
Operation HookedWing
Campaign Guidance
| Technique ID | Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|---|
| T1566.002 | Spearphishing Link | Initial Access | Monitor inbound email for links to *.github.io, *.vercel.app, *.on-fleek.app or *.netlify.app whose URL fragment matches the #[email]@[domain] pattern (the lure JavaScript parses the victim address out of the fragment). Alert on lure text such as "OPEN IN PDF", "Sign in", "Please find below in Pdf" and the French equivalents (e.g., restriction-de-compte). | Email gateway logs, Proofpoint/Mimecast URL-rewriting telemetry, Microsoft Defender for Office 365, Sysmon Event ID 1 (browser process creation), EDR browser process telemetry |
| T1583.001 | Acquire Infrastructure: Domains | Resource Development | Detect newly observed domains with 90-day Let's Encrypt certificates and names mimicking DocuSign, Newmax or Microsoft, or hosting a /genl/ directory that exposes list.txt, error_log and pseudo-random PHP filenames (e.g., djjejjeennemme.php, hfhfjmreneeeneneme.php). | Passive DNS, Certificate Transparency logs, urlscan.io, SOCRadar threat intelligence, web crawler and asset discovery tools |
| T1583.006 | Acquire Infrastructure: Web Services | Resource Development | Hunt GitHub Pages (github.io) repositories for an index.html containing the preloader_container_stef identifier, srv.js files exposing window.stef.srv_loc, and Google-colored preloader SVGs (Pulse-1s-200px.svg). Alert on subdomains containing microsoft, office365, pdf, document, excel, onedrive, drive or mail with a year suffix. The attacker-created Pages sites are acquired rather than compromised infrastructure; the compromised third-party sites that host the PHP collectors are covered under T1584.004 below. | GitHub API monitoring, public code repository search (SOCRadar), web reputation services, threat intel feeds |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Execution | Detect lure JavaScript that calls window.location.href.split to parse the # and @ delimiters out of the URL fragment, fetch() calls with Base64-encoded paths starting with L2dlbm (decodes to /genl), and DOM injection via getEl__("#docBody").innerHTML. | Browser EDR telemetry, JavaScript runtime monitoring, browser isolation logs, network proxy logs with TLS inspection |
| T1608.005 | Stage Capabilities: Link Target | Resource Development | Identify github.io repositories that were dormant but show recent commits touching only srv.js (no HTML or asset changes); because srv.js carries the srv_loc collector address, this pattern indicates an existing lure page being re-pointed and reactivated. Monitor for repository name patterns matching earlier Operation HookedWing waves. | GitHub commit history monitoring, OSINT pivoting, threat intelligence platforms |
| T1027 | Obfuscated Files or Information | Defense Evasion | Detect Base64 strings that decode to /genl/ paths or to the stef namespace, and PHP filenames following pseudo-random consonant-vowel patterns. Alert on atob() output concatenated with an externally loaded srv_loc value and passed to fetch(). | Web proxy logs, EDR JavaScript inspection, YARA rules on web responses, TLS inspection |
| T1036 | Masquerading | Defense Evasion | Alert on landing pages that insert the target organization's name dynamically via a <p id='child_preloader'> element, fake Microsoft Outlook preloaders, or Microsoft Entra ID (Azure AD) sign-in clones that load CSS from aadcdn.msauth.net while hosted on a non-Microsoft domain. | Web proxy logs, browser DOM inspection, phishing detection sandboxes (urlscan.io, ANY.RUN) |
| T1056.003 | Input Capture: Web Portal Capture | Credential Access | Detect pages that return "Account does not exist. Email is invalid" or a similar error regardless of what was entered (the fake rejection prompts the victim to re-enter the credentials, and every attempt is submitted), and forms containing the hidden field auth_status_ or counter logic that increments on each submit. | DOM analysis tools, browser EDR, phishing analysis sandboxes |
| T1056.003 | Input Capture: Web Portal Capture | Credential Access | Monitor outbound POST requests whose form fields include em-field, em-field2, pwd-field, pidt-field, ocdt-field, icdt-field, oldt-field, aldt-field, auth_status_, __winHref or UrlDom_main and whose destination is not an allowlisted identity provider. | Web proxy logs (decrypted), DLP solutions, SWG/CASB form-data inspection, EDR network telemetry |
| T1584.004 | Compromise Infrastructure: Server | Resource Development | Detect submissions of corporate credentials to external *.php endpoints under /genl/, /hl/ or /zm/ paths on otherwise legitimate websites (the campaign used compromised HostGator-hosted sites in Pakistan, Brazil, Chile and Senegal as collectors). Correlate browser sessions that visited a github.io lure with subsequent POSTs to such domains. | DLP logs, secure web gateway, browser EDR, network flow analysis |
| T1614 | System Location Discovery | Discovery | Monitor browser-side requests to api.ipdata.co?api-key= from sessions that did not originate from a legitimate geolocation-dependent application, particularly when followed by a POST carrying the victim's IP address, latitude and longitude in hidden fields. | Web proxy logs, DNS query logs, EDR network telemetry, browser isolation logs |
| T1041 | Exfiltration Over C2 Channel | Exfiltration | Alert on HTTP POST requests to URIs containing /genl/, /hl/, /zm/, /inde-s.php, /result.php, /New.php, or /login.php?[long_token]. Detect a single submission that carries both email and password fields together with geolocation metadata. | Web proxy logs, NetFlow/Zeek, EDR network monitoring, TLS inspection logs |
| T1102 | Web Service | Command and Control | Detect GET requests to *.github.io/*/srv.js followed by fetch chains to third-party domains, and traffic to known Operation HookedWing collector/C2 domains (more than 22 distinct servers identified). Alert on requests retrieving list.txt from publicly indexed directory listings. | Proxy logs, DNS logs, threat intel-enriched SIEM rules, IOC feeds (SOCRadar) |
| T1071.001 | Application Layer Protocol: Web Protocols | Command and Control | Detect HTTPS sessions whose Host header is a github.io subdomain and whose page JavaScript then initiates POSTs to unrelated, low-reputation domains hosting /genl/ or similar paths. Hunt for User-Agent strings paired with a geoiptool.com Referer in collected logs. | TLS inspection logs, web proxy, EDR network telemetry, JA3/JA4 fingerprinting |
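The URL and JavaScript indicators in the T1566.002, T1059.007 and T1027 rows can be checked mechanically. The following Python is an added example, not code from this page or from the campaign: it classifies a link by lure hosting platform and #email@domain fragment, and scans a JavaScript body for Base64 tokens that decode to one of the collector directories, re-padding them the way the browser's atob() would tolerate. The hosting platforms, collector directories and the L2dlbm prefix come from the table; the srv.js text, hostnames and PHP filename in the sample are constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit

# Hosting platforms used for the lure pages (from the table).
LURE_HOSTS = ("github.io", "vercel.app", "on-fleek.app", "netlify.app")
# Server-side collector directories named in the table.
COLLECTOR_DIRS = ("/genl", "/hl", "/zm")
# A fragment shaped like victim@domain.tld; the lure script splits location.href on '#' and '@'.
EMAIL_FRAGMENT = re.compile(r"^[^@\s#/]+@[^@\s#/]+\.[^@\s#/]+$")
# Candidate Base64 tokens inside JavaScript: 8+ alphabet characters, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def is_lure_host(host):
    """True if host is one of the lure platforms or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in LURE_HOSTS)


def lure_url_findings(url):
    """Return the table's URL indicators that a link matches (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if is_lure_host(host):
        findings.append("lure_host:" + host)
    if parts.fragment and EMAIL_FRAGMENT.match(parts.fragment):
        findings.append("email_fragment:" + parts.fragment)
    return findings


def decoded_collector_paths(js_text):
    """Decode every Base64-looking token in js_text; keep those decoding to a collector path.

    Returns a list of (token, decoded_path) pairs. Tokens that are not valid Base64 or
    do not decode to ASCII are skipped, which is how identifiers such as innerHTML fall out.
    """
    hits = []
    for token in B64_TOKEN.findall(js_text):
        # atob() in the browser tolerates missing '=' padding; Python's decoder does not.
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if any(decoded == d or decoded.startswith(d + "/") for d in COLLECTOR_DIRS):
            hits.append((token, decoded))
    return hits


# Constructed srv.js body for the example; the hostname is made up. The token is the
# Base64 form of "/genl/djjejjeennemme.php", so it starts with L2dlbm as the table notes.
SAMPLE_SRV_JS = (
    'window.stef = window.stef || {};\n'
    'window.stef.srv_loc = "https://shop.example-victim.test";\n'
    'fetch(window.stef.srv_loc + atob("L2dlbmwvZGpqZWpqZWVubmVtbWUucGhw"))\n'
    '  .then(r => r.text()).then(t => { getEl__("#docBody").innerHTML = t; });\n'
)

if __name__ == "__main__":
    print(lure_url_findings("https://docs-2024.github.io/v/#jane.doe@corp.example"))
    print(lure_url_findings("https://intranet.corp.example/docs#section-2"))
    print(decoded_collector_paths(SAMPLE_SRV_JS))
```

Run it against mail-gateway URL extracts and against the body of any srv.js fetched from a github.io site; a hit on the decoder is a stronger signal than the hosting platform alone, since many legitimate projects live on the same platforms.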
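The network-side rows (T1056.003 form fields, T1041 collector URIs, and the github.io-to-collector correlation) can be turned into one rule over decrypted proxy records. The Python below is an added example, not code from this page: it remembers which sources fetched a lure page, then alerts on POSTs to non-allowlisted hosts that hit a collector path or carry the campaign's form field names, tagging each alert with the lure referrer and prior-visit context. The field names, paths and hosting platforms come from the table; the allowlist, the 32-character token threshold for /login.php, and the sample records (hosts, addresses, the fact that URL fragments never reach the proxy) are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Form field names the campaign's collectors receive (from the T1056.003 row).
CAPTURE_FIELDS = {
    "em-field", "em-field2", "pwd-field", "pidt-field", "ocdt-field", "icdt-field",
    "oldt-field", "aldt-field", "auth_status_", "__winHref", "UrlDom_main",
}
# Collector URI shapes from the T1041 row: /genl/, /hl/, /zm/ directories and named PHP endpoints.
COLLECTOR_PATH = re.compile(r"/(?:genl|hl|zm)/|/(?:inde-s|result|New)\.php$")
# Platforms the lure pages were hosted on (from the T1566.002 row).
LURE_HOSTS = ("github.io", "vercel.app", "on-fleek.app", "netlify.app")
# Hosts where a credential POST is expected; an assumed allowlist for this example.
ALLOWLIST = {"login.microsoftonline.com", "sso.corp.example"}
# /login.php?<token> only counts when the query is long; the threshold is an assumption.
MIN_LOGIN_TOKEN_LEN = 32


def is_lure_host(host):
    """True if host is one of the lure platforms or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in LURE_HOSTS)


def detect_credential_posts(records):
    """Return one alert per POST that matches the table's collector indicators.

    records: time-ordered dicts with src, method, url, referer and fields (form field names
    seen in the decrypted body). GETs to a lure platform are remembered per source so a later
    POST from the same source is tagged prior_lure_visit.
    """
    lure_seen = set()
    alerts = []
    for rec in records:
        parts = urlsplit(rec["url"])
        host = (parts.hostname or "").lower()
        if rec["method"] == "GET":
            if is_lure_host(host):
                lure_seen.add(rec["src"])
            continue
        if rec["method"] != "POST" or host in ALLOWLIST:
            continue
        reasons = []
        if COLLECTOR_PATH.search(parts.path) or (
            parts.path.endswith("/login.php") and len(parts.query) >= MIN_LOGIN_TOKEN_LEN
        ):
            reasons.append("collector_path")
        matched = CAPTURE_FIELDS & set(rec["fields"])
        if len(matched) >= 2:
            reasons.append("capture_fields:%d" % len(matched))
        if is_lure_host((urlsplit(rec["referer"]).hostname or "").lower()):
            reasons.append("lure_referer")
        if rec["src"] in lure_seen:
            reasons.append("prior_lure_visit")
        # Path or field-name evidence alone is enough to alert; lure correlation is context.
        if "collector_path" in reasons or any(r.startswith("capture_fields:") for r in reasons):
            alerts.append({"src": rec["src"], "url": rec["url"], "reasons": reasons})
    return alerts


# Constructed proxy records for the example (not real traffic). The #email@domain fragment
# never leaves the browser, so it is absent from the lure GET as it would be in real logs.
SAMPLE_PROXY_LOG = [
    {"src": "10.0.0.5", "method": "GET", "referer": "",
     "url": "https://docs-2024.github.io/v/", "fields": []},
    {"src": "10.0.0.5", "method": "GET", "referer": "https://docs-2024.github.io/v/",
     "url": "https://docs-2024.github.io/v/srv.js", "fields": []},
    {"src": "10.0.0.5", "method": "POST", "referer": "https://docs-2024.github.io/v/",
     "url": "https://shop.example-victim.test/genl/djjejjeennemme.php",
     "fields": ["em-field", "pwd-field", "auth_status_", "__winHref", "UrlDom_main"]},
    {"src": "10.0.0.7", "method": "POST", "referer": "https://login.microsoftonline.com/",
     "url": "https://login.microsoftonline.com/common/login", "fields": ["login", "passwd"]},
    {"src": "10.0.0.9", "method": "POST", "referer": "https://hr.corp.example/",
     "url": "https://hr.corp.example/timesheet/submit", "fields": ["hours", "project"]},
]

if __name__ == "__main__":
    for alert in detect_credential_posts(SAMPLE_PROXY_LOG):
        print(alert)
```

The `fields` list presupposes the TLS inspection or SWG/CASB form-data inspection named in the log-sources column; without decrypted bodies only the path and referrer checks remain, so keep the allowlist tight to limit noise from legitimate /login.php endpoints.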