Pulse Detail — Threat Intelligence

PULSE NAME

IOC - 摩诃草（APT-Q-36）利用 WebSocket 的新木马 StreamSpy 分析

WHITE celestre 2025-12-03 Modified: 2025-12-03

IOCs

MEDIUM VOLUME

摩诃草，又名 Patchwork、白象、Hangover、Dropping Elephant 等，奇安信内部跟踪编号 APT-Q-36。该组织被普遍认为具有南亚地区背景，其最早攻击活动可追溯到 2009 年 11 月，已持续活跃 10 余年。该组织主要针对亚洲地区的国家进行网络间谍活动，攻击目标包括政府、军事、电力、工业、科研教育、外交和经济等领域的组织机构。

streamspy spyder

Indicators of Compromise (6 / 45 total)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	331e7af55dc9e985a7918926b308ca3c24b1c47257c187de6481354c96f95b1e	SHA256 of df626ce2ad3d3dea415984a9d3839373	2025-12-03
FileHash-SHA256	3a4f47c60edf1e00adb3ca60a7643062657fe2c6dd85ace9dfd8fdec47078d4e	SHA256 of f78fd7e4d92743ef6026de98291e8dee	2025-12-03
FileHash-SHA256	6c4c388acbd9790526cc7e8c567e430540436da94c6febe0766a1bdc39016da7	SHA256 of 838e4d85346001dd04e11359b04c7c24	2025-12-03
FileHash-SHA256	9e4ba7cb08868ec0f88e6f3cd6e95c8e377f4f821860380d7ff2ea61347c2d0b	SHA256 of 0fe90212062957a529cba3938613c4da	2025-12-03
FileHash-SHA256	dbe909b6c6c03b4000d96de1f4b1bdd10eef8ef34876a648a00cd5ee7117bd31	SHA256 of 1c335be51fc637b50d41533f3bef2251	2025-12-03
FileHash-SHA256	dc297aded70b0692ad0a24509e7bbec210bc0a1c7a105e99e1a8f76e3861ad34	SHA256 of 20c9ac59c444625a7ee364b410da8f11	2025-12-03

References (1)

↗ https://www.ctfiot.com/284804.html