Full Report

Last week we analysed 25 threat intelligence articles and compiled a concise summary of each along with the pertinent metadata that was extracted. Below are short summaries of 10 of them, with the related threats, tools and threat actors, a link to the source, and the indicators of compromise (IoCs) extracted from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software
Link: https://www.ctfiot.com/221918.html
Summary: APT-C-26, also tracked as Lazarus, is an advanced persistent threat group that actively targets financial institutions and cryptocurrency exchanges using techniques such as phishing, direct network attacks, and ransomware. In this campaign the group weaponised the IPMsg installer by embedding malicious code that loads a DLL, which connects to a remote control server for backdoor access and data theft. The communications protocol involves sending and verifying payloads, and the attack reuses the previously seen domain cryptocopedia.com, indicating a continuation of the group's established tactics.
Threats: lazarus_group
Indicators of compromise:
ip: 5[.]6[.]18[.]0
domain: cryptocopedia[.]com
url: https://cryptocopedia[.]com/upgrade/latest[.]asp, https://cryptocopedia[.]com/explorer/search[.]asp
hash:
- md5=a7b23cd8b09a3ce918a77de355e9d3e5

Title: Advancing Through the Cyberfront, LegionLoader Commander
Link: https://trac-labs.com/advancing-through-the-cyberfront-legionloader-commander-6af38ebe39d4
Summary: LegionLoader, also known as Satacom or CurlyGate, is a downloader malware first identified in 2019 that has evolved to deliver various malicious payloads, particularly through deceptive installer websites.
Discovered by Mandiant, it spreads a malicious Chrome extension and has recently transitioned to delivering different stealers alongside its extensions, communicating with a command-and-control server via an MSI binary. The malware employs techniques such as API hammering for sandbox evasion, process hollowing to inject into explorer.exe, and dynamically generated communication sequences, and it reads registry keys to obtain its encryption keys, ultimately allowing it to retrieve and execute additional payloads with customisable configurations.
Threats: legionloader, cursedchrome_tool, lumma_stealer, rhadamanthys, stealc, api_hammering_technique, process_hollowing_technique, riseprostealer, process_injection_technique, dll_sideloading_technique
Indicators of compromise:
domain: dns-beast[.]com
url: https://gulbur[.]com/1488/236[.]bin, https://1blob[.]monster/pidaras/170[.]exe, https://2j[.]tel/WCorprIIFS
hash:
- sha256=079fb5014960ae886daa979650af571ea6787ca45f5ccefe312104dedbc0df3d
- md5=7140d3852c128c498cb8edb657ae1880

Title: Inside FireScam: An Information Stealer with Spyware Capabilities
Link: https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities
Summary: The CYFIRMA report analyses FireScam, an Android information stealer masquerading as a Telegram Premium app and distributed through a phishing website hosted on GitHub.io. The malware uses a multi-stage infection process in which a dropper APK installs the payload, which then conducts extensive surveillance by monitoring notifications, messages, and user activity on infected devices.
FireScam employs evasion techniques including obfuscation and sandbox detection, uses Firebase for command-and-control communication and data exfiltration, and targets specific Android API levels; by trading on the popularity of a well-known app it poses a significant global threat.
Threats: firescam, dexguard_tool
Indicators of compromise:
domain: s-usc1b-nss-2100[.]firebaseio[.]com
url: https://rustore-apk[.]github[.]io/telegram_premium, https://androidscamru-default-rtdb[.]firebaseio[.]com, https://firebaseinstallations[.]googleapis[.]com/v1/projects/androidscamru/installations, https://s-usc1b-nss-2100[.]firebaseio[.]com/[.]ws?ns=androidscamru-default-rtdb&v=5&ls=*
hash:
- md5=5d21c52e6ea7769be45f10e82b973b1e, sha256=b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b
- md5=cae5a13c0b06de52d8379f4c61aece9c, sha256=12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1

Title: Phishing Attack Compromises Cyberhaven's Chrome Extension, Impacts Thousands — What You Need to Know
Link: https://socradar.io/phishing-attack-cyberhaven-chrome-extension
Summary: On December 24, 2024, a phishing attack targeted a Cyberhaven employee and led to the compromise of the company's Chrome extension. The attacker used credentials obtained through a deceptive email, crafted to look like it came from the Google Chrome Web Store Developer Support team, to publish a malicious update that stole cookies and authentication tokens from users over the following days.
Investigations revealed that the same attack also affected other popular extensions, impacting a total of around 600,000 users and indicating a large-scale phishing campaign that has been active since at least April 2023.
Threats: cyberhaven_breach_campaign
Indicators of compromise:
ip: 149[.]28[.]124[.]84, 149[.]248[.]2[.]160
domain: cyberhavenext[.]pro, api[.]cyberhaven[.]pro
hash:
- sha256=ddf8c9c72b1b1061221a597168f9bb2c2ba09d38d7b3405e1dace37af1587944
- sha1=ac5cc8bcc05ac27a8f189134c2e3300863b317fb
- sha1=0b871bdee9d8302a48d6d6511228caf67a08ec60

Title: Tycoon 2FA: Analyzing and Hunting Phishing-as-a-Service Domains
Link: https://www.validin.com/blog/tycoon_2fa_analyzing_and_hunting_phishing-as-a-service_domains
Summary: The post provides an in-depth analysis of the Tycoon 2FA phishing campaign, starting from a phishing sample submitted to ANY.RUN. It outlines how the Tycoon 2FA platform functions as a Phishing-as-a-Service kit designed to defeat two-factor authentication, using techniques such as JavaScript manipulation. The analysts used Validin to trace over 800 domains linked to the campaign, correlating them through DNS history and fingerprinting server responses to identify 1332 unique second-level domains associated with the attack.
The comprehensive examination reveals the campaign's extensive infrastructure and the methods its operators use to make their phishing attempts more effective.
Threats: tycoon_2fa
Indicators of compromise:
domain: disruptgive[.]com, mvz[.]nvkhytoypg[.]ru, nvkhytoypg[.]ru, kristinachildress[.]com, cargoallrisk[.]co[.]uk, nudelaw[.]com, chsworks[.]org, virtualyouporn[.]com, zigzaglyf[.]store, thehouseofknowledge[.]in, hygge-health[.]com, vipvendingco[.]com, reginawoodard[.]org, miloclemen[.]nl, shiftssocial[.]com, garagedekho[.]com, carolinefwinstel[.]org, kennettcreative[.]com, aussys[.]co[.]in, evencomfier[.]com, vibrant-stylez[.]com, pacificarch[.]ca, bioventureinstitute[.]com, expletivebrand[.]com, dirtygnome[.]au, catherinesaunders[.]co[.]uk, emotionalhealingmadesimple[.]com, dcweightloss[.]org, venezuelanadventure[.]com, homestagingboss[.]com, staydrye[.]com, tajaman[.]com, artbeermarketplace[.]com[.]co, easysocial[.]ai, omalidesigns[.]com, darlarealtor[.]com, fcpweb[.]org, findbankownedlistings[.]com, nonnomtruck[.]com, nolongerdreaming[.]info, bloomtherapeutics[.]co[.]uk, mountdoravintage[.]com, pot[.]direct, detroitdigitalservices[.]com, tytalbotfunding[.]com, nationalchristianplayfestival[.]com, mydemoacademy[.]com, betheshield[.]com, passportchargesystems[.]com, passportchargesystem[.]com, squadcargo[.]com, airzenhospitality[.]com, nateschlein[.]com, aliensinthestars[.]com, beachcowgirl[.]co, motherknowsmess[.]com, keycoraldesigns[.]com, wispsales[.]com, pls-corp[.]net, med101diagnostic[.]com, caitlynstrickland[.]com, brentlewis[.]org, rg-pg[.]com, socialwise[.]ai, indiepublishingtoolkit[.]info, techwithtune[.]com, l-spectrum[.]com, movecrypto[.]com, sprinkleoflights[.]com, blissbarbeauty[.]com, realamericandressing[.]com, stagingheros[.]com, vintagepastor[.]org, stinsonpictures[.]com, rewardfabric[.]com, disciplebetter[.]org, rentchinesefood[.]com, drcharliegoetschel[.]com, ultimateeyevitamins[.]com, 
qualitykinghomeinspections[.]com, craveitsolutions[.]com, stevenlenney[.]com, iwcaindustries[.]com, downsizeassist[.]co[.]nz, happyvalleycbdoil[.]com, toddderby[.]org, koparkinsons[.]com, xeetech[.]co, cleverdisarrayphotography[.]com, web10[.]host, freecondopriceanalysis[.]com, nationalchristianplayfestival[.]net, allsecuredcapital[.]com, middlebeast[.]co, betheshield[.]net, bestwayglobalconnect[.]com, comparebl[.]com, manninginvestmentgroup[.]com, cbvchurch[.]net, candidandkin[.]co, thesobarlife[.]com, affordablesouthla[.]com, letmetrythatforyou[.]com, mouseandfern[.]com, elpoderdelaaventura[.]com, sunshinestateinvestigations[.]com, eannphotography[.]com, monsterblacks[.]com, projectaspi[.]co, laurenlaravia[.]com, djcustomhome[.]com, induschain[.]com, zigzaglyf[.]com, embassyatlantahub[.]com, cynthiatrent[.]com, minimebot[.]com, pissbook[.]com, benjisboards[.]net, liriolis[.]com, hideamask[.]com, embassyofatlanta[.]com, weserveyourealty[.]com, navarrehomes4sale[.]com, pooppatrol[.]co, vivaloe[.]com[.]br, seppieisthenewmanager[.]com, counterpepe[.]com, sfxbr[.]org, chandlerclarke[.]com, 360pornbible[.]com, bottlesandsmoke[.]com, ilstproductions[.]com, kenfong[.]com, playmeout[.]com, wrenchestorichesbook[.]com, arisedrone[.]pro, candidandkin[.]com, charahsol[.]com, jesusknowhim[.]com, socialwisesystem[.]com, alissonaguiar[.]com, fycas[.]org, jerseyshorewines[.]com, firearmsforlife[.]com, jennaherrera[.]com, theempoweredphotographer[.]com, localgamenights[.]com, go-koi[.]com, silverangelshome[.]com, chiefnme[.]com, awalterappraiser[.]com, passportchargersystem[.]com, nonnomtrux[.]com, colettecrowley[.]com, itmpost[.]info, tengusupply[.]com, talatstudio[.]com, letustrythatforyou[.]info, projectaspi[.]net, skyahbusinessconsulting[.]com, dietonbudget[.]com, thenujudo[.]org, magicandmartinis[.]ca, landtosky[.]art, watchservicenow[.]com, alcalainternational[.]com, nurse2[.]com, briancberger[.]com, burghdogs[.]com, caseygoetschel[.]com, uzerreviews[.]com, igfirehose[.]com, 
relentlessplaybook[.]com, floridacoastalrealtors[.]com, brickzillaxxx[.]com, wellnessevaluation[.]com[.]au, braddavidson[.]ca, leoneclark[.]net, usawasabi[.]io, comalcountycouture[.]com, goosenotes[.]com, hanukkahgame[.]com, usateastar[.]com, phrescue[.]org, calvaryartists[.]com, vr360fitness[.]com, arisedroneprofessionals[.]com, nuclearenergytruth[.]org, blackguysfuckgirls[.]com, c3studio[.]agency, bonghornsbakehouse[.]net, rarelyflawless[.]com, contractapplication[.]com, sherriescreations[.]com, khlobugraces[.]com, boringoldme[.]co[.]uk, kenmorekidsdentist[.]info, calvarylouisville[.]org, mainetruckrepair[.]com, physicanwebdesign[.]com, thenarrowroadbook[.]com, dirtyelves[.]com, platinumsoirees[.]net, guppygangfarms[.]com, calvarychurchbouldervalley[.]net, gratefultrekking[.]com, smallgreenfootprint[.]com, paytonfong[.]com, tribalwearnyc[.]com, bucketsandbunches[.]com, ellieschenck[.]com, blairconnell[.]com, mrsingerisland[.]com, dixon[.]capital, ssbuildingcompany[.]com, claudiarosenthalsoprano[.]com, back-to-school[.]info, guardinfresh[.]com, becomeastagerboss[.]com, servicedaccommodationfurniturepacks[.]co[.]uk, lederstein[.]com, kantipurtravels[.]com, vistainfosys[.]com, wakeupcartoons[.]com, superiorlove[.]net, glittergirlmedia[.]com, seendancing[.]info, 365proti[.]com, fordataservices[.]com, golfballni[.]co[.]uk, idatalabz[.]com, serenajeong[.]com, hotmalesfuck[.]com, rosesikes[.]com, lash-ly[.]com, trugenius[.]com, rchobbyhub[.]com, brentwoodnsteel[.]shop, avighnatechno[.]com, ivetterodriguez[.]com, stagingheros[.]mobi, madlymini[.]com, aiyzel[.]com, yournotablenotarynj[.]com, solefyre[.]com, delcoquizzo[.]com, dirtygnome[.]com[.]au, maineventpartyrentalinc[.]com, studiothreellc[.]com, protectyoursoul[.]org, gigadelphia[.]com, uzerapproved[.]com, divitiaeadvisors[.]com, chatwithjenna[.]com, lenavetstudio[.]com, demoacademy[.]in, boomers-cloud[.]shop, truth4ourtimes[.]org, specialtyventure[.]com, nopartleftbehind[.]com, participationchamps[.]com, 
paradamar[.]com[.]br, happymover[.]net, maisha[.]live, blackasmilk[.]com, kkcgllc[.]com, compassioncrowd[.]com, awakenmagics[.]com, blessedbeyondproperties[.]com, hempselandgretel[.]com, raystownrental[.]com, novoinsights[.]com, platinum-remodeling[.]com, hooraybespokegoods[.]com, 7travel[.]co[.]uk, seetaorecordings[.]com, mkonlinestoreinvestments[.]com, avenuebookcentre[.]com, baratope[.]com, nolongerdreaming[.]org, nguyennguyen[.]us, isbitcoinreal[.]org, athirdoftheword[.]org, blueshipcorp[.]com, wispadviser[.]com, yourgmc[.]com, oliveandviolet[.]com, zoomwithhenna[.]com, iglesiariverside[.]org, lipisoftinc[.]com, zenhikeflorida[.]com, nikolajchristensen[.]com, superiorlove[.]org, fuditoken[.]info, ponderosawaterfront[.]com, nursezrus2[.]com, oaklandandmacombhomes[.]com, kensingtonkarma[.]com, thesearemytales[.]net, likesold[.]com, ashleyraejohnson[.]com, sub9triathlete[.]com, brentwoodnsteel[.]com, ecosystems[.]digital, cremaeda[.]com, moverszoom[.]co[.]uk, lilakahn[.]com, snapshark[.]com, aflygirl[.]net, imlending[.]info, oncgroup[.]us, iwcindustries[.]com, gracehall-wyldes[.]co[.]uk, verito[.]io, chelseastephens[.]com, ocpga[.]com, sugarmapledaddy[.]com, levelupcyclehouse[.]com, fortunepillarsfinancial[.]com, harrogaterental[.]com, becomeconsistent[.]com, davidscatterday[.]com, bentstrings[.]com, holymackerelptown[.]com, growflexmarketing[.]com, boomers-cloud[.]info, ritikakhandpurmd[.]com, theaudioastronaut[.]com, breakawake[.]com, kreatorpreneurship[.]com, yourchicagomortgagepro[.]com, kitiojo[.]com, stockmarketminute[.]com, modencapital[.]com, bsideshairstudio[.]com, bootyfuckers[.]net, sprinkleoflight[.]com, koni-usa[.]com, letsmakeitright[.]net, movesfitnesszoom[.]co[.]uk, eduardobronstein[.]com, mydirtyhouseboy[.]com, seetransfuck[.]com, momsprerolls[.]com, proverbs[.]plus, letustrythatforyou[.]com, fuegosupreme[.]com, itsdarby[.]com, rei-heroes[.]com, travelografo[.]com, poderdelaaventura[.]com, katherineanddan2023[.]com, brodleys[.]com, 
newburymadison[.]com, lexpride[.]org, lovejewl[.]com, elpoderdelaaventuravzla[.]com, kwwdreschool[.]com, kingdomtoys[.]in, shopviva[.]com[.]br, veganlifemarket[.]com, mekmanagement[.]com, scenecaresidence-officials[.]com, zoomersfitness[.]co[.]uk, publishingtoolkit[.]store, bioventurecoach[.]com, garagewale[.]services, magadoodles[.]com, urohealthlabs[.]com, indiepublishingtoolkit[.]org, ginvitational[.]com, themagnoliagiftcompany[.]com, casaimport[.]ca, chappellarchitecture[.]com, sunraiconsulting[.]com, jfingerworks[.]com, a3rdoftheword[.]info, seendancing[.]org, kkconsultinggroupllc[.]com, usawasabi[.]com, myinsagentnow[.]com, soulsisterssunday[.]com, valoinvestments[.]com, rootz305[.]com, shophandyhelpers[.]com, murphyminna[.]com, moldremovalgurusct[.]com, calvarychurchlouisville[.]com, eyesontheguy[.]com, tryflexmarketing[.]com, leizetheday[.]com, hmofurniturepacks[.]com, yuhiyanagisawa[.]com, homestagingclientsonrepeat[.]com, diversityunscripted[.]com, bigoldicks[.]com, rentinginbrooklyn[.]com, kelmeteam[.]com, momshelpingmomsofkidswithautism[.]com, easingwoods[.]com, litio[.]digital, suttondirtworks[.]com, miocello[.]se, wellspringfamilyinstitute[.]net, induschain[.]io, hibernatehostels[.]com, mpmysfoundation[.]com, virtlraces[.]com, thenujudo[.]com, goldenexcellenceinc[.]com, boyplusgirl[.]org, sevenexpeditions[.]com, morphnow[.]com, silvertravertinepavers[.]com, janetyoung[.]nl, 1240zionroad[.]com, zacharyein[.]com, atlvintage[.]com, indiepublishingtoolkit[.]net, rebvolf[.]org, cauzcolony[.]com, seppielovesroblox[.]com, richnerdart[.]com, rewardslabs[.]io, mindbytescoaching[.]com, alltogether123[.]com, 7figurestager[.]com, prestonhome[.]co, elchalten[.]eu, headrushshampoobar[.]com, lowerpeco[.]com, mkidk[.]dk, greenertextiles[.]com, 911-beauty[.]com, roarables[.]com, cloudnineconcierge[.]co, mascotgrooming[.]com, katiitornick[.]com, luminarepublishing[.]com, confidentchoices[.]com, drinkdeuxmoi[.]com, themagnoliagift[.]co, alo[.]social, spencer[.]doctor, 
alternativemagic[.]world, newlifechrist[.]com, cigarcitycomics[.]com, lipsoftinc[.]com, bookworkstudio[.]net, angiescatalog[.]com, willjohnson[.]net, twoboysandabeagle[.]com, allsecuredcapital[.]net, truearthskincare[.]com[.]au, thayerprops[.]com, fm-fo[.]com, teamrelentlesstraining[.]com, gofigurepodcast[.]com, alludehealth[.]com, minimebot[.]ai, intellifact[.]ca, srqlifestylerealty[.]com, poderdelaaventura[.]org, 7club[.]co[.]uk, bennettsbroncos[.]com, nothingshouldbenoticed[.]com, backtohealthnutrition[.]com, figuresfinancial[.]com, howdoichangemylife[.]com, charlesgoetschel[.]com, griffonacademie[.]com, mefithq[.]com, finksair[.]net, tourplot[.]com, yourenotmypeople[.]com, junepinkney[.]com, beyoundareds[.]com, midiafonte[.]com, ashevillecitykombucha[.]com, wispdealer[.]com, movesfitnesslive[.]com, mintmomentum[.]com, teacurl[.]com, phillyana[.]info, tikitimeoc[.]com, tidfilm[.]com, blackedking[.]com, commoncauz[.]org, wildcatmerch[.]com, levelupcyclehouse[.]net, calvarychurchlouisville[.]info, paterbrothers[.]com, radfordadditions[.]com, shopwithbelinda[.]com, give1get5[.]com, thevancouverscene[.]ca, ulzzanggang[.]com, bookworksstudio[.]com, hairku[.]org, moyamathison[.]com, besttravertinepavers[.]com, magnoliagift[.]co, garnetroseyoga[.]com, drguberman[.]org, integrone[.]com, maestosagallery[.]com, basicelectronicguide[.]us, mywishcraft[.]com, myfigures[.]ai, tangicogifts[.]com, afyonmarblepavers[.]com, cedillosbookdesign[.]com, guiltysociety[.]com, aansuya[.]com, pinevalleyinv[.]com, boringoldme[.]com, murphylanecompanies[.]com, moneyforjunkcarsnewyork[.]com, wonderkochavi[.]info, seanangst[.]com, thehimnetwork[.]com, peytonames[.]org, kengharue[.]com, rentinginparkslope[.]com, prestonhomecare[.]com, express-feet[.]com, disruptgiv[.]com, gcgetconnected[.]com, xn--sn-store-jsb[.]com, web10[.]online, carsluv[.]com, wishcraft[.]co[.]in, notmytempo[.]band, rentinparkslope[.]com, freshfollow[.]net, nuclearenergytruth[.]com, wispbroker[.]net, sewmags[.]com, 
alloregroup[.]com, middlebeast[.]info, extremeelectrician[.]com, thisishowwedidthat[.]com, go2boco[.]com, mattbabz[.]com, utaggme[.]com, prolific-mastermind[.]com, bonghornsbakehouse[.]org, thoroughlyenjoyable[.]com, sigmadatasystem[.]com, yilmazv[.]com, silverangelshomes[.]com, aspiproject[.]com, goodthingsgoodvibes[.]com, theprestonreport[.]com, itryout[.]org, lisforliving[.]com, mydirtyhandyman[.]com, asequiblesurla[.]com, n60uk[.]com, artbeermarketplace[.]com, usa-sprouts[.]com, polestardetails[.]com, iasamx[.]com, easingwood[.]net, funstuffapps[.]com, timforlines[.]net, marianslove[.]org, houserentalx[.]com, praisetemplecog[.]com, sapsolutionsservices[.]com, gypset-honey[.]com, woweducate[.]net, go2boco[.]org, seventhsignature[.]com, seendancing[.]us, blueshirt[.]us, breathofangels[.]com, vsrvu[.]com, griffonacademie[.]ca, shredboardshop[.]com, aking[.]nyc, meetingwithliv[.]com, mefithq[.]co[.]uk, cbvchurch[.]com, middlebeast[.]biz, stepbystepmiami[.]com, sharifgifts[.]ca, hedgewitchholistics[.]com, akgproperties[.]com, moneyyoutube[.]com, dirtymoneyproductions[.]com, ppc-overwatch[.]com, shopthebuttons[.]com, seattlepickleballleague[.]com, jbcarpetcleaners[.]com, seeflexmarketing[.]com, chiropraxiscare[.]com, caraconnell[.]com, raystownwatersports[.]com, ispadviser[.]com, solepurposesaratoga[.]com, aibao[.]me, katlawmanphotography[.]co[.]uk, anjalithakkar[.]com, virtualjizz[.]com, meerafoods[.]com, spotlightthem[.]com, catengage[.]com, makemoneyhannah[.]com, boomers-cloud[.]co, unknownempire[.]ca, kayjoplinphotography[.]com, brentwoodnsteel[.]info, ausatechnology[.]com, louisvillelove[.]net, neverendingfilmcompany[.]com, emercionavarro[.]com, draditisharma[.]com, yaritzacreative[.]com, seehimrimmed[.]com, bowlofchina[.]com, tooppo[.]com, golfspiff[.]com, lodescom[.]com, calvarychurchbouldervalley[.]org, howtostage101[.]co[.]uk, plantedfirmly[.]com, simpnproperties[.]com, web10[.]live, grassdoor[.]co, yogalab[.]fitness, seventhsign[.]org, prolificmethod[.]com, 
visionheadconsulting[.]com, divinesolesaratoga[.]com, ateliermaisonbysb[.]com, myinnergamecoach[.]com, carsrus[.]us, elephantintheroomproductions[.]net, waitguard[.]com, theakinagency[.]com, calvarylouisville[.]info, gestaodoconhecimento[.]org, defined-ink[.]com, custombusinessreports[.]com, louisdethanhoffer[.]ca, letmemakeit[.]com, takitoli[.]com, blackstarlingrevue[.]com, nolongerdreaming[.]net, luxetravertinepavers[.]com, elitelanguages[.]com, francinethepug[.]com, teamrelentless2022[.]com, businessfundingformulas[.]com, whynot-us[.]com, wagyuandme[.]com, galefitgroup[.]com, fucktruckx[.]com, bjorn-christensen[.]com, pterradactyl[.]com, veritodb[.]com, myfirstdrink[.]co, empoweredphotograp-her[.]com, stonekeystorage[.]com, choicesff[.]com, twiceasmuchfun[.]com, costofdoingbusinesscalculator[.]com, mlabpathology[.]com, crowdcompassion[.]com, allsecurecapital[.]com, windenjewelry[.]com, projectartitude[.]com, pad-share[.]com, inventorenyc[.]com, estereovidadarien[.]live, insteader[.]app, soflobrewfest[.]com, virtlracing[.]com, ivyleagueluxury[.]com, calvaryarts[.]org, themagicalbeardcompany[.]info, kathyychang[.]com, jrkmiami[.]com, sewerrepairutah[.]com, dannyandbritt[.]com, sdstonecraftandtile[.]com, middlebeast[.]org, assistaway[.]com[.]au, movesfitnesszoom[.]com, verintsys[.]com, zainpryor[.]com, bglawnservices[.]com, isp-brokers[.]com, toddderby[.]net, getstraighttothepoint[.]com, ateacherthings[.]com, homefromhomecarehomes[.]com, timplux[.]com, osaicmerch[.]com, ispacquisitions[.]com, mylifeinspanglish[.]com, phillyforgives[.]com, insightfultalent[.]com, kelandsean[.]com, cds-visuals[.]net, sfp[.]services, scanlean[.]com, barrelheadsowensboro[.]com, nursetoo[.]com, seehimondemand[.]com, nutechenterprise[.]com, paradamar[.]com, jessicahayesconcertphotos[.]com, fitwithprachi[.]com, nicktaffs[.]ca, bayouavape[.]com, stephaniebaier[.]com, gypset-lifestyles[.]com, wisptrader[.]com, earthheadsalon[.]com, weareflexmarketing[.]com, coldbrunyc[.]com, 
raghasoftware[.]com, americanwealthllc[.]com, lemmemakeit[.]com, blchkr[.]com, kira[.]clothing, toptravertinepavers[.]com, noticednovella[.]com, boringoldyou[.]co[.]uk, personalinertia[.]com, enlight[.]social, artistandtheangler[.]com, physicianwebdesigns[.]com, lisaporras[.]com, armoruppe[.]com, landtosky[.]com, hoardingexpertsmo[.]com, postreme[.]com, bronzedbarbie[.]com, useflexmarketing[.]com, scalewithsocialchallenge[.]com, fostercsw[.]com, australianlinencollection[.]com[.]au, roolsjean[.]com, mysobar[.]com, mysundayset[.]com, patricktwantstofuckyou[.]com, basicelectronicguide[.]com, karmawinzz[.]com, thespectrumofhope[.]com, myfirstdrink[.]club, obicwx6d[.]bioventureinstitute[.]com, hocv8wcp[.]bioventureinstitute[.]com, wreathsbysierra[.]com, esphousingsolutions[.]com, drivenbidata[.]net, drivenbydata[.]io, somerset[.]drivenbydata[.]io, fb-marketplace-item3392376122[.]drinkdeuxmoi[.]com, arabstreetwears[.]com, underconstruction[.]world, callaloocaftans[.]com, hershconcepts[.]net, nolaplaytherapy[.]com, afterlifeaid[.]com, 6figurestager[.]com, zingstoks[.]com, movingaccountants[.]com, aerotape[.]com[.]au, datrans[.]in, meymeze[.]com, midtown-modern-officials[.]scenecaresidence-officials[.]com, cindyinspires[.]co[.]uk, hostmaster[.]loveseat[.]studio, ww16[.]loja[.]reiscell[.]com, ghostmule[.]com, travertinepaverssouthflorida[.]com, benjaminmalone[.]com, thesearemytales[.]com, makekindnesscontagious[.]com, wellsfar[.]auth[.]verif[.]integrone[.]com, plusharizonaliving[.]com, stkabob[.]com, liv-mb-officials[.]scenecaresidence-officials[.]com, support[.]lipisoftinc[.]com, thestonepavershop[.]com, rbcroyalbank[.]anatomyofacomeback[.]com, surveys[.]getnerdyhr[.]com, donnyisback[.]com, openmicstudios[.]net, geneworx[.]life, gr[.]iwcindustries[.]com, dan[.]movecrypto[.]com, 1[.]serenajeong[.]com, travertineboutique[.]com, libsiofficial[.]com, geneworx[.]info, seehimfucking[.]com, theflexmarketing[.]com, airluxeservices[.]com, globalstoneinstitute[.]info, 
blog[.]shopviva[.]com[.]br, knab-nl[.]shopviva[.]com[.]br, om[.]rewardslabs[.]io, uxbury[.]com, eyesontheguys[.]com, rochesterpondsupplies[.]com, yy87lk[.]bjorn-christensen[.]com, ximcar[.]bjorn-christensen[.]com, wellsfargosecureurl[.]jerseyshorewines[.]com, nochetravertinepavers[.]com, wu[.]kl4es[.]hamzahmahmood[.]com, secureregionss[.]com[.]ilstproductions[.]com, team5k[.]com, geneworx[.]org, travelinspanglish[.]com, ausatech[.]au, astorsoflondon[.]com, shadowcatfacepainting[.]com, anzelparis[.]com, virtualwomensevent[.]com, sap[.]sprinkleoflight[.]com, 100kg8vftme[.]worldquant[.]kpjon[.]maromjbu[.]phillyana[.]info, nocetravertinepavers[.]com, verifyuser[.]authentication[.]login[.]modencapital[.]com, volkany[.]com, dropbox[.]modencapital[.]com, passportchargersystems[.]com, apps[.]alo[.]social, chqh[.]team5k[.]com, blakecortright[.]us, participationchamp[.]com, jdyoung[.]kpwfaberjbu[.]phillyana[.]info, 100kgzaa5gd[.]jdyoung[.]kpwfaberjbu[.]phillyana[.]info, slatersellsgoof[.]com, sundip[.]com, officecorrected[.]modencapital[.]com, fho6vk[.]charlesgoetschel[.]com, ivbqno[.]charlesgoetschel[.]com, sandiegolandteam[.]com, hp[.]riddleelectric[.]com[.]soulsisterssunday[.]com, haveibeenwagnerd[.]com, verve-pr[.]com, pay[.]vibrant-stylez[.]com, drivenbidata[.]co, nvdcsadmin[.]org, mbo00[.]com, maelstrom0[.]com, e6mbo0[.]com, angs0[.]com, vega101[.]com, lithe121[.]com, galow21[.]com, gzpyc1[.]com, seren1[.]com, quintessen1[.]com, mignoter1[.]com, clementas1[.]com, ubiqauitous1[.]com, muvaffakiyet1[.]com, iconoclast1[.]com, af5x1[.]com, 9mnx1[.]com, teferruatqf12[.]com, nemonic22[.]com, subterfuge2[.]com, nexorable2[.]com, euvre2[.]com, azimusth2[.]com, rn7n2[.]com, bouillon2[.]com, k7kq2[.]com, r04ar2[.]com, perfidious2[.]com, impecunious2[.]com, sycophant2[.]com, flavescent2[.]com, 6ugt63[.]com, mk2nc3[.]com, isparate3[.]com, sycophante3[.]com, kaphobi3[.]com, rgoq3[.]com, onorous3[.]com, rendipit3[.]com, m2xt3[.]com, mht304[.]com, quixotic4[.]com, labyrinth4[.]com, 
zzfo4[.]com, ql8d05[.]com, udopseu65[.]com, ffeeb85[.]com, avarice5[.]com, hantriaf5[.]com, magnanim5[.]com, cacophon5[.]com, abngation5[.]com, vakjo5[.]com, obsequious5[.]com, mkanat5[.]com, rendipit5[.]com, 0eqy5[.]com, amboya6[.]com, atsaikhan6[.]com, parathyro6[.]com, stikrar6[.]com, nefarious6[.]com, kviu6[.]com, ellifluou6[.]com, r40447[.]com, m8tj87[.]com, myopic7[.]com, legance7[.]com, rchipelag7[.]com, i0th7[.]com, 8270k7[.]com, ternity28[.]com, w1t4b8[.]com, gj03h8[.]com, slrh8[.]com, 9sbn8[.]com, ycnrw8[.]com, panacea9[.]com, ineffable9[.]com, wu4f9[.]com, obfuscation9[.]com, ntowar9[.]com, pericliter9[.]com, sagacious9[.]com, fastidious9[.]com, zleu9[.]com, pocryph2a[.]com, l3l8a[.]com, j0h9a[.]com, desbulusca[.]com, whionablea[.]com, sesquipea[.]com, antyligha[.]com, pueldmadia[.]com, sespolpitia[.]com, voranixia[.]com, b09cla[.]com, ardaumfla[.]com, bin4tgla[.]com, ewsaustraila[.]com, allaeima[.]com, ndincoma[.]com, equiltisma[.]com, watetiona[.]com, bgxptmloa[.]com, oio0scra[.]com, achrokera[.]com, it2ua[.]com, irenitywa[.]com, livonexa[.]com, vorynexa[.]com, jarotexa[.]com, co8za[.]com, t2c00b[.]com, parwolab[.]com, chfietrab[.]com, vhzqjfhbb[.]com, andackerb[.]com, enfamxb[.]com, iocomopyb[.]com, z9hpac[.]com, sheadmortic[.]com, ketnplc[.]com, regandirc[.]com, alnucresc[.]com, nr3xc[.]com, 3kf2d[.]com, ckentrylad[.]com, taleyad[.]com, lucretiadd[.]com, ialeahed[.]com, thoroughd[.]com, rkhanaid[.]com, qi6kd[.]com, nt8ihand[.]com, 2f9od[.]com, 1vesd[.]com, yxnc2e[.]com, eiluae-ae[.]com, ablevenbe[.]com, iatrivvbe[.]com, kirkpllace[.]com, cquiesce[.]com, enpros-de[.]com, nemzondde[.]com, ranteliege[.]com, diskarghthe[.]com, s7kwje[.]com, elicerome[.]com, utleatere[.]com, tershire[.]com, estershire[.]com, ockisise[.]com, dacremuse[.]com, someolate[.]com, ivermarte[.]com, lonoreste[.]com, spelewave[.]com, onfundradve[.]com, ny4yze[.]com, n1b6f[.]com, sineaf[.]com, turpitudef[.]com, respousilif[.]com, chuylerf[.]com, schuylerf[.]com, siasetzsf[.]com, 
url: https://mvz[.]nvkhytoypg[.]ru/9SIt8c
hash:
- md5=1dacabac954305393d5bbe24713cb281
- sha1=3c0af39ecb3753c5fee3b53d063c7286019eac3b

Title: Understanding The Chrome Extension Threat Campaign — Beyond Cyberhaven
Link: https://www.hunters.security/en/blog/chrome-extension-threat-campaign
Summary: A recent campaign targeting Chrome extension developers has raised alarms within the cybersecurity community, involving tampered legitimate browser extensions uploaded to the Chrome Web Store.
Cyberhaven was initially targeted through a phishing attack that tricked an employee into granting OAuth consent, enabling the upload of a malicious extension with credential theft capabilities. Subsequent investigations by Hunters' Team Axon uncovered that attackers used phishing emails impersonating Google to deceive developers, allowing them to upload compromised extensions.
Threats: cyberhaven_breach_campaign
Indicators of compromise:
-------------------------
ip:
domain:
url:
hash:
- sha1=ac5cc8bcc05ac27a8f189134c2e3300863b317fb
- sha256=91ff6f07b3f2347da00b5ec9907d0b7753cca9c442cc9c0692c1c6aba1b90318
- sha256=b53007dc2404dc3a4651db2756c773aa8e48c23755eba749f1641542ae796398
- sha256=0e05fa617531e9c49b9e377b6715c21c909a8dd998cdd68fad09fc463f1dd2ba
- sha256=ddf8c9c72b1b1061221a597168f9bb2c2ba09d38d7b3405e1dace37af1587944
- sha256=a8d3027be48f61ae6174d067e59e89b7ec47ae19420470248733d8c4b75fda52
- sha1=0b871bdee9d8302a48d6d6511228caf67a08ec60

Title: dmpdump. PUBLOAD Likely Delivered to Thailand via GrimResource MSC
Link: https://dmpdump.github.io/posts/PUBLOAD_GrimResource
Summary: A malicious Microsoft Management Console (MSC) file titled "Invitation Letter.msc," detected on December 20, 2024, from Thailand, employs the GrimResource technique to perform various harmful actions, including disabling Task Manager and User Account Control (UAC) notifications. This MSC file establishes persistence for a file named jisucommon.exe, which is repurposed for DLL hijacking to load a malicious version of FileAssociation.dll, containing embedded shellcode that creates a socket connection to a remote server (45.150.128.212) on port 443.
The shellcode enables the execution of additional payloads and collects system information while showcasing a sophisticated evasion methodology and a potential intent for espionage or further malicious activities, underscored by a mocking element in the malicious DLL's PDB path.
Threats: pubload grimresource_technique dll_hijacking_technique
Indicators of compromise:
-------------------------
ip: 45[.]150[.]128[.]212:443, 185[.]62[.]57[.]118
domain:
url: http://185[.]62[.]57[.]118/jisu[.]RAR
hash:
- sha256=5b18f8b379cb32945ef7722b7ec175f5d24e7c468f6f5d593c51610f6b87f21f
- sha256=51a180669443596d313f27f9d4a59eff8b79856d9656828935b55cfcd2e234de
- sha256=381b0dac4c410ebaa37ee1172461a84bea87e9b0c32648556f42b9d510afe8cd
- sha256=d0cf78977f2b744ae3fd88da6532c3ff08af2961f553a7469e7416445d4f4432

Title: ClickFix Campaign: Fake Google Meet Alerts Spread Malware Across Windows and macOS
Link: https://socradar.io/clickfix-campaign-fake-google-meet-alerts-malware
Summary: The ClickFix campaign employs social engineering tactics to distribute malware across Windows and macOS systems by presenting fake Google Meet error messages that mislead users into downloading malicious files or executing harmful PowerShell commands. This cross-platform threat effectively targets various systems by exploiting user trust, leading to the installation of information-stealing malware like Lumma Stealer and DarkGate, which can compromise sensitive data including login credentials and cryptocurrency wallets.
Discovered through the analysis of these deceptive tactics, the ClickFix campaign highlights the increasing sophistication of cybercriminals in leveraging reputable platforms to facilitate malware distribution.
Threats: clickfix_technique lumma_stealer darkgate spear-phishing_technique
Indicators of compromise:
-------------------------
ip:
domain: severdops[.]ddns[.]net:8120
url:
hash:
- sha256=2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe
- sha256=92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138
- sha256=94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5

Title: Dark Web Profile: Gamaredon APT
Link: https://socradar.io/dark-web-profile-gamaredon-apt
Summary: Gamaredon APT, a Russian cyber espionage group linked to the Federal Security Service (FSB), has been active since 2013, primarily targeting Ukraine's government, military, and critical infrastructure sectors. Initially associated with the geopolitical unrest in 2014, Gamaredon's tactics have evolved to include phishing campaigns using themes like COVID-19, and their operations have extended to NATO-aligned entities.
The group employs custom tools and strategies including spear-phishing, weaponized USB drives, and the exploitation of legitimate services for Command-and-Control communication, consistently aligning their activities with Russia's strategic interests.
Threats: gamaredon_group litterdrifter spear-phishing_technique gammaload pterolnk gammadrop gammasteel pteropsdoor pterodoc pterosand pterodash pterotemplate fastflux_technique hidcon junk_code_technique ultra_vnc_tool rtf_template_inject_technique
Indicators of compromise:
-------------------------
ip:
domain: who-int[.]info
url:
hash:

Title: Clipboard hijacker tries to install a Trojan
Link: https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan
Summary: Cybercriminals have begun employing clipboard hijacking as a tactic to deceive users into executing malicious scripts, adapting to advancements in software security. A recent incident showcased a script designed to download Lumma Stealer, a malware-as-a-service tool aimed at information theft, specifically targeting cryptocurrency wallets, browser extensions, and two-factor authentication details. This trend highlights the growing complexity of cyber threats and the challenges faced by threat intelligence analysts in countering these increasingly sophisticated methods.
Threats: lumma_stealer
Indicators of compromise:
-------------------------
ip:
domain: solve[.]jenj[.]org
url: https://solve[.]jenj[.]org/awjxs[.]captcha?u=25330553-e0c1-4aea-99ed-f76df7024daa
hash:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
# Tool/Technique: Weaponized IPMsg Installer / Lazarus Backdoor Access
## Overview
This entry details the attack activities attributed to APT-C-26 (Lazarus), specifically focusing on the exploitation of a legitimate software installer (IPMsg) to deploy malicious code, resulting in backdoor access and data theft targeting financial institutions and cryptocurrency exchanges.
## Technical Details
- Type: Malware (Implied Backdoor/RAT deployed via infected installer)
- Platform: Not explicitly stated; likely Windows, since the payload is a DLL triggered by the IPMsg installer.
- Capabilities: Backdoor persistence, establishing remote control, data exfiltration.
- First Seen: Not dated in the source; described as recent activity.
## MITRE ATT&CK Mapping
Since the primary mechanism is the deployment of a malicious payload via a legitimate installer, the mapping focuses on Initial Access and Execution.
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (if a compromised website delivered the installer)
  - T1566 - Phishing (mentioned as a general TTP for the group)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File (executing the downloaded/acquired IPMsg installer)
  - T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking (implied by the triggering of a malicious DLL file)
## Functionality
### Core Capabilities
- Delivery of a remote access backdoor via a weaponized IPMsg software installer.
- The malicious code is triggered upon execution of the compromised installer.
- Establishing a persistent connection to a remote control server.
### Advanced Features
- Exploitation of a legitimate software installer (IPMsg) to bypass security scrutiny.
- Use of custom or established communication protocols for "sending and verifying payloads."
- Data theft operations targeting sensitive financial data.
## Indicators of Compromise
- File Hashes:
  - MD5: a7b23cd8b09a3ce918a77de355e9d3e5
  - SHA256: 079fb5014960ae886daa979650af571ea6787ca45f5ccefe312104dedbc0df3d
- File Names: Not explicitly listed, but associated with the IPMsg installer execution leading to DLL loading.
- Registry Keys: Not available in context.
- Network Indicators:
  - Domain: cryptocopedia[.]com
  - URLs:
    - https://cryptocopedia[.]com/upgrade/latest[.]asp
    - https://cryptocopedia[.]com/explorer/search[.]asp
  - IP Addresses: 5.*.*.* (partial range)
- Behavioral Indicators: Execution of the IPMsg installer triggering unexpected DLL loads or C2 beaconing.
## Associated Threat Actors
- APT-C-26 (Lazarus Group)
## Detection Methods
- Signature-based detection: Using provided file hashes against endpoint detection systems.
- Behavioral detection: Monitoring processes for unusual DLL loading initiated by legitimate application installers or unexpected network connections originating from those processes.
- YARA rules: Could be developed based on the embedded malicious code structure within the DLL or installer.
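The signature and behavioural checks above, run over constructed Sysmon-style events, as an added example that is not from the source report or from RST. The installer file names, the event shape and the sample telemetry are assumptions; only the MD5 and the domain come from this entry.

```python
from dataclasses import dataclass

# Indicators from the report entry above, re-fanged so they can be compared directly.
IOC_MD5 = {"a7b23cd8b09a3ce918a77de355e9d3e5"}
IOC_DOMAINS = {"cryptocopedia.com"}
# Hypothetical installer file names: the page names IPMsg but not the exact binary.
INSTALLER_NAMES = {"ipmsg.exe", "ipmsg_setup.exe"}
# DLL loads from these directories are treated as expected for any process.
SYSTEM_DLL_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/", "c:/windows/winsxs/")

@dataclass
class Event:
    """Minimal Sysmon-like endpoint event (constructed shape, not Sysmon's real schema)."""
    kind: str         # "process" (create), "imageload" (DLL load) or "network" (outbound)
    image: str        # path of the process performing the action
    md5: str = ""     # hash of the created process image, for "process" events
    loaded: str = ""  # path of the DLL, for "imageload" events
    dest: str = ""    # destination host name, for "network" events

def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()

def _is_installer(image: str) -> bool:
    return _norm(image).rsplit("/", 1)[-1] in INSTALLER_NAMES

def _matches_ioc_domain(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def evaluate(events):
    """Apply the signature and behavioural checks listed above; returns (rule, detail) pairs."""
    alerts = []
    for ev in events:
        if ev.kind == "process" and ev.md5.lower() in IOC_MD5:
            alerts.append(("hash_match", f"{ev.image} md5={ev.md5}"))
        elif ev.kind == "imageload" and _is_installer(ev.image):
            # Search-order hijacking shows up as the installer resolving a DLL from its own
            # (non-system) directory instead of the Windows system directories.
            if not _norm(ev.loaded).startswith(SYSTEM_DLL_DIRS):
                alerts.append(("installer_sideload", f"{ev.image} loaded {ev.loaded}"))
        elif ev.kind == "network" and _matches_ioc_domain(ev.dest):
            alerts.append(("c2_domain", f"{ev.image} -> {ev.dest}"))
    return alerts

# Constructed sample telemetry: one installer run matching the reported behaviour,
# plus a benign browser connection that must not fire.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\alice\Downloads\ipmsg_setup.exe", md5="A7B23CD8B09A3CE918A77DE355E9D3E5"),
    Event("imageload", r"C:\Users\alice\Downloads\ipmsg_setup.exe", loaded=r"C:\Windows\System32\kernel32.dll"),
    Event("imageload", r"C:\Users\alice\Downloads\ipmsg_setup.exe", loaded=r"C:\Users\alice\Downloads\version.dll"),
    Event("network", r"C:\Users\alice\Downloads\ipmsg_setup.exe", dest="cryptocopedia.com"),
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe", dest="example.com"),
]

def run_demo():
    return evaluate(SAMPLE_EVENTS)
```

On the sample the three rules fire once each (hash_match, installer_sideload, c2_domain); the hash rule is case-insensitive and the domain rule also matches subdomains of the listed C2 domain.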
## Mitigation Strategies
- Application Whitelisting: Restrict execution of unknown or unverified installers, even if they appear legitimate (like IPMsg).
- Network Monitoring: Block or alert on traffic destined for known C2 infrastructure, such as cryptocopedia[.]com.
- User Education: Train staff on spear-phishing and social engineering tactics used to trick users into running weaponized software installers.
## Related Tools/Techniques
- Previous activities linked to the domain cryptocopedia[.]com suggest a common infrastructure pool used by Lazarus.
- Phishing and direct network attacks (as generally mentioned for the group).