{ "type": "URL", "indicator": "https://teamworks455.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://teamworks455.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3426106107, "indicator": "https://teamworks455.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "625d3e91bf052b8b9579adc6", "name": "Notorious cybercrime gang\u2019s botnet (ZLoader) disrupted", "description": "Today, we\u2019re announcing that Microsoft\u2019s Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a criminal botnet called ZLoader. ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.", "modified": "2022-04-18T10:46:31.997000", "created": "2022-04-18T10:33:52.636000", "tags": [ "zloader", "ursnif", "raccoon", "zloader 2" ], "references": [ "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/", "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/" ], "public": 1, "adversary": "", "targeted_countries": [ "Philippines" ], "malware_families": [ { "id": "Zloader", "display_name": "Zloader", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Zloader 2", "display_name": "Zloader 2", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1036.001", "name": "Invalid Code Signature", "display_name": "T1036.001 - Invalid Code Signature" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1588.006", "name": "Vulnerabilities", "display_name": "T1588.006 - Vulnerabilities" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1587.003", "name": "Digital Certificates", "display_name": "T1587.003 - Digital Certificates" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1587.002", "name": "Code Signing Certificates", "display_name": "T1587.002 - Code Signing Certificates" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1560.003", "name": "Archive via Custom Method", "display_name": "T1560.003 - Archive via Custom Method" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" } ], "industries": [ "Cryptocurrency", "Insurance", "Banks", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 263, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 20, "FileHash-SHA256": 12, "domain": 31, "URL": 5, "CVE": 2, "email": 1, "hostname": 1 }, "indicator_count": 82, "is_author": false, "is_subscribing": null, "subscriber_count": 386657, "modified_text": "1504 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-31T06:03:25.904000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 18402, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "625bbaffc1c053af253db33c", "name": "ESET takes part in global operation to disrupt Zloader botnets | WeLiveSecurity", "description": "Zloader is one of the world\u2019s most dangerous banking trojan families, and ESET researchers have been closely monitoring its activity and evolution since it was announced and advertised in underground forums.", "modified": "2022-04-17T07:00:15.032000", "created": "2022-04-17T07:00:15.032000", "tags": [ "zloader", "zbot", "cobalt strike", "hodi", "adi", "nka", "ky", "ursnif", "hnlq", "ao", "phm", "phl", "adum", "hogn", "atera agent", "figure", "aitb", "eset research", "command", "eset", "microsoft", "november", "rc4 key", "june", "silent", "february", "loader", "darkside", "raccoon", "april", "teamviewer", "execution", "android" ], "references": [ "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Australia", "Japan", "Canada", "United States of America" ], "malware_families": [ { "id": "Zloader", "display_name": "Zloader", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "KY", "display_name": "KY", "target": null }, { "id": "NKA", "display_name": "NKA", "target": null }, { "id": "ADI", "display_name": "ADI", "target": null }, { "id": "HODI", "display_name": "HODI", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HOGN", "display_name": "HOGN", "target": null }, { "id": "ADUM", "display_name": "ADUM", "target": null }, { "id": "PHL", "display_name": "PHL", "target": null }, { "id": "PHM", "display_name": "PHM", "target": null }, { "id": "AO", "display_name": "AO", "target": null }, { "id": "HNLQ", "display_name": "HNLQ", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Cryptocurrency", "E-Commerce", "Banks", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "CVE": 2, "FileHash-MD5": 8, "FileHash-SHA1": 17, "FileHash-SHA256": 7, "domain": 29, "email": 1, "hostname": 2 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 357, "modified_text": "1506 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://cert.gov.ua/article/619229", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://asec.ahnlab.com/en/31811/", "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://isc.sans.edu/diary/rss/27618", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://isc.sans.edu/diary/rss/26862", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://cert.gov.ua/article/703548", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://isc.sans.edu/diary/28636", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/27308", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://cert.gov.ua/article/37704", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://asec.ahnlab.com/en/34549/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://isc.sans.edu/diary/rss/28752", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Zloader 2", "Raccoon", "Ursnif", "Zloader" ], "industries": [ "Banks", "Financial", "Cryptocurrency", "Insurance" ], "unique_indicators": 82 }, "other": { "adversary": [ "Threat" ], "malware_families": [ "Ursnif", "Raspberry robin", "Phm", "Cobalt strike", "Ransomhub", "Gootloader", "Shadow chaser", "Ryuk", "Zloader", "Socgholish", "Microbackdoor", "Win32.bitcoinminer", "Doorme", "Elf", "Hnlq", "Threat analysis", "Adum", "Primary threat", "Matanbuchus", "Trickbot", "Nka", "Threat", "Generic.933739", "Avoslocker", "Zbot", "Hodi", "Handleref", "Beacon", "Plugx", "Beaconloader", "Kronos", "Fancybear", "Ao", "Hogn", "Bumblebee", "Darkside", "Win32.agent", "Phl", "Credomap", "Grimplant", "Bazarloader", "Conti", "Gold blackburn", "Pcap", "Cyclops", "Netsupport", "Hades", "Ky", "Graphsteel", "Shadowpad", "Nbtscan", "Socgholish netsupport", "Adi", "Win api", "Cozybear", "Frp", "Stellarparticle", "Apt29" ], "industries": [ "Telecommunications", "Aviation", "Industrial", "Manufacturing", "Political", "E-commerce", "Defense", "Diplomatic", "Foreign affairs", "Banking", "Energy", "Media", "Aerospace", "Logistics", "Transportation", "Academics", "Transport", "Military", "Legal", "Banks", "Government", "Technology", "Financial", "Gas", "Pharmaceutical", "Cryptocurrency" ], "unique_indicators": 20041 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/teamworks455.com", "whois": "http://whois.domaintools.com/teamworks455.com", "domain": "teamworks455.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "625d3e91bf052b8b9579adc6", "name": "Notorious cybercrime gang\u2019s botnet (ZLoader) disrupted", "description": "Today, we\u2019re announcing that Microsoft\u2019s Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a criminal botnet called ZLoader. ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.", "modified": "2022-04-18T10:46:31.997000", "created": "2022-04-18T10:33:52.636000", "tags": [ "zloader", "ursnif", "raccoon", "zloader 2" ], "references": [ "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/", "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/" ], "public": 1, "adversary": "", "targeted_countries": [ "Philippines" ], "malware_families": [ { "id": "Zloader", "display_name": "Zloader", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Zloader 2", "display_name": "Zloader 2", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1036.001", "name": "Invalid Code Signature", "display_name": "T1036.001 - Invalid Code Signature" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1588.006", "name": "Vulnerabilities", "display_name": "T1588.006 - Vulnerabilities" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1587.003", "name": "Digital Certificates", "display_name": "T1587.003 - Digital Certificates" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1587.002", "name": "Code Signing Certificates", "display_name": "T1587.002 - Code Signing Certificates" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1560.003", "name": "Archive via Custom Method", "display_name": "T1560.003 - Archive via Custom Method" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" } ], "industries": [ "Cryptocurrency", "Insurance", "Banks", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 263, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 20, "FileHash-SHA256": 12, "domain": 31, "URL": 5, "CVE": 2, "email": 1, "hostname": 1 }, "indicator_count": 82, "is_author": false, "is_subscribing": null, "subscriber_count": 386657, "modified_text": "1504 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-31T06:03:25.904000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 18402, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "625bbaffc1c053af253db33c", "name": "ESET takes part in global operation to disrupt Zloader botnets | WeLiveSecurity", "description": "Zloader is one of the world\u2019s most dangerous banking trojan families, and ESET researchers have been closely monitoring its activity and evolution since it was announced and advertised in underground forums.", "modified": "2022-04-17T07:00:15.032000", "created": "2022-04-17T07:00:15.032000", "tags": [ "zloader", "zbot", "cobalt strike", "hodi", "adi", "nka", "ky", "ursnif", "hnlq", "ao", "phm", "phl", "adum", "hogn", "atera agent", "figure", "aitb", "eset research", "command", "eset", "microsoft", "november", "rc4 key", "june", "silent", "february", "loader", "darkside", "raccoon", "april", "teamviewer", "execution", "android" ], "references": [ "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Australia", "Japan", "Canada", "United States of America" ], "malware_families": [ { "id": "Zloader", "display_name": "Zloader", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "KY", "display_name": "KY", "target": null }, { "id": "NKA", "display_name": "NKA", "target": null }, { "id": "ADI", "display_name": "ADI", "target": null }, { "id": "HODI", "display_name": "HODI", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HOGN", "display_name": "HOGN", "target": null }, { "id": "ADUM", "display_name": "ADUM", "target": null }, { "id": "PHL", "display_name": "PHL", "target": null }, { "id": "PHM", "display_name": "PHM", "target": null }, { "id": "AO", "display_name": "AO", "target": null }, { "id": "HNLQ", "display_name": "HNLQ", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Cryptocurrency", "E-Commerce", "Banks", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "CVE": 2, "FileHash-MD5": 8, "FileHash-SHA1": 17, "FileHash-SHA256": 7, "domain": 29, "email": 1, "hostname": 2 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 357, "modified_text": "1506 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://teamworks455.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://teamworks455.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780309175.0625095 }