{ "type": "Domain", "indicator": "avtechupdate.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/avtechupdate.com", "alexa": "http://www.alexa.com/siteinfo/avtechupdate.com", "indicator": "avtechupdate.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4125719319, "indicator": "avtechupdate.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "68dab5b611126784770068b5", "name": "From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion", "description": "A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence and lateral movement. They harvested credentials from multiple sources and exfiltrated data using Rclone. The intrusion lasted nearly two months with intermittent C2 connections, discovery, lateral movement, and data theft. Despite comprehensive access to critical infrastructure, no ransomware deployment was observed.", "modified": "2025-10-29T16:03:07.232000", "created": "2025-09-29T16:37:10.253000", "tags": [ "cobalt strike", "backconnect", "credential-harvesting", "javascript", "cobalt-strike", "data-exfiltration", "brute-ratel", "lateral-movement", "latrodectus", "brute ratel c4" ], "references": [ "https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/" ], "public": 1, "adversary": "Lunar Spider", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "Brute Ratel C4", "display_name": "Brute Ratel C4", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "BackConnect", "display_name": "BackConnect", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "display_name": "T1222.001 - Windows File and Directory Permissions Modification" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "FileHash-SHA1": 13, "CVE": 1, "FileHash-MD5": 10, "URL": 16, "domain": 17, "hostname": 3 }, "indicator_count": 71, "is_author": false, "is_subscribing": null, "subscriber_count": 386552, "modified_text": "214 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-31T06:03:25.904000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 18402, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "11 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dbca938e8e29bf9cd560d8", "name": "From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion .", "description": "In May 2024, an intrusion attributed to the Lunar Spider threat actor commenced when a user executed a malicious JavaScript file disguised as a tax form. This file, associated with the Lunar Spider group, contained obfuscated code that triggered the download of an MSI installer, which subsequently deployed a Brute Ratel DLL file using the Windows utility rundll32. Upon execution, the Brute Ratel loader injected Latrodectus malware into the explorer.exe process, establishing command and control (C2) communications with multiple domains.\n\nThe attack began with extensive reconnaissance activities approximately one hour after the initial access, utilizing built-in Windows commands to enumerate hosts and domains. Subsequent actions included establishing a BackConnect session for remote access via VNC, and accessing an unattend.xml file to extract plaintext domain administrator credentials.", "modified": "2025-10-30T12:03:46.504000", "created": "2025-09-30T12:18:27.178000", "tags": [ "strong", "cobalt strike", "brute ratel", "latrodectus", "backconnect", "dfir labs", "userprofile", "command", "domain", "lunar spider", "icedid", "metasploit", "june", "psexec", "ratel", "powershell", "accept", "execution", "lsass", "sliver", "contact", "virustotal", "double", "keyhole", "later", "persistence", "bypass", "model", "atomic", "config", "error", "manipulation", "write", "over", "shell", "click", "facebook" ], "references": [ "https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "URL": 18, "domain": 21, "hostname": 3 }, "indicator_count": 73, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dba3ab432f0677e115bb03", "name": "IOC - From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion", "description": "The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of a MSI package, which deployed a Brute Ratel DLL file using rundll32.", "modified": "2025-10-30T09:01:54.969000", "created": "2025-09-30T09:32:27.216000", "tags": [ "domains", "lsassa backdoor", "cobalt strike", "backconnect ip", "brute ratel", "ratel ip", "metasploit ip", "bruteratel" ], "references": [ "https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 15, "hostname": 2, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68de1fcc5cdf036525a7f6f0", "name": "From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion", "description": "", "modified": "2025-10-29T16:03:07.232000", "created": "2025-10-02T06:46:36.319000", "tags": [ "cobalt strike", "backconnect", "credential-harvesting", "javascript", "cobalt-strike", "data-exfiltration", "brute-ratel", "lateral-movement", "latrodectus", "brute ratel c4" ], "references": [ "https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/" ], "public": 1, "adversary": "Lunar Spider", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "Brute Ratel C4", "display_name": "Brute Ratel C4", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "BackConnect", "display_name": "BackConnect", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "display_name": "T1222.001 - Windows File and Directory Permissions Modification" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ], "industries": [], "TLP": "white", "cloned_from": "68dab5b611126784770068b5", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "FileHash-SHA1": 13, "CVE": 1, "FileHash-MD5": 10, "URL": 16, "domain": 17, "hostname": 3 }, "indicator_count": 71, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "214 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://isc.sans.edu/diary/rss/28752", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://isc.sans.edu/diary/rss/27618", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://cert.gov.ua/article/703548", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://asec.ahnlab.com/en/31811/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://isc.sans.edu/diary/27308", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://cert.gov.ua/article/619229", "https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://asec.ahnlab.com/en/34549/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/apt-luminousmoth/103332/", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://istrosec.com/blog/apt-sk-cobalt/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://isc.sans.edu/diary/rss/26862", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://isc.sans.edu/diary/28636", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/" ], "related": { "alienvault": { "adversary": [ "Lunar Spider" ], "malware_families": [ "Cobalt strike - s0154", "Brute ratel c4", "Backconnect", "Latrodectus" ], "industries": [] }, "other": { "adversary": [ "Threat", "Lunar Spider" ], "malware_families": [ "Primary threat", "Handleref", "Threat analysis", "Trickbot", "Bazarloader", "Netsupport", "Kronos", "Win32.bitcoinminer", "Darkside", "Stellarparticle", "Ransomhub", "Matanbuchus", "Doorme", "Socgholish netsupport", "Fancybear", "Bumblebee", "Frp", "Microbackdoor", "Gold blackburn", "Cyclops", "Socgholish", "Threat", "Cobalt strike - s0154", "Graphsteel", "Win api", "Conti", "Shadowpad", "Cobalt strike", "Raspberry robin", "Win32.agent", "Beacon", "Plugx", "Avoslocker", "Latrodectus", "Apt29", "Pcap", "Elf", "Cozybear", "Brute ratel c4", "Nbtscan", "Gootloader", "Backconnect", "Hades", "Shadow chaser", "Generic.933739", "Credomap", "Ryuk", "Grimplant", "Beaconloader" ], "industries": [ "Gas", "Energy", "Aerospace", "Defense", "Banking", "Political", "Diplomatic", "Technology", "Media", "Pharmaceutical", "Financial", "Legal", "Academics", "Foreign affairs", "Logistics", "Industrial", "Government", "Military", "Transportation", "Aviation", "Transport", "Manufacturing", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "68dab5b611126784770068b5", "name": "From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion", "description": "A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence and lateral movement. They harvested credentials from multiple sources and exfiltrated data using Rclone. The intrusion lasted nearly two months with intermittent C2 connections, discovery, lateral movement, and data theft. Despite comprehensive access to critical infrastructure, no ransomware deployment was observed.", "modified": "2025-10-29T16:03:07.232000", "created": "2025-09-29T16:37:10.253000", "tags": [ "cobalt strike", "backconnect", "credential-harvesting", "javascript", "cobalt-strike", "data-exfiltration", "brute-ratel", "lateral-movement", "latrodectus", "brute ratel c4" ], "references": [ "https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/" ], "public": 1, "adversary": "Lunar Spider", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "Brute Ratel C4", "display_name": "Brute Ratel C4", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "BackConnect", "display_name": "BackConnect", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "display_name": "T1222.001 - Windows File and Directory Permissions Modification" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "FileHash-SHA1": 13, "CVE": 1, "FileHash-MD5": 10, "URL": 16, "domain": 17, "hostname": 3 }, "indicator_count": 71, "is_author": false, "is_subscribing": null, "subscriber_count": 386552, "modified_text": "214 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-31T06:03:25.904000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 18402, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "11 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dbca938e8e29bf9cd560d8", "name": "From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion .", "description": "In May 2024, an intrusion attributed to the Lunar Spider threat actor commenced when a user executed a malicious JavaScript file disguised as a tax form. This file, associated with the Lunar Spider group, contained obfuscated code that triggered the download of an MSI installer, which subsequently deployed a Brute Ratel DLL file using the Windows utility rundll32. Upon execution, the Brute Ratel loader injected Latrodectus malware into the explorer.exe process, establishing command and control (C2) communications with multiple domains.\n\nThe attack began with extensive reconnaissance activities approximately one hour after the initial access, utilizing built-in Windows commands to enumerate hosts and domains. Subsequent actions included establishing a BackConnect session for remote access via VNC, and accessing an unattend.xml file to extract plaintext domain administrator credentials.", "modified": "2025-10-30T12:03:46.504000", "created": "2025-09-30T12:18:27.178000", "tags": [ "strong", "cobalt strike", "brute ratel", "latrodectus", "backconnect", "dfir labs", "userprofile", "command", "domain", "lunar spider", "icedid", "metasploit", "june", "psexec", "ratel", "powershell", "accept", "execution", "lsass", "sliver", "contact", "virustotal", "double", "keyhole", "later", "persistence", "bypass", "model", "atomic", "config", "error", "manipulation", "write", "over", "shell", "click", "facebook" ], "references": [ "https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "URL": 18, "domain": 21, "hostname": 3 }, "indicator_count": 73, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dba3ab432f0677e115bb03", "name": "IOC - From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion", "description": "The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of a MSI package, which deployed a Brute Ratel DLL file using rundll32.", "modified": "2025-10-30T09:01:54.969000", "created": "2025-09-30T09:32:27.216000", "tags": [ "domains", "lsassa backdoor", "cobalt strike", "backconnect ip", "brute ratel", "ratel ip", "metasploit ip", "bruteratel" ], "references": [ "https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 15, "hostname": 2, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68de1fcc5cdf036525a7f6f0", "name": "From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion", "description": "", "modified": "2025-10-29T16:03:07.232000", "created": "2025-10-02T06:46:36.319000", "tags": [ "cobalt strike", "backconnect", "credential-harvesting", "javascript", "cobalt-strike", "data-exfiltration", "brute-ratel", "lateral-movement", "latrodectus", "brute ratel c4" ], "references": [ "https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/" ], "public": 1, "adversary": "Lunar Spider", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "Brute Ratel C4", "display_name": "Brute Ratel C4", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "BackConnect", "display_name": "BackConnect", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "display_name": "T1222.001 - Windows File and Directory Permissions Modification" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ], "industries": [], "TLP": "white", "cloned_from": "68dab5b611126784770068b5", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "FileHash-SHA1": 13, "CVE": 1, "FileHash-MD5": 10, "URL": 16, "domain": 17, "hostname": 3 }, "indicator_count": 71, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "214 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "avtechupdate.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "avtechupdate.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780248496.6487138 }