Pulse Detail — Threat Intelligence

PULSE NAME

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

WHITE Lunar Spider Tr1sa111 2025-10-02 Modified: 2025-10-29

IOCs

HIGH VOLUME

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1053.005 T1560.001 T1047 T1033 T1218.011 T1059.007 T1548.002 T1087.002 T1204.002 T1087.001 T1069.002 T1135 T1222.001 T1082 T1036 T1055 T1021.002 T1555.003 T1003.001 T1482 T1083 T1552.001 T1059.001 T1210 T1547.001 T1069.001 T1048 T1571 T1570 T1078.002 T1518.001 T1059.003 T1070.004 T1189 T1134 T1071.001 T1018 T1046 T1105 T1021.001 T1569.002 T1048.003

MALWARE FAMILIES

Latrodectus Brute Ratel C4 Cobalt Strike - S0154 BackConnect

Indicators of Compromise (71)

All FileHash-SHA256 FileHash-SHA1 CVE FileHash-MD5 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	203eda879dbdb128259cd658b22c9c21c66cbcfa1e2f39879c73b4dafb84c592	—	2025-10-02
FileHash-SHA256	6c3b2490e99cd8397fb79d84a5638c1a0c4edb516a4b0047aa70b5811483db8f	—	2025-10-02
FileHash-SHA256	7f04fffad5549592c3d2baaa9c893ba046e94f7c83c9b5be4cc2d507245c4d86	—	2025-10-02
FileHash-SHA256	f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de	—	2025-10-02
FileHash-SHA1	0a20ccc984e88d6e91a6153bb34ebf15e849919f	—	2025-10-02
FileHash-SHA1	4b5da21c31fb9cf37d854f420c98a23c9649b0f9	—	2025-10-02
FileHash-SHA1	8fbd5da88704c6422a8f96271c5dcb16f790cfa0	—	2025-10-02
CVE	CVE-2020-1472	—	2025-10-02
FileHash-MD5	495363b0262b62dfc38d7bfb7b5541aa	—	2025-10-02
FileHash-MD5	4b3e9c9e018659d1cf04daf82abe3b64	—	2025-10-02
FileHash-MD5	50abc42faa70062e20cd5e2a2e2b6633	—	2025-10-02
FileHash-MD5	91889658f1c8e1462f06f019b842f109	—	2025-10-02
FileHash-MD5	9eaa8464110883a15115b68ffa1ecf7d	—	2025-10-02
FileHash-MD5	a2b6479a69b51ae555f695b243e4fda1	—	2025-10-02
FileHash-MD5	ad3c52316e0059c66bc1dd680cf9edad	—	2025-10-02
FileHash-MD5	c8ea31665553cbca19b22863eea6ca2c	—	2025-10-02
FileHash-MD5	ccb6d3cb020f56758622911ddd2f1fcb	—	2025-10-02
FileHash-MD5	d7bd590b6c660716277383aa23cb0aa9	—	2025-10-02
FileHash-SHA1	23fff588e3e5cc6678e1f77fab9318d60f3ac55f	—	2025-10-02
FileHash-SHA1	2d92890374904b49d3c54314d02b952e1a714e99	—	2025-10-02
FileHash-SHA1	333e1c5967a9a6c881c9573a3222bed6ada911c6	—	2025-10-02
FileHash-SHA1	33a6b39fbe8ec45afab14af88fd6fa8e96885bf1	—	2025-10-02
FileHash-SHA1	38999890b3a2c743e0abea1122649082a5fa1281	—	2025-10-02
FileHash-SHA1	4a013f752c2bf84ca37e418175e0d9b6f61f636d	—	2025-10-02
FileHash-SHA1	5348970723b378c7cae35bb03d8736f8e5a9f0ac	—	2025-10-02
FileHash-SHA1	8dfa63c0bb611e18c8331ed5b89decf433ac394a	—	2025-10-02
FileHash-SHA1	97d72c8bbcf367be6bd5e80021e3bd3232ac309a	—	2025-10-02
FileHash-SHA1	ba99cd73b74c64d6b1257b7db99814d1dc7d76b1	—	2025-10-02
FileHash-SHA256	100e03eb4e9dcdab6e06b2b26f800d47a21d338885f5dc1b42c56a32429c9168	—	2025-10-02
FileHash-SHA256	1a8ebf914ebea34402eecbf0985f05ae413663708d2fcc842fc27057ac5ec4ed	—	2025-10-02
FileHash-SHA256	36bc32becf287402bf0e9c918de22d886a74c501a33aa08dcb9be2f222fa6e24	—	2025-10-02
FileHash-SHA256	37471af00673af4080ee21bd248536147e450d2eff45e8701a95d1163a9d62fe	—	2025-10-02
FileHash-SHA256	411dfb067a984a244ff0c41887d4a09fbbcd8d562550f5d32d58a6a6256bd7b2	—	2025-10-02
FileHash-SHA256	77eede38abdc740f000596e374b6842902653aeafb6c63011388ebb22ec13e28	—	2025-10-02
FileHash-SHA256	8fb5034aedf41f8c8c4c4022fdde7db3c70a5a7c7b5b4dec7f6a57715c18a5bf	—	2025-10-02
URL	http://45.129.199.214/vodeo/wg01ck01	—	2025-10-02
URL	http://45.129.199.214/vodeo/wg01ck01.	—	2025-10-02
URL	http://94.232.249.186/vodeo/vid_wg01ck01	—	2025-10-02
URL	http://94.232.249.186/vodeo/wg01ck01	—	2025-10-02
URL	http://94.232.40.49/vodeo/wg01ck01	—	2025-10-02
URL	http://filomeruginfor.com/christian/house/cwk01	—	2025-10-02
URL	http://filomeruginfor.com/deolefor/wg01ck01m	—	2025-10-02
URL	http://grasmertal.com/live/	—	2025-10-02
URL	http://resources.avtechupdate.com/samlss/vm.ico.	—	2025-10-02
URL	http://techbulldigital.com/Apply/readme/VJICARU60DC?_WHBEXNIA=HNMIIIANEMPMLIDFEOPKLBDOEMPI	—	2025-10-02
URL	http://techbulldigital.com/List/com2/9O29EO3IRSBB	—	2025-10-02
URL	http://wehelpgood.xyz/Complete/v9.56/KT84GVGD135E	—	2025-10-02
URL	http://wehelpgood.xyz/derive/n/nzoqjd9mme	—	2025-10-02
URL	https://cloudmeri.com/comm.php	—	2025-10-02
URL	https://illoskanawer.com/live/	—	2025-10-02
URL	https://workspacin.cloud/live/	—	2025-10-02
domain	altynbe.com	—	2025-10-02
domain	anikvan.com	—	2025-10-02
domain	avtechupdate.com	—	2025-10-02
domain	boriz400.com	—	2025-10-02
domain	cloudmeri.com	—	2025-10-02
domain	dauled.com	—	2025-10-02
domain	erbolsan.com	—	2025-10-02
domain	grasmertal.com	—	2025-10-02
domain	grasmetral.com	—	2025-10-02
domain	illoskanawer.com	—	2025-10-02
domain	jarkaairbo.com	—	2025-10-02
domain	kasym500.com	—	2025-10-02
domain	kasymdev.com	—	2025-10-02
domain	samderat200.com	—	2025-10-02
domain	scupolasta.store	—	2025-10-02
domain	wehelpgood.xyz	—	2025-10-02
domain	workspacin.cloud	—	2025-10-02
hostname	resources.avtechupdate.com	—	2025-10-02
hostname	ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io	—	2025-10-02
hostname	uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io	—	2025-10-02

References (1)

↗ https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/