IOC - Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs
WHITE celestre 2025-12-22 Modified: 2025-12-22
An XLL is a native Windows DLL that Excel loads as an add-in, which lets it execute arbitrary code through exported entry points such as xlAutoOpen. Threat actors have abused the .XLL add-in format since at least mid-2017; the earliest documented misuse is by the threat group APT10 (aka Stone Panda / Potassium), which used XLLs to deliver backdoor payloads.
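Because the loader behaviour above hinges on the export table, a useful triage check is to read a DLL's exports and flag the Excel add-in entry points. The following is an added example, not code from the pulse author: it parses the PE export directory with the standard library only, treats xlAutoOpen (named in the pulse) and xlAutoClose (another documented Excel SDK entry point, assumed here) as XLL markers, and builds a constructed minimal PE so it runs offline.

```python
import struct
XLL_ENTRY_EXPORTS = {"xlAutoOpen", "xlAutoClose"}  # Excel calls these when it loads an XLL add-in

def pe_export_names(data: bytes) -> list:
    """Return exported symbol names from raw PE file bytes (PE32 or PE32+); [] if not a PE or no exports."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else 0
    if data[pe:pe + 4] != b"PE\0\0":
        return []
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    exp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]  # data directory 0
    if exp_rva == 0:
        return []
    # Section table entries give (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) for RVA mapping.
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8) for i in range(nsec)]
    def to_off(rva):
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA %#x not in any section" % rva)
    exp = to_off(exp_rva)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]          # IMAGE_EXPORT_DIRECTORY.NumberOfNames
    names = to_off(struct.unpack_from("<I", data, exp + 32)[0])    # IMAGE_EXPORT_DIRECTORY.AddressOfNames
    out = []
    for i in range(n_names):
        off = to_off(struct.unpack_from("<I", data, names + 4 * i)[0])
        out.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return out

def xll_entry_points(data: bytes) -> list:
    """Sorted XLL entry-point exports found in the file; non-empty means Excel would run code from it as an add-in."""
    return sorted(set(pe_export_names(data)) & XLL_ENTRY_EXPORTS)

def build_fake_pe(names) -> bytes:
    """Constructed test input: a minimal PE32+ whose only section is an export table. Not a real add-in."""
    n, sec_rva, sec_raw = len(names), 0x1000, 0x200
    funcs, ptrs_rva, ords = sec_rva + 40, sec_rva + 40 + 4 * n, sec_rva + 40 + 8 * n
    strings, ptrs = b"", []
    for nm in names:
        ptrs.append(ords + 2 * n + len(strings))  # name strings start right after the ordinal table
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs, ptrs_rva, ords)
    body += b"\0" * (4 * n) + struct.pack("<%dI" % n, *ptrs) + struct.pack("<%dH" % n, *range(n)) + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # 1 section, 240-byte opt hdr
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0") + struct.pack("<II", sec_rva, len(body)) + b"\0" * 120
    sec = b".edata\0\0" + struct.pack("<IIII", len(body), sec_rva, len(body), sec_raw) + b"\0" * 16
    return (dos + coff + opt + sec).ljust(sec_raw, b"\0") + body
```

Running `xll_entry_points` over files collected from a mailbox or download directory surfaces add-ins regardless of their extension, since Excel keys on the exports rather than the filename.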
Indicators of Compromise (20)