PULSE NAME
SEO Poisoning Attack Abuses Microsoft Signed Binary for RMM Tool Installation
WHITE cryptocti 2026-04-19 Modified: 2026-04-19
LOW VOLUME
An SEO poisoning campaign has been discovered impersonating TestDisk, a legitimate open source data recovery tool. It silently installs the ScreenConnect remote monitoring and management client to gain command execution, file transfer and lateral movement in the network.
Indicators of Compromise (7)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-SHA256 1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5 2026-04-19
FileHash-SHA256 964843d2ac9fe0a7a7f568afd29dd712e8b2b44d6ac426d961ead5416d6f1999 2026-04-19
URL http://www.testdisk.dev/download.html 2026-04-19
domain directdownload.icu 2026-04-19
domain testdisk.dev 2026-04-19
hostname direct-download.gleeze.com 2026-04-19
hostname www.testdisk.dev 2026-04-19