{
  "type": "MD5",
  "indicator": "4c71357de3c0b12094693ca6eff94cad",
  "general": {
    "sections": [
      "general",
      "analysis"
    ],
    "type": "md5",
    "type_title": "FileHash-MD5",
    "indicator": "4c71357de3c0b12094693ca6eff94cad",
    "validation": [],
    "base_indicator": {
      "id": 4142040062,
      "indicator": "843f8aea7842126e906cadbad8d81fa456c184fb5372c6946978a4fe115edb1c",
      "type": "FileHash-SHA256",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "69f9f99c0dc1060430bf089e",
          "name": "UAT-8302 and its box full of malware",
          "description": "UAT-8302 is a sophisticated China-nexus advanced persistent threat group targeting government entities in South America since late 2024 and southeastern Europe in 2025. The actor deploys multiple custom-made malware families including NetDraft, a .NET-based backdoor variant of FinalDraft/SquidDoor, and CloudSorcerer version 3. Post-compromise activities involve extensive reconnaissance, credential extraction, information collection from Active Directory, and network proliferation using tools like Impacket. The group establishes persistence through scheduled tasks and deploys additional malware including VSHELL, SNAPPYBEE/DeedRAT, and ZingDoor. UAT-8302 demonstrates connections to several China-nexus threat clusters through shared tooling, including Draculoader and SNOWLIGHT stager. The actor uses legitimate services like MS Graph and OneDrive for command-and-control infrastructure and establishes backdoor access through proxy servers using tools written in Simplified Chinese.",
          "modified": "2026-05-05T15:55:09.079000",
          "created": "2026-05-05T14:07:24.061000",
          "tags": [
            "fringeporch",
            "netdraft",
            "draculoader",
            "snowrust",
            "snowlight",
            "zingdoor",
            "finaldraft",
            "nosydoor",
            "vshell",
            "deedrat",
            "cloudsorcerer",
            "squiddoor",
            "snappybee"
          ],
          "references": [
            "https://blog.talosintelligence.com/uat-8302/"
          ],
          "public": 1,
          "adversary": "UAT-8302",
          "targeted_countries": [
            "Japan",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "NetDraft",
              "display_name": "NetDraft",
              "target": null
            },
            {
              "id": "FringePorch",
              "display_name": "FringePorch",
              "target": null
            },
            {
              "id": "CloudSorcerer",
              "display_name": "CloudSorcerer",
              "target": null
            },
            {
              "id": "VSHELL",
              "display_name": "VSHELL",
              "target": null
            },
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            },
            {
              "id": "SNOWRUST",
              "display_name": "SNOWRUST",
              "target": null
            },
            {
              "id": "DeedRAT",
              "display_name": "DeedRAT",
              "target": null
            },
            {
              "id": "SNAPPYBEE",
              "display_name": "SNAPPYBEE",
              "target": null
            },
            {
              "id": "ZingDoor",
              "display_name": "ZingDoor",
              "target": null
            },
            {
              "id": "Draculoader",
              "display_name": "Draculoader",
              "target": null
            },
            {
              "id": "FinalDraft",
              "display_name": "FinalDraft",
              "target": null
            },
            {
              "id": "SquidDoor",
              "display_name": "SquidDoor",
              "target": null
            },
            {
              "id": "NosyDoor",
              "display_name": "NosyDoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1087.001",
              "name": "Local Account",
              "display_name": "T1087.001 - Local Account"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 8,
            "CVE": 3,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 20,
            "URL": 4,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386447,
          "modified_text": "25 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a02a0b3dd97f4bd74ca7622",
          "name": "IOC - UAT-8302 and its box full of malware",
          "description": "",
          "modified": "2026-05-12T03:38:27.036000",
          "created": "2026-05-12T03:38:27.036000",
          "tags": [
            "fringeporch",
            "netdraft",
            "draculoader",
            "snowrust",
            "snowlight",
            "zingdoor",
            "finaldraft",
            "nosydoor",
            "vshell",
            "deedrat",
            "cloudsorcerer",
            "squiddoor",
            "snappybee"
          ],
          "references": [
            "https://blog.talosintelligence.com/uat-8302/"
          ],
          "public": 1,
          "adversary": "UAT-8302",
          "targeted_countries": [
            "Japan",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "NetDraft",
              "display_name": "NetDraft",
              "target": null
            },
            {
              "id": "FringePorch",
              "display_name": "FringePorch",
              "target": null
            },
            {
              "id": "CloudSorcerer",
              "display_name": "CloudSorcerer",
              "target": null
            },
            {
              "id": "VSHELL",
              "display_name": "VSHELL",
              "target": null
            },
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            },
            {
              "id": "SNOWRUST",
              "display_name": "SNOWRUST",
              "target": null
            },
            {
              "id": "DeedRAT",
              "display_name": "DeedRAT",
              "target": null
            },
            {
              "id": "SNAPPYBEE",
              "display_name": "SNAPPYBEE",
              "target": null
            },
            {
              "id": "ZingDoor",
              "display_name": "ZingDoor",
              "target": null
            },
            {
              "id": "Draculoader",
              "display_name": "Draculoader",
              "target": null
            },
            {
              "id": "FinalDraft",
              "display_name": "FinalDraft",
              "target": null
            },
            {
              "id": "SquidDoor",
              "display_name": "SquidDoor",
              "target": null
            },
            {
              "id": "NosyDoor",
              "display_name": "NosyDoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1087.001",
              "name": "Local Account",
              "display_name": "T1087.001 - Local Account"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "69f9f99c0dc1060430bf089e",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 8,
            "CVE": 3,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 20,
            "URL": 4,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "18 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fc4cf52edcbd28c6d1ee10",
          "name": "sgwrfsdf",
          "description": "Photography: Kaspersky/Google.com/Kasperska.org/Naspersy/RKP.net, and a list of other sites on the web that users can check.",
          "modified": "2026-05-07T08:27:33.317000",
          "created": "2026-05-07T08:27:33.317000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "harshandc123",
            "id": "378589",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 7,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 12,
            "URL": 4,
            "domain": 2,
            "hostname": 3
          },
          "indicator_count": 52,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 16,
          "modified_text": "23 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fbad82234fc33123b0ce6d",
          "name": "EbeeMay2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-06T21:07:14.769000",
          "created": "2026-05-06T21:07:14.769000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "filepath",
            "localappdata",
            "cve20250994 cve",
            "temp",
            "mutex",
            "local"
          ],
          "references": [
            "IOCs-May1.csv"
          ],
          "public": 1,
          "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 80,
            "CIDR": 3,
            "CVE": 10,
            "FileHash-MD5": 154,
            "FileHash-SHA1": 140,
            "FileHash-SHA256": 219,
            "URL": 80,
            "domain": 82,
            "email": 8,
            "hostname": 60
          },
          "indicator_count": 836,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "23 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fb1d8245861e48f4ee9ad5",
          "name": "['UAT-8302 and its box full of malware'] clone credit AlienVault",
          "description": "",
          "modified": "2026-05-06T10:57:43.983000",
          "created": "2026-05-06T10:52:50.152000",
          "tags": [
            "fringeporch",
            "netdraft",
            "draculoader",
            "snowrust",
            "snowlight",
            "zingdoor",
            "finaldraft",
            "nosydoor",
            "vshell",
            "deedrat",
            "cloudsorcerer",
            "squiddoor",
            "snappybee"
          ],
          "references": [
            "https://blog.talosintelligence.com/uat-8302/"
          ],
          "public": 1,
          "adversary": "UAT-8302",
          "targeted_countries": [
            "Japan",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "NetDraft",
              "display_name": "NetDraft",
              "target": null
            },
            {
              "id": "FringePorch",
              "display_name": "FringePorch",
              "target": null
            },
            {
              "id": "CloudSorcerer",
              "display_name": "CloudSorcerer",
              "target": null
            },
            {
              "id": "VSHELL",
              "display_name": "VSHELL",
              "target": null
            },
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            },
            {
              "id": "SNOWRUST",
              "display_name": "SNOWRUST",
              "target": null
            },
            {
              "id": "DeedRAT",
              "display_name": "DeedRAT",
              "target": null
            },
            {
              "id": "SNAPPYBEE",
              "display_name": "SNAPPYBEE",
              "target": null
            },
            {
              "id": "ZingDoor",
              "display_name": "ZingDoor",
              "target": null
            },
            {
              "id": "Draculoader",
              "display_name": "Draculoader",
              "target": null
            },
            {
              "id": "FinalDraft",
              "display_name": "FinalDraft",
              "target": null
            },
            {
              "id": "SquidDoor",
              "display_name": "SquidDoor",
              "target": null
            },
            {
              "id": "NosyDoor",
              "display_name": "NosyDoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1087.001",
              "name": "Local Account",
              "display_name": "T1087.001 - Local Account"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "69f9f99c0dc1060430bf089e",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 11,
            "CVE": 3,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 20,
            "URL": 4,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 53,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "24 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fabb599b517da83fe7f1d9",
          "name": "UAT-8302 and its box full of malware",
          "description": "",
          "modified": "2026-05-06T03:54:01.190000",
          "created": "2026-05-06T03:54:01.190000",
          "tags": [
            "fringeporch",
            "netdraft",
            "draculoader",
            "snowrust",
            "snowlight",
            "zingdoor",
            "finaldraft",
            "nosydoor",
            "vshell",
            "deedrat",
            "cloudsorcerer",
            "squiddoor",
            "snappybee"
          ],
          "references": [
            "https://blog.talosintelligence.com/uat-8302/"
          ],
          "public": 1,
          "adversary": "UAT-8302",
          "targeted_countries": [
            "Japan",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "NetDraft",
              "display_name": "NetDraft",
              "target": null
            },
            {
              "id": "FringePorch",
              "display_name": "FringePorch",
              "target": null
            },
            {
              "id": "CloudSorcerer",
              "display_name": "CloudSorcerer",
              "target": null
            },
            {
              "id": "VSHELL",
              "display_name": "VSHELL",
              "target": null
            },
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            },
            {
              "id": "SNOWRUST",
              "display_name": "SNOWRUST",
              "target": null
            },
            {
              "id": "DeedRAT",
              "display_name": "DeedRAT",
              "target": null
            },
            {
              "id": "SNAPPYBEE",
              "display_name": "SNAPPYBEE",
              "target": null
            },
            {
              "id": "ZingDoor",
              "display_name": "ZingDoor",
              "target": null
            },
            {
              "id": "Draculoader",
              "display_name": "Draculoader",
              "target": null
            },
            {
              "id": "FinalDraft",
              "display_name": "FinalDraft",
              "target": null
            },
            {
              "id": "SquidDoor",
              "display_name": "SquidDoor",
              "target": null
            },
            {
              "id": "NosyDoor",
              "display_name": "NosyDoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1087.001",
              "name": "Local Account",
              "display_name": "T1087.001 - Local Account"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "69f9f99c0dc1060430bf089e",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 8,
            "CVE": 3,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 20,
            "URL": 4,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "24 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fabb550dac4e682d0276ed",
          "name": "UAT-8302 and its box full of malware",
          "description": "",
          "modified": "2026-05-06T03:53:57.321000",
          "created": "2026-05-06T03:53:57.321000",
          "tags": [
            "fringeporch",
            "netdraft",
            "draculoader",
            "snowrust",
            "snowlight",
            "zingdoor",
            "finaldraft",
            "nosydoor",
            "vshell",
            "deedrat",
            "cloudsorcerer",
            "squiddoor",
            "snappybee"
          ],
          "references": [
            "https://blog.talosintelligence.com/uat-8302/"
          ],
          "public": 1,
          "adversary": "UAT-8302",
          "targeted_countries": [
            "Japan",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "NetDraft",
              "display_name": "NetDraft",
              "target": null
            },
            {
              "id": "FringePorch",
              "display_name": "FringePorch",
              "target": null
            },
            {
              "id": "CloudSorcerer",
              "display_name": "CloudSorcerer",
              "target": null
            },
            {
              "id": "VSHELL",
              "display_name": "VSHELL",
              "target": null
            },
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            },
            {
              "id": "SNOWRUST",
              "display_name": "SNOWRUST",
              "target": null
            },
            {
              "id": "DeedRAT",
              "display_name": "DeedRAT",
              "target": null
            },
            {
              "id": "SNAPPYBEE",
              "display_name": "SNAPPYBEE",
              "target": null
            },
            {
              "id": "ZingDoor",
              "display_name": "ZingDoor",
              "target": null
            },
            {
              "id": "Draculoader",
              "display_name": "Draculoader",
              "target": null
            },
            {
              "id": "FinalDraft",
              "display_name": "FinalDraft",
              "target": null
            },
            {
              "id": "SquidDoor",
              "display_name": "SquidDoor",
              "target": null
            },
            {
              "id": "NosyDoor",
              "display_name": "NosyDoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1087.001",
              "name": "Local Account",
              "display_name": "T1087.001 - Local Account"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "69f9f99c0dc1060430bf089e",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 8,
            "CVE": 3,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 20,
            "URL": 4,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "24 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "6903e18174d29518a9647d94",
          "name": "fghdfgdgsdgsdgsdgsdg",
          "description": "",
          "modified": "2025-11-29T22:04:26.882000",
          "created": "2025-10-30T22:06:57.365000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "abinsiby7048",
            "id": "355718",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "hostname": 5
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "181 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69032eeb91df61e525fe5741",
          "name": "EbeeOct2025 Pt4",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-11-29T09:05:33.273000",
          "created": "2025-10-30T09:24:59.370000",
          "tags": [],
          "references": [
            "OCT.pdf"
          ],
          "public": 1,
          "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 98,
            "FileHash-MD5": 166,
            "FileHash-SHA1": 122,
            "FileHash-SHA256": 190,
            "CVE": 9,
            "domain": 118,
            "email": 3,
            "hostname": 73
          },
          "indicator_count": 779,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "182 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fb16f51c54c5b44fd11530",
          "name": "The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns ..",
          "description": "Recent analysis highlights the emergence of cooperative strategies among China-aligned APT (Advanced Persistent Threat) groups, specifically examining the interaction between Earth Estries and Earth Naga. This collaboration is encapsulated in the evolving model termed \"Premier Pass-as-a-Service,\" where one group acts as an access broker, facilitating continued exploitation for another. This tactic complicates detection and attribution, as multiple threat actors share access to target organizations, thereby obscuring their individual identities and activities.",
          "modified": "2025-11-23T06:01:38.070000",
          "created": "2025-10-24T06:04:37.493000",
          "tags": [
            "earth estries",
            "draculoader",
            "crowdoor c",
            "cobalt strike",
            "earth naga",
            "compromise",
            "cyber espionage",
            "campaigns",
            "type",
            "description",
            "earthworm"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 15,
            "hostname": 6
          },
          "indicator_count": 21,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "188 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "68faea960c043cc3fce2a85d",
          "name": "IOC - The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns",
          "description": "In the domain of cyberespionage, Trend\u2122 Research has observed an emerging development in recent years: close collaboration between different advanced persistent threat (APT) groups of what looks like a single cyber campaign at first sight. This report highlights instances of such cooperation, where the APT group Earth Estries handed over a compromised asset to Earth Naga, another APT group also known as Flax Typhoon, RedJuliett, or Ethereal Panda. This phenomenon, which we have termed \"Premier Pass,\" represents a new level of coordination in cyber campaigns, particularly among China-aligned APT actors.",
          "modified": "2025-11-23T02:02:15.255000",
          "created": "2025-10-24T02:55:18.468000",
          "tags": [
            "earth estries",
            "draculoader",
            "crowdoor c",
            "cobalt strike",
            "earth naga",
            "compromise",
            "cyber espionage",
            "campaigns",
            "type",
            "description",
            "earthworm"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 15,
            "hostname": 5
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "188 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "OCT.pdf",
        "https://blog.talosintelligence.com/uat-8302/",
        "https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html",
        "IOCs-May1.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UAT-8302"
          ],
          "malware_families": [
            "Snowrust",
            "Finaldraft",
            "Snowlight",
            "Snappybee",
            "Squiddoor",
            "Draculoader",
            "Netdraft",
            "Vshell",
            "Fringeporch",
            "Deedrat",
            "Nosydoor",
            "Cloudsorcerer",
            "Zingdoor"
          ],
          "industries": [
            "Technology",
            "Government",
            "Telecommunications"
          ]
        },
        "other": {
          "adversary": [
            "UAT-8302",
            "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S",
            "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT"
          ],
          "malware_families": [
            "Snowrust",
            "Finaldraft",
            "Snowlight",
            "Snappybee",
            "Squiddoor",
            "Draculoader",
            "Netdraft",
            "Vshell",
            "Fringeporch",
            "Deedrat",
            "Nosydoor",
            "Cloudsorcerer",
            "Zingdoor"
          ],
          "industries": [
            "Technology",
            "Government",
            "Telecommunications"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "69f9f99c0dc1060430bf089e",
      "name": "UAT-8302 and its box full of malware",
      "description": "UAT-8302 is a sophisticated China-nexus advanced persistent threat group targeting government entities in South America since late 2024 and southeastern Europe in 2025. The actor deploys multiple custom-made malware families including NetDraft, a .NET-based backdoor variant of FinalDraft/SquidDoor, and CloudSorcerer version 3. Post-compromise activities involve extensive reconnaissance, credential extraction, information collection from Active Directory, and network proliferation using tools like Impacket. The group establishes persistence through scheduled tasks and deploys additional malware including VSHELL, SNAPPYBEE/DeedRAT, and ZingDoor. UAT-8302 demonstrates connections to several China-nexus threat clusters through shared tooling, including Draculoader and SNOWLIGHT stager. The actor uses legitimate services like MS Graph and OneDrive for command-and-control infrastructure and establishes backdoor access through proxy servers using tools written in Simplified Chinese.",
      "modified": "2026-05-05T15:55:09.079000",
      "created": "2026-05-05T14:07:24.061000",
      "tags": [
        "fringeporch",
        "netdraft",
        "draculoader",
        "snowrust",
        "snowlight",
        "zingdoor",
        "finaldraft",
        "nosydoor",
        "vshell",
        "deedrat",
        "cloudsorcerer",
        "squiddoor",
        "snappybee"
      ],
      "references": [
        "https://blog.talosintelligence.com/uat-8302/"
      ],
      "public": 1,
      "adversary": "UAT-8302",
      "targeted_countries": [
        "Japan",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "NetDraft",
          "display_name": "NetDraft",
          "target": null
        },
        {
          "id": "FringePorch",
          "display_name": "FringePorch",
          "target": null
        },
        {
          "id": "CloudSorcerer",
          "display_name": "CloudSorcerer",
          "target": null
        },
        {
          "id": "VSHELL",
          "display_name": "VSHELL",
          "target": null
        },
        {
          "id": "SNOWLIGHT",
          "display_name": "SNOWLIGHT",
          "target": null
        },
        {
          "id": "SNOWRUST",
          "display_name": "SNOWRUST",
          "target": null
        },
        {
          "id": "DeedRAT",
          "display_name": "DeedRAT",
          "target": null
        },
        {
          "id": "SNAPPYBEE",
          "display_name": "SNAPPYBEE",
          "target": null
        },
        {
          "id": "ZingDoor",
          "display_name": "ZingDoor",
          "target": null
        },
        {
          "id": "Draculoader",
          "display_name": "Draculoader",
          "target": null
        },
        {
          "id": "FinalDraft",
          "display_name": "FinalDraft",
          "target": null
        },
        {
          "id": "SquidDoor",
          "display_name": "SquidDoor",
          "target": null
        },
        {
          "id": "NosyDoor",
          "display_name": "NosyDoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1087.001",
          "name": "Local Account",
          "display_name": "T1087.001 - Local Account"
        },
        {
          "id": "T1135",
          "name": "Network Share Discovery",
          "display_name": "T1135 - Network Share Discovery"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Government",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 8,
        "CVE": 3,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 20,
        "URL": 4,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386447,
      "modified_text": "25 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a02a0b3dd97f4bd74ca7622",
      "name": "IOC - UAT-8302 and its box full of malware",
      "description": "",
      "modified": "2026-05-12T03:38:27.036000",
      "created": "2026-05-12T03:38:27.036000",
      "tags": [
        "fringeporch",
        "netdraft",
        "draculoader",
        "snowrust",
        "snowlight",
        "zingdoor",
        "finaldraft",
        "nosydoor",
        "vshell",
        "deedrat",
        "cloudsorcerer",
        "squiddoor",
        "snappybee"
      ],
      "references": [
        "https://blog.talosintelligence.com/uat-8302/"
      ],
      "public": 1,
      "adversary": "UAT-8302",
      "targeted_countries": [
        "Japan",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "NetDraft",
          "display_name": "NetDraft",
          "target": null
        },
        {
          "id": "FringePorch",
          "display_name": "FringePorch",
          "target": null
        },
        {
          "id": "CloudSorcerer",
          "display_name": "CloudSorcerer",
          "target": null
        },
        {
          "id": "VSHELL",
          "display_name": "VSHELL",
          "target": null
        },
        {
          "id": "SNOWLIGHT",
          "display_name": "SNOWLIGHT",
          "target": null
        },
        {
          "id": "SNOWRUST",
          "display_name": "SNOWRUST",
          "target": null
        },
        {
          "id": "DeedRAT",
          "display_name": "DeedRAT",
          "target": null
        },
        {
          "id": "SNAPPYBEE",
          "display_name": "SNAPPYBEE",
          "target": null
        },
        {
          "id": "ZingDoor",
          "display_name": "ZingDoor",
          "target": null
        },
        {
          "id": "Draculoader",
          "display_name": "Draculoader",
          "target": null
        },
        {
          "id": "FinalDraft",
          "display_name": "FinalDraft",
          "target": null
        },
        {
          "id": "SquidDoor",
          "display_name": "SquidDoor",
          "target": null
        },
        {
          "id": "NosyDoor",
          "display_name": "NosyDoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1087.001",
          "name": "Local Account",
          "display_name": "T1087.001 - Local Account"
        },
        {
          "id": "T1135",
          "name": "Network Share Discovery",
          "display_name": "T1135 - Network Share Discovery"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Government",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "69f9f99c0dc1060430bf089e",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 8,
        "CVE": 3,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 20,
        "URL": 4,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "18 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fc4cf52edcbd28c6d1ee10",
      "name": "sgwrfsdf",
      "description": "Photography: Kaspersky/Google.com/Kasperska.org/Naspersy/RKP.net. and a list of other sites on the web that users can check.",
      "modified": "2026-05-07T08:27:33.317000",
      "created": "2026-05-07T08:27:33.317000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "harshandc123",
        "id": "378589",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 7,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 12,
        "URL": 4,
        "domain": 2,
        "hostname": 3
      },
      "indicator_count": 52,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 16,
      "modified_text": "23 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fbad82234fc33123b0ce6d",
      "name": "EbeeMay2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-06T21:07:14.769000",
      "created": "2026-05-06T21:07:14.769000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "filepath",
        "localappdata",
        "cve20250994 cve",
        "temp",
        "mutex",
        "local"
      ],
      "references": [
        "IOCs-May1.csv"
      ],
      "public": 1,
      "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 80,
        "CIDR": 3,
        "CVE": 10,
        "FileHash-MD5": 154,
        "FileHash-SHA1": 140,
        "FileHash-SHA256": 219,
        "URL": 80,
        "domain": 82,
        "email": 8,
        "hostname": 60
      },
      "indicator_count": 836,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "23 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fb1d8245861e48f4ee9ad5",
      "name": "['UAT-8302 and its box full of malware'] clone credit AlienVault",
      "description": "",
      "modified": "2026-05-06T10:57:43.983000",
      "created": "2026-05-06T10:52:50.152000",
      "tags": [
        "fringeporch",
        "netdraft",
        "draculoader",
        "snowrust",
        "snowlight",
        "zingdoor",
        "finaldraft",
        "nosydoor",
        "vshell",
        "deedrat",
        "cloudsorcerer",
        "squiddoor",
        "snappybee"
      ],
      "references": [
        "https://blog.talosintelligence.com/uat-8302/"
      ],
      "public": 1,
      "adversary": "UAT-8302",
      "targeted_countries": [
        "Japan",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "NetDraft",
          "display_name": "NetDraft",
          "target": null
        },
        {
          "id": "FringePorch",
          "display_name": "FringePorch",
          "target": null
        },
        {
          "id": "CloudSorcerer",
          "display_name": "CloudSorcerer",
          "target": null
        },
        {
          "id": "VSHELL",
          "display_name": "VSHELL",
          "target": null
        },
        {
          "id": "SNOWLIGHT",
          "display_name": "SNOWLIGHT",
          "target": null
        },
        {
          "id": "SNOWRUST",
          "display_name": "SNOWRUST",
          "target": null
        },
        {
          "id": "DeedRAT",
          "display_name": "DeedRAT",
          "target": null
        },
        {
          "id": "SNAPPYBEE",
          "display_name": "SNAPPYBEE",
          "target": null
        },
        {
          "id": "ZingDoor",
          "display_name": "ZingDoor",
          "target": null
        },
        {
          "id": "Draculoader",
          "display_name": "Draculoader",
          "target": null
        },
        {
          "id": "FinalDraft",
          "display_name": "FinalDraft",
          "target": null
        },
        {
          "id": "SquidDoor",
          "display_name": "SquidDoor",
          "target": null
        },
        {
          "id": "NosyDoor",
          "display_name": "NosyDoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1087.001",
          "name": "Local Account",
          "display_name": "T1087.001 - Local Account"
        },
        {
          "id": "T1135",
          "name": "Network Share Discovery",
          "display_name": "T1135 - Network Share Discovery"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Government",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "69f9f99c0dc1060430bf089e",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 11,
        "CVE": 3,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 20,
        "URL": 4,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 53,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "24 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fabb599b517da83fe7f1d9",
      "name": "UAT-8302 and its box full of malware",
      "description": "",
      "modified": "2026-05-06T03:54:01.190000",
      "created": "2026-05-06T03:54:01.190000",
      "tags": [
        "fringeporch",
        "netdraft",
        "draculoader",
        "snowrust",
        "snowlight",
        "zingdoor",
        "finaldraft",
        "nosydoor",
        "vshell",
        "deedrat",
        "cloudsorcerer",
        "squiddoor",
        "snappybee"
      ],
      "references": [
        "https://blog.talosintelligence.com/uat-8302/"
      ],
      "public": 1,
      "adversary": "UAT-8302",
      "targeted_countries": [
        "Japan",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "NetDraft",
          "display_name": "NetDraft",
          "target": null
        },
        {
          "id": "FringePorch",
          "display_name": "FringePorch",
          "target": null
        },
        {
          "id": "CloudSorcerer",
          "display_name": "CloudSorcerer",
          "target": null
        },
        {
          "id": "VSHELL",
          "display_name": "VSHELL",
          "target": null
        },
        {
          "id": "SNOWLIGHT",
          "display_name": "SNOWLIGHT",
          "target": null
        },
        {
          "id": "SNOWRUST",
          "display_name": "SNOWRUST",
          "target": null
        },
        {
          "id": "DeedRAT",
          "display_name": "DeedRAT",
          "target": null
        },
        {
          "id": "SNAPPYBEE",
          "display_name": "SNAPPYBEE",
          "target": null
        },
        {
          "id": "ZingDoor",
          "display_name": "ZingDoor",
          "target": null
        },
        {
          "id": "Draculoader",
          "display_name": "Draculoader",
          "target": null
        },
        {
          "id": "FinalDraft",
          "display_name": "FinalDraft",
          "target": null
        },
        {
          "id": "SquidDoor",
          "display_name": "SquidDoor",
          "target": null
        },
        {
          "id": "NosyDoor",
          "display_name": "NosyDoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1087.001",
          "name": "Local Account",
          "display_name": "T1087.001 - Local Account"
        },
        {
          "id": "T1135",
          "name": "Network Share Discovery",
          "display_name": "T1135 - Network Share Discovery"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Government",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "69f9f99c0dc1060430bf089e",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 8,
        "CVE": 3,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 20,
        "URL": 4,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "24 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fabb550dac4e682d0276ed",
      "name": "UAT-8302 and its box full of malware",
      "description": "",
      "modified": "2026-05-06T03:53:57.321000",
      "created": "2026-05-06T03:53:57.321000",
      "tags": [
        "fringeporch",
        "netdraft",
        "draculoader",
        "snowrust",
        "snowlight",
        "zingdoor",
        "finaldraft",
        "nosydoor",
        "vshell",
        "deedrat",
        "cloudsorcerer",
        "squiddoor",
        "snappybee"
      ],
      "references": [
        "https://blog.talosintelligence.com/uat-8302/"
      ],
      "public": 1,
      "adversary": "UAT-8302",
      "targeted_countries": [
        "Japan",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "NetDraft",
          "display_name": "NetDraft",
          "target": null
        },
        {
          "id": "FringePorch",
          "display_name": "FringePorch",
          "target": null
        },
        {
          "id": "CloudSorcerer",
          "display_name": "CloudSorcerer",
          "target": null
        },
        {
          "id": "VSHELL",
          "display_name": "VSHELL",
          "target": null
        },
        {
          "id": "SNOWLIGHT",
          "display_name": "SNOWLIGHT",
          "target": null
        },
        {
          "id": "SNOWRUST",
          "display_name": "SNOWRUST",
          "target": null
        },
        {
          "id": "DeedRAT",
          "display_name": "DeedRAT",
          "target": null
        },
        {
          "id": "SNAPPYBEE",
          "display_name": "SNAPPYBEE",
          "target": null
        },
        {
          "id": "ZingDoor",
          "display_name": "ZingDoor",
          "target": null
        },
        {
          "id": "Draculoader",
          "display_name": "Draculoader",
          "target": null
        },
        {
          "id": "FinalDraft",
          "display_name": "FinalDraft",
          "target": null
        },
        {
          "id": "SquidDoor",
          "display_name": "SquidDoor",
          "target": null
        },
        {
          "id": "NosyDoor",
          "display_name": "NosyDoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1087.001",
          "name": "Local Account",
          "display_name": "T1087.001 - Local Account"
        },
        {
          "id": "T1135",
          "name": "Network Share Discovery",
          "display_name": "T1135 - Network Share Discovery"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Government",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "69f9f99c0dc1060430bf089e",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 8,
        "CVE": 3,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 20,
        "URL": 4,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "24 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "6903e18174d29518a9647d94",
      "name": "fghdfgdgsdgsdgsdgsdg",
      "description": "",
      "modified": "2025-11-29T22:04:26.882000",
      "created": "2025-10-30T22:06:57.365000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "abinsiby7048",
        "id": "355718",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "hostname": 5
      },
      "indicator_count": 15,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "181 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "69032eeb91df61e525fe5741",
      "name": "EbeeOct2025 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-11-29T09:05:33.273000",
      "created": "2025-10-30T09:24:59.370000",
      "tags": [],
      "references": [
        "OCT.pdf"
      ],
      "public": 1,
      "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 98,
        "FileHash-MD5": 166,
        "FileHash-SHA1": 122,
        "FileHash-SHA256": 190,
        "CVE": 9,
        "domain": 118,
        "email": 3,
        "hostname": 73
      },
      "indicator_count": 779,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "182 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fb16f51c54c5b44fd11530",
      "name": "The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns ..",
      "description": "Recent analysis highlights the emergence of cooperative strategies among China-aligned APT (Advanced Persistent Threat) groups, specifically examining the interaction between Earth Estries and Earth Naga. This collaboration is encapsulated in the evolving model termed \"Premier Pass-as-a-Service,\" where one group acts as an access broker, facilitating continued exploitation for another. This tactic complicates detection and attribution, as multiple threat actors share access to target organizations, thereby obscuring their individual identities and activities.",
      "modified": "2025-11-23T06:01:38.070000",
      "created": "2025-10-24T06:04:37.493000",
      "tags": [
        "earth estries",
        "draculoader",
        "crowdoor c",
        "cobalt strike",
        "earth naga",
        "compromise",
        "cyber espionage",
        "campaigns",
        "type",
        "description",
        "earthworm"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 15,
        "hostname": 6
      },
      "indicator_count": 21,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "188 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "4c71357de3c0b12094693ca6eff94cad",
    "type": "Hash"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "4c71357de3c0b12094693ca6eff94cad",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780173259.5910192
}