Pulse Detail — Threat Intelligence

PULSE NAME

ExCobalt: GoRed, the hidden-tunnel technique

WHITE Armature_TIP 2025-02-22 Modified: 2025-03-24

191

IOCs

HIGH VOLUME

A hidden-tunnel tool used by a notorious cybercrime gang has been discovered by the PT ESC CSIRT team, which investigates attacks linked to Russia and other countries in the future.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1003 T1020 T1021 T1027 T1033 T1041 T1046 T1048 T1053 T1057 T1059 T1068 T1070 T1071 T1074 T1082 T1083 T1087 T1090 T1095 T1106 T1132 T1136 T1140 T1195 T1199 T1485 T1486 T1505 T1560 T1563 T1567 T1572 T1573 T1583 T1587 T1595 T1601 T1614 T1110 T1566 T1102 T1049 T1547

MALWARE FAMILIES

Cobalt Strike GoRed Baron Samedit

Indicators of Compromise (191)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL YARA domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
CVE	CVE-2019-12725	—	2025-02-22
CVE	CVE-2019-13272	—	2025-02-22
CVE	CVE-2021-3156	—	2025-02-22
CVE	CVE-2021-4034	—	2025-02-22
CVE	CVE-2021-40438	—	2025-02-22
CVE	CVE-2021-44228	—	2025-02-22
CVE	CVE-2022-2586	—	2025-02-22
CVE	CVE-2022-27228	—	2025-02-22
CVE	CVE-2023-3519	—	2025-02-22
FileHash-MD5	0385b0f83dbfc99c243ff066e3fe3cb2	MD5 of 4f6164321d10c7a54a54398ccc7b11c1e7390e38	2025-02-22
FileHash-MD5	0cda2ee10f5b8e9a241ef3e7e352752d	—	2025-02-22
FileHash-MD5	166a248f264fbf11998c86e8b384e47a	—	2025-02-22
FileHash-MD5	2cad1092a2828a33df2156a3a97d7cf1	—	2025-02-22
FileHash-MD5	3500760bc3e69102e01d256637f5f4a8	—	2025-02-22
FileHash-MD5	376531d8a3a19016aa64d80dec23d980	—	2025-02-22
FileHash-MD5	415d091f42fc62e8dfb6f8bb5ce641c5	—	2025-02-22
FileHash-MD5	46eb5fa7c75cc29d89f3e48be26bbd46	—	2025-02-22
FileHash-MD5	489fbca25049e5fab9dca10541e33214	—	2025-02-22
FileHash-MD5	4a04baf3c65581bcd14fbaf58aa6860b	—	2025-02-22
FileHash-MD5	63f6de3c86de55172b147b947f29c808	MD5 of 5a504869350a4bdbcda22b09dbe7b05a7551a860	2025-02-22
FileHash-MD5	64db61efc8acf370b91110b6f93d4dce	MD5 of a81373d92d798418109552fb91d4c407d4c37a89	2025-02-22
FileHash-MD5	6ea3feb1888ce02e3d0d2857b5ef71c4	—	2025-02-22
FileHash-MD5	6f6e7fe49a8d5696f389e202d3b8c7e2	—	2025-02-22
FileHash-MD5	76cc921e5b26a0720db213479bff1ea2	—	2025-02-22
FileHash-MD5	7dc1e49f1664af70d85d31af70f29071	—	2025-02-22
FileHash-MD5	83b8aa078be2a0a5ca0ebf1968989a4b	—	2025-02-22
FileHash-MD5	848faa5839487c4331cb2a1146811f23	—	2025-02-22
FileHash-MD5	89ae36448f1922870f1a09c29f17c775	MD5 of 3b1329e81739b1ea6acbb4ec4dff11f02ff42570	2025-02-22
FileHash-MD5	9b6122f1b4f6513c22b50ef05e881f38	—	2025-02-22
FileHash-MD5	a2ff5b0bc0782560090574c992ccf995	—	2025-02-22
FileHash-MD5	a5fa43f822b6dd88298371232d49c597	MD5 of 1aa5b4deae98f707b0a529d97fd8e7f2372c549e	2025-02-22
FileHash-MD5	ad5c0363e7e28c69007f891fbc3dd030	—	2025-02-22
FileHash-MD5	b3a07b9f99f8d36bda871b63d55afb01	MD5 of 7e3d46ce5aa7345d8b84e6145323366122bd21f4	2025-02-22
FileHash-MD5	b5dc9a67f76fa18784b51fd3c5b9607c	MD5 of de243b57b087f5d1cde50db1949aa3744f1f6b5e	2025-02-22
FileHash-MD5	b747c05888caf380edf6b2baab142272	—	2025-02-22
FileHash-MD5	b7735e157273a013f26515f0c969b093	—	2025-02-22
FileHash-MD5	b7db832b2598c83b7b077ce603a3ff73	MD5 of 1af6946263f4f548ffcf510c9f68378a4d7e0895	2025-02-22
FileHash-MD5	bc421b337fc639749528f2e756239269	—	2025-02-22
FileHash-MD5	c02bee46d6a7a46f54e6abe003fec897	—	2025-02-22
FileHash-MD5	c1f3f6efb9ef18268eb3b841065e6554	—	2025-02-22
FileHash-MD5	cad5cb82baccd1f28e381e5c924f204a	—	2025-02-22
FileHash-MD5	caf68b393d56548074b9434564cb0625	—	2025-02-22
FileHash-MD5	cded33e0e37e14bbf7cac53c4e305ece	—	2025-02-22
FileHash-MD5	d08bef69aee69d91b8cd0315175f665c	—	2025-02-22
FileHash-MD5	d215a54c581ab62079389c852d9ef84f	—	2025-02-22
FileHash-MD5	d3064fe5d8a402b26099fcdbaeaedef1	MD5 of f07e31056001ccc26be75772c9a2f3972cd8d96a	2025-02-22
FileHash-MD5	d3cd9d9bad6450e8fd4fd2e972639c69	MD5 of a190448a0c01a6e58610de27d022ccba0e755f79	2025-02-22
FileHash-MD5	e210c26d26a1395d9bc1de21fe1b2975	—	2025-02-22
FileHash-MD5	eda9ca5f9405b5e2d004a4ba5c0dcd16	—	2025-02-22
FileHash-MD5	fad11b841d84bbe33248719341b298d3	—	2025-02-22
FileHash-MD5	fbb3f02b37b10bde868fed9d7b750fd8	—	2025-02-22
FileHash-MD5	fc3b7f47958f6c1c6a93a2f2f970734c	MD5 of 8030f2430234426ab3bdc8cdd995be7c4805d7d2	2025-02-22
FileHash-MD5	fcc1ad58da960c5780a66fcc24c6c2fa	—	2025-02-22
FileHash-MD5	ffc418b222c08f3071ff53cde4acb22e	—	2025-02-22
FileHash-SHA1	0f621d371782f8e610c630f942a8951878e90bfe	—	2025-02-22
FileHash-SHA1	1981f9a1d885c0ccb2d1f5910765a52d1989bc37	—	2025-02-22
FileHash-SHA1	1aa5b4deae98f707b0a529d97fd8e7f2372c549e	—	2025-02-22
FileHash-SHA1	1af6946263f4f548ffcf510c9f68378a4d7e0895	—	2025-02-22
FileHash-SHA1	1d4c0b3c74ddacf7459743cc60dd2a819c0c7e27	—	2025-02-22
FileHash-SHA1	1d784e6c7d12fb7730895f21e4bfd3cde4b3900f	—	2025-02-22
FileHash-SHA1	1fc930a59587fd9faf7536add47d92de0cecea53	—	2025-02-22
FileHash-SHA1	2683dcce7fc3886f8305030b128103bd82cea528	—	2025-02-22
FileHash-SHA1	27dd8d144d0ac3af9f4ad3df8a060d86166ae7a5	—	2025-02-22
FileHash-SHA1	352a62abc61c93fdb08f6f4201326f147cb819ca	—	2025-02-22
FileHash-SHA1	36ef757aa3eedc3ec22bb56d60931c88cc62770e	—	2025-02-22
FileHash-SHA1	3b1329e81739b1ea6acbb4ec4dff11f02ff42570	—	2025-02-22
FileHash-SHA1	3dd9bd38a8f8166b1af25cb523a9a6f25b1791df	—	2025-02-22
FileHash-SHA1	4ba1ae554f2cfeeccf250ba5a258a4ffb8651c66	—	2025-02-22
FileHash-SHA1	4f6164321d10c7a54a54398ccc7b11c1e7390e38	—	2025-02-22
FileHash-SHA1	58d03630792f287184177660d9fd846fbde5416c	—	2025-02-22
FileHash-SHA1	5a504869350a4bdbcda22b09dbe7b05a7551a860	—	2025-02-22
FileHash-SHA1	5e79fffbbafddeb2d85c8fe835b07eeda08cc319	—	2025-02-22
FileHash-SHA1	6559a9eda3b8164e0c8926b4b71780f7744c4cb7	—	2025-02-22
FileHash-SHA1	680cb0a25e4a5148f5a1f7d3b75fad4fd345cdb0	—	2025-02-22
FileHash-SHA1	6ff2821bef28476341b75b67d9c9f2d66d4b6cfe	—	2025-02-22
FileHash-SHA1	6ffe11b31443bd9cef4928aa3f29b11d0e47ccec	—	2025-02-22
FileHash-SHA1	7c27d25dbc01958724fd55f0fadf966e892d181e	—	2025-02-22
FileHash-SHA1	7e0a4c53bf3dfcb08993231539986a220a6803fd	—	2025-02-22
FileHash-SHA1	7e3d46ce5aa7345d8b84e6145323366122bd21f4	—	2025-02-22
FileHash-SHA1	8030f2430234426ab3bdc8cdd995be7c4805d7d2	—	2025-02-22
FileHash-SHA1	81861a853216f78219dd8cb0b4717d5d63260e7d	—	2025-02-22
FileHash-SHA1	91eeab83ddcd82a77804f2e5572d849dc846b225	—	2025-02-22
FileHash-SHA1	928e4e776e82645fe14a53e2ad62b5cb75b98b53	—	2025-02-22
FileHash-SHA1	97a3ead87af829f77dacfa23ab2786b21b427332	—	2025-02-22
FileHash-SHA1	9de84bd7118dee80f5b309ddbc46dc31283cbb0e	—	2025-02-22
FileHash-SHA1	a16120cca64e0c9a73f02975691e4675bb4c44a4	—	2025-02-22
FileHash-SHA1	a190448a0c01a6e58610de27d022ccba0e755f79	—	2025-02-22
FileHash-SHA1	a81373d92d798418109552fb91d4c407d4c37a89	—	2025-02-22
FileHash-SHA1	ad6653a7ee1bcb9590f5da12cf46d856135bbb71	—	2025-02-22
FileHash-SHA1	ada92c3a38e227aa8d42b4886e036caddba2cf84	—	2025-02-22
FileHash-SHA1	c5540ec2ec79a21f07b0d793cc36b024a0db64cc	—	2025-02-22
FileHash-SHA1	ca9a2e18119ac348962e2112c6681268e1df73d1	—	2025-02-22
FileHash-SHA1	d75faee2f8ec90a69354a2c033f20e18e5ed0589	—	2025-02-22
FileHash-SHA1	de243b57b087f5d1cde50db1949aa3744f1f6b5e	—	2025-02-22
FileHash-SHA1	ef50067027e27bea188023fa6a8ce9054c7d4ce9	—	2025-02-22
FileHash-SHA1	f07e31056001ccc26be75772c9a2f3972cd8d96a	—	2025-02-22
FileHash-SHA1	f640f70d1b65b0bfc8bcbf5261f3cdc85cfe7a21	—	2025-02-22
FileHash-SHA1	f67dbe68fc11139b719fec11784247c5f6e7ea93	—	2025-02-22
FileHash-SHA1	fd7532d2a42dd3ba26a1a3453698b8bc481f4675	—	2025-02-22
FileHash-SHA256	017e03f9185e24c30de6b94bd6a36d48788d0b72134235e3f3dd1322dca426c9	—	2025-02-22
FileHash-SHA256	0ac2f15f3a36e67b8e03f69685193480edf3e3b10fc69ccbec76d3d5878c708c	—	2025-02-22
FileHash-SHA256	10f1aa385108a88a15c281774f424e18070dcc256d0f778883efe6d7bcacacb6	—	2025-02-22
FileHash-SHA256	17e57c5e71b99a386b18728eac4a27e83415756071c9e85859940da41e94976b	—	2025-02-22
FileHash-SHA256	1807c7a44da958f15e4dcb77cab78e92eeb96b3ace91d6923c2022d646d5593c	—	2025-02-22
FileHash-SHA256	1b96adc3c129e7e41f7c67f0d56dc05d6cdee31f69ff85f27e6a90270cfefdcf	—	2025-02-22
FileHash-SHA256	20927a1fc3441668264673d77c81652818a630f3b2055545b0e0938c523827c3	SHA256 of 1af6946263f4f548ffcf510c9f68378a4d7e0895	2025-02-22
FileHash-SHA256	211a73ab3fb49957277a2efb50ad3140673b65df577961a58c3c9c90791e961e	—	2025-02-22
FileHash-SHA256	22ab2abda59edc1b6ba733fc140ab0c6b0c503b726a377a2e2ee6e6c95644aae	SHA256 of f07e31056001ccc26be75772c9a2f3972cd8d96a	2025-02-22
FileHash-SHA256	32d76f2fe1188a131cb3219356639e83c60d47a703e40b8801a364d98e37128f	SHA256 of 4f6164321d10c7a54a54398ccc7b11c1e7390e38	2025-02-22
FileHash-SHA256	37affeab7fb06a052413e9cc9272ea9cb2fd160fd204b506620d4303b06298c4	—	2025-02-22
FileHash-SHA256	41d35016c78f86eee8972808c7de8c200ff24625639adff5b9d0ab8773fff6b4	—	2025-02-22
FileHash-SHA256	4561a38ff34cc71cc73d54e2adfbd378f58d54596b012ff1841fdd7fc42063c3	—	2025-02-22
FileHash-SHA256	5a3a44d5482bb9b632d0a9da47e5ae7d27cd397ca08d764bdf1ed636565ef5e7	—	2025-02-22
FileHash-SHA256	6262558adf132ae3c67d6f241c7abd62f987ce2881d459a66332234971e49e95	—	2025-02-22
FileHash-SHA256	67b7a8fad28dcc40c0889e5c4e40aef9348441c64bba74bd6db885d88ce6d246	—	2025-02-22
FileHash-SHA256	7d2ae888fd06b811f6ba880c1fec3f37d49d50e0716de1b28f978240abe7795e	SHA256 of 1aa5b4deae98f707b0a529d97fd8e7f2372c549e	2025-02-22
FileHash-SHA256	7e8bde3e34fbf9b99b7915e12de42f6b806153e44b6aaf68b172db50e18e3b9e	—	2025-02-22
FileHash-SHA256	86bd9caab7526f2cd7e468d692ee2bac571465d25eb0619a10b0b46ae9a5b8e2	—	2025-02-22
FileHash-SHA256	895988088f25c89295f1a17f222a4553eafb2137b115f2ad4a0a25d273eb6521	—	2025-02-22
FileHash-SHA256	8c545687a21481969ea4299e997cfc527a16503d042c2116801ee08f14ec6595	—	2025-02-22
FileHash-SHA256	8d055f3ad4d01f601df24a7c20ded981005adef7e6d26750415d1f95a471c2e3	—	2025-02-22
FileHash-SHA256	8fe0ba1cb68225ab9a2cb11c1419f52adb03898c5f11d2221ba9765843443d24	—	2025-02-22
FileHash-SHA256	91136b3145a52b66a3f5edd7d8a8d06698666300f24861074df1308491f50ba5	—	2025-02-22
FileHash-SHA256	9bad8f88be8f143e37616556b9331af69a806281019b8a336ee6e14cd04b3c0e	SHA256 of 7e3d46ce5aa7345d8b84e6145323366122bd21f4	2025-02-22
FileHash-SHA256	9ec7495bb6d3a7d3bfd5d5ae9e704d0f42f3136166652a5576f15d0379126d75	—	2025-02-22
FileHash-SHA256	a5e61987676b7aed2c6d6d32c657f9351c2daa7c36365db20713dd42a03b1504	—	2025-02-22
FileHash-SHA256	a6dfef8616959969c06b65685e39929630f2819e6d5920498cdb1e89185ab7cd	—	2025-02-22
FileHash-SHA256	a9b1a99729860c004fbef463958871956cbb3c8e365383042978c260012055bd	—	2025-02-22
FileHash-SHA256	ab801eaa9ad11199e1382a124d6024f9551a5a33ca1b9e5cafc0098621abb91f	SHA256 of 8030f2430234426ab3bdc8cdd995be7c4805d7d2	2025-02-22
FileHash-SHA256	ac0906ff674c555e102f076100d0c12ea4a4aa7d74cc15f67c4038a84100f4cf	—	2025-02-22
FileHash-SHA256	aca34d7c3832879f6f7ebe8f7c59160896909574c94d1d12d7c71b6f7918bc50	SHA256 of de243b57b087f5d1cde50db1949aa3744f1f6b5e	2025-02-22
FileHash-SHA256	bc159721bbe192f9c5cd24d3e9356a28f5b0c6b182de9fecf0b0ac28035f566a	—	2025-02-22
FileHash-SHA256	be246cdf932aa5b1c2ada0d74c8d1eca4028538b28fb61d7a8d930b4266fd55c	SHA256 of a190448a0c01a6e58610de27d022ccba0e755f79	2025-02-22
FileHash-SHA256	c0cd580d83f4171b34b956d0c29dbc8fcafba8889594d85d471c14d7cf33be79	—	2025-02-22
FileHash-SHA256	c287956c4eb683e1ee62bc9ddb739d3d1c9c5dad7a73be3977bc53468665c7f7	—	2025-02-22
FileHash-SHA256	c738d594d09c651109c4422acbecad23a461bab6cd4eafc41546f036816533a0	—	2025-02-22
FileHash-SHA256	e2b2ebe1b82d1c122dc2750f318f2484fe5361fcd964bfdcdcae631cf32f8d37	—	2025-02-22
FileHash-SHA256	ec36fcd64432843292d16f601a758ba4091ada906c5c4c4e540e326676911141	—	2025-02-22
FileHash-SHA256	f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1	SHA256 of 3b1329e81739b1ea6acbb4ec4dff11f02ff42570	2025-02-22
FileHash-SHA256	f3bb44d52e43477ce43c91eb8d9830e356fc105b96377edd6b190fcccda61e2f	—	2025-02-22
FileHash-SHA256	f43c99ef85166774ed47cad96c70b8273aa82c313e55bb08d9c74e2b3f59b000	SHA256 of a81373d92d798418109552fb91d4c407d4c37a89	2025-02-22
FileHash-SHA256	f56b7fbc5dda7e46aff1b7753a1edb1f6fad5c8953dd3dbff30b3d8675b1dbd3	—	2025-02-22
FileHash-SHA256	f6e8220dbf407300fbc78d823004de5d0c4d2816218b8e2b5f8993e97f1e6a32	—	2025-02-22
FileHash-SHA256	f91c9fd27bf0e3a7e82998721946ee70735ec46ee672ca80e3062aa2d5195447	SHA256 of 5a504869350a4bdbcda22b09dbe7b05a7551a860	2025-02-22
URL	http://red.team/go-red/	—	2025-02-22
URL	http://red.team/go-red/backend/	—	2025-02-22
URL	http://red.team/go-red/bb/	—	2025-02-22
URL	http://red.team/go-red/birdwatch/	—	2025-02-22
URL	http://red.team/go-red/collector/	—	2025-02-22
URL	http://red.team/go-red/config/	—	2025-02-22
URL	http://red.team/go-red/dns/	—	2025-02-22
URL	http://red.team/go-red/gecko/	—	2025-02-22
URL	http://red.team/go-red/icmptunnel/	—	2025-02-22
URL	http://red.team/go-red/packer/	—	2025-02-22
URL	http://red.team/go-red/proxy/	—	2025-02-22
URL	http://red.team/go-red/revshell/	—	2025-02-22
URL	http://red.team/go-red/util/	—	2025-02-22
YARA	613ad95e09293c4ea0897c2086d5f280f07d291b	—	2025-02-22
YARA	70a0d4b3aee061bd31db8bed1a3cc3f5dc974603	—	2025-02-22
YARA	d50823fdc1adc7bf269469da4dc640efa0fef888	—	2025-02-22
domain	common.run	—	2025-02-22
domain	read.me	—	2025-02-22
domain	rosm.pro	—	2025-02-22
hostname	8e1a4qb4oga66rpjchl72djgckrmior8cdn3edjbdooaeq3fedq5uqb4oga66rp.jchl6edjgckrmior8cdn3edjbdljg.rosm.pro	—	2025-02-22
hostname	amd64.rpm-bin.link	—	2025-02-22
hostname	base.upd-rkn.net	—	2025-02-22
hostname	bot.upd-rkn.net	—	2025-02-22
hostname	chifa.rpm-bin.link	—	2025-02-22
hostname	ci.rpm-bin.link	—	2025-02-22
hostname	ci.upd-rkn.net	—	2025-02-22
hostname	get.rpm-bin.link	—	2025-02-22
hostname	get.setup.mom	—	2025-02-22
hostname	get.upd-rk.net	—	2025-02-22
hostname	get.upd-rkn.net	—	2025-02-22
hostname	leo.rpm-bin.link	—	2025-02-22
hostname	lib.rpm-bin.link	—	2025-02-22
hostname	mtp.upd-rk.net	—	2025-02-22
hostname	mtp.upd-rkn.net	—	2025-02-22
hostname	narwhal.rpm-bin.link	—	2025-02-22
hostname	ops.rpm-bin.link	—	2025-02-22
hostname	pkg.collect.net.in	—	2025-02-22
hostname	pkg.dpkg-source.info	—	2025-02-22
hostname	rhl.rpm-bin.link	—	2025-02-22
hostname	rls.upd-rkn.net	—	2025-02-22
hostname	source.rpm-bin.link	—	2025-02-22
hostname	src.setup.mom	—	2025-02-22
hostname	sula.rpm-bin.link	—	2025-02-22
hostname	trust.setup.mom	—	2025-02-22
hostname	unicorn.rpm-bin.link	—	2025-02-22
hostname	wired.setup.mom	—	2025-02-22
YARA	abff0fea0377c12e3c7671bfad3ccf4a095b18c3	—	2025-02-22

References (1)

↗ https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique/