PULSE NAME
IOC - From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
WHITE | celestre | Created: 2025-09-30 | Modified: 2025-10-30
47 IOCs | MEDIUM VOLUME
The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file had previously been reported by EclecticIQ as associated with the Lunar Spider initial access group. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of an MSI package, which deployed a Brute Ratel DLL file using rundll32.
Indicators of Compromise (10 / 47 total)
TYPE          | INDICATOR                         | DESCRIPTION                                      | CREATED
FileHash-MD5  | 495363b0262b62dfc38d7bfb7b5541aa  |                                                  | 2025-09-30
FileHash-MD5  | 4b3e9c9e018659d1cf04daf82abe3b64  |                                                  | 2025-09-30
FileHash-MD5  | 50abc42faa70062e20cd5e2a2e2b6633  |                                                  | 2025-09-30
FileHash-MD5  | 91889658f1c8e1462f06f019b842f109  | MD5 of 33a6b39fbe8ec45afab14af88fd6fa8e96885bf1 | 2025-09-30
FileHash-MD5  | 9eaa8464110883a15115b68ffa1ecf7d  |                                                  | 2025-09-30
FileHash-MD5  | a2b6479a69b51ae555f695b243e4fda1  |                                                  | 2025-09-30
FileHash-MD5  | ad3c52316e0059c66bc1dd680cf9edad  |                                                  | 2025-09-30
FileHash-MD5  | c8ea31665553cbca19b22863eea6ca2c  |                                                  | 2025-09-30
FileHash-MD5  | ccb6d3cb020f56758622911ddd2f1fcb  |                                                  | 2025-09-30
FileHash-MD5  | d7bd590b6c660716277383aa23cb0aa9  |                                                  | 2025-09-30