Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 62 threat intelligence reports and compiled a concise summary of the findings, along with the relevant extracted metadata. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Fake Zoom Ends in BlackSuit Ransomware
Link: https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/
Summary: In May 2024, a threat actor gained initial access through a fake Zoom installer distributed via a cloned download website; the installer acted as a downloader for several malicious payloads. The chain used d3f@ckloader to introduce the SectopRAT malware, which facilitated lateral movement and reconnaissance and led to the deployment of further payloads, including a Cobalt Strike beacon and the BlackSuit ransomware. The attacker relied on genuine-looking files and several parallel command and control channels to evade detection, in a well-coordinated intrusion that spanned roughly 194 hours before the ransomware was finally deployed.
Threats: blacksuit_ransomware brc4_tool cobalt_strike sectop_rat hijackloader qdoor nltest_tool shadow_copies_delete_technique vssadmin_tool passthehash_technique credential_dumping_technique rubeus_tool connectwise_tool dll_sideloading_technique meterpreter_tool dead_drop_technique
Indicators of compromise:
-------------------------
ip: 45[.]141[.]87[.]218, 5[.]181[.]159[.]31, 88[.]119[.]167[.]239, 143[.]244[.]146[.]183, 45[.]141[.]87[.]218:9000, 88[.]119[.]167[.]239:443, 143[.]244[.]146[.]183:443, 5[.]181[.]159[.]31:443
domain: zoommanager[.]com, administrative-manufacturer-gw[.]aws-usw2[.]cloud-ara[.]tyk[.]io, provincial-gaiters-gw[.]aws-use1[.]cloud-ara[.]tyk[.]io, megupdate[.]com:443, administrative-manufacturer-gw[.]aws-usw2[.]cloud-ara[.]tyk[.]io:443
url: http://78[.]47[.]105[.]28/manual/152/152[.]zip, http://78[.]47[.]105[.]28/manual/152/1522[.]zip
hash:
- sha256=b837bec967df6748b72c3b43c254532620977d0bbe0fc23e0c178c74516baab9, md5=80110fbb81d0407340b908bb43c815d3, sha1=8d4f2aa315ce17505b8698db22ec2526805645a4
- md5=d98fb34b4fa0f83d02e3272f1cb9c5fc, sha256=f34aad9a56ca9310f40ecbcb075e4be12aaf9ef60fd24893b5e8fb28934cd730, sha1=6c75e2c704f69aaa09cdfd455c7bdbf9336dc7fe
- sha256=ecb0b3057163cd25c989a66683cfb47c19f122407cbbb49b1043e908c4f07ad1, sha1=c5826e9e3c4b1fece4991f269fd4e5307e92bfe2, md5=91f69fa3439f843b51c878688963e574
- sha1=e50d9e3bd91908e13a26b3e23edeaf577fb3a095, sha256=3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef, md5=27304b246c7d5b4e149124d5f93c5b01
- md5=85144918f213e38993383f0745d7e41e, sha1=a6dcdfc8e97616c07549290950e78b145883e532, sha256=e6cfae572f777def856878e36bbacfaa82cb5662fc97c1492e2367a105dddbc9
- sha256=b594b8b91b6967e2fa6946753c8fd3f6ed3592c55c49a0ada7abd41752ae8a41, md5=ffb3755897b8d38ccc70b9c3baa38960, sha1=a25cfdcff675277035fb35add9d273934117e943
- sha256=cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15, md5=d1ba9412e78bfc98074c5d724a1a87d6, sha1=0572f98d78fb0b366b5a086c2a74cc68b771d368
- md5=9bddb0e95a03fdcea4c62210f5818184, sha1=3eb042e449c6097f29fad255d21aac336fae534b, sha256=cb53118ec2d578febfd311bcda298c716f1f543b24f780f2721f45df0bda3dc3
- md5=4b22032954a12677675add0de20d7b94, sha1=5b1e0d72435da7d3a97107cddc655be71769ba53, sha256=a8a88bf91d1280ffa59536a6e50f24fe9c1ef79f68a300ef047d92eec7231d9e
- md5=9fb4770ced09aae3b437c1c6eb6d7334, sha1=fe54b31b0db8665aa5b22bed147e8295afc88a03, sha256=a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
- sha1=328d5554025757e5ec8e2e9eee2ad97d0e986a59, sha256=b676dbc3e20fa7acb92c1cc0a90132798c482dbf43211793abb937bd43295d42, md5=8477ef317b8974e18ed84ca69b9f6a08
- sha256=58dde623e36fefe8038aa2d579d3d1f5394b96ea3623b3125876137b4ee08d80, md5=eae6cd02784743cde314afb8c533c5cd, sha1=a13061b229a225441f67d2b25ccda139ee21b14e
- sha1=951154980d3ddd4101b8e09b11669cbedc86f979, sha256=3967b38f763b2e58b0679bc0178247b855c68d761187c71c2f1760b6882e473a, md5=c0230d748e61819d9dfad0da03fe6ec8
- sha1=41360d3eae3a71dd60c9ac34788d6863ef4e3e30, sha256=63dcff4bad9576794c3a412cf8dae83b807a138cc09c4de64485bb8ec991cd4b, md5=f91fbe09b593fb1104b30e3343afb392
- md5=5b8ebe43ded7ba460e4827206329375a, sha256=e0f31fe28223b5bd22ce01c6bc1d3a4d3e030b9dc3c98440d11d72e67fdaa453, sha1=df774b96aa6f7ba914e7d6c1e3c448170e2e419e
email:

Title: Threat actors leverage tax season to deploy tax-themed phishing campaigns
Link: https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
Summary: Phishing campaigns timed to Tax Day have exploited financial anxieties to distribute a range of malicious tools, notably BruteRatel C4 (BRc4), Latrodectus, AHKBot, GuLoader, and Remcos. Microsoft attributed part of this activity to Storm-0249, an access broker active since 2021, which used tax-themed emails to lure victims into downloading harmful files. A large wave between February 12 and 28, 2025 affected over 2,300 organizations with deceptive emails leading to a RaccoonO365 phishing page, while a separate effort on March 3, 2025 focused on CPAs and used rapport-building emails before delivering malicious PDFs and ZIP files. The payloads, including AHKBot and GuLoader, were built to steal sensitive information and give the attackers extensive control of the compromised host.
Threats: brc4_tool latrodectus raccoono365_tool ahkbot cloudeye remcos_rat lookback storm-0249_group bazarbackdoor icedid bumblebee emotet looper screenshotter process_injection_technique api_obfuscation_technique
Indicators of compromise:
-------------------------
ip: 181[.]49[.]105[.]59
domain: slgndocline[.]onlxtg[.]com, muuxxu[.]com, proliforetka[.]com, shareddocumentso365cloudauthstorage[.]com, historyofpia[.]com, newsbloger1[.]duckdns[.]org
url: http://rebrand[.]ly/243eaa, http://slgndocline[.]onlxtg[.]com/87300038978, https://rosenbaum[.]live/bars[.]php, https://business[.]google[.]com/website_shared/launch_bw[.]html?f=https://historyofpia[.]com/Tax_Refund_Eligibility_Document[.]xlsm, https://acusense[.]ae/umbrella, https://historyofpia[.]com/Tax_Refund_Eligibility_Document[.]xlsm
hash:
- sha256=9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fc
- sha256=bb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6a
- sha256=9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e
- sha256=0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a
- sha256=4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec
- sha256=a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727
- sha256=a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7
- sha256=165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5
- sha256=3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960
- sha256=fe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422
email:

Title: Unmasking EncryptHub: Help from ChatGPT & OPSEC blunders
Link: https://outpost24.com/blog/unmasking-encrypthub-chatgpt-partner-crime/
Summary: EncryptHub is a cybercriminal who moved from pursuing a career in IT to ransomware operations and vulnerability research, driven by financial pressure and personal circumstances. Despite trying to improve his operational security over time, he made significant mistakes, including reusing weak passwords across accounts, not enabling two-factor authentication, and leaving a command and control (C2) server exposed, which is what allowed researchers to unmask him. He used ChatGPT to help develop malware and to research vulnerabilities, while also expressing ambitions to move into legitimate cybersecurity work and possibly start a security business, a clear tension between his criminal activity and his wish for recognition in the security field.
Threats: encrypthub_group skorikari_actor encryptrat uac_bypass_technique motw_bypass_technique fickle_stealer rhadamanthys
Indicators of compromise:
-------------------------
ip: 206[.]166[.]251[.]99, 193[.]149[.]176[.]228, 45[.]131[.]215[.]16, 82[.]115[.]223[.]231
domain: 0xffsec[.]net, eatertoken[.]com, friendlyguys[.]vip, echonex[.]ai, echonex[.]io, vexio[.]me, noexploit[.]net
url: https://vexio[.]io/application/Vexio[.]Meets[.]application
hash:
- sha256=6f346b7dffc0c3872923dd0c3b2ddb7966a10961dba9a69b116e5c3d978fa0fa
- sha256=4af78e2bbaae00130409b0427d8478656262fb5bf4eb356f1314cc1325dec68b
- sha256=6c0d18bb7c2ce6b576c741290f3bf4ee59cbe93bbdee8ac7e4e17cde2194f2c1
- sha256=9ec1696c72ffc7ff55460a982b4ff28c85c94e5b1a427f7b20ba513106a2ee82
- sha256=e7cdffc4c4879069692f09e625276b796a4ad3c890cc4a8012f9fb322292bcec
- sha256=f505b9825e78c0f2fccc4b2e15feeac3abec194f3c7c6992a7a4be7673b95ac3
- sha256=9d4d9fb810b958e6e7565fc58e84ccedbf7318ec504ce55d795f1b4fc01083f5
- sha256=8e3e11641cba6044b76c6f63a7299f44969908ea7a8e5deadc454f7fb51efa1b
- sha256=1f1147b7a5491864eb01724197a1767809bf866b6e5725bc22894edbc844b48f
- sha256=059cf7add3b960b9415b0bc9016fcfb2495792a54b7cdd0c7016f393cce9b7e6
- sha256=582b52418dc3ff3c63cf93962e8948c8d4a5b80885864a9559e8af0ad337b1d7
- sha256=8504dc098b1e1f41cec1b9cc0adb801d2e2063c2c46b0a25d13317d813e65508
- sha256=b154ecdcab89b750554e6cb2c8fe7297e9e974e0a4171866b5a632014f110b81
- sha256=1ab0e72159c4f374618ad923be37aaa04eefa1d03100f1662de0bfebbfd0310d
- sha256=f4f3b0ec89302410ce99ca88691c560eeaefa7261d654a64564fdab2968d3e93
- sha256=cb41b440148b2d24d4877ab09514aa23a4253a17a31967b946053ffcfc87f222
- sha256=92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603
- sha256=b1fa0c62e07f9ad0a625fd1474a197c1d687b985714c3d697981f5fbe4993266
- sha256=2740f00c8d9732b8afaf2ff6b5325fdaa7d58ae0b72568c030076ce068c4d8f7
email:

Title: From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
Link: https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
Summary: The ClickFake Interview campaign, discovered as part of Lazarus's ongoing targeting of the cryptocurrency industry, uses fake job interview websites to deliver malware, aimed in particular at less technical staff. During the fake video interview the site reports a camera or driver error and, in the ClickFix manner, asks the candidate to copy and run a command that supposedly fixes it; separate scripts for Windows and macOS then install the GolangGhost backdoor. Lazarus has shifted its focus from decentralized finance (DeFi) to centralized finance (CeFi) services, which keeps large crypto exchanges and financial platforms at persistent risk.
Threats: clickfake_interview_campaign lazarus_group clickfix_technique golangghost frostyferret contagious_interview_campaign dream_job_campaign sharpknot volgmer pondrat supply_chain_technique bluenoroff_group andariel_group hermit beavertail invisibleferret friendlyferret flexibleferret hackbrowser robinhood go-stealer
Indicators of compromise:
-------------------------
ip:
domain: api[.]smartdriverfix[.]cloud, vid-crypto-assess[.]com, assessiohq[.]com, blockassess[.]com, blockchainjobassessment[.]com, blockchainjobhub[.]com, candidateinsightinfo[.]com, coinbase-walet[.]biz, coinbase-walet[.]me, competency-core[.]com, devchallengehq[.]com, evalassesso[.]com, evalswift[.]com, quickskill-review[.]com, jobinterview360[.]com, livehirehub[.]com, talenthiring360[.]com, quickassessio[.]com, quickhire360[.]com, quickinterview360[.]com, eskillprof[.]com, evalvidz[.]com, intervwolf[.]com, vidcruiterinterview[.]com, vidcruitermaster[.]com, vidintermaster[.]com, skillhiretrack[.]com, skillprooflab[.]com, talentcheck[.]pro, talentsnaptest[.]com, talentview360[.]com, test-wolf[.]com, toptalentassess[.]com, ugethired360[.]com, vidassess360[.]com, vidassesspro[.]com, videorecruitpro[.]com, vidhirehub[.]com, zenspiretech[.]com, api[.]camdriverhub[.]cloud, api[.]camdrivers[.]cloud, api[.]camdriverstore[.]cloud, api[.]drivercamhub[.]cloud, api[.]driversnap[.]cloud, api[.]driverstream[.]cloud, api[.]provideodrivers[.]cloud, api[.]vcamdriverupdate[.]cloud, api[.]videocarddrivers[.]cloud, api[.]videodriverzone[.]cloud, api[.]videotechdrivers[.]cloud, api[.]vidtechhub[.]cloud, api[.]webcamdrivers[.]cloud, api[.]webcamwizard[.]cloud, api[.]camdriversupport[.]com, api[.]camera-drive[.]org, api[.]camtechdrivers[.]com, api[.]drivercams[.]cloud, api[.]drive-release[.]cloud, api[.]nvidia-drive[.]cloud, api[.]nvidia-release[.]org, api[.]nvidia-release[.]us, api[.]web-cam[.]cloud
url: https://api[.]smartdriverfix[.]cloud/nvidiadrivers-kp9s[.]update, https://api[.]smartdriverfix[.]cloud/coremedia-kp9s[.]sh, https://api[.]smartdriverfix[.]cloud/nvidiawins-update, http://38[.]134[.]148[.]218:8080, http://154[.]62[.]226[.]22:8080, http://72[.]5[.]42[.]93:8080
hash:
- sha256=e88700d069a856e1a16c0da317a6f18fa626dd2d46dcbee1a7403d2e2d9ed097
- sha256=bfac94bfb53b4c0ac346706b06296353462a26fa3bb09fbfc99e3ca090ec127e
- sha256=887189269c3594e1a851eb22f7c174a7c28618114b7dbaab6b645f34bd809f5a
- sha256=6289ef57b1772d78da0e54ba4730b6fc79f5ec1620ff63c3abaebea70190eba9
- sha256=0cbbf7b2b15b561d47e927c37f6e9339fe418badf49fa5f6fc5c49f0dc981100
- sha256=ef9f49f14149bed09ca9f590d33e07f3a749e1971a31cb19a035da8d84f97aa0
- sha256=3fec701b5e8486081c7062590f4ff947fcf51246cb067f951e90eb43dad930b4
- sha256=f4b4411e403dd5094eef9c8946522fc9a99cf1676c8de5926b3c343264b126e6
- sha256=d00ca82a32b5e8063492f27dfec225b0888cd6135db3e2af65be3782bbfa16e5
- sha256=6e186ada6371f5b970b25c78f38511af8d10faaeaed61042271892a327099925
- sha256=ba81429101a558418c80857781099e299c351b09c8c8ad47df2494634a5332dc
- sha256=b7b9e7637a42b5db746f1876a2ecb19330403ecb4ec6f5575db4d94df8ec79e8
- sha256=a803c043e12a5dac467fae092b75aa08b461b8e9dd4c769cea375ff87287a361
- sha256=e52118fc7fc9b14e5a8d9f61dfae8b140488ae6ec6f01f41d9e16782febad5f2
- md5=2805e6efa8877f5707d8e6b29610894f
- md5=69bf17d2fb810df08180f0d5b7ce4537
- md5=d583a05680e83b5b4c7ac2d21920384b
- md5=00b7488d87972e9812e94c69385f6839
- md5=ce37c75d35c82f933e14b00f32c25373
- md5=341ba2e57a0f108be75a1515d32a008a
- md5=7978d40bd5ca56021f6c250f564e7e27
email:

Title: Operation HollowQuill: Malware delivered into Russian R&D Networks via Research Decoy PDFs
Link: https://www.seqrite.com/blog/operation-hollowquill-russian-rd-networks-malware-pdf/
Summary: Operation HollowQuill is a targeted campaign against the Baltic State Technical University (BSTU) that uses weaponized decoy documents to get into networks in Russia's academic and defense sectors. The attack starts with a RAR archive concealing a .NET dropper and a legitimate-looking PDF; the dropper runs a Golang-based shellcode loader with several anti-analysis checks. The final payload, a Cobalt Strike beacon, connects to its command-and-control server and rotates domains to evade detection, with the apparent aim of collecting sensitive defense and aerospace-related information. Artifacts such as the Go build ID were recovered and may help trace related samples in future campaigns.
Threats: hollowquill_campaign cobalt_strike apc_injection_technique asyncrat ghanarava spear-phishing_technique
Indicators of compromise:
-------------------------
ip:
domain: phpsymfony[.]com, pariaturzzphy[.]makebelievercorp[.]com
url: https://phpsymfony[.]com/css3/index2[.]shtml
hash:
- md5=ab310ddf9267ed5d613bcc0e52c71a08
- md5=fad1ddfb40a8786c1dd2b50dc9615275
- md5=cac4db5c6ecfffe984d5d1df1bc73fdb
email:

Title: The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques
Link: https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
Summary: Earth Alux, a China-linked advanced persistent threat (APT) group, has been active since the second quarter of 2023 and targets critical sectors in the Asia-Pacific and Latin American regions, including government and technology. Its main cyberespionage tool is the VARGEIT backdoor, loaded via DLL sideloading and able to communicate over several channels, including the Microsoft Graph API, for covert data collection. Initial access comes from exploiting vulnerable exposed services and dropping the GODZILLA web shell, after which a COBEACON (Cobalt Strike) variant is deployed as the first-stage backdoor ahead of VARGEIT. The group has adjusted its tradecraft for stealth, for example running its persistence installer RAILSETTER through benign processes, and tests its tooling against defenses with open-source utilities from the Chinese security community. Tools and payloads are predominantly 64-bit Windows binaries.
Threats: earth_alux_group vargeit godzilla_webshell cobalt_strike dll_sideloading_technique timestomp_technique railload railsetter masqloader rsbinject lolbas_technique zeroeye_tool virtest_tool
Indicators of compromise:
-------------------------
ip: 8[.]218[.]222[.]216
domain: www[.]upload-microsoft[.]com, store[.]azure-clouds[.]com, google[.]otp[.]us[.]kg
url:
hash:
- sha256=00a41c8272d405ba85ae9d0e435e3030033e8a032f3d762367d0a57d41524f3a
- sha256=0d3ec88b0bfa5530e45dec75dfbea7ae683bdea91105b5f90a787beaabd1ef27
- sha256=0f6fe5d0ee754d581d4a8d989e83272b121d0125bd3c77e57a6b14db23f425ab
- sha256=13e0aef0ab6d218e68c5c5b6008872eb73104f161c902511aec3df5bce89136e
- sha256=16509adf92b1ac3097452affd8dda640936c8a40272592b978db3698487df5fa
- sha256=19bcca292814942f2fe8d142a679cc6a97fa6cbf77a0c98873146e918013bb5c
- sha256=1c8c14251710fbdef994d9ccf1d3507cf0ef5cd6c7d3495af2adfe7f97cc0dc2
- sha256=1c93ba375016bcb41b915b78eb4ab023ecf456e240823a1d6d2b5297b3523956
- sha256=245fdb5e35b6f51b26d4cf3999a40dde13987240f9bf565fe03a1f6adb9da9b2
- sha256=281fc3aff361f202a41f4aff84a5f61e5728fd8ea0c1219a8bca540a959a4ee2
- sha256=28517bff286ade02b81da52f9fcddcb9764023ae7035bc593d081fdd2a8c85d9
- sha256=2971a53769745c107a89eeb5f48e3b3e9680d371bf06b028c7769c961e6f9e55
- sha256=3129bfad321be526f231c64aac10d7d8f416dc14cab11c1bbc57252c75823959
- sha256=3b7c29489c1feaafc587eac0ffcca79964259c9687d86a5cce5ea70261f7439b
- sha256=3f0157cfb493df1cd051cc87364c7bdbe3719927335b76b7c567b369ab47b3be
- sha256=41410a8aa4a4fcd811ef67ba023e263f4cd6667039b01547d23a3eb758d97b96
- sha256=43e5c3d6182ab6d9d71b5892c5087b4ef4b3093126bcdf4ebcef0b15e04e0c03
- sha256=442446fbc012847a12448398b619837614498bb611968e64166f0e9040c311db
- sha256=455510fe663775e09a2d0bbfdc4c8ec2e26665e10f9599b05dc59ea460f06ac8
- sha256=47ea0392ec123e3949b9ae2638b9078cd5efd4da942e38f149ccfb74d8e70123
- sha256=4be6f5e76ea02ae348b26fc32a0dabe009d05b701e53270cf40ca50fa76197b0
- sha256=529e691a9d60b8ae0c64de82402e76c112df3bc27be5f2e94ee58252a67804a1
- sha256=52c8eacbcc8906036894a3a11cb4181d454c3a4f685500a799263cdcf6c6d88e
- sha256=5502735d81accb96c58300d1e21765b8b53a4749aad68e513b2558ed79f83cc4
- sha256=5518b542afd9d456ee8dea4dec3e0e8a98a42982b33f8f629d3d8edeca0dbf4d
- sha256=55b4e3814a349c9de4c99237f62d42787a6fef64b809db9cf52cfe0602cac01e
- sha256=5872da9dfd5ed3c0b9e0a05466a56c6ac6966012b5b3e14ac43a1225ba5e6bb2
- sha256=5aaca0994795ba7da0f10cd393ac32cc1e78c9afd4e9d09bbbe430f168c0eebe
- sha256=5c829480c4563f736c8f6a4a2987fc4cd3fc330804db82cd98217d0110531b6e
- sha256=5d358bcd0acb999fdec332f0a2d1fe51952542f0836b9618ab18f253597d244c
- sha256=5dcd5cb720a40692b7e49540a42f1d12e831aaab369d9fe31a66b0433b825264
- sha256=62d71b61af750ad3b763d98504a174a1949a359a4cb4f6ce2795b7b3240919eb
- sha256=67dddc4ce777df1baa19acb1c3535eb01a54f24516a85312bafe4cba11d74483
- sha256=681e9aab60b1c64dacbc7c8574d294333b9cd4494ec683b0c780866c3e1e7d40
- sha256=762525805afe6a0891275ebc2ae1f067e9aad8f310afc0b1ad800cc980ed8b55
- sha256=7654e7f7076f07e76ae478c1df65f1711918ad4f36c45f520cc46cdcb1128cc2
- sha256=7ad44f7e1f78ee83f20da498584ec7138c2514580ddfe62698be7587ae2678e1
- sha256=83968575244ab2e44a5b94423bb1cacd10bb293ddcbbddbc2fc117f9335b6e78
- sha256=846be29c140850fd9524339acd67eac4b84bc59ed056544356d199226452ea88
- sha256=85f9bac9eefb5fbc1e51508ce12cda10a69d8bde82952891081b19d6833297ab
- sha256=86e2d56761fb4dc16c7b0cd8da241c9899af851f5df751ffc67a2d68062e71f4
- sha256=86f5f088cf997766e52860b57506ba0923454a63bee39e4e3de2fb98c4fee240
- sha256=8b0023248bc037631b26694f34d7bc8163e2d5f5919fe61f3dbc1354f87d6792
- sha256=8c89362d4bed8bd2f0fbffc450bca4e7666fc7a3e88ec56a5dd149593fd697ec
- sha256=91034c01e800b116095eecdb073a5262852fc2c788f9fcd09259d6c09ce88ac6
- sha256=9366ece5ff9082145184adb2e91053d5e0d68d4d9f9a9f054aad68b8e7368443
- sha256=9b5e6c2f287ea7931bb27f63111ef0035265bc27751f01bd6c7f3dd3395bbaf5
- sha256=9d9f40c6c2dc14118452f7f1b56346e60a8681fb83300e4292576e635b37f9c8
- sha256=9f94bb59bfc32958a15cd8e225f270802bd9e14929e5d0f4f488842710a361ea
- sha256=a042157e7460f6c28c984a1c1f3803521a556c67e26411854e497685ef436325
- sha256=a14e226a50c12e637e8b280ad688e5637db752c72d0f8b2bac5f2d3d487e1c21
- sha256=a79679d8f9551810504ff316465fb289d1ac64dc52bcaabd70267217d33d603c
- sha256=a845cb84ea11f0fa7a982407705e892f58d7cb407eadc5329416464cccdd6a23
- sha256=a9804fa05845707f094fe91668a5c3792f2441d371816b46fbe636953fc5787d
- sha256=ab6145f1ea6c8a682bea289cef06c0f27fa076b8f88a89a2631167541fc835e9
- sha256=ac70d98af57d9e3da9ee485a4ab1badbb28e89d15c4ef2df521423881a147e43
- sha256=afd83d598843f93f7cad02bbe8467da2f257b5344600090034bb795844f05bdc
- sha256=b0a42d1c5a07bbe317a034e204c0eb64ae5d99e3dfbfbd9b3b098caea4b19f96
- sha256=b32dd5d549bcf4b674b4e7cf5481064b38ea614c666b158afedc7084b715c1fa
- sha256=b8accaa144c035c670fb3c2bf580d2fb64ab562c89835f7e30b044a8711cb5e5
- sha256=b8e1a46146c09ef54b802a6989b485ef5982a86228a24ec0839ec5af7b42e648
- sha256=b92452a6c2cd13193a6df88278c31c85008acf448655c18389c84b353026d15e
- sha256=b9fefe3946d0c9e000262a10b184090da45925f24b7dfc9d25abe63bc55ca7ed
- sha256=ba0105c8fa99b8f3a82c32d20e94031f22e277286b738db529e763955df248dc
- sha256=bd0dbf799e98137238ae38f134c7af82d7ff673c0a418044add0220211d98a27
- sha256=be01089ad2c2e7af32677ec0a7a9a541dee1cb149639d60fb7b7e9b641d2ccdb
- sha256=c0d1deb30fd3507455dae99aabf1cc23638b2bcf1908099e08081ee2691a24b0
- sha256=c56c88ce8e45a9caa043f1f4831442f09bae6f1a083910f772afc1e27be3b606
- sha256=c6a28c9cac9c4b5ef57998bdc7a7f430fff7c9ac819fef278f8350751b6edaab
- sha256=cd385806117ebe1504af4669671b4c0a252faec873e1402aaebeb413fdd58556
- sha256=d31eb16688d1b36652e87d43ad5755d139eedd74b500ddcee97a5545d8d1fe7b
- sha256=d34947e11879598b85d9baa703cb96a83d7c3ccb53868ab86ff9a2f37dc91459
- sha256=d692c85da91bb5e5724f520ca392b68eee144a3719a7441c779c8ce73d3b25dc
- sha256=d83a837910305567acfd49d2d416fc4b113f080e31730c9b0abefa4b01192a40
- sha256=ded42e37f05950374496824ce3f4d540a45e97be35ed6d7ddcfcf12a7b2cd46f
- sha256=dfbb857e6383789545c719c99d878a678a0aeae2a6a1c8f44e87b7aa478fc354
- sha256=e03062caa13400df3d60efb1aa2b0f19dcf65fefc38d4bc9931c0918b5dc4865
- sha256=e299b865cdb0fdd9605e3c5e9d00fb473c77af4ed213775d594cc0fe91b8dd3a
- sha256=e3465c996e149b218d95a4b109e6e3ff268e8d63aafa73d4855750b33c66a33c
- sha256=e6141757775ce9747b12f21cc7f8411e5ab4916649f38738f4e93b2ca7cc274a
- sha256=ee8385313e03890c6862f70c94f2c5a3e9cd09764fcac4488fabc5ce9613228a
- sha256=f0cd90b42969706d1a78e75608aded6d5ac8610f36cab8f8be7160c5cbf485a5
- sha256=f92493bf2b46873feee38ea2dac69ff830637983d569b64ee87e75f7fe08de88
- sha256=fd1720b11ddd7ae226889deca9a6532df676a4991f0209c0a3d6d7be52276dcf
- sha256=fd3637392404c3ed169a4999f6a05274715109f9fa028be9ad9ce7853d983d54
email:

Title: Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
Link: https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect/
Summary: In January 2025, a Qilin ransomware affiliate, tracked by Sophos as STAC4365, targeted a Managed Service Provider (MSP) with a phishing email that impersonated a ScreenConnect authentication alert and linked to a lookalike domain of the legitimate cloud.screenconnect.com portal. The landing page was an Evilginx adversary-in-the-middle proxy, so it captured the administrator's credentials and time-based one-time password together, and the attackers were able to authenticate as the MSP's super administrator despite MFA. Once inside, they installed a new ScreenConnect instance, enumerated the network, exfiltrated data, and used a tool exploiting CVE-2023-27532 to compromise customer backups. The ransomware eventually deployed disabled system services and tampered with logs, illustrating a build tailored to this intrusion.
Threats: qilin_ransomware screenconnect_tool qilin_group supply_chain_technique evilginx_tool aitm_technique credential_harvesting_technique flowerstorm_tool connectwise_tool msp_remote_tool winrm_tool shadow_copies_delete_technique
Indicators of compromise:
-------------------------
ip: 186[.]2[.]163[.]10
domain: cloud[.]screenconnect[.]com[.]ms, account[.]microsoftonline[.]com[.]ec, cloud[.]screenconnect[.]is, cloud[.]screenconnect[.]com[.]so, cloud[.]screenconnect[.]com[.]bo, cloud[.]screenconnect[.]com[.]cm, cloud[.]screenconnect[.]com[.]am, cloud[.]screenconnect[.]com[.]ly, cloud[.]screenconect[.]com[.]mx, cloud[.]screenconnect[.]uk[.]com, cloud[.]screenconnect[.]de[.]com, cloud[.]screenconnect[.]com[.]se, cloud[.]screenconnect[.]jpn[.]com, cloud[.]screenconnect[.]com[.]ng, cloud[.]screenconnect[.]com[.]ph, cloud[.]screenconnect[.]com[.]vc, cloud[.]screenconnect[.]cl, cloud[.]screenconnect[.]gr[.]com, cloud[.]screenconect[.]eu, cloud[.]screenconnect[.]co[.]com, cloud[.]screenconnect[.]us[.]com, cloud[.]iscreenconnect[.]com, cloud[.]screenconnect[.]app
url: https://b8dymnk3[.]r[.]us-east-1[.]awstrack[.]me/L0/https:%2F%2Fcloud[.]screenconnect[.]com[.]ms%2FsuKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410, https://cloud[.]screenconnect[.]com[.]ms/suKcHZYV/1/010001948f5ca748-c4d2fc4f-aa9e-40d4-afe9-bbe0036bc608-000000/mWU0NBS5qVoIVdXUd4HdKWrsBSI=410
hash:
email:

Title: You will always remember this as the day you finally caught FamousSparrow
Link: https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/
Summary: The FamousSparrow APT group has developed two previously undocumented versions of its SparrowDoor backdoor, executed through DLL side-loading by a legitimate executable. Initial access to target networks, including a U.S. financial-sector organization and a Mexican research institution, was gained via webshells on outdated IIS servers, although the specific exploits used remain unclear. The new SparrowDoor versions show better code quality and support parallel command execution, which improves communication with multiple command and control servers, and they share similarities with previously identified backdoors such as CrowDoor. The group has also used an MFC-based loader similar to the one seen with ShadowPad and recently targeted government entities in Central America, showing it remains active despite earlier assessments of inactivity.
Threats: ghostemperor_group sparrowdoor dll_sideloading_technique crowdoor shadowpad lsass_dumper_tool dumplsass_tool spark_rat hemigate powerhub_tool badpotato_tool process_injection_technique credential_dumping_technique proxylogon_exploit process_hollowing_technique cshell impacket_tool
Indicators of compromise:
-------------------------
ip: 27[.]102[.]113[.]240, 43[.]254[.]216[.]195, 216[.]238[.]106[.]150, 103[.]85[.]25[.]166, 45[.]131[.]179[.]24
domain: amelicen[.]com, amelicen[.]how
url:
hash:
- sha1=c26f04790c6fb7950d89ab1b08207ace01efb536
- sha1=d78f353a70adf68371bc10cf869b761bd51484b0
- sha1=baed2895c80eb6e827a6d47c3dd7b8efb61ed70b
- sha1=f35ce62abeedfb8c6a38ceac50a250f48c41e65e
- sha1=a91b42e5062fef608f285002debaff9358162b25
- sha1=0dc20b2f11118d5c0cc46b082d7f5dc060276157
- sha1=ef189737fb7d61b110b9293e8838526dce920127
- sha1=cc350ba25947b7f9ec5d11ea8269407c0fd74095
- sha1=db1591c6e23160a94f6312ca46da2d0bb243322c
- sha1=d6d32a1f17d48fe695c0778018c0d51626db4a3b
- sha1=5df3c882db6be14887182b7439b72a86bd28b83f
- sha1=aa823148eea6f43d8eb9bf20412402a7739d91c2
email:

Title: Shifting the sands of RansomHub's EDRKillShifter
Link: https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
Summary: RansomHub, a ransomware-as-a-service (RaaS) operation that emerged in 2024, rose to prominence after the disruption of LockBit and the collapse of BlackCat. ESET's research follows the standard RaaS split: the operators supply the encryptor and tooling, including a custom EDR killer named EDRKillShifter, and affiliates deploy them in victim networks; the same affiliates have also been seen in Play, Medusa and BianLian intrusions, which links those gangs through shared operators. The researchers also note malware recycling, with RansomHub's encryptor built on code bought from the Knight gang, and the continued use of Bring Your Own Vulnerable Driver (BYOVD), the technique EDRKillShifter relies on to disable security products before the ransomware runs.
Threats: ransomhub edrkillshifter_tool medusalocker bianlian_group lockbit blackcat kryptik tdsskiller_tool rclone_tool anydesk_tool softperfect_netscan_tool coroxy systembc bianlian_backdoor filecoder grixba meshagent_tool putty_tool bianlian_ransomware qtox_tool chaos_ransomware blackbasta andariel_group lolbin_technique conti ammyyadmin_tool screenconnect_tool cosmicbeetle_group scransom byovd_technique pchunter_tool gmer_tool stealbit dispossessor_group embargo_ransomware ms4killer_tool
Indicators of compromise:
-------------------------
ip: 45[.]32[.]206[.]169, 45[.]32[.]210[.]151, 79[.]124[.]58[.]130, 92[.]243[.]64[.]200, 130[.]185[.]75[.]198, 149[.]154[.]158[.]222
domain:
url: http://45[.]32[.]206[.]169, http://149[.]154[.]158[.]222:33031/win64_1[.]exe, http://45[.]32[.]206[.]169/WKTools[.]exe, http://130[.]185[.]75[.]198:8000/plink[.]exe, http://79[.]124[.]58[.]130/dl/git[.]exe
hash:
- sha1=dcf711141d6033df4c9149930b0e1078c3b6d156
- sha1=77daf77d9d2a08cc22981c004689b870f74544b5
- sha1=97e13515263002809505dc913b04b49aeb78b067
- sha1=bf84712c5314df2aa851b8d4356ea51a9ad50257
- sha1=87d0f168f049befe455d5b702852ffb7852e7df6
- sha1=3b035da6c69f9b05868ffe55d7a267d098c6f290
- sha1=5ecaff68d36ec10337428267d05cd3cb632c0444
- sha1=e38082ae727aeaef4f241a1920150fdf6f149106
- sha1=046583deb4b418a6f1d8ded8bed9886b7088f338
- sha1=460d7cb14fced78c701e7668c168cf07bce94ba1
- sha1=5af059c44d6ac8ef92aa458c5ed77f68510f92cd
- sha1=67d17ca90880b448d5c3b40f69cec04d3649f170
- sha1=180d770c4a55c62c09aad1fc3412132d87af5cf6
- sha1=dd6fa8a7c1b3e009f5f17176252de5acabd0fb86
- sha1=fda5aac0c0db36d173b88ec9ded8d5ef1727b3e2
email:

Title: Phishing attacks disguised as hiring mail (Beavertail, Tropidoor)
Link: https://asec.ahnlab.com/ko/87227/
Summary: On November 29, 2024, AhnLab identified malicious code hidden in a job posting on the developer community Dev.to. The posting pointed to a Bitbucket project whose "Tailwind.config.js" file carried a downloader named "car.dll" and the Beavertail malware, both attributed to North Korean threat actors. VirusTotal records for the project files confirmed that these components had been executed, and the malware reuses tactics previously linked to the Lazarus group, including communication with multiple command and control (C&C) servers for follow-on activity.
Threats: beavertail tropidoor lightlesscan lazarus_group invisibleferet process_injection_technique spear-phishing_technique
Indicators of compromise:
-------------------------
ip: 135[.]181[.]242[.]24, 191[.]96[.]31[.]38
domain:
url: http://103[.]35[.]190[.]170/Proxy[.]php, http://86[.]104[.]72[.]247/Proxy[.]php, https://45[.]8[.]146[.]93/proxy/Proxy[.]php, https://86[.]104[.]72[.]247/proxy/Proxy[.]php
hash:
- md5=3aed5502118eb9b8c9f8a779d4b09e11
- md5=84d25292717671610c936bca7f0626f5
- md5=94ef379e332f3a120ab16154a7ee7a00
- md5=b29ddcc9affdd56a520f23a61b670134
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
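A small parser for the indicator blocks above, added here as an example (it is not RST Cloud tooling): it refangs the `[.]` notation, splits host:port pairs, checks that each hash is the right length for its algorithm, and flags brand-lookalike hostnames of the kind the Qilin entry lists (cloud[.]screenconnect[.]com[.]ms, cloud[.]screenconect[.]eu). The sample block, the brand list and the lookalike heuristic are the example's own assumptions; the indicator values in the sample are copied from the entries above, except for one deliberately malformed hash.

```python
"""Parse the defanged IoC block of a digest entry, refang and validate it, and
flag brand-lookalike domains.  Added example, not RST Cloud code; it reads the
"ip:/domain:/url:/hash:/email:" layout used by the entries above, with hash
items written as "alg=hex" and each file's hashes on a "- " line."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample in the digest's layout.  Indicator values are copied from
# the Qilin and BlackSuit entries; "sha1=deadbeef" is a deliberately malformed
# item to exercise validation.
SAMPLE = """Indicators of compromise:
-------------------------
ip: 186[.]2[.]163[.]10, 45[.]141[.]87[.]218:9000
domain: cloud[.]screenconnect[.]com[.]ms, cloud[.]screenconect[.]eu, megupdate[.]com:443
url: https://cloud[.]screenconnect[.]com[.]ms/suKcHZYV/1
hash:
- sha256=b837bec967df6748b72c3b43c254532620977d0bbe0fc23e0c178c74516baab9, md5=80110fbb81d0407340b908bb43c815d3
- sha1=8d4f2aa315ce17505b8698db22ec2526805645a4
- sha1=deadbeef
email:"""

SECTIONS = ("ip", "domain", "url", "hash", "email")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
# Brands to protect; assumed list for the example.
BRANDS = ("screenconnect.com", "microsoftonline.com", "zoom.us")


def refang(value: str) -> str:
    """Undo the usual defanging: '[.]' -> '.', '[:]' -> ':', 'hxxp' -> 'http'."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


def split_port(value: str):
    """'host:443' -> ('host', 443); a value without a numeric port keeps None."""
    host, sep, port = value.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (value, None)


@dataclass
class Iocs:
    ips: list = field(default_factory=list)      # (address, port or None)
    domains: list = field(default_factory=list)  # (hostname, port or None)
    urls: list = field(default_factory=list)
    hashes: dict = field(default_factory=dict)   # algorithm -> [lowercase hex]
    emails: list = field(default_factory=list)
    errors: list = field(default_factory=list)   # items that failed validation


def parse_iocs(text: str) -> Iocs:
    out, current = Iocs(), None
    for raw in text.splitlines():
        key, sep, body = raw.partition(":")
        if sep and key.strip().lower() in SECTIONS:
            current = key.strip().lower()
        elif current == "hash" and raw.lstrip().startswith("-"):
            body = raw                        # continuation line of the hash list
        else:
            continue                          # title, summary, separator, ...
        # Items are comma-separated; hash lines additionally start with "- ".
        items = [refang(i.strip(" -")) for i in body.split(",") if i.strip(" -")]
        if current == "ip":
            for item in items:
                host, port = split_port(item)
                try:
                    ipaddress.ip_address(host)
                    out.ips.append((host, port))
                except ValueError:
                    out.errors.append(f"bad ip: {item}")
        elif current == "domain":
            out.domains.extend(split_port(i) for i in items)
        elif current == "url":
            out.urls.extend(items)
        elif current == "email":
            out.emails.extend(items)
        else:
            for item in items:
                alg, _, hx = item.partition("=")
                n = HASH_LEN.get(alg.lower())
                if n and re.fullmatch(r"[0-9a-fA-F]{%d}" % n, hx):
                    out.hashes.setdefault(alg.lower(), []).append(hx.lower())
                else:
                    out.errors.append(f"{item}: expected {n or '?'} hex chars")
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, brands=BRANDS):
    """Return the brand domain a hostname impersonates, or None.  A name is a
    lookalike when a brand's distinctive label (or a one-edit typo of it, for
    labels of six or more characters) appears anywhere in it while the name is
    not actually under the brand's own registrable domain."""
    host = host.lower().rstrip(".")
    if any(host == b or host.endswith("." + b) for b in brands):
        return None
    for brand in brands:
        key = brand.split(".")[0]
        for label in host.split("."):
            if label == key or (len(key) >= 6 and edit_distance(label, key) == 1):
                return brand
    return None


def flag_lookalikes(iocs: Iocs) -> list:
    """(hostname, impersonated brand) for each distinct domain or URL host hit."""
    hosts = [h for h, _ in iocs.domains] + [urlsplit(u).hostname or "" for u in iocs.urls]
    seen, hits = set(), []
    for h in hosts:
        brand = lookalike_of(h)
        if brand and h not in seen:
            seen.add(h)
            hits.append((h, brand))
    return hits


if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE)
    print(parsed)
    print(flag_lookalikes(parsed))
```

The hash check catches the most common copy-paste damage in digests (truncated or glued hashes), and the lookalike check is the quick triage a SOC wants for the Qilin list: any hostname containing a protected brand label that does not end in the brand's real domain gets flagged, which covers both the `com.ms`-style ccTLD tricks and the `screenconect` typo.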
Analysis Summary
# Threat Actor: Unspecified Actor (BlackSuit Ransomware Deployment)
## Attribution & Identity
No specific threat actor attribution is provided in the summary for the attack deploying BlackSuit Ransomware; the description labels the entity as "a threat actor."
## Activity Summary
In May 2024, this actor executed a sophisticated cyber attack by distributing a fake Zoom installer via a cloned website. The installer was the initial access vector and the first-stage downloader for a chain of payloads:
1. `d3f@ckloader`
2. `SectopRAT` malware (used for lateral movement and reconnaissance)
3. `Cobalt Strike` beacon
4. Ultimately deploying `BlackSuit` ransomware.
The operation was well-coordinated, spanned 194 hours, and utilized advanced evasion techniques.
## Tactics, Techniques & Procedures
- Initial access via software impersonation (fake Zoom installer).
- Use of executable installers disguised as legitimate files.
- Lateral movement and reconnaissance using **SectopRAT**.
- Deployment of **Cobalt Strike** beacon.
- Evasion via genuine-looking files and multiple command and control channels (the summary's "advanced evasion techniques").
- Post-exploitation activity leading to ransomware deployment.
- Deletion of Volume Shadow Copies (from the report's threat tags `shadow_copies_delete_technique` and `vssadmin_tool`; these are technique tags, not IOCs).
- Credential theft (`credential_dumping_technique`, `passthehash_technique`, `rubeus_tool`).
- Use of **DLL Sideloading** (`dll_sideloading_technique`).
- Dead drop communications (`dead_drop_technique`).
## Targeting
- Sectors: Not stated. The lure is a fake Zoom installer, so any organization whose users download conferencing software is a plausible target; the summary names no industry.
- Geography: Not specified.
- Victims: Not specified.
## Tools & Infrastructure
- **Malware families used**: BlackSuit Ransomware, SectopRAT, d3f@ckloader, Cobalt Strike.
- **Associated Tools** (from the report's threat tags): `brc4_tool`, `nltest_tool`, `rubeus_tool`, `connectwise_tool`, `meterpreter_tool`, `vssadmin_tool`. (`passthehash_technique` is a technique tag and is covered under TTPs above.)
- **Infrastructure (Defanged)**:
- IPs: 45[.]141[.]87[.]218, 5[.]181[.]159[.]31, 88[.]119[.]167[.]239, 143[.]244[.]146[.]183
- Domains: zoommanager[.]com, administrative-manufacturer-gw[.]aws-usw2[.]cloud-ara[.]tyk[.]io, provincial-gaiters-gw[.]aws-use1[.]cloud-ara[.]tyk[.]io, megupdate[.]com:443
## Implications
This represents a financially motivated, highly structured operation culminating in ransomware deployment, indicating a significant cyber risk to organizations targeted. The use of a popular service impersonation (Zoom) highlights effective social engineering tactics.
## Mitigations
- Verify software sources rigorously; do not download essential tools from unverified or cloned websites.
- Implement advanced endpoint detection and response (EDR) to detect in-memory execution and lateral movement tools like Cobalt Strike and SectopRAT.
- Audit and restrict the modification or deletion of Volume Shadow Copies.
- Monitor for the loader- and RAT-stage TTPs the report tags: credential dumping, pass-the-hash, Rubeus Kerberos abuse, DLL sideloading and nltest domain reconnaissance.
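The shadow-copy and TTP-monitoring items above, turned into detection logic as an added example (this is not code from the RST Cloud report or the DFIR Report write-up). It runs a small rule set over process-creation events: shadow-copy deletion via vssadmin/wmic, nltest domain reconnaissance, Rubeus-style Kerberos verbs, and a heuristic for the DLL sideloading tag (rundll32 loading a DLL from a user-writable path). The JSON-lines event layout, the field names (`Image`, `CommandLine`, `ParentImage`), the sample events and the heuristic thresholds are all assumptions for the example; adapt `scan()` to your own telemetry.

```python
import json
import re

# Constructed JSON-lines process-creation events (assumption: the pipeline
# exports Image, CommandLine and ParentImage, as Sysmon Event ID 1 does).
# None of these are artifacts from the report.
SAMPLE_EVENTS = [
    r'{"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Windows\\System32\\nltest.exe", "CommandLine": "nltest /dclist:corp.local", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe", "CommandLine": "upd.exe asktgt /user:svc-sql /rc4:REDACTED /ptt", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\ProgramData\\cache\\helper.dll,Run", "ParentImage": "C:\\Users\\jdoe\\Downloads\\setup.exe"}',
    r'{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}',
]

# Command-line rules for the tagged techniques. Case-insensitive because
# attackers mix case freely and Windows does not care.
COMMAND_LINE_RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "nltest_domain_recon": re.compile(
        r"nltest(\.exe)?\s.*/(dclist|domain_trusts|trusted_domains|dsgetdc)", re.I),
    # Rubeus is usually renamed, so match its verbs and flags, not the binary name.
    "rubeus_kerberos_abuse": re.compile(
        r"\brubeus\b|\b(asktgt|asktgs|kerberoast|asreproast|s4u|tgtdeleg)\b|/ptt\b", re.I),
}

# Assumption: in this environment legitimate software does not load DLLs via
# rundll32 from these locations, so doing so is worth an alert.
USER_WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def rundll32_from_user_path(event):
    """Heuristic for the DLL sideloading tag: rundll32 loading a DLL that
    lives in a user-writable directory."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (image.endswith("rundll32.exe") and ".dll" in cmd
            and any(d in cmd for d in USER_WRITABLE_DIRS))


def match_event(event):
    """Names of every rule that fires on one parsed event."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in COMMAND_LINE_RULES.items() if rx.search(cmd)]
    if rundll32_from_user_path(event):
        hits.append("rundll32_user_path_dll")
    return hits


def scan(lines):
    """Return (line_index, rule_name) pairs for every rule that fires."""
    findings = []
    for i, line in enumerate(lines):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of crashing the pipeline
        for rule in match_event(event):
            findings.append((i, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {rule} -> {json.loads(SAMPLE_EVENTS[idx])['CommandLine']}")
```

`vssadmin list shadows` deliberately does not fire: backup operators run it, and alerting on it buries the delete. The Rubeus rule will also fire on a renamed binary, which is the point; tune the verb list if your red team or an admin tool legitimately uses `/ptt`.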
***
# Threat Actor: Storm-0249
## Attribution & Identity
Attributed by Microsoft to the threat actor **Storm-0249**, known to be active around tax season and to build its lures on tax-related financial anxiety.
## Activity Summary
Storm-0249 conducted tax-themed phishing campaigns against recipients for whom tax deadlines are salient, most plausibly individuals and organizations involved in finance or tax filing. The primary goal appears to be malware distribution.
## Tactics, Techniques & Procedures
- **Social Engineering**: Leveraging tax season themes to create urgency.
- **Malware Distribution**: Phishing used to deliver various malicious tools.
- Tools leveraged include: BruteRatel C4 (**BRc4**), Latrodectus malware, AHKBot, GuLoader, and Remcos.
## Targeting
- Sectors: Financial / Tax-related entities or individuals.
- Geography: Not specified.
- Victims: Not explicitly named, implied to be targets of tax-themed phishing.
## Tools & Infrastructure
- **Malware families used**: BruteRatel C4 (BRc4), Latrodectus, AHKBot, GuLoader, Remcos.
- **Infrastructure (Defanged)**: none listed for this actor in the excerpt above; the report provides only file hashes, which indicate several stages of payload delivery.
## Implications
Storm-0249 pairs timely, financially relevant lures with multi-stage malware kits, which points to solid operational capability. The summary does not state the end goal; the loaders and remote-access tools involved are consistent with follow-on data theft, fraud or ransomware, but that is inference rather than something the report states.
## Mitigations
- Enhance email filtering and security awareness training focusing specifically on tax-themed phishing lures during tax season.
- Enforce application control (allowlisting) so scripts and binaries dropped by phishing attachments or loaders such as GuLoader cannot execute.
- Monitor for the presence of the listed post-exploitation tools (BRc4, Remcos).
***
# Threat Actor: North Korean Threat Actors (Lazarus Association suspected)
## Attribution & Identity
Attributed to **North Korean threat actors**. Tactics show replication of methods previously linked to the **Lazarus group**.
## Activity Summary
On November 29, 2024, this group's activity was identified in malicious code embedded in job postings on the developer community platform **dev.to**. The postings carried a Bitbucket link to a project file containing a malicious script named "Tailwind.config.js," which deployed a downloader (`car.dll`) and the **Beavertail** malware. The structure of the attack points to sophisticated operational methods, including communication with multiple C&C servers.
## Tactics, Techniques & Procedures
- **Initial Access**: Spear-phishing disguised as hiring/job-related material.
- **Initial Access Vector**: Malicious code hidden behind a legitimate-looking venue (job postings on dev.to) and delivered through a linked Bitbucket project file.
- **File Dropper/Loader**: Use of a downloader named `car.dll`.
- **Malware Deployment**: Beavertail malware.
- **Evasion/Persistence**: Process injection technique utilized.
- **Command and Control**: Communication established with multiple C&C servers.
- **Related Threats**: Tropidoor, Lightlesscan.
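The initial access vector above (a project file whose build config carries the malicious code) is the kind of thing that can be triaged before anyone runs `npm install` or a build. The following is an added example, not code from ASEC or from this page: a static pre-execution scan of a cloned project that flags auto-executed files (`*.config.js`, `package.json` lifecycle scripts) doing things a CSS or build config has no reason to do. The heuristics, the sample project and the threshold of 200 characters for an encoded blob are assumptions for the example, not signatures from the report, and the sample `tailwind.config.js` is constructed, not the real sample.

```python
import json
import os
import re

# Heuristics for behaviour a build/config file should not exhibit. These are
# assumptions for the example, not signatures from the ASEC report.
SUSPICIOUS_PATTERNS = {
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "process_spawn": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)|\bexecSync\s*\(|\bspawnSync\s*\("),
    "network_client": re.compile(r"require\(\s*['\"](https?|net|axios|node-fetch)['\"]\s*\)|\bfetch\s*\("),
    "native_binary_ref": re.compile(r"\.(dll|exe|dylib|so)\b", re.I),
    "encoded_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]|(\\x[0-9a-fA-F]{2}){8,}"),
    "charcode_build": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}"),
}
# Files that run without the developer explicitly invoking them.
AUTO_EXECUTED = re.compile(r"(^|/)([\w.-]+\.config\.(js|cjs|mjs|ts)|package\.json)$")
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")
CODE_EXT = (".js", ".cjs", ".mjs", ".ts", ".json")

# Constructed sample project: a plausible tailwind config with a bolted-on
# loader stub (not the real malicious file) and a postinstall hook.
SAMPLE_PROJECT = {
    "package.json": '{"name": "demo", "scripts": {"build": "tailwindcss -i in.css -o out.css", '
                    '"postinstall": "node tailwind.config.js"}}',
    "tailwind.config.js": (
        "module.exports = { content: ['./src/**/*.html'], theme: { extend: {} } };\n"
        "const cp = require('child_process');\n"
        "const b = '" + "A" * 224 + "';\n"
        "eval(Buffer.from(b, 'base64').toString());\n"
    ),
    "src/index.js": "document.body.classList.add('loaded');\n",
}


def triage_file(path, content):
    """Findings for one file: pattern hits plus any npm lifecycle hooks."""
    findings = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]
    if path.endswith("package.json"):
        try:
            scripts = json.loads(content).get("scripts", {})
        except json.JSONDecodeError:
            return findings + ["unparseable_package_json"]
        for hook in LIFECYCLE_SCRIPTS:
            if hook in scripts:
                findings.append(f"lifecycle_hook:{hook}={scripts[hook]}")
    return findings


def triage_project(files):
    """files maps repo-relative path -> text. Returns only files with findings,
    marking those that execute automatically during install or build."""
    report = {}
    for path, content in files.items():
        if not path.endswith(CODE_EXT):
            continue
        hits = triage_file(path, content)
        if hits:
            tag = ["auto_executed"] if AUTO_EXECUTED.search(path) else []
            report[path] = tag + hits
    return report


def load_tree(root):
    """Read a real checkout into the dict shape triage_project() expects,
    skipping node_modules and .git."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
            except OSError:
                continue
    return files


if __name__ == "__main__":
    for path, hits in triage_project(SAMPLE_PROJECT).items():
        print(path, "->", ", ".join(hits))
```

Run it as `triage_project(load_tree("/path/to/clone"))` before any install step; a config file that spawns processes or evaluates a 200-character base64 literal should stop the review there, regardless of what the job posting promised. The scan is a tripwire, not a sandbox: obfuscation that defeats these regexes still needs the isolated-environment rule from the mitigations.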
## Targeting
- Sectors: Developers reached through a developer community platform (dev.to); no industry is stated, though software and IT staff are the natural population.
- Geography: Not specified.
- Victims: Developers who follow the job posting's Bitbucket link and open or run the project; the lure is a job offer, so the target is the job seeker rather than the hiring organization.
## Tools & Infrastructure
- **Malware families used**: Beavertail, Tropidoor, Lightlesscan.
- **Associated Tools**: car.dll (downloader).
- **Infrastructure (Defanged)**:
- IPs: 135[.]181[.]242[.]24, 191[.]96[.]31[.]38
- URLs: http://103[.]35[.]190[.]170/Proxy[.]php, http://86[.]104[.]72[.]247/Proxy[.]php, https://45[.]8[.]146[.]93/proxy/Proxy[.]php, https://86[.]104[.]72[.]247/proxy/Proxy[.]php
## Implications
This actor demonstrates persistence in using unconventional social engineering (job postings) to bypass security controls and insert specialized malware (Beavertail/Tropidoor) associated with sophisticated state-sponsored activity, indicative of long-term access goals.
## Mitigations
- Treat code from external repositories (Bitbucket links in job postings, developer forums) as untrusted: review project files before running any install or build step, and run it only in an isolated environment.
- Monitor for process injection and unusual network beaconing associated with Beavertail and Tropidoor C&C communication paths.
- Review outbound connections to the specified IP/URL patterns, indicative of proxy/C&C activity.
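The last bullet above, and the equivalent monitoring bullets in the BlackSuit section, both come down to the same operational step: refang the report's indicators and match them against DNS, proxy and firewall logs. The following is an added example (not code from RST Cloud, ASEC or the DFIR Report) that does exactly that for the network indicators listed in both summaries, and also flags the `Proxy.php` path pattern visible in the Beavertail C&C URLs when it appears on a bare-IP host. The log line formats, the sample lines and the `proxy_php_on_bare_ip` heuristic are assumptions for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Defanged indicators as listed in the two summaries above (BlackSuit and the
# Beavertail/Tropidoor hiring-mail campaign). Nothing here is added.
DEFANGED_IOCS = [
    "45[.]141[.]87[.]218", "5[.]181[.]159[.]31", "88[.]119[.]167[.]239", "143[.]244[.]146[.]183",
    "zoommanager[.]com", "administrative-manufacturer-gw[.]aws-usw2[.]cloud-ara[.]tyk[.]io",
    "provincial-gaiters-gw[.]aws-use1[.]cloud-ara[.]tyk[.]io", "megupdate[.]com:443",
    "135[.]181[.]242[.]24", "191[.]96[.]31[.]38",
    "http://103[.]35[.]190[.]170/Proxy[.]php", "http://86[.]104[.]72[.]247/Proxy[.]php",
    "https://45[.]8[.]146[.]93/proxy/Proxy[.]php", "https://86[.]104[.]72[.]247/proxy/Proxy[.]php",
]

# Constructed log lines (10.0.0.0/8 clients, 203.0.113.0/24 is a documentation
# range); only the indicator values come from the report.
SAMPLE_LOG = [
    "dns client=10.0.0.5 query=zoommanager.com type=A",
    "proxy src=10.0.0.7 dst=86.104.72.247 url=http://86.104.72.247/Proxy.php status=200",
    "proxy src=10.0.0.9 dst=203.0.113.10 url=https://203.0.113.10/proxy/Proxy.php status=200",
    "dns client=10.0.0.5 query=www.example.com type=A",
    "fw src=10.0.0.12 dst=143.244.146.183 dport=443 action=allow",
]


def refang(ioc):
    """Undo the usual defanging conventions: [.] (.) {.} hxxp [:]//."""
    s = ioc.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.replace("[:]//", "://").replace("[://]", "://")


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_sets(defanged):
    """Split refanged indicators into IP, domain and (host, path) URL sets."""
    ips, domains, urls = set(), set(), set()
    for raw in defanged:
        val = refang(raw)
        if "://" in val:
            u = urlsplit(val)
            host = (u.hostname or "").lower()
            urls.add((host, u.path.lower()))
        else:
            host = re.sub(r":\d+$", "", val).lower()  # drop a trailing :port
        (ips if is_ip(host) else domains).add(host)
    return ips, domains, urls


IOC_IPS, IOC_DOMAINS, IOC_URLS = build_sets(DEFANGED_IOCS)

URL_RX = re.compile(r"https?://[^\s\"']+")
HOST_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
# Heuristic drawn from the listed C&C URLs: /Proxy.php served from a bare IP.
PROXY_PHP_PATH = re.compile(r"/proxy\.php$", re.I)


def scan_line(line):
    """Indicator hits in one log line, in order of appearance, deduplicated."""
    hits = []
    for url in URL_RX.findall(line):
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if (host, u.path.lower()) in IOC_URLS:
            hits.append(f"url:{host}{u.path}")
        elif PROXY_PHP_PATH.search(u.path) and is_ip(host):
            hits.append(f"pattern:proxy_php_on_bare_ip:{host}")
    for tok in HOST_RX.findall(line):
        tok = tok.lower()
        if tok in IOC_IPS:
            hits.append(f"ip:{tok}")
        elif tok in IOC_DOMAINS:
            hits.append(f"domain:{tok}")
    return list(dict.fromkeys(hits))


def scan_log(lines):
    """Map line index -> hits, for lines that have any."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line))}


if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

The exact-URL and bare-IP checks are separate on purpose: the exact set catches the infrastructure the report names, while the path pattern catches the same tooling on a host the report does not know about, at the cost of a false positive on any legitimate `Proxy.php` served from an IP literal. Expect the `tyk.io` gateway hostnames to need extra care, since that platform also hosts legitimate API gateways; match the full hostname, never the parent domain.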