From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
Author: celestre | TLP: WHITE | Created: 2025-09-30 | Modified: 2025-10-30
The intrusion took place in May 2024, when a user executed a malicious JavaScript file. EclecticIQ had previously reported this JavaScript file as associated with the Lunar Spider initial access group. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of an MSI package, which deployed a Brute Ratel DLL that was executed via rundll32.
Indicators of Compromise (47)