Pulse Detail — Threat Intelligence

PULSE NAME

Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques

WHITE AustinBH 2025-10-27 Modified: 2025-11-26

IOCs

MEDIUM VOLUME

Researchers from the University of California, Berkeley, and the Institute of Advanced Technology (IAS) identify and track the spread of a malicious version of the Windows operating system, known as Agenda Ransomware.

MITRE ATT&CK & Malware Families

MALWARE FAMILIES

Deploys Linux Agenda

Indicators of Compromise (31)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	2149a070e76f4ccabd67228f754768dc	—	2025-10-27
FileHash-MD5	6bc8e3505d9f51368ddf323acb6abc49	MD5 of 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0	2025-10-27
FileHash-MD5	959ff112c2eb41ce8f7b24e38c9b4f94	—	2025-10-27
FileHash-MD5	a768244ca664349a6d1af84a712083c0	MD5 of e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c	2025-10-27
FileHash-MD5	b2398a81b5467f75f476a107027b3259	MD5 of 15e5bf0082fbb1036d39fc279293f0799f2ab5b2b0af47d9f3c3fdc4aa93de67	2025-10-27
FileHash-SHA1	13ca66d08c04e5be77582f5dd4ab6ca28563b6d9	SHA1 of 15e5bf0082fbb1036d39fc279293f0799f2ab5b2b0af47d9f3c3fdc4aa93de67	2025-10-27
FileHash-SHA1	39300863bcaad71e5d4efc9a1cae118440aa778f	SHA1 of e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c	2025-10-27
FileHash-SHA1	82ed942a52cdcf120a8919730e00ba37619661a3	SHA1 of 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0	2025-10-27
FileHash-SHA1	c150e4ab20d59affc62b916c2c90686f43040a9f	—	2025-10-27
FileHash-SHA256	15e5bf0082fbb1036d39fc279293f0799f2ab5b2b0af47d9f3c3fdc4aa93de67	—	2025-10-27
FileHash-SHA256	16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0	—	2025-10-27
FileHash-SHA256	331d136101b286c2f7198fd41e5018fcadef720ca0e74b282c1a44310a792e7f	—	2025-10-27
FileHash-SHA256	3dba9ba8e265faefce024960b69c1f472ab7a898e7c224145740f1886d97119f	—	2025-10-27
FileHash-SHA256	454e398869e189874c796133f68a837c9b7f2190b949a8222453884f84cf4a1b	—	2025-10-27
FileHash-SHA256	549a1ae688edfcb2e7a254ac3aded866b378b2e829f1bb8af42276b902f475e6	—	2025-10-27
FileHash-SHA256	5f0253f959d65c45a11b7436301ee5a851266614f811c753231d684eb5083782	—	2025-10-27
FileHash-SHA256	5fff877789223fa9810a365dfdeafe982c92f346ecd20e003319c3067becd8ba	—	2025-10-27
FileHash-SHA256	c0f7c2bb04aa09dae62f0e5feeb7c9c867685abc788ae6b0e6928ad7979dbcaf	—	2025-10-27
FileHash-SHA256	e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c	—	2025-10-27
FileHash-SHA256	e38d4140fce467bfd145a8f6299fc76b8851a62555b5c0f825b9a2200f85017c	—	2025-10-27
FileHash-SHA256	e46bde83b8a3a7492fc79c22b337950fc49843a42020c41c615b24579c0c3251	—	2025-10-27
FileHash-SHA256	f488861f8d3d013c3eef88983de8f5f37bb014ae13dc13007b26ebbd559e356e	—	2025-10-27
URL	http://104.164.55.7/231/means.d	—	2025-10-27
URL	http://185.141.216.127/tr.e	—	2025-10-27
URL	http://45.221.64.245/mot/	—	2025-10-27
URL	https://chatgptitalia.net/	—	2025-10-27
domain	chatgptitalia.net	—	2025-10-27
URL	https://pub-2149a070e76f4ccabd67228f754768dc.r2.dev/I-Google-Captcha-Continue-Latest-27-L-1.html	—	2025-10-27
URL	https://pub-959ff112c2eb41ce8f7b24e38c9b4f94.r2.dev/Google-Captcha-Continue-Latest-J-KL-3.html	—	2025-10-27
hostname	pub-2149a070e76f4ccabd67228f754768dc.r2.dev	—	2025-10-27
hostname	pub-959ff112c2eb41ce8f7b24e38c9b4f94.r2.dev	—	2025-10-27

References (2)

↗ https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/j/agenda-ransomware-deploys-linux-variant/agenda-ransomware-iocs.txt ↗ https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html