Attack Activity Analysis Using SSH+TOR Tunnels for Covert Persistence
TLP: WHITE | Adversary: APT-C-13 | Author: AlienVault | Created: 2026-04-28 | Modified: 2026-04-29
IOCs: 38 (medium volume)
APT-C-13 (Sandworm), also tracked as FROZENBARENTS, is a state-sponsored advanced persistent threat group that conducts cyber espionage worldwide against government agencies, diplomatic departments, energy companies and research organizations. Recently detected samples show the group nesting SSH inside Tor to build covert communication channels. The intrusion begins with spear-phishing emails delivering malicious LNK files disguised as PDF documents. On execution, the payload stands up Tor hidden services that publish internal ports (SMB/445, RDP/3389) as .onion addresses (the six .onion domains listed below), while an SSH service configured for public-key authentication provides encrypted remote access over those channels. Tor traffic is wrapped in the obfs4 pluggable transport, which obfuscates it against deep packet inspection. Persistence is achieved through scheduled tasks named after legitimate applications such as Opera GX and Dropbox, giving the operators an anonymous shadow management infrastructure for sustained intelligence collection.
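The hunt script below is an added example, not code from the pulse or from the samples it references. It demonstrates the two host-side checks a responder would run for this tradecraft: parsing a torrc for hidden services that publish SMB, RDP or SSH and for obfs4 transport or bridge lines, and reviewing scheduled-task records for names that masquerade as Opera GX or Dropbox while launching a Tor or SSH binary. The torrc directive names (HiddenServiceDir, HiddenServicePort, UseBridges, ClientTransportPlugin, Bridge) are Tor's own; every file path, task entry, bridge address and the port and binary lists are constructed assumptions for illustration.

```python
# Added hunt example (not code from the pulse). torrc directive names follow
# Tor's configuration format; all paths, task names and bridge data below are
# constructed to mirror the tradecraft the pulse describes.
from __future__ import annotations
import re
from dataclasses import dataclass

# Services an attacker-published hidden service would expose (assumed list).
SENSITIVE_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM"}
# Binaries that make a "Dropbox"/"Opera GX" task suspicious (assumed list).
TUNNEL_BINARIES = {"tor.exe", "ssh.exe", "sshd.exe", "obfs4proxy.exe", "lyrebird.exe"}
MASQUERADE_NAMES = ("opera gx", "dropbox")

# Constructed torrc: hidden services for SMB, RDP and SSH plus an obfs4 bridge.
# The SSH entry uses the bare-port form, which Tor maps to 127.0.0.1:<port>.
SAMPLE_TORRC = r"""
HiddenServiceDir C:\Users\Public\Libraries\hs_smb
HiddenServicePort 445 127.0.0.1:445
HiddenServiceDir C:\Users\Public\Libraries\hs_rdp
HiddenServicePort 3389 127.0.0.1:3389
HiddenServiceDir C:\Users\Public\Libraries\hs_ssh
HiddenServicePort 22
UseBridges 1
ClientTransportPlugin obfs4 exec C:\Users\Public\Libraries\lyrebird.exe
Bridge obfs4 203.0.113.10:443 0000000000000000000000000000000000000000 cert=constructed iat-mode=0
"""


@dataclass
class Finding:
    kind: str
    detail: str


@dataclass
class ScheduledTask:
    name: str          # task name as shown in Task Scheduler
    command: str       # action executable
    arguments: str = ""


SAMPLE_TASKS = [  # constructed records, not real task data
    ScheduledTask("Opera GX Browser Assistant", r"C:\Users\Public\Libraries\tor.exe",
                  r"-f C:\Users\Public\Libraries\torrc"),
    ScheduledTask("DropboxUpdateTaskMachineCore", r"C:\Users\Public\Libraries\sshd.exe",
                  r"-f C:\Users\Public\Libraries\sshd_config"),
    ScheduledTask("DropboxUpdateTaskMachineCore",
                  r"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe", "/c"),
    ScheduledTask("OneDrive Standalone Update Task",
                  r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
]


def _target(spec: str, virtport: int) -> tuple[str, int]:
    """HiddenServicePort target may be 'addr:port', a bare 'port', or absent."""
    if not spec:
        return "127.0.0.1", virtport
    host, _, port = spec.rpartition(":")
    return (host or "127.0.0.1"), int(port)


def scan_torrc(text: str) -> list[Finding]:
    """Flag hidden services that publish sensitive ports and obfs4 usage."""
    findings: list[Finding] = []
    hs_dir = "<no HiddenServiceDir>"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "hiddenservicedir":
            hs_dir = value
        elif key == "hiddenserviceport":
            parts = value.split()
            virt = int(parts[0])
            host, port = _target(parts[1] if len(parts) > 1 else "", virt)
            hit = next((p for p in (port, virt) if p in SENSITIVE_PORTS), None)
            if hit is not None:
                findings.append(Finding("hidden-service-exposure",
                                        f"{SENSITIVE_PORTS[hit]} {host}:{port} published via {hs_dir}"))
        elif key == "clienttransportplugin" and value.lower().startswith("obfs4"):
            findings.append(Finding("obfs4-transport", value))
        elif key == "bridge" and value.lower().startswith("obfs4 "):
            findings.append(Finding("obfs4-bridge", value.split()[1]))
    return findings


def scan_tasks(tasks: list[ScheduledTask]) -> list[Finding]:
    """Flag tasks named after Opera GX/Dropbox that actually start a tunnel."""
    findings: list[Finding] = []
    for t in tasks:
        exe = re.split(r"[\\/]", t.command.strip('"'))[-1].lower()
        masquerading = any(m in t.name.lower() for m in MASQUERADE_NAMES)
        runs_tunnel = exe in TUNNEL_BINARIES or bool(
            re.search(r"(?i)(^|\s)-f\s+\S*torrc\b", t.arguments))
        if masquerading and runs_tunnel:
            findings.append(Finding("masquerading-task",
                                    f"{t.name!r} -> {t.command} {t.arguments}".rstrip()))
    return findings


def main() -> None:
    for f in scan_torrc(SAMPLE_TORRC) + scan_tasks(SAMPLE_TASKS):
        print(f"[{f.kind}] {f.detail}")


if __name__ == "__main__":
    main()
```

In practice, feed scan_torrc the torrc files recovered from disk (or from the `-f` argument of any running tor process) and build ScheduledTask records from `schtasks /query /fo CSV /v` or `Get-ScheduledTask`; the third sample task shows why the name alone is not enough, since the genuine Dropbox updater also carries a Dropbox-themed task name and is only cleared by checking what the action actually runs.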
Indicators of Compromise (38)
TYPE  INDICATOR  DESCRIPTION  CREATED
FileHash-MD5 09f402a02b615dcd14786aaa840db0a2 2026-04-28
FileHash-MD5 0b6f7356919b9632c1158681ee0462f3 2026-04-28
FileHash-MD5 1b39fce74193dd2cd5c36b2f8b626273 2026-04-28
FileHash-MD5 2156c270ffe8e4b23b67efed191b9737 2026-04-28
FileHash-MD5 227b3fa386cad73f0f388d801060e2c8 2026-04-28
FileHash-MD5 487557c9b7288a6b035911a7652ad57c 2026-04-28
FileHash-MD5 4d5074d6e0722ceec45a083fa8444164 2026-04-28
FileHash-MD5 53ac08488544ad1fefd6363db44549cf 2026-04-28
FileHash-MD5 5db8e71b8e82661408f96b43e7ae8faf 2026-04-28
FileHash-MD5 6616717dfb2a795113b47d862c5412e2 2026-04-28
FileHash-MD5 99732e49668e56527963742922277459 2026-04-28
FileHash-MD5 a6d095dc0e01f97db7e74cb5bed402dc 2026-04-28
FileHash-SHA1 3dd268fb969eaeb5d9068e185a9e33d5e25073cd 2026-04-28
FileHash-SHA1 7b50320a005cf68e5c17d51a8fd8422ceef1611a 2026-04-28
FileHash-SHA1 7e6b6b6ebd64d458a3ee0ce58bce0ddbbc0bb5e9 2026-04-28
FileHash-SHA1 8e49c3ee98fc722c77b3b37e3abafb3581369b6e 2026-04-28
FileHash-SHA1 940658590d938380b71fd5055635c02564a63ef1 2026-04-28
FileHash-SHA1 975d8bdfec6b58ae9004d526fa9f852108026a9c 2026-04-28
FileHash-SHA1 aaba9f60d81467c27c82f5c6d6cb6accd6890fc4 2026-04-28
FileHash-SHA1 aba35de9e819396f89f34c03058ebe71a7f98b6b 2026-04-28
FileHash-SHA1 c22150121a13713b395a155af5d55680dde56ac1 2026-04-28
FileHash-SHA1 d2106fa68e2e6416914855bb4898969365441685 2026-04-28
FileHash-SHA256 0a78005858bef767b39cfbbeb543a80dfde46807ee75594de77d3ddfe119e8b5 2026-04-28
FileHash-SHA256 111e42c31f8e4ae3764f339d7ad04b20bb21be5d97ede13aaa7c73e72cb7549d 2026-04-28
FileHash-SHA256 1fbdb99357ace6d6db830c63850a6e8a4ea3607776c4668feb135f3ff0d95151 2026-04-28
FileHash-SHA256 2a9b971c835e2ee5f190d068c602601fdaf718d8bfe085c2032d59a6f25ed082 2026-04-28
FileHash-SHA256 42910bf2aa4ac9d62e2b32e6fadc42f11bd7215fee492ecf72cfd6238965d066 2026-04-28
FileHash-SHA256 54148383c8a8a5e51cf4892702f14176110beccd377af75cb184805b6a20986b 2026-04-28
FileHash-SHA256 63297928883b0dc4e0735963dbcb2b2fa0c1e131af6d486f882070a6eb7e339a 2026-04-28
FileHash-SHA256 6df9cb909b321c24656b218a06dad56bb7916d8ce7de2342321f648af0124e56 2026-04-28
FileHash-SHA256 a79b5162f9a49df3db4f001325938b9dc7bdc471b71108ed178350c89252e3a5 2026-04-28
FileHash-SHA256 bbcdb82918f0decb1d6e20c90e872175cf278006948c5995ffd88033f56a1b71 2026-04-28
domain 2zrek3mkl72d5b6evpkx2rz2glzrltiorgblpfb2ttg6lacwlsdk4iqd.onion 2026-04-28
domain 3xl6xhboulyuez6fuydyhj7pdvkshzn4ogsmgwbb3ukrkvgi6bcwvfyd.onion 2026-04-28
domain e3mnde5uyuxjoztup6t3m7nykbicexbzra76ucligwgsaez65w63y2ad.onion 2026-04-28
domain imnlyhj4mtmtesqrvf7c4ma6dkxeyxw3ae53w6fuz42spndg7zpat6qd.onion 2026-04-28
domain kvk46su7d2qi6g4n43syp4zbsf2rihnc6ztj77qtc2ojvewjqvqilnqd.onion 2026-04-28
domain nytiplwknkinobjaeb5tajjiglip3vtaccju6ta7d47u5u64ktrwhrqd.onion 2026-04-28