{ "type": "SHA256", "indicator": "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004", "validation": [], "base_indicator": { "id": 12835, "indicator": "70f5574e4e7ad360f4f5c2117a7a1ca7", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "69dcac5193a4767db4efdb48", "name": "Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke", "description": "A new campaign attributed to CozyDuke threat actors has been identified, utilizing malware called MiniDionis that appears related to Seaduke. The campaign began on July 7, 2015, targeting government organizations and think-tanks in democratic countries through spear phishing emails containing malicious links or attachments. The attack chain involves multi-stage droppers that deliver decoy media files while executing malicious payloads in the background. MiniDionis uses compromised legitimate websites for command and control, employs JSON-based configuration, and communicates over HTTPS using RC4 and AES encryption. The malware includes comprehensive command capabilities for system reconnaissance, file operations, and remote execution. The attackers demonstrate sophisticated techniques including manual HTTP redirection handling and cleanup mechanisms to evade forensic analysis.", "modified": "2026-05-13T08:00:13.358000", "created": "2026-04-13T08:41:53.482000", "tags": [ "minidionis", "cozer", "cloudlook", "json-configuration", "cloudduke", "cozycar", "seadaddy", "seadesk", "government-targeting", "seaduke", "multi-stage-dropper", "cozyduke", "cozybear", "https-c2", "euroapt", "spear-phishing", "forkmeimfamous" ], "references": [ "https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke" ], "public": 1, "adversary": "CozyDuke", "targeted_countries": [], "malware_families": [ { "id": "CloudDuke - S0054", "display_name": "CloudDuke - S0054", "target": null }, { "id": "MiniDionis", "display_name": "MiniDionis", "target": null }, { "id": "CloudLook", "display_name": "CloudLook", "target": null }, { "id": "CozyCar - S0046", "display_name": "CozyCar - S0046", "target": null }, { "id": "CozyDuke", "display_name": "CozyDuke", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Cozer", "display_name": "Cozer", "target": null }, { "id": "EuroAPT", "display_name": "EuroAPT", "target": null }, { "id": "SeaDuke - S0053", "display_name": "SeaDuke - S0053", "target": null }, { "id": "SeaDaddy", "display_name": "SeaDaddy", "target": null }, { "id": "SeaDesk", "display_name": "SeaDesk", "target": null }, { "id": "Forkmeimfamous", "display_name": "Forkmeimfamous", "target": null } ], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 26, "URL": 1, "domain": 5, "hostname": 7 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 386449, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "55a5854fb45ff5561d94e6c1", "name": "CozyCar\u2019s New Ride Is Related to Seaduke", "description": "Unit 42 has uncovered a new campaign from the CozyDuke threat actors, aka CozyCar [1], leveraging malware that appears to be related to the Seaduke malware described earlier this week by Symantec. [2]", "modified": "2017-08-24T10:45:06.727000", "created": "2015-07-14T21:55:27.757000", "tags": [ "apt", "cozycar", "seaduke", "cozyduke", "malware", "miniDionis", "paloalto" ], "references": [ "http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/" ], "public": 1, "adversary": "APT 29", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 6, "FileHash-MD5": 25 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 386507, "modified_text": "3201 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "55afcff3b45ff57d4094e6b3", "name": "Duke APT group's latest tools: cloud services and Linux support", "description": "Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or \"solutions\" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have born a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.", "modified": "2017-07-24T11:16:43.608000", "created": "2015-07-22T17:16:35.665000", "tags": [ "cloudduke", "duke", "onedrive", "seaduke", "cozyduke", "minidionis", "trojan", "f-secure" ], "references": [ "https://www.f-secure.com/weblog/archives/00002822.html" ], "public": 1, "adversary": "APT 29", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 54, "upvotes_count": 2.0, "downvotes_count": 0.0, "votes_count": 2.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 7, "FileHash-SHA1": 18, "YARA": 6, "FileHash-SHA256": 13 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386516, "modified_text": "3232 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "55fae83567db8c6fb3518bcd", "name": "THE DUKES: 7 years of Russian cyberespionage", "description": "The Dukes are a well-resourced, highly dedicated and organized cyberespionage group\nthat we believe has been working for the Russian Federation since at least 2008 to\ncollect intelligence in support of foreign and security policy decision-making.\n...the Dukes show unusual confidence in their ability to\ncontinue successfully compromising their targets [...], as well as in their ability to operate with impunity.\nThe Dukes primarily target Western governments and related organizations, such\nas government ministries and agencies, political think tanks, and governmental\nsubcontractors. Their targets have also included the governments of members\nof the Commonwealth of Independent States; Asian, African, and Middle Eastern\ngovernments; organizations associated with Chechen extremism; and Russian\nspeakers engaged in the illicit trade of controlled substances and drugs.", "modified": "2017-03-06T17:17:18.888000", "created": "2015-09-17T16:20:05.303000", "tags": [ "russia", "apt", "asia", "africa", "middle east", "PinchDuke", "GeminiDuke", "CosmicDuke", "MiniDuke", "CozyDuke", "OnionDuke", "SeaDuke", "HammerDuke", "CloudDuke" ], "references": [ "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" ], "public": 1, "adversary": "APT 29", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 62, "upvotes_count": 4.0, "downvotes_count": 1.0, "votes_count": 3.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 15, "hostname": 3, "FileHash-SHA1": 275, "CVE": 4 }, "indicator_count": 297, "is_author": false, "is_subscribing": null, "subscriber_count": 386535, "modified_text": "3372 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-30T00:28:12.957000", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 58066, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 873822, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e0c5f7aa93975cc28fa3ca", "name": "EbeeApril2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-16T11:03:51.843000", "created": "2026-04-16T11:20:23.973000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 6, "FileHash-MD5": 161, "FileHash-SHA1": 152, "FileHash-SHA256": 100, "URL": 110, "domain": 104, "email": 4, "hostname": 76 }, "indicator_count": 714, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69ddc1e3a44d00f7e642dbac", "name": "Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke", "description": "", "modified": "2026-05-13T08:00:13.358000", "created": "2026-04-14T04:26:11.634000", "tags": [ "minidionis", "cozer", "cloudlook", "json-configuration", "cloudduke", "cozycar", "seadaddy", "seadesk", "government-targeting", "seaduke", "multi-stage-dropper", "cozyduke", "cozybear", "https-c2", "euroapt", "spear-phishing", "forkmeimfamous" ], "references": [ "https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke" ], "public": 1, "adversary": "CozyDuke", "targeted_countries": [], "malware_families": [ { "id": "CloudDuke - S0054", "display_name": "CloudDuke - S0054", "target": null }, { "id": "MiniDionis", "display_name": "MiniDionis", "target": null }, { "id": "CloudLook", "display_name": "CloudLook", "target": null }, { "id": "CozyCar - S0046", "display_name": "CozyCar - S0046", "target": null }, { "id": "CozyDuke", "display_name": "CozyDuke", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Cozer", "display_name": "Cozer", "target": null }, { "id": "EuroAPT", "display_name": "EuroAPT", "target": null }, { "id": "SeaDuke - S0053", "display_name": "SeaDuke - S0053", "target": null }, { "id": "SeaDaddy", "display_name": "SeaDaddy", "target": null }, { "id": "SeaDesk", "display_name": "SeaDesk", "target": null }, { "id": "Forkmeimfamous", "display_name": "Forkmeimfamous", "target": null } ], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": "69dcac5193a4767db4efdb48", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 26, "URL": 1, "domain": 5, "hostname": 7 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 282, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f4dfa6405cf7858f1b732a", "name": "2015: Malware Analysis Report", "description": "", "modified": "2026-05-01T17:15:18.968000", "created": "2026-05-01T17:15:18.968000", "tags": [], "references": [ "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-02-15 - Carbanak.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2015-03-28 - UACME.pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-05-14 - The Naikon APT.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-06-17 - The Spring Dragon APT.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-08-19 - Antak WebShell.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-10-15 - Archivist.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-11-16 - Introducing LogPOS.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "Agent.BTZ to ComRAT.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "Afghan Government Compromise - Browser Beware.pdf", "Anthem hack all roads lead to China.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Animals in the APT Farm.pdf", "APT CVE-2015-5119.pdf", "APT 28 (1).pdf", "Attacks against Israeli & Palestinian interests.pdf", "APT group ups targets us gov.pdf", "Black Energy.pdf", "blog.pdf", "APT 28.pdf", "Babar.pdf", "Black Vine.pdf", "Behind the syria conflict.pdf", "Attacks on France TV5 Monde.pdf", "Casper Malware.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "Demonstrating Hustle.pdf", "Cmstar Downloader.pdf", "Apt 28 (2).pdf", "Bookworm Trojan (1).pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Duke cloud Linux.pdf", "Dukes.pdf", "Duqu 2.0 Yara rules.pdf", "Duqu 2.0 Win32K Exploit.pdf", "Dino.pdf", "Duke cloud Linux (1).pdf", "Goldfish Phishing.pdf", "Indicators of Compormise Hellsing.pdf", "Rocket Kitten.pdf", "Trojan Skelky.pdf", "Wild Neutron.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "Babar or Bunny.pdf", "BBSRAT Roaming Tiger.pdf", "Blue termite (1).pdf", "China Peace Palace.pdf", "Copy Kittens.pdf", "Emdivi.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1032, "FileHash-SHA1": 544, "IPv4": 487, "FileHash-MD5": 1665, "URL": 673, "hostname": 959, "CVE": 45, "FileHash-SHA256": 411, "email": 11, "CIDR": 4, "BitcoinAddress": 2, "YARA": 7 }, "indicator_count": 5840, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-01T08:53:34.200000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "IPv4": 1630, "IPv6": 2, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 20034, "is_author": false, "is_subscribing": null, "subscriber_count": 14, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "64 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "64 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "65707cfd7deec618b32401ae", "name": "yarex_APTMalware", "description": "", "modified": "2023-12-06T13:54:05.062000", "created": "2023-12-06T13:54:05.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1429, "FileHash-MD5": 3594, "FileHash-SHA1": 1430, "hostname": 48, "URL": 146, "domain": 85, "YARA": 965, "email": 2 }, "indicator_count": 7699, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "61ebb686fb654ea04bf28cd4", "name": "yarex_APTMalware", "description": "yarex/APTMalware\n\nhttps://github.com/resteex0/yarex", "modified": "2022-04-27T00:03:12.448000", "created": "2022-01-22T07:47:18.162000", "tags": [ "clsid", "quvtohr", "yara rule", "set author", "identifier", "aptmalwareapt28", "rule", "nblockuse", "start", "dbcsbuffer", "nbsp", "name", "ithesaurusword", "namespace3http", "wdcecfchgigjg", "address", "aptmalwareapt21", "ainfbf", "dekmcugcl", "dltuntu", "edbfa", "zyxzedbfa", "path", "newwindow", "aptmalwareapt1", "j5feq1a", "yljl8wk29gvu", "assoc", "aptmalwareapt29", "b8b4b0b", "closehandle", "matchlen", "finishmsg", "feedback", "error", "cimagemanager", "getimage", "ccmdtarget", "getdata", "p6gpav2", "getruntimeclass", "aptmalwareapt19", "enpi", "vmrqs", "mmnmbivesahl", "dvirev", "failed", "ctrll", "lookup", "ctrlshiftr", "ascii ctrla", "rule set", "vgkjbmcqvepmkjw", "ihjw9", "shellmainthread", "initfirst", "filesexcalibur", "filemg1", "entry", "socket", "concurrency", "shell", "aptmalwareapt30", "okbps", "plcqtobyjf" ], "references": [ "APT 30.yar", "Equation Group.yar", "Winnti.yar", "Energetic Bear.yar", "Dark Hotel.yar", "APT 19.yar", "APT 10.yar", "APT 29.yar", "APT 1.yar", "APT 21.yar", "Gorgon Group.yar", "APT 28.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "resteex0", "id": "175858", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3594, "FileHash-SHA1": 1430, "FileHash-SHA256": 1429, "YARA": 979, "URL": 146, "domain": 85, "hostname": 48, "email": 2 }, "indicator_count": 7713, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "1494 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "2015-11-16 - Introducing LogPOS.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-03-28 - UACME.pdf", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "https://cert.gov.ua/article/703548", "Behind the syria conflict.pdf", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "Bookworm Trojan (1).pdf", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "Energetic Bear.yar", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "2015-07-30 - Sakula Malware Family.pdf", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "APT 30.yar", "Copy Kittens.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "2015-04-15 - Betabot retrospective.pdf", "Dark Hotel.yar", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "https://isc.sans.edu/diary/28636", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "APT 28.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "BBSRAT Roaming Tiger.pdf", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "2015-12-08 - VT Report for SmartEyes.pdf", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "Dino.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "Attacks on France TV5 Monde.pdf", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "APT 19.yar", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "https://isc.sans.edu/diary/27308", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "2015-01-21 - The DGA of Symmi.pdf", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "blog.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "https://securelist.com/apt-luminousmoth/103332/", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "Demonstrating Hustle.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "Attacks against Israeli & Palestinian interests.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "APT CVE-2015-5119.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "Duke cloud Linux.pdf", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "2015-01-20 - Analysis of Project Cobra.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "Blue termite (1).pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-03-03 - C99Shell not dead.pdf", "Duke cloud Linux (1).pdf", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "Anthem hack all roads lead to China.pdf", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "APT 28 (1).pdf", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-08-19 - Antak WebShell.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "2015-09-12 - Stuxnet code.pdf", "APT 10.yar", "https://isc.sans.edu/diary/rss/27618", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "Verification failure observed in automated verification handlers during sandbox replay.", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "Black Energy.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/", "Duqu 2.0 Win32K Exploit.pdf", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "Wild Neutron.pdf", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "Animals in the APT Farm.pdf", "https://www.f-secure.com/weblog/archives/00002822.html", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://thedfirreport.com/2020/10/08/ryuks-return/", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://asec.ahnlab.com/en/31811/", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-09-09 - Pony Stealer Malware.pdf", "APT 1.yar", "Black Vine.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Agent.BTZ to ComRAT.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "https://asec.ahnlab.com/en/34549/", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "Indicators of Compormise Hellsing.pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://cert.gov.ua/article/619229", "2015-03-10 - The DGA of Pykspa.pdf", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "Rocket Kitten.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "Cmstar Downloader.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "Trojan Skelky.pdf", "2015-07-14 - BernhardPOS.pdf", "APT 28.yar", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "Winnti.yar", "APT group ups targets us gov.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "https://cert.gov.ua/article/37704", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "APT 21.yar", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Goldfish Phishing.pdf", "2015-08-18 - ransomware open-sources.pdf", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "IOCs.April.pdf", "Gorgon Group.yar", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "China Peace Palace.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "https://istrosec.com/blog/apt-sk-cobalt/", "Afghan Government Compromise - Browser Beware.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "Dukes.pdf", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "2015-10-13 - I am HDRoot! Part 2.pdf", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "Apt 28 (2).pdf", "2015-05-14 - The Naikon APT.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "Babar.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "Emdivi.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "https://isc.sans.edu/diary/rss/26862", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-02-15 - Carbanak.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "https://isc.sans.edu/diary/rss/28752", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-10-15 - Archivist.pdf", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "Equation Group.yar", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "2015-05-18 - TT Malware Log.pdf", "Casper Malware.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "Babar or Bunny.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "Duqu 2.0 Yara rules.pdf", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "2015-06-24 - UnFIN4ished Business.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke", "2015-02-20 - The DGAs of Necurs.pdf", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "APT 29.yar", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "2015-06-17 - The Spring Dragon APT.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf" ], "related": { "alienvault": { "adversary": [ "APT 29", "CozyDuke" ], "malware_families": [ "Cozyduke", "Forkmeimfamous", "Cloudduke - s0054", "Cozybear", "Seaduke - s0053", "Euroapt", "Cozer", "Cloudlook", "Seadesk", "Seadaddy", "Minidionis", "Cozycar - s0046" ], "industries": [ "Government" ] }, "other": { "adversary": [ "Threat", "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "CozyDuke" ], "malware_families": [ "Cobalt strike", "Cozyduke", "Grimplant", "Netsupport", "Shadow chaser", "Cloudduke - s0054", "Beacon", "Seaduke - s0053", "Microbackdoor", "Frp", "Win32.agent", "Euroapt", "Seadesk", "Elf", "Bazarloader", "Avoslocker", "Raspberry robin", "Cozycar - s0046", "Hades", "Pcap", "Fancybear", "Forkmeimfamous", "Conti", "Bumblebee", "Kronos", "Shadowpad", "Darkside", "Cozybear", "Trickbot", "Matanbuchus", "Cloudlook", "Socgholish netsupport", "Ryuk", "Socgholish", "Doorme", "Threat", "Ransomhub", "Primary threat", "Gootloader", "Seadaddy", "Minidionis", "Graphsteel", "Gold blackburn", "Threat analysis", "Win32.bitcoinminer", "Nbtscan", "Cyclops", "Win api", "Cozer", "Generic.933739", "Plugx", "Stellarparticle", "Apt29", "Handleref", "Credomap", "Beaconloader" ], "industries": [ "Military", "Pharmaceutical", "Defense", "Legal", "Banking", "Logistics", "Technology", "Energy", "Academics", "Aerospace", "Manufacturing", "Political", "Media", "Government", "Aviation", "Gas", "Financial", "Transport", "Diplomatic", "Foreign affairs", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Transportation", "Telecommunications", "Industrial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "69dcac5193a4767db4efdb48", "name": "Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke", "description": "A new campaign attributed to CozyDuke threat actors has been identified, utilizing malware called MiniDionis that appears related to Seaduke. The campaign began on July 7, 2015, targeting government organizations and think-tanks in democratic countries through spear phishing emails containing malicious links or attachments. The attack chain involves multi-stage droppers that deliver decoy media files while executing malicious payloads in the background. MiniDionis uses compromised legitimate websites for command and control, employs JSON-based configuration, and communicates over HTTPS using RC4 and AES encryption. The malware includes comprehensive command capabilities for system reconnaissance, file operations, and remote execution. The attackers demonstrate sophisticated techniques including manual HTTP redirection handling and cleanup mechanisms to evade forensic analysis.", "modified": "2026-05-13T08:00:13.358000", "created": "2026-04-13T08:41:53.482000", "tags": [ "minidionis", "cozer", "cloudlook", "json-configuration", "cloudduke", "cozycar", "seadaddy", "seadesk", "government-targeting", "seaduke", "multi-stage-dropper", "cozyduke", "cozybear", "https-c2", "euroapt", "spear-phishing", "forkmeimfamous" ], "references": [ "https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke" ], "public": 1, "adversary": "CozyDuke", "targeted_countries": [], "malware_families": [ { "id": "CloudDuke - S0054", "display_name": "CloudDuke - S0054", "target": null }, { "id": "MiniDionis", "display_name": "MiniDionis", "target": null }, { "id": "CloudLook", "display_name": "CloudLook", "target": null }, { "id": "CozyCar - S0046", "display_name": "CozyCar - S0046", "target": null }, { "id": "CozyDuke", "display_name": "CozyDuke", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Cozer", "display_name": "Cozer", "target": null }, { "id": "EuroAPT", "display_name": "EuroAPT", "target": null }, { "id": "SeaDuke - S0053", "display_name": "SeaDuke - S0053", "target": null }, { "id": "SeaDaddy", "display_name": "SeaDaddy", "target": null }, { "id": "SeaDesk", "display_name": "SeaDesk", "target": null }, { "id": "Forkmeimfamous", "display_name": "Forkmeimfamous", "target": null } ], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 26, "URL": 1, "domain": 5, "hostname": 7 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 386449, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "55a5854fb45ff5561d94e6c1", "name": "CozyCar\u2019s New Ride Is Related to Seaduke", "description": "Unit 42 has uncovered a new campaign from the CozyDuke threat actors, aka CozyCar [1], leveraging malware that appears to be related to the Seaduke malware described earlier this week by Symantec. [2]", "modified": "2017-08-24T10:45:06.727000", "created": "2015-07-14T21:55:27.757000", "tags": [ "apt", "cozycar", "seaduke", "cozyduke", "malware", "miniDionis", "paloalto" ], "references": [ "http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/" ], "public": 1, "adversary": "APT 29", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 6, "FileHash-MD5": 25 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 386507, "modified_text": "3201 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "55afcff3b45ff57d4094e6b3", "name": "Duke APT group's latest tools: cloud services and Linux support", "description": "Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or \"solutions\" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have born a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.", "modified": "2017-07-24T11:16:43.608000", "created": "2015-07-22T17:16:35.665000", "tags": [ "cloudduke", "duke", "onedrive", "seaduke", "cozyduke", "minidionis", "trojan", "f-secure" ], "references": [ "https://www.f-secure.com/weblog/archives/00002822.html" ], "public": 1, "adversary": "APT 29", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 54, "upvotes_count": 2.0, "downvotes_count": 0.0, "votes_count": 2.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 7, "FileHash-SHA1": 18, "YARA": 6, "FileHash-SHA256": 13 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386516, "modified_text": "3232 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "55fae83567db8c6fb3518bcd", "name": "THE DUKES: 7 years of Russian cyberespionage", "description": "The Dukes are a well-resourced, highly dedicated and organized cyberespionage group\nthat we believe has been working for the Russian Federation since at least 2008 to\ncollect intelligence in support of foreign and security policy decision-making.\n...the Dukes show unusual confidence in their ability to\ncontinue successfully compromising their targets [...], as well as in their ability to operate with impunity.\nThe Dukes primarily target Western governments and related organizations, such\nas government ministries and agencies, political think tanks, and governmental\nsubcontractors. Their targets have also included the governments of members\nof the Commonwealth of Independent States; Asian, African, and Middle Eastern\ngovernments; organizations associated with Chechen extremism; and Russian\nspeakers engaged in the illicit trade of controlled substances and drugs.", "modified": "2017-03-06T17:17:18.888000", "created": "2015-09-17T16:20:05.303000", "tags": [ "russia", "apt", "asia", "africa", "middle east", "PinchDuke", "GeminiDuke", "CosmicDuke", "MiniDuke", "CozyDuke", "OnionDuke", "SeaDuke", "HammerDuke", "CloudDuke" ], "references": [ "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" ], "public": 1, "adversary": "APT 29", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 62, "upvotes_count": 4.0, "downvotes_count": 1.0, "votes_count": 3.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 15, "hostname": 3, "FileHash-SHA1": 275, "CVE": 4 }, "indicator_count": 297, "is_author": false, "is_subscribing": null, "subscriber_count": 386535, "modified_text": "3372 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-30T00:28:12.957000", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 58066, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 873822, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69e0c5f7aa93975cc28fa3ca", "name": "EbeeApril2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-16T11:03:51.843000", "created": "2026-04-16T11:20:23.973000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 6, "FileHash-MD5": 161, "FileHash-SHA1": 152, "FileHash-SHA256": 100, "URL": 110, "domain": 104, "email": 4, "hostname": 76 }, "indicator_count": 714, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69ddc1e3a44d00f7e642dbac", "name": "Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke", "description": "", "modified": "2026-05-13T08:00:13.358000", "created": "2026-04-14T04:26:11.634000", "tags": [ "minidionis", "cozer", "cloudlook", "json-configuration", "cloudduke", "cozycar", "seadaddy", "seadesk", "government-targeting", "seaduke", "multi-stage-dropper", "cozyduke", "cozybear", "https-c2", "euroapt", "spear-phishing", "forkmeimfamous" ], "references": [ "https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke" ], "public": 1, "adversary": "CozyDuke", "targeted_countries": [], "malware_families": [ { "id": "CloudDuke - S0054", "display_name": "CloudDuke - S0054", "target": null }, { "id": "MiniDionis", "display_name": "MiniDionis", "target": null }, { "id": "CloudLook", "display_name": "CloudLook", "target": null }, { "id": "CozyCar - S0046", "display_name": "CozyCar - S0046", "target": null }, { "id": "CozyDuke", "display_name": "CozyDuke", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Cozer", "display_name": "Cozer", "target": null }, { "id": "EuroAPT", "display_name": "EuroAPT", "target": null }, { "id": "SeaDuke - S0053", "display_name": "SeaDuke - S0053", "target": null }, { "id": "SeaDaddy", "display_name": "SeaDaddy", "target": null }, { "id": "SeaDesk", "display_name": "SeaDesk", "target": null }, { "id": "Forkmeimfamous", "display_name": "Forkmeimfamous", "target": null } ], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": "69dcac5193a4767db4efdb48", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 26, "URL": 1, "domain": 5, "hostname": 7 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 282, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "69f4dfa6405cf7858f1b732a", "name": "2015: Malware Analysis Report", "description": "", "modified": "2026-05-01T17:15:18.968000", "created": "2026-05-01T17:15:18.968000", "tags": [], "references": [ "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-02-15 - Carbanak.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2015-03-28 - UACME.pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-05-14 - The Naikon APT.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-06-17 - The Spring Dragon APT.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-08-19 - Antak WebShell.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-10-15 - Archivist.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-11-16 - Introducing LogPOS.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "Agent.BTZ to ComRAT.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "Afghan Government Compromise - Browser Beware.pdf", "Anthem hack all roads lead to China.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Animals in the APT Farm.pdf", "APT CVE-2015-5119.pdf", "APT 28 (1).pdf", "Attacks against Israeli & Palestinian interests.pdf", "APT group ups targets us gov.pdf", "Black Energy.pdf", "blog.pdf", "APT 28.pdf", "Babar.pdf", "Black Vine.pdf", "Behind the syria conflict.pdf", "Attacks on France TV5 Monde.pdf", "Casper Malware.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "Demonstrating Hustle.pdf", "Cmstar Downloader.pdf", "Apt 28 (2).pdf", "Bookworm Trojan (1).pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Duke cloud Linux.pdf", "Dukes.pdf", "Duqu 2.0 Yara rules.pdf", "Duqu 2.0 Win32K Exploit.pdf", "Dino.pdf", "Duke cloud Linux (1).pdf", "Goldfish Phishing.pdf", "Indicators of Compormise Hellsing.pdf", "Rocket Kitten.pdf", "Trojan Skelky.pdf", "Wild Neutron.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "Babar or Bunny.pdf", "BBSRAT Roaming Tiger.pdf", "Blue termite (1).pdf", "China Peace Palace.pdf", "Copy Kittens.pdf", "Emdivi.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1032, "FileHash-SHA1": 544, "IPv4": 487, "FileHash-MD5": 1665, "URL": 673, "hostname": 959, "CVE": 45, "FileHash-SHA256": 411, "email": 11, "CIDR": 4, "BitcoinAddress": 2, "YARA": 7 }, "indicator_count": 5840, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-01T08:53:34.200000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "IPv4": 1630, "IPv6": 2, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 20034, "is_author": false, "is_subscribing": null, "subscriber_count": 14, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780170629.751852 }