{
  "type": "Domain",
  "indicator": "lestemps.ru",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/lestemps.ru",
    "alexa": "http://www.alexa.com/siteinfo/lestemps.ru",
    "indicator": "lestemps.ru",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3752945500,
      "indicator": "lestemps.ru",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "65577650d407d04f0fdd28f2",
          "name": "Malware Spotlight - Into the Trash: Analyzing LitterDrifter",
          "description": "The LitterDrifter worm is written in VBS and has two main functionalities: automatic spreading over USB drives, and communication with a broad, flexible set of command-and-control servers. These features are implemented in a manner that aligns with the group\u2019s goals, effectively maintaining a persistent command and control (C2) channel across a wide array of targets. LitterDrifter seems to be an evolution of a previously reported activity tying Gamaredon group to a propagating USB Powershell worm.",
          "modified": "2023-11-17T14:18:55.874000",
          "created": "2023-11-17T14:18:55.874000",
          "tags": [
            "litterdrifter",
            "gamaredon",
            "wmi query",
            "spreader",
            "deobfuscoder",
            "geopolitical conflict"
          ],
          "references": [
            "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
          ],
          "public": 1,
          "adversary": "Gamaredon",
          "targeted_countries": [
            "United States of America",
            "Viet Nam",
            "Chile",
            "Poland",
            "Germany",
            "Hong Kong",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Deobfuscoder",
              "display_name": "Deobfuscoder",
              "target": null
            },
            {
              "id": "LitterDrifter",
              "display_name": "LitterDrifter",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 445,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 20,
            "domain": 49
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386545,
          "modified_text": "926 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a05294ec73e9cc40ac24b29",
          "name": "IOC - Gamaredon\u2019s infection chain: Spoofed emails, GammaDrop and GammaLoad",
          "description": "Investigating Gamaredon\u2019s abuse of CVE-2025-8088, we identified a dozen waves of spearphishing emails against Ukrainian state institutions in a campaign that is still active, dating back to September 2025. These emails \u2013 spoofed or sent from compromised government accounts \u2013 deliver persistent, multi-stage VBScript downloaders that profile the infected system.",
          "modified": "2026-05-14T01:45:50.814000",
          "created": "2026-05-14T01:45:50.814000",
          "tags": [
            "cloudflare",
            "primary c2",
            "ssl cert",
            "sha1",
            "domains",
            "gammadrop",
            "appdata",
            "malicious rar",
            "gammaload",
            "temp",
            "malicious arj",
            "gammaload ddns",
            "malicious",
            "gammadrop c2"
          ],
          "references": [
            "https://harfanglab.io/insidethelab/gamaredon-gammadrop-gammaload/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 4,
            "hostname": 11,
            "FileHash-SHA1": 5,
            "domain": 219,
            "FileHash-MD5": 4,
            "FileHash-SHA256": 120
          },
          "indicator_count": 363,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "17 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "655b1891db33ea97b2529059",
          "name": "Malware Spotlight - Into the Trash: Analyzing LitterDrifter - Check Point Research",
          "description": "The LitterDrifter worm, developed by the Russian espionage group Gamaredon, propagates over USB drives and maintains a broad command and control channel to a wide set of command-and-control servers.",
          "modified": "2023-12-20T08:03:19.872000",
          "created": "2023-11-20T08:28:01.056000",
          "tags": [
            "litterdrifter",
            "gamaredon",
            "ip address",
            "c2 module",
            "deobfuscoder",
            "spreader module",
            "wmi query",
            "check point",
            "ukraine",
            "c2 channel",
            "service",
            "spreader"
          ],
          "references": [
            "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
          ],
          "public": 1,
          "adversary": "Gamaredon",
          "targeted_countries": [
            "United States of America",
            "Viet Nam",
            "Chile",
            "Poland",
            "Germany",
            "Hong Kong"
          ],
          "malware_families": [
            {
              "id": "Deobfuscoder",
              "display_name": "Deobfuscoder",
              "target": null
            },
            {
              "id": "Spreader",
              "display_name": "Spreader",
              "target": null
            },
            {
              "id": "LitterDrifter",
              "display_name": "LitterDrifter",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 10,
            "domain": 49
          },
          "indicator_count": 79,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "893 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "655a102424da86a335d7be58",
          "name": "LitterDrifter: A New USB Propagating Worm from Gamaredon",
          "description": "Russian state-sponsored hackers are using a USB worm to spread sensitive information to targets in Ukraine, according to security firm Check Point and a series of reports from around the world, including one from Ukraine.",
          "modified": "2023-12-19T13:01:12.394000",
          "created": "2023-11-19T13:39:48.407000",
          "tags": [
            "cyber security news",
            "cyber news",
            "cyber security news today",
            "cyber security updates",
            "cyber updates",
            "hacker news",
            "hacking news",
            "software vulnerability",
            "cyber attacks",
            "data breach",
            "ransomware malware",
            "how to hack",
            "network security",
            "information security",
            "the hacker news",
            "computer security",
            "litterdrifter",
            "ukraine",
            "gamaredon",
            "check point",
            "ncscc",
            "certua",
            "remcos rat",
            "service",
            "usb propagating",
            "aqua blizzard",
            "june",
            "february",
            "twitter",
            "remcos",
            "ip address",
            "c2 module",
            "deobfuscoder",
            "spreader module",
            "wmi query",
            "c2 channel",
            "spreader"
          ],
          "references": [
            "https://thehackernews.com/2023/11/russian-cyber-espionage-group-deploys.html",
            "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
          ],
          "public": 1,
          "adversary": "Gamaredon",
          "targeted_countries": [
            "Ukraine",
            "United States of America",
            "Viet Nam",
            "Chile",
            "Poland",
            "Germany",
            "Hong Kong",
            "Italy",
            "Greece",
            "Romania",
            "Azerbaijan"
          ],
          "malware_families": [
            {
              "id": "LitterDrifter",
              "display_name": "LitterDrifter",
              "target": null
            },
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            },
            {
              "id": "Deobfuscoder",
              "display_name": "Deobfuscoder",
              "target": null
            },
            {
              "id": "Spreader",
              "display_name": "Spreader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 10,
            "domain": 49
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "894 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6558c8007f49876fccbcf8fd",
          "name": "LitterDrifter - A New USB Propagating Worm from Gamaredon",
          "description": "",
          "modified": "2023-12-18T14:02:38.834000",
          "created": "2023-11-18T14:19:44.825000",
          "tags": [
            "litterdrifter",
            "gamaredon",
            "ip address",
            "c2 module",
            "deobfuscoder",
            "spreader module",
            "wmi query",
            "check point",
            "ukraine",
            "c2 channel",
            "service"
          ],
          "references": [
            "November 18th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3600 - LitterDrifter - A New USB Propagating Worm from Gamaredon.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 26,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 29,
            "domain": 51,
            "email": 2,
            "hostname": 1
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "895 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6557ca1915f8b5f0be54d377",
          "name": "Malware Spotlight - Into the Trash: Analyzing LitterDrifter - Check Point Research",
          "description": "",
          "modified": "2023-12-17T20:00:37.884000",
          "created": "2023-11-17T20:16:25.208000",
          "tags": [
            "litterdrifter",
            "gamaredon",
            "ip address",
            "c2 module",
            "deobfuscoder",
            "spreader module",
            "wmi query",
            "check point",
            "ukraine",
            "c2 channel",
            "service"
          ],
          "references": [
            "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ghitansilviu@gmail.com",
            "id": "177478",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 10,
            "domain": 49
          },
          "indicator_count": 79,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "895 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "655c32423ac43d6ed245a21f",
          "name": "Malware Spotlight - Into the Trash: Analyzing LitterDrifter",
          "description": "",
          "modified": "2023-11-21T04:29:54.338000",
          "created": "2023-11-21T04:29:54.338000",
          "tags": [
            "litterdrifter",
            "gamaredon",
            "wmi query",
            "spreader",
            "deobfuscoder",
            "geopolitical conflict"
          ],
          "references": [
            "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
          ],
          "public": 1,
          "adversary": "Gamaredon",
          "targeted_countries": [
            "United States of America",
            "Viet Nam",
            "Chile",
            "Poland",
            "Germany",
            "Hong Kong",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Deobfuscoder",
              "display_name": "Deobfuscoder",
              "target": null
            },
            {
              "id": "LitterDrifter",
              "display_name": "LitterDrifter",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "655b0eab376c6e3ba726a11f",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 20,
            "domain": 49
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 279,
          "modified_text": "922 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "655b66f3564ed4a18e04a121",
          "name": "20231120_LitterDrifter_IOCs",
          "description": "The following IOCs are infrastructure that has been observed in relation to a recently identified worm comprising two primary components, its spreading module and its C2 module through Telegram, both of which seem to indicate that it was designed to support a larger-scale collection operation.",
          "modified": "2023-11-20T14:02:27.991000",
          "created": "2023-11-20T14:02:27.991000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ITSecurity@iwm.org.uk",
            "id": "178568",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 49
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 36,
          "modified_text": "923 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "655b0eab376c6e3ba726a11f",
          "name": "Malware Spotlight - Into the Trash: Analyzing LitterDrifter",
          "description": "",
          "modified": "2023-11-20T07:45:47.258000",
          "created": "2023-11-20T07:45:47.258000",
          "tags": [
            "litterdrifter",
            "gamaredon",
            "wmi query",
            "spreader",
            "deobfuscoder",
            "geopolitical conflict"
          ],
          "references": [
            "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
          ],
          "public": 1,
          "adversary": "Gamaredon",
          "targeted_countries": [
            "United States of America",
            "Viet Nam",
            "Chile",
            "Poland",
            "Germany",
            "Hong Kong",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Deobfuscoder",
              "display_name": "Deobfuscoder",
              "target": null
            },
            {
              "id": "LitterDrifter",
              "display_name": "LitterDrifter",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65577650d407d04f0fdd28f2",
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 20,
            "domain": 49
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 188,
          "modified_text": "923 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://harfanglab.io/insidethelab/gamaredon-gammadrop-gammaload/",
        "November 18th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3600 - LitterDrifter - A New USB Propagating Worm from Gamaredon.pdf",
        "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/",
        "https://thehackernews.com/2023/11/russian-cyber-espionage-group-deploys.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Gamaredon"
          ],
          "malware_families": [
            "Litterdrifter",
            "Deobfuscoder"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Gamaredon"
          ],
          "malware_families": [
            "Litterdrifter",
            "Spreader",
            "Remcos",
            "Deobfuscoder"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "65577650d407d04f0fdd28f2",
      "name": "Malware Spotlight - Into the Trash: Analyzing LitterDrifter",
      "description": "The LitterDrifter worm is written in VBS and has two main functionalities: automatic spreading over USB drives, and communication with a broad, flexible set of command-and-control servers. These features are implemented in a manner that aligns with the group\u2019s goals, effectively maintaining a persistent command and control (C2) channel across a wide array of targets. LitterDrifter seems to be an evolution of a previously reported activity tying Gamaredon group to a propagating USB Powershell worm.",
      "modified": "2023-11-17T14:18:55.874000",
      "created": "2023-11-17T14:18:55.874000",
      "tags": [
        "litterdrifter",
        "gamaredon",
        "wmi query",
        "spreader",
        "deobfuscoder",
        "geopolitical conflict"
      ],
      "references": [
        "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
      ],
      "public": 1,
      "adversary": "Gamaredon",
      "targeted_countries": [
        "United States of America",
        "Viet Nam",
        "Chile",
        "Poland",
        "Germany",
        "Hong Kong",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Deobfuscoder",
          "display_name": "Deobfuscoder",
          "target": null
        },
        {
          "id": "LitterDrifter",
          "display_name": "LitterDrifter",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 445,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 20,
        "domain": 49
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386545,
      "modified_text": "926 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a05294ec73e9cc40ac24b29",
      "name": "IOC - Gamaredon\u2019s infection chain: Spoofed emails, GammaDrop and GammaLoad",
      "description": "Investigating Gamaredon\u2019s abuse of CVE-2025-8088, we identified a dozen waves of spearphishing emails against Ukrainian state institutions in a campaign that is still active, dating back to September 2025. These emails \u2013 spoofed or sent from compromised government accounts \u2013 deliver persistent, multi-stage VBScript downloaders that profile the infected system.",
      "modified": "2026-05-14T01:45:50.814000",
      "created": "2026-05-14T01:45:50.814000",
      "tags": [
        "cloudflare",
        "primary c2",
        "ssl cert",
        "sha1",
        "domains",
        "gammadrop",
        "appdata",
        "malicious rar",
        "gammaload",
        "temp",
        "malicious arj",
        "gammaload ddns",
        "malicious",
        "gammadrop c2"
      ],
      "references": [
        "https://harfanglab.io/insidethelab/gamaredon-gammadrop-gammaload/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 4,
        "hostname": 11,
        "FileHash-SHA1": 5,
        "domain": 219,
        "FileHash-MD5": 4,
        "FileHash-SHA256": 120
      },
      "indicator_count": 363,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "17 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "655b1891db33ea97b2529059",
      "name": "Malware Spotlight - Into the Trash: Analyzing LitterDrifter - Check Point Research",
      "description": "The LitterDrifter worm, developed by the Russian espionage group Gamaredon, propagates over USB drives and maintains a broad command and control channel to a wide set of command-and-control servers.",
      "modified": "2023-12-20T08:03:19.872000",
      "created": "2023-11-20T08:28:01.056000",
      "tags": [
        "litterdrifter",
        "gamaredon",
        "ip address",
        "c2 module",
        "deobfuscoder",
        "spreader module",
        "wmi query",
        "check point",
        "ukraine",
        "c2 channel",
        "service",
        "spreader"
      ],
      "references": [
        "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
      ],
      "public": 1,
      "adversary": "Gamaredon",
      "targeted_countries": [
        "United States of America",
        "Viet Nam",
        "Chile",
        "Poland",
        "Germany",
        "Hong Kong"
      ],
      "malware_families": [
        {
          "id": "Deobfuscoder",
          "display_name": "Deobfuscoder",
          "target": null
        },
        {
          "id": "Spreader",
          "display_name": "Spreader",
          "target": null
        },
        {
          "id": "LitterDrifter",
          "display_name": "LitterDrifter",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 10,
        "domain": 49
      },
      "indicator_count": 79,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "893 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "655a102424da86a335d7be58",
      "name": "LitterDrifter: A New USB Propagating Worm from Gamaredon",
      "description": "Russian state-sponsored hackers are using a USB worm to spread sensitive information to targets in Ukraine, according to security firm Check Point.  and a series of reports from around the world, including one from Ukraine.",
      "modified": "2023-12-19T13:01:12.394000",
      "created": "2023-11-19T13:39:48.407000",
      "tags": [
        "cyber security news",
        "cyber news",
        "cyber security news today",
        "cyber security updates",
        "cyber updates",
        "hacker news",
        "hacking news",
        "software vulnerability",
        "cyber attacks",
        "data breach",
        "ransomware malware",
        "how to hack",
        "network security",
        "information security",
        "the hacker news",
        "computer security",
        "litterdrifter",
        "ukraine",
        "gamaredon",
        "check point",
        "ncscc",
        "certua",
        "remcos rat",
        "service",
        "usb propagating",
        "aqua blizzard",
        "june",
        "february",
        "twitter",
        "remcos",
        "ip address",
        "c2 module",
        "deobfuscoder",
        "spreader module",
        "wmi query",
        "c2 channel",
        "spreader"
      ],
      "references": [
        "https://thehackernews.com/2023/11/russian-cyber-espionage-group-deploys.html",
        "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
      ],
      "public": 1,
      "adversary": "Gamaredon",
      "targeted_countries": [
        "Ukraine",
        "United States of America",
        "Viet Nam",
        "Chile",
        "Poland",
        "Germany",
        "Hong Kong",
        "Italy",
        "Greece",
        "Romania",
        "Azerbaijan"
      ],
      "malware_families": [
        {
          "id": "LitterDrifter",
          "display_name": "LitterDrifter",
          "target": null
        },
        {
          "id": "Remcos",
          "display_name": "Remcos",
          "target": null
        },
        {
          "id": "Deobfuscoder",
          "display_name": "Deobfuscoder",
          "target": null
        },
        {
          "id": "Spreader",
          "display_name": "Spreader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 10,
        "domain": 49
      },
      "indicator_count": 80,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 501,
      "modified_text": "894 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6558c8007f49876fccbcf8fd",
      "name": "LitterDrifter - A New USB Propagating Worm from Gamaredon",
      "description": "",
      "modified": "2023-12-18T14:02:38.834000",
      "created": "2023-11-18T14:19:44.825000",
      "tags": [
        "litterdrifter",
        "gamaredon",
        "ip address",
        "c2 module",
        "deobfuscoder",
        "spreader module",
        "wmi query",
        "check point",
        "ukraine",
        "c2 channel",
        "service"
      ],
      "references": [
        "November 18th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3600 - LitterDrifter - A New USB Propagating Worm from Gamaredon.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 26,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 29,
        "domain": 51,
        "email": 2,
        "hostname": 1
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "895 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6557ca1915f8b5f0be54d377",
      "name": "Malware Spotlight - Into the Trash: Analyzing LitterDrifter - Check Point Research",
      "description": "",
      "modified": "2023-12-17T20:00:37.884000",
      "created": "2023-11-17T20:16:25.208000",
      "tags": [
        "litterdrifter",
        "gamaredon",
        "ip address",
        "c2 module",
        "deobfuscoder",
        "spreader module",
        "wmi query",
        "check point",
        "ukraine",
        "c2 channel",
        "service"
      ],
      "references": [
        "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ghitansilviu@gmail.com",
        "id": "177478",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 10,
        "domain": 49
      },
      "indicator_count": 79,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "895 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "655c32423ac43d6ed245a21f",
      "name": "Malware Spotlight - Into the Trash: Analyzing LitterDrifter",
      "description": "",
      "modified": "2023-11-21T04:29:54.338000",
      "created": "2023-11-21T04:29:54.338000",
      "tags": [
        "litterdrifter",
        "gamaredon",
        "wmi query",
        "spreader",
        "deobfuscoder",
        "geopolitical conflict"
      ],
      "references": [
        "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
      ],
      "public": 1,
      "adversary": "Gamaredon",
      "targeted_countries": [
        "United States of America",
        "Viet Nam",
        "Chile",
        "Poland",
        "Germany",
        "Hong Kong",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Deobfuscoder",
          "display_name": "Deobfuscoder",
          "target": null
        },
        {
          "id": "LitterDrifter",
          "display_name": "LitterDrifter",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "655b0eab376c6e3ba726a11f",
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 20,
        "domain": 49
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 279,
      "modified_text": "922 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "655b66f3564ed4a18e04a121",
      "name": "20231120_LitterDrifter_IOCs",
      "description": "the following IOCs are infrastructure that has been observed in relation to a recently identified worm that is comprised of two main primary components which include its spreading module and its C2 module though the telegram both of which seem to indicate the following was designed to support a larger scaler collection operation",
      "modified": "2023-11-20T14:02:27.991000",
      "created": "2023-11-20T14:02:27.991000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ITSecurity@iwm.org.uk",
        "id": "178568",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 49
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 36,
      "modified_text": "923 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "655b0eab376c6e3ba726a11f",
      "name": "Malware Spotlight - Into the Trash: Analyzing LitterDrifter",
      "description": "",
      "modified": "2023-11-20T07:45:47.258000",
      "created": "2023-11-20T07:45:47.258000",
      "tags": [
        "litterdrifter",
        "gamaredon",
        "wmi query",
        "spreader",
        "deobfuscoder",
        "geopolitical conflict"
      ],
      "references": [
        "https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/"
      ],
      "public": 1,
      "adversary": "Gamaredon",
      "targeted_countries": [
        "United States of America",
        "Viet Nam",
        "Chile",
        "Poland",
        "Germany",
        "Hong Kong",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Deobfuscoder",
          "display_name": "Deobfuscoder",
          "target": null
        },
        {
          "id": "LitterDrifter",
          "display_name": "LitterDrifter",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65577650d407d04f0fdd28f2",
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 20,
        "domain": 49
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 188,
      "modified_text": "923 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "lestemps.ru",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "lestemps.ru",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780242137.7956502
}