Analysis of StreamSpy, a new WebSocket-based Trojan used by Mahabusa (APT-Q-36)
TLP: WHITE   Author: PetrP.73   Created: 2025-12-03   Modified: 2025-12-03
This pulse covers StreamSpy, a Trojan attributed to the Mahabusa group (APT-Q-36). The group has been active for more than a decade and focuses on cyber espionage against government, military, energy, industrial, research, education, diplomatic and economic organizations in Asia. The notable change in StreamSpy is its command and control (C2) channel: instead of polling an HTTP endpoint, the implant opens a WebSocket connection to the C2 server and keeps it open, giving the operator a persistent, bidirectional channel for issuing commands and pulling data in near real time. For a defender the trade-off is specific. The connection begins as an ordinary HTTP GET carrying an "Upgrade: websocket" header, so the handshake itself is visible to any proxy or IDS that logs HTTP headers; but once the server answers "101 Switching Protocols", the connection turns into an opaque, long-lived byte stream that request/response-oriented inspection no longer parses, and a single established connection can carry an entire session of tasking and exfiltration without the periodic beaconing that HTTP-polling implants produce. Over TLS even the handshake is hidden, leaving only DNS and SNI observable. The infrastructure listed below reinforces the blend-in strategy: the C2 domains impersonate Adobe, Azure, Dropbox and Firebase services, and the WebSocket endpoints sit under innocuous-looking paths such as /analytics/stream, /insights/stream and /metrics/stream.
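The handshake-then-opaque-stream behaviour described above is what a network detection has to key on. The following is an added example, not code from Qi Anxin or from the StreamSpy sample: it parses captured HTTP request/response pairs, recognises a WebSocket Upgrade, verifies that the server actually completed it per RFC 6455 (status 101 with a correct Sec-WebSocket-Accept), and scores each exchange against the C2 domains listed in this pulse. The traffic samples are constructed; the key/accept pair is the worked example from RFC 6455; the names classify_exchange, triage and IOC_DOMAINS are chosen here and are not from the report.

```python
"""WebSocket-C2 triage over captured HTTP request/response pairs.

Added example for this pulse (not Qi Anxin's or StreamSpy's code). It keys on
the Upgrade handshake, checks whether the server really completed it, and
matches the peer against the pulse's IOC domains. Samples are constructed.
"""
import base64
import hashlib

# C2 domains taken from the indicator list in this pulse.
IOC_DOMAINS = {
    "adobefileshare.com", "azureinternalupdates.com", "brityservice.info",
    "firebasescloudemail.com", "mydropboxbackup.com", "scrollzshare.info",
    "virtualworldsapinner.com",
}

# RFC 6455 section 4.2.2: a compliant server proves it understood the upgrade
# by returning base64(SHA-1(Sec-WebSocket-Key + this fixed GUID)).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(sec_websocket_key: str) -> str:
    """Compute the Sec-WebSocket-Accept value the server must send back."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_http_head(raw: str):
    """Split an HTTP message into its start line and a lower-cased header dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def registrable_domain(host: str) -> str:
    """Drop port and subdomains; sufficient for the two-label IOC domains above."""
    labels = host.split(":")[0].lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_exchange(request_raw: str, response_raw: str) -> dict:
    """Describe one request/response pair in terms a detection rule can use."""
    request_line, req = parse_http_head(request_raw)
    status_line, resp = parse_http_head(response_raw)
    method, path, _ = request_line.split(" ", 2)
    host = req.get("host", "")
    status = int(status_line.split(" ")[1])

    upgrade_requested = (
        method == "GET"
        and req.get("upgrade", "").lower() == "websocket"
        and "upgrade" in req.get("connection", "").lower()
        and "sec-websocket-key" in req
    )
    # Count the channel as established only if the server switched protocols
    # with the right accept token; a 200/404 to an Upgrade is a failed probe.
    upgrade_completed = (
        upgrade_requested
        and status == 101
        and resp.get("sec-websocket-accept") == expected_accept(req["sec-websocket-key"])
    )
    return {
        "host": host,
        "path": path,
        "upgrade_requested": upgrade_requested,
        "upgrade_completed": upgrade_completed,
        "ioc_match": registrable_domain(host) in IOC_DOMAINS,
    }


def triage(exchanges) -> list:
    """Return (severity, host, path) for the exchanges worth an analyst's time."""
    findings = []
    for request_raw, response_raw in exchanges:
        c = classify_exchange(request_raw, response_raw)
        if c["ioc_match"] and c["upgrade_completed"]:
            findings.append(("critical", c["host"], c["path"]))  # live C2 stream
        elif c["ioc_match"]:
            findings.append(("high", c["host"], c["path"]))      # plain HTTP to known C2
        elif c["upgrade_completed"]:
            findings.append(("review", c["host"], c["path"]))    # unknown WebSocket peer
    return findings


# Constructed sample traffic (not captured from StreamSpy). The key/accept
# pair is the worked example in RFC 6455 section 1.3.
WS_REQUEST = (
    "GET /insights/stream HTTP/1.1\r\n"
    "Host: www.virtualworldsapinner.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)
WS_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
PLAIN_REQUEST = "GET /getData HTTP/1.1\r\nHost: adobefileshare.com\r\n\r\n"
PLAIN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n12345"
BENIGN_WS_REQUEST = WS_REQUEST.replace("www.virtualworldsapinner.com", "chat.example.net")

SAMPLE_EXCHANGES = [
    (WS_REQUEST, WS_RESPONSE),
    (PLAIN_REQUEST, PLAIN_RESPONSE),
    (BENIGN_WS_REQUEST, WS_RESPONSE),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXCHANGES):
        print(*finding)
```

This only works where the handshake is visible, that is on cleartext HTTP or behind a TLS-intercepting proxy; for the https:// indicators in the list, match DNS queries and TLS SNI against the same domains instead. The "review" tier is deliberately low-noise: legitimate WebSocket use (chat, push notifications, dashboards) is common, so allowlist known peers and watch connection lifetime and byte counts rather than alerting on every upgrade.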
Indicators of Compromise (60)
TYPE   INDICATOR   DESCRIPTION   CREATED
CVE CVE-2025-6218 WinRAR archive path traversal (fixed in WinRAR 7.12) 2025-12-03
FileHash-MD5 0fe90212062957a529cba3938613c4da 2025-12-03
FileHash-MD5 1c335be51fc637b50d41533f3bef2251 2025-12-03
FileHash-MD5 20c9ac59c444625a7ee364b410da8f11 2025-12-03
FileHash-MD5 838e4d85346001dd04e11359b04c7c24 2025-12-03
FileHash-MD5 c3c277cca23f3753721435da80cad1ea 2025-12-03
FileHash-MD5 df626ce2ad3d3dea415984a9d3839373 2025-12-03
FileHash-MD5 e0ac399cff3069104623cc38395bd946 2025-12-03
FileHash-MD5 e4a7a85feff6364772cf1d12d8153a69 2025-12-03
FileHash-MD5 f78fd7e4d92743ef6026de98291e8dee 2025-12-03
FileHash-SHA1 02dd360d10d091b3985b0d21b559b15b834fd066 SHA1 of 20c9ac59c444625a7ee364b410da8f11 2025-12-03
FileHash-SHA1 0559c07b81a6816a816d461c6b2e292a9291f139 SHA1 of f78fd7e4d92743ef6026de98291e8dee 2025-12-03
FileHash-SHA1 19a62bc33fe23d27860bd7c5d5a4db4d7e40194b SHA1 of e0ac399cff3069104623cc38395bd946 2025-12-03
FileHash-SHA1 2f09d4bec51ae223b3e4b93313f3566dc93a84d9 SHA1 of 0fe90212062957a529cba3938613c4da 2025-12-03
FileHash-SHA1 357221ac9f603b0437c6ac54448a0ead4a27276e SHA1 of e4a7a85feff6364772cf1d12d8153a69 2025-12-03
FileHash-SHA1 3721f0e042ecddc713e8899a34b873c9950e0995 SHA1 of 838e4d85346001dd04e11359b04c7c24 2025-12-03
FileHash-SHA1 b8853c49d54b887e6abcd5f88566ccc85f324577 SHA1 of c3c277cca23f3753721435da80cad1ea 2025-12-03
FileHash-SHA1 bd924b5c3d21a93442e02c2934c2ee3b53bc113b SHA1 of df626ce2ad3d3dea415984a9d3839373 2025-12-03
FileHash-SHA1 ce414a048da1d518e5a14ad6568b748ba77353cd SHA1 of 1c335be51fc637b50d41533f3bef2251 2025-12-03
FileHash-SHA256 331e7af55dc9e985a7918926b308ca3c24b1c47257c187de6481354c96f95b1e SHA256 of df626ce2ad3d3dea415984a9d3839373 2025-12-03
FileHash-SHA256 3a4f47c60edf1e00adb3ca60a7643062657fe2c6dd85ace9dfd8fdec47078d4e SHA256 of f78fd7e4d92743ef6026de98291e8dee 2025-12-03
FileHash-SHA256 6c4c388acbd9790526cc7e8c567e430540436da94c6febe0766a1bdc39016da7 SHA256 of 838e4d85346001dd04e11359b04c7c24 2025-12-03
FileHash-SHA256 8ffdc7d783f87eab110921b33c74867a5eed7566d67d943f8d7deb5659d60c27 SHA256 of c3c277cca23f3753721435da80cad1ea 2025-12-03
FileHash-SHA256 9e4ba7cb08868ec0f88e6f3cd6e95c8e377f4f821860380d7ff2ea61347c2d0b SHA256 of 0fe90212062957a529cba3938613c4da 2025-12-03
FileHash-SHA256 a943b5b03b31604830766f41187f65dff2f18d9f7dcdb4241b375a5d95aaa043 SHA256 of e4a7a85feff6364772cf1d12d8153a69 2025-12-03
FileHash-SHA256 dbe909b6c6c03b4000d96de1f4b1bdd10eef8ef34876a648a00cd5ee7117bd31 SHA256 of 1c335be51fc637b50d41533f3bef2251 2025-12-03
FileHash-SHA256 dc297aded70b0692ad0a24509e7bbec210bc0a1c7a105e99e1a8f76e3861ad34 SHA256 of 20c9ac59c444625a7ee364b410da8f11 2025-12-03
FileHash-SHA256 f26e2121d99464ea58901675395c7afed303c590eaa36add3562d73da6499741 SHA256 of e0ac399cff3069104623cc38395bd946 2025-12-03
URL http://adobefileshare.com/download 2025-12-03
URL http://adobefileshare.com/getData The server response contains a numeric string (per the source report) 2025-12-03
URL http://adobefileshare.com/getfilename 2025-12-03
URL http://azureinternalupdates.com/download 2025-12-03
URL http://azureinternalupdates.com/getData 2025-12-03
URL http://azureinternalupdates.com/getfilename 2025-12-03
URL http://www.mydropboxbackup.com/analytics/stream 2025-12-03
URL http://www.virtualworldsapinner.com/insights/stream 2025-12-03
URL http://www.virtualworldsapinner.com/metrics/stream 2025-12-03
URL https://brityservice.info/ZxStpliGBsfdutMawer/lkhgBrPUyXbgIlErAStyilzsh/N1/SA 2025-12-03
URL https://brityservice.info/ZxStpliGBsfdutMawer/sIOklbgrTYULKcsdGBZxsfetmw 2025-12-03
URL https://firebasescloudemail.com/reports/OPS-VII-SIR.zip Source report fragment, truncated: "the archive contains two ..." 2025-12-03
URL https://scrollzshare.info/eeCetyUo8Tr 2025-12-03
URL https://ti.qianxin.com/blog/articles/analysis-of-new-variants-and-components-of-patchwork-spyder-downloader-cn/ Reference (Qi Anxin TI blog), not a malicious indicator 2025-12-03
URL https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activity-of-the-apt-q-38-using-pdf-document-decoys-cn/ Reference (Qi Anxin TI blog), not a malicious indicator 2025-12-03
URL https://ti.qianxin.com/blog/articles/patchwork-attack-weapons-reuse-the-infrastructure-of-the-donot-cn/ Reference (Qi Anxin TI blog), not a malicious indicator 2025-12-03
URL https://www.mydropboxbackup.com/analytics/ 2025-12-03
URL https://www.virtualworldsapinner.com/insights/ 2025-12-03
URL https://www.virtualworldsapinner.com/metrics/ 2025-12-03
domain adobefileshare.com 2025-12-03
domain azureinternalupdates.com 2025-12-03
domain brityservice.info 2025-12-03
domain firebasescloudemail.com 2025-12-03
domain mydropboxbackup.com 2025-12-03
domain scrollzshare.info 2025-12-03
hostname sandbox.ti.qianxin.com Reference host (Qi Anxin TI sandbox), not a malicious indicator 2025-12-03
hostname ti.qianxin.com Reference host (Qi Anxin TI portal), not a malicious indicator 2025-12-03
hostname www.mydropboxbackup.com 2025-12-03
hostname www.virtualworldsapinner.com 2025-12-03