This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 59 threat intelligence reports and compiled a brief summary of each, along with the relevant metadata that was extracted. Below you will find a short summary of 10 reports, the related threats, tools and threat actors, a link to the source, and the indicators of compromise (IoCs) extracted from the original reports. More granular information on all reports, including TTPs, is available via RST Report Hub.

Title: XE Group: From Credit Card Skimming to Exploiting Zero-Days
Link: https://intezer.com/blog/research/xe-group-exploiting-zero-days/
Summary: XE Group, a cybercriminal organization active since 2013, has shifted its focus from credit card skimming to targeted information theft. Recent research by Intezer and Solis Security highlights their exploitation of zero-day vulnerabilities, specifically CVE-2024-57968 and CVE-2025-25181, affecting the VeraCore software used in logistics, enabling them to deploy ASPX webshells for persistent access to compromised systems. The group has demonstrated tactical adaptability, maintaining unauthorized access for over four years and extending its operations into the supply chains of the manufacturing and distribution sectors, using obfuscated PowerShell scripts and remote access Trojans.
Threats: xegroup_group meterpreter_tool supply_chain_technique magecart_group aspxspy_shell snipr_tool netstat_tool
Indicators of compromise:
-------------------------
ip: 171[.]227[.]250[.]249, 123[.]20[.]29[.]193, 222[.]253[.]102[.]94, 222[.]253[.]102[.]94:7979
domain: xegroups[.]com, object[.]fm, hivnd[.]com, xework[.]com, paycashs[.]com, sexadult[.]com
url: https://hivnd[.]com/software/7z[.]exe
hash:
- sha256=884c394c7b3eb757ae57050ac2e6a75385a361555e8e4272de1a3cf24746eec7
- md5=cb424b3be3cb35ec1349bd3e09c53cc4
- sha256=ba2109b5a3ccebbc494ee93880b55640539c7d25b85bc12189f0c671ce473771
- sha256=680b7e8ec8204975c5026bcbaf70f7e9620eacdd7bf72e5476d17266b4a7d316, md5=7abb73b7844f2308d9c62954e6e8b7fc, sha1=032dd95a1299f37aaa76318945e030eb7da94da9
- sha256=322f8cd560d5e10e93af3ea6d3505c8de213f549e6627c3ef4664ed92ba55f56, sha1=84e7f4ff1f93a4297c2e2c4e54f14edb18396b60, md5=457d7e3a708d1b5c6a8d449e52064985
- sha1=16db01fe25b0c09e18d13f38c88a4ead5d10e323, sha256=c564acd69efa62a5037931090bf70a6506419fdf59ec52f8d1ab0b15d861cc67, md5=339a79457a8cf3504312d394be3ece98
- sha1=ede5ddb97b98d80440553b23dfc19fdb4adc7499, md5=7a9b5c3bb7dab0857ee2c2d71758eca3, sha256=38b2d52dc471587fb65ef99c64cb3f69470ddfdaa184a256aecb26edeff3553a
- md5=7b5b7d96006fec70c2091e90fbf02b99, sha1=9e928a26aa3c0e6eb8e709fc55ea12dcf7e02ff9, sha256=013ccea1d7fc2aa2d660e900f87a3192f5cb73768710ef2eb9016f81df8e5c70
email: xecloud@icloud[.]com, xethanh@gmail[.]com, joyn[.]nguyen@gmail[.]com

Title: Unmasking: Technological Advancement and Evolution of MuddyWater in 2024
Link: https://www.gov.il/BlobFolder/reports/maddy_water_2024/en/ALERT_CERT_IL_W_1858.pdf
Summary: MuddyWater, an Iranian threat actor associated with the
Ministry of Intelligence and Security (MOIS) since 2017, has been actively conducting cyber operations primarily against Israel and other nations in response to geopolitical events. Known for spear-phishing campaigns in the Middle East, particularly against Israeli entities, the group employs a diverse malware arsenal that combines custom-developed tools with legitimate software for persistence and stealth. Its tradecraft includes social engineering, COM hijacking and encrypted communication channels, with DNS- and HTTP-based backdoors for command and control, and it keeps exploiting known vulnerabilities and legitimate infrastructure to retain access to sensitive data.
Threats: muddywater_group muddyrot anchorrat cannonrat neshta sad_c2_tool havoc com_hijacking_technique lolbin_technique spear-phishing_technique dll_sideloading_technique dllsearchorder_hijacking_technique blackout_rat blackpos venom_proxy_tool simplehelp_tool upx_tool go-socks5_tool pheonix treasurebox mythic_c2 chisel_tool
Indicators of compromise:
-------------------------
ip: 212[.]232[.]225[.]5, 157[.]20[.]182[.]102
domain: 1drv[.]business, magicallyday[.]com, ulpanim[.]wiki, spaziogroup[.]org
url: https://ulpanim[.]wiki/signup, https://ulpanim[.]wiki/order, https://ulpanim[.]wiki/contact, https://ulpanim[.]wiki/shop, https://ulpanim[.]wiki/detail, https://ulpanim[.]wiki/support1, https://ulpanim[.]wiki/support2, https://ulpanim[.]wiki/support3
hash:
- md5=97e844797181cd163b794529447219d3
- md5=15022bda37f65f33cad2bb5bf84a3900
- md5=283c87eaf43a3099217a6d6f01d9c4f3
- md5=963b75b2a747eec611265a22582d38e2
- md5=c3b990474c06086db4311c1553570174
- md5=6e5451b250731fcb5713bd043f406bf1
- md5=ac819c8e223c20df9bb9a80ab5c20e4a
- md5=b15dd02164a9bb53356ba1d748301bf7
- md5=50da52b517c708a0d409ba20fd00b10f
- md5=7d5b1ae57599940faf51e0b38f4824bd
- md5=f700378578df895e80c0dfeea68fe694
- md5=297f77096dfb485641b4594c83b32a7c
- md5=c4406f5fff870955af772d676a30a0cf
- md5=25b6f3f4b13bc53dd4981915cdd95e33
- md5=2f257ead7f42df4e9115ddab552e77e4
- md5=c851e849c8442727eac69225203ee7f7
- md5=d3e259a8caa7e23e89453a387caa3a15
- md5=c1ef5f29c1811444e1e96c25e667f18d
- md5=fd5b55c1b97bef7b4f3114d39984e597
- md5=9077295f0eb9db45fc495a04637ee197
- sha256=044365681b0e781292e79c19906f379b7c3e0d5a404b19b56ed7b447b75d1485
- sha256=6f6869fe0d47ef2abbd30651f6348de3868e4e2f642e30f468bc8376ec30b150
- sha256=153128c13808b275b6f00bda3a616ee6fbb26f21d9124b13ab6daf1c7e7ff48e
email:

Title: GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine’s Largest State-Owned Bank
Link: https://www.cloudsek.com/blog/getsmoked-uac-0006-returns-with-smokeloader-targeting-ukraines-largest-state-owned-bank
Summary: UAC-0006, a financially motivated threat actor, is running phishing campaigns against PrivatBank in Ukraine, using password-protected archives to deliver JavaScript, VBScript and LNK files, with SmokeLoader handling payload execution and command-and-control communication. The report lists SHA256 hashes of the malicious files, which are themed around payment instructions and passports, and the attackers rely on deceptive emails to lure victims into downloading them.
The group has extended its tactics to LNK files that run PowerShell commands to fetch and execute files from C2 servers, echoing tradecraft seen from FIN7 and other Russian criminal groups; the campaign puts sensitive data and credentials at risk, damages brand trust, and creates potential supply chain exposure.
Threats: getsmoked_campaign uac-0006_group smokeloader process_injection_technique carbanak_group empiremonkey_group blackbasta credential_harvesting_technique supply_chain_technique spear-phishing_technique
Indicators of compromise:
-------------------------
ip: 94[.]156[.]177[.]51, 89[.]23[.]107[.]219, 109[.]70[.]26[.]37
domain: connecticutproperty[.]ru, constractionscity1991[.]lat, restructurisationservice[.]ru, spotcarservice[.]ru, 3-zak-media[.]de, cityutl[.]ru
url: http://89[.]23[.]107[.]219/privat[.]exe, http://3-zak-media[.]de/temp/paxynok_privatbank_06_01_2025p[.]zip, http://3-zak-media[.]de/temp/gate[.]php, http://89[.]23[.]107[.]219/invoce[.]pdf, http://89[.]23[.]107[.]219/final[.]mp4, http://spotcarservice[.]ru/fdjskf88cvt/invoce[.]pdf, http://spotcarservice[.]ru/fdjskf88cvt/invoce2[.]pdf, http://spotcarservice[.]ru/fdjskf88cvt/putty1[.]exe, http://spotcarservice[.]ru/fdjskf88cvt/yumba/putty[.]exe, http://3-zak-media[.]de/krayer-buergerschaft/Web/bilder/putty1[.]exe, http://cityutl[.]ru/download/pax[.]pdf, http://cityutl[.]ru/download/putty[.]exe
hash:
- sha256=5a0b48ccc1a353c4ace5e9626f17622611432a016577797d4c891ca945ffa7f8
- sha256=80c450570cd338a594546f9e6c189ffc2a849d3bac3759c53592af30840ffb90
- sha256=e0c57518aeef787bcf7cc13484486cfa48458bdf6b0baee02598e777a3ef83f2
- sha256=ca90047f4c8b5c6628e38f11c1b3411ac8f0040a2d72e35c1a37de1d9a127131
- sha256=dada50182ca98f75e0055f9b4a47d8ef3a6dda5c126cac309467c02257f3c1c0
- sha256=119b79b9cdb773dc951c36fe35ea0237e5f035bda6493103399e3697dc929c3d
- sha256=21bbe1929d20c5525349dabe58748798f9cdaa1abd25f13dc98b4c0b8ffdde23
- sha256=31ba8ceffe689b570dc696c97291780288f16a15f91d3e55bf13d7dcdf3858a9
- sha256=3216f4728788cc9a0416290d31a2fdc97bcd3f028582efc52dc1cd8208f0cebd
- sha256=38eb41eebbc889d046d354de345cf7c073971f62c2aaf53163ecefb7914273cc
- sha256=3998a0d2e96417ce234a79897df8bcb879295043ce3d7f188c7b3de7375b26e5
- sha256=3bfb1a880ea62bb4ad24e98a3a641b85e2392942af59727701c57ed094e5554e
- sha256=4a559be38d60d64cb378643cc4332f40fe94d5f6c4f71a4f593e4efcd918349c
- sha256=4abf59022d70abac175ddd896e4d709d256ca56a7a9dd8a9805eb5f2af490576
- sha256=527a4b00fc95ecb9c1308ccc4ebd6bac7c03053e8ed11cdeb08ac3a6af8775c3
- sha256=5b259a3ce6c0ce88690eb15d71162a930f267d960e26e88d37c92403d747f44a
- sha256=6d29acbbaf0c75eca458e3936dea7d20fceca415b897573b704d151c7e9261b8
- sha256=75f20c4171c699a991c45671b46174b0879e1fcf83ee4cdc63af8d6a833698b3
- sha256=7c3a1bbbcbd2a328d8fb70efbdc55efaeb23b8511955109facef5c6c20350afb
- sha256=8a6466093bc38a5d075148fde75952372ab5d7bb991b74773d5e019e0e0145f0
- sha256=993518e45c78f9cc19daefbabef980e2e16a5e2fa11036f1e98c6446efb38676
- sha256=9aad92a2d4b310a344f102436f12d29c7ac635478918874181a18182e4f530b4
- sha256=a2b10deef491ec1430f65157a411a47de0e9ad1431518b2fa4fe5f18a4f3e2bd
- sha256=b62d21ec1f54e7f7d343bc836e87a13adf9f40f87fc54a7d3788baea9a2c2b08
- sha256=b815638024caac8bb7e482465564ec2a091f2af52cbf635be268e9093cbc4e92
- sha256=bfc7164ed334044c780f0f15b56b559dfabbb0007ba268c180a281ac5bcc1f19
- sha256=cd8dc77de5811a6a215e74cf61b3c34fcf28d5a05df5e4fc26fc9ad2ee72868b
- sha256=d143873322c13496b2fc580c07fead99c1679afe831202913cee522d88ff7795
- sha256=d35cd24668474580161008eb655ce979400e382a58f0e6967b10a4d86343b6ec
- sha256=ee5a55588bbdfe6749da1962a9b7d1b29a87a10a324347070edd9e8ec33f7c82
- sha256=f1d97e23cb0820e851d457dbb930576890e5bc6313cdf30d09f160cbdcdac90f
- sha256=f4222b240f88d43e6c63b9d9c09d93c10ba882b91fc4a61c0cd833f7c79b4c44
- sha256=f72f2e0f0873885313dbde954f26acd1c02ed963512111b3f00cf7e9cd6e5e6d
- sha256=e8b08cb0774145ac432406f5e579aabaddb485ad29ba7d1eb1c5fb3000c5eefa
- sha256=7722151293bdc50640c719a55438ffd663a3d2bccc70392cdce8052b651afea0
- sha256=9833cbd22fd50181f8939114920e883bacf8d727337f5dcdf4450d0312eca188
- sha256=a3aac43dd6a592c9ec58121a09c8cd22fb1b2d05ca1ff91259e43565d5e33022
- sha256=97fe6b08d8a40c1f6990ca5c7405fdc98e014cf1fdfc2646580bffd34c1160ec
- sha256=476a8e2d8eae4d2315e719bf67be312c5e88476509bdbac2dffee48986ad54c1
- sha256=0a898f1df135d52ef5006f8dba9e9fce4ab4a85e07a9417f39c7612113eb6210
- sha256=1043ce610dd6e8b0cda635dbe1f15524c25d816f89ad22f9bc34403ef8e771cc
- sha256=107190bb8f28ed2bb2f0883ae1fbfe0e50cacc54c17dc526c865f6f46f40107a
email:

Title: LockBit — Persistent TTPs in the Larger Ecosystem
Link: https://redsense.com/publications/lockbit-persistent-ttps-in-larger-ecosystem
Summary: LockBit, the ransomware group whose infrastructure was dismantled by international law enforcement nearly a year ago, continues to shape the threat landscape. Having evolved from ABCD ransomware in 2019 to LockBit 3.0, the group distributed tools such as the LockBit builder, which lets others create tailored ransomware variants for their own attacks. Even after the takedown, independent actors have kept using LockBit's tooling and tactics, with established methods for data exfiltration and lateral movement and a range of detection evasion techniques.
This decentralized reuse of LockBit, together with alliances with other threat groups, keeps numerous sectors exposed to LockBit-based attacks.
Threats: lockbit lockbit_group exmatter_tool zeon conti credential_dumping_technique hellokitty blackcat blacksuit_ransomware avaddon revil avos_group national_hazard_agency_group bl00dy_group 3am_ransomware citrix_bleed_vuln akira_ransomware ransomhub Trojan.Win32.Inject.aokvy uac_bypass_technique cobalt_strike mimikatz_tool pchunter_tool process_hacker_tool gmer_tool 0ktapus_group luminati_tool domain_fronting_technique brc4_tool
Indicators of compromise:
-------------------------
ip: 198[.]199[.]74[.]168, 198[.]199[.]82[.]43, 159[.]89[.]236[.]37, 104[.]248[.]23[.]242, 89[.]203[.]223[.]42, 198[.]199[.]74[.]168:22, 198[.]199[.]74[.]168:80, 198[.]199[.]74[.]168:443, 198[.]199[.]82[.]43:22, 198[.]199[.]82[.]43:25, 198[.]199[.]82[.]43:53, 198[.]199[.]82[.]43:80, 198[.]199[.]82[.]43:443, 198[.]199[.]82[.]43:3389, 198[.]199[.]82[.]43:5432, 104[.]248[.]23[.]242:22, 104[.]248[.]23[.]242:25, 104[.]248[.]23[.]242:53, 104[.]248[.]23[.]242:80, 104[.]248[.]23[.]242:443, 104[.]248[.]23[.]242:3389, 104[.]248[.]23[.]242:5432, 159[.]89[.]236[.]37:22, 159[.]89[.]236[.]37:25, 159[.]89[.]236[.]37:53, 159[.]89[.]236[.]37:80, 159[.]89[.]236[.]37:443, 159[.]89[.]236[.]37:3389, 159[.]89[.]236[.]37:5432
domain: exploit[.]in, realmigrator[.]com
url:
hash:
- sha1=7c67976bfc3ef3c673d5cabc60b7f6fbe0ab19dc
email:

Title: Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques
Link: https://www.morphisec.com/blog/rat-race-valleyrat-malware-china
Summary: Morphisec Threat Labs has uncovered a multi-stage malware named ValleyRAT, linked to the Silver Fox APT actor, which has adapted its tactics by reusing a single URL across multiple iterations of the attack. The malware is spread through phishing emails and deceptive websites and specifically targets key roles in finance and accounting. The infection chain begins when a user downloads a counterfeit Chrome browser and executes a file that triggers the malware, which uses DLL search order hijacking to load malicious payloads into legitimate applications. ValleyRAT, written in C++, supports keylogging, connects covertly to its external command-and-control addresses, and tampers with security mechanisms to avoid detection.
Threats: valleyrat silver_fox_group dllsearchorder_hijacking_technique dll_hijacking_technique dll_sideloading_technique apc_injection_technique process_hollowing_technique donut
Indicators of compromise:
-------------------------
ip: 149[.]115[.]250[.]19, 8[.]217[.]244[.]40, 154[.]82[.]85[.]79, 118[.]107[.]44[.]219, 43[.]250[.]172[.]42, 202[.]146[.]222[.]208, 103[.]183[.]3[.]10
domain:
url: https://anizom[.]com, https://karlost[.]club
hash:
- sha256=968b976167b453c15097667b8f4fa9e311b6c7fc5a648293b4abd75d80b15562
- sha256=311f2d4ef2598e4a193609c3cd47bf4ff5fb88907026946ecffe6b960d43d5b2
- sha256=51a9d06359952f6935619e8cf67042d2cec593788c324b72cffc0d34b1762bb0
- sha256=53a6735ce1eca68908c0367152a1f8f3ca62b801788cd104f53d037811284d71
- sha256=6ed466a2a6eeb83d1ff32ba44180352cf0a9ccc72b47e5bd55c1750157c8dc4c
- sha256=a87745682da20ddfd6eac7ff2d27fec73ff56c6e9b4438121dcb6ba699c5cb3c
- sha256=1db77692eaf4777f69ddf78c52424d81834572f1539ccea263d86a46f28e0cea
- sha256=3989f7fa8d1d59ebc6adea90e3958a892b47d94268bf9d5c9c96811f3fb65b00
- sha256=7c2a1b09617566ff9e94d0b1c15505213589f7fd3b445b334051d9574e52e0f5
- sha256=bb89e401560ba763d1c5860dd51667ba17768c04d00270bf34abebac47fd040e
email:

Title: CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
Link: https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
Summary: The ZDI Threat Hunting team discovered a zero-day vulnerability in the 7-Zip archiving tool, CVE-2025-0411, which was actively exploited in a targeted SmokeLoader campaign against Ukrainian organizations amid regional tensions. The flaw lets attackers bypass Windows Mark-of-the-Web (MotW) protections through double archiving: the malicious file is placed inside an archive that is itself inside another archive, and vulnerable 7-Zip versions do not propagate the MotW to files extracted from the inner archive, so SmartScreen and Office protected-view warnings never fire. This was combined with homoglyph attacks, in which a visually similar non-Latin character in the file name or extension misleads users about the file type. Delivered primarily through spear-phishing, the exploitation compromised government and civilian organizations in Ukraine, taking advantage of weak cybersecurity defenses, particularly among smaller local governmental bodies. The issue is fixed in 7-Zip 24.09; earlier versions remain exposed and should be updated.
Threats: homoglyph_technique smokeloader motw_bypass_technique spear-phishing_technique credential_harvesting_technique
Indicators of compromise:
-------------------------
ip: 185[.]156[.]72[.]78
domain: api-mirosoft[.]com, trojan[.]win32[.]downloader[.]bz, xn--api-mirosoft-ehk[.]com, alfacentarusmulticopter[.]ru, johnfabiconinteraption[.]ru, storeagroculturnaya[.]ru, unicalads[.]ru, lazaretmed[.]pw, technoads[.]pw, oncomnigos[.]online, southlander[.]ru, goodmastersportunicum[.]ru, ukr-netfilediscdownloadapplication[.]ru
url: http://alfacentarusmulticopter[.]ru/index[.]php, http://johnfabiconinteraption[.]ru/index[.]php, http://storeagroculturnaya[.]ru/index[.]php, http://unicalads[.]ru/index[.]php, http://lazaretmed[.]pw/index[.]php, http://technoads[.]pw/index[.]php, http://oncomnigos[.]online/index[.]php, http://185[.]156[.]72[.]78/MyFolder/pay[.]zip, http://southlander[.]ru/dklfhgjdfhgjd78khdgfjgh/akt[.]bat, http://goodmastersportunicum[.]ru/load/svc[.]exe, http://ukrnetfilediscdownloadapplication[.]ru/file/download/68523654563845638465384585863874653786587365934/AKT_PAX_26_09_2024p[.]rar, https://ukrnetfilediscdownloadapplication[.]ru/file/download/68523654563845638465384585863874653786587365934/AKT_PAX_26_09_2024p[.]rar
hash:
- sha256=ba74ecae43adc78efaee227a0d7170829b9036e5e7f602cf38f32715efa51826
- sha256=84ab6c3e1f2dc98cf4d5b8b739237570416bb82e2edaf078e9868663553c5412
- sha256=7786501e3666c1a5071c9c5e5a019e2bc86a1f169d469cc4bfef2fe339aaf384
- sha256=2e33c2010f95cbda8bf0817f1b5c69b51c860c536064182b67261f695f54e1d5
- sha256=888f68917f9250a0936fd66ea46b6c510d0f6a0ca351ee62774dd14268fe5420
- sha256=a059d671d950abee93ef78a170d58a3839c2a465914ab3bd5411e39c89ae55a2
- sha256=554d9ddd6fd1ccb15d7686c8badb8653323c71884c7f20efb19b56324ff34fc1
- sha256=54678013c8741db3340960e54ba93001c27619ead5cf5cc2eafd4c0fcf797ae6
- sha256=62eb856a5f646c2883a3982f15c3eb877641f9e69783383ce8a73c688eccd543
- sha256=cd123c288f623878218be31125000441bb8c5447375af67bc3c1d27d16eb5f8c
- sha256=8ee225bdd38cf6fd014a16beb9e33a0650147a9b7ea2104afe2f47c01bd1db0b
- sha256=b3df042c5286fa91a4555e105038364bc66bfe7fdfe3769eb26b96e0ffe6096b
- sha256=915b73a57aaf759fbd5352d79656e1b697545e6c9d953ab05aacf61ed4f6e397
- sha256=d6d722ae73ddff1ad7c468feca882b159a2a6e267df8b219482b514cdab74c21
- sha256=fdfbdd42944c9e3b9697a8d8375e4e5cfd45c86941aa3f8f6dd0d08607b73144
- sha256=5c7d582ba61ac95fb0d330ecc05feeb4853ac1de1f5a6fd12df6491dd0b7ea34
email:

Title: SmokeLoader Malware Found in Open Directories Targeting Ukraine's Auto & Banking Industries
Link: https://hunt.io/blog/smokeloader-malware-found-in-open-directories-targeting-ukraine-s-auto-banking-industries
Summary: Recent research has identified open directories hosting SmokeLoader samples that target Ukraine's automotive and banking sectors. Found on two misconfigured servers in Poland and Ukraine, the malware is delivered with financial-themed lure documents such as fabricated invoices and account statements to draw users in and compromise their systems.
SmokeLoader, first documented in 2011 and commonly associated with suspected Russian threat actors, is used to gain initial access before additional payloads are deployed. The behavior observed in the research, including injection into the explorer.exe process and communication with command-and-control servers, underscores the ongoing threat to Ukrainian organizations from adaptable, financially motivated campaigns. Several of the indicators below (connecticutproperty[.]ru, constractionscity1991[.]lat, restructurisationservice[.]ru, spotcarservice[.]ru and the SHA256 9833cbd22fd50181f8939114920e883bacf8d727337f5dcdf4450d0312eca188) also appear in the UAC-0006 GetSmoked report above, so the two write-ups likely describe the same infrastructure.
Threats: smokeloader
Indicators of compromise:
-------------------------
ip: 2[.]59[.]163[.]172, 2[.]59[.]163[.]72, 88[.]151[.]192[.]50, 94[.]156[.]177[.]72:80, 2[.]59[.]163[.]71:80, 94[.]156[.]177[.]72, 66[.]63[.]187[.]25, 88[.]151[.]192[.]71
domain: www[.]connecticutproperty[.]ru, downloadmanager[.]ru, oncomnigos[.]ru, consultationoffice[.]ru, www[.]spotcarservice[.]ru, www[.]fileexportinc[.]ru, restructurisationservice[.]ru, fileexportinc[.]ru, constractionscity1991[.]lat, ns2[.]constractionscity1991[.]lat
url: http://constractionscity1991[.]lat, http://restructurisationservice[.]ru, http://connecticutproperty[.]ru
hash:
- sha256=9833cbd22fd50181f8939114920e883bacf8d727337f5dcdf4450d0312eca188
- sha256=f8bd5f0408409ea63a270d5aad8da5f0cb557f9a82e0da3e8077cbe589288054
- sha256=1118a93cc63a70ba8348182f7012ddbeecf890345941c82376ac967faf55a295
- sha256=4b00565a29eeb0446393d0538e8f24de232339cf3ffb6a76a2bce3ba160c2066
- sha256=5e7602b9073b8cf5c1a6afc6d0c8366545da65d2b48eb109f1bd9f40a58e73c0
- sha256=7991bfff4eb5f50aa9f5d3d95064411987a29de9621fc5afca9e4978ca568941
email:

Title: Premium Panel: phishing tool used in longstanding campaigns worldwide
Link: https://www.intrinsec.com/wp-content/uploads/2025/01/TLP-CLEAR-Live-Control-Panel-Premium-EN.pdf
Summary: The "Premium panel" phishing toolkit is a framework for logging credentials and redirecting victims to counterfeit login pages, used mainly against the banking and logistics sectors across
various Western countries and specific regions such as Saudi Arabia and South Africa. The toolkit has been in operation for more than two years; its phishing domains share common IP addresses, which points to centralized operation by a single actor, and phishing sites targeting organizations in Cyprus and Hungary have been observed. A central script, "processor.php", keeps the victim's browser connection open and drives the redirection, which makes the phishing flow more effective. Historical domain registration records show recurring registrant email addresses, offering a pivot for tracing the groups behind the operation. The toolkit's infrastructure also relies on compromised legitimate websites and temporary hosting domains, which makes it adaptable and raises the likelihood of broad phishing activity against the financial sector.
Threats: premium_panel_tool mitm_technique geral
Indicators of compromise:
-------------------------
ip: 139[.]177[.]180[.]48, 87[.]121[.]22[.]102, 87[.]121[.]22[.]214, 2[.]59[.]255[.]11, 20[.]100[.]169[.]28, 185[.]221[.]67[.]30, 45[.]55[.]112[.]74
domain: cloudwayapps[.]com, tempurl[.]host
url: http://kao[.]jfk[.]mybluehost[.]me/wp-admin/web, http://laelenasa[.]com[.]ar/auqanta/web, http://tly[.]vgj[.]mybluehost[.]me/cgi-bin/web, http://zppwpailkq[.]cfolks[.]pl/ar/web/login[.]php, http://didc-malls[.]net/nk1/de/delogin/66f9272999098-70971[.]php, http://redeem[.]quantasgift[.]store/v2/web, http://gth[.]srl[.]mybluehost[.]me/wp-content/web/bill[.]php, http://qantas[.]seawallet[.]pro/aufly/web, http://cggelhs4fvad[.]adigeni[.]ge/eazy/web, http://ryiucndes[.]mypi[.]co/T/il/index[.]php, http://of-cyprusgroup[.]com/cy/auth/login[.]php, http://profiles[.]riders[.]guide/js/web, http://wordpress-983281-3799665[.]cloudwaysapps[.]com/wpadmin/ca/auth/entrar[.]php,
http://0rc5zd5pdqbnlrkv5[.]adigeni[.]ge/eazy/web, http://complete-card-tdn9g8zr3dqc[.]adigeni[.]ge/ccb/web, http://lna[.]ire[.]mybluehost[.]me/wp-content/web, http://ezv[.]jnk[.]mybluehost[.]me/auth/login[.]php, http://www[.]mobilvodafone[.]com/auth/auth[.]php, http://authentication[.]watchsanda[.]com/auth/login[.]php, http://serwer2255313[.]home[.]pl/finan/finan/auth/login[.]php, http://connect-client[.]serv00[.]net/app/app/login[.]php, http://snize-next[.]com/hy0/de/delogin/66e077efe7cf2-73438[.]php, http://espace-documents-authsecappmovil[.]codeanyapp[.]com/Particuliers/sg/web/wait[.]php, http://united-domainsgub9tvon[.]adigeni[.]ge/ud/web/add[.]php, http://webid[.]netcharge[.]lat/verif/miles-and-morekreditkarte[.]com/web/login[.]php, http://corres[.]live/GtTracking/auth/card[.]php, http://atzqatavtz[.]adigeni[.]ge/wino/web/add[.]php, http://tcuvbwgt8l[.]adigeni[.]ge/wino/web/add[.]php, http://7f6n14eabe[.]adigeni[.]ge/wino/web, http://bbndf7evqc[.]adigeni[.]ge/wino/web/add[.]php, http://qzif5odwmi[.]adigeni[.]ge/wino/web/add[.]php, http://w4hquoo7dg[.]adigeni[.]ge/wino/web/add[.]php, http://dervfpvcvy[.]adigeni[.]ge/ud/web/add[.]php, http://kamakatchi[.]serv00[.]net/NETFLIX/app/app/login[.]php, http://satfera[.]in/build/auth, http://myj[.]pju[.]mybluehost[.]me/web, http://clinicafatima[.]com/otp/auth/login[.]php, http://ltswedbank-ab[.]com/auth/login[.]php, http://www[.]post-israel[.]savacrm[.]com/il/index[.]php, http://ecomm-shop[.]org/kn21/page/wp/66c1c28a54602-47939[.]php, http://dash-appserv[.]net/hg0/page/wp/66bd88d6bedde-23358[.]php, http://urn[.]pyw[.]mybluehost[.]me/web, http://pintacaritasmiami[.]com/[.]well-known/-/global/takare/login[.]php, http://casabeachfront[.]in/mainz/auth/entrar[.]php, http://domains[.]bavarianmarketing[.]org/wp//domains/clients/web/add[.]php, http://lucassouzajlle[.]com/mains/auth/entrar[.]php, http://radiosouzahits[.]com[.]br/admin/swf, http://swedbankgroup[.]info/auth/login[.]php, 
http://onlineswedbank-lt[.]com/auth/login[.]php, http://radionave[.]com/scripts/colorbox/images/ie6, http://sparkteamsupport[.]com/web, http://swedbank-lt[.]online/auth/login[.]php, http://acconnex[.]eu/app/login[.]php, http://imprentacubodigital[.]com[.]ar/hu/auth/login[.]php, http://frezik-art[.]pl/finance/Financer/Pos/auth/login[.]php, http://serwer2043802[.]home[.]pl//biblioteka2018/szablon/Post, http://giermusicclub[.]com[.]ar/lt/auth/login[.]php, http://stanfordheathaccountants[.]co[.]uk/cyprus/auth/login[.]php, http://commerzbank-de-phototan[.]info/cmz[.]de/DEcommerzbanka_edit/DEcommerzbanka_edit/web/login[.]php, http://tfserviceupda[.]wpenginepowered[.]com/tf/de/home/login[.]php, http://ebenezerbandeira[.]com[.]br/cgi-bin/web, http://ci45998[.]tw1[.]ru/caixa/home/entrar[.]php, http://campomaior[.]website[.]radio[.]br/imagens/ico_redes/web/payment, http://cidadejornal[.]website[.]radio[.]br/includes/web/payment, http://nerco[.]es/wpincludes/Text/Diff/Engine/host/auth/login[.]php, http://rockbyes[.]com/de/tf-bank/home/login[.]php, http://radiothethemix[.]com/200/web/bill, http://app-update-service[.]site/wp-content/TF-0199/tfbanks/home/login[.]php, http://heisateam[.]com/ar/servizo/home/loading1[.]php, http://wise-idtransfer[.]napraw-agd[.]pl/valid/web/index[.]php, http://wise-transfer[.]napraw-agd[.]pl/suift/web/index[.]php, http://wise-signup[.]witchclean[.]com/web/index[.]php, http://wise-line[.]nilangroup[.]com/lg/web/index[.]php, http://centerpointaddisfurnishedapartment[.]com/yettel[.]hu/auth/login[.]php, http://wiseonline[.]fabsmarketinggroup[.]com/sss/web/index[.]php, http://targoholiscarl1999281292[.]codeanyapp[.]com/identificationauthentification/home/login[.]php, http://sb1[.]724[.]mytemp[.]website/s/auth/login[.]php, http://transwise[.]nilangroup[.]com/verify/web/index[.]php, http://tf-banks[.]online/De/tf-bank/home/login[.]php, http://fpv[.]ths[.]mybluehost[.]me/SPK/Online/spa/home/bic[.]php, 
http://www[.]brilliantcctvcamera[.]com/spk/sparkasse%20de/spa/home/bic[.]php, http://ckx[.]cna[.]mybluehost[.]me/u[.]p[.]s/app/track[.]php, http://kanonjdid[.]tempurl[.]host/xnallo/web/login[.]php, http://of[.]cyprus[.]centerpointaddisfurnishedapartment[.]com/cyprus/auth/login[.]php, http://highshopu[.]com/kWw3r/pos/auth/login[.]php, http://lizard[.]hu/sa/home/entrar[.]php, http://a2[.]detaynet[.]com/SWISS/auth/login[.]php, http://xqq[.]bof[.]mybluehost[.]me/mphb%202/2023/web/login[.]php, http://xvb[.]zca[.]mybluehost[.]me/sp2/abonne/delogin/6641e4a0b0a76-99562[.]php, http://onlinegatewayunpaidfees[.]com/JFYRTADZ/index[.]php, http://nilangroup[.]com/assets/online/web/index[.]php, http://billsleek[.]in/re0/abonne/delogin/663cc2566f456-49777[.]php, http://xvb[.]zca[.]mybluehost[.]me/sp2/abonne/delogin/663cdc75b4f70-86660[.]php, http://dal4[.]hostclusters[.]com/~pwaprmaze/AKEMZLA/ZAMELZ/SG/web/login[.]php, http://reschedulepackonlineus[.]com/JFYRTADZ/index[.]php, http://cyber_folks[.]schmerztherapieschumann[.]de/c1s2e3rt5y6e-ndd/tonline_beta/web/user[.]php, http://cyber_folks[.]kruzineser[.]org/c1s2e3rt5y6e-ndd/tonline_beta/web/user[.]php, http://cyber_folks[.]scrimbus[.]de//c1s2e3rt5y6e-ndd/tonline_beta/web/user[.]php, http://onlineuspsportalusa[.]com/JFYRTADZ/index[.]php, http://drshamimkhan[.]in/config/sparkasse/spa/home/login[.]php, http://bakeforeme[.]corenetwork[.]net/mycouriers/web, http://fordpussetto[.]com[.]ar/sparkassea/sparkasse/spa/home/bic[.]php, http://sidikhsu[.]com/sparkasse/spa/home/bic[.]php, http://wiseonline[.]aykernasbungalov[.]com/wises/web/index[.]php, http://receber-post-correiosrrfd[.]codeanyapp[.]com/SG1/sg/web/login[.]php, http://www[.]southerntennis[.]com/~pamrlr/PP/sg/web/login[.]php, http://dolphin4k[.]com/jw/wises/web/index[.]php, http://musclemeal[.]co[.]in/mll/comp/de, http://web-seb[.]com/web/login[.]php, http://69c[.]6b5[.]mywebsitetransfer[.]com/SWISS/auth/login[.]php, 
http://postfnccontact[.]de[.]swtest[.]ru/de/secure/auth/login[.]php, http://internetbanking[.]ne-tu[.]eu//libraro/mm/web/login[.]php, http://bar[.]bgd[.]mybluehost[.]me/idr/DEsparkasse/spa/home/login[.]php, http://swissonlinecom[.]com/fa/99/web/login[.]php, http://eti[.]hgn[.]mybluehost[.]me/wpadmin/css/auth/home/login[.]php, http://wordpress-168935-0[.]cloudclusters[.]net/spa/spa/hom/spar/spa/home/bic[.]php, http://www[.]moraesconcreto[.]com/wpadmin/nordddea/auth/login[.]php, http://l75[.]eee[.]mywebsitetransfer[.]com/Nordea/auth/login[.]php, http://themarketersdream[.]com[.]au/auth/login[.]php, http://hostnow[.]co[.]ke/twentytwent/auth/home/login[.]php, http://serwer2397890[.]home[.]pl/imodzeb/PostFinance/Finance/auth/login[.]php, http://ashadeofjade[.]com/sar/home/tarjeta[.]php, http://www[.]hospitalcovadonga[.]com/wpcontent/languages/themes/finance/auth/login[.]php, http://myblog-on8u3ksh23[.]live-website[.]com/wpadmin/A/spa/home/login[.]php, http://www[.]postbank[.]fameseminuevos[.]com/app/loginos[.]php, http://dzempas[.]com/wp-amln[.]php/auth/login[.]php, http://littlelight-baby[.]com/vod/auth/login[.]php, http://signin-postfinanceaccountch[.]sslawoff[.]com/id/auth/login[.]php, http://fastupdate[.]tempurl[.]host/vubs/vubs/web/login[.]php, http://politicsniger[.]com[.]ng/wpcontent/upgrade/auth/login[.]php, http://obzoronlinecasino[.]ru/wpadmin/stand/app/logins[.]php, http://sparrow[.]de/sa/home/tarjeta[.]php, http://www[.]edenthub[.]com/Downloads/consor/web/login[.]php, http://rfpiliberia[.]com/Application/DE/consor/web/login[.]php, http://thetrend[.]blog/wp-admin/search/web/login[.]php, http://www[.]turismotierraestella[.]com/fonts/_notes/tf/web/login[.]php, http://vfo[.]hdv[.]mybluehost[.]me/website_e9e0f586/A/tfsf/2023/web/login[.]php, http://postsendungschweiz[.]sviluppo[.]host/paket/global/index[.]php, http://clinicaperezdelolmo[.]com/wpincludes/assets/759821354697201255/auth/651f0b7cc227dcfa4c39a30c159dabf5[.]php, 
http://serwer1739297[.]home[.]pl/-/blog/fio/fiobanka/auth/login[.]php, http://tareeqalghaith[.]com/bas2024/auth/f8bc37e4d02386531effa2f0382cf809[.]php, http://cd69506[.]tw1[.]ru/PostFinance/auth/login[.]php, http://cznew[.]tempurl[.]host/aji/cz/web/login[.]ph, http://abelza[.]pl/cy/auth/login[.]php, http://everdaysca[.]temp[.]swtest[.]ru/up/spaaa/sparkasse/spa/home/login[.]php, http://melon-soft-hosting[.]com/cy/auth/login[.]php, http://support-contacthmz2[.]codeanyapp[.]com/D/Sparkass/auth/home/login[.]php, http://bol[.]yqp[.]mybluehost[.]me/css/auth/home/login[.]php, http://vdv6y[.]live/D/Spvrkvss/auth/home/login[.]php, http://universal-ferretera[.]com/mvm/auth/login[.]php, http://glenorchyinfocentre[.]co[.]nz/[.]well/3568653000/spa/home/login[.]php, http://swed[.]lietuva[.]conextium[.]com/auth/login[.]php, http://rainlapo[.]com/wpcontent/twentytwentyone/auth/home/login[.]php, http://hpp[.]b7b[.]mywebsitetransfer[.]com/SWISSPASS/auth/login[.]php, http://resultados[.]santaanadedios[.]com/css/auth/home/login[.]php, http://trocken[.]online/twentytwentyone/auth/home/login[.]php, http://adminparoisses42[.]fr/glpi/vendor/htmlawed/htmlawed/sparkasse/auth/home/login[.]php, http://emswidebay[.]com[.]au/rel/res/home/entrar[.]php, http://tadbircard[.]ir/govsa/res/home/tarjeta[.]php, http://bomnegociorural[.]com[.]br/d/home/entrar[.]php, http://fio[.]cz[.]k1informatica[.]com[.]br/auth/login[.]php, http://www[.]fio[.]cz[.]yviitv[.]com/auth/login[.]php, http://musclemeal[.]co[.]in/fonts/fb0/akkount/de/index[.]php, http://bubblecard[.]org/bubblecard[.]lk/KJ0/akkount/de/index[.]php, http://lt-coach[.]com/wpcontent/plugins/css/akkount/de/index[.]php, http://capetownew[.]tempurl[.]host/wp-tach/cz/web/login[.]php, http://rootland[.]in/mo0/akkount/de/index[.]php, http://rootland[.]in/wpincludes/Requests/bv1/akkount/de/index[.]php, http://millenium-velegozh[.]ru/news/files/cz/web/login[.]php, http://otpbank[.]cs-group[.]digital/post/auth/login[.]php, 
http://cec[.]ro[.]fabricebernasconiborzi[.]com/auth/login[.]php, http://lumdevelopmentresearch[.]com/wpcontent/plugins/auth/login[.]php, http://anaika[.]birlanavya63a[.]com/wpincludes/Requests/Cookie/auth/login[.]php, http://fort-client[.]college/consor/web/login[.]php, http://idkontoaktualisieren383266[.]codeanyapp[.]com/tr/home/login[.]php, http://www[.]ljrtrucking[.]com/Configs/PostFinance/auth/login[.]php, http://decorfine[.]com[.]ec//[.]well-known/pki-validation/login, http://posttfiinancelusi[.]com/PostF/auth/login[.]php, http://www[.]postfinance[.]ch/ap/ba/ob/html/finance/home?login, http://shrioswalsamaj[.]com/wpcontent/plugins/eqlfrvxfrz/ve/web/login[.]php, http://aktualisierung-kontoinformationenmarklisy1992160133[.]codeanyapp[.]com/ag/home/login[.]php, http://occasionifissowindtre[.]com/auth/login, http://otpdirekt[.]ro[.]pitruzzellaimpianti[.]it/auth/login[.]php, http://otpdirekt[.]sytes[.]net/otp/auth/login[.]php, http://www[.]santander-kreditkortconsumer[.]grey[.]com[.]pk/[.]f6f1fcaf81183bea5949c9ef837912945, http://kundenservice-ingdirekt-girokontoappmovil[.]codeanyapp[.]com/FR/sg/web/login[.]php, http://secure3-mabanque-bnpparibas[.]fr/auth/login[.]php, http://smartbank-otpbank[.]nobokoli[.]com/auth/login[.]php, http://arrarra[.]sa[.]com/app/login[.]php, http://suryamatrimony[.]in/[.]f6f1fcaf81183bea5949c9ef837912945, http://www[.]smartbank-otpbank[.]pieseimp[.]ro/auth/login[.]php, http://atchondabikestore[.]com/wpadmin/maint/web/login[.]php, http://48j[.]e35[.]mywebsitetransfer[.]com/carrefoures/auth/login[.]php, http://areabienesyservicios[.]com/res/res/home/entrar[.]php, http://whitefoxpouch[.]com/a/advancia/sparkasse/spa/home/bic[.]php, http://bundesanzeiger[.]gbclinic[.]com/[.]f6f1fcaf81183bea5949c9ef837912945, http://fomrationa[.]temp[.]swtest[.]ru/kada/spaaa/sparkasse/spa/home/login[.]php, http://regulardane[.]10web[.]site/de/mphb/2023/web/login[.]php, http://billsleek[.]in/ic0/comp/de, http://billsleek[.]in/ip0/de/akk/index[.]php, 
http://group-ibannk[.]web12010[.]web09[.]berowebspace[.]de/api/auth/login[.]php, http://myblog-mf8zji6ax8[.]livewebsite[.]com/mphb/2023/web/login[.]php, http://www[.]conectandocontumagia[.]com/lifrong/home/index[.]php, http://ibnk-gr-info[.]web12010[.]web09[.]berowebspace[.]de/api/auth/login[.]php, http://secure16-bnpparibas[.]fr/auth/login[.]php, http://ctbctw[.]icepluschap[.]com/tw/ctbcbank_panel/auth/login[.]php, http://secure19-bnpparibas[.]fr/auth/login[.]php, http://secure8-bnpparibas[.]fr/auth/login[.]php, http://servicecarfourassist[.]organiccrap[.]com/V0reER/index[.]php, http://srv204523[.]hostertest[.]ru/b456rt46d/4bre41gd2/xc4v21eczr/web/Login[.]php, http://vub[.]companyonlinecom[.]site/vub/web/login[.]php, http://automotive5[.]sa[.]com/login/app/login[.]php, http://secure213[.]inmotionhosting[.]com/~cocoam6/wpincludes/js/tinymce/plugins/compat3x/css/libra/web/login[.]php, http://nuevolead[.]com/tflogist/web/login[.]php, http://medra[.]sa[.]com/login/app/login[.]php, http://secure17-bnpparibas[.]fr/auth/login[.]php, http://ccmmmm[.]sa[.]com/login/app/login[.]php, http://www[.]indasiaglobal[.]com/-/webd/c/h/blue/11/23/2[.]99/d/e/8z52zee520ee/x854z1z5ze0000e/Sw/de/index[.]php, http://ergstaffingtemps[.]com/wpadmin/SAOPAZZE/home/card[.]php, http://statelinks[.]net/rmb/cxv/auth/login[.]php, http://www[.]nd-more-kartenabrechnung[.]de/il/index[.]php, http://buy[.]bigbenespana[.]es/cgi-biin/home/entrar[.]php, http://tourised[.]com/postbankgirokonto24/post1/423565/2455/de/user[.]php, http://toursgaudi[.]com/zahlung/home/index[.]php, http://billsleek[.]in/cd1/akkount/de/index[.]php, http://billsleek[.]in/ar0/st/arr/login[.]php, http://bnkgroup-gr[.]dorian[.]hostline[.]net[.]pl/api/auth/login[.]php, http://iaiqh[.]ac[.]id/auth/login[.]php, http://inndesage[.]org/mrd/fnbvics/mp33rd/auth/login[.]php, http://shrey[.]prep[.]co[.]in/auth/login[.]php, http://www[.]nbg[.]group[.]paymentsclaim[.]com/auth/login[.]php, 
http://afiliados[.]emanuelhallef[.]com[.]br/appcha/home/entrar[.]php, http://atualoja[.]com/zahlung/home/index[.]php, http://lasaath[.]com/Postfinance/home/login[.]php, http://organizacionvip[.]com/zahlung/home/index[.]php, http://tfservvabdofreedy27329072[.]codeanyapp[.]com/mphb/2023/web/login[.]php, http://icaroaph[.]com/liefere/home/index[.]php, http://cristianheredia[.]com/home/index[.]php, http://secure257[.]inmotionhosting[.]com/~dralsafadi/inro/web/login[.]php, http://mivcard[.]com/vieca/home/index[.]php, http://chcfngo[.]in/de/mphb/2023/web/login[.]php, http://mail[.]mindmateapp[.]com/error/israel2k23/il/step2[.]php, http://auth[.]facture-comptable-enligne[.]xyz/auth/login[.]php, http://dsfp5[.]ru[.]com/login/app/login[.]php, http://jsdmadeira[.]pt/home/index[.]php, http://israelbepostcoil[.]it/il/index[.]php, http://simasbos[.]id/assets/font/IKUJYHTGFR/2023/web/login[.]php, http://nenaotransportes[.]srv[.]br/vieca/home/index[.]php, http://gertfb[.]tempurl[.]host/look/web/login[.]php, http://anunciosparaempresas[.]com[.]br/wpcontent/upgrade/tf/web/login[.]php, http://digistore[.]myanmarcafe[.]trade/vieca/home/index[.]php, http://hamam-wellness[.]com/spa/home/card[.]php, http://opdatterinformasjon[.]dynv6[.]net/[.]f6f1fcaf81183bea5949c9ef837912945, http://sfr-annulationesim[.]fr/fr/51043913074cd820fe0fdafa16e77b07[.]php, http://alpha[.]parcelvit[.]com/login, http://brookfieldagricultural[.]com[.]au/wpadmin/yuoi/home/card[.]php, http://doutshstg[.]wpenginepowered[.]com/al/home/login[.]php, http://salviano[.]udoit[.]com[.]br/home/index[.]php, http://teamafitness[.]com/wp-admin/ibola/home/card[.]php, http://www[.]seoppcnews[.]com/wpadmin/Sapoer/home/card[.]php, http://www[.]mediamondo[.]com/vieca/-/home/index[.]php, http://ctbcbank-comtaseneh779753577[.]codeanyapp[.]com/cbtc/src/login[.]php, http://smart[.]patrickattema[.]nl/home/index[.]php, http://service-annulation-sfr[.]fr/fr/login[.]php, http://annulation-e-sim-sfr[.]fr/fr/login[.]php, 
http://ghi[.]billsleek[.]in/fg1/akkount/de/index[.]php, http://app[.]follieeventi[.]it/i/c/auth/login[.]php, http://www[.]tryyourweb[.]com/post/home/index[.]php, http://app[.]fnaemiliaromagna[.]it/ign/cec/auth/login[.]php, http://service-sim-sfr[.]fr/fr/login[.]php, http://ing[.]login-nic-ae[.]com/ign/gr/auth/login[.]php, http://oppdatterkontanktinformasjonn[.]de/[.]f6f1fcaf81183bea5949c9ef837912945, http://tw-postsafiramira099303091[.]codeanyapp[.]com/web/login[.]php, http://meine-tfbank-detaseneh779753577[.]codeanyapp[.]com/web/login[.]php, http://billsleek[.]in/sb3/akkount/de/index[.]php, http://app-153bc257-0381-4ee7-ba06-16f8e40914fc[.]cleverapps[.]io/tar/home/login[.]php, http://boxer[.]vivawebhost[.]com/~sharcoho/udomasa/vendor/brick/math/src/Internal/Calculator/inro/web/login[.]php, http://secure253[.]inmotionhosting[.]com/~belkoc5/wpincludes/js/tinymce/plugins/compat3x/css/inro/web/login[.]php, http://delivery-club-jacobs-millicano-test[.]digitalpreprod[.]ru/dpo/home/index[.]php, http://dev-s-id-check[.]pantheonsite[.]io/spa/home/card[.]php, http://licenselinks[.]com/vieca/home/index[.]php, http://secure4-bnpparibas[.]fr/auth/login[.]php, http://ausfilliing[.]duckdns[.]org/Au/global/index[.]php, http://zahlen-diepost[.]com/global/index[.]php, http://srv199153[.]hostertest[.]ru/n4f6g54h6r5t/b489t4h3f2/web/login[.]php, http://swiss-post-ch[.]com/global/index[.]php, http://musclemeal[.]co[.]in/sp06/akkount/de/index[.]php, http://secure2-credit-agricole[.]fr/fr/login[.]php, http://divinepublicschool[.]in/ax04/ax/axa-meine/index[.]php, http://secure3-sfr[.]fr/fr/login[.]php, http://diepost-login[.]com/global/index[.]php, http://article[.]wefre[.]nl/vieca/home/index[.]php, http://www[.]npt-chain[.]com/vieca/home/index[.]php, http://spl-service-sa[.]com/en/bill[.]php, http://usps[.]business/global/index[.]php, http://postal-service[.]co/ch//de/index[.]php, http://www[.]dhf-hilden[.]de/romavbv/web/login[.]php, 
http://musclemeal[.]co[.]in/ck1/akkount/de/index[.]php, http://www[.]instelatorim10[.]co[.]il/-/home/index[.]php, http://depkhongtuoi[.]com/ch-liefrung/home/index[.]php, http://taxibinhduong247[.]net/wpcontent/languages/seicea/home/index[.]php, http://purehoneyonline[.]com/kon/akkount/de/index[.]php, http://muscleforce[.]in/jprones/akkount/de/index[.]php, http://sonu[.]billsleek[.]in/jqGrid/frk/meine/IDPSTVONSA/index[.]php, http://cindyfernandezstudio[.]com/vieca/home/index[.]php, http://postbankmeinbestsign24h[.]elevadoresvision[.]com[.]br/postde1/423255/de/64AFD9050FBB1[.]php, http://purehoneyonline[.]com/ftx/st-point/clients/login[.]php, http://guciabu[.]com/pt/app/login[.]php, http://n2meinpost24h[.]elevadoresvision[.]com[.]br/postde1/324553/de/64A530E2B872B[.]php, http://die-osteopathin-in-wien[.]at/lvepayd/home/index[.]php, http://activation-cle-digitale-bnp-paribas[.]fr/auth/login[.]php, http://blastdesal[.]com/seices/home/index[.]php, http://hotelcampestrelafloresta[.]com/-/seices/home/index[.]php, http://myalphagr24[.]cursosglaucoleyser[.]com[.]br/alpha1/324344/2344/gr/login[.]php, http://mlsantanderesbanco24h[.]paisrecords[.]com/Qyh9C9b2YDX6g4n/santander24h/X46b9DngQ9Yy2Ch/es/login[.]php, http://todayuupdates[.]tempurl[.]host/tmb/tf/tf/web/login[.]php, http://uwtestserver3[.]nl/home/index[.]php, http://www[.]postbankdebest24h[.]biocroche[.]com[.]br/bestsignpostde24h/733dAT6jLAw8fb/b6fd38w37jTALA/de/user[.]php, http://bnpparibas-authentification[.]fr/auth/login[.]php, http://postbankde24hbestsigne[.]robotclub[.]com[.]br/meinbestsigne24/jAwT7b3f6L3dA8/7jAfAdTb63Lw38/de/user[.]php, http://postbankmeinbestsign24h[.]elevadoresvision[.]com[.]br/post1/423545/de/648B0A104BD95[.]php, http://activation-cledigitale-bnpparibas[.]fr/auth/login[.]php, http://bnpparibas-activation-cle-digitale[.]fr/auth/login[.]php, http://postbank1bestsignwinde1[.]connectplus[.]co[.]mz/post1/244543/4314/de/6486DF4479403[.]php, 
http://bnpparibas-nouvelle-cle-digital[.]fr/auth/login[.]php, http://nouveau-service-bnpparibas[.]fr/auth/login[.]php, http://nouvelle-cle-digitale-bnp-paribas[.]fr/auth/login[.]php, http://nouvelle-cle-digitale-bnpparibas[.]fr/auth/login[.]php, http://andlpostbankbestsigne24h[.]despachantersantos[.]com[.]br/post1/234544/1377/de/6480653EEC279[.]php, http://meinpostbankdebest24h[.]despachantersantos[.]com[.]br/post1/453443/4227/de/6480650BDD441[.]php, http://pixelinegroup[.]com/postde1/203943/2433/de/648036F7977D8[.]php, http://service-clients-sfr[.]fr/fr/login[.]php, http://bnp-paribas-service-clients[.]fr/auth/login[.]php, http://nosservice-bnpparibas[.]fr/auth/login[.]php, http://die-post[.]co/ch/de/index[.]php, http://service-clients-bnp-paribas[.]fr/auth/login[.]php, http://pixelinegroup[.]com/postde1/203943/2433/de/647EFFE0977E0[.]php, http://postbankdebestsigne24h[.]rsantosseguros[.]com[.]br/TA3jd7AwfbL638/TA3jd7AwfbL638/de/647F00642B3E2[.]php, http://postbankdeibest24h[.]despachantersantos[.]com[.]br/post1/245344/3245/de/647F4CEA3686E[.]php, http://demande-esim-sfr[.]fr/fr/login[.]php, http://sfr-demande-e-sim[.]fr/fr/login[.]php, http://conversoresycables[.]com/pb/de/647DB5B0917DB[.]php, http://www[.]postbankdebest24h[.]biocroche[.]com[.]br/postde24h/ATfj33b7dLwA68/6AwLd7b338jfTA/de/user[.]php, http://service-mabanque-bnpparibas[.]fr/auth/login[.]php, http://accerpostfinarce[.]photoracertv[.]app/clientes24h/yZ4He8wcWQ764a/home/login[.]php, http://bnpparibas-service-client[.]fr/auth/login[.]php, http://kaya-group[.]eu/wpcontent/plugins/akismet/views/sviezas/home/index[.]php, http://valuecart[.]in/postch1/327892/3799/home/login[.]php, http://varshawires[.]com/postch2/378292/7622/home/login[.]php, http://nos-clients-bnpparibas[.]fr/auth/login[.]php, http://bnpparibas-nos-clients[.]fr/auth/login[.]php, http://kombbansrestaurant[.]com/post1/237888/0488/de/user[.]php, http://royalserenity[.]in/post1/829302/3722/de/user[.]php, 
http://unitechme[.]com/post1/328903/2987/de/user[.]php, http://rengelinkfonds[.]nl/shppment/home/index[.]php, http://rhscranes[.]com/depost2/289819/2811/de/user[.]php, http://shivaconstructions[.]co/post1/328901/3211/de/user[.]php, http://todayuupdates[.]tempurl[.]host/nikmk/tf/tf/web/login[.]php, http://www[.]monterreydelsur[.]com/post1/329021/3800/de/user[.]php, http://bankingpostbansign23[.]partywebshop[.]com/H2rp32R4eFnk5N/de/user[.]php, http://melnpostdesumzug[.]dtmteam[.]com/enpH42325FkrRN/de/user[.]php, http://comerzbanc[.]tel/lp/login/web/login[.]php, http://rawqha[.]com/commerzbank[.]de/web/login[.]php, http://www[.]commerzbank-loginup[.]multifilium[.]com/web/login[.]php, http://kunden[.]commerzservice[.]eu/web/login[.]php, http://grupopercon[.]com/wp-content/cai/home/entrar[.]php, http://caixadirectaonline[.]cgd-pt[.]tel/cdo/login[.]php, http://assistance-swiss-post[.]info/de/index[.]php, http://miseajour-cledigitale-bnpparibas[.]fr/auth/login[.]php, http://votre-cledigitale-bnpparibas[.]fr/auth/login[.]php, http://sim-sfr-service[.]fr/fr/login[.]php, http://cle-digitale-service-bnpparibas[.]fr/auth/login[.]php, http://bnp-paribas-nouvelle-cle-digitale[.]fr/auth/login[.]php, http://bnpparibas-nouvelle-cle-digitale[.]fr/auth/login[.]php, http://bnp-paribas-service-cle-digitale[.]fr/auth/login[.]php, http://votre-nouvelle-cle-digitalebnpparibas[.]fr/auth/login[.]php, http://votre-nouvelle-cledigitalebnpparibas[.]fr/auth/login[.]php, http://service-cledigitale-bnp-paribas[.]fr/auth/login[.]php, http://nouvelle-cledigitale-bnpparibas[.]fr/auth/login[.]php, http://sienahandmadeleatherbags[.]com/homr/hom/app/login[.]php, http://bnpparibas-service-cledigital[.]fr/auth/login[.]php, http://karacarulo[.]com[.]tr/menu/43356NT/app/login[.]php, http://renovvi[.]futuraproduction[.]it/servizipagamento/web/login[.]php, http://servizi[.]futurapress[.]it/servizipagamento/web/login[.]php, http://www[.]bankajk[.]com/rennovi/web/login[.]php, 
http://arubahosting[.]futurapress[.]it/file/servicehomeit/web/login[.]php, http://delinquenttaxsales[.]com/5235v/app/login[.]php, http://cia[.]4moor[.]it/avvizo/rennnove/web/login[.]php, http://track-posta-romana[.]com/post/confirm[.]php, http://dik[.]lelicriso[.]it/avvizo/rennnove/web/login[.]php, http://applepay-mena[.]com/id/confirm[.]php, http://aza[.]scia-a-roma[.]it/conferma/web/login[.]php, http://des[.]fabbroh24roma[.]it/conferma/web/login[.]php, http://ele[.]sos-elettricistaroma[.]it/conferma/web/login[.]php, http://server[.]bertuzzitravel[.]com/conferma/web/login[.]php, http://apu[.]impresapuliziediamante[.]it/rennovi/web/login[.]php, http://dep[.]autospurgoh24firenze[.]it/rennovi/web/login[.]php, http://www[.]jobsindubai[.]com/sendgrid/N548789564/app/login[.]php, http://perfectway[.]me/wpcontent/plugins/ioptimization/cuenta/home/entrar[.]php, http://www[.]logiroad[.]ci/wpcontent/plugins/apikey/validar/home/entrar[.]php, http://getnew[.]in/admin/controller/extension/extension/app/home/entrar[.]php, http://sportsmansharbor[.]net/tickets/DE548792164/de, http://santander-service[.]com/app/login[.]php, http://www[.]support-access[.]cf/app/login[.]php, http://www[.]supportaccess[.]peachmusicla[.]com/app/login[.]php, http://www[.]bottegafacile[.]it/modules/mod_simplefileupload, http://aspirebuildanddesign[.]com/SA654D94Z6Z4D6/home/entrar[.]php, http://yurimagoori[.]com/Z87D94Z64R96EZ546E/home/entrar[.]php, http://faporbaz[.]com/wpcontent/plugins/fecclfkawd/65S46A549846R56/home/entrar[.]php, http://adestrarseupet[.]com[.]br/wpcontent/plugins/biakvnctnl/Q654AD46546546T546R546R/home/entrar[.]php, http://bellydiet[.]com[.]br/A5D8D8T7Y8RE8/home/entrar[.]php, http://elbe[.]co[.]jp/news/wpcontent/plugins/dzjoskqgvj/5S46F56G5G4/home/entrar[.]php, http://bnpparibasconnexion[.]fr/app/id[.]php, http://cloud[.]physik-patio13[.]de/validar/home/entrar[.]php, http://kaqcnadqbo[.]cfolks[.]pl/65A6498R46T546/home/entrar[.]php, http://req-cap01w[.]net/auth/signin[.]php, 
http://pycwckviqz[.]cfolks[.]pl/654654R4TY44Y/home/entrar[.]php, http://www[.]watch-support[.]cf/app/login[.]php, http://www[.]watchsupport[.]starpizzapakistan[.]com/app/login[.]php, http://www[.]watch-support[.]ml/app/login[.]php, http://www[.]dessertstory[.]co/depost/de, http://www[.]netflix-esupport[.]ml/app/login[.]php, http://www[.]qatarpost[.]shatta[.]net/ar, http://parturier-avocats[.]fr/wp-content/plugins/alpha/login
hash:
- md5=51043913074cd820fe0fdafa16e77b07
email: tamazpam@yahoo[.]com

Title: University site cloned to evade ad detection distributes fake Cisco installer
Link: https://www.malwarebytes.com/blog/cybercrime/2025/02/university-site-cloned-to-evade-ad-detection-distributes-fake-cisco-installer
Summary: A malicious Google ad impersonated a legitimate Cisco AnyConnect download, using the convincing lookalike domain anyconnect-secure-client.com, which had been registered shortly before the ad went live. The attackers cloned a page of Technische Universität Dresden and traded on its credibility to get the ad past the platform's detection, rather than to deceive victims directly. Users who clicked the ad were redirected to a fraudulent site mimicking Cisco's branding, which served a malicious installer for the NetSupport Remote Access Trojan (RAT); once run, it connected to specific external IP addresses and gave the attackers remote access to the victim's machine.
Distribution relied on a PHP script hosted on a compromised WordPress site, and the installer itself was digitally signed; the campaign paired effective impersonation with execution flaws that made it identifiable.
Threats: netsupportmanager_rat
Indicators of compromise:
-------------------------
ip: 91[.]222[.]173[.]67
domain: anyconnect-secure-client[.]com, cisco-secure-client[.]com[.]vissnatech[.]com, monagpt[.]com, mtsalesfunnel[.]com
url: https://berrynaturecare[.]com/wp-admin/images/cisco-secure-client-win-5[.]0[.]05040-core-vpn-predeploy-k9[.]exe
hash:
- sha256=78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d
email:

Title: Vidar changes again: variable payload and more refined obfuscation for this new wave
Link: https://cert-agid.gov.it/news/vidar-muta-ancora-payload-variabile-e-offuscamento-piu-raffinato-per-questa-nuova-ondata/
Summary: In February 2025, a new campaign distributing the Vidar malware was detected. It used a domain generation algorithm (DGA) and delayed activation of its malicious URLs to deliver an obfuscated JavaScript payload. The campaign generated 136 main domains and deliberately delayed URL activation, complicating immediate detection.
The malware's code processing now relies on XOR operations that obfuscate it and complicate static analysis, and its payload varies between samples, so an infection may lead to the deployment of additional malware.
Threats: vidar_stealer
Indicators of compromise:
-------------------------
ip: 45[.]61[.]138[.]200
domain: trailblazerwheels[.]com, travelzgo[.]com, thenoushkashow[.]com, timeforstudio[.]com, tourismheroawards[.]com, thetransformationalgrowthacademy[.]com, trailsofintrigue[.]com, thelittlebigempire[.]com, theserpentschoice[.]com, tmeador[.]com, tk-9[.]com, tomotupedido[.]com, treadpoint[.]com, treasuredcrown[.]com, timothynew[.]com, trillionserver[.]com, trendingbabz[.]com, thrivefulness[.]com, timchapmanforfairfax[.]com, thinkmovefeelwell[.]com, therapeuticpsychology[.]com, thepikeman[.]com, trinitazcap[.]com, tiktauli[.]com, thernrco[.]com, theparentpager[.]com, topcommercialbrokers[.]com, thesolarsheet[.]com, tinkerandtwig[.]com, totaltechnyc[.]com, thumbmarket[.]com, traveltransformslives[.]com, theopulentgems[.]com, therollingsquare[.]com, trapthekiller[.]com, toyland-planet[.]com, tubuz3ubhz222[.]top, thenarcissismnetwork[.]com, thereadingandwritingtutor[.]com, thoughtblob[.]com, torah4today[.]com, themfaagency[.]com, traphousegolf[.]com, thepoochery[.]com, thepolymathicshaman[.]com, tlcmmwave[.]com, trackmytow[.]com, tirionnetbw[.]com, travelinparis[.]com, titanzinterior[.]com, toocleandetails[.]com, theplaybackband[.]com, travelmotivate[.]com, thinkthegift[.]com, tokmanni-finland[.]com, theprosaist[.]com, themachinerybuyers[.]com, tinytreasuredkeepsakes[.]com, tngiants[.]com, thethailandtravelhub[.]com, tommykhoa[.]com, travelonmymind[.]com, traversecityirrigation[.]com, thessalonikiairporttaxi[.]com, timbreblocks[.]com, tokointernet[.]com, trackercardz[.]com, thinkmagicmedia[.]com, tradercompare[.]com, triviasuperxtra[.]com, travelingveteran[.]com, travelseverywhere[.]com, thisisdlsmade[.]com, topfunsports[.]com, tracyslatton[.]com,
tigereyegraphics[.]com, trackedpackage[.]com, trinesoulrenewal[.]com, tk9frenchies[.]com, tmkeenlogistics[.]com, transcriptsearcher[.]com, thepluggedinmusician[.]com, tqrecords[.]com, trankvila[.]com, tonireilly[.]com, trappseptic[.]com, thevapeexpress[.]com, tofa7a[.]com, theroyalresonance[.]com, treeservicelapeermi[.]com, thelovelysarahnichole[.]com, topdiscountedproducts[.]com, timothyridgefarm[.]com, tiggy123[.]com, torontosegwayrentals[.]com, theylleatforever[.]com, time4showgt[.]com, tiendabarmesa[.]com, topdeckshirts[.]com, traveledcity[.]com, thewildnotions[.]com, thepernateamannarbor[.]com, todayybigbazzarr[.]com, tiendabombasbarnes[.]com, translatinotranslation[.]com, towerhosts[.]com, timecapitalbitbank[.]com, thesacredpathschool[.]com, thetriviaproject[.]com, tipsaplastics[.]com, themagicofplace[.]com, theollivander[.]com, thesnowbee[.]com, triggertrader[.]com, theouttedshaman[.]com, theslightlyfaded[.]com, toptravelflights[.]com, trendykala[.]com, therisereign[.]com, the-tuning-workshop-dealerzone[.]com, tonicunningham[.]com, tonysschlockfest[.]com, transgenderlockerroomaccess[.]com, trainedbuyer[.]com, thisisrandiimas[.]com, thetortemk[.]com, thosegentlemen[.]com, tradeskillpro[.]com, theshopsnearme[.]com, kibcfmgnahkgand[.]top, theprojectboxboard[.]com, thinkpublishers[.]com, theseniorshow[.]com, thezealotbusinessagency[.]com, topvideoslotscasino[.]com, tradespaceapp[.]com, thevitaminscompany[.]com, theproversation[.]com, theplantedguide[.]com, thenootropicsguide[.]com, threat-expert[.]com, thuanart[.]com, thepranichealing[.]com, topbitcoinideas[.]com, thisindiecreator[.]com, three-mongos[.]com, themakeitstore[.]com, tntwocfo[.]com, ffjihcnfkhihlmd[.]top, idioinc[.]com
url: http://ffjihcnfkhihlmd[.]top/1[.]php, https://idioinc[.]com/5t4a[.]js, https://idioinc[.]com/js[.]php
hash:
- sha256=3b98dbb7962739800e54afdd915ba344f4359c369e3ee7693998b986611c476d, sha1=50227db22d2d75b768653a7edfe11061d3c9f416, md5=7ee8a19e94c10ad9fbfb7367ec26378b
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
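The IoC blocks in this review are defanged with "[.]" and, in the extracted text, often run together on one line, so they need a little parsing before they can be pushed to a blocklist or a SIEM. The following is an added example, not code from RST Cloud or from the RST Report Hub: a parser that refangs the indicators, validates IP addresses, types hashes by digest length, rejects malformed or mislabelled hash entries, and derives the set of hosts to block from the domain and url fields. The sample block is constructed from the NetSupport RAT entry above plus one deliberately malformed hash line; the "hxxp" and "[:]" handling is an assumption, since this page only uses the "[.]" convention.

```python
"""Parse defanged IoC blocks in the RST Cloud weekly-review layout.

Added example, not code from RST Cloud. Field labels (ip:/domain:/url:/hash:/email:)
and the "[.]" defanging follow the page; "hxxp" and "[:]" handling is an assumption.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Defang substitutions, applied in order. "[.]" is what the report uses; the
# others are common conventions included as an assumption.
_DEFANG = (("[.]", "."), ("[:]", ":"), ("hxxps://", "https://"), ("hxxp://", "http://"))
_HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-f]+$")
_FIELD = re.compile(r"^(ip|domain|url|email|hash):\s*(.*)$")

# Constructed sample: the NetSupport RAT block above, plus one malformed hash line
# (md5 too short, sha1 not hex) that a parser must reject rather than propagate.
SAMPLE = """\
ip: 91[.]222[.]173[.]67
domain: anyconnect-secure-client[.]com, cisco-secure-client[.]com[.]vissnatech[.]com, monagpt[.]com, mtsalesfunnel[.]com
url: https://berrynaturecare[.]com/wp-admin/images/cisco-secure-client-win-5[.]0[.]05040-core-vpn-predeploy-k9[.]exe
hash:
- sha256=78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d
- md5=deadbeef, sha1=not-a-hash
email:
"""


def refang(value: str) -> str:
    """Undo the defanging so the indicator can be matched against real traffic."""
    for old, new in _DEFANG:
        value = value.replace(old, new)
    return value


def classify_hash(value: str):
    """Return (algorithm, lowercase hex) by digest length, or None if malformed."""
    h = value.strip().lower()
    algo = _HASH_ALGO_BY_LEN.get(len(h))
    if algo is None or not _HEX.match(h):
        return None
    return algo, h


def _parse_hash_group(rest: str) -> dict:
    """One sample per '- algo=digest, algo=digest' line. Entries whose label and
    digest length disagree are dropped, so a mislabelled value cannot enter the feed."""
    sample = {}
    for item in rest.lstrip("- ").split(","):
        label, sep, digest = item.partition("=")
        if not sep:
            continue
        typed = classify_hash(digest)
        if typed and typed[0] == label.strip().lower():
            sample[typed[0]] = typed[1]
    return sample


def parse_ioc_block(text: str) -> dict:
    """Map field name -> refanged, de-duplicated indicators (hash -> list of samples)."""
    out = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _FIELD.match(line)
        if m:
            section, rest = m.group(1), m.group(2)
        elif section == "hash" and line.startswith("-"):
            rest = line
        else:
            continue  # title, summary and separator lines carry no indicators
        if section == "hash":
            sample = _parse_hash_group(rest)
            if sample:
                out["hash"].append(sample)
            continue
        for item in rest.split(","):
            item = refang(item.strip())
            if not item:
                continue
            if section == "ip":
                # The report lists IPv4 addresses with an optional ":port"; validate the host part.
                host = item.rpartition(":")[0] if item.count(":") == 1 else item
                try:
                    ipaddress.ip_address(host)
                except ValueError:
                    continue
            out[section].append(item)
    return {k: (v if k == "hash" else list(dict.fromkeys(v))) for k, v in out.items()}


def blocklist_hosts(iocs: dict) -> list:
    """Hosts to block: listed domains plus the hostnames of listed URLs, de-duplicated."""
    hosts = list(iocs.get("domain", []))
    for url in iocs.get("url", []):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return list(dict.fromkeys(hosts))


if __name__ == "__main__":
    parsed = parse_ioc_block(SAMPLE)
    for field, values in parsed.items():
        print(field, values)
    print("block:", blocklist_hosts(parsed))
```

Keep the defanged text as the source of record and refang only at the point of export: the whole point of "[.]" is that a copy of the report cannot be clicked or auto-linked, and the hash-label check matters because a 32-character value mislabelled as sha256 would otherwise be loaded as a sha256 that never matches anything.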