Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 51 threat intelligence articles and prepared a concise summary of the findings, including the relevant extracted metadata. Below you will find a short summary of 10 reports with the related threats, tools and threat actors, a link to the source, and the indicators of compromise (IoCs) extracted from the original reports. More granular information on all reports, including TTPs, is available via RST Report Hub.

Title: Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
Link: https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware
Summary: The intrusion began with a user executing a malicious file disguised as a legitimate Windows Media Configuration Utility; the file was a Cobalt Strike beacon. The threat actor moved laterally within the network, deployed proxy tools on domain controllers, extracted credentials, and established persistence through several methods, including scheduled tasks. An initial attempt to exfiltrate data over FTP with Rclone failed; the attacker then transferred the data to Mega.io before deploying LockBit ransomware to encrypt files on all Windows hosts in the network on the eleventh day of the intrusion. The threat actor also worked to evade detection: modifying Windows Defender settings, using PowerShell for reconnaissance and execution, and using process injection to keep access to compromised hosts.
Threats: cobalt_strike lockbit rclone_tool ghostsocks systembc metasploit_tool sliver_c2_tool nltest_tool seatbelt_tool sharpview_tool bitsadmin_tool process_injection_technique credential_stealing_technique ntdsutil_tool winrm_tool credential_dumping_technique
Indicators of compromise:
-------------------------
ip: 159[.]100[.]14[.]254, 185[.]236[.]232[.]20:445, 38[.]180[.]61[.]247, 195[.]2[.]70[.]38, 91[.]142[.]74[.]28, 93[.]115[.]26[.]127, 31[.]172[.]83[.]162:443, 159[.]100[.]14[.]254:443, 93[.]115[.]26[.]127:21, 46[.]21[.]250[.]52:21
domain: accessservicesonline[.]com, compdatasystems[.]com, user[.]compdatasystems[.]com, retailadvertisingservices[.]com, qaz[.]im, temp[.]sh
url: https://accessservicesonline[.]com/setup_wm[.]exe
hash:
- md5=a0e9f5d64349fb13191bc781f81f42e1
- md5=8ed408107f89c53261bf74e58517bc76
- md5=303951d4c50efb2e991652225a6f02b1
- sha1=1ac66fcc34c0b86def886e4e168030dae096927c, sha256=2389b3978887ec1094b26b35e21e9c77826d91f7fa25b2a1cb5ad836ba2d7ec4
- sha256=44cf04192384e920215f0e335561076050129ad7a43b58b1319fa1f950f6a7b6, sha1=c59cbd309b3393cb08a1133364ed11000fdd418d
- sha256=ced4ee8a9814c243f0c157cda900def172b95bb4bc8535e480fe432ab84b9175, sha1=450d54d5737164579416ca99af1eb3fa1d4aaff9
- sha256=b4ad5df385ee964fe9a800f2cdaa03626c8e8811ddb171f8e821876373335e63, sha1=bf2b396b8fb0b1de27678aab877b6f177546d1c5
- sha1=bf2b396b8fb0b1de27678aab877b6f177546d1c5, md5=6505b488d0c7f3eaee66e3db103d7b05
- md5=671b967eb2bc04a0cd892ca225eb5034, sha1=ab1777107d9996e647d43d1194922b810f198514, sha256=b79bb3302691936df7c3315ff3ba7027f722fc43d366ba354ac9c3dac2e01d03
- sha1=1ac66fcc34c0b86def886e4e168030dae096927c, md5=03af38505cee81b9d6ecd8c1fd896e0e
- sha1=5263a135f09185aa44f6b73d2f8160f56779706d, sha256=18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88, md5=0f7b6bb3a239cf7a668a8625e6332639
- md5=ea327ed0a3243847f7cd87661e22e1de, sha1=450d54d5737164579416ca99af1eb3fa1d4aaff9
- sha1=bba1bc3ebf07ca3c4e2442f0ba9ea18383ce627b, md5=57f791f7477b1f7a1b3605465d054db8, sha256=d8b2d883d3b376833fa8e2093e82d0a118ba13b01a2054f8447f57d9fec67030
- md5=6e91c474d90546845b1f3f9e7a33411a, sha256=3f97e112f0c5ddf0255ef461746a223208dc0846bde2a6dca9c825d9c706a4e9, sha1=9352236ad6fe8835979cf11ba5033f8f2fef0f19
- sha1=c59cbd309b3393cb08a1133364ed11000fdd418d, md5=0aa05ebc3b6667954898cfccc4057600
- md5=2800a10c4afae44978d906b2abaed745, sha1=84019de427aef1f1e4f32b579767bee6d0bd1e64, sha256=c1173628f18f7430d792bbbefc6878bced4539c8080d518555d08683a3f1a835
- sha256=7673a949181e33ff8ed77d992a2826c25b8da333f9e03213ae3a72bb4e9a705d, md5=d9adb3dd6df169e824b2867a2b8cba89, sha1=b077ea03b207cc8b8b48b9b4f9a58dabbd39f678
- sha1=5de1f72ffeea1ecbd287b0ca8ddb2c5264d9acb5, sha256=59c9d10f06f8cb2049df39fb4870a81999fd3f8a79717df9b309fadeb5f26ef9, md5=71c8c1a0056fd084bc32a03d9245ad10
- md5=573a213191985c555dd7e8de5f0a9cae, sha1=aa19a1648d680c3bfbee7dcc3df41ce98af8e121, sha256=ba9b879fdc304bd7f5554528fb8e858ef36ad4657fedfefb8495f43ce73fc6f1
- sha256=10ce939e4ee8b5285d84c7d694481ebbdf986904938d07f7576d733e830ed012, md5=4457256150386acec794e9e8ee412691, sha1=c6d54322a17e754150e61f7caa91226a84b0b774
- sha1=da6771fbbcfaf195b80925cefc880794d62d61bf, md5=6d44c5fb49258f285769e50830fc59af, sha256=3af3f2d08aa598ab4f448af1b01a5ad6c0f8e8982488ebf4e7ae7b166e027a8b
- sha256=578a2ac45e40a686a5f625bbc7873becd8eb9fe58ea07b1d318b93ee0d127d4e, sha1=956e020206c4dc4240537d07be022e86ed918ed1, md5=40852fde665eb9119fcc565bd68de680
- sha1=4a1e667e0c3550f4446903570adbe7776699d4ca, sha256=791157675ad77b0ae9feabd76f4b73754a7537b7a9a2cc74bd0924d65be680e1, md5=996ad32c7ae2190b7fa7876df0d7b717
- md5=90f9044cfee2c678fe51abd098bdfe97, sha256=c4863cc28e01713e6a857b940873b0e5caedfd1fcb9b2a8d07ffb4c0c48379d5, sha1=e3619582f4d81ca180dee161bbe49d499b237119
- sha256=9bcaad9184b182965923a141f52fb75ddd1975b99ab080869896cee5879ecfad, sha1=45337ae989cd62d07059f867ce62ff6b6fc90819, md5=b254f8f03e61bd9469df66c189d79871
- sha1=ccc6b5bf9591fa9a3d57fd48ee0c9c49a6d22da9, md5=4794accd22271a28547fb3613ee79218, sha256=53828f56c6894a468a091c8858d2e29144b68d5de8ff1d69a567e97aac996026
email:

Title: New TorNet backdoor seen in widespread campaign
Link: https://blog.talosintelligence.com/new-tornet-backdoor-campaign
Summary: Cisco Talos has identified an ongoing campaign by a financially motivated threat actor that has targeted users in Poland and Germany since July 2024. The campaign uses phishing emails, often impersonating financial institutions and logistics companies, to distribute several payloads, including Agent Tesla, Snake Keylogger, and a newly discovered backdoor named TorNet, which is deployed via PureCrypter. The emails carry compressed attachments that, when opened, run a .NET loader which downloads and executes the encrypted PureCrypter payload. PureCrypter evades detection by, among other things, disconnecting the compromised device from the network while the payload is dropped and by using the TOR network for anonymised command-and-control communication. The TorNet backdoor adds further evasion, encoding its communications and executing arbitrary .NET assemblies received from the C2, which gives the actor an open-ended foothold on the victim.
Threats: tornet agent_tesla snake_keylogger purecryptor dotnet_reactor_tool eziriz_tool process_injection_technique
Indicators of compromise:
-------------------------
ip: 104[.]168[.]7[.]37
domain: italzformendinggallores[.]duckdns[.]org, humblecrazeforeal8897[.]accesscam[.]org, sertiscoppersail432[.]freeddns[.]org, moristaetdfertal9002[.]ddnsgeek[.]com, paradoncalleke5689[.]camdvr[.]org, greeslieforreallcul5672[.]casacam[.]net, blissfulzerooooos690[.]ddnsfree[.]com, www[.]blissfulzerooooos690[.]ddnsfree[.]com
url: https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Sjydgbr[.]pdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Guwasd[.]dat, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Fwudzwsfsp[.]wav, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Dyvfi[.]dat, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Iicivjzqdma[.]mp3, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Dewsmwflw[.]vdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Xlkythleoq[.]pdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Zerwfilj[.]pdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Sfrnotlay[.]mp3, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Jovjvwp[.]wav, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Vmoeykn[.]pdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Wyvmy[.]wav, http://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Zafvlztxj[.]vdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Gikwomjv[.]wav, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Zafvlztxj[.]vdf, 
https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Qecvodcnuz[.]wav, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Hlynogyqp[.]dat, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Uvkoiguq[.]dat, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Awtvbihi[.]vdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Oqjhea[.]mp3, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Ztpcwfowiiu[.]wav, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Bonhowau[.]mp4, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Qcqvzdtpln[.]pdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Jlhwfgnnyms[.]wav, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Otmaq[.]mp4, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Elxrh[.]vdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Rxmjavdc[.]mp3, http://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Elxrh[.]vdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Cfyenm[.]mp4, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Bibyep[.]mp4, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Lcrakntjck[.]pdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Atcbgl[.]mp4, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Rspfqdltykq[.]mp3, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Fxsovxc[.]pdf, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Bnvqyotgu[.]mp3, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Rmtafnw[.]mp3, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Lmshcchh[.]wav, https://sanel[.]net[.]pl/filescontentgalleries/pictorialcoversoffiles/Ibesc[.]wav, 
https://cud-senegal[.]org/post-postlogin/Oojhwcym[.]wav, https://cud-senegal[.]org/post-postlogin/Cpoewtupeck[.]mp4, https://cud-senegal[.]org/post-postlogin/Nrileknnlgv[.]vdf, https://cud-senegal[.]org/post-postlogin/Izevzxvwkpf[.]pdf
hash:
- sha256=3b4e709768d7cd0cb895de74267f45a6ef6565ebed445393878f17ae02a983e3
- sha256=9d33726fc1d39fdc0426c70ed0cfb515e15f50d39c46d8ff38025b4faf8811dc
- sha256=75d2d368d735fca2bad0155510cb4a927f7f246ea72299395990027264056521
- sha256=84570dac910557d0d8217db746c9a8fd4a27cd3db89135731c7f3584b37df533
- sha256=7ce9af599857827317a444c5a63a08929ec97765bc2624076f4834f323a41da2
- sha256=e9ab4772ba6de2db9add3d4bbd3ce0f2dd899f16399b57fd2a539769e6ee973a
- sha256=2f9c2e0bef460a7623954d65f10e6e5993c01d25e6f2905a5dc911639ca2ea75
- sha256=dc513e35a6d96933e7af2b300782a32131d31445a6d1e2bbca9604128c92e7c6
- sha256=57543fd3673c9595a73c836b153faf68e23938662c5a4b6675205734b688ae95
- sha256=898d0451bd52c466d2284091be928f8ec1ced2184b205d903a04a747e67763ea
- sha256=53e7b3b72695a1eaea7146ec3cbd05d0ce2a1eba87f035ae07849feb4f59ec63
- sha256=bff0ec65af8b2bb37fcc5202f823b5877ebdcc8efbd32e08f309cbcb4dc2570c
- sha256=6774a822d9c66951be95341d50c1f876a9373fefef52f68f29eaae4efc621817
- sha256=c32d97fb9a1681a7bea3f417abde0264a2332221e317c8543e337baac9307c67
- sha256=075737b17ba72aed5f45d227bf91dd5744914308e1468717a8f3100a0cca8156
- sha256=a85423a1a37f604e492ee58920178080f0da306750a356ddfe1b695c12becd07
- sha256=4a5b8442dc2b34a270acdcd8a14cce573d59dc0922c9e49cda8fe2dd8e4a3862
- sha256=80b80e15f605f0b8740e1989e505280394d746e8a8ee37cdb9b009d745e42da0
- sha256=4280eb4cfa0445a40d8e1dfafdc0eb24613f3536c5959270ef0079034b30e653
- sha256=2f1cb29e47c5b07fba3070d6a5339b00d2f3075eb7717438cf5cf53679793919
- sha256=252d9ed583bbd2e5d75ae5167feb393bd50b44933594f9586aaf5d9987cf78ec
- sha256=edac6216665f1c8b0a09158abdd5e7fab63a386a1c9ad31ddd5ee92a6aa811fc
- sha256=13ac538c8c6696a59f890677cf451db77b7c33539da1d380640ce549b2b70ca4
email:

Title: UAC-0063: Cyber Espionage Operation Expanding from Central Asia
Link: https://www.bitdefender.com/en-us/blog/businessinsights/uac-0063-cyber-espionage-operation-expanding-from-central-asia
Summary: Bitdefender Labs has raised the alarm about an ongoing cyber-espionage campaign by the threat group UAC-0063, which targets high-value entities such as government institutions and diplomatic missions in Central Asia and Europe. The group uses weaponized Microsoft Word documents to deliver malware such as HATVIBE, alongside tools like PyPlunderPlug and the LOGPIE keylogger for data collection and exfiltration. Analysis indicates that UAC-0063 maintains persistent operations, with a continued focus on its infrastructure and on document weaponization. While its tactics resemble those of Russian groups such as APT28, no definitive link has been established.
Threats: ghostwriter_group hatvibe pyplunderplug logpie downex downexpyer cherryspy fancy_bear_group zebrocy supply_chain_technique pyarmor_tool
Indicators of compromise:
-------------------------
ip: 109[.]230[.]199[.]99, 103[.]140[.]186[.]126
domain: errorreporting[.]net, retaildemo[.]info, lanmangraphics[.]com, internalsecurity[.]us, tieringservice[.]com, automation-embedding[.]com, enrollmentdm[.]com, underwearshopfor[.]com, rss-feed-monitoring[.]com, futuresfurnitures[.]com, lookup[.]ink, background-services[.]net, cloud-mail[.]ink
url: https://cloud-mail[.]ink/download[.]php
hash:
- md5=3d33ac05d0ca473518c784c37bc887a9
- md5=ab5685ebf439f61c554977df1e1cd0c3
- md5=7a2a8c002a5e22c6231885e1ccf82bd1
- md5=2e91803687463201792ca7514fca07fa
- md5=bd7d98bc785beff4f4e5f7d8fc1ac2b4
- md5=363f000702504ab19652dde2fde800e8
- md5=b657d46d69e24b3607a81cacc486e384
- md5=3cf8f57bd07fdd8e06b1630a3f27f330
- md5=8f7dab01610b53398a296192ee600905
- md5=da6d60f86a6c38127260e29fa91c1c8a
- md5=c3288a9d7fe494ae85a70af9f84e4d02
- md5=c1e4340ebe234478a410f757b18a128c
- md5=5d7a77efe12971bea8ae26206131fbb0
- md5=10791a644da7d95ac4884872d8fa576d
- md5=fdf7da11d37ba888fa7078d0f32fdd08
- md5=99d1de711a79eee936cde1ee58bd9adf
- md5=35fee95e38e47d80b470ee1069dd5c9c
- md5=a15e652cf058209c0c0040dfcaf86fec
- md5=afe03893b7a5c589fc31f9ce9ed28a9f
email:

Title: TAG-124's Multi-Layered TDS Infrastructure and Extensive User Base
Link: https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base
Summary: Recorded Future's Insikt Group has profiled the TAG-124 traffic distribution system (TDS), which is associated with several threat activity clusters, including LandUpdate808 and Rhysida ransomware. TAG-124 runs a multi-layered infrastructure of compromised WordPress sites, actor-controlled delivery and management servers, and lure techniques such as ClickFix. Malicious JavaScript injected into the compromised sites redirects visitors and tricks them into downloading malware disguised as a legitimate Google Chrome update. Multiple threat actors use TAG-124 to optimise malware distribution and evade detection, and the ecosystem's compromised and lookalike domains impersonate reputable brands to make the lures more convincing.
Threats: tag-124_group putty_tool asyncrat landupdate808_group 404tds_group kongtuke_group chaya_002_group clickfix_technique asylum_ambuscade_campaign rhysida interlock ta866_group socgholish_loader ta582_group remcos_rat mintsloader oyster
Indicators of compromise:
-------------------------
ip: 146[.]70[.]41[.]191, 45[.]61[.]136[.]67, 45[.]61[.]136[.]9, 45[.]61[.]136[.]40, 45[.]61[.]136[.]41, 45[.]61[.]136[.]89, 45[.]61[.]136[.]132, 45[.]61[.]136[.]196, 64[.]7[.]198[.]66, 64[.]94[.]85[.]98, 64[.]94[.]85[.]248, 64[.]95[.]11[.]65, 64[.]95[.]11[.]184, 64[.]95[.]12[.]38, 64[.]95[.]12[.]98, 64[.]190[.]113[.]41, 64[.]190[.]113[.]111, 162[.]33[.]177[.]36, 162[.]33[.]177[.]82, 162[.]33[.]178[.]59, 
162[.]33[.]178[.]63, 162[.]33[.]178[.]75, 162[.]33[.]178[.]113, 193[.]149[.]176[.]179, 193[.]149[.]176[.]223, 193[.]149[.]176[.]248, 216[.]245[.]184[.]179, 216[.]245[.]184[.]210, 216[.]245[.]184[.]225
domain: challinksch[.]com, chalnlizt[.]org, check-googlle[.]com, cihainlst[.]org, io-suite-web[.]com, miner-tolken[.]com, ronnin-v2[.]com, symdilatic[.]com, symbieitc[.]com, symdlotic[.]com, synbioltic[.]com, symbliatc[.]com, symbietic[.]com, comteste[.]com, symdilotic[.]com, v2-rubby[.]com, ambiwa[.]com, gcafin[.]com, discoves[.]com, xaides[.]com, usbkits[.]com, mirugby[.]com, ecrut[.]com, pursyst[.]com, pushcg[.]com, piedsmontlaw[.]com, pemalite[.]com, howmanychairs[.]com, calbbs[.]com, habfan[.]com, iognews[.]com, safigdata[.]com, z-v2-071924[.]kailib[.]com, z-v2-071810[.]kailib[.]com, nyciot[.]com, pweobmxdlboi[.]com, boneyn[.]com, satpr[.]com, coeshor[.]com, mtclibraries[.]com, z-v2-072122[.]kailib[.]com, sdrce[.]com, theinb[.]com, elizgallery[.]com, enethost[.]com, dhusch[.]com, fastard[.]com, franklinida[.]com, nastictac[.]com, dncoding[.]com, djnito[.]com, opgears[.]com, tickerwell[.]com, selmanc[.]com, tibetin[.]com, mercro[.]com, esaleerugs[.]com, tayakay[.]com, ilsotto[.]com, chewels[.]com, sokrpro[.]com, hdtele[.]com, chhimi[.]com, dechromo[.]com, enerjjoy[.]com, dsassoc[.]com, gwcomics[.]com, genhil[.]com, vicrin[.]com, eliztalks[.]com, rshank[.]com, www[.]ecowas[.]int, www[.]pcbc[.]gov[.]pl, www[.]reloadinternet[.]com, towww[.]netzwerkreklame[.]de, selectmotors[.]net, mgssoft[.]com, www[.]lovebscott[.]com, tosustaincharlotte[.]org, evolverangesolutions[.]com, towww[.]pawrestling[.]net, ns1[.]webasatir[.]ir, totrue-blood[.]net, avayehazar[.]ir, cvqrcode[.]lpmglobalrelations[.]com, mktgads[.]com, var[.]ro, gmdva[.]org, www[.]de[.]digitaalkantoor[.]online, elamoto[.]com, fromwinworld[.]es, update-chronne[.]com, sollishealth[.]com, toedveha[.]com, andespumadesign[.]com, downloading[.]bplnetempresas[.]com, 1stproducts[.]com, 3hti[.]com, 
academictutoringcenters[.]com, adpages[.]com, adsbicloud[.]com, advanceair[.]net, airbluefootgear[.]com, airinnovations[.]com, allaces[.]com[.]au, alumni[.]clemson[.]edu, ambir[.]com, americanreloading[.]com, antiagewellness[.]com, architectureandgovernance[.]com, astromachineworks[.]com, athsvic[.]org[.]au, baseball[.]razzball[.]com, bastillefestival[.]com[.]au, bigfoot99[.]com, blacksportsonline[.]com, blog[.]contentstudio[.]io, bluefrogplumbing[.]com, canadamotoguide[.]com, canadanickel[.]com, capecinema[.]org, careers[.]bms[.]com, careers[.]fortive[.]com, castellodelpoggio[.]com, catholiccharities[.]org, chamonixskipasses[.]com, changemh[.]org, chicklitplus[.]com, clmfireproofing[.]com, comingoutcovenant[.]com, complete-physio[.]co[.]uk, complete-pilates[.]co[.]uk, conical-fermenter[.]com, cssp[.]org, deathtotheworld[.]com, deerfield[.]com, denhamlawoffice[.]com, dev[.]azliver[.]com, development[.]3hti[.]com, digimind[.]nl, dotnetreport[.]com, drcolbert[.]com, dzyne[.]com, earthboundfarm[.]com, eivcapital[.]com, elitetournaments[.]com, ergos[.]com, esfna[.]org, espumadesign[.]com, exceptionalindividuals[.]com, experiencebrightwater[.]ca, firstpresbyterianpaulding[.]com, fractalerts[.]com, fusionstone[.]ca, global-engage[.]com, gobrightwing[.]com, gov2x[.]com, hksusa[.]com, hmgcreative[.]com, hmh[.]org, hoodcontainer[.]com, hospitalnews[.]com, housingforhouston[.]com, houstonmaritime[.]org, hrsoft[.]com, hungryman[.]com, icmcontrols[.]com, ijmtolldiv[.]com, innsbrook[.]com, jewelryexchange[.]com, jodymassagetherapyclinic[.]com, joelbieber[.]com, knewhealth[.]com, lamaisonquilting[.]com, legacy[.]orlandparkprayercenter[.]org, levyso[.]com, luxlifemiamiblog[.]com, magnoliagreen[.]com, magnotics[.]com, manawatunz[.]co[.]nz, mantonpushrods[.]com, michiganchronicle[.]com, michigantownships[.]org, monlamdesigns[.]com, montessoriwest[.]com, movinbed[.]com, my[.]networknuts[.]net, myrtlebeachgolf[.]com, ncma[.]org, oglethorpe[.]edu, oningroup[.]com, 
orlandparkprayercenter[.]org, outdoornativitystore[.]com, parksaverscom[.]kinsta[.]cloud, peoria[.]org, peridotdentalcare[.]ca, phfi[.]org, pikapp[.]org, prek4sa[.]com, psafetysolutions[.]com, puntademita-rentals[.]com, resf[.]com, retaildatallc[.]com, rhodenroofing[.]com, rm-arquisign[.]com, rvthereyet[.]com, schroederindustries[.]com, sec-group[.]co[.]uk, sixpoint[.]com, slotomoons[.]com, sparkcarwash[.]com, spectralogic[.]com, sramanamitra[.]com, stg-seatrail-staging[.]kinsta[.]cloud, stg-townandcountryplanningassoci-staging[.]kinsta[.]cloud, sustaincharlotte[.]org, teamtoc[.]com, terryrossplumbing[.]com, theawningcompanc[.]mrmarketing[.]us, theepicentre[.]com, theyard[.]com, tristatecr[.]com, true-blood[.]net, tustinhistory[.]com, tysonmutrux[.]com, uk[.]pattern[.]com, unsolved[.]com, vanillajoy[.]ykv[.]ijh[.]mybluehost[.]me, vectare[.]co[.]uk, villageladies[.]co[.]uk, walkerroofingandconstruction[.]com, wildwestguns[.]com, wildwoodpress[.]org, wlplastics[.]com, worldorphans[.]org, www[.]211cny[.]com, www[.]6connex[.]com, www[.]900biscaynebaymiamicondos[.]com, www[.]accentawnings[.]com, www[.]acvillage[.]net, www[.]airandheatspecialistsnj[.]com, www[.]als-mnd[.]org, www[.]americancraftbeer[.]com, www[.]anoretaresort[.]com, www[.]architectureandgovernance[.]com, www[.]atlantaparent[.]com, www[.]atlas-sp[.]com, www[.]atmosera[.]com, www[.]belvoirfarm[.]co[.]uk, www[.]betterengineering[.]com, www[.]bluefoxcasino[.]com, www[.]boatclubtrafalgar[.]com, www[.]bordgaisenergytheatre[.]ie, www[.]brandamos[.]com, www[.]cairnha[.]com, www[.]cdhcpa[.]com, www[.]cds[.]coop, www[.]cgimgolf[.]com, www[.]cheericca[.]org, www[.]conwire[.]com, www[.]cssp[.]org, www[.]dces[.]com, www[.]disabilityscot[.]org[.]uk, www[.]doctorkiltz[.]com, www[.]drivenbyboredom[.]com, www[.]evercoat[.]com, www[.]facefoundrie[.]com, www[.]foxcorphousing[.]com, www[.]genderconfirmation[.]com, www[.]gofreight[.]com, www[.]gunnerroofing[.]com, www[.]hayeshvacllc[.]com, www[.]hksusa[.]com, 
www[.]hollingsworth-vose[.]com, www[.]hollywoodburbankairport[.]com, www[.]hopechc[.]org, www[.]icmcontrols[.]com, www[.]inboundlogistics[.]com, www[.]infra-metals[.]com, www[.]jasperpim[.]com, www[.]koimoi[.]com, www[.]louisvillemechanical[.]com, www[.]lsbn[.]state[.]la[.]us, www[.]mallorcantonic[.]com, www[.]marketlist[.]com, www[.]mocanyc[.]org, www[.]motherwellfc[.]co[.]uk, www[.]murphyoilcorp[.]com, www[.]myrtlebeachgolfpackages[.]co, www[.]napcis[.]org, www[.]nelsongonzalez[.]com, www[.]netzwerkreklame[.]de, www[.]onthegreenmagazine[.]com, www[.]orthodontie-laurentides[.]com, www[.]pamelasandalldesign[.]com, www[.]parajohn[.]com, www[.]parksavers[.]com, www[.]parmacalcio1913[.]com, www[.]patio-supply[.]com, www[.]perfectduluthday[.]com, www[.]powerlineblog[.]com, www[.]progarm[.]com, www[.]rafilawfirm[.]com, www[.]reddiseals[.]com, www[.]riaa[.]com, www[.]robertomalca[.]com, www[.]sevenacres[.]org, www[.]sigmathermal[.]com, www[.]sisdisinfestazioni[.]it, www[.]spectralink[.]com, www[.]sramanamitra[.]com, www[.]sunkissedindecember[.]com, www[.]sweetstreet[.]com, www[.]system-scale[.]com, www[.]tcpa[.]org[.]uk, www[.]thatcompany[.]com, www[.]the-kaisers[.]de, www[.]thecreativemom[.]com, www[.]thedesignsheppard[.]com, www[.]therialtoreport[.]com, www[.]thetrafalgargroup[.]co[.]uk, www[.]thetruthaboutguns[.]com, www[.]totem[.]tech, www[.]ultrasound-guided-injections[.]co[.]uk, www[.]urbis-realestate[.]com, www[.]vending[.]com, www[.]venetiannj[.]com, www[.]visitarundel[.]co[.]uk, www[.]wefinanceanycar[.]com, www[.]wilsonsd[.]org, www[.]wilymanager[.]com, www[.]wvwc[.]edu, zerocap[.]com, incalzireivar[.]ro, winworld[.]es, dating2go[.]store, micronsoftwares[.]com, mysamsung7[.]shop, nvidias[.]shop, expressbuycomputers[.]shop, amdradeon[.]shop, mobileyas[.]shop, cryptotap[.]site, 527newagain[.]top, abhbdiiaehdejgh[.]top, adednihknaalilg[.]top, anjmhjidinfmlci[.]top, azure-getrequest[.]icu, azurearc-cdn[.]top, azuregetrequest[.]icu, bkkeiekjfcdaaen[.]top, 
cignjjgmdnbchhc[.]top, ckebfjgimhmjgmb[.]top, cljhkcjfimibhci[.]top, cmcebigeiajbfcb[.]top, cmcuauec[.]top, cryptoslate[.]cc, eebchjechginddk[.]top, ehnediemcaffbij[.]top, ejlhaidjmhcmami[.]top, faybzuy3byz2v[.]top, fpziviec[.]top, futnbuzj3nh[.]top, gbkffjcglabkmne[.]top, gdihcicdghmcldd[.]top, get-azurecommand[.]icu, get-iwrreq[.]top, getazurecommand[.]icu, gnmdjjckbgddaie[.]top, gubyzywey6b[.]top, iadkainhkafngnk[.]top, ikhgijabfnkajem[.]top, ikjfjkkagafbdke[.]top, imfiejalbhhgijl[.]top, kffgkjmjangegkg[.]top, khcjgjmfjgdleag[.]top, kjalcimbfaaddff[.]top, mcajijknegnbbga[.]top, melmejkjaakiakn[.]top, mgjabikgjhhambm[.]top, pretoria24[.]top, rifiziec[.]top, riuzvi4tc[.]top, robnzuwubz[.]top, saighbuzu32uvv[.]top
url: https://wl[.]gl/25dW64, https://update-chronne[.]com/moc[.]txt
hash:
- sha256=7683d38c024d0f203b374a87b7d43cc38590d63adb8e5f24dff7526f5955b15a
- sha256=950f1f8d94010b636cb98be774970116d98908cd4c45fbb773e533560a4beea7
- sha256=7f8e9d7c986cc45a78c0ad2f11f28d61a4b2dc948c62b10747991cb33ce0e241
- sha256=183c57d9af82964bfbb06fbb0690140d3f367d46d870e290e2583659609b19f2
- sha256=22dc96b3b8ee42096c66ab08e255adce45e5e09a284cbe40d64e83e812d1b910
- sha256=9d508074a830473bf1dee096b02a25310fa7929510b880a5875d3c316617dd50
- sha256=28c49af7c95ab41989409d2c7f98e8f8053e5ca5f7a02b2a11ad4374085ec6ff
- sha256=2da62d1841a6763f279c481e420047a108da21cd5e16eae31661e6fd5d1b25d7
- sha256=342b889d1d8c81b1ba27fe84dec2ca375ed04889a876850c48d2b3579fbac206
- sha256=42c1550b035353ae529e98304f89bf6065647833e582d08f0228185b493d0022
- sha256=42d7135378ed8484a6a86a322ea427765f2e4ad37ee6449691b39314b5925a27
- sha256=430fd4d18d22d0704db1c4a1037d8e1664bfc003c244650cb7538dbe7c3be63e
- sha256=43f4ca1c7474c0476a42d937dc4af01c8ccfc20331baa0465ac0f3408f52b2e2
- sha256=46aac6bf94551c259b4963157e75073cb211310e2afab7a1c0eded8a175d0a28
- sha256=4fa213970fdef39d2506a1bd4f05a7ceee191d916b44b574022a768356951a23
- sha256=57e9e1e3ebd78d4878d7bb69e9a2b0d0673245a87eb56cf861c7c548c4e7b457
- sha256=6464cdbfddd98f3bf6301f2bf525ad3642fb18b434310ec731de08c79e933b3e
- sha256=67b5b54c85e7590d81a404d6c7ea7dd90d4bc773785c83b85bcce82cead60c37
- sha256=700f1afeb67c105760a9086b0345cb477737ab62616fd83add3f7adf9016c5e5
- sha256=77dc705cecbc29089c8e9eea3335ba83de57a17ed99b0286b3d9301953a84eca
- sha256=7b8d4b1ab46f9ad4ef2fd97d526e936186503ecde745f5a9ab9f88397678bc96
- sha256=7ea83cca00623a8fdb6c2d6268fa0d5c4e50dbb67ab190d188b8033d884e4b75
- sha256=8d911ef72bdb4ec5b99b7548c0c89ffc8639068834a5e2b684c9d78504550927
- sha256=92d2488e401d24a4bfc1598d813bc53af5c225769efedf0c7e5e4083623f4486
- sha256=941fa9119eb1413fdd4f05333e285c49935280cc85f167fb31627012ef71a6b3
- sha256=95b9c9bf8fa3874ad9e6204f408ce162cd4ae7a8253e69c3c493188cb9d1f4da
- sha256=97105ed172e5202bc219d99980ebbd01c3dfd7cd5f5ac29ca96c5a09caa8af67
- sha256=d738eef8756a03a516b02bbab0f1b06ea240efc151f00c05ec962d392cfddb93
- sha256=77bd80e2a7c56eb37a33c2a0518a27deb709068fdc66bd1e00b5d958a25c7ad8
- sha256=ccdf82b45b2ee9173c27981c51958e44dee43131edfbce983b6a5c146479ac33
email:

Title: Lumma Stealer's GitHub-Based Delivery Explored via Managed Detection and Response
Link: https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html
Summary: Trend Micro's Managed XDR team uncovered an attack that abused GitHub's release infrastructure to distribute Lumma Stealer and other malware, including SectopRAT, Vidar, and Cobeacon (a Cobalt Strike beacon). Because GitHub is a trusted source, users downloaded the malicious releases without suspicion; the payloads exfiltrated sensitive data and communicated with command-and-control servers. 
The investigation noted parallels with the methods of the Stargazer Goblin group, such as the use of compromised websites and specific URL patterns for payload distribution. Lumma Stealer was primarily delivered through seemingly legitimate GitHub release links; the downloaded files were signed with revoked certificates and, once run, carried out the malicious tasks.
Threats: lumma_stealer sectop_rat vidar_stealer cobalt_strike stargazer_goblin_group septoprat atlantida process_injection_technique nanophanotool_tool
Indicators of compromise:
-------------------------
ip: 192[.]142[.]10[.]246:80, 84[.]200[.]24[.]26, 192[.]142[.]10[.]246, 91[.]202[.]233[.]18, 5[.]75[.]212[.]196:443
domain: ikores[.]sbs, lumdukekiy[.]shop
url: http://192[.]142[.]10[.]246/login[.]php?event=init&id=Y3VjdW1iZXI=&data=, http://84[.]200[.]24[.]26/login[.]php?event=init&id=dW5kZXJza2lydA==&data=MTYgR0JfW29iamVjdCBPYmplY3RdX01pY3Jvc29mdCBCYXNpYyBEaXNwbGF5IEFkYXB0ZXJfdHJ1ZV8xMjgweDk2MF9XaW5kb3dzIDEwIFByb18zIG1pbnV0ZXMgKDAuMDYgaG91cnMpX0M6XFVzZXJzXEJydW5vX0RFU0tUT1AtRVQ1MUFKT19CcnVub19XaW5kb3dzX05UX3g2NF8xMC4wLjE5MDQ0X0M6XFVzZXJzXEJydW5vXEFwcERhdGFcUm9hbWluZ19DOlxVc2Vyc1xCcnVub1xBcHBEYXRhXExvY2FsXFRlbXBfREVTS1RPUC1FVDUxQUpPX19JbnRlbDY0IEZhbWlseSA2IE1vZGVsIDg1IFN0ZXBwaW5nIDcsIEdlbnVpbmVJbnRlbF9BTUQ2NF9DOl80X0M6XFVzZXJzXEJydW5vXEFwcERhdGFcTG9jYWxcVGVtcFwycHBydEJkanpoZjVpVnRUZkFKVDVhTnNSeERcU2NpZWxmaWMuZXhl, http://192[.]142[.]10[.]246/login[.]php?event=init&id=cucumber=&data=16, http://84[.]200[.]24[.]26/login[.]php?event=init&id=underskirt==&data=16, http://91[.]202[.]233[.]18:9000/wbinjget?q=B2E581C85432BD4DF6A59A00CBDA1CB3, https://klipcatepiu0[.]shop/int_clp_sha[.]txt, https://eaholloway[.]com, https://afterpm[.]com, https://github[.]com/down4up, https://enricoborino[.]com, http://sacpools[.]com, https://github[.]com/zabdownload, https://startherehosting[.]net, https://github[.]com/g1lsetup/iln7, https://kassalias[.]com, https://pmpdm[.]com, https://ageless-skincare[.]com/gn, http://github[.]com/yesfound/worked, https://compass-point-yachts[.]com, https://github[.]com/down7/Settingup, https://github[.]com/JF6DEU/vrc121, https://github[.]com/g1lsetup/v2025, https://comicshopjocks[.]com, https://github[.]com/dowwnloader, https://lakeplacidluxuryhomes[.]com, https://github[.]com/magupdate, https://primetimeessentials[.]com, https://github[.]com/kopersparan, https://razorskigrips[.]com, https://github[.]com/mp3andmovies, https://github[.]com/yesfound
hash:
- md5=afdc1a1e1e934f18be28465315704a12
email:

Title: CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia
Link: https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities
Summary: The campaign Unit 42 tracks as CL-STA-0048 targets high-value entities in South Asia, with a focus on a telecommunications organisation, and is attributed to a China-based threat actor. The attackers first attempted to exploit IIS servers, then pivoted to an Apache server and deployed a ColdFusion web shell, using a technique Unit 42 calls Hex Staging to deliver payloads. Key techniques included the PlugX RAT for persistent access, data exfiltration over DNS, and privilege escalation with tools such as SspiUacBypass, while Cobalt Strike and Stowaway were used for further post-exploitation activity. 
The campaign poses a significant espionage threat to the region's government and telecom sectors: it exploits vulnerabilities in widely deployed services and relies on stealthy communication channels.
Threats: cl-sta-0048_campaign cobalt_strike mimikatz_tool plugx_rat sspiuacbypass_tool potato_tool winos dragonrank_group supershell stowaway_tool dll_sideloading_technique badpotato_tool rasmanpotato valleyrat winnti_group
Indicators of compromise:
-------------------------
ip: 154[.]201[.]68[.]57, 43[.]247[.]135[.]106, 206[.]237[.]0[.]49, 38[.]54[.]30[.]117, 38[.]54[.]56[.]88, 65[.]20[.]69[.]103, 192[.]227[.]180[.]124, 107[.]174[.]39[.]125
domain: mail[.]tttseo[.]com, sentinelones[.]com, h5[.]nasa6[.]com, test[.]nulq5r[.]ceye[.]io, web[.]nginxui[.]cc
url: https://h5[.]nasa6[.]com/shell
hash:
- sha256=336892ff8f07e34d18344f4245406e001f1faa779b3f10fd143108d6f30ebb8a
- md5=d33f351a4aeea5e608853d1a56661059
- sha256=525540eac2d90c94dd3352c7dd624720ff2119082807e2670785aed77746301d
- sha256=af0baf0a9142973a3b2a6c8813a3b4096e516188a48f7fd26ecc8299bce508e1
- sha256=508d6dd6c45027e3cda3d93364980f32ffc34c684a424c769954d741cf0d40d0
- sha256=3503d6ccb9f49e1b1cb83844d1b05ae3cf7621dfec8dc115a40abb9ec61b00bb
- sha256=0f85b67f0c4ca0e7a80df8567265b3fa9f44f2ad6ae09a7c9b7fac2ca24e62a8
- sha256=c5af6fd69b75507c1ea339940705eaf61deadd9c3573d2dec5324c61e77e6098
- sha256=8dfc107662f22cff20d19e0aba76fcd181657255078a78fb1be3d3a54d0c3d46
- sha256=35da93d03485b07a8387e46d1ce683a81ae040e6de5bb1a411feb6492a0f8435
- sha256=a09179dec5788a7eee0571f2409e23df57a63c1c62e4b33f2af068351e5d9e2d
- sha256=edc9222aece9098ad636af351dd896ffee3360e487fda658062a9722edf02185
email:

Title: Qbot is Back.Connect
Link: https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f
Summary: QBot, also known as Qakbot or Pinkslipbot, is a long-running modular information stealer first identified in 2007. It primarily targets financial information and also acts as a loader for other payloads via its command-and-control (C2) servers. Following the law enforcement operation of May 30, 2024 that aimed to disrupt QBot's operators, indicators suggest a possible resurgence of the same actors. Recent Zscaler research documented DNS tunnelling added to Zloader, with references to QBot, alongside a new BackConnect module linked to the QBot developers; this points to connections with ransomware activity, particularly the BlackBasta group.
Threats: qakbot dns_tunneling_technique z_loader blackbasta
Indicators of compromise:
-------------------------
ip: 80[.]66[.]89[.]100, 146[.]19[.]128[.]138
domain: upd5[.]pro
url: http://146[.]19[.]128[.]138/pack[.]dat, https://80[.]66[.]89[.]100/pack[.]dat, https://upd5[.]pro/update/qd_x86[.]exe
hash:
- sha256=22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764
- sha256=c8bddb338404a289ac3a9d6781d139314fab575eb0e6dd3f8e8c37410987e4de
- sha256=4b4398f64e574cfdb8de05d388d97ed255e888045f0316808311f51f63212efb
- sha256=7215d9421e0a6d1a7cfde3f6d742670550fed009585ab35b53cbb845f63c5f74
- sha256=98d38282563c1fd09444724eacf5283626aeef36bcb3efa9d7a667db7314d81f
- sha256=bf861f5bd384707e23148716240822208ceeba50c132fb172b784a6575e5e555
- sha256=9cdef45dc9f7c667a54effa9b8187ef128d64ea49c97bdae4e9567d866c63f5a
- sha256=651e49a45b573bb39e21746cb99fcd5d17679e87e04201f4cc6ca10ff2d166e4
- sha256=4cad17ef867f03081eb690b1c16d7f4d5c937c3f20726af0442d7274413e3620
- sha256=a197804c6ae915f59add068e862945b79916c92a508c0287a97db718e72280a3
- sha256=4a6869736864694932556873766f6339346b65696f6a6e376e7331396d30646f
email:

Title: SparkRAT: Server Detection, macOS Activity, and Malicious Connections
Link: https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections
Summary: SparkRAT, published on GitHub in 2022 by the user XZB-1248, is a Go-based remote access tool with a web-based administration interface that has been used for cyber espionage, in particular against government entities. The client communicates with its command-and-control (C2) server over WebSocket and uses plain HTTP for version checks. It has been linked to recent campaigns attributed to North Korean threat actors that targeted macOS users through counterfeit meeting pages. Analysis of a compromised server in Seoul revealed elements associated with North Korean infrastructure and identified specific malicious files and scripts related to SparkRAT activity.
Threats: spark_rat xzb-1248_actor
Indicators of compromise:
-------------------------
ip: 152[.]32[.]138[.]108, 118[.]194[.]249[.]38, 15[.]235[.]130[.]160, 51[.]79[.]218[.]159:8000, 51[.]79[.]218[.]159, 15[.]32[.]138[.]108
domain: gsoonmann[.]site, gmnormails[.]site, gmoonsom[.]site, nasanecesoi[.]site, gmoocsoom[.]site, gmcomamz[.]site, namerowem[.]site, gmoosomnoem[.]site, mncomgom[.]site, ggnmcomas[.]site, remote[.]henh247[.]net, updatetiker[.]net, gomncomow[.]site, gooczmmnc[.]site, gnmoommle[.]space, one68[.]top, henho247[.]net, remote[.]henho247[.]net, updatetiker[.]site
url: https://gmcomamz[.]site:443, http://updatetiker[.]site/dev/client[.]bin, http://one68[.]top/client
hash:
- sha256=cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56
- sha256=52277d43d2f5e8fa8c856e1c098a1ff260a956f0598e16c8fb1b38e3a9374d15
- sha256=ffe4cfde23a1ef557f7dc56f53b3713d8faa9e47ae6562b61ffa1887e5d2d56e
email:

Title: Keeping up with the Infostealers
Link: https://intelinsights.substack.com/p/keeping-up-with-the-infostealers
Summary: The post walks through a cyber threat intelligence analyst's investigation of infostealer incidents, starting from the IP address 185[.]215[.]113[.]16 and its association with malicious infrastructure in AS51381 (1337team Limited). The analyst finds 20 results linked to various infostealers, including Amadey and Smoke loaders, and observes that the malicious files communicate with multiple ASNs, indicating broader deployment by the threat actors. 
Further tracking of a specific file, "cajubae," reveals numerous additional IPs from South Korean ASNs and highlights a potential new cluster of malicious infrastructure, including a recurrent domain, niksplus.ru, which may be employing fast flux techniques.Threats: amadey smokeloader redline_stealer lumma_stealer mars_stealer stealc fastflux_techniqueIndicators of compromise:-------------------------ip: 185[.]215[.]113[.]16, 220[.]125[.]3[.]190, 123[.]212[.]43[.]225, 119[.]204[.]11[.]2, 58[.]151[.]148[.]90, 218[.]152[.]239[.]116, 125[.]7[.]253[.]10, 211[.]202[.]224[.]10, 175[.]119[.]10[.]231, 119[.]194[.]160[.]37, 211[.]171[.]233[.]129, 211[.]181[.]24[.]133, 211[.]171[.]233[.]126, 218[.]152[.]239[.]123, 123[.]140[.]161[.]243, 210[.]180[.]252[.]110, 211[.]181[.]24[.]132, 211[.]168[.]53[.]110, 211[.]119[.]84[.]111, 210[.]182[.]29[.]70, 210[.]108[.]43[.]192, 211[.]104[.]254[.]139, 211[.]59[.]14[.]90, 211[.]119[.]84[.]112, 189[.]163[.]178[.]96, 201[.]103[.]179[.]216, 187[.]144[.]133[.]47, 187[.]225[.]144[.]248, 187[.]204[.]66[.]156, 187[.]204[.]206[.]7, 189[.]181[.]23[.]186, 187[.]156[.]113[.]114, 187[.]199[.]194[.]16, 201[.]124[.]5[.]27, 201[.]110[.]232[.]122, 189[.]181[.]30[.]147, 187[.]224[.]115[.]16, 187[.]201[.]7[.]156, 189[.]189[.]172[.]68, 187[.]204[.]55[.]0, 187[.]199[.]191[.]176, 189[.]181[.]53[.]56, 187[.]199[.]183[.]102, 201[.]110[.]241[.]248, 187[.]205[.]255[.]67, 189[.]163[.]98[.]139, 187[.]134[.]57[.]31, 187[.]152[.]17[.]215, 201[.]110[.]217[.]30, 201[.]119[.]104[.]185, 189[.]165[.]174[.]71, 187[.]201[.]114[.]50, 189[.]189[.]229[.]237, 189[.]163[.]142[.]13, 187[.]228[.]55[.]117, 189[.]134[.]97[.]255, 189[.]245[.]27[.]132, 201[.]103[.]66[.]91, 189[.]163[.]10[.]121, 187[.]201[.]135[.]232, 187[.]211[.]202[.]16, 187[.]201[.]173[.]202, 187[.]134[.]41[.]207, 189[.]232[.]12[.]90, 187[.]211[.]34[.]223, 187[.]156[.]38[.]229, 187[.]156[.]79[.]158, 187[.]204[.]80[.]208, 187[.]204[.]100[.]230, 189[.]190[.]189[.]17, 201[.]119[.]33[.]19, 189[.]179[.]37[.]132, 
187[.]134[.]42[.]142, 187[.]201[.]131[.]196, 187[.]140[.]17[.]135, 187[.]199[.]187[.]63, 189[.]232[.]1[.]60, 189[.]165[.]166[.]147, 189[.]141[.]147[.]36, 187[.]156[.]64[.]85, 187[.]134[.]80[.]172, 201[.]124[.]243[.]137, 201[.]124[.]224[.]61, 189[.]169[.]23[.]66, 187[.]156[.]151[.]152, 187[.]134[.]40[.]51, 187[.]156[.]82[.]96, 189[.]161[.]121[.]167domain: niksplus[.]ruurl: hash: - sha256=00173630900838da2ccce0ae7fb54f7d8b3138434f63d056c636e0aec4f8e37bemail:Title: Active Exploitation: New Aquabot Variant Phones HomeLink: https://www.akamai.com/blog/security-research/2025/jan/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phonesSummary: The Akamai Security Intelligence and Response Team (SIRT) has identified a new variant of the Mirai-based malware called Aquabotv3, which exploits a command injection vulnerability (CVE-2024-41710) in various Mitel SIP phone models. Discovered in January 2025, Aquabotv3 features a novel "report_kill" function that communicates with its command and control (C2) server when a kill signal is detected on infected devices, marking a significant behavioral change from previous Mirai variants. 
The malware not only targets the Mitel vulnerability but is also noted for its adaptability in targeting other vulnerabilities, and its operators have promoted Aquabot as a DDoS-as-a-Service offering on platforms like Telegram.Threats: aquabot miraiIndicators of compromise:-------------------------ip: 193[.]200[.]78[.]57, 89[.]190[.]156[.]145, 91[.]92[.]243[.]233, 213[.]130[.]144[.]69, 154[.]216[.]16[.]109, 193[.]200[.]78[.]33, 173[.]239[.]233[.]47, 141[.]98[.]11[.]67, 141[.]98[.]11[.]175, 173[.]239[.]233[.]48, 173[.]239[.]233[.]46domain: dogmuncher[.]xyz, cardiacpure[.]ru, fuerer-net[.]ru, eye-network[.]ru, intenseapi[.]com, cloudboats[.]vip, theeyefirewall[.]su, awaken-network[.]neturl: http://raw2[.]intenseapi[.]com/bin[.]sh, http://files1[.]eye-network[.]ru/vsbepshash: - sha256=597b84ba23e16b24ec17288981bbf65c84b6ba3bb07df6620378a1907692fb86, - sha256=6a070dc9614dbb9a76092258fdc8bd758f69126c73787dc7d2af9aebd436e7ec, - sha256=b41e29e745b69f3e8c11d105e7e050fd9e08ff1e22efd97fd4c239a9095d708b, - sha256=b5d1cf8b222162567f46281e792145774689c205701a02f3723cf6fb13a429de, - sha256=1e74bcd24e30947bd14cef6731ca63f69df060ba3dcac88b2321171335a6e8ef, - sha256=e06c3f5c32aaa422e66056290eb566065afe2ce611fe019f3ba804af939ac1a3email:This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
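The indicator blocks above are published defanged (`[.]` in place of dots, `hxxp` in place of `http`) and grouped under `ip:`, `domain:`, `url:`, `hash:` and `email:` keys. As an added example written for this review (not RST Cloud's code or tooling), the following Python parses that layout, refangs the values, and then checks a few constructed DNS and proxy log lines against the resulting watch lists. The excerpt it parses reuses the QBot entry's values; the log lines, the tokenisation rules and the function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Excerpt in the report's own "key: value" IoC layout. The values are the QBot
# entry's published indicators; only the layout is assumed by the parser.
REPORT_EXCERPT = """\
ip: 80[.]66[.]89[.]100, 146[.]19[.]128[.]138
domain: upd5[.]pro
url: http://146[.]19[.]128[.]138/pack[.]dat, https://80[.]66[.]89[.]100/pack[.]dat, https://upd5[.]pro/update/qd_x86[.]exe
hash: - sha256=22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764, - sha256=c8bddb338404a289ac3a9d6781d139314fab575eb0e6dd3f8e8c37410987e4de
email:
"""

# Constructed log lines for the demonstration (not taken from any report).
SAMPLE_LOGS = [
    "2025-01-29T10:01:02Z dns query=upd5.pro type=A client=10.0.0.21",
    "2025-01-29T10:01:03Z proxy client=10.0.0.21 dst=80.66.89.100:443 url=https://80.66.89.100/pack.dat",
    "2025-01-29T10:05:00Z dns query=update.microsoft.com type=A client=10.0.0.22",
]

IOC_KINDS = ("ip", "domain", "url", "hash", "email")


def refang(value: str) -> str:
    """Undo the defanging conventions used in the report ([.] / [:] / hxxp)."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Parse 'ip:', 'domain:', 'url:', 'hash:', 'email:' lines into refanged sets."""
    iocs: Dict[str, Set[str]] = {kind: set() for kind in IOC_KINDS}
    for line in text.splitlines():
        m = re.match(r"^(ip|domain|url|hash|email):\s*(.*)$", line.strip())
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        for item in body.split(","):
            item = item.strip().lstrip("- ").strip()   # drop the "- " group marker
            if not item:
                continue
            if kind == "hash":
                item = item.split("=", 1)[-1].lower()  # "sha256=<hex>" -> "<hex>"
            else:
                item = refang(item)
            iocs[kind].add(item)
    return iocs


def hosts_from_urls(urls: Set[str]) -> Set[str]:
    """Extract the host part of each URL so URL IoCs also match DNS/proxy host fields."""
    hosts = set()
    for url in urls:
        m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def match_logs(iocs: Dict[str, Set[str]], lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for every watch-listed IP or host seen in a line."""
    watch_ips = {v.split(":")[0] for v in iocs["ip"]}          # strip ":port" suffixes
    watch_hosts = {d.lower() for d in iocs["domain"]} | hosts_from_urls(iocs["url"])
    hits: List[Tuple[int, str, str]] = []
    seen = set()
    for n, line in enumerate(lines, 1):
        for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line):
            if ip in watch_ips and (n, "ip", ip) not in seen:
                seen.add((n, "ip", ip))
                hits.append((n, "ip", ip))
        for token in re.findall(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", line):
            host = token.lower()
            if host in watch_hosts and (n, "domain", host) not in seen:
                seen.add((n, "domain", host))
                hits.append((n, "domain", host))
    return hits


if __name__ == "__main__":
    parsed = parse_iocs(REPORT_EXCERPT)
    for hit in match_logs(parsed, SAMPLE_LOGS):
        print("line %d: %s %s" % hit)
```

The parser keeps hashes separately because they are matched against file telemetry rather than network logs; the same `parse_iocs` call works on any of the entries above once the lines are split at the `ip:`/`domain:`/`url:`/`hash:`/`email:` keys.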
Analysis Summary
# Main Topic
**Cobalt Strike and SOCKS Proxies Leading to LockBit Ransomware Deployment**
This report details a cyber intrusion that began with a user executing a malicious file disguised as a Windows Media Configuration Utility, which established a foothold with Cobalt Strike, and that culminated in the deployment of LockBit ransomware.
## Key Points
- The initial execution payload established a **Cobalt Strike beacon**.
- Lateral movement involved deploying **proxy tools (SOCKS)** on domain controllers.
- Data exfiltration was achieved using **Mega.io** after initial FTP attempts with Rclone failed.
- The final payload deployed was **LockBit ransomware** across all Windows hosts on the eleventh day.
- The threat actor implemented several evasion techniques, including **modifying Windows Defender settings** and using **process injection**.
## Threat Actors
- Attribution (specific group) is not explicitly named in the summary, but the actors utilize **Cobalt Strike** and deploy **LockBit** ransomware.
## TTPs
- Initial Access: User execution of a file disguised as a legitimate utility.
- Execution: **Cobalt Strike beacon**.
- Persistence: Establishment via **scheduled tasks**.
- Lateral Movement/Defense Evasion: Deploying **proxy tools (SOCKS)**, **modifying Windows Defender settings**, and utilizing **PowerShell** for reconnaissance/execution.
- Credential Access: **Credential stealing/dumping techniques**.
- Exfiltration: Data transfer via **Mega.io**.
- Impact: Deployment of **LockBit ransomware**.
- Techniques mentioned include: **process injection**, **credential stealing**, **credential dumping**.
## Affected Systems
- Windows Hosts (targeted for encryption).
- Domain Controllers (targets for proxy tool deployment).
## Mitigations
- Monitoring for processes leveraging **PowerShell** for reconnaissance and execution.
- Detection mechanisms targeting the use of **process injection** techniques.
- Monitoring for the deployment of proxy tools (like Ghostsocks/SystemBC) on critical infrastructure such as Domain Controllers.
- Reviewing and securing Windows Defender configurations against unauthorized modification.
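As an added illustration of the monitoring points above (example code written for this review, not from The DFIR Report or RST Cloud), the following Python runs three small rules over constructed Windows event records: PowerShell script-block logging (event 4104) for Defender-tampering cmdlets, Defender's own configuration-change event (5007), and Sysmon network-connection events (event 3) from hosts listed as domain controllers to public addresses, which is how an unexpected SOCKS proxy on a DC would first show up. The host names, the set of domain controllers, the rule names, the flattened event layout and the sample message texts are assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Assumption for the example: the hosts the environment treats as domain controllers.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Defender cmdlets and settings whose appearance in a script block or in a
# configuration-change event warrants review.
DEFENDER_TAMPER = re.compile(
    r"(Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
    r"DisableIOAVProtection|ExclusionPath|ExclusionProcess|ExclusionExtension)",
    re.IGNORECASE,
)

# Constructed events in a flattened dict form (not real telemetry). Event IDs:
# 4104 = PowerShell script block, 5007 = Defender configuration changed,
# Sysmon 3 = network connection.
SAMPLE_EVENTS = [
    {"host": "WS-042", "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "message": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS-042", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "message": "Configuration changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
                "Real-Time Protection\\DisableRealtimeMonitoring = 0x1"},
    {"host": "DC01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 3,
     "image": "C:\\Windows\\Temp\\svchost.exe", "dest_ip": "45.12.34.56", "dest_port": 443},
    {"host": "DC01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 3,
     "image": "C:\\Windows\\System32\\lsass.exe", "dest_ip": "10.0.0.5", "dest_port": 389},
    {"host": "WS-043", "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "message": "Get-ChildItem C:\\Users | Measure-Object"},
]


def is_external(ip: str) -> bool:
    """True for globally routable addresses (private, loopback and reserved ranges are False)."""
    return ipaddress.ip_address(ip).is_global


def evaluate(event: Dict) -> List[str]:
    """Return the names of the detection rules that a single event triggers."""
    findings: List[str] = []
    eid = event.get("event_id")
    msg = event.get("message", "")
    if eid == 4104 and DEFENDER_TAMPER.search(msg):
        findings.append("powershell_defender_tampering")
    if eid == 5007 and DEFENDER_TAMPER.search(msg):
        findings.append("defender_config_changed")
    if (eid == 3 and event.get("host") in DOMAIN_CONTROLLERS
            and is_external(event.get("dest_ip", "127.0.0.1"))):
        findings.append("dc_outbound_external_connection")
    return findings


def run_detections(events: Iterable[Dict]) -> List[Dict]:
    """Apply every rule to every event and collect one alert per (rule, event)."""
    alerts: List[Dict] = []
    for ev in events:
        for rule in evaluate(ev):
            alerts.append({"rule": rule, "host": ev["host"], "event_id": ev["event_id"]})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The DC rule is deliberately coarse: a domain controller normally has no business opening outbound connections to public addresses, so the rule keys on the host role and destination rather than on the name of any particular proxy tool, which is easily changed.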
## Conclusion
This incident highlights a sophisticated, multi-stage attack progression: initial beaconing via Cobalt Strike, lateral movement over SOCKS proxies deployed on domain controllers together with credential harvesting, and finally destructive encryption by LockBit ransomware. Defense-in-depth, especially focused on blocking unauthorized changes to security configurations and monitoring for beacon activity and proxy deployment, is critical against this observed kill chain.
---
# Morning News Roll-up 2025-01-30
## Overview
This roll-up summarizes key threat intelligence findings from the weekly review, covering ransomware operations, new backdoors, cyber espionage, threat infrastructure, and infostealer activity.
## Top Stories
### Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
- Summary: A focused cyber intrusion used a decoy file to deploy Cobalt Strike, followed by lateral movement using SOCKS proxies on domain controllers, culminating in LockBit ransomware deployment. The actor used advanced evasion like modifying Windows Defender settings and process injection.
- Source: hxxps://thedfirreport[.]com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware
### New TorNet backdoor seen in widespread campaign
- Summary: Financially motivated actors targeting Poland and Germany since July 2024 are using phishing via logistics/financial impersonations to deliver Agent Tesla, Snake Keylogger, and a new TorNet backdoor via PureCrypter. TorNet uses the TOR network for C2 and employs network disconnection techniques for evasion.
- Source: hxxps://blog[.]talosintelligence[.]com/new-tornet-backdoor-campaign
### UAC-0063: Cyber Espionage Operation Expanding from Central Asia
- Summary: The UAC-0063 group is targeting Central Asian and European government institutions/diplomatic missions using weaponized Word documents to deploy malware like HATVIBE, PyPlunderPlug, and LOGPIE for data exfiltration. Tactics show some similarity to APT28.
- Source: hxxps://www.bitdefender[.]com/en-us/blog/businessinsights/uac-0063-cyber-espionage-operation-expanding-from-central-asia