Pulse Detail — Threat Intelligence

PULSE NAME

Fake Zoom Ends in BlackSuit Ransomware

WHITE AlienVault 2025-03-31 Modified: 2025-04-30

IOCs

MEDIUM VOLUME

A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for lateral movement. They used various techniques for discovery and credential access, including LSASS memory dumping. The attacker employed QDoor for proxying RDP connections, facilitating data collection and exfiltration via the cloud service Bublup. The intrusion culminated in the deployment of BlackSuit ransomware across multiple systems using PsExec, with a total time to ransomware of 194 hours over nine days.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1560.001 T1047 T1033 T1204.002 T1087.001 T1069.002 T1135 T1082 T1021.002 T1572 T1003.001 T1482 T1059.001 T1547.001 T1069.001 T1486 T1218.010 T1567.002 T1570 T1127.001 T1518.001 T1059.003 T1189 T1134 T1071.001 T1018 T1105 T1021.001 T1564.001 T1569.002 T1490 T1102.001

MALWARE FAMILIES

BlackSuit SectopRAT Brute Ratel Cobalt Strike - S0154 QDoor d3f@ckloader

Indicators of Compromise (46)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	4b22032954a12677675add0de20d7b94	—	2025-03-31
FileHash-MD5	5b8ebe43ded7ba460e4827206329375a	—	2025-03-31
FileHash-MD5	80110fbb81d0407340b908bb43c815d3	—	2025-03-31
FileHash-MD5	8477ef317b8974e18ed84ca69b9f6a08	—	2025-03-31
FileHash-MD5	85144918f213e38993383f0745d7e41e	—	2025-03-31
FileHash-MD5	91f69fa3439f843b51c878688963e574	—	2025-03-31
FileHash-MD5	9bddb0e95a03fdcea4c62210f5818184	—	2025-03-31
FileHash-MD5	c0230d748e61819d9dfad0da03fe6ec8	—	2025-03-31
FileHash-MD5	d1ba9412e78bfc98074c5d724a1a87d6	—	2025-03-31
FileHash-MD5	d98fb34b4fa0f83d02e3272f1cb9c5fc	—	2025-03-31
FileHash-MD5	eae6cd02784743cde314afb8c533c5cd	—	2025-03-31
FileHash-MD5	f91fbe09b593fb1104b30e3343afb392	—	2025-03-31
FileHash-MD5	ffb3755897b8d38ccc70b9c3baa38960	—	2025-03-31
FileHash-SHA1	0572f98d78fb0b366b5a086c2a74cc68b771d368	—	2025-03-31
FileHash-SHA1	328d5554025757e5ec8e2e9eee2ad97d0e986a59	—	2025-03-31
FileHash-SHA1	3eb042e449c6097f29fad255d21aac336fae534b	—	2025-03-31
FileHash-SHA1	41360d3eae3a71dd60c9ac34788d6863ef4e3e30	—	2025-03-31
FileHash-SHA1	5b1e0d72435da7d3a97107cddc655be71769ba53	—	2025-03-31
FileHash-SHA1	6c75e2c704f69aaa09cdfd455c7bdbf9336dc7fe	—	2025-03-31
FileHash-SHA1	8d4f2aa315ce17505b8698db22ec2526805645a4	—	2025-03-31
FileHash-SHA1	951154980d3ddd4101b8e09b11669cbedc86f979	—	2025-03-31
FileHash-SHA1	a13061b229a225441f67d2b25ccda139ee21b14e	—	2025-03-31
FileHash-SHA1	a25cfdcff675277035fb35add9d273934117e943	—	2025-03-31
FileHash-SHA1	a6dcdfc8e97616c07549290950e78b145883e532	—	2025-03-31
FileHash-SHA1	c5826e9e3c4b1fece4991f269fd4e5307e92bfe2	—	2025-03-31
FileHash-SHA1	e50d9e3bd91908e13a26b3e23edeaf577fb3a095	—	2025-03-31
FileHash-SHA256	3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef	—	2025-03-31
FileHash-SHA256	3967b38f763b2e58b0679bc0178247b855c68d761187c71c2f1760b6882e473a	—	2025-03-31
FileHash-SHA256	58dde623e36fefe8038aa2d579d3d1f5394b96ea3623b3125876137b4ee08d80	—	2025-03-31
FileHash-SHA256	63dcff4bad9576794c3a412cf8dae83b807a138cc09c4de64485bb8ec991cd4b	—	2025-03-31
FileHash-SHA256	a8a88bf91d1280ffa59536a6e50f24fe9c1ef79f68a300ef047d92eec7231d9e	—	2025-03-31
FileHash-SHA256	b594b8b91b6967e2fa6946753c8fd3f6ed3592c55c49a0ada7abd41752ae8a41	—	2025-03-31
FileHash-SHA256	b676dbc3e20fa7acb92c1cc0a90132798c482dbf43211793abb937bd43295d42	—	2025-03-31
FileHash-SHA256	b837bec967df6748b72c3b43c254532620977d0bbe0fc23e0c178c74516baab9	—	2025-03-31
FileHash-SHA256	cb53118ec2d578febfd311bcda298c716f1f543b24f780f2721f45df0bda3dc3	—	2025-03-31
FileHash-SHA256	cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15	—	2025-03-31
FileHash-SHA256	e6cfae572f777def856878e36bbacfaa82cb5662fc97c1492e2367a105dddbc9	—	2025-03-31
FileHash-SHA256	ecb0b3057163cd25c989a66683cfb47c19f122407cbbb49b1043e908c4f07ad1	—	2025-03-31
FileHash-SHA256	f34aad9a56ca9310f40ecbcb075e4be12aaf9ef60fd24893b5e8fb28934cd730	—	2025-03-31
URL	http://78.47.105.28/manual/152/152.zip	—	2025-03-31
URL	http://78.47.105.28/manual/152/1522.zip	—	2025-03-31
URL	http://administrative-manufacturer-gw.aws-usw2.cloud-ara.tyk.io:443	—	2025-03-31
URL	http://megupdate.com:443	—	2025-03-31
URL	http://provincial-gaiters-gw.aws-use1.cloud-ara.tyk.io:443	—	2025-03-31
domain	megupdate.com	—	2025-03-31
hostname	administrative-manufacturer-gw.aws-usw2.cloud-ara.tyk.io	—	2025-03-31

References (1)

↗ https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/