Unfurling Hemlock: Threat group uses cluster bomb campaigns
TLP: WHITE | Author: AlienVault | Created: 2024-07-01 | Modified: 2024-07-31 | 41 IOCs (medium volume)
A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is delivered using a 'cluster bomb' technique: each sample is a multi-stage bundle of nested executable files, and each stage carries additional malware payloads. The distributed malware includes stealers such as Redline, RisePro, and Mystic Stealer, as well as loaders such as Amadey and SmokeLoader. The campaign appears financially motivated and targets victims globally with no specific industry focus. The actor is suspected to be Eastern European, based on language artifacts and hosting infrastructure.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: Redline, Mystic Stealer, RisePro, Amadey (S1025), SmokeLoader
Indicators of Compromise (41): URLs, file hashes (MD5, SHA1, SHA256) and domains, each created 2024-07-01