← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Unfurling Hemlock: Threat group uses cluster bomb campaigns
WHITE Unfurling Hemlock AlienVault 2024-07-01 Modified: 2024-07-31
41
IOCs
MEDIUM VOLUME
A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is distributed using a 'cluster bomb' technique where each sample contains multiple stages of nested executable files, each containing additional malware payloads. The distributed malware includes stealers like Redline, RisePro, and Mystic Stealer, as well as loaders like Amadey and SmokeLoader. The campaign appears financially motivated and targets victims globally with no specific industry focus. The actor is suspected to be Eastern European based on language artifacts and hosting infrastructure.
redlinecluster bombsmokeloadermass distributioneastern europeanamadeyriseprostealersmystic stealer
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Redline Mystic Stealer RisePro Amadey - S1025 SmokeLoader
Indicators of Compromise (14 / 41 total)
All URL FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain
TYPEINDICATORDESCRIPTIONCREATED
URL http://5.42.92.93/39902/from.exe 2024-07-01
URL http://5.42.92.93/i/smo.exe 2024-07-01
URL http://77.91.124.130/gallery/photo_570.exe 2024-07-01
URL http://77.91.68.21/nova/foxi.exe 2024-07-01
URL http://109.107.182.3/love/bongo.exe 2024-07-01
URL http://109.107.182.3/some/love.exe 2024-07-01
URL http://109.107.182.45/red/line.exe 2024-07-01
URL http://185.215.113.68/theme/index.php 2024-07-01
URL http://185.46.46.146/none/vah50.exe 2024-07-01
URL http://193.233.255.73/loghub/master 2024-07-01
URL http://77.91.124.1/theme/index.php 2024-07-01
URL http://77.91.124.20/store/games/index.php 2024-07-01
URL http://77.91.68.29/fks/ 2024-07-01
URL http://globalsystemperu.com/forms/gate4.exe 2024-07-01
References (1)
↗ https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/