IOC Radar
TLP:WHITE · 3 IOCs

FishMonger Uses TCP, UDP, and WebSocket C2 Channels in SprySOCKS Windows Attacks

Cyber Press
Published June 17, 2026 · Original Report

Threat Actors

Diamond Model

Axes: Social, Technology
Adversary: APT36
Infrastructure: unknown
Capability: unknown
Victim: unknown

Attack Flow: 8 steps · MITRE ATT&CK mapped

Step 1/8: Initial Access (TA0001 · T1190)
Exploit Public-Facing Application
Action: Exploit public-facing servers
Attackers likely gain initial access by exploiting known vulnerabilities in unpatched public-facing servers.

5W+H Threat Analysis

Analysis unavailable

Indicators of Compromise


Type | Indicator | Tags | Confidence | Score | First Seen
CVE | CVE-2023-24932 | exploit, intel-blog, vulnerability | Medium | 51 | Jun 18, 26
SHA1 | 955bfc3dcc867256f9f46a606deb0779fa3416d8 | file-hash, intel-blog, loader | Medium | 53 | Jun 18, 26
SHA1 | 44dc4a08c5eb0972c8e18b0e01284e06f09006bb | file-hash, intel-blog, loader | Medium | 53 | Jun 18, 26

IOC Relationship Graph

[Graph: 3 total IOCs (SHA1: 2, CVE: 1) linked to the report and 1 actor (APT36)]