{ "type": "Domain", "indicator": "cross-checking.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cross-checking.com", "alexa": "http://www.alexa.com/siteinfo/cross-checking.com", "indicator": "cross-checking.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3015771757, "indicator": "cross-checking.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "60afece345be6dfd2a66ea3c", "name": "Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns", "description": "Volexity, a security firm, has identified and identified a phishing campaign targeting government agencies across the United States and Europe that is believed to be related to APT29.", "modified": "2021-07-02T00:00:45.508000", "created": "2021-05-27T19:02:59.218000", "tags": [ "cobaltstrike", "apt29", "dark halo", "lnk file", "usaid", "europe", "malware", "NOBELIUM" ], "references": [ "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a", "https://us-cert.cisa.gov/ncas/alerts/aa21-148a", "https://github.com/microsoft/mstic/blob/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv" ], "public": 1, "adversary": "APT29", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "CobaltStrike", "display_name": "CobaltStrike", "target": null }, { "id": "FreshFire", "display_name": "FreshFire", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [ "Government", "NGO" ], "TLP": "white", "cloned_from": null, "export_count": 327, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "hostname": 19, "FileHash-MD5": 42, "FileHash-SHA256": 74, "FileHash-SHA1": 62, "domain": 21, "URL": 5, "YARA": 3 }, "indicator_count": 226, "is_author": false, "is_subscribing": null, "subscriber_count": 386476, "modified_text": "1793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-01T08:53:34.200000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "IPv4": 1630, "IPv6": 2, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 20034, "is_author": false, "is_subscribing": null, "subscriber_count": 14, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "64 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "64 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c257c4178a74335a9eb520", "name": "Test Pawn Storm", "description": "Description Test", "modified": "2024-04-18T18:00:09.467000", "created": "2024-02-06T16:01:08.781000", "tags": [ "information stealer", "cve-2023-23397", "test2", "test3", "test4", "test5" ], "references": [ "https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/l/pawn-storm-uses-brute-force-and-stealth-against-high-value-targets-/iocs-pawn-storm-uses-brute-force-and-stealth-against-high-value-targets.txt" ], "public": 1, "adversary": "Test Adversary2", "targeted_countries": [ "United States of America", "Central African Republic", "Taiwan", "Afghanistan", "\u00c5land Islands" ], "malware_families": [ { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": "#AGGR:AutoIt/Banload", "display_name": "#AGGR:AutoIt/Banload", "target": "/malware/#AGGR:AutoIt/Banload" }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" } ], "industries": [ "Defense", "Energy", "Transportation", "Finance", "Chemical", "Aerospace", "Construction" ], "TLP": "white", "cloned_from": "65c2068e125ab9c038a7f362", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jpattotx2", "id": "225675", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 18, "FileHash-SHA1": 16, "FileHash-SHA256": 20, "domain": 189, "hostname": 1482, "YARA": 1, "URL": 23 }, "indicator_count": 1754, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "772 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://isc.sans.edu/diary/rss/26862", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/l/pawn-storm-uses-brute-force-and-stealth-against-high-value-targets-/iocs-pawn-storm-uses-brute-force-and-stealth-against-high-value-targets.txt", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://cert.gov.ua/article/37704", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://istrosec.com/blog/apt-sk-cobalt/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://asec.ahnlab.com/en/31811/", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://cert.gov.ua/article/619229", "https://asec.ahnlab.com/en/34549/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://isc.sans.edu/diary/28636", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "Verification failure observed in automated verification handlers during sandbox replay.", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://isc.sans.edu/diary/27308", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://isc.sans.edu/diary/rss/28752", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://isc.sans.edu/diary/rss/27618", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "https://us-cert.cisa.gov/ncas/alerts/aa21-148a", "https://github.com/microsoft/mstic/blob/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://securelist.com/apt-luminousmoth/103332/", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf" ], "related": { "alienvault": { "adversary": [ "APT29" ], "malware_families": [ "Freshfire", "Cobaltstrike" ], "industries": [ "Government", "Ngo" ] }, "other": { "adversary": [ "Threat", "Test Adversary2" ], "malware_families": [ "Hades", "Threat", "Trickbot", "Kronos", "Conti", "Gootloader", "Gold blackburn", "Matanbuchus", "Socgholish", "Cozybear", "Credomap", "Ryuk", "Netsupport", "Fancybear", "Frp", "Bumblebee", "Beacon", "Cobalt strike", "Primary threat", "Bazarloader", "Threat analysis", "Nbtscan", "Win32.bitcoinminer", "Microbackdoor", "Elf", "Win32.agent", "Stellarparticle", "Handleref", "Plugx", "Avoslocker", "\"prepending (enc) ransomware\" (not an official name)", "Raspberry robin", "Ransomhub", "Shadowpad", "Doorme", "Win api", "Pcap", "Grimplant", "Cyclops", "Apt29", "Generic.933739", "#aggr:autoit/banload", "Immortal stealer", "Shadow chaser", "Socgholish netsupport", "Beaconloader", "Darkside", "Graphsteel" ], "industries": [ "Military", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Transport", "Pharmaceutical", "Media", "Legal", "Energy", "Financial", "Aviation", "Manufacturing", "Finance", "Industrial", "Chemical", "Diplomatic", "Transportation", "Government", "Defense", "Aerospace", "Telecommunications", "Technology", "Banking", "Academics", "Construction", "Gas", "Foreign affairs", "Logistics", "Political" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "60afece345be6dfd2a66ea3c", "name": "Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns", "description": "Volexity, a security firm, has identified and identified a phishing campaign targeting government agencies across the United States and Europe that is believed to be related to APT29.", "modified": "2021-07-02T00:00:45.508000", "created": "2021-05-27T19:02:59.218000", "tags": [ "cobaltstrike", "apt29", "dark halo", "lnk file", "usaid", "europe", "malware", "NOBELIUM" ], "references": [ "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a", "https://us-cert.cisa.gov/ncas/alerts/aa21-148a", "https://github.com/microsoft/mstic/blob/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv" ], "public": 1, "adversary": "APT29", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "CobaltStrike", "display_name": "CobaltStrike", "target": null }, { "id": "FreshFire", "display_name": "FreshFire", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [ "Government", "NGO" ], "TLP": "white", "cloned_from": null, "export_count": 327, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "hostname": 19, "FileHash-MD5": 42, "FileHash-SHA256": 74, "FileHash-SHA1": 62, "domain": 21, "URL": 5, "YARA": 3 }, "indicator_count": 226, "is_author": false, "is_subscribing": null, "subscriber_count": 386476, "modified_text": "1793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-01T08:53:34.200000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "IPv4": 1630, "IPv6": 2, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 20034, "is_author": false, "is_subscribing": null, "subscriber_count": 14, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "64 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "64 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c257c4178a74335a9eb520", "name": "Test Pawn Storm", "description": "Description Test", "modified": "2024-04-18T18:00:09.467000", "created": "2024-02-06T16:01:08.781000", "tags": [ "information stealer", "cve-2023-23397", "test2", "test3", "test4", "test5" ], "references": [ "https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/l/pawn-storm-uses-brute-force-and-stealth-against-high-value-targets-/iocs-pawn-storm-uses-brute-force-and-stealth-against-high-value-targets.txt" ], "public": 1, "adversary": "Test Adversary2", "targeted_countries": [ "United States of America", "Central African Republic", "Taiwan", "Afghanistan", "\u00c5land Islands" ], "malware_families": [ { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": "#AGGR:AutoIt/Banload", "display_name": "#AGGR:AutoIt/Banload", "target": "/malware/#AGGR:AutoIt/Banload" }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" } ], "industries": [ "Defense", "Energy", "Transportation", "Finance", "Chemical", "Aerospace", "Construction" ], "TLP": "white", "cloned_from": "65c2068e125ab9c038a7f362", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jpattotx2", "id": "225675", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 18, "FileHash-SHA1": 16, "FileHash-SHA256": 20, "domain": 189, "hostname": 1482, "YARA": 1, "URL": 23 }, "indicator_count": 1754, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "772 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cross-checking.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cross-checking.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180403.632866 }