Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 75 threat intelligence reports and compiled a brief summary of each, along with the pertinent metadata that was extracted. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: OtterCookie Malware Analysis and Distribution
Link: https://any.run/cybersecurity-blog/ottercookie-malware-analysis/
Summary: OtterCookie is a newly identified malware associated with the Lazarus Group, a North Korean state-sponsored threat actor, targeting credentials, cryptocurrency wallets, and sensitive data from the tech and financial sectors. Disguised as legitimate freelance coding tasks and utilizing clean-looking Node.js repositories, OtterCookie employs sophisticated obfuscated JavaScript to evade detection, triggering malicious code download through simulated errors on set-up Node.js servers. After harvesting various types of data, the malware exfiltrates the gathered information to a U.S. command-and-control server and subsequently downloads a remote access trojan, InvisibleFerret, to maintain persistent access. This malware demonstrates a creative approach to deployment and showcases the Lazarus Group's ongoing campaign against cryptocurrency-related assets.
Threats: ottercookie lazarus_group invisibleferret beavertail contagious_interview_campaign dev_popper_campaign anydesk_tool credential_dumping_technique
Indicators of compromise:
-------------------------
ip: 144[.]172[.]101[.]45, 135[.]181[.]123[.]177
domain: chainlink-api-v3[.]cloud
url: http://144[.]172[.]101[.]45:1224, http://chainlink-api-v3[.]cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e, https://bitbucket[.]org/0xhpenvynb/mvp_gamba/downloads, http://chainlink-api-v3[.]cloud/api
hash:
- sha256=aa0d64c39680027d56a32ffd4ceb7870b05bdd497a3a7c902f23639cb3b43ba1
- sha256=071aff6941dc388516d8ca0215b757f9bee7584dea6c27c4c6993da192df1ab9
- sha256=486f305bdd09a3ef6636e92c6a9e01689b8fa977ed7ffb898453c43d47b5386d
- sha256=ec234419fc512baded05f7b29fefbf12f898a505f62c43d3481aed90fef33687
email:

Title: Activity of the Phantomcore group in May 2025
Link: https://www.f6.ru/blog/traces-of-phantomcore/
Summary: Phantomcore is a cyber threat group targeting organizations in Russia and Belarus, known for its evolving attack methodologies. On May 5, 2025, they employed malicious email newsletters containing executable attachments disguised as ZIP archives, which included the Phantomecore.greqbackdoor v.2, capable of communicating with a command and control (C2) server. Additionally, earlier in 2024, they unveiled a variant called "Semple Phantomrat," functioning as a dropper for remote access tools, indicating the group's sophisticated operational structure characterized by coordinated domain registrations and multiple C2 servers. This ongoing evolution in their malware capabilities suggests that Phantomcore is likely to enhance its exploitation and evasion tactics moving forward.
Threats: phantomcore_group phantomcore phantomrat phantomdl sliver_c2_tool statrat procmon_tool upx_tool
Indicators of compromise:
-------------------------
ip: 195[.]133[.]32[.]194, 195[.]58[.]54[.]39
domain: wheelprom[.]ru, ugroteches[.]ru, jaudyoyh[.]ru, sauselid[.]ru, linualsut[.]ru, supportsecure[.]ru, supportsecurity[.]ru, 24windows[.]ru, bazartop[.]ru, java-stat[.]ru, updatesioa[.]ru, updatecanonical[.]ru, rawgithubcontent[.]ru, syncpulse[.]ru, airgrupdate[.]ru, mastersync[.]ru, updateapi[.]ru, update54[.]ru
url: https://stat-dashgd[.]ru, https://24windows[.]ru, https://bazartop[.]ru, https://stat-dashgd[.]ru/main-stat/test-connect[.]php, https://stat-dashgd[.]ru/main-stat/visiting-downloads, https://stat-dashgd[.]ru/main-stat/visiting-log[.]php, https://stat-dashgd[.]ru/main-stat/statistics[.]php, http://195[.]58[.]54[.]39:80/command, http://195[.]58[.]54[.]39:80/init, http://195[.]58[.]54[.]39:80/check, http://195[.]58[.]54[.]39:80/connect
hash:
- md5=55b31d3ae389473e6aee7a9a41e21bd2
- md5=e3493bced3a25d0bf61980cb797afca5
- md5=16f97ec7e116fe3272709927ab07844e
- md5=8c9617ddc6d371264a7026777e3cdcc9
- md5=08d40cc89db9fc3423c299bca7639690
- md5=57384d60dab044887d741150fe03fa52
- md5=d7185eae76afdd78f8cadaf81dd88ba1
- md5=a18f173d63df0ed0677182a747f81c52
- md5=57384d60dab0448887411150fa03fa52
- md5=cd3440cf9f20faa30a743d8408eb9217
- md5=5f8b1dbc51da577d606bcabd42e40876
- md5=1bca485be5a9d976dea5cb372859f30b
- md5=225a32915439dd0056520093b68a0704
- md5=6bb56e264b343c4b81ea1c99769f4905
- md5=6b674a4a15a44f730094081a5d226f91
- md5=a0846758c1852d141f657dd6a01adcce
- md5=43651c96ed10637b5c0e454c32e4809a
- md5=5437e08743347bca0430689341198e57
- md5=a15a559d3a3324afedeff4d17547cfea
- md5=4e167675c52ee7428bf0ba90f59b1a8f
email:

Title: The Bitter End: Unraveling Eight Years of Espionage Antics - Part One
Link: https://www.proofpoint.com/us/blog/threat-insight/bitter-end-unraveling-eight-years-espionage-antics-part-one
Summary: TA397 is a state-backed threat actor likely associated with Indian intelligence, actively targeting governmental and defense entities in Europe and Asia, particularly those related to China and Pakistan. The group's operations primarily utilize spearphishing emails for initial access, leveraging methods that include exploiting scheduled tasks to deploy malware, such as Kugelblitz and various RATs. They have adapted their tactics over time, notably using diverse file types for executing malicious commands and downloading payloads, while maintaining a distinct operational fingerprint recognizable through specific infrastructure patterns and timestamps reflecting Indian Standard Time. Their campaigns exploit vulnerabilities like CVE-2024-43572 and indicate a high level of sophistication in espionage techniques, suggesting a collaborative framework among Indian state-backed actors focused on national security and diplomatic concerns.
Threats: bitter_group spear-phishing_technique artradownloader grimresource_technique wmrat miyarat havoc kugelblitz bdarkrat mysterious_elephant_group apt59_group orpcbackdoor
Indicators of compromise:
-------------------------
ip: 72[.]18[.]215[.]108
domain: woodstocktutors[.]com, princecleanit[.]com, utizviewstation[.]com, ottawadesignlab[.]com, jacknwoods[.]com, trkswqsservice[.]com, warsanservices[.]com, headntale[.]com
url: http://46[.]229[.]55[.]63/svch[.]php?li=%computername%[.][.]%username%, http://95[.]169[.]180[.]122/vbgf[.]php?mo=%computername%--%username%, http://inizdesignstudio[.]com/lk[.]php?xm=$env:computername*$env:username, http://trkswqsservice[.]com/turf[.]php?xm=$env:COMPUTERNAME*$env:USERNAME, http://woodstocktutors[.]com/jbc[.]php?fv=$env:COMPUTERNAME*$env:USERNAME, https://princecleanit[.]com/dprin[.]php?dr=%computername%, https://utizviewstation[.]com/dows[.]php?cb=$env:COMPUTERNAME*$env:USERNAME, https://www[.]headntale[.]com/lchr[.]php?ach=%computername:~0, https://www[.]mnemautoregsvc[.]com/GIZMO/flkr[.]php?sa=COMPUTERNAME**USERNAME, http://173[.]254[.]204[.]72/dune64[.]log, https://www[.]utizviewstation[.]com/urf[.]php?mn=%computername%, http://utizviewstation[.]com/msuitl[.]tar, https://www[.]utizviewstation[.]com/urf[.]php?mn=%username%
hash:
- sha256=1b67fc55fd050d011d6712ac17315112767cac8bbe059967b70147610933b6c1
- sha256=7c5dde52845ecae6c80c70af2200d34ef0e1bc6cbf3ead1197695b91acd22a67
- sha256=b56385dc93cc8f317ce499539b0d52aa0b3d8b6a8f9493e1ee7ba01765edd020
- sha256=80b3a71138c34474725bbb177d8dec078effb7d8f4b19bf2e7a881b01ec7d323
- sha256=cdddbd65dbb24d3b9205e417cc267007bfd0369c316f70d2749887b9f02e949b
- sha256=1fbf95ccf1193e84d0e4f8c315816dd2aec56edb11ef1e7b28667360ca7e5ccd
- sha256=5a39f10d2e4c1cae1b52baff0cf8b3e397da2e69cb90e1bac138e8d437cbea41
- sha256=cc65fac9151fa527bc4b296f699475554ee2510572b8c16d5ef4b472a4cb9ffc
- sha256=680c99915d478ed8d9f1427b3deb2ebd255a6ec614ad643909ab4c01f52905ae
- sha256=c9612051b3956ac8722d8be7994634b7c940be07ca26e2fc8d0d5c94db2e4682
email:

Title: BladedFeline: Whispering in the dark
Link: https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/
Summary: ESET researchers have uncovered a cyberespionage campaign attributed to BladedFeline, an Iran-aligned APT group active since at least 2017, targeting Kurdish and Iraqi government officials. The campaign employs various malware tools, including Whisper, a backdoor that logs into Microsoft Exchange webmail accounts, and PrimeCache, an IIS module that executes commands through segmented requests. BladedFeline's activities are characterized by the development of sophisticated malware and backdoors, with historical ties to the Kurdistan Regional Government and potential connections to the OilRig group, indicating a strategic objective to influence regional geopolitics through espionage.
Threats: bladedfeline_group oilrig_group primecache whisper_backdoor shahmaran slippery_snakelet laret_tool pinar_tool spearal rdat videosrv_tool timestomp_technique credential_dumping_technique siamesekitten_group plink_tool olala_tool danabot shark marlin mango oilforcegtx europium_group dnspionage powerexchange
Indicators of compromise:
-------------------------
ip: 178[.]209[.]51[.]61, 185[.]76[.]78[.]177
domain: olinpa[.]com, zaincell[.]store
url: http://178[.]209[.]51[.]61:8000/wincapsrv[.]exe
hash:
- sha1=272cf34e8db2078a3170cf0e54255d89785e3c50
- sha1=f28d8c5c2283019e6ed788d20240abc8554cadb5
- sha1=562e1678ec8fdc1d83a3f73eb511a6dda08f3b3d
- sha1=be0ad25b7b48347984908175404996531cfd74b7
- sha1=01b99ff47ec6394753f9ccdd2d43b3e804f9ee36
- sha1=1c757accbc2755e83e530dda11b3f81007325e67
- sha1=37859e94086ec47b3665328e9c9baf665cb869f6
- sha1=3d21e1c9dfba38ec6997ae6e426df9291f89762a
- sha1=4954e8a8a23b48ec55f1fff3a4703331e9fa2d6c
- sha1=66bd8db40f4169c7f0fca3d5d15c978efe143cf8
- sha1=73d0faa475c6e489b2c5c95bb51dede4719d199e
- sha1=bb4ffcdbfad40125080c13fa4917a1e836a8d101
- sha1=e8e6e6afef3f574c1f5228bdb28abb34f8a0d09a
email:

Title: IBM X-Force Threat Analysis: DCRat presence growing in Latin America
Link: https://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america
Summary: In May 2025, the cyber threat actor group Hive0131 carried out phishing campaigns in Colombia by posing as the Judiciary of Colombia. These campaigns involved emails with malicious PDF attachments or embedded links to Google Docs that led to the download of a ZIP file containing a benign file alongside a malicious JavaScript payload. This payload, known as VMDetectLoader, utilized PowerShell to execute further malicious actions, including process hollowing to inject the payload DCRat into legitimate processes. The attack strategy relied on techniques to evade detection and maintain persistence, while IBM X-Force noted that various groups in the region engage in malware-as-a-service (MaaS), with an increasing trend in targeting banking trojans for financial gain.
Threats: dcrat vmdetectloader hive0131_group process_injection_technique process_hollowing_technique hive0148_group hive0149_group hive0153_group adwind_rat sambaspy quasar_rat njrat
Indicators of compromise:
-------------------------
ip:
domain:
url: https://archive[.]org/download/new_ABBAS/new_ABBAS[.]jpg, https://tinyurl[.]com/2ypy4jrz?id=5541213d-0ed8, https://docs[.]google[.]com/uc?export=download&id=1aJuQtm8YUqZv12E-atslt_GvBWZ, http://paste[.]ee/d/jYHEqBJ3/0, https://archive[.]org/download/new_ABBAS/new_, https://ia601205[.]us[.]archive[.]org/26/items/new_
hash:
- sha256=4ce1d456fa8831733ac01c4a2a32044b6581664d311b8791bb2efaa2a1d01f17
- sha256=6a632d8356f42694adb21c064aa9e8710b65adddfdf2209d293ded12fe3d46a7
- sha256=1603c606d62e7794da09c51ca7f321bb5550449165b4fe81153020021cbce140
- sha256=ceb88c09069b5ddc8ca525b7f2e26c4852465bc0ed7c665df39c646287a2f17e
- sha256=0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7
- sha256=db21cc64fb7a7ed9075c96600b7e7e7007a0df7cb837189c6551010a6f828590
- sha256=3c95678d140825b56e04298ce6238ce22b34611d2582ac736c909296ca137ed1
- sha256=7c3fbea63b7cdf013ef26831bb1850c80f4bfad0103328de106b3d5491372ccf
- sha256=b16588e0e2c6a0c8ff080ded57abe8159008d040aea78b2e801c17ce79f05863
email:

Title: The Golden Eye Dog (APT-Q-27) group recently used the “Silver Fox” Trojan to steal secrets
Link: https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247515029&idx=1&sn=41ca43a966c86bed0a8229ada062a316
Summary: The hacker group Golden Eye Dog, identified as APT-Q-27, has been targeting the gambling and dog-pushing sectors through advanced attack methods, including remote control, cryptocurrency mining, and DDoS attacks. Their malware utilizes techniques like watering hole attacks to distribute Trojans and incorporates sophisticated programming languages such as .NET, C++, Go, and Delphi. A notable aspect of their malware is a Shellcode configuration file, Config.ini, which loads a Portable Executable to access functionalities from a DLL known as "VFPower." Recent attacks have involved deploying malicious packages posing as Todesk, implanting the Winos4.0 Trojan, and establishing communication with a command and control server through various IP addresses and ports. The malware's obfuscation techniques, such as using OLLVM, and behaviors that allow it to manipulate antivirus exclusions illustrate the group's sophisticated capabilities and persistence in compromising systems.
Threats: golden_eyed_dog_group silver_fox_group raindrop_tool miuuti_group watering_hole_technique todesk_tool winos ollvm_tool
Indicators of compromise:
-------------------------
ip: 120[.]89[.]71[.]226, 120[.]89[.]71[.]226:909090911885218853, 134[.]122[.]207[.]5:909090911885218853, 120[.]89[.]71[.]226:9090, 134[.]122[.]207[.]5:9090, 27[.]124[.]4[.]150:46097
domain: kln[.]lefp8nhk[.]com
url: https://tt[.]opwejg[.]cn/top
hash:
- md5=31594c105ab3325fa1e8a3b49b850084
- md5=fcd3e77e71977c3a12b4f6508ffe21b4
- md5=fa62fa418888f896af1b6194d01360b8
- md5=2d1f5a2c32172820cc95f28815058bf0
- md5=6b6b099a82f4b49f9cf262d7a3ba2a52
- md5=b331d84df0eae1d9cfe53800ca974db4
- md5=7afaf7619cf0f8085ec590f26beaa9af
- md5=a413e74da935c2fb6b7e26c7dfadd9ec
- md5=096aa3ef6a91a94bb90b026ef01ae872
- md5=af347beff0b595a61530e04bbb426e1d
email:

Title: ViperSoftX Targeting Cryptocurrency Users
Link: https://asec.ahnlab.com/ko/88265/
Summary: The Ahnlab Security Intelligence Center (ASEC) has reported on the VIPERSOFTX threat actors, who are specifically targeting domestic users to distribute malware, primarily aimed at cryptocurrency theft. VIPERSOFTX employs various techniques, including the use of PowerShell scripts to install additional malicious payloads and the Quasar RAT for remote access, alongside other malware such as PureCryPter and Purehvnc. Their tactics include disguising malware as legitimate software, along with distribution via torrent sites and malicious emails, while utilizing clipboard manipulation to intercept and alter cryptocurrency wallet addresses, enhancing their capability for data theft and compromise of sensitive user information.
Threats: vipersoftx quasar_rat tesseract_stealer purecryptor purehvnc_tool clipbanker
Indicators of compromise:
-------------------------
ip: 136[.]243[.]132[.]112, 160[.]191[.]77[.]89, 185[.]245[.]183[.]74, 212[.]56[.]35[.]232, 89[.]117[.]79[.]31
domain:
url: http://136[.]243[.]132[.]112/ut[.]exe, http://136[.]243[.]132[.]112:881/3[.]exe, http://136[.]243[.]132[.]112:881/APPDATA[.]exe, http://136[.]243[.]132[.]112:881/a[.]ps1, http://136[.]243[.]132[.]112:881/firefoxtemp[.]exe
hash:
- md5=064b1e45016e8a49eba01878e41ecc37
- md5=0ed2d0579b60d9e923b439d8e74b53e1
- md5=0efe1a5d5f4066b7e9755ad89ee9470c
- md5=197ff9252dd5273e3e77ee07b37fd4dd
- md5=1ec4b69f3194bd647639e6b0fa5c7bb5
email:

Title: How Threat Actors Exploit Human Trust: A Breakdown of the ‘Prove You Are Human’ Malware Scheme
Link: https://dti.domaintools.com/how-threat-actors-exploit-human-trust/
Summary: The report details a malicious cyber campaign that utilizes deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to mislead users into executing harmful PowerShell scripts. The discovered PowerShell scripts initiate a multi-layered download process that ultimately installs the NetSupport RAT (Remote Access Trojan) on victims' systems. Specifically, one technique involved mimicking CAPTCHA verification on the fake Docusign site, which executes a clipboard poisoning attack to trick users into running malicious commands. The campaign has characteristics aligned with the threat actor cluster SocGholish and demonstrates sophisticated obfuscation tactics to evade detection while employing known legitimate software as a vehicle for malicious activities.
Threats: netsupportmanager_rat fakecaptcha_technique socgholish_loader carbanak_group storm-0408_group
Indicators of compromise:
-------------------------
ip: 185[.]209[.]21[.]241, 91[.]211[.]249[.]44, 95[.]215[.]204[.]156, 194[.]26[.]232[.]180, 170[.]130[.]55[.]203, 212[.]86[.]115[.]52
domain: gitcodes[.]org, tradingviewtool[.]com, tradingviewtoolz[.]com, docusign[.]sa[.]com, 0xpaste[.]com, aitradingview[.]app, aitradingview[.]dev, batalia-dansului[.]xyz, battalia-dansului[.]com, betamodetradingview[.]dev, betatradingview[.]app, betatradingview[.]dev, charts-beta[.]dev, codepaste[.]io, dans-lupta[.]xyz, dev-beta[.]com, devbetabeta[.]dev, devchart[.]ai, developer-ai[.]dev, developerbeta[.]dev, developer-beta[.]dev, developer-mode[.]dev, developer-package[.]dev, developer-update[.]dev, devmodebeta[.]dev, devmode-beta[.]dev, devtradingview[.]ai, devtradingview[.]net, dev-update[.]dev, docusign[.]za[.]com, docusimg[.]sa[.]com, docusingl[.]sa[.]com, docusingle[.]sa[.]com, gitcodes[.]app, gitcodes[.]io, gitcodes[.]net, gitpaste[.]com, givcodes[.]com, hubofnotion[.]com, jeffsorsonblog[.]dev, loyalcompany[.]net, mhousecreative[.]com, modedev[.]ai, modedeveloper[.]ai, modedeveloper[.]com, modedevs[.]ai, nsocks[.]net, oktacheck[.]it[.]com, pasteco[.]com, pastefy[.]com, pastefy[.]net, pastefy[.]pro, tradingviewai[.]dev, tradingview-ai[.]dev, tradingviewbeta[.]dev, tradingview-beta[.]dev, tradingviewdev[.]com, tradingviewindicator[.]dev, tradingviewtradingview[.]dev, updatebeta[.]app
url: https://tradingviewtool[.]com/info2[.]php, https://tradingviewtool[.]com/info3[.]php, http://mhousecreative[.]com, http://170[.]130[.]55[.]203:443/fakeurl[.]htm, https://oktacheck[.]it[.]com/s[.]php, https://loyalcompany[.]net/s[.]php, https://hubofnotion[.]com/steps[.]php, https://raw[.]githubusercontent[.]com/MIGS2023/000/main/sihost[.]exe, https://raw[.]githubusercontent[.]com/MIGS2023/000/main/svchost[.]exe, https://cdn[.]discordapp[.]com/attachments/1212800072570241127/1213022984775106570/Netflix[.]scr?ex=65f3f1b5&is=65e17cb5&hm=a8b4797b7e82709d835f1e24a0118e83d76c69be8338e340c7b850c20f07034d&, https://cdn[.]discordapp[.]com/attachments/1212800072570241127/1213022984775106570/Spotify[.]scr?ex=65f3f1b5&is=65e17cb5&hm=a8b4797b7e82709d835f1e24a0118e83d76c69be8338e340c7b850c20f07034d&
hash:
- sha256=254732635529a0567babf4f78973ad3af5633fd29734ea831e5792292bbf16cd
- sha256=3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7
- sha256=431b0b19239fc5e0eeaee70cd6e807868142e8cd0b2b6b1bd4a7a2cc8eb57d15
- sha256=ab8fdde9fb9b88c400c737d460dcbf559648dc2768981bdd68f55e1f98292c2a
- sha256=b2daa2b5afb389828e088ec8b27c0636bdad94b2ef71dcf8034ee601cb60d8d6
- sha256=58874c0dc26a78cdc058f84af9967f31b3c43173edc7515fa400e6ef8386205f
- sha256=b258de3b7ef42b4f4bfb0fb5ffe7c55df6aef01cc591abe34a70d1ff82130cd5
- sha256=e9fe19455642673b14c77d18a1e7ed925f23906bf11237dfafd7fb2cba1f666d
- sha256=1a128f6748d71d02c72ba51268be181143405830a4e48dfa53bf3d6ed3391211
- sha256=89043d2817d1bb4cb57ed939823dca0af9ae412655a6c75c694cb13d088efe5a
- sha256=8ffacc942d1c3f45e797369a1f4cbd5dcd84372abf979b06220236d5a5cea649
- sha256=b3e879b5952988fb0c656240365db8f01198f9d83cd2a3ec0e2a8ee172e20a11
- sha256=c6907acabf2edf0be959c64a434e101963f7c18dcf79f116e0ce6b5ced5dd08c
- sha256=07576e1db7e7bd0f7d2c54b6749fdd73c72dba8c2ba8ab110b305cfc10c93c80
- sha256=80b274871e5024dfa9e513219fe3df82cc8fe4255010bd5d04d23d5833962c10
- sha256=d7fadf7ef45c475bd9a759a771d99ccf95edfa8a0c101ce2439a07b66c2e5c72
- sha256=f9a241a768397efb4b43924fbd32186fcb1c88716fff3085d3ddcdd322d3404f
email:

Title: TTPs of Cyber Partisans activity aimed at espionage and disruption
Link: https://ics-cert.kaspersky.com/publications/reports/2025/06/05/ttps-of-cyber-partisans-activity-aimed-at-espionage-and-disruption/
Summary: Cyber Partisans, a hacktivist group, has been linked to sophisticated cyberattacks in Russia and Belarus, utilizing a novel backdoor known as Vasilek that bypasses traditional command-and-control servers by communicating via a Telegram group. Discoveries made by Kaspersky ICS CERT indicate that the attackers employ phishing techniques, such as disguising malware as legitimate software installations, along with advanced tools like DNSCat2 for remote control and Pryanik for destructive wiper attacks. Their methods include credential harvesting, execution of payloads in memory to avoid detection, and the use of various proxies and tunneling utilities to obscure their network traffic, highlighting an escalation in the complexity and danger of cyber-hacktivist operations in politically sensitive environments.
Threats: cyber_partisans_group dnscat2_tool vasilek pryanik byovd_technique zemana_tool credential_stealing_technique mimikatz_tool powersploit metasploit_tool remcom_tool psexec_tool it_army_group c0met_group zapchast kryptik
Indicators of compromise:
-------------------------
ip: 103[.]219[.]153[.]203
domain: w[.]3a01[.]net, c[.]0ce[.]org, p[.]7cp[.]org, gov-by[.]com, f[.]91j[.]org, in[.]vmware[.]org[.]mx, 3a01[.]net, 0ce[.]org, 7cp[.]org, 91j[.]org, vmware[.]org[.]mx, p-society[.]org
url:
hash:
- md5=7c730289b150582d65622fee14daf1de
- md5=a0d7545dcd71267d2d051a4646f91feb
- md5=b3f91a4bfcd2eeb346e323b5cbef2833
- md5=d9f7489a2cb324db909ce49548e1db79
- md5=021c89550f2cc0067891693c0b2301e6
- md5=13f9be1c7501154e82626d883219b0f1
- md5=a4120003348feda59ed2a3b278e149bd
- md5=b78859eb6fd560548e1a99356d14fbb5
- md5=c19970454202aff1d5ac289b0c0752da
- md5=cc9e931fc7bfe857284bf2ec661399ee
- md5=ce338924524961f9553c49b3c2d6ebde
- md5=749b194b2746479157048e08f36c0b05
- md5=d1a8081ff646a83666c7aa69204c17a5
- md5=0216931a3ed18710fd0cc247e9b98454
- md5=0368ccd16376517659b6ba0a63a33086
- md5=043a1ae4cb4fd6b2e46d70091fdfda80
- md5=0ab6d6546094d93817e45390f77b840a
- md5=1192d60f12ac800deb3bb94a326e2efc
- md5=1606ff3ca7201b1edd99a4885ad74479
- md5=18769f7d5ae7182135873ea29b586608
- md5=1f024f1bcf190dab60fae70f0760f92c
- md5=28408044f467fd6033e8e9272cf4ad0c
- md5=2ba3ce248489f54233fe66d232b8b399
- md5=2ffd44af4277e78c0dccf0deb722fa71
- md5=3559069687b0f9982f29dced5fed40b6
- md5=39e2604706eb137ff70619e21511f602
- md5=3b627d73ede057ba29e3707736382fd7
- md5=457e261456ba5ac6be9ef9ed4f46518e
- md5=45da308f63b3675e8d0eb4d440d54319
- md5=46d785cd365e0b1514d156ab6ebc8c20
- md5=4a5eb4bcd4ca4e024dcb608d5e0c2ddd
- md5=5047c19c15df7a356e76959f7921d09a
- md5=513af4462f64719bd7861a2daff8e15d
- md5=56090eeef953847d3e4d59729242ec24
- md5=5b88416749cdfe192393144efae82492
- md5=5ca2662b8de5cc7d56a8e425ef59fbdd
- md5=5e29f706db2ff0bfa9be481960d52b0c
- md5=5f0e6a992521661aa30f627981c89cfd
- md5=60290ea2d6149ba5678a8f1fb7abd1e1
- md5=6ada80a78d15c39b6511d435389a0c32
- md5=6cb10d35e6884089cb192e3ab09bf921
- md5=718df1e53b6b208ac46cf135251661df
- md5=74d7fd33236d1024adad272c27fa4a04
- md5=7524640b6c66411c9f7a4494fa9aca1c
- md5=7ee9a254ac0f571c6889793af4cfcd3b
- md5=89ed6d4ef883a6b6c095cbb2ccfd774e
- md5=916b54455ccb7673fb28469b08b3340b
- md5=99634f5a23db7af8827affd095c5e0c0
- md5=9a102379c85547c543ca4b4a8fab99ec
- md5=9b5e70fa77ffdc845ac96eae7f013bb0
- md5=9f61eabee7fede49beeb7da793fe4025
- md5=a268c3d5cac25d9c03a2960e4ec6f756
- md5=a402859d74bccdeb1e074d1ef837bf70
- md5=a5b2129462c6d78521f544a37f8ca21f
- md5=a681fe14bc71b14a91000fa8065153bf
- md5=a70af2db482b8bc2c442b5e55ab6f91b
- md5=a7ee2be8288fcdae91b5e4022b95ad3a
- md5=addbb3dea38c7f114d9b55ac473af9bd
- md5=bac437d80cd0c65a7937681a9bf5a5e0
- md5=be47583211df677350e13ef82198d2d5
- md5=c060237a1c8d2dccefd46f99209312b9
- md5=c8c7128b536acfb2a1531b0cb016f1ce
- md5=ce3cb372fc86a1bf8b8965f941903909
- md5=e596f7165f9792e9b201e00585ed3694
- md5=e5d80bf63b2d4da0e6b1e91b4dc0e35a
- md5=e6f319da7d9230850974e0b2fa664450
- md5=ed03d170568479661bbe47d3b72aabb6
- md5=f82207c8ca5c44ff3f3d3341c5b01f4c
- md5=fb966f7055bcdf8d21ce32e4dd71317c
- md5=fce38ab03134ad9c4b63845fa456c3e2
- md5=ff230f470b3e77cf63cb17bc7a2745bb
- md5=6470c04186bd618d612ff765b4234c61
- md5=eef8bb0e23f4633ca53d3ac767294b20
- md5=a31f4e073c5700f3195b52caaa950971
- md5=21a558d7fc3934055302b8a0da78f830
- md5=952fc71a3b89bb6e6bb191a66eb4ca12
- md5=f72e9453c6b9044fbe5bac9b5ee4e65f
- md5=05c17f58b31dbeb2c15d44d1a460a3e0
- md5=0633ed1e19ad9e1c6212c1f326e03d73
- md5=8ce8df9ca659d0678f0236cb13fe8505
- md5=bf33354d4d1edd928617b68365c2df02
- md5=9bbbc01ee96d575dcfc2137fd319a379
email:

Title: DarkEngine
Link: https://connect.cybercx.com.au/dark-engine
Summary: CyberCX has discovered a sophisticated phishing campaign named DarkEngine, which targets users of WP Engine, a managed WordPress hosting platform, and has been active since at least June 2024. The campaign employs SEO poisoning to lure victims to phishing sites mimicking the WP Engine login interface, enabling attackers to steal credentials and gain unauthorized access to WP Engine accounts and their associated WordPress sites. Once compromised, the attackers inject backdoors via malicious plugins and execute harmful JavaScript, affecting over 2,353 unique sites primarily in Australia and New Zealand, while also utilizing techniques like ClickFix to manipulate visitors into executing harmful commands. The operation employs a headless browser automation tool for exploitation, maintaining persistence through various backdoors and SFTP accounts.
Threats: darkengine_campaign seo_poisoning_technique fakecaptcha_technique yanb kongtuke_group landupdate808_group tag-124_group clickfix_technique lumma_stealer netsupportmanager_rat danabot asyncrat darkgate asylum_ambuscade_group rhysida interlock socgholish_loader
Indicators of compromise:
-------------------------
ip: 91[.]212[.]166[.]120, 104[.]21[.]94[.]28, 91[.]215[.]85[.]161, 172[.]67[.]128[.]13, 67[.]217[.]228[.]193, 216[.]245[.]184[.]27, 45[.]61[.]136[.]41, 64[.]95[.]12[.]237, 162[.]33[.]178[.]84, 64[.]95[.]13[.]196, 45[.]61[.]136[.]12, 162[.]33[.]177[.]142, 45[.]61[.]136[.]171, 31[.]41[.]244[.]8, 67[.]217[.]228[.]133, 193[.]149[.]176[.]230, 64[.]94[.]85[.]252, 45[.]61[.]136[.]204, 67[.]217[.]228[.]77, 72[.]5[.]43[.]132, 170[.]130[.]55[.]183, 64[.]95[.]12[.]235, 64[.]190[.]113[.]105, 64[.]52[.]80[.]133, 67[.]217[.]228[.]70, 89[.]185[.]80[.]113, 81[.]19[.]140[.]131, 193[.]32[.]176[.]12, 81[.]19[.]140[.]215, 62[.]133[.]61[.]197, 89[.]185[.]80[.]150, 81[.]19[.]140[.]206, 145[.]249[.]115[.]49, 89[.]185[.]80[.]99, 147[.]45[.]179[.]55, 5[.]181[.]3[.]219, 147[.]45[.]178[.]85, 91[.]219[.]23[.]193, 185[.]193[.]89[.]95, 194[.]87[.]31[.]237, 194[.]113[.]37[.]213, 193[.]242[.]184[.]213, 5[.]8[.]19[.]19, 5[.]187[.]2[.]70, 185[.]18[.]55[.]174, 64[.]190[.]113[.]86, 45[.]61[.]136[.]89, 45[.]61[.]136[.]67
domain: wpengene[.]com, wqenqine[.]com
url: https://wgenpene[.]com, https://wpingene[.]com, https://manaqerwp[.]com, https://wpiengen[.]com, https://wepeingine[.]com, https://manaqewp[.]com, https://wpenqene[.]com, https://wpenqein[.]com, https://wpengenj[.]com, https://wpenginl[.]com, https://wqengene[.]com, https://wpengquine[.]com, https://wpnginin[.]com, https://wgenqine[.]com, https://wqengine[.]com, https://wqengines[.]com, https://wp-enqine[.]com, https://wpengnes[.]com, https://wpenginea[.]com, https://wpenginas[.]com, https://wpengina[.]com, https://wepeingine[.]com/?gad_source=1&gclid=REDACTED, https://cwcstudios[.]com/ads[.]php, https://laceyanns[.]com/ads[.]php, https://carofh2o[.]com/ads[.]php, https://geomii[.]com/ads[.]php, https://vistapi[.]com/ads[.]php, https://eafincas[.]com/ads[.]php, https://example[.]com/4e2j[.]js, https://adwwworks[.]com/4a3a[.]js, https://anichind[.]com/4f5f[.]js, https://ensmingers[.]com/5e2e[.]js, https://itrtruck[.]com/5r3e[.]js, https://itrtruck[.]com/6y4r[.]js, https://chproduct[.]com/4e2e[.]js, https://xcitetv[.]com/4f6t[.]js, https://frederichoms[.]com/4e2j[.]js, https://digiscap[.]com/4re2[.]js, https://anncrman[.]com/4r2w[.]js, https://aimpes[.]com/6t4g[.]js, https://alapige[.]com/3j9m[.]js, https://jimriehls[.]com/5t3e[.]js, https://uhaknews[.]com/4e2q[.]js, https://mrdltd[.]com/5q2g[.]js, https://vickmarine[.]com/3w1s[.]js, https://mtowner[.]com/5t4r[.]js, https://fjcad[.]com/5t6y[.]js, https://waxworkx[.]com/4e7u[.]js, https://skatkat[.]com/5r4y[.]js, https://rajjas[.]com/4e6y[.]js, https://webproinc[.]com/3e5e[.]js, https://kkmic[.]com/4e6t[.]js, https://opticna[.]com/4e1w[.]js, https://calbbs[.]com/5gt5[.]js, https://pushcg[.]com/webanalyzer[.]js, https://uhaknews[.]com/4e2qJ[.]js, https://uhaknews[.]com/stat[.]php, http://reichel[.]top/sign/in, https://wqeinqene[.]com, https://wqenqene[.]com
hash:
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
This summary focuses on the threat actors explicitly detailed in the provided excerpts, namely Lazarus Group (associated with OtterCookie) and Phantomcore.
# Threat Actor: Lazarus Group (associated with OtterCookie)
## Attribution & Identity
State-sponsored threat actor originating from North Korea. Associated with the malware family "OtterCookie" and the subsequent deployment of "InvisibleFerret" RAT.
## Activity Summary
The group is actively running a campaign (implied by the mention of `contagious_interview_campaign` and `dev_popper_campaign`) utilizing the newly identified **OtterCookie** malware. This malware targets credentials, cryptocurrency wallets, and sensitive data.
## Tactics, Techniques & Procedures
- Deception: Disguising malware distribution as legitimate freelance coding tasks.
- Deployment Method: Utilizing clean-looking Node.js repositories.
- Evasion: Employing sophisticated obfuscated JavaScript to bypass detection.
- Execution Flow: Triggering malicious code download via simulated errors during Node.js server setup.
- Post-Exploitation: Downloading and installing the **InvisibleFerret** Remote Access Trojan (RAT) for maintaining persistent access.
- Activity: Credential dumping observed.
## Targeting
- Sectors: Technology and Financial sectors.
- Geography: Not stated in the source; targeting is driven by asset type (cryptocurrency-related) and sector rather than by region.
- Victims: Not specifically named, but implied to be entities holding sensitive data and crypto assets.
## Tools & Infrastructure
- Malware families used: OtterCookie, InvisibleFerret (RAT).
- Infrastructure (C2, domains, IPs):
  - IP: `144[.]172[.]101[.]45`, `135[.]181[.]123[.]177`
  - Domain: `chainlink-api-v3[.]cloud`
  - URLs: `http://144[.]172[.]101[.]45:1224`, `http://chainlink-api-v3[.]cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e`, `https://bitbucket[.]org/0xhpenvynb/mvp_gamba/downloads`
## Implications
The Lazarus Group continues to pivot its focus toward high-value financial targets, specifically cryptocurrency assets, employing creative social engineering (freelance coding scenarios) combined with sophisticated anti-analysis techniques like JavaScript obfuscation in a Node.js environment.
## Mitigations
- Heightened scrutiny of setup procedures involving Node.js environments, especially those sourced externally or disguised as development tasks.
- Specific monitoring for indicators associated with OtterCookie and InvisibleFerret activity.
- Enhanced protection and segmentation for cryptocurrency wallet access and sensitive data stores.
***
# Threat Actor: Phantomcore
## Attribution & Identity
A cyber threat group whose specific national ties are not explicitly stated, but activity is focused on Russia and Belarus. They show evolving attack methodologies.
## Activity Summary
Observed activity in May 2025 involved using malicious email newsletters containing executable attachments disguised as ZIP archives. Earlier in 2024, they used a variant named "Semple Phantomrat," which functioned as a dropper for remote access tools.
## Tactics, Techniques & Procedures
- Initial Access: Malicious email newsletters with executable attachments masquerading as ZIP archives.
- Malware Deployment: Utilizing **Phantomecore.greqbackdoor v.2**.
- Dropper Usage: Using "Semple Phantomrat" as a dropper for RATs.
- Operational Sophistication: Characterized by coordinated domain registration and management of multiple C2 servers.
## Targeting
- Sectors: Not specified beyond organizations in the group's regional focus area.
- Geography: Russia and Belarus.
- Victims: Not specifically named.
## Tools & Infrastructure
- Malware families used: Phantomecore.greqbackdoor v.2, Semple Phantomrat (dropper), Sliver C2 tool, StatRAT.
- Infrastructure (C2, domains, IPs):
  - IPs: `195[.]133[.]32[.]194`, `195[.]58[.]54[.]39`
  - Domains: `wheelprom[.]ru`, `ugroteches[.]ru`, `jaudyoyh[.]ru`, and numerous others.
  - URLs: C2 communications observed at `http://195[.]58[.]54[.]39:80/command` and various URLs hosted on their registered domains.
## Implications
Phantomcore is an evolving threat demonstrating a willingness to update its malware toolkit (v.2 backdoor and dropper usage) and maintain a robust infrastructure presence, suggesting a persistent and adaptive focus on their regional targets.
## Mitigations
- Email security training focused on identifying malicious attachments disguised as archives, particularly in newsletters.
- Network monitoring for outbound connections to the listed suspicious C2 domains, especially those ending in `.ru`.
- Prioritising detection of the Phantomecore backdoor and of the group's use of tools such as Procmon wrapped/obfuscated with UPX.
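Both mitigation lists above (for the Lazarus/OtterCookie entry and for Phantomcore) call for monitoring the listed indicators. The block below is an added example, not code from RST Cloud or from any of the cited reports: it parses the digest's own defanged indicator layout (`ip:`, `domain:`, `url:` and `hash:` lines, `[.]` defanging, one `- algo=hex` item per hash), rejects malformed hash entries, and matches the OtterCookie indicators against a few proxy log lines. The log format (`timestamp client dst_ip method url`), the log lines themselves and the one malformed hash entry are constructed for the example; the indicator values are the ones printed in the OtterCookie entry.

```python
"""Parse a defanged IoC block and match it against proxy log lines.
Added example; not RST Cloud's code and not from any cited report."""
import re
from urllib.parse import urlparse

# Indicator block in the digest's own layout. Values are the OtterCookie entry's
# indicators; the final md5 line is a constructed malformed entry.
IOC_BLOCK = """Indicators of compromise:
-------------------------
ip: 144[.]172[.]101[.]45, 135[.]181[.]123[.]177
domain: chainlink-api-v3[.]cloud
url: http://144[.]172[.]101[.]45:1224, http://chainlink-api-v3[.]cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e, https://bitbucket[.]org/0xhpenvynb/mvp_gamba/downloads
hash:
- sha256=aa0d64c39680027d56a32ffd4ceb7870b05bdd497a3a7c902f23639cb3b43ba1
- sha256=071aff6941dc388516d8ca0215b757f9bee7584dea6c27c4c6993da192df1ab9
- md5=not-a-real-hash
email:
"""

# Constructed proxy log in a hypothetical "timestamp client dst_ip method url" format.
PROXY_LOG = """2025-06-05T09:12:03Z 10.0.0.5 144.172.101.45 POST http://144.172.101.45:1224/
2025-06-05T09:12:09Z 10.0.0.5 203.0.113.7 GET http://chainlink-api-v3.cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e
2025-06-05T09:13:40Z 10.0.0.8 203.0.113.9 GET https://bitbucket.org/someteam/unrelated-repo/downloads
2025-06-05T09:14:02Z 10.0.0.8 203.0.113.9 GET https://bitbucket.org/0xhpenvynb/mvp_gamba/downloads/build.zip
2025-06-05T09:15:11Z 10.0.0.9 198.51.100.20 GET https://example.org/index.html
"""

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HASH_RE = re.compile(r"(md5|sha1|sha256)=([0-9a-fA-F]+)$")


def refang(value: str) -> str:
    """Undo the digest's defanging; '[.]' is the only form it uses."""
    return value.replace("[.]", ".").strip()


def parse_ioc_block(text: str) -> dict:
    """Return sets of refanged, lower-cased ip/domain/url values, hashes keyed by
    algorithm, and a list of hash items rejected for bad length or non-hex."""
    iocs = {"ip": set(), "domain": set(), "url": set(), "hash": {}, "rejected": []}
    current = None  # section whose items follow on '- ' continuation lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-"):
            items = [line.lstrip("- ").strip()]  # continuation of `current`
        else:
            current, _, rest = line.partition(":")
            current = current.strip().lower()
            items = [i.strip().lstrip("- ").strip() for i in rest.split(",")]
        for item in filter(None, items):
            if current in ("ip", "domain", "url"):
                iocs[current].add(refang(item).lower())
            elif current == "hash":
                m = HASH_RE.match(item)
                if m and len(m.group(2)) == HASH_LENGTHS[m.group(1)]:
                    iocs["hash"].setdefault(m.group(1), set()).add(m.group(2).lower())
                else:
                    iocs["rejected"].append(item)
    return iocs


def host_matches(host: str, domains: set) -> bool:
    """Exact match or subdomain of a domain: indicator."""
    return any(host == d or host.endswith("." + d) for d in domains)


def url_matches(url: str, url_iocs: set) -> bool:
    """Prefix match on the full URL. A url: indicator hosted on a shared service
    (bitbucket.org here) must never degrade into a host match, or every request
    to that service would alert."""
    u = url.rstrip("/")
    return any(u == i.rstrip("/") or u.startswith(i.rstrip("/") + "/") for i in url_iocs)


def match_proxy_line(line: str, iocs: dict) -> list:
    """Indicator types ('ip', 'domain', 'url') that one log line hits."""
    parts = line.split()
    if len(parts) < 5:
        return []
    dst_ip, url = parts[2], parts[4].lower()
    hits = []
    if dst_ip in iocs["ip"]:
        hits.append("ip")
    if host_matches(urlparse(url).hostname or "", iocs["domain"]):
        hits.append("domain")
    if url_matches(url, iocs["url"]):
        hits.append("url")
    return hits


def scan_proxy_log(log: str, iocs: dict) -> dict:
    """Map the timestamp of each hitting line to the indicator types it hit."""
    results = {}
    for line in log.splitlines():
        hits = match_proxy_line(line, iocs)
        if hits:
            results[line.split()[0]] = hits
    return results


def hash_hit(algo: str, digest: str, iocs: dict) -> bool:
    """True when a file digest (any case) is listed under the given algorithm."""
    return digest.lower() in iocs["hash"].get(algo, set())


if __name__ == "__main__":
    parsed = parse_ioc_block(IOC_BLOCK)
    print("rejected hash items:", parsed["rejected"])
    for ts, hits in scan_proxy_log(PROXY_LOG, parsed).items():
        print(ts, hits)
```

The third log line (an unrelated Bitbucket repository) produces no hit because the `url:` indicator is matched as a full-URL prefix rather than by host; the same consideration applies to the `raw[.]githubusercontent[.]com`, `cdn[.]discordapp[.]com` and `archive[.]org` URLs elsewhere in this digest, which should be loaded as URL indicators, never promoted to domain blocks.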
***
*Note: The third entry regarding TA397 was truncated in the provided source material and could not be fully summarized.*