TLP:WHITE40 IOCs

Tinker Tailor Soldier: Paper Werewolf’s latest toolkit

BI.ZONE

Published May 13, 2026Original Report

Malware Families

Diamond Model

Adversary

Infrastructure(6)

Capability(1)

Victim

5W+H Threat Analysis

Analysis unavailable

Indicators of Compromise

Indicators of Compromise40

Type	Indicator	Confidence	Score	First Seen
SHA256	f4a81dc69b87062e61bede3bf9f78b4d5f8df6afd856cacd6f1748370886d002 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	a208308930bf17df50e52cc0dcd14555e853c6da413836b60bf906f73ac94d9c file-hashintel-blogloader	Medium	53	Jun 2, 26
SHA256	3a4d84886713695f3b3812a0a3733f9ce74b4614c881f9774995c01c61d09cf3 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	eeab4aec6ad3b271c303d927db55de273bbca008ebf00e06898336c6f3010296 aptespionagefile-hash	Medium	53	Jun 2, 26
URL	https://woburneast.com/t2376/dom/fwcookiemanager/bs_afp/872794 exploitintel-blogmalware	High	58	Jun 2, 26
URL	https://ntpsum.online/sum/M8suINj3ZFi22GMAUdCJH639vDrI2G4zdTWm2rpE5plxsr17Eg exploitintel-blogmalware	High	58	Jun 2, 26
SHA256	8ae62e8a521a79e1ddfa4e360d5abce992bb671644ca7473c02dcfa120e575d1 file-hashintel-blogmalware	Medium	53	Jun 2, 26
URL	https://woburneast.com/171751/20020722/1306wicadigi023.pdf aptespionageintel-blog	High	58	Jun 2, 26
SHA256	5454f4811de9b1bf3b0e47cf8bad8e8e915b7379a0f3dffd5d36dcad26bdc03b file-hashintel-blogloader	Medium	53	Jun 2, 26
SHA256	4100708d2b461def58653a46344ec73aaabf2fafe4a2ebf27855b7b53dc30184 file-hashintel-blogloader	Medium	53	Jun 2, 26
SHA256	32712a3f7ec72fac4535b47017135a72b4994ee69440eff95221fed673d41fdc exploitfile-hashintel-blog	Medium	53	Jun 2, 26
SHA256	f52d67e5b3e48208073dddd1c22728085a36744fdc91a0ca767cae6db9cdea74 file-hashintel-blogmalware	Medium	53	Jun 2, 26
URL	https://certcalc.online/certificate/calculate/G8OftO2lyUuRHa8wBuqR7wcOfAcirSnrp0PCsA3ST17RjjL7JQ exploitintel-blogmalware	High	58	Jun 2, 26
SHA256	551b705761a0d6015d596f0ce98d3552152e2c226ff57f89a3e315b6bb035956 file-hashintel-blogmalware	Medium	53	Jun 2, 26
URL	https://zeccecard.com/116739/person_image/1167273647/48980/cis8petition/0201787911?asdzq=hostname intel-blogmalwarenetwork	High	58	Jun 2, 26
SHA256	77e1510002a5b04beadf7e5b7e8a96242849187a053906429e9c6a8d1facc0d1 file-hashintel-blogloader	Medium	53	Jun 2, 26
SHA256	e5edd8e5efb1ffc1804ac51f88f7401d91f9b0fd8cd3da1ba0a5fab401523446 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	a6e0fc5de3e7ab1c6d0041f43a460bc3f3a02383c683223e684239ff65879140 file-hashintel-blogloader	Medium	53	Jun 2, 26
URL	https://ntptop.online/VaukY9uSiPjpylxpDeTXQgmh0QLy2Q9I8kYY6OFyt0wFqz3yZF/upload intel-blogmalwarenetwork	High	58	Jun 2, 26
SHA256	6a997b7799f0ccb241219995ea275ffbf99d22a3777b442e7bb7ab907aef3641 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	def336fa0f8dfcc60f85a7a862e07730d0e99052515d1b5f7bbdd435de595aee file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	a4eacfe2fabb1eb5d888dfb5275506c12137cd54f603bc069d7e1767aa5f82f9 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	938dac6227e47fed245ad25d289489d67e574882430652b5fb7b6368e262e873 file-hashintel-blogloader	Medium	53	Jun 2, 26
SHA256	f3b5fa2d1cca8b4f232e08fb4bb64241f0caac93fc366deda7c23b6b6d7b4905 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	3c3ea0512687ff086c605cb6d331d0d588c39f362ee5bc580059b481410c1585 file-hashintel-blogmalware	Medium	53	Jun 2, 26
URL	https://arrotech.org/pathclass/33205/freehash/katy?user=username intel-blogmalwarenetwork	High	58	Jun 2, 26
SHA256	7d6d07b42f1b2a0728ae7b7ede14daf195d2b7baa1325065c4877e8db93e2c4f file-hashintel-blogloader	Medium	53	Jun 2, 26
SHA256	c5645cbd4295278a23c243e79a3f519b9a6ca8b59f7a4afa92c77e6ed737f080 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	7b80c3055432a07680932778e2709e392b6b9dea21157badea76a14a4fc1f93a file-hashintel-blogmalware	Medium	53	Jun 2, 26
URL	https://ntpluck.online/29mNqbkQB96clqjJMRsdVKa94ILLxbFclUe3wf4KSx0rRPtI9M/download/eeab4aec6ad3b271c303d927db55de273bbca008ebf00e06898336c6f3010296 aptespionageintel-blog	High	58	Jun 2, 26
SHA256	8b80626c8a42fe35c5d1fd2e1372fb57cfcf8b9eb969b1580350461389d227cc file-hashintel-blogloader	Medium	53	Jun 2, 26
SHA256	58f911d183b09ef9d587d1e59a5d17f9273581cee9891f4642e349b4f9f678b1 file-hashintel-blogloader	Medium	53	Jun 2, 26
SHA256	64cda4837fc50bd651078d9a3925d6c8993a3b5426fba19cef16bd02c96e0520 file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	71ad29aeabbbd78b7414541e48064a0bfb9d96b47d7a3a48f53729817fe54ab5 file-hashintel-blogmalware	Medium	53	Jun 2, 26
URL	https://ssltop.online/l402XY5rTBxLPOJDTnqlRCePwy2puTnieDSFVaHEKOyb0Eqh3y/download/32712a3f7ec72fac4535b47017135a72b4994ee69440eff95221fed673d41fdc exploitintel-blogmalware	High	58	Jun 2, 26
SHA256	183a31a1615a18a6a9a86be41d342e4b5b10b0266ac6970ae46dc7e9d194307d file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	4394ff157a86a44e5694ba40c93a982ac17c2f70c727b00efee63528f64b95de file-hashintel-blogmalware	Medium	53	Jun 2, 26
SHA256	ad8c30add66c0043299fac827f1ffa174c786bcff846184cd2c135024c1d340b file-hashintel-blogloader	Medium	53	Jun 2, 26
URL	https://zeccecard.com/116739/person_image/1167273647/48980/cis8petition/0201787911?asdzq</li><li>https://zeccecard.com/grain/duke</li><li>https://arrotech.org/pathclass/33205/freehash/katy</li><li>https://woburneast.com/171751/20020722/1306wicadigi023.pdf</li><li>https://woburneast.com/t2376/dom/fwcookiemanager/bs_afp/872794</li></ul><p>Domains</p><ul><li>ntpluck.online</li><li>ntpsum.online</li><li>ssltop.online</li><li>certcalc.online</li><li>ntptop.online</li><li>zeccecard.com</li><li>arrotech.org</li><li>woburneast.com</li></ul><h3>MITRE intel-blogmalwarenetwork	High	58	Jun 2, 26
SHA256	4b8f437cd41c53a698c430a975fc7074e374712aca4c52fa49a8ab395b184f88 file-hashintel-blogmalware	Medium	53	Jun 2, 26

IOC Relationship Graph

IOC Relationship Graph40 total IOCs

SHA256URL

scroll to zoom · drag to pan · click IOC to open