Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 29 threat intelligence reports and summarized their key findings, along with the relevant metadata that was extracted. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
Link: https://www.recordedfuture.com/research/reddelta-chinese-state-sponsored-group-targets-mongolia-taiwan-southeast-asia
Summary: The Insikt Group reported that the Chinese state-sponsored hacking group RedDelta has been active in targeted cyber operations from July 2023 to December 2024, primarily focusing on countries such as Mongolia, Taiwan, and Vietnam. Using customized PlugX backdoors, RedDelta conducted spearphishing campaigns with lure documents relevant to their targets, including discussions on local political candidates and national events. Notably, they compromised the Mongolian Ministry of Defense and attempted to breach the Communist Party of Vietnam, while expanding their focus to include countries like Malaysia and Japan.
RedDelta has evolved its tactics, utilizing various file types for delivery and leveraging cloud services for command-and-control traffic, aligning its activities with Chinese strategic interests and demonstrating a pattern of targeting governmental and diplomatic entities within its historical geographic priorities.

Threats: red_delta_group dllsearchorder_hijacking_technique dll_hijacking_technique nim_loader plugx_rat spear-phishing_technique gamaredon_group
Indicators of compromise:
-------------------------
ip: 115[.]61[.]168[.]143, 115[.]61[.]168[.]170, 115[.]61[.]168[.]229, 115[.]61[.]169[.]139, 115[.]61[.]170[.]105, 115[.]61[.]170[.]70, 182[.]114[.]108[.]91, 182[.]114[.]108[.]93, 182[.]114[.]110[.]11, 182[.]114[.]110[.]170, 103[.]79[.]120[.]92, 45[.]83[.]236[.]105, 116[.]206[.]178[.]67, 45[.]133[.]239[.]183, 116[.]206[.]178[.]68, 103[.]238[.]225[.]248, 45[.]133[.]239[.]21, 103[.]238[.]227[.]183, 103[.]107[.]104[.]37, 107[.]148[.]32[.]206, 167[.]179[.]100[.]144, 116[.]206[.]178[.]34, 149[.]104[.]2[.]160, 207[.]246[.]106[.]38, 45[.]76[.]132[.]25, 155[.]138[.]203[.]78, 144[.]76[.]60[.]136, 38[.]180[.]75[.]197, 107[.]155[.]56[.]15, 107[.]155[.]56[.]87, 202[.]91[.]36[.]213, 107[.]155[.]56[.]4, 149[.]104[.]12[.]64, 154[.]205[.]136[.]105, 223[.]26[.]52[.]208, 45[.]128[.]153[.]73, 96[.]43[.]101[.]245, 45[.]135[.]119[.]132, 161[.]97[.]107[.]93, 103[.]107[.]105[.]81, 103[.]107[.]104[.]4, 103[.]107[.]104[.]57, 154[.]90[.]47[.]123, 147[.]78[.]12[.]202
domain: abecopiers[.]com, alicevivianny[.]com, aljazddra[.]com, alphadawgrecords[.]com, alvinclayman[.]com, antioxidantsnews[.]com, armzrace[.]com, artbykathrynmorin[.]com, atasensors[.]com, bkller[.]com, bonuscuk[.]com, bramjtop[.]com, buyinginfo[.]org, calgarycarfinancing[.]com, comparetextbook[.]com, conflictaslesson[.]com, councilofwizards[.]com, crappienews[.]com, createcopilot[.]com, cuanhuaanbinh[.]com, dmfarmnews[.]com, electrictulsa[.]com, elevateecom[.]com, epsross[.]com, erpdown[.]com, estmongolia[.]com,
financialextremed[.]com, finasterideanswers[.]com, flaworkcomp[.]com, flfprlkgpppg[.]shop, getfiledown[.]com, getupdates[.]net, glassdoog[.]org, globaleyenews[.]com, goclamdep[.]net, goodrapp[.]com, gulfesolutions[.]com, hajjnewsbd[.]com, hisnhershealthynhappy[.]com, homeimageidea[.]com, howtotopics[.]com, importsmall[.]com, indiinfo[.]com, infotechtelecom[.]com, inhller[.]com, instalaymantiene[.]com, iplanforamerica[.]com, irprofiles[.]com, itduniversity[.]com, ivibers[.]com, jorzineonline[.]com, kelownahomerenovations[.]com, kentscaffolders[.]com, kerrvillehomeschoolers[.]com, kxmmcdmnb[.]online, lebohdc[.]com, linkonmarketing[.]com, loginge[.]com, lokjopppkuimlpo[.]shop, londonisthereason[.]com, looksnews[.]com, maineasce[.]com, meetviberapi[.]com, mexicoglobaluniversity[.]com, mobilefiledownload[.]com, mojhaloton[.]com, mongolianshipregistrar[.]com, mrytlebeachinfo[.]com, myynzl[.]com, newslandtoday[.]net, normalverkehr[.]com, nymsportsmen[.]com, oncalltechnical[.]com, onmnews[.]com, pgfabrics[.]com, pinaylizzie[.]com, profilepimpz[.]com, quickoffice360[.]com, redactnews[.]com, reformporta[.]com, richwoodgrill[.]com, riversidebreakingnews[.]com, rpcgenetics[.]com, sangkayrealnews[.]com, shreyaninfotech[.]com, smldatacenter[.]com, spencerinfo[.]net, starlightstar[.]com, tasensors[.]com, techoilproducts[.]com, thelocaltribe[.]com, tigermm[.]com, tigernewsmedia[.]com, tophooks[.]org, truckingaccidentattorneyblog[.]com, truff-evadee[.]com, tychonews[.]com, unixhonpo[.]com, usedownload[.]com, vanessalove[.]com, versaillesinfo[.]com, vopaklatinamerica[.]com, windowsfiledownload[.]com, xxmodkiufnsw[.]shop, 365officemail[.]com, 7gzi[.]com
url: https://getfiledown[.]com/utdkt, https://versaillesinfo[.]com/brjwcabz, https://lifeyomi[.]com/trkziu, https://lebohdc[.]com/uleuodmm, https://cdn7s65[.]z13[.]web[.]core[.]windows[.]net, https://edupro4[.]z13[.]web[.]core[.]windows[.]net, https://elevateecom[.]com/deqcehfg, https://vabercoach[.]com/uenic,
https://artbykathrynmorin[.]com/lczjnmum
hash: - sha256=397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c, - sha256=49abaa2ba33af3ebde62af1979ed7a4429866f4f708e0d8e9cfffcfa7a279604, - sha256=3e6772aca8bb8e71956349f1ea9fecda5d9b9cfa00f8cdbf846c169ab468a370, - sha256=f0aa5a27ea01362dce9ced3685961d599e1c9203eef171b76c855a3db41f1ec6, - sha256=e81982e40ee5aaed85817343464d621179a311855ca7bcc514d70f47ed5a2c67, - sha256=471e61015ff18349f4bf357447597a54579839336188d98d299b14cff458d132, - sha256=7c741c8bcd19990140f3fa4aa95bb195929c9429fc47f95cf4ab9fad03040f7b, - sha256=1efe366230043521c1f55cc049117a65acd1a29f4470446ad277f57c4f3a2feb, - sha256=7a2994a6b61ee8ac668e41e622edfa7ae7e06b66d80c2a535f5822bc98058c33, - sha256=364f38b48565814b576f482c1e0eb4c8d58effcd033fd45136ee00640a2b5321, - sha256=d4b9f7c167bc69471baf9e18afd924cf9583b12eee0f088c98abfc55efd77617, - sha256=dbe26b8c3a75f2a78e1a47e021e5ed0087dd8433a667ab8238385529239f108e, - sha256=71e462aaca0f2d8c8a685756b070d017c796de6ac22021a79d922f2f182d4fb0, - sha256=2cd4fb94268ba063b1a5eea7fe87e794fecf46c0f56c2aaa81e8c9052bb4f5f2, - sha256=38b2852a8dfadac620351c7bea674c29cc5aa89d051fb7acfb8d550df00d4403, - sha256=34e915d93b541471a9f7e747303f456732cd48c52e91ef268e32119ea8c433c0, - sha256=507aa944d77806b3f24a3337729b52168808e8d469e5253cbf889cdaabb5254e, - sha256=976ffe00ca06a4e3d2482815c2770086e7283025eeecad0a750001dedaa2d16a, - sha256=c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1, - sha256=c2d259056163788dce3a98562bb3bcba3a57a23854104e58a8d0fe18200d690b, - sha256=62adbe84f0f19e897df4e0573fc048272e0b537d5b34f811162b8526b9afaf32, - sha256=67c23db357588489031700ea8c7dc502a6081d7d1a620c03b82a8f281aa6bde6, - sha256=b6f375d8e75c438d63c8be429ab3b6608f1adcd233c0cc939082a6d7371c09bb, - sha256=a7735182b7f9f2c10af3f8d2d10634c344d984f6e53e7a3787e4d3d756a7a0a0, - sha256=53bafcf064d421341c582d93108e84df2f0e284c2b0a4dc2deb9099aa953bf5a, - sha256=7a16ba2f0d2c4f7779b67e41f8196ddc6652ca7b61607696ed154df83c8d7b9c, - 
sha256=749d8980d80966480c85c112a10e1be3d391c1f4673977e880fa461edc2cbf18, - sha256=2220a9297876d7ffb5ad8da4d35ed7b2c8746129f66056e81c4f74a6bb224fd7, - sha256=3ced0837225b635f2ed63e4f72f95933d804e089a21eb8022407a74d772bb94f, - sha256=f1f58fda25e2a6dde9cab4faf02f7246d2a8ab2c96b4b055deea4093eee9d0e6, - sha256=77f813a461b4f1f1c765d951f0bf04668d96efea72cb8ecfb594ea2e36153cf8, - sha256=dc155cb86f5240c2c39c851e006e39cb33ed9b52e0633cbcdcc2164a47a93e22, - sha256=5400fda058d7a13c27e9c95453634e4fee9a421023e0d4482f3eacc198caa928, - sha256=367a98647dea14345e258bc01dfb77b46d1a895e91b5d088cf949de34db13f59, - sha256=f1812ca5170af2401d501561d2a3036379752d22111b10f9ac570587364c82aa, - sha256=e1c85c49982339770189f7947b5bfeb926bc3e4e1d1c63655cb0f8cfdc82a647, - sha256=f2b04c3c764c85c0bedb434b55304d26d067662cd47e620e219657a0007c9fe0, - sha256=c25b3a3d7779cb89772454a756ce48ed3744cf233564d309b6f8d19bd8e26fa4, - sha256=1bde2b050117d7f27e55a71b4795476decace1850587a17d6cf6fd3fc030ff1a, - sha256=73451742de056d3d06f7c42904651439198df449115f7adb08601b8104bec6fb, - sha256=651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859, - sha256=f8c1a4c3060bc139d8ac9ad88d2632d40a96a87d58aba7862f35a396a18f42e5, - sha256=288e79407daae7ae9483ef789d035d464cf878a611db453675ba1a2f6beb1a03, - sha256=ee9c935adae0d830cdc0fccd12b19c32be4f15dffcf454a9d807016ce59ff9a9, - sha256=1a37289c70c78697b85937ae4e1e8a4cebb7972c731aceaef2813e241217f009, - sha256=83946986b28fd8d04d59bab994cd2dc48e83b9711a8f453d8364c2ad27ea0254, - sha256=ade0b5cfedfa73252ec72deee7eb79e26380e2e50b47efcfe12350c9a255bb66, - sha256=b63f51537957572c43c26fc8e9088361978ee901df4b8e67d48843c4fb7c027b, - sha256=557f04c6ab6f06e11032b25bd3989209de90de898d145b2d3a56e3c9f354d884, - sha256=095855cf6c82ae662cce34294f0969ca8c9df266736105c0297d2913a9237dd1, - sha256=abd5a09ec75ff36df87ece894cab441ef7f021f5bdd8ba55d00b8ed8aac03ab4, - sha256=7b8dbfe66d16ad627d3864bd5d396b98a86c75aa4a3d87067a03221d73a560c1, - 
sha256=52ba1bd4d40202c24cb896a355f094dbe0dc6e211f5ddd5b59f0c39b99203172, - sha256=b02b2c0a9209f20dab4efbc458160f5a9efdb81b6474ec10bb727295a86d825a, - sha256=7f382a8b19613d078e4b78b677cb7592cab7c17577638e7ecad0a4952c6f4055, - sha256=aafff72a8c4ad7be37b25e3686a28a11f1d29a0acc771cac1974e17c176c5ed1, - sha256=16dd782942b25aa2eb61bc7de36820444b9f55846c815e249a942b52c61be6b5, - sha256=d674025113d350438a11439d56db111881de887fea41b2d168c6c2b8d8c22014, - sha256=ca963057e69914d7e6c40aa7c43b393a1516f6dfdd2abfed12ddaa21fc2cfcce, - sha256=96085a217f0841bae3fe77ecf60785a5cf4051748e90c818cf6160f7fd00b12e, - sha256=bde73773529ec32161fb8a675b50678771bf317a83f3dd8d0c47f54bdc665722, - sha256=94ad60e87518ac2f655be1b0297e0109da3ef0ae733357206e3e87712c5dfba7, - sha256=908ff3a80ef065ab4be1942e0d41583903f6aac02d97df6b4a92a07a633397a8, - sha256=a5cd617434e8d0e8ae25b961830113cba7308c2f1ff274f09247de8ed74cac4f, - sha256=4ac2a633904b0da3ac471776ecbaded91e1f3a5107630fafde76868cace46051, - sha256=75e849cc96c573fdfe0233b4d9a79c17fb4c40f15c0b6c0d847c461a30f1cbe8, - sha256=d188e877066f0932440d4cd8e8e2e856d7b92d40b475b7c0f0c996b34a2847a4, - sha256=37c7bdac64e279dc421de8f8a364db1e9fd1dcca3a6c1d33df890c1da7573e9f, - sha256=6e07e37618f57ac1930865e175d49ef1bf85aa882ffbd30538f55f64d024085b, - sha256=58a73d445f6122c921092001b132460bb6c1601dc93ecfaabe5df2bf0fef84de, - sha256=9afddc7ff0a75975748e5dc7d81eee8cd32be79ca32edfebd151a376563e7d4b, - sha256=9333cc552193cfe9122515e3d7b210de317c297f1c09da5180b3a7f006d94fe4, - sha256=3552708726f50ee949656e66a4a10da304bae088fa1b875bfab9e182b6ec97f7, - sha256=5dae5254493df246c15e52fd246855a5d0a248f36925cecee141348112776275, - sha256=b9836265c6bfa17cd5e0265f32cedb1ced3b98e85990d000dc8e1298d5d25f93, - sha256=d27c5d38c2f3e589105c797b6590116d3ec58ad0d2b998d2ea92af67b07c76b1, - sha256=282fc12e4f36b6e2558f5dd33320385f41e72d3a90d0d3777a31ef1ba40722d6, - sha256=80a7ff01de553cb099452cb9fac5762caf96c0c3cd9c5ad229739da7f2a2ca72, - 
sha256=0b152012c1deab39c6ed7fe75a27168eaaec43ae025ee74d35c2fee2651b8902, - sha256=0c7ee8667f48c50ea68c9ad02880f0ff141a3279bd000502038a3a187c7d1ede, - sha256=49c32f39d420b836a2850401c134fece4946f440c535d4813362948c2de3996f, - sha256=c5aa22163eb302ef72c553015ae78f1efe79e0167acad10047b0b25844087205, - sha256=30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19, - sha256=2d884fd8cfa585adec7407059064672d06a6f4bdc28cf4893c01262ef15ddb99, - sha256=a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129, - sha256=2232cd249be265d092ea923452f82aae28f965b48897fe6f05a7cd4495fcd96e, - sha256=aaad74fbf1b3f499aa2be9f5a86f0d6427c2d807c27532090671295a2b5d67e0, - sha256=6e37ad572f1e7d228c8c0c7cb1ef2d966d16d681669587cfb80e063106d77a6e, - sha256=6ac4b0fd81e317615e0935e83874ef997b7bff3aff2f391405a2e22161f4fd45, - sha256=dd2d8fb565b18065bde545da16f67f31036b4d45dec5b82caa74e30a617e85e8, - sha256=945f7ca6ce890f6cd1813b0ed1912ef25ed4a5f11da0fe97c20fe443bd4489a1, - sha256=042045687882ec8dc2d61e26e86e56620c4a1e694b46f9ce814b060cb0cf4bb5, - sha256=5479927c78faed415853c3ba3798dfff93d4047a17c3c4d87f7dc1ce8289395c, - sha256=d8981d4cbca9b99828a9459e4abfbbe20a221bfc59fc0f2a6d6a751c363b26c4, - sha256=c6bd2c31ebaa8d51964c49a22bc796aa506e594d6f1b1043b01d0baf58836172, - sha256=df3e5c62fa7086eec23c04cb52a17d64aa0b4f252551c8a65c599291a7cee61f, - sha256=2c791775e66a77fe72aa826823f554bfe9a41525c6c1c14798cf56a42925db31, - sha256=74f3101e869cedb3fc6608baa21f91290bb3db41c4260efe86f9aeb7279f18a1, - sha256=1cbf860e99dcd2594a9de3c616ee86c894d85145bc42e55f4fed3a31ef7c2292, - sha256=54549745868b27f5e533a99b3c10f29bc5504d01bd0792568f2ad1569625b1fd, - sha256=8c9e1f17e82369d857e5bf3c41f0609b1e75fd5a4080634bc8ae7291ebe2186c, - sha256=d0c4eb52ea0041cab5d9e1aea17e0fe8a588879a03415f609b195cfbd69caafc, - sha256=ca0dfda9a329f5729b3ca07c6578b3b6560e7cfaeff8d988d1fe8c9ca6896da5, - sha256=6784b646378c650a86ba4fdd4baaaf608e5ecdf171c71bb7720f83965cc8c96f, - 
sha256=00619a5312d6957248bac777c44c0e9dd871950c6785830695c51184217a1437, - sha256=eae187a91f97838dbb327b684d6a954beee49f522a829a1b51c1621218039040, - sha256=c1f27bed733c5bcf76d2e37e1f905d6c4e7abaeb0ea8975fca2d300c19c5e84f

Title: Golang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure
Link: https://hunt.io/blog/golang-beacons-vs-code-tunnels-tracking-cobalt-strike
Summary: A research team identified two Cobalt Strike servers on the Huawei Cloud network in Hong Kong, with one configured for command and control communication. A malicious file, flagged as a Cobalt Strike beacon and written in Golang, utilized Visual Studio Code dev tunnels for evasion tactics, collecting system details and indicating alignment with Cobalt Strike version 4.5. Further analysis linked the activities to an IP address hosted on Microsoft Azure, revealing a sophisticated trend in which threat actors repurpose legitimate infrastructure to conduct unauthorized actions, with associations to known Chinese APT campaigns.

Threats: cobalt_strike geacon digital_eye_campaign red_delta_group pirate_panda_group dev_tunnels_tool
Indicators of compromise:
-------------------------
ip: 189[.]1[.]231[.]190, 20[.]197[.]80[.]108
url: https://189[.]1[.]231[.]190:1001/sugrec, https://lcjp4gwb-1001[.]asse[.]devtunnels[.]ms/_/passApi/js/wrapper[.]js, https://lcjp4gwb-1001-inspect[.]asse[.]devtunnels[.]ms
hash: - sha256=c717d8b26de612e15015cd55940215be336963b6062196f9d847912b98582627

Title: Recruitment Phishing Scam Imitates CrowdStrike Hiring Process
Link: https://www.crowdstrike.com/en-us/blog/recruitment-phishing-scam-imitates-crowdstrike-hiring-process
Summary: On January 7, 2025, CrowdStrike identified a phishing campaign that exploited its recruitment branding, targeting job seekers through emails designed to appear as part of a hiring process.
The phishing emails directed recipients to a malicious website where they were prompted to download a fake "employee CRM application," which is actually a downloader for the XMRig cryptominer. The malicious executable, written in Rust, implements various evasion techniques to avoid detection and downloads the XMRig miner from GitHub if certain system conditions are met.

Threats: xmrig_miner
Indicators of compromise:
-------------------------
ip: 93[.]115[.]172[.]41, 93[.]115[.]172[.]41:1300
domain: cscrm-hiring[.]com
url: https://cscrm-hiring[.]com/cs-applicant-crm-installer[.]zip, http://93[.]115[.]172[.]41/private/aW5zdHJ1Y3Rpb25zCg==[.]txt
hash: - sha256=96558bd6be9bcd8d25aed03b996db893ed7563cf10304dffe6423905772bbfa1, - sha256=62f3a21db99bcd45371ca4845c7296af81ce3ff6f0adcaee3f1698317dd4898b, - sha256=7c370211602fcb54bc988c40feeb3c45ce249a8ac5f063b2eb5410a42adcc030

Title: Banshee: The Stealer That Stole Code From MacOS XProtect
Link: https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-from-macos-xprotect
Summary: Check Point Research has been closely monitoring a new version of the macOS stealer, Banshee, associated with Russian-speaking cyber criminals, since September. This malware, targeted specifically at macOS users, evaded detection for over two months until its source code was leaked on XSS forums, revealing advanced string encryption techniques, akin to those used in Apple's XProtect antivirus. Despite the original stealer-as-a-service operation halting following the leak, Banshee continues to be distributed through phishing websites, utilizing tactics such as malicious GitHub repositories and deceptive offerings of cracked software.
The malware is designed to extract sensitive information, including credentials from browsers and cryptocurrency wallets, while employing anti-analysis techniques to evade detection, highlighting a growing threat to macOS users amid rising cyber criminal focus on this platform.

Threats: banshee_stealer lumma_stealer
Indicators of compromise:
-------------------------
ip: 41[.]216[.]183[.]49
domain: authorisev[.]site, contemteny[.]site, dilemmadu[.]site, faulteyotk[.]site, forbidstow[.]site, goalyfeastz[.]site, opposezmny[.]site, seallysl[.]site, servicedny[.]site
url: http://41[.]216[.]183[.]49/api/send, https://github[.]com/ArvendraChhonkar/todo/releases/download/macosandwindows/Project_v1[.]2[.]0[.]zip, https://github[.]com/ArvendraChhonkar/todo/releases/download/macosandwindows/install_setup_v1[.]2[.]0[.]dmg, https://api7[.]cfd/testet123t/Telegram[.]dmg, http://api7[.]cfd/testet123t, https://coincapy[.]com/zx, https://fotor[.]software/MediaKIT, https://fotor[.]software/MacOS/Collaboration, https://steamcommunity[.]com/profiles/76561199724331900
hash: - sha256=cdfbcb3d850713c49d451b3e80fb8507f86ba4ad9385e083c2a2bf8d11adc4fb, - sha256=1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416, - sha256=d8ecc92571b3bcd935dcab9cdbeda7c2ebda3021dda013920ace35d294db07be, - sha256=00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93, - sha256=ce371a92e905d12cb16b5c273429ae91d6ff5485dda04bfedf002d2006856038, - sha256=d04f71711e7749a4ff193843ae9ce852c581e55eaf29b8eec5b36c4b9c8699c2, - sha256=3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab, - sha256=b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114

Title: How Cracks and Installers Bring Malware to Your Device
Link: https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-bring-malware-to-your-device.html
Summary: Cyber threat actors are leveraging platforms like YouTube and social media to distribute malicious fake software installers that direct users to
harmful websites, exploiting the trust users have in these platforms. Utilizing reputable file hosting services to obfuscate their malware’s origin, these threats often employ password protection and encoding to evade detection in security environments. The Lumma info stealer exemplifies the trend of deceptive installers, which are disguised as legitimate applications, thereby facilitating the theft of sensitive data such as credentials and personal information from infected systems. In their operations, cybercriminals utilize various tactics to bypass security defenses, including disguising malicious files and misleading potential victims through seemingly genuine software installation tutorials.

Threats: lumma_stealer raccoon_stealer privateloader mars_stealer amadey penguish vidar_stealer dll_sideloading_technique process_injection_technique revil rugmi
Indicators of compromise:
-------------------------
domain: simple-updatereport3[.]com
url: http://194[.]116[.]215[.]195/File[.]exe, http://185[.]215[.]113[.]202/tema/rana[.]exe, http://147[.]45[.]44[.]104/revada/66f45ebb9b495_crypted_20240925215808[.]exe#1, http://176[.]113[.]115[.]33/thebig/noode[.]exe, http://147[.]45[.]44[.]104/lopsa/66f18e5598f87_kaloa[.]exe, http://147[.]45[.]44[.]104/yuop/66f3de8e8f1c5_lyla334[.]exe#lyla, http://147[.]45[.]44[.]104/prog/66f42472a1351_vfdsgfsda[.]exe, https://bitbucket[.]org/kcatelin/jameson/downloads/easyfirewall[.]exe, http://176[.]111[.]174[.]109/kurwa, http://185[.]215[.]113[.]37/0d60be0de163924d/sqlite3[.]dll, http://147[.]45[.]44[.]104/prog/66f4248154c67_sgdfgs[.]exe, http://147[.]45[.]44[.]104/lopsa/66ea645129e6a_jacobs[.]exe, http://45[.]155[.]249[.]117/search/?q=67e28dd86509fa2e4758fe197c27d78406
hash: - sha1=f0745f349387f91cd3e586f5806362ba4047c452, - sha1=469ed7d853d590e90f05bdf77af114b84c88de2c, - sha1=980d42c5f646dfbaa7d6ec8d764f35176f1d0c1b, - sha1=559179b4e2508b0d813fe8ab95b337b8ca7010c1, - sha1=ea2dd0f24f380288f7ddec30f6bb56e139a7de4d, - 
sha1=b771dd2692706996956a2def154755d41866ec6e, - sha1=93f70a0a1c850bd12e814d113720dd0732daf286, - sha1=27b45865e79e48634533d3971ddf2a0164c4f3bb, - sha1=7d713406a470e2d34ec2b44a353fc6f0a700ebf3, - sha1=2bff6fd096b95b1591259d223f7a0ced2bb1c79f, - sha1=92d1bf1f367b38d4e858fff9ba49ba0af9c6331e, - sha1=b0c69327cf2fa32f59e6660b1d2940cc1ea8ccdd, - sha1=a33b2fc8560ae87aa120fc3a9829f5b28034e70b, - sha1=1af9c47cebcd26a7bfbff7b40b02a6da7391fe12, - sha1=b14aadd4a664faf9111f8e4888121d802c339d04, - sha1=2af2ee421ae26a98f9775bfe46821ffb47b406d3, - sha1=54707cf003933f529c71c70deefba54e401093e5, - sha1=f79925dbb1b132647265ee0033f68918b9f23b7f, - sha1=2100e96043b56b97601f55d51d9c66ea6ba859d1, - sha1=456bafcf7442595a1b4cd94112d61eb987dc5968, - sha1=4d2c9d9b09226524868760263c873edc664456a9

Title: EAGERBEE, with updated and novel components, targets the Middle East
Link: https://securelist.com/eagerbee-backdoor/115175
Summary: The EAGERBEE backdoor has been identified in deployments targeting ISPs and governmental entities in the Middle East, incorporating a service injector and various plugins for executing commands and managing network connections. Key components include "tsvipsrv.dll," which embeds the backdoor into running services, and "dllloader1x64.dll," which collects system information while communicating with a command-and-control server.
In East Asia, EAGERBEE was linked to breaches exploiting the ProxyLogon vulnerability in Exchange servers, involving the use of webshells and legitimate Windows services to facilitate its operation, with connections drawn between EAGERBEE and the CoughingDown group through shared code and C2 infrastructure.

Threats: eagerbee coughingdown_group dll_hijacking_technique proxylogon_exploit netstat_tool
Indicators of compromise:
-------------------------
ip: 45[.]90[.]58[.]103, 185[.]82[.]217[.]164, 62[.]233[.]57[.]94, 82[.]118[.]21[.]230, 194[.]71[.]107[.]215, 151[.]236[.]16[.]167, 5[.]34[.]176[.]46, 195[.]123[.]242[.]120, 195[.]123[.]217[.]139
domain: www[.]socialentertainments[.]store, www[.]rambiler[.]com
hash: - md5=f96a47747205bf25511ad96c382b09e8, - md5=183f73306c2d1c7266a06247cedd3ee2, - md5=9d93528e05762875cf2d160f15554f44, - md5=c651412abdc9cf3105dfbafe54766c44, - md5=26d1adb6d0bcc65e758edaf71a8f665d, - md5=cbe0cca151a6ecea47cfaa25c3b1c8a8, - md5=35ece05b5500a8fc422cec87595140a7

Title: Gayfemboy: A botnet that spreads using Four-Faith Industrial Routers 0DAY
Link: https://blog.xlab.qianxin.com/gayfemboy
Summary: The Gayfemboy botnet, initially captured by XLab in February 2024, has evolved from a Mirai derivative into a sophisticated cyber threat, leveraging over 20 vulnerabilities, including a 0day vulnerability in Four-Faith Industrial Routers. By November 2024, the botnet comprised more than 15,000 active nodes, primarily across the US, China, Iran, Russia, and Turkey, and actively targeted various industries worldwide.
XLab's efforts to analyze and monitor the botnet led to retaliatory DDoS attacks from Gayfemboy, resulting in significant disruptions to XLab's services when the botnet launched attacks reaching up to 100Gbps.

Threats: gayfemboy mirai upx_tool ghostnet
Indicators of compromise:
-------------------------
ip: 123[.]249[.]103[.]79, 123[.]249[.]109[.]227, 123[.]249[.]111[.]22, 123[.]249[.]116[.]30, 123[.]249[.]116[.]81, 123[.]249[.]126[.]147, 123[.]249[.]64[.]207, 123[.]249[.]68[.]177, 123[.]249[.]82[.]162, 123[.]249[.]82[.]229, 123[.]249[.]87[.]110, 123[.]249[.]90[.]104, 123[.]249[.]90[.]23, 123[.]249[.]91[.]159, 123[.]249[.]94[.]157, 123[.]249[.]99[.]231, 124[.]71[.]235[.]245, 176[.]97[.]210[.]250, 178[.]211[.]139[.]105, 178[.]211[.]139[.]196, 178[.]211[.]139[.]241, 185[.]16[.]39[.]37, 193[.]32[.]162[.]34, 193[.]34[.]214[.]123, 193[.]42[.]12[.]166, 194[.]50[.]16[.]198, 198[.]98[.]51[.]91, 198[.]98[.]54[.]234, 209[.]141[.]32[.]195, 209[.]141[.]51[.]21, 37[.]114[.]63[.]100, 45[.]128[.]232[.]200, 45[.]142[.]122[.]187, 45[.]142[.]182[.]126, 45[.]145[.]41[.]175, 45[.]148[.]10[.]230, 45[.]95[.]147[.]211, 5[.]181[.]188[.]158, 70[.]36[.]99[.]15, 77[.]90[.]22[.]10, 77[.]90[.]22[.]35, 94[.]156[.]10[.]163, 94[.]156[.]10[.]164, 95[.]214[.]53[.]211, 95[.]214[.]54[.]53, 101[.]42[.]158[.]190, 101[.]43[.]141[.]112, 107[.]189[.]28[.]60, 108[.]233[.]83[.]51, 152[.]32[.]237[.]129, 203[.]23[.]159[.]152, 209[.]141[.]32[.]148, 209[.]141[.]35[.]56, 209[.]141[.]55[.]38, 209[.]141[.]57[.]222, 65[.]175[.]140[.]164
domain: meowware[.]ddns[.]net, itns[.]net
hash: - sha1=3287158c35c93a23b79b1fbb7c0e886725df5faa, - sha1=ba9224828252e0197ea5395dad9bb39072933910, - sha1=fe72a403f2620161491760423d21e6a0176852c3

Title: Compromised PECs: Vidar Exploits New Obfuscation Method (CERT-AGID)
Link: https://cert-agid.gov.it/news/pec-compromesse-vidar-sfrutta-un-nuovo-metodo-di-offuscamento
Summary: The Vidar cyber campaign, detected on January 6, 2025, targets Italian users through the exploitation of compromised PEC mailboxes for malware distribution, showcasing advanced tactics and a high level of sophistication. Key elements of this campaign include the use of 148 second-level domains generated by a Domain Generation Algorithm (DGA), the implementation of intricate obfuscation techniques within a JavaScript file, and the strategic delay of URL activation to hinder detection efforts. Moreover, the attackers frequently rotated IP addresses, domains, and sender boxes every few minutes to further complicate defense mechanisms and evade security systems.

Threats: vidar_stealer
Indicators of compromise:
-------------------------
domain: londhall[.]com, maisonreinzo[.]com, libcodes[.]com, losangelesrecoverycenter[.]com, mamabambam[.]com, ajiejaigbagfkha[.]top, lilikoibakehouse[.]com, lugomirski[.]com, livingolive[.]com, likeycomparte[.]com, luminarybooking[.]com, madeinturkistan[.]com, makethedjlookgood[.]com, loborika[.]com, libadah[.]com, lohaluna[.]com, livefrombeyond[.]com, maitecc[.]com, linhlongcity[.]com, londoncourant[.]com, liquidacions[.]com, lovesnextmeeting[.]com, lifestyleunfiltered[.]com, luminacreate[.]com, maakview[.]com, locksleyarchery[.]com, maemark[.]com, localdoormart[.]com, magicgaragedoorsma[.]com, maddoxnsilva[.]com, lifesafetyconnection[.]com, madinathadiza[.]com, lindadesollaprice[.]com, localgeomedia[.]com, lucalvry[.]com, lockreport[.]com, livgreatgivelocal[.]com, magicsoulciety[.]com, luxuryboatsrental[.]com, madewithprecision[.]com, lookitop[.]com, lincolncounsel[.]com, luxuryhomeslisting[.]com, locallastmile[.]com, lovelyjojo[.]com, makemoneyonlinefromanywhere[.]com, llqualityproducts[.]com, loanolicious[.]com, littlehillpodcast[.]com, gajaechkfhfghal[.]top,
ligaciclismove[.]com, livewellmedpeds[.]com, makemoreadschallenge[.]com, ighnjnueuelll[.]top, makegeargreatagain[.]com, llmwhitepaper[.]com, luxuryhotelsindia[.]com, localbizjournal[.]com, luckyf68[.]com, lures4u[.]com, lwagpod[.]com, madeincaribbean[.]com, localfarmhands[.]com, lovabot[.]com, makinarabia[.]com, livingwifcovid[.]com, lifestyleleftovers[.]com, luckydirect[.]com, mag-mount[.]com, mag12v[.]com, limsrep[.]com, lozasmokiwater[.]com, madebylukas[.]com, lumicfish[.]com, lushspacare[.]com, magnifiqueetjolie[.]com, kcehmenjdibnmni[.]top, machuma[.]com, libertyvilleilfirst[.]com, lovetomarch[.]com, madebyhunters[.]com, magiclanternprints[.]com, luongycutuan[.]com, longtailhashtags[.]com, link4905[.]com, luxuryhotelsmonaco[.]com, mallorquinhouses[.]com, malattire[.]com, life-ar[.]com, loverevisited[.]com, m0ment0[.]com, localsiteai[.]com, lionintweed[.]com, longcovidpeer[.]com, lightcolorlive[.]com, macrosecrets[.]com, livbr[.]com, liquiddome[.]com, lilgreenheart[.]com, libmcrx[.]com, light4consulting[.]com, loverbrandapparel[.]com, lflorek[.]com, maguslod[.]com, majobsnearme[.]com, livingyourvisionnow[.]com, magcovermaker[.]com, love-bed[.]com, liquidfinishes[.]com, loginshow[.]com, lifeofclean[.]com, lucasclarkel[.]com, luxurylivestyle[.]com, longevityvo2max[.]com, loujor[.]com, localidealist[.]com, bfhdkgmmhdbikgj[.]top, iblaehgffmflamn[.]top, llmedium[.]com, madresconectadas[.]com, lingualuminis[.]com, lithiumpulse[.]com, litomusicstore[.]com, jjdgdeffjimfgne[.]top, louisvillehipkneeinstitute[.]com, luckytencasino[.]com, lugochan[.]com, londoninstituteuk[.]com, luke418business[.]com, lulareviews[.]com, liverpoolmercury[.]com, maiertim[.]com, loans-advisor[.]com, littlehoneyshawaii[.]com, lmbtrack[.]com, lhmpud[.]com, littlejohndaly[.]com, localhearing[.]com, lucindabakkenwhite[.]com, lighthouserealestateinvestmentgroup[.]com, lumixbooks[.]com, liveoutlets[.]com, lewisblackman[.]com, mallorybarnes[.]com, localseoknowhow[.]com, maguspiano[.]com, 
lwc-wine[.]com, louisvillekneehipinstitute[.]com, luxoillubricants[.]com, luminakinetics[.]com, magic-of-making-up-course[.]com, littlemainecabin[.]com, majesticheightsfarms[.]com, madeinwoodside[.]com, mainailsupply[.]com
url: https://wv4vagrhyh34g0cbp6dvh6dd0vuy4mumq8yk6[.]lighthouserealestateinvestmentgroup[.]com/WSk67HCO1J, http://bfhdkgmmhdbikgj[.]top/m3yq5re71lhtr[.]php, http://ighnjnueuelll[.]top/1[.]php?s=mints13, http://gajaechkfhfghal[.]top/crzx4ovu3nhtr[.]php
hash: - sha1=bd3904b39af0f8eceaa680e5db144ed5e43e95e1, md5=600d743e346702c13d31f6e546804d04, sha256=5f84510eafe6cc002c5916ca29b264af48aaed7b85d8225dd13373fdb9c0c24d

Title: Cyberhaven Extension Compromise: TLS Certificate Links Hidden Infrastructure
Link: https://hunt.io/blog/cyberhaven-extension-compromise-tls-certificate-links-infrastructure
Summary: The Cyberhaven incident in December 2024 featured a phishing attack that compromised a Google Chrome extension, leading to the upload of a malicious version, 24.10.4, to the Chrome Web Store for approximately 24 hours. This compromised extension was capable of exfiltrating cookies and session data from various websites, indicating a targeted effort potentially linked to a broader campaign focusing on Facebook advertising accounts, reminiscent of tactics used by the group known as Savvy Seahorse, as detailed by Infoblox. The investigation uncovered two command-and-control servers and identified one domain, moonsif[.]store, associated with prior malicious activities, suggesting active preparations by the threat actors for more extensive operations beyond the initial attack on Cyberhaven.
While similarities to established threat groups exist, further analysis is warranted to confirm direct links or attribute responsibility for the Cyberhaven incident to specific actors.

Threats: savvy_seahorse_actor
Indicators of compromise:
-------------------------
ip: 149[.]28[.]124[.]84, 149[.]248[.]2[.]160, 45[.]76[.]225[.]148, 45[.]32[.]69[.]11, 140[.]82[.]45[.]42, 80[.]240[.]21[.]36, 140[.]82[.]50[.]201, 136[.]244[.]113[.]231, 155[.]138[.]253[.]165, 108[.]181[.]190[.]53
domain: cyberhavenext[.]pro, api[.]cyberhaven[.]pro, admin[.]tkv2[.]pro, moonsif[.]store, wakelet[.]ink, plutonile[.]com, ultrablock[.]pro, locallyext[.]ink, tinamind[.]info, pieadblock[.]pro, proxyswitchyomega[.]pro, vidnozflex[.]live, dearflip[.]pro, stagingx[.]plutonile[.]com, ext[.]bardaiforchrome[.]live, savgptforchrome[.]pro, gptdetector[.]live, searchgptchat[.]info, gpt4summary[.]ink, savegptforyou[.]live, massdevelopment[.]us[.]com, zhgift[.]com, youtubeadsblocker[.]live, searchcopilot[.]co, okta-onslove[.]com, www[.]remiwantnun[.]com, chatgptextent[.]pro, auth-wisp-systems[.]com, blockadsonyt[.]vip, geminiaigg[.]pro, wareinnovator[.]merseine[.]com, savechatgpt[.]site, searchaiassitant[.]info, check[.]aethir[.]us, www[.]checker[.]aethir[.]us, adskiper[.]net, extensionbuysell[.]com, ytadblocker[.]com, aiforgemini[.]com, extensionpolicyprivacy[.]com, geminiforads[.]com, app[.]adskiper[.]net, blockforads[.]com, linewizeconnect[.]com, policyextension[.]info, checkpolicy[.]site, yeowauto[.]skygst[.]net, savegptforchrome[.]com, chatgptforsearch[.]com, bardaiforchrome[.]live, google[.]forbarai[.]com, search[.]forbarai[.]com, vafera[.]rubrically[.]eu, internetdownloadmanager[.]pro, goodenhancerblocker[.]site, fadblock[.]pro, wildwestgaming[.]net, bo[.]jackblack[.]io, dev[.]jackblack[.]io, demo-3[.]wildwestgaming[.]net, admin[.]www333[.]online, api[.]bonuspg77[.]online, hb333[.]online, www[.]bonuspg77[.]online, www[.]www333[.]online
hash: - 
sha256=714936fff8b5a1fdfb793470a8b8bc0096dd1ffcf4ec2154826196b043f5ef69email:Title: The Hunt for RedCurlLink: https://www.huntress.com/blog/the-hunt-for-redcurl-2Summary: In mid to late 2024, Huntress discovered suspicious activities linked to the APT group RedCurl within several Canadian organizations, with these activities dating back to November 2023. The group, known for cyberespionage, focused on extracting data without ransom demands, targeting industries such as retail, finance, tourism, and consulting, while employing evolving techniques to evade detection. Notable tactics included the use of a 7zip binary executed from suspicious locations, scheduled tasks involving Windows Program Compatibility Assistant, PowerShell for file downloads, and the utilization of malware known as RedLoader, which employed obfuscation methods to maintain stealth.Threats: red_wolf_group lolbin_technique rpivot_tool redloader blacksuit_ransomwareIndicators of compromise:-------------------------ip: 188[.]130[.]207[.]253, 104[.]21[.]37[.]229, 23[.]254[.]224[.]79, 193[.]176[.]158[.]30, 104[.]21[.]22[.]32, 172[.]67[.]182[.]51, 103[.]139[.]238[.]168domain: mainsts-01[.]cn[.]alphastoned[.]pro, alphastoned[.]pro, bora[.]teracloud[.]jp, cdn[.]wgroadcdn[.]workers[.]dev, sup[.]wgsphere[.]workers[.]devurl: hash: - sha256=574a55706697d7e0109cf920ae6e0047cd7a802c9ad457e3b68e7802f3f902ef, - sha256=6d85ad9e14a23ed6bf700f636273b30f53c54267d0f624c8ff7bc0008f7db4f7, - sha256=c75048a4933c3061f6cd02c8ca96ed524166fce4cc4b9e0c7ea6ac8295dc3c47, - sha256=1935692d1c4492f99c969d11d81481aea736f3899b1f55af9c8f6cf6ca9b839c, - sha256=904669bd897dbb99561ef080d9818ff4bc9c106aa476d25b992439cdea4d1b0b, - sha256=9bdf91507fb4f3772a6d66a78f0f1f44075eefba4af65094c374f9d72e25bade, - sha256=ff3706e94d9b769f78e4271928382426cb034b11c5a0f6a8ffea35726cc03692, - sha256=01d94de4d104f6df121f97bae9cbbfada5a9cd4c3af0e1c403271d8284815cad, - sha256=9d667de8a99e757176cea1aa0af0d81972005d4abf3b7aff942d8c30fb151e35, - 
sha256=5a8314cbdccc7362a100b9db92b05597dad37c13b4cbb7b0fd1ef58d625dd454, - sha256=4af2c0c6087f9410cf57af4cf7eb09b5a3038bb78f4e50625402e32ad9662e66email:This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
# Incident Report: RedDelta Espionage Campaign Targeting Asia Pacific Entities
## Executive Summary
The Chinese state-sponsored group RedDelta conducted targeted cyber operations against Mongolia, Taiwan, and Vietnam between July 2023 and December 2024, utilizing customized PlugX backdoors delivered via spearphishing. The campaign successfully compromised the Mongolian Ministry of Defense and targeted high-level political entities, demonstrating an alignment with Chinese strategic interests. Response actions are unknown, but the group leveraged advanced techniques including DLL search order hijacking and cloud services for C2.
## Incident Details
- Discovery Date: Not stated in the report (activity reported for July 2023 to December 2024)
- Incident Date: Activity spans July 2023 to December 2024
- Affected Organization: Mongolian Ministry of Defense (Confirmed Compromise)
- Sector: Government, Political
- Geography: Mongolia, Taiwan, Vietnam, Malaysia, Japan
## Timeline of Events
### Initial Access
- Date/Time: Initial activity reported from July 2023
- Vector: Spearphishing campaigns
- Details: Attackers used lure documents tailored to target interests (local political candidates, national events) to deliver malware payloads.
### Lateral Movement
- Details: Not explicitly detailed in the report; assumed to follow the typical pattern of PlugX RAT use after initial compromise.
### Data Exfiltration/Impact
- Impact: Espionage and intelligence gathering targeting governmental and diplomatic entities.
- Specific Success: Compromise of the Mongolian Ministry of Defense.
### Detection & Response
- Detection: Reported by The Insikt Group.
- Response Actions: Not detailed in the provided summary.
## Attack Methodology
- Initial Access: Spearphishing with tailored lure documents.
- Persistence: Likely established via customized PlugX backdoors.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Utilization of DLL search order hijacking technique and leveraging cloud services for C2 traffic concealment.
- Credential Access: Not explicitly detailed.
- Discovery: Not explicitly detailed.
- Lateral Movement: Not explicitly detailed.
- Collection: Implicit intelligence gathering aligned with state interests.
- Exfiltration: Not explicitly detailed.
- Impact: Compromise of sensitive government networks.
## Impact Assessment
- Financial: Not available.
- Data Breach: Sensitive government and diplomatic data likely targeted or accessed.
- Operational: Disruption to the Mongolian Ministry of Defense following its confirmed compromise.
- Reputational: Potential security fallout for organizations targeted across the region.
## Indicators of Compromise
- Network indicators (Defanged):
- IP Addresses: `115[.]1[.]231[.]190`, `20[.]197[.]80[.]108`
- Domains Used for C2 Hosting/Traffic: `.com`, `.gov` (context on specific domains/subdomains redacted)
- File indicators: Customized PlugX backdoors, potentially utilizing Nim Loader components.
- Behavioral indicators: Use of DLL search order hijacking for execution/persistence.
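The network indicators above are written in the defanged `a[.]b` form, and the recommendations call for monitoring known infrastructure; as an added example (not code from RST Cloud, Insikt Group or any cited vendor), the following Python refangs such indicators and matches them against log lines. The indicator values and log lines are constructed (RFC 5737 addresses and reserved example domains), not the report's IoCs.

```python
import re

# Constructed indicators in the report's "a[.]b" defanged form (RFC 5737 / example domains, not the report's IoCs).
DEFANGED_IOCS = [
    "192[.]0[.]2[.]10",
    "203[.]0[.]113[.]77",
    "updates[.]example[.]net",
    "hxxp://cdn[.]example[.]org/loader",
]

# Constructed DNS/proxy log lines, not taken from any report.
SAMPLE_LOGS = [
    "2025-01-10T09:12:01Z 10.0.0.5 -> 192.0.2.10:443",
    "2025-01-10T09:12:05Z 10.0.0.7 -> files.example.com:443",
    "2025-01-10T09:13:44Z 10.0.0.5 dns query updates.example.net",
    "2025-01-10T09:15:02Z 10.0.0.9 -> sub.cdn.example.org:80 GET /loader",
]

# Matches dotted-quad IPs or dotted hostnames inside a log line.
HOST_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def refang(indicator):
    """Reverse common defanging: [.] / (.) / [dot] become '.', hxxp becomes http."""
    value = indicator.strip()
    for token in ("[.]", "(.)", "[dot]"):
        value = value.replace(token, ".")
    return re.sub(r"^hxxp", "http", value, flags=re.I).lower()

def ioc_hosts(indicators):
    """Reduce each indicator to the bare IP or domain used for matching."""
    hosts = set()
    for ind in indicators:
        host = re.sub(r"^https?://", "", refang(ind)).split("/")[0]
        hosts.add(host.split(":")[0])
    return hosts

def is_known(host, hosts):
    """Exact match, or a subdomain of a known domain (child hosts of a C2 domain count)."""
    host = host.lower()
    return host in hosts or any(host.endswith("." + h) for h in hosts)

def match_logs(lines, indicators):
    """Return (line, matched_host) for every log line that touches known infrastructure."""
    hosts = ioc_hosts(indicators)
    hits = []
    for line in lines:
        for candidate in HOST_RE.findall(line):
            if is_known(candidate, hosts):
                hits.append((line, candidate.lower()))
                break
    return hits
```

The subdomain rule matters in practice: actors rotate child hosts under a registered C2 domain, so exact matching alone misses traffic a parent-domain match would catch.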
## Response Actions
- Containment measures: Not detailed.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed.
## Lessons Learned
- State-sponsored actors continuously evolve their toolsets (e.g., customized PlugX variants) to maintain persistence and evasion.
- Spearphishing remains a highly effective initial access vector when tailored to specific governmental or political topics.
- Attackers are increasingly using legitimate cloud infrastructure to host C2 traffic, complicating traditional network detection.
## Recommendations
- Implement enhanced email filtering and comprehensive user training focused on targeted spearphishing lures related to sensitive domestic and political issues.
- Actively monitor and block known infrastructure IPs/domains associated with the RedDelta group.
- Implement strict application control and monitoring for behavior associated with DLL search order hijacking techniques across critical assets.
- Review and harden network defenses around critical governmental networks, specifically those related to defense and foreign policy.
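For the recommendation on monitoring for DLL search order hijacking, an added example that is not code from RST Cloud or the cited reports: a Python heuristic run over constructed image-load events (field names follow Sysmon Event ID 7; the paths, signing values and the DLL-name list are constructed for illustration) that flags a DLL carrying a Windows system library's name being resolved from outside the system directories, typically beside its executable in a user-writable path.

```python
import ntpath

# Constructed image-load events with Sysmon Event ID 7 field names (not from the report).
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Updater\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Updater\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\libcurl.dll", "Signed": "true"},
    {"Image": r"C:\Users\bob\Downloads\invite.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\wininet.dll", "Signed": "true"},
]

# Trusted load locations and locations an unprivileged user can write to.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Illustrative (constructed) set of Windows DLL names commonly impersonated for side-loading.
KNOWN_SYSTEM_DLLS = {"version.dll", "wininet.dll", "dbghelp.dll", "cryptbase.dll",
                     "userenv.dll", "msimg32.dll", "wtsapi32.dll"}

def assess_image_load(ev):
    """Return the reasons an image load looks like search-order hijacking; [] means benign."""
    dll = ev["ImageLoaded"].lower()
    exe = ev["Image"].lower()
    name = ntpath.basename(dll)
    reasons = []
    # Core signal: a DLL with a system library's name resolved from outside the system dirs.
    if name in KNOWN_SYSTEM_DLLS and not dll.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} loaded from {ntpath.dirname(dll)}")
        if ntpath.dirname(dll) == ntpath.dirname(exe):
            reasons.append("DLL sits beside the executable (side-load layout)")
        if dll.startswith(USER_WRITABLE):
            reasons.append("DLL path is user-writable")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("DLL is unsigned")
    return reasons

def find_hijack_candidates(events):
    """Filter a batch of events down to (exe, dll, reasons) worth an analyst's attention."""
    out = []
    for ev in events:
        reasons = assess_image_load(ev)
        if reasons:
            out.append((ev["Image"], ev["ImageLoaded"], reasons))
    return out
```

Tune the DLL-name set and directory lists to the estate; the load location and side-by-side layout, not the signature, carry the signal, so a signed copy planted beside an executable still scores.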