Pulse Detail — Threat Intelligence

PULSE NAME

Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia

WHITE Armature_TIP 2025-02-22 Modified: 2025-03-24

IOCs

HIGH VOLUME

Cisco Talos has uncovered a new remote access trojan (RAT) used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia, with lures from Turkmenistan.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1553 T1055 T1059 T1573 T1102 T1574 T1140 T1547 T1036 T1566 T1113

MALWARE FAMILIES

SugarGh0st RAT PlugX SPIVY SugarGh0st generatedThe TorNet

Indicators of Compromise (86)

All URL hostname domain FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://45.144.31.57:80/S1VRB0HpMXR79eStog35igWKVTsdbx/chromeupdate.zip	—	2025-02-22
URL	http://94.198.40.4/homepage/index.aspx	—	2025-02-22
URL	http://stock.adobe-service.net/homepage/index.aspx	—	2025-02-22
hostname	stock.adobe-service.net	—	2025-02-22
domain	androidadbserver.com	—	2025-02-22
domain	androidmetricsasia.com	—	2025-02-22
domain	androidsdkstream.com	—	2025-02-22
domain	androidwebkit.com	—	2025-02-22
domain	backupitfirst.com	—	2025-02-22
domain	badbutperfect.com	—	2025-02-22
domain	buassinnndm.net	—	2025-02-22
domain	cloudieapp.net	—	2025-02-22
domain	craftwithme.uk	—	2025-02-22
domain	cvscout.uk	—	2025-02-22
domain	diveupdown.com	—	2025-02-22
domain	escuelademarina.com	—	2025-02-22
domain	goingupdate.com	—	2025-02-22
domain	irreceiver.com	—	2025-02-22
domain	javacdnlib.com	—	2025-02-22
domain	jdklibraries.com	—	2025-02-22
domain	nextroundst.com	—	2025-02-22
domain	officelibraries.com	—	2025-02-22
domain	passiovinum.com	—	2025-02-22
domain	playstoreapi.net	—	2025-02-22
domain	rockamore.co.uk	—	2025-02-22
domain	sdklibraries.com	—	2025-02-22
domain	sexyber.net	—	2025-02-22
domain	teraspace.co.in	—	2025-02-22
domain	wassonite.com	—	2025-02-22
domain	webbucket.co.uk	—	2025-02-22
domain	windowsupdatecloud.com	—	2025-02-22
domain	withupdate.com	—	2025-02-22
domain	wpseed.com	—	2025-02-22
domain	zclouddrive.com	—	2025-02-22
hostname	account.drive-google-com.tk	—	2025-02-22
hostname	account.gommask.online	—	2025-02-22
hostname	adb.androidadbserver.com	—	2025-02-22
hostname	api1.androidsdkstream.com	—	2025-02-22
hostname	dev.androidadbserver.com	—	2025-02-22
hostname	dl01.mozillasecurity.com	—	2025-02-22
hostname	dl01.windowsupdatecloud.com	—	2025-02-22
hostname	download.cvscout.uk	—	2025-02-22
hostname	download.rockamore.co.uk	—	2025-02-22
hostname	download.sexyber.net	—	2025-02-22
hostname	download.teraspace.co.in	—	2025-02-22
hostname	download.webbucket.co.uk	—	2025-02-22
hostname	jre.jdklibraries.com	—	2025-02-22
hostname	jun.javacdnlib.com	—	2025-02-22
hostname	jupiter.playstoreapi.net	—	2025-02-22
hostname	library.androidwebkit.com	—	2025-02-22
hostname	moon.playstoreapi.net	—	2025-02-22
hostname	sdk2.sdklibraries.com	—	2025-02-22
hostname	sni1.androidmetricsasia.com	—	2025-02-22
hostname	tl37.officelibraries.com	—	2025-02-22
hostname	ux.androidwebkit.com	—	2025-02-22
hostname	www.craftwithme.uk	—	2025-02-22
hostname	www.sexyber.net	—	2025-02-22
URL	http://45.144.31.57:80/S1VRB0HpMXR79eStog35igWKVTsdbx/chromeupdate.zipservers	—	2025-02-22
FileHash-SHA1	aae00106b5388e2cc1e7e31ed4568bbc2e0ab396	—	2025-02-22
FileHash-SHA256	0374a9812c7e43db1bde605cc3decff3d77c8b041b959a5422e4da0b60e0f6dc	—	2025-02-22
FileHash-SHA256	14c28d45b85f3301201448230623f9496161c2fabfbc855b0bb36ce1f48028bd	—	2025-02-22
FileHash-SHA256	182288af00ba55422d733dc9b3c6ec6ee7b7f231c59de91b8e352e6acc4500cf	—	2025-02-22
FileHash-SHA256	197f3be195767142f1a4da0ad9e108c23993361d1a180b62749a9b84ed0b1a45	—	2025-02-22
FileHash-SHA256	249d206a8cd18f10036cb45c470746438fc2c46dae40dbaa0f80bb8c4539b047	—	2025-02-22
FileHash-SHA256	427b6dc489cbfad36413fce6f71e82e158a6632c9986c1dee1af7676a129f048	—	2025-02-22
FileHash-SHA256	48c65bb99ce954df0ee492b92e634d602d621295be2ff87e57fcb07c8b33db8b	—	2025-02-22
FileHash-SHA256	4d4d8f9941fa5e378f6019d1a4e20bb70bce31db23720724ec35a373eb7ecf75	—	2025-02-22
FileHash-SHA256	598c2b0b15b7b35b93f7435aecbd377de66ac3ccc4b7af8edce1ce3bc6d773cd	—	2025-02-22
FileHash-SHA256	65a5d5d55307b1f8fd7d087d560ff8b64e0e2e3d78a73f43e9d3550bce8d17bb	—	2025-02-22
FileHash-SHA256	6ca2415aabb806a871889c2ab48ad05b1ba444b5867ceadbcea3ab7f23de72f4	—	2025-02-22
FileHash-SHA256	83f6fc6d74667390f330e92a9c80f63795acaa8bc915907a4d69446cf0697a9b	—	2025-02-22
FileHash-SHA256	8fd7e05fd420f85fa978dea833be454eb2043110112edea3e433d7fc0d08e01d	—	2025-02-22
FileHash-SHA256	9d4283c05417c0b49a00c6e5159eb5bcb52142036f94fcdfb9712b231d020955	—	2025-02-22
FileHash-SHA256	9f1cd725116114ab72c772c99a4809f5870dfceebb1f47f24c68025e34e714f9	—	2025-02-22
FileHash-SHA256	ace39c3b6632770952207593607e6e0be0db363435a8b877b1f96abe6430f345	—	2025-02-22
FileHash-SHA256	b84ebbe57151844ac7ac9fc5d488e4696f37f98779d13dceafe6c5a7f2219a4c	—	2025-02-22
FileHash-SHA256	bd3d9bad4d460da08a4a3ae655e7c49b8435efd39ea4faa19ed052c7f65423ab	—	2025-02-22
FileHash-SHA256	d7e38434ef11b3a4136492a9adfc1855177d90b68e056a7e2a2b7fe1582065e9	—	2025-02-22
FileHash-SHA256	dc00f24eaba97b0bdaef7e7bf29101b675f8acef43b66bf3204003267fced67b	—	2025-02-22
FileHash-SHA256	dde3e5dca9e0498db558dd8e83f27143ad86cd0fcca1a33964ee4f3100682db8	—	2025-02-22
FileHash-SHA256	e0d74111df756724d22b00c9e2c084a851e5afecf111697dc8f719d9ce5a9589	—	2025-02-22
FileHash-SHA256	e2330f64c92a49927098f8a07de9da8fc54c87a89dc549f6ebdcf3bc78732db2	—	2025-02-22
FileHash-SHA256	f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb	—	2025-02-22
FileHash-SHA256	f654cf88132548c4bbf22452395a1ba5b6511ff32842baef4b7bee3fa51f574e	—	2025-02-22
URL	http://app.turkmensk.org/homepage/index.aspx	—	2025-02-22
domain	2fgithub.com	—	2025-02-22

References (2)

↗ https://blog.talosintelligence.com/new-spicerat-sneakychef/ ↗ https://github.com/Cisco-Talos/IOCs/blob/main/2024/06/new-spicerat-sneakychef.txt