bc8e50cdceb613f |
| FileHash-SHA256 |
69eb2b940ba1fc7bc46699eeb3ff11d921683609f636efae05c0cb796b588a38 |
| FileHash-SHA256 |
703f0aac78d388f1fbe3800697015d092fa70cea2c01f22f456c8b1aa20a2334 |
| FileHash-SHA256 |
8b585155cdc7fcbe3d2fa169b307756557ef0d69afb392726f577a73f11d5a97 |
| FileHash-SHA256 |
9579c6987ac8969d0b0cc0cc2a9da3b034fac41525d96fa79fa02d05813e70f9 |
| FileHash-SHA256 |
a1d721db0583eed0077bb8ab542ff15a806d24e2dbf13557b12842bd49995354 |
| FileHash-SHA256 |
ad5922bcc740e5761a708c526d023450ca278168ebcefaaf80f85815d6d6d24e |
| FileHash-SHA256 |
b16a67f49ce5aa057236d2bff3e1ab2dcc2c6d3f2551e4520f54e125b2e289d8 |
| FileHash-SHA256 |
c1826e0d310a6a02f2ee1b5d88b6c0dd48baa8fe1dd99447e98e42c4ca023c96 |
| FileHash-SHA256 |
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| FileHash-SHA256 |
fd8558b8a4165ebb47f120fa237c2ada306c430ae4cb2109eb644fd8b0b82b15 |
| domain |
0g0d.com |
| domain |
432i.com |
| domain |
az-security.info |
| domain |
grpaper.com |
| domain |
x86assembly.xyz |
|
| Hacktivists attack Russian organizations using rare RATs |
The Cyber Anarchy Squad (C.A.S) is a hacktivist group targeting Russian and Belarusian organizations since 2022. They exploit vulnerabilities in public services and use free tools to inflict maximum damage. The group employs rare remote access Trojans like Revenge RAT and Spark RAT, alongside common tools like Mimikatz. C.A.S focuses on data theft and reputational damage, often collaborating with other hacktivist groups. They use Telegram to spread information about attacks and victims. The group's tactics include initial access through exploit of public-facing applications, execution via PowerShell and cmd, persistence through registry keys and startup folders, defense evasion by disabling security tools, and credential access using various utilities. C.A.S encrypts victim infrastructure using leaked ransomware builders and can destroy data using system utilities. |
| Type |
Indicator |
| FileHash-MD5 |
1fcd4f83bf6414d79d5f29ad1e795b3d |
| FileHash-MD5 |
23b873bb66dc09e91127e20825b6cbc7 |
| FileHash-MD5 |
48210ca2408dc76815ad1b7c01c1a21a |
| FileHash-MD5 |
6cbc93b041165d59ea5ded0c5f377171 |
| FileHash-MD5 |
7e101596eeb43ed2de78bb45d7031f7b |
| FileHash-MD5 |
8c70377554b291d4a231cf113398c00d |
| FileHash-MD5 |
a2d098f44aba4967826c3002541e3bb8 |
| FileHash-MD5 |
bcec17275114c6a87d8b7110aecec5cc |
| FileHash-MD5 |
fc3a8eabd07a221b478a4ddd77ddce43 |
|
| Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape |
The ClickFix social engineering technique, which tricks users into copying and running malicious PowerShell commands, has become increasingly prevalent across the threat landscape. Initially observed in campaigns by TA571 and ClearFake, it is now used by multiple threat actors to deliver various malware types. The technique often employs fake error messages or CAPTCHA checks to deceive users. Recent examples include GitHub notification impersonations delivering Lumma Stealer, Swiss-targeted campaigns distributing AsyncRAT, fake software updates deploying NetSupport RAT, and ChatGPT-themed malvertising delivering XWorm. The technique's popularity stems from its effectiveness in bypassing security measures by exploiting users' desire to resolve issues independently. |
| Type |
Indicator |
| domain |
eemmbryequo.shop |
| FileHash-MD5 |
fac2188e4a28a0cf32bf4417d797b0f8 |
| FileHash-SHA1 |
1970de8788c07b548bf04d0062a1d4008196a709 |
| FileHash-SHA256 |
d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207 |
| FileHash-MD5 |
5744e74d67f4cc91f262ddb95ac245a3 |
| FileHash-SHA1 |
890799de73d375478d3a5f0e2b86cec6a0585a91 |
| FileHash-SHA256 |
5d5b4f259ef3b3d20f6ef1a63def6dee9326efe2b7b7b7e474008aa978f1f19b |
| FileHash-SHA256 |
d9ab6cfa60cc75785e31ca9b5a31dae1c33022bdb90cb382ef3ca823c627590d |
| FileHash-SHA256 |
e726d3324ca8b9a8da4d317c5d749dd0ad58fd447a2eb5eee75ef14824339cd5 |
| URL |
http://178.215.224.252/v10/ukyh.php |
| URL |
http://185.147.124.40/Capcha.html |
| URL |
http://188.119.113.152/x64_stealth.dll |
| URL |
https://github-scanner.com/l6E.exe |
| URL |
https://ricardo.aljiri.es/ricardo/captchaV4DE/ |
| domain |
github-scanner.com |
| domain |
isomicrotich.com |
| domain |
keennylrwmqlw.shop |
| domain |
licenseodqwmqn.shop |
| domain |
promptcraft.online |
| domain |
promtcraft.online |
| domain |
reggwardssdqw.shop |
| domain |
relaxatinownio.shop |
| domain |
rilomenifis.com |
| domain |
tendencctywop.shop |
| domain |
tesecuuweqo.shop |
| hostname |
ricardo.aljiri.es |
|
| Hidden in Plain Sight: New Attack Chain Delivers Espionage RATs |
An advanced persistent threat group, TA397, targeted a Turkish defense organization with a sophisticated attack chain. The campaign used a RAR archive containing a decoy PDF, a shortcut file, and an Alternate Data Stream with PowerShell code. The infection process involved creating a scheduled task to communicate with a staging domain and manually deploying WmRAT and MiyaRAT malware. These RATs enable intelligence gathering and data exfiltration. The attack utilized NTFS alternate data streams and masqueraded files to evade detection. TA397's infrastructure included separate staging and command and control domains. The threat actor's tactics, targeting, and malware indicate it is likely an intelligence collection effort supporting a South Asian government's interests. |
| Type |
Indicator |
| FileHash-MD5 |
5b232b7417cb3965a942201de88f5055 |
| FileHash-SHA1 |
f01472fd8ffbcd0c2b54075ee01bde6a2cc4f4e6 |
| FileHash-SHA256 |
10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f |
| FileHash-SHA256 |
53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1 |
| FileHash-SHA256 |
c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317 |
| FileHash-SHA256 |
f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733 |
| URL |
http://jacknwoods.com/gfxview.msi |
| domain |
academymusica.com |
| domain |
jacknwoods.com |
| domain |
samsnewlooker.com |
| hostname |
www.jacknwoods.com |
|
| Unpacking the Diicot Malware Targeting Linux Environments |
A new malware campaign attributed to the Romanian-speaking Diicot threat group has been discovered targeting Linux systems. The campaign shows significant advancements compared to previous iterations, including modified UPX headers with corrupted checksums, advanced payload staging, and environment-specific behavior. The malware targets Linux machines running OpenSSH, exploiting weak credentials for access. It employs various techniques such as file obfuscation, reverse shell capabilities, persistence mechanisms, and command and control communication. The campaign also includes SSH brute force functionality and potential cryptojacking capabilities. The attackers have earned over $16,000 from Monero mining alone. |
| Type |
Indicator |
| FileHash-MD5 |
1fcd346b7e53f1fedb6bf1af57a77a16 |
| FileHash-MD5 |
3ea482a490c613c126a37ef63cacf1a6 |
| FileHash-MD5 |
4ceab8769d9d1032e665d7f945c1d106 |
| FileHash-MD5 |
4fc9b1b6fe4a6d2d3f2e9355f6c2ba70 |
| FileHash-MD5 |
660b129216c50fc6e38c6f7cb7d9464f |
| FileHash-MD5 |
6aab14b38bbb6b07bd9e5b29a6514b62 |
| FileHash-MD5 |
9e2cb009b4fb131bb2b9e4790e33acb9 |
| FileHash-MD5 |
d1120ccda583f55c828de4884699e535 |
| FileHash-MD5 |
d35f12f672804102fffc4d8e4f127ad9 |
| FileHash-MD5 |
d7dfcda075f868a8b18472a7d189f1cd |
| FileHash-SHA1 |
2fda08b2a5a68998a4ac261a64aa33ce3afda0e1 |
| FileHash-SHA1 |
3bacfb936e56549ee81ecf40590058b1623d51bb |
| FileHash-SHA1 |
64af1b0dac905b6f33bf313e1e6878738e232d0e |
| FileHash-SHA1 |
84137d1f5e2a5478e830d400c23ba5bd4c07a230 |
| FileHash-SHA1 |
99bbc5de80abf726d90912f1c4547846ea7c1819 |
| FileHash-SHA1 |
9f7ea0275e703b3f18f5c5e0fcf901a7acb1dfaf |
| FileHash-SHA1 |
a8793f1a94ffa646e542bcaf5bd1fd09d3f677cd |
| FileHash-SHA1 |
b7d027995d7ecd1d734404462f6f03fc78c9a219 |
| FileHash-SHA1 |
c707fd5035011fc968e4b75758ef9142fd895c6b |
| FileHash-SHA1 |
e2c121a324922c8d28f4c043cea9d8382d563a2f |
| FileHash-SHA256 |
01082cd4733e5f3e2c3f642fa6c0afb5a9489d39ff26a35549263fc0e02ebad3 |
| FileHash-SHA256 |
4dce8b3beba71b8b44b6576ff2497ed68c6fafebd046822f0d60f8758238e900 |
| FileHash-SHA256 |
564b21c293bc9d0885dc7a87dbf488a497c98d2103d91f5bbcfdb476eb8b6f4c |
| FileHash-SHA256 |
716778bab5fb2c439a51362be5941a50d587714d58a6faa39eefa96aa79c1561 |
| FileHash-SHA256 |
7bcfcc90d0bd6c85b5b1cc9f287e161020571a0418afb50f2dd67685e9d3a4fc |
| FileHash-SHA256 |
8891e7562eb4db253a8582376083ca99b19457680f9d36a5ba4108790740785e |
| FileHash-SHA256 |
b351e3f475681ab2e8db5b2bbd2beaf26e5b4fd082ca08eba6fffbc76370113c |
| FileHash-SHA256 |
bda2503fc02b11258399cfabd0778a997654b5bd7d30e5e3f5bef54a74b914e1 |
| FileHash-SHA256 |
c43e506c9b964dddf6fd784bf0cc78b4a2396f47257361dc22e1070e249eae16 |
| FileHash-SHA256 |
d23491dd351f43f0efad5cee2be80c4049349a7695c0e7de1de632c791356183 |
| URL |
http://slackforbusiness.net/api.php |
| URL |
http://slackforbusiness.net/main.php |
| domain |
macpaw.us |
| domain |
nextnovatech.com |
| domain |
slackforbusiness.net |
| domain |
wooofi.com |
| hostname |
slackcomtop.aab-e-pak.com |
| IPv4 |
87.120.114.219 |
| IPv4 |
87.120.116.242 |
| FileHash-MD5 |
3324133875daa3e763f44605c0d0cd6f |
| FileHash-MD5 |
3a2692ac5d17250992d3dd9fb214af11 |
| FileHash-MD5 |
78435bda484ffdee2312b140057d24e1 |
| FileHash-MD5 |
db8f3437f7951174b76d39d2a2c6c344 |
| FileHash-SHA1 |
07f200ad0b5a03433a184b442dcd7a688e1ff7a7 |
| FileHash-SHA1 |
1d56f998bc4f7b649f882a2d730d5e9b1b2e621f |
| FileHash-SHA1 |
2ec6af460feabfe9ed37c1955ff266cff63f31ff |
| FileHash-SHA1 |
7940c6e29ab9cf6abe5e570f73eed93265962e1a |
| FileHash-SHA1 |
7ece24f3b426169d720ab8353e07f0feb6dbc854 |
| FileHash-SHA1 |
970b45be172ffb9d3192a8d2d015b1c91b216107 |
| FileHash-SHA1 |
a2101ec53fb0934b23f83c582d3a0bed9f66fd13 |
| FileHash-SHA1 |
a8a5d0223519590bb48e0b52102786623ec45511 |
| FileHash-SHA1 |
e0e3456a0b3c06a33cbb4db1f7d1335b777cf107 |
| FileHash-SHA1 |
f657f695faf2cfd9f6f2188d154f7767da248b9e |
| FileHash-SHA1 |
f82b2df5e01abab70085a12388b3ec83c5e33ba1 |
| FileHash-SHA256 |
26a7661e8b3832ad0ba1308e005019179e064c633fc4585199aa21eab006f2d1 |
| FileHash-SHA256 |
2f2a0dbe8d190a3ce521cd494f46e74be061a2a2dd9d56586a12e88286fc54f4 |
| FileHash-SHA256 |
724e3ba433f8330b1cb7a1ebcfe5bfaaf6382fd2d8b0afb5a0b65b11a4b438f0 |
| FileHash-SHA256 |
766207c362bd73e2690f9d53c40104fbb22284e5b1fd0ef3a3a746a8179a6c47 |
| IPv4 |
185.112.249.20 |
| IPv4 |
80.76.51.5 |
| IPv4 |
87.120.116.35 |
| IPv4 |
91.92.250.6 |
| URL |
http://80.76.51.5/.NzJjOTY/.balu |
| URL |
http://80.76.51.5/.NzJjOTY/.diicot |
| URL |
http://80.76.51.5/.NzJjOTY/kuak |
| URL |
http://digital.digitaldatainsights.org/.x/black3 |
| URL |
http://test.digitaldatainsights.org:7777 |
| hostname |
digital.digitaldatainsights.org |
| hostname |
pauza.digitaldatainsights.org |
| hostname |
test.digitaldatainsights.org |
| hostname |
web.digitaldatainsights.org |
|
| BADBOX Botnet Is Back |
The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices. The botnet exploits compromised firmware to install malware and secondary payloads without user consent, enabling activities such as residential proxying, remote code installation, and ad fraud. The operation affects multiple countries, with Russia, China, and India being the most impacted. The malware's ability to adapt and spread through global supply chains poses significant challenges for consumers and enterprises alike, emphasizing the importance of trusted vendors and partners in cybersecurity. |
| Type |
Indicator |
| IPv4 |
103.145.58.236 |
| FileHash-MD5 |
bd6cb71c8046af6d0851276af7120e50 |
| FileHash-SHA1 |
5b3aa659cb8dece5c9a14d605c68a432b773969c |
| URL |
http://yydsmd.com/ota/api/conf/v1?m=bd6cb71c8046af6d0851276af7120e50&n=WIFI |
| URL |
http://yydsmd.com/ota/api/tasks/v2?m=bd6cb71c8046af6d0851276af7120e50&n=WIFI |
| domain |
bluefish.work |
| domain |
cxlcyy.com |
| domain |
cxzyr.com |
| domain |
giddy.cc |
| domain |
mtcpmpm.com |
| domain |
pccyy.com |
| domain |
pcxrlback.com |
| domain |
pixelscast.com |
| domain |
pixlo.cc |
| domain |
soyatea.online |
| domain |
swiftcode.work |
| domain |
tvsnapp.com |
| domain |
ycxad.com |
| domain |
yxcrl.com |
| domain |
yydsmd.com |
| domain |
ztword.com |
| hostname |
cast.jutux.work |
| hostname |
old.1ztop.work |
| hostname |
www.jolted.vip |
|
