From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
TLP: WHITE | Author: PetrP.73 | Created: 2025-09-30 | Modified: 2025-10-30 | Indicators: 73
In May 2024, an intrusion attributed to the Lunar Spider threat actor began when a user executed a malicious JavaScript file disguised as a tax form. The file contained obfuscated code that downloaded an MSI installer, which in turn deployed a Brute Ratel DLL executed through the Windows utility rundll32. Once running, the Brute Ratel loader injected Latrodectus malware into the explorer.exe process and established command and control (C2) communications with multiple domains. Hands-on activity started roughly one hour after initial access with extensive reconnaissance, using built-in Windows commands to enumerate hosts and domains. The actor then established a BackConnect session for remote access via VNC and accessed an unattend.xml file to extract plaintext domain administrator credentials.
Indicators of Compromise (73)
TYPE INDICATOR DESCRIPTION CREATED
CVE CVE-2020-1472 2025-09-30
FileHash-MD5 495363b0262b62dfc38d7bfb7b5541aa 2025-09-30
FileHash-MD5 4b3e9c9e018659d1cf04daf82abe3b64 2025-09-30
FileHash-MD5 50abc42faa70062e20cd5e2a2e2b6633 2025-09-30
FileHash-MD5 91889658f1c8e1462f06f019b842f109 MD5 of 33a6b39fbe8ec45afab14af88fd6fa8e96885bf1 2025-09-30
FileHash-MD5 9eaa8464110883a15115b68ffa1ecf7d MD5 of 5348970723b378c7cae35bb03d8736f8e5a9f0ac 2025-09-30
FileHash-MD5 a2b6479a69b51ae555f695b243e4fda1 2025-09-30
FileHash-MD5 ad3c52316e0059c66bc1dd680cf9edad 2025-09-30
FileHash-MD5 c8ea31665553cbca19b22863eea6ca2c 2025-09-30
FileHash-MD5 ccb6d3cb020f56758622911ddd2f1fcb MD5 of 4a013f752c2bf84ca37e418175e0d9b6f61f636d 2025-09-30
FileHash-MD5 d7bd590b6c660716277383aa23cb0aa9 2025-09-30
FileHash-SHA1 23fff588e3e5cc6678e1f77fab9318d60f3ac55f 2025-09-30
FileHash-SHA1 2d92890374904b49d3c54314d02b952e1a714e99 2025-09-30
FileHash-SHA1 333e1c5967a9a6c881c9573a3222bed6ada911c6 2025-09-30
FileHash-SHA1 33a6b39fbe8ec45afab14af88fd6fa8e96885bf1 2025-09-30
FileHash-SHA1 38999890b3a2c743e0abea1122649082a5fa1281 2025-09-30
FileHash-SHA1 4a013f752c2bf84ca37e418175e0d9b6f61f636d 2025-09-30
FileHash-SHA1 5348970723b378c7cae35bb03d8736f8e5a9f0ac 2025-09-30
FileHash-SHA1 8dfa63c0bb611e18c8331ed5b89decf433ac394a 2025-09-30
FileHash-SHA1 97d72c8bbcf367be6bd5e80021e3bd3232ac309a 2025-09-30
FileHash-SHA1 ba99cd73b74c64d6b1257b7db99814d1dc7d76b1 2025-09-30
FileHash-SHA256 100e03eb4e9dcdab6e06b2b26f800d47a21d338885f5dc1b42c56a32429c9168 2025-09-30
FileHash-SHA256 1a8ebf914ebea34402eecbf0985f05ae413663708d2fcc842fc27057ac5ec4ed 2025-09-30
FileHash-SHA256 203eda879dbdb128259cd658b22c9c21c66cbcfa1e2f39879c73b4dafb84c592 2025-09-30
FileHash-SHA256 36bc32becf287402bf0e9c918de22d886a74c501a33aa08dcb9be2f222fa6e24 SHA256 of 33a6b39fbe8ec45afab14af88fd6fa8e96885bf1 2025-09-30
FileHash-SHA256 37471af00673af4080ee21bd248536147e450d2eff45e8701a95d1163a9d62fe SHA256 of 5348970723b378c7cae35bb03d8736f8e5a9f0ac 2025-09-30
FileHash-SHA256 411dfb067a984a244ff0c41887d4a09fbbcd8d562550f5d32d58a6a6256bd7b2 2025-09-30
FileHash-SHA256 6c3b2490e99cd8397fb79d84a5638c1a0c4edb516a4b0047aa70b5811483db8f 2025-09-30
FileHash-SHA256 77eede38abdc740f000596e374b6842902653aeafb6c63011388ebb22ec13e28 2025-09-30
FileHash-SHA256 8fb5034aedf41f8c8c4c4022fdde7db3c70a5a7c7b5b4dec7f6a57715c18a5bf 2025-09-30
FileHash-SHA256 f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de SHA256 of 4a013f752c2bf84ca37e418175e0d9b6f61f636d 2025-09-30
URL http://206.206.123.209:443 2025-09-30
URL http://45.129.199.214/vodeo/wg01ck01 2025-09-30
URL http://45.129.199.214/vodeo/wg01ck01. 2025-09-30
URL http://91.194.11.64/MSI.msi ead5ebf464c313176174ff0fdc3360a3477f6361d0947221d31287eeb04691b3 2025-09-30
URL http://94.232.249.186/vodeo/vid_wg01ck01 2025-09-30
URL http://94.232.249.186/vodeo/wg01ck01 2025-09-30
URL http://94.232.40.49/vodeo/wg01ck01 2025-09-30
URL http://filomeruginfor.com/christian/house/cwk01 2025-09-30
URL http://filomeruginfor.com/deolefor/wg01ck01m 2025-09-30
URL http://grasmertal.com/live/ 2025-09-30
URL http://resources.avtechupdate.com/samlss/vm.ico. 2025-09-30
URL http://techbulldigital.com/Apply/readme/VJICARU60DC?_WHBEXNIA=HNMIIIANEMPMLIDFEOPKLBDOEMPI 2025-09-30
URL http://techbulldigital.com/List/com2/9O29EO3IRSBB 2025-09-30
URL http://wehelpgood.xyz/Complete/v9.56/KT84GVGD135E 2025-09-30
URL http://wehelpgood.xyz/derive/n/nzoqjd9mme 2025-09-30
URL https://cloudmeri.com/comm.php 2025-09-30
URL https://illoskanawer.com/live/ 2025-09-30
URL https://workspacin.cloud/live/ 25fb23868ebf48348f9e438e00cb9b9d9b3a054f32482a781c762cc4f9cc6393 2025-09-30
domain altynbe.com 2025-09-30
domain anikvan.com 2025-09-30
domain avtechupdate.com 2025-09-30
domain boriz400.com 2025-09-30
domain cloudmeri.com 2025-09-30
domain dauled.com 2025-09-30
domain detection.fyi 2025-09-30
domain erbolsan.com 2025-09-30
domain filomeruginfor.com 2025-09-30
domain grasmertal.com 2025-09-30
domain grasmetral.com 2025-09-30
domain illoskanawer.com 2025-09-30
domain jarkaairbo.com 2025-09-30
domain kasym500.com 2025-09-30
domain kasymdev.com 2025-09-30
domain samderat200.com 2025-09-30
domain scupolasta.store 2025-09-30
domain sigmasearchengine.com 2025-09-30
domain techbulldigital.com 2025-09-30
domain wehelpgood.xyz 2025-09-30
domain workspacin.cloud 2025-09-30
hostname resources.avtechupdate.com 2025-09-30
hostname ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io 2025-09-30
hostname uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io 2025-09-30