IOC Radar
SHA1 · Medium · Signal 95/100

d25340ae8e92a6d29f599fef426a2bc1b5217299

Location
Vietnam
First Seen
Aug 15, 2021
Last Seen
Jun 7, 2026
Reports
13 source reports
Confidence
95% (medium)
Found in 13 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA1
Confidence
95%
Signal Score
95 / 100
IDS Rule
No
Threat Context
MITRE ATT&CK TTPs
172 techniques
Feed Intelligence Summary
13 source reports, 95% confidence score
Category tags

Activity Timeline
1 total observation (Jun 7)

Threat Activity Heatmap
Peak: 2026-06-07 (calendar heatmap, Jun to Jun, not reproduced here)
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score
95 (High Risk)

VirusTotal

Not checked

WHOIS

description
SHA1 of 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
references
https://hunt.io/blog/runningrat-from-remote-access-to-crypto-mining
Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 "Broken Seal" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.
Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)
Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare's transit layer for resilience and to reduce direct exposure of origin infrastructure.
Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 "Fail-Closed" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure
Compilation / Toolchain: Compiler: Microsoft Visual C++ 2017; Linker: Microsoft Linker 14.16.27032; IDE: Visual Studio 2017 (15.9). Classification: PEBIN. TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%). PE Section Entropy (Suspicion): .data 7.36 → high (suggests packing/encryption), .reloc 6.66 → possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72. Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess
Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.
MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's "Broken Seal" exploit bypasses.
As of Feb 13 (early AM) — Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)
Verification failure observed in automated verification handlers during sandbox replay.
The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls—including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation—are implemented to validate a high-interaction user environment prior to execution.
Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.
Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.
SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.
SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff — Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).
nationalgrid.com — Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.
eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.
Whitelisted IP address 204.79.197.212. Location: United States. ASN: AS8068 (microsoft corporation). Nameservers: ns4-205.azure-dns.info, ns1-205.azure-dns.com. WHOIS registrar: MarkMonitor, Inc. Creation date: Mar 26, 1996. Related pulses: OTX user-created pulses (50).
The AlienVault OTX report for flypdx.com documents 11 related tags, including IDS detections and AV detections, across 4 active AWS IP addresses (3.175.34.30–.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr
My independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.
Sources: Maltiverse Research Team, URLscan.io, Deep Research, Hybrid Analysis, URLhaus Abuse.ch, Cyber Threat Coalition, ThreatFox Abuse.ch
https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage, https://cyber.wtf/2022/03/23/what-the-packer/, https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes, https://asec.ahnlab.com/en/31811/, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/, https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489, https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike, https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/, https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/, https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/, https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue, https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/, https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/, https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/, https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html, https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks, https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/, https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1, https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf, https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia, https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/, 
https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671, https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/, https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/, https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/, https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf, https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf, https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/, https://istrosec.com/blog/apt-sk-cobalt/, https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/, https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/, https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/, https://securelist.com/apt-luminousmoth/103332/, https://isc.sans.edu/diary/rss/27618, https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads, https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass, https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/, https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/, https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/, https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise, 
https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/, https://www.cisa.gov/news-events/analysis-reports/ar21-148a, https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a, https://www.lac.co.jp/lacwatch/report/20210521_002618.html, https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf, https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/, https://thedfirreport.com/2021/05/12/conti-ransomware/, https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/, https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/, https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/, https://blog.talosintelligence.com/lemon-duck-spreads-wings/, https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/, https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff, https://isc.sans.edu/diary/27308, https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c, https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/, https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures, https://www.qurium.org/alerts/targeted-malware-against-crph/, https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware, https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/, https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811, https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout, https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/, 
https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md, https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060, https://thedfirreport.com/2021/01/31/bazar-no-ryuk/, https://www.security.com/threat-intelligence/solarwinds-raindrop-malware, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/, https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618, https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html, https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach, https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/, https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/, https://isc.sans.edu/diary/rss/26862, https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf, https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf, https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware, https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/, https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/, https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/, https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv, https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/, https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/, https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md, https://thedfirreport.com/2020/10/08/ryuks-return/, 
https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/, https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/, https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf, https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos, https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/, https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims, https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/, https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/, https://blog.talosintelligence.com/building-bypass-with-msbuild/, https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html, https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf, https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A, https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html, https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf, https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/, https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf, https://contagiodump.blogspot.com/2014/11/onionduke-samples.html, https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/, https://www.securonix.com/blog/faux-elevate-threat-actors-crypto-miners-and-infostealers/, https://wallpapers-nature.com/tsara-brashears/urlscan-io, alohatube.xyz, https://www.anyxxxtube.net/search-porn/tsara-brashears/, http://alohatube.xyz/search/tsara-brashears, https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian, ww.google.com.uy, https://alohatube.xyz/search/tsara-brashears, 
https://wallpapers-nature.com/%20tsara-brashears/urlscan-io, https://polling.portal.gov.bd/js/npc.script.js, polling.portal.gov.bd, https://polling.portal.gov.bd/js/npop.script.js, http://watchhers.net/index.php, https://brandyallen.com/2022/11/23/sexy, m.pornsexer.xxx.3.1.adiosfil.roksit.net, http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc, http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf, https://twitter.com/PORNO_SEXYBABES, https://alohatube.xyz/search/sex-mom-dog-animal, https://www.colorfulbox.jp/, Any.run, OTX AlienVault, Urlscan, UrlVoid, http://emrd.gov.bd/dead.php, http://titasgas.portal.gov.bd/dead.php, http://mincom.gov.bd/dead.php, http://cabinet.gov.bd/dead.php, IOCs.2026.csv, https://www.trellix.com/blogs/research/technical-deep-dive-the-monero-mining-campaign/, https://www.virustotal.com/graph/embed/g69f2d0341bbf4c7180124cd0049e52603943cb3158b24298b9bd2a4e34d990fa?theme=dark, https://attack.mitre.org/groups/G1004/, https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-053, https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_, https://www.upwind.io/feed/from-compromise-to-detection-uncoveri, Emmenhtal.pdf, https://www.virustotal.com/graph/g736feb8dbbcf434eb4a78390f31efb61660cab3446bb439a999a50c145e1c476, https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload#iocs-77, 
https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload, https://www.virustotal.com/graph/g5a0bc9a038944a6ea070c21e8ee06450c88bcd9ac0a34037af5c1a80a272fd72, https://www.virustotal.com/graph/g9155e32765e8465eb4c422d9abc5dcc8c830fa9dc83e40a99c0b1c6fb56e098c, https://loldrivers.io/, https://www.loldrivers.io/js/chart.min.js, https://www.loldrivers.io/js/bundle.7cd1a644ff4540d19bfa43f193df74afce746a0213920f45d73bf720542f682d81b6ad0320242744d332512cfb63eac5790fab1a240d6e6c8cb89f25fcacfbd7.js, https://www.loldrivers.io/favicons/browserconfig.xml, https://www.esentire.com/blog/when-samsungs-magic-turns-tragic-a-tale-of-unauthorized-mining, https://www.virustotal.com/graph/ga649a1ebd0c841fc98eb823d48c7ae66049b03b801ee46acab79396bb3b0a1c7, https://whois.domaintools.com/129.128.133.9, https://www.virustotal.com/graph/embed/g82613254dfa143e290983c01, https://viz.greynoise.io/ip/129.128.133.9, https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/, https://raw.githubusercontent.com/mthcht/awesome-lists/refs/heads/main/Lists/Drivers/loldrivers_only_hashes_list.csv, https://asec.ahnlab.com/en/86221/, https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/, https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine, https://myurologyclinic.com/ret/GU7oiR/[email protected]?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved), https://attack.mitre.org/techniques/T1568/002/, http://www.junefabrics.com/android/activate.php, Backdoor.PcClient, POD 18447 for Cox.xls, https://apps.apple.com/us/app/gambinos-pizza/id1500338496, https://www.hallrender.com/attorney/brian-sabey/ • www.hallrender.com • https://www.hallrender.com/wp-json/oembed, 1.download.windowsupdate.com [HiddenTear], https://tulach.cc/ • tulach.cc • thedevilsback.golf • nextcloud.tulach.cc [phishing], https://gronthoghor.com/xoe/qbot.zip •, Win32:JunkPoly - Worm:Win32/Bagle.gen!C 
https://www.anyxxxtube.net/search-porn/tsara-brashears/ • www.metrobyt-mobile.com

IOC Journey

medium
First detected 4 years ago · Last seen 23 days ago
Appeared in 13 threat reports