Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 45 threat intelligence reports and compiled a concise summary of each report, accompanied by the relevant extracted metadata. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure
Link: https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf
Summary: The intrusion into a critical infrastructure network in the Middle East, attributed to the Iranian state-backed group Lemon Sandstorm, highlights a significant cyber threat evolving from May 2023 to February 2025. The breach, which began in May 2021, was uncovered following unusual activity on a Microsoft Exchange server and involved a range of tactics, including credential theft and the use of multiple malware backdoors, such as Havoc and HanifNet. The adversaries executed sophisticated strategies for long-term access and evasion, including web shell deployments, lateral movement via RDP, and credential harvesting with tools like Mimikatz, alongside efforts to regain access through targeted phishing campaigns despite remediation efforts by the victim organization.
Threats: fox_kitten_group havoc hanifnet hxlibrary neoexpressrat plink_tool ngrok_tool meshcentral_tool systembc credential_harvesting_technique remoteinjector_tool credinterceptor_tool psexec_tool reversesocks5_tool darkloadlibrary recshell dropshell mimikatz_tool bohrium_group netstat_tool shadow_copies_delete_technique vssadmin_tool nanodump_tool credential_dumping_technique netcat_tool angry_ip_scanner_tool lolbin_technique discordgo redline_stealer cobra anydesk_tool unc1878_group netpass_tool process_injection_technique advanced-port-scanner_tool putty_tool W64/Injector.D!6Btr W32/Agent.D49str!tr W64/Injector.D!bttr powershell_shell_tool netscan_tool winpeas_tool W64/Agent.06D9!tr W64/Agent.2EBC!tr W64/Agent.0B8D!tr hacc2_tool
Indicators of compromise:
-------------------------
ip: 194[.]213[.]188[.]182, 95[.]179[.]217[.]91, 104[.]238[.]191[.]185, 45[.]66[.]249[.]200, 144[.]202[.]84[.]43, 199[.]247[.]8[.]233, 201[.]174[.]232[.]77, 20[.]74[.]232[.]77, 85[.]237[.]211[.]226, 154[.]47[.]17[.]157, 5[.]255[.]100[.]203, 64[.]176[.]165[.]17, 185[.]174[.]101[.]116, 95[.]179[.]196[.]58, 45[.]147[.]230[.]159, 194[.]213[.]18[.]182, 162[.]33[.]178[.]234, 64[.]176[.]65[.]17, 66[.]155[.]198[.]44, 51[.]255[.]100[.]203, 45[.]177[.]220[.]3, 13[.]126[.]63[.]42, 13[.]232[.]22[.]61, 13[.]232[.]27[.]141, 13[.]233[.]205[.]122, 3[.]6[.]98[.]240, 185[.]186[.]244[.]66, 146[.]70[.]233[.]3, 154[.]47[.]171[.]57, 185[.]174[.]101[.]16, 89[.]41[.]216[.]206, 151[.]236[.]22[.]79
domain: hewlettpackardupdates[.]info, cdn[.]update[.]net, apps[.]gist[.]githubapp[.]net, gupdate[.]net, appstgs[.]com, connect[.]mozilla[.]one, schema[.]postman[.]sh, cluster[.]amazonaws[.]work, encomerrit[.]com, supportskype[.]com, amazonas[.]work, cluster[.]amazonas[.]work, githubapp[.]net, update[.]net, s3[.]amazonas[.]work, encomerri[.]com, appstg[.]com, apps[.]gst[.]githubapp[.]net, cdn[.]update4[.]net, savock[.]com
url: https://docs[.]google[.]com/document/export?format=txt&id=1gSrK2dZ1Ti0j4fG7BtbzSE7A_sm8riV5UHDOvKZGbko, https://docs[.]google[.]com/document/export?format=txt&id=13njrS8e3Yb3hVrksQ9SoALsOCgBCphtLC4RGe-EsyerQ, https://docs[.]google[.]com/document/export?format=txt&id=1_DCxIushx-ChOL4N_P2Pi74Dpq3_9CJKzn17leRrj3M, http://savooks[.]com, https://savoooks[.]com, https://docs[.]google[.]com/document/export?format=txt&id=1zg3DwBgkRUajyhd1s-P29Jn5odnimr36j3_xz8Ff8UVc, https://docs[.]google[.]com/document/export?format=txt&id=1ywJBwB5vc4uUSA3a1ebzUb0zd93bdED2yhs-xbK7vvc, https://appsgts[.]com:443, https://s3[.]solarcom[.]ch/gist[.]githubusercontent[.]com/resources/logo[.]png, https://drive[.]usercontent[.]google[.]com/download?id=1VKmqdpSlWL1IcCr9qvQOABx2Kf7Bbe&export=view, https://gitlab[.]com/core-view/mmocr-ref-manual/-/raw/main/MM0077B2[.]png, https://raw[.]githubusercontent[.]com/Ocr-text2image-mos/mmocr_ref/refs/heads/main/demo/resources/mmocr-logo[.]png, https://social1[.]zerotier[.]app:443/agent[.]ashx, http://supportskype[.]com, https://docs[.]google[.]com/document/export?format=txt&id=1YrwJBv85vc4uuSAiebzUb0zd93iibEDZyh-xbK7wC, https://docs[.]google[.]com/document/export?format=txt&id=1Zg3Dw8qRkUAyhdiS-P2Jnso6tmir36j3_xsE8fUko, https://docs[.]google[.]com/document/export?format=txt&id=1gk5Cr4ZT01jYq678b7SZrA[.]sm8nYSiUHDkC2K0k, https://docs[.]google[.]com/document/export?format=txt&id=13njS8ey3hJYvHvHSQOSALsOQbC8ntL14rG-EysreO, https://docs[.]google[.]com/document/export?format=txt&id=1-DLcxTshux-Cb0L4N-P2p2T4Dk2y9YKClnL7eRjPM, https://social[.]zerotier[.]app:443/agent[.]ashx, https://drive[.]usercontent[.]google[.]com/download?id=1Vkzmqds5LWT1tCEQqvQOABk2X7fBbeExpor&view, https://gitlab[.]com/ocr-view/mmocr-ref-manual/-/raw/main/M0077f82[.]png, https://raw[.]githubusercontent[.]com/Ocr-text2image-mos/mmocr_ref/ref/heads/main/demo/resources/mmocr-logo[.]png, https://3[.]solarcom[.]ch/gist[.]github[.]io/resources/logo[.]png
email:

Title: TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks
Link: https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/
Summary: ESET researchers have analyzed a lateral movement tool named Spellbinder, used by a China-aligned threat actor known as TheWizards, to launch adversary-in-the-middle (AitM) attacks. This tool employs IPv6 SLAAC spoofing to navigate compromised networks and intercept legitimate software update traffic, particularly from Chinese software systems, redirecting it to malicious servers. The analysis revealed that following these attacks, a downloader is deployed to install a modular backdoor called WizardNet, which can bypass Windows security mechanisms and enables communication with a command-and-control server. TheWizards has targeted regions such as the Philippines, Cambodia, UAE, and China since 2022, operating in coordination with other cyber threat entities, including a Chinese supplier of malware.
Threats: slaac_spoofing_technique thewizards_group aitm_technique spellbinder wizardnet rozena darknights mango moonshine darknimbus earth_minotaur_group badbazaar process_injection_technique polymorphism_technique
Indicators of compromise:
-------------------------
ip: 43[.]155[.]116[.]7, 43[.]155[.]62[.]54, 111[.]13[.]100[.]92, 43[.]135[.]35[.]84, 103[.]243[.]181[.]120
domain: hao[.]com, vv[.]ssl-dns[.]com, mkdmcdn[.]com, assetsqq[.]com, ssl-dns[.]com
url: http://43[.]155[.]62[.]54:81/app/minibrowser11_rpl[.]zip, http://43[.]155[.]62[.]54:81/app/plugin-audiofirstpiece[.]ml
hash:
- sha1=da867188937698c7769861c72f5490cb9c3d4f63
- md5=da73153c76b6f652f9b2847531d1c367
- md5=a961766c1b2e5133d589be1cf47e3338
- sha1=4db38a097ae4d5e70b2f51a8ee13b0c1ee01a2a1
- sha1=0cba19b19df9e2c5ebe55d9de377d26a1a51b70a
- sha1=1a8147050af6f05dea5fbca1ae1ff2ffd2b68f9c
- sha1=5b70a853d8e989ad102d639fbf7636b697313abc
email:

Title: Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims
Link: https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/
Summary: Arctic Wolf Labs has uncovered a sophisticated cyber campaign orchestrated by the financially motivated threat group Venom Spider, which is targeting corporate HR departments through spear-phishing emails that exploit job search platforms. The campaign delivers malicious resumes designed to install a backdoor known as More_eggs, capable of executing various harmful activities such as credential theft and data exfiltration. The infection process involves sending phishing emails that lure victims into downloading compromised resumes, utilizing advanced techniques like CAPTCHA bypassing and time-delay execution to evade detection. Furthermore, Venom Spider's network infrastructure has become more complex, employing cloud services and anonymously registered domains to avoid scrutiny, underscoring the persistence and evolving methods of this threat actor.
Threats: venom_spider_group polymorphism_technique more_eggs spear-phishing_technique magecart_group lolbin_technique terraloader
Indicators of compromise:
-------------------------
ip: 208[.]109[.]231[.]95
domain: municipiodechepo[.]org, ryanberardi[.]com, doefstf[.]ryanberardi[.]com, dtde[.]ryanberardi[.]com, tool[.]municipiodechepo[.]org
url: http://doefstf[.]ryanberardi[.]com/ikskck, https://tool[.]municipiodechepo[.]org/id/243149, http://doefstf[.]ryanberardi[.]com, http://dtde[.]ryanberardi[.]com, http://dtde[.]ryanberardi[.]com/ikskck, https://beta[.]w3[.]org[.]kz/release/info, https://host[.]moresecurity[.]kz/host/info, https://developer[.]master[.]org[.]kz/api/v1, https://ssl[.]gstatic[.]kz/ui/v2, https://report[.]monicabellucci[.]kz/295693495/info, https://cast[.]voxcdn[.]kz/yui/yui-min[.]js, https://blog[.]jasonlees[.]com/latestnews/info, https://contactlistsagregator[.]com/j2378745678674623/ajax[.]php, https://onlinemail[.]kz/version44/info, https://stats[.]wp[.]org[.]kz/license[.]txt, https://api[.]incapdns[.]kz/v1
hash:
- md5=ec103191c61e4c5e55282f4ffb188156, sha256=f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016
- md5=c16aa3276e4bcbbe212d5182de12c2b7, sha256=bd49b2db669f920d96008047a81e847ba5c2fd12f55cfcc0bb2b11f475cdf76f
- md5=ebb5fb96bf2d8da2d9f0f6577766b9f1, sha256=2fef6c59fbf16504db9790fcc6759938e2886148fc8acab84dbd4f1292875c6c
- sha256=0af266246c905431e9982deab4ad38aaa63d33a725ff7f7675eb23dd75ca4d83, md5=2da2f53ffd9969aa8004d0e1060d2ed1
- sha256=f873352564a6bd6bd162f07eb9f7a137671054f7ef6e71d89a1398fb237c7a7b, md5=17158538b95777541d90754744f41f58
- sha256=184788267738dfa09c82462821b1363dbec1191d843da5b7392ee3add19b06fb, md5=46f142198eeeadc30c0b4ddfbf0b3ffd
- sha256=ccb05ca9250093479a6a23c0c4d2c587c843974f229929cd3a8acd109424700d, md5=b1e8602e283bbbdf52df642dd460a2a2
email:

Title: Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
Link: https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/
Summary: In March 2025, members of the World Uyghur Congress were targeted by a spearphishing campaign that exploited a compromised version of the Uyghur language text editor, UyghurEditPP, to deploy Windows-based malware for remote surveillance. The attack, attributed to state-affiliated actors from the Chinese government, began as early as May 2024 and utilized social engineering techniques tailored to the Uyghur community. The malware, a trojanized Windows Forms application, enables remote command execution and transmits system information to designated command and control servers. This incident highlights the ongoing threat of digital transnational repression against the Uyghur diaspora, with significant implications for their advocacy efforts and overall well-being.
Threats: fake_uyghureditpp_campaign spear-phishing_technique i-soon_leak_campaign typosquatting_technique
Indicators of compromise:
-------------------------
ip: 95[.]179[.]132[.]219, 45[.]32[.]174[.]44, 149[.]28[.]146[.]29, 139[.]180[.]130[.]141
domain: tengri[.]ooguy[.]com, anar[.]gleeze[.]com, gheyret[.]com, gheyret[.]net, uheyret[.]com, wanar[.]gleeze[.]com
url: https://tengri[.]ooguy[.]com/gheyret/Update
hash:
- sha256=70af9a31d4470502a39d71ca566d604317a5ecbf9181a64379c9ee761e2f95ab
- sha256=a9e76af3f3b04b9dd65e2e4dec8d5b00f8f67b420809da8b742651cc86e4270f
- sha256=94a87dadeaac24bbc26c85d032b86a45cfd131516666e8e5d888f78986d1e993
email:

Title: Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting
Link: https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting
Summary: MintsLoader is a malicious software loader that has been active since February 2024, primarily used in phishing and drive-by download campaigns to deploy various secondary payloads, including the remote access trojan GhostWeaver and the infostealer StealC. It employs a multi-stage infection process, starting with heavily obfuscated JavaScript that invokes a PowerShell script, which uses a time-dependent domain generation algorithm (DGA) for command-and-control communication, making detection difficult. The threat actor group TAG-124, also known as LandUpdate808, is linked to MintsLoader and utilizes bulletproof hosting services to enhance resilience against countermeasures.
Threats: mintsloader ghostweaver stealc boinc_tool tag-124_group landupdate808_group socgholish_loader asyncrat clickfix_technique kongtuke_group unc4108_group
Indicators of compromise:
-------------------------
ip:
domain: sesraw[.]com
url: http://gibuzuy37v2v[.]top/1[.]php?s=mints13
hash:
- sha256=fb0238b388d9448a6b36aca4e6a9e4fbcbac3afc239cb70251778d40351b5765
email:

Title: Rolling in the Deep(Web): Lazarus Tsunami
Link: https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/
Summary: In fall 2024, HiSolutions uncovered a cryptocurrency theft linked to the "Contagious Interview" campaign attributed to North Korean threat actors, revealing the use of sophisticated malware named Tsunami Framework. Researchers Luca Di Domenico and Alessio Di Santo detailed the malware's modular architecture, which includes credential stealers and cryptocurrency miners, alongside deployment methods utilizing a malicious loader called BeaverTail that connects through third-party domains. The analysis highlighted the use of a Python-based launcher and various persistence mechanisms, including manipulation of system settings and scheduled tasks, to enable ongoing operations and data theft through modules designed to gather sensitive information, including credentials and specific file types, with command and control facilitated via the TOR network and Pastebin.
Threats: lazarus_group tsunami_botnet contagious_interview_campaign tsunami_framework invisibleferret chromiumstealer ethereumminer exodusstealer geckostealer secretfilestealer
Indicators of compromise:
-------------------------
ip: 23[.]254[.]229[.]101
domain:
url: http://23[.]254[.]229[.]101/cat-video
hash:
- sha256=ab7608bc7af2c4cdf682d3bf065dd3043d7351ceadc8ff1d5231a21a3f2c6527
- sha256=3769508daa5ee5955c7d0a5493b0a159e874745e575ac6ea1a5b544358132086
- sha256=28660b81fd4898da3b9a861af716dc2ed60dd6a6eb582782e9d8451b1f257630
- sha256=a2ae1da09f7508ff34bd9acc672b3cf456e053bb46d4aa3cd283a7f263e37acb
- sha256=e9571e21150d7333bfada0ef836adad555547411a2b56990da632f64d0262ef8
- sha256=3f424b477ac16463e871726cbb106d41574d2d0e910dee035fbd23241515e770
- sha256=b25e1a54e9c53bf6367c449be46f32241d1fd9bf76be9934d42c121105fb497d
- sha256=bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed
- sha256=f96744a85419907e7c442b13beeefb6f985f3905a992dfefee03820ec6570fea
- sha256=2883b1ae430003f3eff809f0461e18694ee1e2bc38c98f9eff22a50b5043a770
- sha256=94186315edde9ab18d6772449bb0b33a37490c336fccbc81bc7a6b6b728232b1
- sha256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
email:

Title: Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government
Link: https://www.seqrite.com/blog/advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government/
Summary: The Pakistan-linked APT group Transparent Tribe (APT36) has been identified as conducting targeted phishing campaigns against Indian government and defense personnel, particularly using documents themed around the "Pahalgam Terror Attack." Discovered shortly after the April 22, 2025 attack, the campaign employed fake domains that mimic legitimate agencies like the Jammu & Kashmir Police to harvest credentials from government email accounts. A notable phishing document authored by "Kalu Badshah" included malicious payloads, including the Crimson RAT malware, which facilitates data exfiltration and system manipulation. This operation reflects APT36's established pattern of exploiting sensitive geopolitical issues to mislead and gather intelligence against Indian military and governmental entities.
Threats: transparenttribe_group crimson_rat qilin_ransomware ppam_dropper spear-phishing_technique
Indicators of compromise:
-------------------------
ip: 93[.]127[.]133[.]58, 37[.]221[.]64[.]134, 78[.]40[.]143[.]189, 45[.]141[.]58[.]224, 78[.]40[.]143[.]98, 84[.]54[.]51[.]12, 45[.]141[.]58[.]33, 104[.]129[.]27[.]14
domain: kashmirattack[.]exposed, jkpolice[.]gov[.]in[.]kashmirattack[.]exposed, iaf[.]nic[.]in[.]ministryofdefenceindia[.]org, email[.]gov[.]in[.]ministryofdefenceindia[.]org, email[.]gov[.]in[.]departmentofdefenceindia[.]link, email[.]gov[.]in[.]departmentofdefence[.]de, email[.]gov[.]in[.]briefcases[.]email, email[.]gov[.]in[.]modindia[.]link, email[.]gov[.]in[.]defenceindia[.]ltd, email[.]gov[.]in[.]indiadefencedepartment[.]link, email[.]gov[.]in[.]departmentofspace[.]info, email[.]gov[.]in[.]indiangov[.]download, indianarmy[.]nic[.]in[.]departmentofdefence[.]de, indianarmy[.]nic[.]in[.]ministryofdefenceindia[.]org, email[.]gov[.]in[.]indiandefence[.]work, email[.]gov[.]in[.]drdosurvey[.]info
url: https://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed/service/home, https://iaf[.]nic[.]in[.]ministryofdefenceindia[.]org/publications/default[.]htm, https://jkpolice[.]gov[.]in[.]kashmiraxxack[.]exposed/service/home, https://email[.]gov[.]in[.]ministryofdefenceindia[.]org/service/home, https://email[.]gov[.]in[.]departmentofdefenceindia[.]link/service/home, https://email[.]gov[.]in[.]departmentofdefence[.]de/service/home, https://email[.]gov[.]in[.]indiangov[.]download/service/home, https://indianarmy[.]nic[.]in[.]departmentofdefence[.]de/publications/publications-site-main/index[.]html, https://indianarmy[.]nic[.]in[.]ministryofdefenceindia[.]org/publications/publications-site-main/index[.]htm, https://email[.]gov[.]in[.]briefcases[.]email/service/home, https://email[.]gov[.]in[.]modindia[.]link/service/home, https://email[.]gov[.]in[.]defenceindia[.]ltd/service/home, https://email[.]gov[.]in[.]indiadefencedepartment[.]link/service/home, https://email[.]gov[.]in[.]departmentofspace[.]info/service/home, https://email[.]gov[.]in[.]indiandefence[.]work/service/home
hash:
- md5=c4fb60217e3d43eac92074c45228506a
- md5=172fff2634545cf59d59c179d139e0aa
- md5=7b08580a4f6995f645a5bf8addbefa68
- md5=1b71434e049fb8765d528ecabd722072
- md5=c4f591cad9d158e2fbb0ed6425ce3804
- md5=5f03629508f46e822cf08d7864f585d3
- md5=f5cd5f616a482645bbf8f4c51ee38958
- md5=fa2c39adbb0ca7aeab5bc5cd1ffb2f08
- md5=00cd306f7cdcfe187c561dd42ab40f33
- md5=ca27970308b2fdeaaa3a8e553c86cd3e
- md5=d946e3e94fec670f9e47aca186ecaabe
- md5=e18c4172329c32d8394ba0658d5212c2
- md5=2fde001f4c17c8613480091fa48b55a0
- md5=c1f4c9f969f955dec2465317b526b600
- md5=026e8e7acb2f2a156f8afff64fd54066
- md5=fb64c22d37c502bde55b19688d40c803
- md5=70b8040730c62e4a52a904251fa74029
- md5=3efec6ffcbfe79f71f5410eb46f1c19e
- md5=b03211f6feccd3a62273368b52f6079d
email:

Title: Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan
Link: https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html
Summary: In March 2025, the APT group Earth Kasha, associated with APT10, executed a targeted espionage campaign against government agencies and public institutions in Taiwan and Japan using spear-phishing techniques. This operation utilized a new version of the ANEL backdoor and a dropper called ROAMINGMOUSE, which leveraged macro-enabled Excel files within email attachments to initiate infections. The campaign was characterized by the use of compromised legitimate accounts to distribute phishing emails with enticing subjects and links, alongside evasion techniques that adjusted behavior based on the presence of security software. Additionally, the second-stage backdoor NOOPDOOR demonstrated enhancements, including support for DNS over HTTPS and a domain generation algorithm for obscuring command and control communications, reflecting the group's evolving tactics since at least 2017.
Threats: mirrorface_group spear-phishing_technique anel stone_panda_group sharphide_tool noopdoor roamingmouse anelldr dll_sideloading_technique noopldr
Indicators of compromise:
-------------------------
ip: 172[.]233[.]73[.]249, 172[.]105[.]62[.]188, 192[.]46[.]215[.]56, 139[.]162[.]38[.]102
domain: srmbr[.]net, kyolpon[.]com
url:
hash:
- sha256=1e0a7737a484699d035c0568771c4834c0ff3fb9ba87aded3c86705e10e9bb0e
- sha256=2110b9a4c74d1c8be1aed6ebcff2351cad3d16574026fe4697a9c70810fb1d9e
- sha256=488201c08219f5cbd79d16702fb909d4e8ad8fa76819a21e0f262e2935e58dd2
- sha256=517ef26be8b9fb1af0e9780b244827af4937ad2fa4778a0bd2d9c65502ce54e1
- sha256=63e813b5bf94bdec9ce35c9d7311f76c3a35728d158ade0a6487fc99c73dcf31
- sha256=69e2a259e0136b61a3acad3f8fad2c012c75c9d8e26e66a3f0af1e7c23506b5c
- sha256=6edf72495e03ca757fa55beb2ea02492f2e7a4b85ca287a9d08bbe60e390c618
- sha256=705e5f1245e59566895b1d456aee32d4bff672a6a00f2cd390d7d50c12316dee
- sha256=712b81f1a82b9ea9a304220ed87c47c329392c2ce040ed3bff936fe33456acff
- sha256=72ece359a3c6f286d174b9cccc7c963577749e38e28f5ecf00dd4c267478a693
- sha256=75d6f82962f380f7726142490068879240c3c507427f477cf25268b524c30339
- sha256=7b61ed1049ba5f5b8d9725f32cff1ef1e72ef46e2a1dd87bd2b33e73e7333f44
- sha256=8cdcd674a0269945dd4c526b5868efb6df8854a127fd5449e57e89905511391d
- sha256=9569c4044f8cf32bc9a0513ed7c4497bb6ab71b701c53e58719ef259b3716751
- sha256=9c24b60574f39b0565442a79a629a2944672f56acca555e81275e5079382d98b
- sha256=9e4c155f4d096d9a0529e83fd21197f3dba20cc4eef48045fd018334384dd513
- sha256=a12a34d329ccc305dca2306e2d698945f1413c013fe99d4bb069db2127f47806
- sha256=a14c9ae22ca8bdb4971a03f61b2bcc5f140abb51c6922ab7c92ea09ee14dd3bd
- sha256=a347e1efbfca3722c9e8cc86eba3b288f7e4fae9d386f2a8969faffb125a74c5
- sha256=ac8c36075ac0085c7d1e96b3fc08c15a151373186e564486dd91d2e49b2dd287
- sha256=ad050545b65ecbb2178f678c654d84d14986a77051897927e56b5c2893c33608
- sha256=b56aa48721cd1119a9e06ed9c2f923a1dda5f9aa079dc0e4fd66ab37e33649e8
- sha256=cb0848d79d2eef76e1d4ff602e0844d03b614d4c25a1b5e3f0ae5c33ea5500b9
- sha256=cf6ed83d7dcc13f500486044d1af606ceb12c387568ccbb498e01cc7d8005dbd
- sha256=e123fa2abf1a2f12af9f1828b317d486d1df63aff801d591c5e939eb06eb4cfc
- sha256=e5b99572581df7a5116511be3f03b9f1a90611235b8288d9f59141876adb1ef1
- sha256=eeec3a94500ecd025ecdd559e15e4679e26c1347e534944721abe416b49f3871
- sha256=f502102c5c598d5b9e24f689a3b09b1d2f6702226049a573c421b765867391b3
- sha256=fc8c574088af4f74cf84c5c04d522bb1665f548cb17c6192552eb9b783401009
- sha256=362b0959b639ab720b007110a1032320970dd252aa07fc8825bb48e8fdd14332
- sha256=78f7b98b1e6f089f5789019dab23ac38f77c662fd651ee212d8451ee61b2fc0c
- sha256=7fb4c9f041d4411311437e12427aaf09d369bc384faa2de4b5bc8ae36a42190e
- sha256=4f3ec89d5ea0a513afa3f49434f67b7e1540a4a8a93d078def950bd94d444723
email:

Title: Operation Deceptive Prospect: RomCom Targeting UK Organisations through Customer Feedback Portals
Link: https://www.bridewell.com/insights/blogs/detail/operation-deceptive-prospect-romcom-targeting-uk-organisations-through-customer-feedback-portals
Summary: In March 2025, the cyber threat campaign "Operation Deceptive Prospect," attributed to the Russian-based RomCom threat actor (also known as Storm-0978), was uncovered. This group, active since at least 2022 and focused on espionage and financially motivated operations, exploited customer feedback portals of UK companies in various sectors through social engineering tactics, delivering phishing emails with links to malicious documents. The campaign employed advanced techniques for malware delivery, including a multi-stage redirection process and the use of an executable disguised as a PDF file signed with a compromised certificate. RomCom has a history of exploiting critical vulnerabilities, such as a CVE in Microsoft Word and a zero-click attack in Mozilla Firefox, and its operations suggest a blend of cybercrime and state-oriented espionage objectives.
Threats: deceptive_prospect_campaign void_rabisu_group spear-phishing_technique underground_ransomware cuba_ransomware peapod snipbot com_hijacking_technique romcom_rat
Indicators of compromise:
-------------------------
ip: 45[.]95[.]18[.]138, 77[.]91[.]76[.]176, 185[.]117[.]91[.]134, 77[.]239[.]101[.]131, 213[.]139[.]205[.]220, 193[.]42[.]39[.]159
domain: gdrive-share[.]online, 1dv365[.]live, 1dv365[.]drive, opn[.]to, gcloud-drive[.]com, 1dvstorage[.]com, cloudedrive[.]com, datadrv1[.]com, onelivedrv[.]com, drivepoint[.]pub, drshare[.]online, cloudly[.]live, 1dcloud[.]live, drivenc[.]pub, onestorelink[.]live, 1day[.]live, 1drv365[.]online, my-drive365[.]pub, 365msdrv[.]live, my1drv[.]live, data-dv[.]live, ondv[.]live, onedrweb[.]live, 1dv[.]online, sharedrive[.]pub, drivehost[.]live, dvcloud[.]live, cloud1dv[.]com
url:
hash:
- sha256=8183f4b75cbe318a34846b0d8bb9caf219b4b2686d14a531090b6550398cbbca
- sha256=4055e3a45d63778dfc5775ae6e512fb3991df1dadf91630a26ed5747e350f75f
- sha256=b7d48c6982fa1ce21ac9bf4a0a95e109ec2b92176a05556deb920600fb21d57b
- sha256=3191542dc4c94d5b9f85e00aa60c6d0e48f42ad936e8dbba714962564141e2bd
- sha256=58d5fffdf41da83b0eef0ea3dd208f371cef87e118cfde4976b83de9158083d1
- sha256=c77c73fdb66fb0e8720979adcc36081bc6cf8defbfb0adb9c3ec19188a922320
- sha256=99e6daaa559dc0f812dfd03aa68a8a862cfb5779fa734c6c9e7d7d6ad1286b03
- sha256=e48bcdb4af6e2f8945adba74a1dc4c7657c75344afc2b487a0373440bb200748
- md5=37b1151994483cd67441c44382804318, sha256=8b683ed0d1cd0139093e21889be077d0e4e50e7adaf638b56e2077df5c6eda4b
email: a-z+//[.]a-z+0-9- 6@yahoo[.]com, 0-9- 6@yahoo[.]com, brain[.]welch381761@yahoo[.]com, kajzer[.]david962701@yahoo[.]com, calvertadam317304@yahoo[.]com

Title: Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis
Link: https://unit42.paloaltonetworks.com/phishing-campaign-with-complex-attack-chain/
Summary: In December 2024, a multi-layered phishing attack was detected, utilizing deceptive emails that masquerade as order release requests to spread malware, including variants of Agent Tesla, Remcos RAT, and XLoader. The attack starts with phishing emails containing malicious attachments; when the attached archive is executed, it launches a JavaScript encoded file that functions as a downloader for a remote PowerShell script. The PowerShell script, which carries a Base64-encoded payload, installs either .NET or AutoIt compiled executables that inject malware into system processes, a strategy intended to improve resilience and evade detection by layering complexity into the execution flow.
Threats: agent_tesla formbook remcos_rat process_injection_technique snake_keylogger dotnet_reactor_tool
Indicators of compromise:
-------------------------
ip:
domain:
url: ftp://ftp[.]jeepcommerce[.]rs, https://files[.]catbox[.]moe/rv94w8[.]ps1, https://files[.]catbox[.]moe/gj7umd[.]ps1
hash:
- sha256=00dda3183f4cf850a07f31c776d306438b7ea408e7fb0fc2f3bdd6866e362ac5
- sha256=f4625b34ba131cafe5ac4081d3f1477838afc16fedc384aea4b785832bcdbfdd
- sha256=d616aa11ee05d48bb085be1c9bad938a83524e1d40b3f111fa2696924ac004b2
- sha256=550f191396c9c2cbf09784f60faab836d4d1796c39d053d0a379afaca05f8ee8
- sha256=61466657b14313134049e0c6215266ac1bb1d4aa3c07894f369848b939692c49
- sha256=7fefb7a81a4c7d4a51a9618d9ef69e951604fa3d7b70d9a2728c971591c1af25
- sha256=8cdb70f9f1f38b8853dfad62d84618bb4f10acce41e9f0fddab422c2c253c994
- sha256=c93e37e35c4c7f767a5bdab8341d8c2351edb769a41b0c9c229c592dbfe14ff2
email: kel-bin@jeepcommerce[.]rs

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
The report review above summarises several distinct threat activities. This analysis focuses on the actor that is explicitly named and attributed in the first summary, Lemon Sandstorm; the other campaigns are not covered here.
# Threat Actor: Lemon Sandstorm
## Attribution & Identity
Attributed to the **Iranian state-backed group Lemon Sandstorm**.
## Activity Summary
Involved in an intrusion targeting a **critical infrastructure network in the Middle East**. The breach began in May 2021 and was uncovered following unusual activity on a Microsoft Exchange server; the documented activity spans May 2023 to February 2025. The actor attempted to regain access through targeted phishing campaigns even after the victim organization had carried out remediation.
## Tactics, Techniques & Procedures
- Credential theft
- Use of multiple malware backdoors (Havoc, HanifNet)
- Web shell deployments
- Lateral movement via RDP
- Credential harvesting using tools like Mimikatz
- Targeted phishing campaigns for re-entry
## Targeting
- Sectors: Strategic Middle East Critical Infrastructure
- Geography: Middle East
- Victims: Unspecified critical infrastructure network
## Tools & Infrastructure
- **Malware families used**: Havoc, HanifNet. Other tags attached to the report (fox_kitten_group, bohrium_group, unc1878_group) name related groups or tooling; only Havoc and HanifNet are explicitly described as used by Lemon Sandstorm in this incident.
- **Infrastructure (C2, domains, IPs)**: the IP addresses, domains and URLs (C2 communication and payload hosting) extracted from the Fortinet report are listed in full under that report's Indicators of compromise in the Full Report section above.
## Implications
Lemon Sandstorm poses a significant, long-term cyber threat, specifically targeting strategic infrastructure in the Middle East. Their focus on achieving long-term persistence and actively attempting to regain access post-remediation indicates a dedicated, state-level commitment to ongoing espionage or disruption capabilities against high-value targets.
## Mitigations
- Strengthen controls around Microsoft Exchange servers to prevent initial web shell or credential exploitation.
- Enhance network monitoring for RDP lateral movement initiated from unusual sources or accounts.
- Implement robust credential hygiene and regularly audit for harvested credentials.
- Proactively monitor for indicators related to known Lemon Sandstorm malware like Havoc and HanifNet.
---
*(Note: The other campaigns in this week's review, including the Agent Tesla/Remcos RAT phishing chain, are not summarised here; Lemon Sandstorm is the first specifically named and attributed actor in the review.)*