Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke
TLP: WHITE | Tag: CozyDuke | Author: AlienVault | Created: 2026-04-13 | Modified: 2026-04-13
44 IOCs, medium volume
A new campaign attributed to the CozyDuke threat actors has been identified, using malware called MiniDionis that appears to be related to Seaduke. The campaign began on July 7, 2015, targeting government organizations and think-tanks in democratic countries through spear-phishing emails containing malicious links or attachments. The attack chain relies on multi-stage droppers that display decoy media files while executing the malicious payload in the background. MiniDionis uses compromised legitimate websites for command and control, stores its configuration as JSON, and communicates over HTTPS with RC4 and AES encryption. The malware supports a comprehensive set of commands for system reconnaissance, file operations, and remote execution. The attackers also demonstrate sophisticated tradecraft, including manual handling of HTTP redirects and cleanup routines intended to hinder forensic analysis.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
CloudDuke (S0054): MiniDionis, CloudLook
CozyCar (S0046): CozyDuke, CozyBear, Cozer, EuroAPT
SeaDuke (S0053): SeaDaddy, SeaDesk, Forkmeimfamous
Indicators of Compromise (44)