Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 54 threat intelligence reports and created a concise summary of the findings, along with the relevant metadata that was extracted. Below you can find a short summary of 10 reports, the related threats, tools and threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: What Is The New Steganographic Campaign Distributing Multiple Malware
Link: https://www.seqrite.com/blog/steganographic-campaign-distributing-malware/
Summary: The recent cyber threat campaign centers on the distribution of stealer malware, specifically Remcos and AsyncRAT, using a steganographic approach. The infection begins with a phishing email containing a malicious Excel attachment that exploits CVE-2017-0199, leading to the execution of a series of scripts that download and decode malware hidden within a .jpg file.
Both malware types follow a similar distribution method, with AsyncRAT disguising its malicious script as a printer management tool to avoid detection; they employ complex techniques for process manipulation and communicate with command-and-control infrastructure to receive further instructions and deploy additional payloads.
Threats: remcos_rat dcrat agent_tesla vipkeylogger asyncrat junk_code_technique steganography_technique process_hollowing_technique process_injection_technique
Indicators of compromise:
-------------------------
ip: 148[.]113[.]214[.]176
domain: interestedthingsforkissinggirlwithloves[.]duckdns[.]org, freebirdkissingonmylipswithnicefeelings[.]duckdns[.]org
url: https://watchonlinehotvideos[.]top/omfg[.]jpg

Title: Heavy metal: the new Telemancon group attacks industrial organizations
Link: http://f6.ru/blog/telemancon/
Summary: In February 2025, F6 specialists identified a threat actor group called Telemancon, responsible for targeting Russian industrial organizations, particularly in the engineering sector, since February 2023. The group employs a custom dropper named TMCDROPPER, designed to evade countermeasures, and deploys a backdoor known as TMCSHELL, capable of executing arbitrary PowerShell scripts received from a command-and-control server.
Additionally, the malware uses techniques such as certificate pinning and AES-256 encryption for communication, and includes variants with a different operational architecture, indicating a sophisticated and evolving threat that warrants ongoing analysis.
Threats: telemancon_group tmcdropper tmcshell spear-phishing_technique core_werewolf_group gamaredon_group
Indicators of compromise:
-------------------------
domain: page[.]ph

Title: APT-C-36 Recent Activities
Link: https://www.ctfiot.com/231932.html
Summary: APT-C-36, known as Blind Eagle, has been active since 2018, primarily focusing on espionage and cybercrime against government and financial sectors in Colombia and Latin America. The group uses sophisticated social engineering, mainly through phishing emails, and its malware arsenal includes various Remote Access Trojans (RATs) such as NjRAT and Remcos, with recent adaptations incorporating a zero-day vulnerability (CVE-2024-43451) exploited shortly after a Microsoft patch. Their campaign in mid-December 2024 resulted in more than 1,600 infections, employing .url files to download malware from a WebDAV server, highlighting a shift to more widespread attack methods and an advanced operational approach with a command-and-control server configured to communicate with external sources such as GitHub.
Threats: blindeagle_group njrat asyncrat remcos_rat heartcrypt purecryptor uac-0194_group
Indicators of compromise:
-------------------------
ip: 62[.]60[.]226[.]112:80, 191[.]88[.]252[.]140:30204, 191[.]88[.]252[.]140:30805, 191[.]88[.]252[.]140, 177[.]255[.]84[.]37
domain: computador12[.]ddns-ip[.]net, venitocamelo25[.]ddns-ip[.]net, asdasdsf[.]con-ip[.]com, usuariofebrero25[.]dedyn[.]io, activistascol25[.]myonlineportal[.]net
url: https://github[.]com/fresas2025/fresa/raw/refs/heads/main/agropecuario[.]exe, https://github[.]com/fresas2025/fresa/raw/refs/heads/main/CON3[.]exe, https://github[.]com/fresas2025/fresa/raw/refs/heads/main/DesignsCornwall[.]exe, https://github[.]com/fresas2025/fresa/raw/refs/heads/main/frutas[.]exe, https://github[.]com/fresas2025/fresa/raw/refs/heads/main/salmon[.]exe

Title: Malware Hidden Behind Google Meet Deception in ClickFix Campaign
Link: https://cybersecsentinel.com/malware-hidden-behind-google-meet-deception-in-clickfix-campaign/
Summary: The ClickFix campaign, particularly its variant "The Phantom Meet," is a sophisticated social engineering attack led by the threat groups "Slavic Nation Empire" and "Scamquerteo," focusing on infostealer malware such as Stealc, Rhadamanthys, and AMOS Stealer. The attack primarily targets cryptocurrency enthusiasts through phishing emails and compromised websites that present fake Google Meet error messages, prompting users to execute malicious PowerShell commands that install infostealer malware designed to extract sensitive information, including login credentials and cryptocurrency wallet data.
The campaign uses advanced obfuscation techniques to evade detection while targeting users on Windows and macOS platforms, with a notable emphasis on potential victims in Poland.
Threats: clickfix_technique slavic_nation_empire_group scamquerteo_group amos_stealer stealc rhadamanthys
Indicators of compromise:
-------------------------
ip: 77[.]221[.]157[.]170, 85[.]209[.]11[.]155, 95[.]182[.]97[.]58

Title: Lookout Discovers New Spyware for North Korea’s APT37
Link: https://www.ctfiot.com/231978.html
Summary: KoSpy is a newly identified Android spyware attributed to the North Korean group APT37. First discovered in March 2022, it remains active and is distributed via third-party app stores, including Google Play and Apkpure. The spyware disguises itself as utility applications, primarily targeting Korean- and English-speaking users, and is capable of collecting a wide range of sensitive data such as text messages, call history, location, files, audio recordings, and screenshots. It operates using a dual-layer command-and-control infrastructure that retrieves configurations from Firebase cloud databases, allowing it to adapt its functionality dynamically. Analysis from Lookout Threat Lab links KoSpy to prior North Korean cyber activity, including that associated with APT37 and APT43, despite challenges in precise attribution due to shared infrastructure and network anomalies among these groups.
Threats: scarcruft_group kospy kimsuky_group
Indicators of compromise:
-------------------------
ip: 27[.]255[.]79[.]225
domain: naverfiles[.]com, mailcorp[.]center, nidlogon[.]com, joinupvts[.]org, resolveissue[.]org, crowdon[.]info
url: https://goldensnakeblog[.]blogspot[.]com/2023/02/privacy-policy[.]html

Title: Darkwatchman spying on victims in a new wave of a phishing campaign
Link: https://rt-solar.ru/solar-4rays/blog/5373/
Summary: The resurgence of the Darkwatchman Remote Access Trojan (RAT) has been noted, particularly in Russia, where it employs advanced phishing techniques to infiltrate organizational systems. This JavaScript-based Trojan uses a sophisticated delivery method involving a loader, named NATIVE Loader, that disguises malicious executable files as PDF documents, allowing it to evade detection while conducting keylogging to capture sensitive information. Recent enhancements in its operational techniques include the use of reflective DLL loading to circumvent traditional security measures and encrypted communication with command-and-control servers, indicating an evolution in the threat actor’s methodology to persistently adapt and avoid cybersecurity defenses.
Threats: darkwatchman keilger webworm_group stowaway_tool ngc4020_group dameware_tool gorgon_stress_tool crossc2_tool snake_keylogger goblinrat dead_drop_technique obsidium_tool shedding_zmiy_group lifting_zmiy_group c0met_group sliver_c2_tool hardbit glupteba plugx_rat watch_wolf_group pe32_ransomware native_loader dotnet_reactor_tool dynamicwrapperx
Indicators of compromise:
-------------------------
domain: fssp[.]website
email: mail@fssp[.]website

Title: South Korean Organizations Targeted by Cobalt Strike Cat Delivered by a Rust Beacon
Link: https://hunt.io/blog/rust-beacon-cobalt-strike-cat-south-korea
Summary: Hunt researchers have identified an intrusion campaign targeting South Korean organizations, linked to a web server managed by EDGENAP LTD in Japan that briefly hosted a modified version of the Cobalt Strike tool known as CS Cat. This server, accessible for less than a day, hosted a Rust-compiled Windows executable for delivering CS Cat and included multiple open-source tools for identifying web vulnerabilities. The campaign involved systematic reconnaissance of over 1,000 Korean domains, potential SQL injection attempts against various targets, and the extraction of user credentials from a South Korean bulletin board.
The Cobalt Strike Cat malware used advanced techniques such as 2FA for command-and-control logins and scripted payload delivery through PowerShell, with initial connections establishing compromised beacons on victim systems.
Threats: cobalt_strike sqlmap_tool dirsearch_tool malleable_c2_tool marte
Indicators of compromise:
-------------------------
ip: 144[.]48[.]4[.]219:8000, 104[.]167[.]222[.]106
domain: t00ls[.]com
url: http://144[.]48[.]4[.]219:80/a
hash:
- sha256=36ca817200204eae59263031e64971e18a8f1d187c81e858d21e4567885e3040
- sha256=f635f424b967e3df6bec0e6bd4643d5b19bb6e3e3d9c925d91124b80f85e8d1b
- sha256=4b00b7ef72db51bd3c40366e283fc4eed7d613b410fdebaf451bf926fdd427fd
- sha256=bbb6542d8602dfe0b66073266a3606e6804f5b2c67d64266b0ef245220ccc3cc
- sha256=cb884be5f579e4e4917de5d9ae0a9cd3d9c80397b9a1519a8bb1fd5eeb6b882b

Title: Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor
Link: https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/
Summary: ESET researchers have uncovered a significant increase in cyber-espionage activity by the China-aligned APT group MirrorFace, particularly its recent campaign, Operation AkaiRyū, which marks the group's first infiltration of a Central European diplomatic institute, in connection with Expo 2025 in Japan. This operation showed an evolution in the group's tactics, including the use of a customized version of AsyncRAT and the reintroduction of the ANEL backdoor, which had been dormant since 2018.
The attack began with spearphishing emails that tricked recipients into executing malicious commands, using sophisticated techniques such as encrypted execution and the use of Visual Studio Code for remote access, indicating a strategic shift towards broader targeting while maintaining a focus on Japanese interests.
Threats: akairy_campaign mirrorface_group anel asyncrat anelldr noopdoor facexinjector_tool rubeus_tool spear-phishing_technique dllsearchorder_hijacking_technique process_injection_technique timestomp_technique stone_panda_group lodeinfo uppercut pirate_panda_group red_delta_group mouseover_technique putty_tool
Indicators of compromise:
-------------------------
ip: 45[.]32[.]116[.]146, 64[.]176[.]56[.]26, 104[.]233[.]167[.]135, 152[.]42[.]202[.]137, 208[.]85[.]18[.]4
domain: vu4fleh3yd4ehpfpciinnwbnh4b77rdeypubhqr2dgfibjtvxpdxozid[.]onion, u4mrhg3y6jyfw2dmm2wnocz3g3etp2xc5thzx77uelk7mrk7qtjmc6qd[.]onion

Title: Rilide — An Information Stealing Browser Extension
Link: https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/
Summary: Rilide is a sophisticated information-stealing malware first identified in April 2023, designed to impersonate browser extensions for Chromium-based browsers. It uses multiple delivery mechanisms, primarily phishing sites and malicious ads to lure victims, including campaigns using PowerPoint files and social media platforms such as Twitter.
Once executed, Rilide can take screenshots, log passwords, extract cryptocurrency wallet credentials, and interact with messaging platforms, while its Command and Control communications are obscured through blockchain services to facilitate the exfiltration of stolen data.Threats: rilide dead_drop_technique process_injection_technique process_hollowing_techniqueIndicators of compromise:-------------------------ip: 45[.]15[.]156[.]210domain: mmemento-die[.]com, tcl-black[.]com, ashgrrwt[.]click, pupkalazalupka[.]com, extension-login[.]com, extensionsupdate[.]com, nightpredators[.]com, nch-software[.]info, nvidia-graphics[.]top, vinceicgo[.]ru, web-lox[.]com, assets[.]bnbcoinstatic[.]com, blackfox[.]lol, memento-mori[.]comurl: https://blockstream[.]info/api/address/bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066/txs, https://mmemento-mori[.]com/api/machine/settings, https://mmemento-mori[.]com/api/machine/screenshot-rules, https://tcl-black[.]com/1111[.]bs64, https://bitcoinexplorer[.]org/api/address/bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066?limit=1, https://api[.]blockcypher[.]com/v1/btc/main/addrs/bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066/full?limit=1, https://mempool[.]space/api/address/bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066/txs, https://api[.]bitcore[.]io/api/BTC/mainnet/address/bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066/txs?limit=1, https://mmemento-mori[.]com/api/machine/commands?uuid=31d7f9d7-a0ea-46be-88b7-196bc3e2e5e1, https://Mmemento-Mori[.]com/aper/machine/sign?d=MMEMENTO-MORI[.]com, https://mmemento-mori[.]com/api/machine/injections?uuid=31d7f9d7-a0ea-46be-88b7-196bc3e2e5e1hash: - sha256=76afc4a7ef10d760c3fa42458e8f133f1ed4d76071ab6f4207037f64a4bffab7, sha1=286574e458cddb32032ba4935d7f8e2716cfcf2c, md5=650052f23efde0ed4460b760134db8c6email:Title: Espionage cluster PaperWerewolf engages indestructive behaviorLink: https://bi.zone/eng/expertise/blog/paper-werewolf-sovmeshchaet-kibershpionazh-s-destruktivnymi-deystviyami/Summary: The Paper Werewolf 
cluster, also known as GOFFEE, has been identified as a cyber threat actively targeting Russian organizations, particularly within the government and energy sectors, since 2022. Their sophisticated attacks leverage phishing tactics involving malicious Microsoft Word attachments with obfuscated macros to install malware, including PowerRAT, which facilitates remote command execution. The attackers employ advanced techniques to disguise their operations, such as using environment variables, deploying a malicious IIS module (Owowa) to capture credentials, and creating redundant access channels with tools like Chisel, highlighting their capability to adapt and evolve their tactics beyond traditional espionage into more disruptive activities.Threats: paper_werewolf_group powertaskel chisel_tool mythic_c2 powerrat owowa gophish_tool qwakmyagent poseidonIndicators of compromise:-------------------------ip: 94[.]103[.]85[.]47, 185[.]244[.]182[.]87, 5[.]252[.]176[.]55, 85[.]198[.]110[.]216domain: disk-yanbex[.]ruurl: hash: - sha256=fa8853aaa156485855b77a16a2f613d9f58d82ef63505be8b19563827089bf52, - sha256=13252199b18d5257a60f57de95d8c6be7d7973df7f957bca8c2f31e15fcc947b, - sha256=8ba4cd7ea29f990cb86291003f82239bfafe28910d080b5b7d3db78e83c1b6f3, - sha256=37b3fa8a3a05e4aedb25eb38d9e4524722f28c21fac9f788f87113c5b9184ef5, - sha256=804cd68f40d0bb93b6676447af719388e95cafd5a2b017a0386eb7de590ebf17email:This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
# Tool/Technique: Remcos RAT / AsyncRAT Steganographic Campaign
## Overview
This campaign distributes stealer malware, specifically **Remcos** and **AsyncRAT**, using a steganographic method hidden within a `.jpg` file. The initial access vector is a phishing email delivering a malicious Excel attachment that exploits **CVE-2017-0199**.
## Technical Details
- Type: Malware Family (Remcos, AsyncRAT) / Technique (Steganography, Exploit)
- Platform: Windows (Implied by Excel exploit and typical RAT targets)
- Capabilities: Remote Access, Stealer functionality, Script execution, File download, Anti-detection masking (AsyncRAT disguising script as printer management tool).
- First Seen: Not explicitly mentioned in the extracted summary.
## MITRE ATT&CK Mapping
*Note: Mappings are based on the described behaviors (phishing, exploitation, file hiding, RAT functionality).*
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1203 - Exploitation for Client Execution (CVE-2017-0199 triggered by the Excel attachment; ATT&CK files this technique under TA0002 - Execution)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (Scripts leading to download)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Steganography)
- T1055 - Process Injection
- T1055.012 - Process Hollowing (the report's technique tags list process hollowing alongside process injection)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- Initial delivery via malicious Excel document exploiting CVE-2017-0199.
- Execution chain involving downloading and decoding malware hidden in a `.jpg` file using steganography.
- Infection results in deployment of Remcos and AsyncRAT.
- AsyncRAT disguises its execution script as a "printer management tool" for evasion.
### Advanced Features
- Use of steganography to hide malicious payloads within image files.
- Complex process manipulation techniques employed by the deployed malware.
- Communication with C2 infrastructure to receive subsequent instructions and deploy secondary payloads.
## Indicators of Compromise
- File Hashes:
- SHA256: `9d66405aebff0080cc5d28a1684d501fa7e183dc8b6340475fc06845509cb466`
- SHA256: `2d4ab87f9ea104075d372f4c211b1fb89adec60208d370b8fb2d748e1a73186c`
- SHA256: `b2e8f720740bbd46f6ae3f450f265ace1044fe232141fbd84f269eafeb290812`
- SHA256: `a582e7e5b3ac37895e7cf484aaa8ea477deb90d99b47b2d9bfc018c604573889`
- SHA256: `f67c6341bfe37f5b05c00a0dda738f472fdabd6ea94ca8dc761f57f11ce12036`
- SHA256: `aed291c023c3514fb97b4e08e291e03f52de91a2a8d311491b4ab8299db0aa0f`
- SHA256: `faed55ed0102b1b2e3d853e8633abecbb9cec6a5f41c630097d8eaeefafba060`
- SHA256: `b8fc29c02005c84131f34de083c2e81cdf615ff405877f9e73400bf35513c053`
- File Names: Not explicitly listed (besides the implied malicious Excel attachment).
- Registry Keys: Not available.
- Network Indicators:
- IP: `148[.]113[.]214[.]176`
- Domain: `interestedthingsforkissinggirlwithloves[.]duckdns[.]org`, `freebirdkissingonmylipswithnicefeelings[.]duckdns[.]org`
- URL: `https://watchonlinehotvideos[.]top/omfg[.]jpg`
- Behavioral Indicators: Exploitation of CVE-2017-0199, hiding data in JPG files, process manipulation.
## Associated Threat Actors
- Not explicitly named for this specific campaign, but associated with stealer malware payloads like Remcos and AsyncRAT.
## Detection Methods
- Signature-based detection for known Remcos/AsyncRAT binaries.
- Behavioral detection monitoring for exploitation attempts using CVE-2017-0199 or unusual script execution following Office document opening.
- Detection of file analysis processes attempting to extract data from JPG files initiated by Office processes.
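Two of the checks above, written out as an added example (not code from the Seqrite report or RST Cloud): the Office-to-interpreter process chain that an exploited document produces, and a test for data appended after a JPEG's end-of-image marker, the simplest form of the image hiding described. The process events are constructed, Sysmon-style records; the executable paths are typical defaults, not values from the report.

```python
# Added example, not from the Seqrite report or RST Cloud: two checks behind the
# detection ideas above. The process events are constructed, Sysmon-style dicts.
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
INTERPRETERS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events: Excel -> mshta -> powershell, plus a benign process.
EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 4220, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 4300, "ppid": 4220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_spawned_interpreters(events):
    """Script interpreters whose ancestry leads back to an Office process, the chain an
    exploited Office document (CVE-2017-0199 style) produces. Walking the full ancestry
    catches powershell launched by mshta, not only the direct child of Office.
    Returns (office_pid, interpreter_pid, interpreter_name) tuples."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) not in INTERPRETERS:
            continue
        parent = by_pid.get(e["ppid"])
        while parent is not None:
            if _basename(parent["image"]) in OFFICE:
                hits.append((parent["pid"], e["pid"], _basename(e["image"])))
                break
            parent = by_pid.get(parent["ppid"])
    return hits

def jpeg_trailing_bytes(data):
    """Bytes after the real End-Of-Image marker (FF D9). A payload appended to a JPEG
    shows up as a large tail. Marker segments are walked up to Start-Of-Scan so an EXIF
    thumbnail's own FF D9 is not mistaken for the file's EOI; in scan data FF is always
    stuffed as FF 00, so for a baseline JPEG the first FF D9 after SOS is the true end."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xDA:  # SOS: entropy-coded data follows
            break
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:  # standalone markers carry no length
            i += 2
            continue
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
    eoi = data.find(b"\xff\xd9", i)
    if eoi < 0:
        raise ValueError("no EOI marker found")
    return len(data) - (eoi + 2)
```

A non-zero tail on an image fetched by a process flagged by the first check is a strong reason to pull the file for analysis.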
## Mitigation Strategies
- Patching systems to eliminate the vulnerability associated with CVE-2017-0199.
- Implementing email filtering to block phishing attempts containing malicious Office attachments.
- Enforcing application control to restrict execution of downloaded scripts or binaries.
- Monitoring for execution patterns mimicking "printer management tools" launched suspiciously.
## Related Tools/Techniques
- Remcos RAT
- AsyncRAT
- Junk Code Technique
- Steganography
- Process Hollowing/Injection
***
# Tool/Technique: TMCDROPPER / TMCSHELL
## Overview
**Telemancon Group** utilizes a custom dropper named **TMCDROPPER** to evade countermeasures and deploy a backdoor called **TMCSHELL**. This toolchain targets Russian industrial organizations.
## Technical Details
- Type: Malware (Dropper and Backdoor)
- Platform: Windows (Implied, targeting industrial/engineering sector)
- Capabilities: Evasion techniques, arbitrary PowerShell script execution via C2, AES-256 encrypted communication, certificate pinning.
- First Seen: Telemancon group active since February 2023; TMCDROPPER/TMCSHELL variants observed as of February 2025.
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- **TA0003 - Persistence** (Implied by backdoor deployment)
- **TA0010 - Exfiltration** (Implied by C2 communication)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Used for C2 communication)
- **TA0005 - Defense Evasion**
- T1140 - Deobfuscate/Decode Files or Information (Implied by encryption)
## Functionality
### Core Capabilities
- **TMCDROPPER**: Designed specifically to evade existing security countermeasures.
- **TMCSHELL**: A backdoor capable of receiving and executing arbitrary PowerShell scripts supplied from the C2 server.
### Advanced Features
- Use of **AES-256 encryption** to secure C2 communications.
- Implementation of **certificate pinning** to ensure communication integrity and potentially resist man-in-the-middle attacks.
- Existence of variations in operational architecture, suggesting active development and evolution of the malware.
## Indicators of Compromise
- File Hashes:
- MD5: `c4b40f9a809cd43d18d7aa3e6ebcc747` (Associated file)
- SHA256: `58f2ced4191c26a203811655de5afb963f56e7e9a49d7b94be1eb8d4f00e8b98` (Associated file)
- MD5: `6a8abc320a0b7d29ba41f088eef2de7f` (Associated file)
- SHA1: `f7b68fa4c5175fb10f68ef40428ee3858cff093a` (Associated file)
- MD5: `dbae64fa6e1d6543fae1f26332c7a5b7` (Associated file)
- SHA1: `617be7440ad5e309fd19a08976f322b68de2a1c9` (Associated file)
- SHA256: `c899bdf6161666013411dee7734875d0f14679ef1c52738d3ded6846046d049d` (Associated file)
- SHA1: `17726064a31ffa3c4ee1811d6cb51c682e79d7dc` (Associated file)
- SHA256: `7d55ccf6d547d3543c74961fa070727c7942642f5e899f006f4667b76eef5afe` (Associated file)
- MD5: `40567288b3166c406b9dced12e61b5b3` (Associated file)
- File Names: Not explicitly listed.
- Registry Keys: Not available.
- Network Indicators:
- IP: `45[.]93[.]95[.]105`, `45[.]93[.]94[.]195`, `45[.]93[.]95[.]91`, `188[.]191[.]147[.]222`, `83[.]229[.]70[.]5`, `45[.]83[.]40[.]225`, `212[.]80[.]205[.]9`, `178[.]208[.]78[.]11`, `185[.]229[.]226[.]223`, `212[.]80[.]205[.]31`, `212[.]80[.]206[.]103`, `212[.]80[.]206[.]210`, `83[.]229[.]70[.]226`, `83[.]229[.]70[.]231`, `83[.]229[.]70[.]6`
- Domain: `page[.]ph`
- URL: `https://telegra[.]ph/336750190408-02-05`, etc. (Multiple telegra[.]ph links used for distribution/staging)
- Behavioral Indicators: Evasion techniques employed by the dropper; Command execution via PowerShell received from C2.
## Associated Threat Actors
- Telemancon Group
- Core Werewolf Group (Mentioned as potentially related or a classification note)
- Gamaredon Group (Mentioned as potentially related or a classification note)
## Detection Methods
- Signature detection on known TMCDROPPER/TMCSHELL hashes.
- Network anomaly detection for connections to the listed IPs/domains, including traffic on non-standard ports or protocols and encrypted sessions to unexpected hosts (AES-256 ciphertext itself carries no detectable pattern; the destination and session metadata are what stand out).
- Monitoring PowerShell execution activity spawned immediately following initial document execution.
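Matching this report's indicators against network telemetry, as an added example (not code from the F6 report or RST Cloud). The indicators are printed here defanged with `[.]`, so they must be refanged before comparison; the log lines are constructed, and the one `deny` entry shows what the egress filtering suggested under Mitigation should produce for the listed addresses.

```python
import ipaddress
import re

# Added example, not from the F6 report or RST Cloud. A few of the Telemancon C2
# addresses listed above, in the defanged form this report uses.
DEFANGED_IPS = ["45[.]93[.]95[.]105", "188[.]191[.]147[.]222", "83[.]229[.]70[.]5"]

def refang(indicator):
    """Undo common defanging so indicators compare equal to real log values:
    [.] -> ., [:] -> :, hxxp -> http."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

# Constructed firewall log lines (not real telemetry). The 'deny' line is what an
# egress rule for the listed IPs should produce; the 'allow' lines are the gaps.
LOG_LINES = """\
2025-02-10T09:12:01Z src=10.0.5.21 dst=188.191.147.222 dport=443 action=allow
2025-02-10T09:12:05Z src=10.0.5.21 dst=142.250.74.46 dport=443 action=allow
2025-02-10T09:13:40Z src=10.0.7.9 dst=45.93.95.105 dport=8443 action=allow
2025-02-10T09:14:02Z src=10.0.7.9 dst=83.229.70.5 dport=443 action=deny
malformed line that the parser must skip
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def c2_contacts(lines, defanged_ips):
    """Return (timestamp, src, dst, dport, action) for every line whose destination is
    one of the indicator addresses. The watch set is refanged once, up front, and
    compared as ip_address objects so formatting differences cannot cause misses."""
    watch = {ipaddress.ip_address(refang(i)) for i in defanged_ips}
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst in watch:
            hits.append((m["ts"], m["src"], str(dst), int(m["dport"]), m["action"]))
    return hits

def hosts_needing_triage(hits):
    """Internal hosts whose contact with an indicator was allowed: the egress filter did
    not stop them, so they are the starting points for incident response."""
    return sorted({src for _, src, _, _, action in hits if action == "allow"})
```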
## Mitigation Strategies
- Implement strict egress filtering to limit communication to known C2 infrastructure.
- Apply endpoint detection focusing on unusual process parent-child relationships (e.g., Office spawning shell processes).
- Use advanced endpoint security capable of detecting certificate pinning behaviors.
## Related Tools/Techniques
- Spear-Phishing (Initial delivery vector)
- PowerShell Execution
***
# Tool/Technique: PaperWerewolf Cluster (GOFFEE) Operations
## Overview
The **PaperWerewolf** cluster (also tracked as **GOFFEE**) targets Russian government and energy organizations. They combine traditional cyber espionage with destructive activities, primarily utilizing malicious Microsoft Word macros to deploy malware like **PowerRAT** and employing custom tools for persistence and C2.
## Technical Details
- Type: Threat Actor Operations / Malware Ecosystem
- Platform: Windows (Implied)
- Capabilities: Espionage, credential theft, deployment of backdoors, network tunneling, potential data destruction.
- First Seen: Active since 2022.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Using malicious macros in Word docs)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- **TA0005 - Defense Evasion**
- T1036 - Masquerading (Using environment variables)
- **TA0006 - Credential Access**
- T1056.003 - Input Capture: Web Portal Capture (Owowa IIS module capturing credentials on the web server)
- **TA0011 - Command and Control**
- T1573 - Encrypted Channel (Implied by C2 usage)
- Use of Mythic C2 framework elements.
## Functionality
### Core Capabilities
- Initial infection via **phishing** attachments (Microsoft Word) containing **obfuscated macros**.
- Installation and use of **PowerRAT** (Remote Access Trojan) for remote command execution.
- Use of **Chisel** for network access and tunneling.
### Advanced Features
- Deployment of **Owowa**, a malicious IIS module specifically designed for capturing credentials on web servers.
- Creating redundant access channels to maintain foothold.
- Employing environment variables to conceal or aid in operational routines (Defense Evasion).
- Expanding activity beyond pure espionage into destructive actions.
## Indicators of Compromise
- File Hashes:
- SHA256: `fa8853aaa156485855b77a16a2f613d9f58d82ef63505be8b19563827089bf52`
- SHA256: `13252199b18d5257a60f57de95d8c6be7d7973df7f957bca8c2f31e15fcc947b`
- SHA256: `8ba4cd7ea29f990cb86291003f82239bfafe28910d080b5b7d3db78e83c1b6f3`
- SHA256: `37b3fa8a3a05e4aedb25eb38d9e4524722f28c21fac9f788f87113c5b9184ef5`
- SHA256: `804cd68f40d0bb93b6676447af719388e95cafd5a2b017a0386eb7de590ebf17`
- File Names: Not specified, but related to PowerRAT/Owowa components.
- Registry Keys: Not available.
- Network Indicators:
- IP: `94[.]103[.]85[.]47`, `185[.]244[.]182[.]87`, `5[.]252[.]176[.]55`, `85[.]198[.]110[.]216`
- Domain: `disk-yanbex[.]ru`
- Behavioral Indicators: Execution of obfuscated VBA macros; loading of the malicious Owowa IIS module on web servers to capture credentials.
## Associated Threat Actors
- PaperWerewolf Cluster (GOFFEE)
## Detection Methods
- YARA rules targeting known PowerRAT code or the specific obfuscation techniques used in the Word macros.
- Monitoring for unusual child processes originating from macro execution chains.
- Detecting web server activity attempting to load non-standard IIS modules (Owowa).
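The last detection idea, an IIS module baseline check, as an added example (not code from the BI.ZONE report or RST Cloud). It reads an `applicationHost.config` fragment and flags native modules whose image lives outside the IIS/.NET system directories and managed modules whose assembly is not a Microsoft one; the fragment and the two out-of-baseline entries are constructed and stand in for how an unwanted module would be registered, not for Owowa's actual registration.

```python
import xml.etree.ElementTree as ET

# Added example, not from the BI.ZONE report or RST Cloud. Constructed
# applicationHost.config fragment; the two out-of-baseline entries are invented.
APPHOST_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="UriCacheModule64" image="C:\ProgramData\cache\uricache64.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" lockItem="true" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="ExtensionlessUrlHandler" type="HttpModuleHelper, HelperModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </modules>
  </system.webServer>
</configuration>
"""

# Native modules are expected only under these IIS / .NET system directories
# (compared case-insensitively), and managed modules only from Microsoft assemblies.
TRUSTED_IMAGE_PREFIXES = ("%windir%\\system32\\inetsrv\\", "%windir%\\microsoft.net\\")
TRUSTED_ASSEMBLY_PREFIXES = ("system.", "microsoft.")

def unexpected_iis_modules(config_xml):
    """Return (section, module name, reason) for modules outside the baseline.
    Name-only <modules> entries just enable a <globalModules> entry, so they are
    covered by the native check; entries with a type= attribute are managed modules."""
    root = ET.fromstring(config_xml)
    findings = []
    global_modules = root.find(".//globalModules")
    for add in (global_modules if global_modules is not None else []):
        image = add.get("image", "")
        if not image.lower().startswith(TRUSTED_IMAGE_PREFIXES):
            findings.append(("globalModules", add.get("name"),
                             "image outside IIS/.NET system paths: " + image))
    modules = root.find(".//modules")
    for add in (modules if modules is not None else []):
        type_attr = add.get("type")
        if not type_attr:
            continue
        # "Namespace.Type, Assembly, Version=..." or a bare type name
        parts = [p.strip() for p in type_attr.split(",")]
        assembly = parts[1] if len(parts) > 1 else parts[0]
        if not assembly.lower().startswith(TRUSTED_ASSEMBLY_PREFIXES):
            findings.append(("modules", add.get("name"),
                             "managed assembly not in baseline: " + assembly))
    return findings
```

On a real server the baseline would be the module list captured from a known-good build, and per-site `web.config` files need the same pass.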
## Mitigation Strategies
- Disable or restrict the execution of embedded macros in Office documents via GPO.
- Harden IIS configurations to prevent the installation of untrusted modules.
- Use IPS/IDS rules to identify Chisel C2 traffic patterns.
## Related Tools/Techniques
- PowerRAT
- Chisel (C2/Tunneling Tool)
- Mythic C2 Framework (Mentioned as related to C2 infrastructure)
- Gophish (Mentioned as related threat component)