Pulse Detail — Threat Intelligence

PULSE NAME

New Botnet Emerges from the Shadows: NightshadeC2

WHITE AlienVault 2025-09-05 Modified: 2025-10-05

IOCs

HIGH VOLUME

A new botnet called NightshadeC2 has been identified, employing sophisticated techniques to bypass malware analysis sandboxes and exclude itself from Windows Defender. It uses a 'UAC Prompt Bombing' technique and has both C and Python variants. The botnet's capabilities include reverse shell, file execution, self-deletion, remote control, screen capture, hidden web browsers, and keylogging. It's being distributed through ClickFix attacks and trojanized legitimate software. The botnet uses encryption for C2 communication and gathers victim information. It also employs various persistence mechanisms and can bypass certain sandbox environments. The discovery highlights the evolving sophistication of malware and the need for advanced detection and response capabilities.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1113 T1033 T1056.001 T1204.002 T1115 T1082 T1055 T1547.009 T1112 T1016 T1083 T1497 T1057 T1059.001 T1547.001 T1027 T1012 T1059.003 T1027.002 T1518 T1055.001

Indicators of Compromise (76)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	03935f58d2d3efb35c1ddaafb6d90b98	—	2025-09-05
FileHash-MD5	185fcf0307266e4852432ca35aee0d9a	—	2025-09-05
FileHash-MD5	4b139d1e079eb10ffd2543e22ea438dd	—	2025-09-05
FileHash-MD5	66b2d356076a39300abc31abfe8cfea8	—	2025-09-05
FileHash-MD5	67deffe47d3cd06280a8ed4c45732ad8	—	2025-09-05
FileHash-MD5	8193d8266f7e1c6b9224ac9da2fbf990	—	2025-09-05
FileHash-MD5	82c7d087f69e5594489ea1be1755e829	—	2025-09-05
FileHash-MD5	87f7c07fec9cf5396e09b19b56f9be2c	—	2025-09-05
FileHash-MD5	a1652546e05709972a040dcf2f452b82	—	2025-09-05
FileHash-MD5	aa6c3ddf1ca9fccc6e9518a9b004f4ee	—	2025-09-05
FileHash-MD5	ac77ab1a3f5a3691e23265bc495e84e8	—	2025-09-05
FileHash-MD5	b8ddd22670522a352a7586303c785d62	—	2025-09-05
FileHash-MD5	c16d822930acf6e2f788e98966a69d80	—	2025-09-05
FileHash-MD5	cf4958e8024e9071b540eacee8b3e424	—	2025-09-05
FileHash-MD5	f8fae59f47f269cb4ee50e701fddc76c	—	2025-09-05
FileHash-SHA1	02fb82b08fddb0e648c57750a3502b74475f3035	—	2025-09-05
FileHash-SHA1	1a1fd402595c59e311a265ebe63a30b69361180f	—	2025-09-05
FileHash-SHA1	29bac75338fd0c4767db87473920677ded49ae5f	—	2025-09-05
FileHash-SHA1	33c1f41da4df460b8c0b3d5624f9635d3f6f5f9f	—	2025-09-05
FileHash-SHA1	3f94d8fbe3478cafe5b14db43810ce1f508528ee	—	2025-09-05
FileHash-SHA1	50c4a056ceff2ab24a0d1756f116e3a5de8c8b2b	—	2025-09-05
FileHash-SHA1	562e9907f6f6b4ebfc929bf7378e0348ddde1029	—	2025-09-05
FileHash-SHA1	593b0e04cdfdba94d3cb78f113d8a971fe1deb21	—	2025-09-05
FileHash-SHA1	861fa0a2edec4b773852029abea4b03ba17f181d	—	2025-09-05
FileHash-SHA1	8e8a76205809bdbf17b0760a001a5aa1a2ac9e74	—	2025-09-05
FileHash-SHA1	ae1a8e192b8416b72da711dbd8b32eaf80d788e3	—	2025-09-05
FileHash-SHA1	bcaca5c44f6f95aa6ef9c8af59d8d25902bb92cd	—	2025-09-05
FileHash-SHA1	bef2555eaff165cae5f67f9191d7431a14a04180	—	2025-09-05
FileHash-SHA1	ce76704011fa860b129a9a23deffa8c0e129e0c9	—	2025-09-05
FileHash-SHA1	fdda195f3570dcd412db8dc74fb2f804259b331a	—	2025-09-05
FileHash-SHA256	04a1852aed5734d8aaf97730a7231272f103605a4f83ea8413abe6f8169aee4c	—	2025-09-05
FileHash-SHA256	05a4f648099d0b35d6eb4662266b1046d4691bb8e739a4fd4e4e55e69774ef1f	—	2025-09-05
FileHash-SHA256	05d2d06143d363c1e41546f14c1d99b082402460ba4e8598667614de996d2fbc	—	2025-09-05
FileHash-SHA256	0c08b5f3c24841d5fe02ddebdcf4707a75c790916c3ad4c769108241ddf999e4	—	2025-09-05
FileHash-SHA256	0e9d984f980ceffb846946a8926e1d69abf2d07a6b710b8f8c802026ba3bbdb4	—	2025-09-05
FileHash-SHA256	0fd7eb57f5f9d817dd497c1ce3be0791f5e798077f8dc2c3a4e2b2b0b0bdc2c6	—	2025-09-05
FileHash-SHA256	1178fa21928e5aac0f320e18bfb15603e00d3b8874719f4e74dd4f49db6dc5a8	—	2025-09-05
FileHash-SHA256	1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75	—	2025-09-05
FileHash-SHA256	21497a0eb89f321f971b4346880b43b342df131c431788cff4685c5a5a71b53e	—	2025-09-05
FileHash-SHA256	24934295a5824ef8ec8df1df9ee5bc719bb98e9b6b55b2cbbb02498782762cc5	—	2025-09-05
FileHash-SHA256	26a5e18d6ac86a865250452528664d4cde74187d741fcf98370efb34d4219490	—	2025-09-05
FileHash-SHA256	282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207	—	2025-09-05
FileHash-SHA256	2fcb76dfdfcd390658bbc032faafef607804d5d4a2f1c0005f274ab2e06d8af4	—	2025-09-05
FileHash-SHA256	375229df144b3fb0d0560d90b06aa7fe34825886069653a088fa4071476cf63e	—	2025-09-05
FileHash-SHA256	39b40746de01af66c0e5ce5888df4c42e474adcdb4301275b1474423d7a0ff1f	—	2025-09-05
FileHash-SHA256	3dd877835c04fde3f2d14ce96f23a1c00002fefa9d731e8c4ce3b656aac90063	—	2025-09-05
FileHash-SHA256	420f13538c0c2620eba396e96afdf36430b2618d7d215e96c81444379ab8a7bc	—	2025-09-05
FileHash-SHA256	53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df	—	2025-09-05
FileHash-SHA256	58d54e2454be3e4e9a8ea86a3f299a7a60529bc12d28394c5bdf8f858400ff7b	—	2025-09-05
FileHash-SHA256	5a741df3e4a61b8632f62109a65afc0f297f4ed03cd7e208ffd2ea5e2badf318	—	2025-09-05
FileHash-SHA256	6d62210addb8268d0bd3e6ef0400d54c84e550ccad49f5867fdc51edc0c1db2c	—	2025-09-05
FileHash-SHA256	7ce399ae92c3e79a25e9013b2c81fe0add119bda0a65336d1e5c231654db01a5	—	2025-09-05
FileHash-SHA256	85b4d29f2830a3be3a0f51fbe358bea1a35d2a8aaa6a24f5cc1f2e5d2769716e	—	2025-09-05
FileHash-SHA256	8940944e4abc600b283703876def0403160a5109abdbcb9e97c488dc3cc59b94	—	2025-09-05
FileHash-SHA256	94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a	—	2025-09-05
FileHash-SHA256	a2feb262a667de704e5e08a8a705c69bbcc806e0d52f0f8e3f081a6aa6c8d7b4	—	2025-09-05
FileHash-SHA256	c4fd98db8d8181d949ee4ff47991dda70f73b47c72104aa519150223dd8d3588	—	2025-09-05
FileHash-SHA256	cbee972115b129ed3ce366217321a6f431ab86d9bf61c90ef7d224f1004a672c	—	2025-09-05
FileHash-SHA256	ce2ad8b6d76ba03c96d9248ac3d22590801e00611244c1942875adf52c154971	—	2025-09-05
FileHash-SHA256	cf0c7e0f3c3ea60da7bfe779f09d32b441d5089c905a5d905253e2f4b2b202fd	—	2025-09-05
FileHash-SHA256	e77bc95772ae84e5ecf68c928059cab3e305f92b1518d0ec3f8a7eb6eb728503	—	2025-09-05
FileHash-SHA256	f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be	—	2025-09-05
domain	bikbal.com	—	2025-09-05
domain	bilaskf.com	—	2025-09-05
domain	bioakw.com	—	2025-09-05
domain	bioomx.com	—	2025-09-05
domain	biosefjk.com	—	2025-09-05
domain	bkkil.com	—	2025-09-05
domain	bliokdf.com	—	2025-09-05
domain	boiksal.com	—	2025-09-05
domain	programsbookss.com	—	2025-09-05
domain	tdbfvgwe456yt.com	—	2025-09-05
FileHash-SHA1	7f3ad607b3701d2c4cfdad04269f0d5e390ab5c2	—	2025-09-05
FileHash-SHA1	9868b16a166cba78cfb604c04b0b4287bebaed26	—	2025-09-05
FileHash-SHA1	a89d26131172c095f31830ff2e26372bced81dde	—	2025-09-05
hostname	exclusionandautorun.payloadexecutor.run	—	2025-09-05

References (1)

↗ https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2