Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 54 threat intelligence reports and compiled a concise summary of each report, along with the relevant metadata extracted. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware
Link: https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot
Summary: Researchers at Proofpoint have identified a targeted email campaign named UNK_CraftyCamel, which specifically targeted select customers in the United Arab Emirates connected to aviation, satellite communications, and critical transportation infrastructure. The campaign employed a compromised email account from the Indian electronics firm INDIC Electronics, sending malicious emails that directed recipients to a fraudulent domain that mimicked the legitimate entity. This led to the download of a sophisticated backdoor called Sosano, which utilizes polyglot files to evade detection and complicate analysis, showcasing the advanced operational capabilities of the attackers, who may have links to groups associated with the Islamic Revolutionary Guard Corps. The threat highlights a growing trend of utilizing trusted relationships for delivering customized malware, emphasizing the need for awareness regarding potential threats and deceptive communications.
Threats: polyglot_ransomware sosano craftycamel_group polyglot_technique emmenhtal bloat_technique runkeys_technique spear-phishing_technique irgc_group apt33_group unc1549_group supply_chain_technique
Indicators of compromise:
-------------------------
ip: 46[.]30[.]190[.]96, 104[.]238[.]57[.]61
domain: indicelectronics[.]net, bokhoreshonline[.]com
url: https://indicelectronics[.]net/or/1/OrderList[.]zip
hash:
- sha256=0ad1251be48e25b7bc6f61b408e42838bf5336c1a68b0d60786b8610b82bd94c
- sha256=336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14
- sha256=394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3
- sha256=e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626
- sha256=0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327
email:

Title: Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
Link: https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html
Summary: The Black Basta and Cactus ransomware groups have been utilizing BackConnect malware to maintain control over compromised systems and exfiltrate sensitive data, often gaining initial access through social engineering tactics like impersonation via Microsoft Teams. Trend Micro reported a notable increase in incidents involving Black Basta since October 2024, particularly affecting North America, with the group extorting nearly $107 million in Bitcoin from victims in 2023. Attackers exploit various channels including email flooding and misleading IT support interactions, leading to the installation of remote management tools, which they use to execute commands and transfer files internally. Additionally, they have demonstrated advanced capabilities by targeting ESXi hosts and bypassing multifactor authentication, showcasing a continued evolution in their tactics. Furthermore, a leak from Black Basta in February 2025 revealed internal communications about attacking financial institutions and adapting to circumvent security measures.
Threats: cactus_group blackbasta cactus_ransomware backconnect microsoft_quick_assist_tool qakbot darkgate winrm_tool systembc Backdoor.Win64.REEDBED.A blackbasta_group conti
Indicators of compromise:
-------------------------
ip: 45[.]8[.]157[.]199, 5[.]181[.]3[.]164, 38[.]180[.]25[.]3, 185[.]190[.]251[.]16, 207[.]90[.]238[.]52, 89[.]185[.]80[.]86, 208[.]115[.]200[.]146, 5[.]181[.]159[.]48, 45[.]128[.]149[.]32, 207[.]90[.]238[.]46, 45[.]8[.]157[.]158, 195[.]123[.]233[.]19, 178[.]236[.]247[.]173, 195[.]123[.]241[.]24, 5[.]78[.]41[.]255, 38[.]180[.]192[.]243, 89[.]185[.]80[.]251, 91[.]90[.]195[.]91, 45[.]8[.]157[.]162, 45[.]8[.]157[.]146, 195[.]123[.]233[.]148, 195[.]211[.]96[.]135, 38[.]180[.]135[.]232
domain: pumpkinrab[.]com
url: https://sfu11[.]s3[.]us-east-2[.]amazonaws[.]com/js/kb052117-01[.]bpx, https://sfu11[.]s3[.]us-east-2[.]amazonaws[.]com/js/kb052123-02[.]bpx, https://filters14[.]s3[.]us-east-2[.]amazonaws[.]com
hash:
- sha1=e45b73a5f9cdf335a17aa97a25644489794af8e1
- sha1=9c8dea7602a99aa15f89a46c2b5d070e3ead97f9
- sha1=11ec09ceabc9d6bb19e2b852b4240dc7e0d8422e
- sha1=232fdfde3c0e180ad91ebeb863bfd8d58915dd39
- sha256=b79c8b7fabb650bcae274b71ee741f4d2d14a626345283a268c902f43edb64fd
- sha256=60bca9f0134b9499751f6a5b754a9a9eff0b44d545387fffc151b5070bd3a26a
- sha256=623a43b826f95dc109f7b46303c6566298522b824e86a928834f12ac7887e952
email: admin_52351@brautomacao565[.]onmicrosoft[.]com, admin_734@gamicalstudio[.]onmicrosoft[.]com

Title: Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool
Link: https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtube/115788/
Summary: Cybercriminals are utilizing Windows Packet Divert to distribute malware disguised as legitimate programs, often bundled within archived files that include text instructions aimed at discouraging users from running security software. A recent malware campaign involved a miner masquerading as a public block bypassing tool from GitHub, which has impacted over 2,000 users in Russia, with a noted influence from a popular YouTuber who linked malicious archives in tutorial videos. The malware operates discreetly by modifying executable sizes to evade detection, establishing persistence through services disguised as legitimate Windows functions, and employing innovative tactics like coercion against content creators to facilitate further distribution, highlighting an evolving threat landscape that could lead to more sophisticated malware strategies in the future.
Threats: silentcryptominer_tool njrat xworm_rat phemedrone dcrat pyarmor_tool xmrig_miner rtm_locker process_hollowing_technique
Indicators of compromise:
-------------------------
ip: 193[.]233[.]203[.]138, 150[.]241[.]93[.]90
domain: gitrok[.]com
url: http://9x9o[.]com/q[.]txt, https://pastebin[.]com/raw/kDDLXFac, http://gitrok[.]com, http://swapme[.]fun, http://canvas[.]pet
hash:
- md5=5c5c617b53f388176173768ae19952e8
- md5=ac5cb1c0be04e68c7aee9a4348b37195
- md5=574ed9859fcdcc060e912cb2a8d1142c
- md5=91b7cfd1f9f08c24e17d730233b80d5f
- md5=9808b8430667f896bcc0cb132057a683
- md5=0c380d648c0c4b65ff66269e331a0f00
- md5=1f52ec40d3120014bb9c6858e3ba907f
- md5=a14794984c8f8ab03b21890ecd7b89cb
email:

Title: Operation sea elephant: The dying walrus wandering the Indian Ocean
Link: https://ti.qianxin.com/blog/articles/operation-sea-elephant-the-dying-walrus-wandering-the-indian-ocean-en/
Summary: CNC, a cyber threat actor group with links to South Asia, has been conducting targeted espionage, termed Operation Sea Elephant, aimed at academic and scientific institutions, particularly in oceanic research. The group, previously known as Patchwork, employs sophisticated modular malware and tactics including spear-phishing emails and communication through messaging apps like WeChat and QQ to infiltrate their targets. Key tools in their arsenal include a backdoor called qaxreporter.exe, which establishes persistent control over compromised systems, and other malware like MScleanup64.exe and windowsfilters.exe, designed for data theft and remote control of infected devices, using techniques such as SFTP for stealthy data exfiltration and the Github API for further exploitation. Their operations have increasingly focused on specific scientific sectors, leveraging social engineering tactics to bypass security protocols.
Threats: sea_elephant_campaign raindrop_tool utg-q-011_group cnc_group dropping_elephant_group steganography_technique veles_campaign utg-q-008_group
Indicators of compromise:
-------------------------
ip: 2[.]58[.]15[.]28:8090, 45[.]86[.]162[.]79:443, 185[.]140[.]12[.]224:443, 45[.]86[.]162[.]125:52736, 185[.]243[.]112[.]79:52736, 45[.]56[.]162[.]111:443, 23[.]152[.]0[.]99:443
domain: aliyunconsole[.]com
url: https://raw[.]githubusercontent[.]com/kkrightjack/controlid/main/feed[.]json, https://185[.]140[.]12[.]224/licenseAdministrator/discover[.]xml, https://185[.]140[.]12[.]224/[.]vendor/git/srclog, https://185[.]140[.]12[.]224/logindex[.]php?q=ascii, https://aliyunconsole[.]com/alcloud/dgyx-4121-Firnsnxywfytw, https://aliyunconsole[.]com/product/VectorRetrievalService/dashvector, https://66[.]85[.]26[.]161:443/csgdyhfywhefdj/gdydfhasc/chsgdjc[.]pdf, https://66[.]85[.]26[.]161:443/csgdyhfywhefdj/gdydfhasc/qgtopl[.]exe, https://192[.]52[.]166[.]252/cgyusdft/whfgujfg/calc[.]exe, https://192[.]52[.]166[.]252/cgyusdft/whfgujfg/tt[.]pdf
hash:
- md5=5c0d12de7c0dd7979ca5db3cad72688a
- md5=c5ed8776b63b698697fa6b22303bda2a
- md5=cfcd28199e448f35efe37c06c5da5565
- md5=d1737521c7c34c8a939e2eb3ec8ba53b
- md5=d7b8d909bfa3114abb3fa1c51875a084
- md5=e817f716f88bf628414659e3e6183aeb
- md5=bb2ca4f8eb95053dd450d58b335919c1
- md5=e65c3eeee6ba96ab7b72929ab53635a7
- md5=f3680b43abf218a16e58d991e54a6eee
- md5=54794189acbbfaf658bc5fd40b9a38dd
- md5=a2dd9a2fbb80a1b39c10c31870d7275f
- md5=0c23562c6208b080ac0b698215529a62
email:

Title: Emergency-themed APT attack and Kimsuky group association analysis
Link: https://www.genians.co.kr/blog/threat_intelligence/apt-attacks-martial-law
Summary: The Kimsuky Group has been associated with advanced persistent threat (APT) attacks in South Korea, particularly exploiting the declaration of emergency martial law on December 3, 2024. These attacks predominantly employ spear phishing methods to distribute malicious files disguised as legitimate martial law documents, tailored to both Windows and MacOS users. The phishing emails utilize the identifier "CHAMSSAE" to mislead recipients and contain disguised URLs that lead to different malicious payloads depending on the operating system. Once interacted with, these malicious files execute a program that resembles legitimate software but ultimately employs DLL sideloading to deploy harmful codes aimed at information gathering. Additionally, the group's use of encrypted commands and command and control servers on trusted platforms like GitHub indicates a sophisticated obfuscation strategy, challenging traditional security measures.
Threats: kimsuky_group spear-phishing_technique sparrow dll_sideloading_technique quasar_rat
Indicators of compromise:
-------------------------
ip: 112[.]175[.]185[.]19, 161[.]97[.]100[.]171, 118[.]33[.]224[.]29, 172[.]67[.]133[.]130, 104[.]21[.]59[.]136, 104[.]21[.]2[.]11, 104[.]21[.]65[.]82, 104[.]21[.]36[.]117, 104[.]21[.]61[.]63, 104[.]21[.]36[.]135, 104[.]21[.]77[.]81, 104[.]21[.]75[.]198, 104[.]21[.]69[.]121, 104[.]21[.]62[.]206, 104[.]21[.]14[.]107, 104[.]21[.]51[.]95, 222[.]122[.]195[.]67, 104[.]21[.]34[.]210, 104[.]21[.]43[.]94, 104[.]21[.]26[.]97, 104[.]21[.]48[.]172, 104[.]21[.]86[.]123, 104[.]21[.]60[.]195, 104[.]21[.]62[.]150, 104[.]21[.]13[.]127, 77[.]247[.]126[.]189, 104[.]21[.]54[.]128, 104[.]21[.]48[.]88, 104[.]21[.]43[.]135, 104[.]21[.]86[.]221, 104[.]21[.]42[.]163, 104[.]21[.]74[.]209, 104[.]21[.]51[.]149, 104[.]21[.]68[.]29, 104[.]21[.]32[.]94, 206[.]206[.]123[.]55, 216[.]74[.]123[.]97, 104[.]21[.]96[.]63, 119[.]204[.]168[.]143, 118[.]36[.]192[.]211, 209[.]99[.]40[.]222, 112[.]175[.]185[.]59
domain: stibee[.]navers[.]store, unusual[.]navers[.]store, navers[.]com-active[.]store, medis[.]navers[.]store, mid[.]naveos[.]website, navers[.]com-silver[.]site, googlauth[.]com, troy[.]ns[.]cloudflare[.]com, nid[.]auth-require[.]com, nid[.]naver-auth[.]com, nid[.]naverify[.]com, merryear[.]com, glaed-hotel[.]com, campaign2-nid[.]com, kyf-dream[.]com, samsunghospitol[.]com, lotto-rich[.]com, knovvhow[.]com, puac[.]net, yecchong[.]com, 100000recipe[.]com, yes24[.]vip, kcar-service[.]com, medicert[.]com-silver[.]site, ms-work[.]com-info[.]store, com-info[.]store, event[.]stibee[.]navers[.]store, navers[.]store, mt[.]certuser[.]info, certuser[.]info, goodemail[.]info, nid[.]naver-check[.]com, review[.]accountprotection[.]info
url: https://review[.]accountprotection[.]info/upload, https://github[.]com/adrhpbrn29, https://github[.]com/adrhpbrn29/iqWThPAGUQ/raw/main/data1, https://github[.]com/adrhpbrn29/iqWThPAGUQ/raw/main/GoogleUpdater[.]zip, https://github[.]com/adrhpbrn29/iqWThPAGUQ/raw/main/bzupdater[.]zip
hash:
- md5=929a87be39ed3ad28e7285340f64414f
- md5=c3bbdd7142b1b86e638e8585a4b16c7b
- md5=9e94126e8a26efd10b2a5b179d64be90
- md5=35b4f28dd2d50dbf48e5c63c3ef5efb7
- md5=66e8096b9b061550314a82654ce0fabd
- md5=71d5270d1a165bb6dec144e16089450d
- md5=456d05566fc3391e195a5f9cb346c92c
- md5=25156a29ad636eb708104ec69b05e54b
- md5=ca93591a9441a2ade70821f67292d982
- md5=72fc2de8e9339969b9be2bb4363e2741
- md5=72fc2de8e9393969b9be2bb4363e2741
- md5=fc7315b6b74aa43ab24965f3648f01a6
- md5=8fb97b701da7e49e6a78717f0179dd68
email:

Title: Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems
Link: https://socket.dev/blog/typosquatted-go-packages-deliver-malware-loader
Summary: Researchers from Socket have identified a cyber campaign that exploits the Go programming language ecosystem through typosquatted packages that install loader malware aimed at Linux and macOS systems. The threat actor behind this operation has created at least seven malicious packages that impersonate well-known Go libraries, specifically targeting developers in the financial sector. One particularly problematic package mimics the legitimate `github.com/areknoster/hypert` library and embeds concealed code for remote code execution to evade standard detection methods, while also employing deceptive practices to disguise malicious URLs, such as `alturastreet.icu`. Further investigations uncovered additional malicious packages targeting other legitimate libraries with similar techniques, indicating a coordinated supply chain attack that leverages tactics from the MITRE ATT&CK framework, including supply chain compromises and evasive methods, significantly undermining the security of the open-source ecosystem.
Threats: typosquatting_technique spear-phishing_technique supply_chain_technique
Indicators of compromise:
-------------------------
ip: 185[.]100[.]157[.]127
domain: alturastreet[.]icu, binghost7[.]com, sharegolem[.]com, host3ar[.]com
url: https://host3ar[.]com/storage/de373d0df/a31546bf, https://binghost7[.]com/storage/de373d0df/a31546bf, https://alturastreet[.]icu/storage/de373d0df/a31546bf, https://alturastreet[.]icu/storage/de373d0df/f0eee999, http://185[.]100[.]157[.]127/storage/de373d0df/f0eee999
hash:
- sha256=b0d20a3dcb937da1ddb01684f6040bdbb920ac19446364e949ee8ba5b50a29e4
- sha256=f70bc9a8e39eb36547717197efe88173c23c1b9c206d253f0e24a8aaadf0f915
email:

Title: Uncovering .NET Malware Obfuscated by Encryption and Virtualization
Link: https://unit42.paloaltonetworks.com/malware-obfuscation-techniques/
Summary: Recent analyses have revealed advancements in malware obfuscation techniques among known malware families such as Agent Tesla, XWorm, and FormBook/XLoader, focusing on evading detection through methods like AES cryptography and code virtualization. Attackers are increasingly leveraging the PE overlay area to hide information and employing strategies like dynamic code loading and staged payloads to enhance evasion tactics. One case detailed a .NET downloader orchestrating a multi-stage attack involving the KoiVM dropper, which subsequently deployed payloads like Agent Tesla, highlighting the modular design favored by malware developers to configure and execute tailored attacks while complicating detection.
Threats: agent_tesla formbook xworm_rat proxyshell_vuln proxylogon_exploit remcos_rat koivm amsi_bypass_technique confuserex_tool kimsuky_group
Indicators of compromise:
-------------------------
ip: 66[.]63[.]168[.]133:7000
domain: mail[.]iaa-airferight[.]com:25, weidmachane[.]zapto[.]org:7000
url:
hash:
- sha256=a02bdd3db4dfede3d6d8db554a266bf9f87f4fa55ee6cde5cbe1ed77c514cdee
- sha256=3d8187853d481c74408d56759f427e2c3446e9310c2d109fd38a0f200696c32d
- sha256=098a18e96c4fb250ffadb3f01d601240c74a4d9f5df94cb72bd44cc81b80b2af
- sha256=695e038452a656d58471f284edb8d81754b78258a6afd3d8f62ae8a47c3130d9
- sha256=d72f4ef2e5caea42749d542384b6634e65e29f3aef5d09a9c231cc09e76e4988
email: admin@iaa-airferight[.]com, web@iaa-airferight[.]com, mail@iaa-airferight[.]com

Title: Desert Dexter. Attacks on Middle Eastern countries
Link: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/desert-dexter-attacks-on-middle-eastern-countries
Summary: In February 2024, Positive Technologies Expert Security Center (PT ESC) discovered a malicious campaign named "Desert Dexter," which has targeted the Middle East and North Africa since September 2024. The attackers employ social media, particularly Telegram, to distribute modified AsyncRAT malware via fake news and misleading ads, leading victims to download malicious RAR archives that execute scripts to disable security features and establish persistence. The malware is designed to identify cryptocurrency wallets and capture keystrokes, with possible links to Libyan attackers suggested by Arabic comments and telemetry data. Approximately 900 potential victims, including individuals across various sectors, have been affected, highlighting the ongoing sophisticated cyber threats in the region.
Threats: desert_dexter_group asyncrat seo_poisoning_technique luminosity_rat Trojan.Win32.ObfBins.a Trojan.Win32.Generic.a lolbin_technique Trojan.Win32.Inject.a Trojan.Win32.Generic.f qakbot
Indicators of compromise:
-------------------------
ip:
domain: sexzsex1[.]ddnsfree[.]com, lovlysexy[.]freeddns[.]org, dick2024[.]ddnsfree[.]com, pdflove[.]ddnsfree[.]com, ohsexoh[.]freeddns[.]org, sex2024[.]freeddns[.]org, fuck1up[.]freeddns[.]org, ducksex[.]ddnsfree[.]com
url: https://files[.]fm/f/yqsvtu99kn, https://files[.]fm/u/y5dys7zp96, https://files[.]fm/f/3npt84t4fn, https://files[.]fm/f/ux28ecfzvj, https://files[.]fm/f/nyxwvypjw9, https://files[.]fm/f/9hk7x9ppcg, https://files[.]fm/f/h5ufvb4xpc, https://files[.]fm/f/b4tvte22sv, https://files[.]fm/f/gdezxx73br, https://files[.]fm/f/wjmn8b82ge, https://files[.]fm/f/cjvc28m3j5, https://files[.]fm/f/2fwuanhk3t, https://files[.]fm/f/t5pp6hv9w4, https://files[.]fm/f/ts8hzkrmm9, https://files[.]fm/f/w89z65su8e, https://files[.]fm/f/v9dmzyk6ch, https://files[.]fm/f/54fvu5sr4x, https://files[.]fm/f/cg3yjvgtem, https://files[.]fm/f/n553v7ycsa, https://files[.]fm/f/evtg4qmz4f, https://files[.]fm/f/fgcnsf7r8v, https://files[.]fm/f/2fvbg9vr5r, https://files[.]fm/f/2deytc9v4n, https://files[.]fm/f/9xxadwws3e, https://files[.]fm/f/bp4jshj9yy, https://files[.]fm/f/fkgns7tc3g, https://files[.]fm/f/er3v3jte6c, https://files[.]fm/f/2eu98w8ghm, https://files[.]fm/f/w2269c2s3n, https://files[.]fm/f/pwkjge962n, https://t[.]me/NwesWaten, https://t[.]me/VoiceAE2024, https://t[.]me/ListNames1, https://t[.]me/News2025News, https://files[.]fm/f/jp4nmyz3e7, https://t[.]me/AlainNwes, https://t[.]me/UeaNwes, https://t[.]me/Al0Saa, https://t[.]me/TheNwes2025, https://t[.]me/LibyaPrees, https://t[.]me/TheLensLy, https://t[.]me/TheLensNwes, https://t[.]me/NwesLibya, https://t[.]me/TVAlmasar, https://t[.]me/LaamNwes, https://files[.]fm/f/62yub4t3xu, https://t[.]me/NwesLibya2025, https://t[.]me/NewsStepAgency, https://t[.]me/AlhurraTVNwes, https://t[.]me/alwasatLY, https://t[.]me/AlmasarNewsTV, https://t[.]me/TheLibyaObserver, https://t[.]me/News2025Nwes, https://t[.]me/AlhurraTv2025, https://t[.]me/SkyNwes2025, https://t[.]me/StepNews2025, https://files[.]fm/f/3mtfufs9uu, https://t[.]me/WatenNews1, https://t[.]me/SkyNewsBreaking, https://t[.]me/NwesLaam, https://t[.]me/AlmasarTVnews, https://t[.]me/News2025Breaking, https://t[.]me/NewsBreaking2025, https://t[.]me/TimeIsraelNEWS, https://t[.]me/VoiceQatar, https://t[.]me/ListNameAE, https://files[.]fm/f/z945eq5r6d, https://t[.]me/ListNameNwes, https://t[.]me/ListNamesSaudi, https://files[.]fm/f/ykxqvg9zt4, https://files[.]fm/f/9kqrkq4wqu
hash:
- md5=50301fc5d522055e29b2122958263acc
- sha256=3014d48f6f667b6a6130b1ec2821073057c45a03f329ea6cecafc84784dd2252
- md5=1b4e81246bc9bdcfa554d5c2343cde4b
- sha256=4a3a95d68d85136618ab6f07674fb6ebd4a8e2fc373b5f5f9e0245d87ad9dfe3
- sha1=946345327b619ccd2609fff063a5ad23ec55730f
- sha256=d20d221d0b3a49133e9d50509380b20179132549182353ea97acad47bd25a137
- sha1=a4b114b05eef3e9cb4109d8e76f27c8ed554d3ee
- sha256=2c27fad3bdeab8dab52b21562df4dbd8217a84fb2553c1f99de03d1c686137e7
- sha1=7002f6f240ae07d4b4b4f7db7bcc889117abb4ef
- sha256=e0bd309a63d0daf9b231e4017176f788e987255f558712f372b085c0c13085fc
- sha1=5c7903ebe2cb97475e5505a3116464423c614706
- sha256=1791d00fbe569489f48cf5e56b9a2a9b71d3c17096df4982668f51d512b820c5, sha1=3ace4c356fd2a7d359e59263d81de9a138da3eeb, md5=c18828769cf0ee4159b0f73bcb1febb5
- sha1=755649612fb6b8d31165dd729d6044e62a5a2c99, md5=075fdf5c8b4409c1f39d175f4941c5da, sha256=1d9a6edc55a547b9e522b3dd7f40aebc3f1c4761070294cc56e328800569fc45
- sha1=767ff3096314e9a83177724b9fe9d2f04e8feae7, md5=7eda3a423372b7d39da6fb01d2a681d6, sha256=630c9ae8b4cbbe71c78bdc6f7da81a7d5de00cd7d8157021fd0aec870248c9eb
- sha1=e5a2d21fff7ebc448e6cc58f4b10427f82033841, sha256=b2e678427428898f46899140fea44fcad52acf5a614427981d357b23d5f77607, md5=f20f5bf86c65ad5d7d8e04f50e0fdd6a
- sha256=df07b378a833528cca8012ec0bd65f06372ccf23262b9930c246d8758cef342a, sha1=e1650405a2061dec28d8cb770964902028d0cf4a, md5=7d6aa05580c83825c688211f1e71b72a
- sha1=246e5dbb718afdd6be95fda076724bcdca484e1d, sha256=24f2877c5a47480f7873d8ae0c3f85ad16a3e656a058a92f38d358eb37cdc48f, md5=45801650db5dbc718c6bc5cace4832af
- md5=cdc521cfab18cf6b0b72c87e9018120b, sha256=704eabc86b2b3e7bc008059b59ceee8282847b08eb888c576b9105d0bd8f3c83, sha1=7e3d8f52eaf5b17693a0ca98fa837d3349a35a4f
- md5=a7f582c808f39659a53feecef6c3ebfe, sha256=8593a6c8fe6c98fd8c4d9b947e58066fd25bda10454da3f59b527a02795639e2, sha1=2d27b137a1136cb96a746de8fff7d51dd5c014a8
- sha256=b9d613cf9ff332a3269223ed553e9806038de764f89abfe6f7f9cfe7595ad7a9, md5=238f84f74dd3367c1068d31f025eb05e, sha1=2d27b137a1136cb96a746de8fff7d51dd5c014a8
- sha1=ca13c7619f5fbac8ab0153ced50f1929f512b1eb, md5=30fd61ec57dec347989030caaf0ec6e0, sha256=d8b2ea2b8e256df386b1a55a1aabdb1ec8a96f6b7f13ab41d0641da8386d24e6
- sha1=1a2afb6af4b54fc266d4a66f848afcb990ce237e, md5=294c8b3bc2c198795b20efa684c35b65, sha256=260a773be1ad179da987b22a87abf2eaac93fdf26c4e37b053f1ab2bbf1add82
- sha256=b7341efc8e08b5243091c23fd4775cf5b3b6227d7e15baf8ad9ed79cba74709d, md5=013ecb281bf4f5c25e7823d522895cdb, sha1=17f77c83a6dfa7f2a6ed5c65a3671434b4851950
- md5=e0415f4d3d8122214a3098ec6baa8dc6, sha1=17f77c83a6dfa7f2a6ed5c65a3671434b4851950, sha256=5f3e6175c93e9f070f35d6c10c995b92264a06987af335a85d47fd8825562c3a
- md5=195f42f7e6cc6416da279446c9fd10ee, sha1=537bea04526fe7f01f84ea765fa6a89fcc51d9bf, sha256=6a117f3ba96c3ff1ac073f90e648a45ffb3f86566144ba526a17ff46d31d679f
- sha256=6f38b9d1db71631887f8a0cc241c2d3e74237ed30c4e46a26cf92d6702860795, md5=6276af8151adad9b2e248faccae43d83, sha1=537bea04526fe7f01f84ea765fa6a89fcc51d9bf
- sha256=e61e533b6a88e899bf008d751725b2e3c52bf6871c80ce41ef4c520f7e4bf663, sha1=d88d5110ebe30c8ad3fd215a4bd85388c6113076, md5=a400fe79f7d615e35550a8a15cbc31a9
- sha256=f2225e97cb7f79fd2759117581a365300897860586aa12f3197def215ce3ef2a, sha1=626e7394e9efb8b8496768d87de8d9288a0021d3, md5=261d067103910dcdb5a966a9d6cbf917
- sha1=089e077bdba26833b848fac22a13d744aeb0b770, sha256=31d36f325ba63cf9e08cf7c0c08099089206cb9de556549491a6874e7f9101c7, md5=64ddb41e380281a2440eb93af06c2fe7
- sha1=763068d2c6a7771584126956cc8fca76f5d8ee6c, sha256=323fc0987bb2bc7d2f8aa1d6cb6db4901330b2874f01722ae5586ced09bba4fd, md5=1a50f670c9d8a0c6ed60a26423f38c6c
- md5=27dc626f052cde7ca5c99e09ba2c3bc5, sha1=2bc44b1968fe3063310aea0ae3e7f56ccd826b1a, sha256=6eebe78eaeed5994a575baa50964ee98edc0fbf03f23620aef0d76910754132f
- sha256=79434f9046555e2d4233f903af2bd99834d0b1f4e2abde2ed8a1aa095bdb24c3, sha1=c67cd9c5412a076b742e88f939dae496bdadba6d, md5=f5c257cf1b96459ad985de4ee778e995
- sha1=be57121278042b33d0cda331c8ae0d3bcf8e76c9, md5=4b667f53cd0abb72a05e1d16dacb094c, sha256=b1aa718183fa5059da99b9b5955b660dc495db375cf75e1d6731061e6492c408
- sha256=d931dba26eee7bdc532111f006ec7973176f6b6b5dda4d23ea3fa700ccc8aef0, md5=65e4b959ba44711fa63f9a7fefe32c24, sha1=f4bb8280e17617d6e0332776e2b197d51f76f0e1
- md5=3fbc9d18f8e94a0b5b1e39134be7c153, sha256=da58732f8c52ededed023e7d604dd10e295ad436884b990c8f13e6660cc42b5e, sha1=be9a946fae242ff3b59ed41e0847338dfc90c58f
- sha1=0f5c254b6ae8acb1dfadc7e4422e0c275b6a43ce, md5=dcabbd8c5904e246164411eb63730b76, sha256=f722df5995b24216d2b5b3607213e25c361eafd00ed988d130f66e93af3f8d67
- md5=f77a293d7128c66a2d18b48af317280c, sha256=fb3461c4514b421b60181102b33ac2ac683021ce57fcf7741334d6cafe68ab7f, sha1=519fc698d92f19f569dc7a129a9baac483cff8d3
- sha1=7330d8a5ca8f8dc85657c3ec54fc4ff51b5cc004, sha256=02ad851087bfb3a9fd7ead36727a4992de338de651fb9ff4c0269d5e2e55bce8, md5=d13ea3bf14a05e4aa8d3f3aca89fe327
- md5=bc78a149c773196e9b7af9f2fef260e4, sha1=1333eb3ffe1dbd5efe7e2f2d70501ce715e833ff, sha256=1579c6bcc9fa6f3565e3b74b26b5bf1c69c0671aec6bcace3d74d80fb4371c5b
- sha1=77d340f6f6e6f25c412ec866664ffcf3144ca0d9, sha256=1c8c4612142e65286f455ea64ba41e6870bf6424fe2ac587848b2b8bd89ebd3e, md5=bb997e1a845b20dd5c9ebc18ac716af2
- md5=11c6a227402d19f926adf61fdb6de824, sha256=61bd750ff7331471320abc06ad99b7289a5c44f417d136f8af1b7db25ac0cb35, sha1=4d5fb4a91875a8403c9894774635c4619e4659b1
- sha256=63c9f2a14e4edd0691ffc49e62d488077e6d6689d26e5af49fd8c392238bf1f7, md5=7dfa0cc4f95933e169f38ca80a99c86d, sha1=103d0125a56947ffa1783a46a14ceda30b6cea89
- sha1=76dda9bd72ef8a5a642a007b3074f922dc98d012, sha256=a0d5afdbaa125751e238760386b08037c01d442aef37e12194b75d40dfa485c9, md5=97fbbb9968f5739a0cd7aadc1a1e254d
- md5=7ef04955085db9621d592575b825a0e8, sha1=3ca892dceb68af13273e8877fde7776f043cb7e8, sha256=7348760bbb74159d0be1ebabe54c22f1e158780d9a76d0a73c5ed391491d563f
- sha1=39e904a06737e019fde4f47d1b13c264a76d3edc, md5=e59107b5d4866ab8f87c7f4561fb0d97, sha256=af5eef159cf15e82dcf062a4865562b2721b2d1abb6dc26f454ba2b0008654cf
- sha256=5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b, sha1=dac3bf00eeb34c9c1d9dca63973f2e04da045383, md5=4527c576f1af0580c8d96ac23c8f761c
- sha1=56bf9295b40a78534913a37095ff0abd8e8894ef, md5=b7a1f3c523644788977f45b1539d3d52, sha256=cca42f01a887d5261e9d389d8f82991c4a35c88eefd7e38afb90d70146ca15b0
- md5=33b6c435bdbbec12ae8cba21eb6d105f, sha1=41d43dc4ec1187e6120f26158e074e39475b0815, sha256=d4f4d3196d92b306f65ba4f1f90ec73403803530a58196b48db38210e3e3047d
email:

Title: Unmasking the new persistent attacks on Japan
Link: https://blog.talosintelligence.com/new-persistent-attacks-japan/
Summary: Cisco Talos has identified an ongoing cyber campaign orchestrated by an unidentified attacker targeting organizations in Japan since January 2025. The attacker exploits the CVE-2024-4577 vulnerability, which allows for remote code execution in the PHP-CGI implementation on Windows systems, gaining initial access through specially crafted POST requests. Once inside, they use the Cobalt Strike toolkit, in particular a variant called "TaoWu," to establish a reverse shell connection and execute post-exploitation activities, including privilege escalation exploits and extensive reconnaissance using various tools. The attacker operates from command and control servers on Alibaba Cloud, employing techniques such as registry modifications and event log clearance to maintain persistence and concealment while deploying offensive security frameworks across networks.
Threats: cobalt_strike taowu_tool credential_harvesting_technique juicypotato_tool rottenpotato_tool sweetpotato_tool wevtutil_tool mimikatz_tool uac_bypass_technique lolbin_technique seatbelt_tool fscan_tool you_dun_group arl_tool vulfocus_tool viper starkiller_tool blue_lotus_tool empire_loader metasploit_tool meterpreter_tool
Indicators of compromise:
-------------------------
ip: 38[.]14[.]255[.]23, 118[.]31[.]18[.]77
domain: registry[.]cn-shanghai[.]aliyuncs[.]com, firesun[.]me
url: https://github[.]com/pandasec888/taowu-cobalt_strike, https://gitee[.]com/yijingsec
hash:
email:

Title: Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams
Link: https://www.seqrite.com/blog/unmasking-grasscall-campaign-the-apt-behind-job-recruitment-cyber-scams/
Summary: The GrassCall malware campaign, executed by the Russian-speaking cybercriminal group "Crazy Evil" and its subgroup "kevland," targets job seekers in the cryptocurrency and Web3 sectors through sophisticated social engineering methods, particularly using fake job interviews to trick victims into downloading malicious software. Victims are lured by attractive job ads on reputable platforms, leading to emails inviting them to interviews with fake officials, and ultimately prodding them to download the "GrassCall" application from a malicious site. This malware, tailored for both Windows and macOS users, installs a Remote Access Trojan and information-stealing malware that enables attackers to access sensitive data and cryptocurrency wallets while disabling security measures on the compromised systems. The operation has resulted in significant financial losses for numerous victims, highlighting the group's increasing notoriety in identity fraud and cryptocurrency theft since its establishment in 2021.
Threats: grasscall rhadamanthys crazy_evil_group kevland_group traffer_technique amos_stealer spear-phishing_technique
Indicators of compromise:
-------------------------
ip:
domain: grasscall[.]net
url: https://vibecall[.]app, https://45[.]129[.]185[.]24:1896/22c0d31ace677b/digpu6k5[.]xditc, http://rustaisolutionnorisk[.]com/downloads/aisolution_vibecall_a[.]exe, http://rustaisolutionnorisk[.]com/downloads/soundsolution_vibecall_c[.]exe, http://rustaisolutionnorisk[.]com/downloads/videosolution_vibecall_b[.]exe
hash:
- sha256=d23f79f9b7e1872d4671a18aa85b810c0cec2e0f5ce07c2cf99ed39f8936c8fb
- sha256=0160c14c3d84dcc5802a329a4d4bedcabd23b3a7761c1cd95d16bd0b7a7bb8eb
- sha256=b63367bd7da5aad9afef5e7531cac4561c8a671fd2270ade14640cf03849bf52
- sha256=386b61ccdd4b785c835a064179d5fa58dc0d5fe34970a04487968e1ee0189ce6
- sha256=4b371777c2c638c97b818057ba4b0a2de246479776eaaacebccf41f467bb93c3
- sha256=f2e8f1f72abbc42f96c5599b8f27f620d91ae1680aa14b4f0bbf3daabd7bee30
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
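The IoC blocks above are defanged (`[.]` for `.`, sometimes `host:port`) and mix single-digest and grouped-digest hash entries, so they need a small amount of parsing before they can be swept against telemetry. The Python below is an added example for this page, not RST Cloud's own tooling: it parses the digest's "Indicators of compromise" layout into typed sets (handling every field shape that appears in the ten records, not just the first), refangs the values, and then runs constructed proxy/DNS/EDR-style log lines against them. The IoC excerpt is taken from the first (Proofpoint) record; the log lines are constructed for illustration.

```python
"""Parse the digest's defanged "Indicators of compromise" blocks and sweep
sample log lines for matches.

Added example for this page; it is not RST Cloud's tooling. The IoC block is
an excerpt of the first report above, and the log lines are constructed."""
import re
from dataclasses import dataclass, field

# Excerpt of the Proofpoint record's IoC block, in the digest's own layout.
SAMPLE_IOC_BLOCK = """\
ip: 46[.]30[.]190[.]96, 104[.]238[.]57[.]61
domain: indicelectronics[.]net, bokhoreshonline[.]com
url: https://indicelectronics[.]net/or/1/OrderList[.]zip
hash:
- sha256=0ad1251be48e25b7bc6f61b408e42838bf5336c1a68b0d60786b8610b82bd94c
- sha256=336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14
email:
"""

# Constructed proxy / DNS / EDR-style log lines (not from the original report).
SAMPLE_LOGS = [
    "2025-03-06T09:12:01Z proxy src=10.0.4.21 dst=104.238.57.61 "
    "url=https://indicelectronics.net/or/1/OrderList.zip",
    "2025-03-06T09:12:02Z dns client=10.0.4.21 query=www.example.com",
    "2025-03-06T09:15:40Z edr host=WS-17 "
    "file_sha256=0AD1251BE48E25B7BC6F61B408E42838BF5336C1A68B0D60786B8610B82BD94C",
]


def refang(value: str) -> str:
    """Undo the digest's defanging: "[.]" -> "." and a leading hxxp -> http."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.I)


def strip_port(value: str) -> str:
    """Some ip/domain entries are written as host:port; keep only the host."""
    return value.rsplit(":", 1)[0] if re.search(r":\d+$", value) else value


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    hashes: set = field(default_factory=set)   # lowercase hex digests
    emails: set = field(default_factory=set)


def parse_ioc_block(text: str) -> IocSet:
    """Read 'ip:', 'domain:', 'url:', 'email:' lines and '- algo=digest' items."""
    iocs = IocSet()
    buckets = {"ip": iocs.ips, "domain": iocs.domains,
               "url": iocs.urls, "email": iocs.emails}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue
        if line.startswith("- "):
            # hash entry: "- sha256=..., md5=..." lists several digests of one file
            for item in line[2:].split(","):
                _algo, sep, digest = item.strip().partition("=")
                if sep:
                    iocs.hashes.add(digest.lower())
            continue
        key, _, rest = line.partition(":")
        if key in buckets:
            for v in rest.split(","):
                v = v.strip()
                if v:
                    v = refang(v)
                    if key in ("ip", "domain"):
                        v = strip_port(v).lower()
                    buckets[key].add(v)
    return iocs


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HEX_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)


def match_line(line: str, iocs: IocSet) -> list:
    """Return (type, value) hits for one log line; hashes compare case-insensitively."""
    hits = []
    hits += [("ip", ip) for ip in IP_RE.findall(line) if ip in iocs.ips]
    hits += [("domain", h.lower()) for h in HOST_RE.findall(line)
             if h.lower() in iocs.domains]
    hits += [("hash", h.lower()) for h in HEX_RE.findall(line)
             if h.lower() in iocs.hashes]
    hits += [("url", u) for u in iocs.urls if u in line]
    return hits


def sweep(lines, iocs: IocSet) -> dict:
    """Map line index -> hits for every line with at least one match."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line, iocs))}


if __name__ == "__main__":
    indicators = parse_ioc_block(SAMPLE_IOC_BLOCK)
    for idx, found in sweep(SAMPLE_LOGS, indicators).items():
        print(f"line {idx}: {found}")
```

Exact-match sweeps like this are a first pass only: the Kimsuky and Desert Dexter records above list dozens of look-alike domains and Telegram/files[.]fm URLs, so a production pipeline would also want subdomain matching on the registered domain and URL normalisation before comparison.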
Analysis Summary
Based on the provided context, here is the structured summary focusing on the three distinct threat actor/campaign reports identified:
# Threat Actor: UNK_CraftyCamel (Potentially linked to IRGC-associated groups)
## Attribution & Identity
Researchers identified a targeted email campaign associated with this actor. Potential links exist to groups associated with the Islamic Revolutionary Guard Corps (irgc_group, apt33_group, unc1549_group).
## Activity Summary
Conducted a highly targeted email campaign named UNK_CraftyCamel. This involved compromising the email account of the Indian electronics firm INDIC Electronics to send malicious emails to their select customers.
## Tactics, Techniques & Procedures
- Spear-phishing via compromised legitimate email accounts (supply chain technique).
- Delivery of sophisticated, multi-stage polyglot malware (Sosano) designed to evade detection and complicate analysis.
- Utilization of polyglot files, bloat techniques, and runkeys techniques.
## Targeting
- Sectors: Aviation, satellite communications, and critical transportation infrastructure.
- Geography: United Arab Emirates (UAE).
- Victims: Select customers of INDIC Electronics who operate in the targeted critical infrastructure sectors.
## Tools & Infrastructure
- Malware families used: Sosano (backdoor), polyglot_ransomware (mentioned as a related threat category).
- Infrastructure (C2, domains, IPs):
  - Malicious domains used for delivery: indicelectronics[.]net, bokhoreshonline[.]com
  - URLs: https://indicelectronics[.]net/or/1/OrderList[.]zip
  - IPs: 46[.]30[.]190[.]96, 104[.]238[.]57[.]61
## Implications
The actor exhibits advanced operational capabilities, using trusted relationships (supply chain compromise) to deliver customized malware, posing a significant risk to critical infrastructure entities in the region.
## Mitigations
- Increased vigilance regarding suspicious communications originating from seemingly legitimate or expected supply chain partners.
- Enhanced detection capabilities for polyglot file types and multi-stage malware delivery.
***
# Threat Actor: Black Basta Group
## Attribution & Identity
Identified as the Black Basta ransomware group (blackbasta_group, conti). They operate alongside the Cactus ransomware group.
## Activity Summary
Since October 2024, incidents involving Black Basta have notably increased, particularly in North America. The group continues its extortion activity, having extorted nearly $107 million in Bitcoin from victims in 2023. Recent leaks (February 2025) indicate efforts to adapt to and circumvent security measures, as well as plans to attack financial institutions.
## Tactics, Techniques & Procedures
- Gaining initial access via social engineering tactics, including impersonation via Microsoft Teams.
- Utilizing email flooding and misleading IT support interactions.
- Deploying remote management tools for command execution and internal file transfer.
- Advanced capabilities include targeting ESXi hosts and bypassing multifactor authentication (MFA).
- Deployment of BackConnect malware for persistence and data exfiltration.
## Targeting
- Sectors: Financial institutions (planned/intended targets); otherwise opportunistic targets for ransomware and data theft.
- Geography: North America (where recent activity is particularly noted).
- Victims: Numerous victims susceptible to ransomware extortion (specific organizations not detailed).
## Tools & Infrastructure
- Malware families used: BackConnect (for persistence/exfiltration), Qakbot, DarkGate, WinRM_tool, SystemBC, Backdoor.Win64.REEDBED.A.
- Infrastructure (C2, domains, IPs):
  - IPs: 45[.]8[.]157[.]199, 5[.]181[.]3[.]164, 38[.]180[.]25[.]3, 185[.]190[.]251[.]16, [and many others listed in the original report].
  - Domains: pumpkinrab[.]com
  - URLs: https://sfu11[.]s3[.]us-east-2[.]amazonaws[.]com/js/kb052117-01[.]bpx, [other S3 links listed in the original report].
## Implications
Black Basta remains a highly evolved and financially motivated Ransomware-as-a-Service (RaaS) group, actively updating TTPs to bypass MFA and target high-value virtualization infrastructure (ESXi).
## Mitigations
- Harden MFA implementation across all services, especially those facing external connections.
- Monitor for unusual deployment of remote management tools and lateral movement indicative of ransomware execution.
- Apply specific controls against ESXi host exploitation, such as restricting management-interface access and patching hypervisor hosts promptly.
***
# Threat Actor: Crazy Evil Group (and Kevland subgroup)
## Attribution & Identity
A Russian-speaking cybercriminal group designated "Crazy Evil" and its subgroup "kevland_group".
## Activity Summary
Executed the GrassCall malware campaign (grasscall). The operation focuses heavily on phishing job seekers in the cryptocurrency and Web3 space; the group, active since its establishment in 2021, has caused significant financial losses through identity fraud and cryptocurrency theft.
## Tactics, Techniques & Procedures
- Spear-phishing disguised as legitimate job recruitment processes.
- Sophisticated social engineering involving fake job interviews with fabricated officials.
- Luring victims to download proprietary malware (GrassCall) from malicious websites.
- GrassCall installs a Remote Access Trojan (RAT) and information-stealing malware.
- Malware is tailored for both Windows and macOS.
- Capability to disable security measures on compromised systems.
- Use of traffer techniques and Amos Stealer.
## Targeting
- Sectors: Cryptocurrency and Web3 sectors.
- Geography: Not explicitly stated; targeting is typically global, aimed at individuals interacting with these sectors.
- Victims: Job seekers lured by fraudulent employment opportunities.
## Tools & Infrastructure
- Malware families used: GrassCall (RAT/Infostealer), Amos Stealer.
- Infrastructure (C2, domains, IPs):
  - Malicious URLs for delivery: https://vibecall[.]app, http://rustaisolutionnorisk[.]com/downloads/aisolution_vibecall_a[.]exe, [other rustaisolutionnorisk download links listed in the original report].
  - Malicious IP/port: 45[.]129[.]185[.]24:1896
  - Domain: grasscall[.]net
## Implications
This campaign represents a direct pipeline for identity fraud and cryptocurrency theft, capitalizing on employment-seeking behavior within high-value digital asset industries. The cross-platform capability (Windows/macOS) broadens the group's reach.
## Mitigations
- Implement security training focused on identifying convincing job recruitment scams, especially those requiring the download and execution of proprietary software outside of standard enterprise application stores.
- Scrutinize communications from legitimate hiring platforms that redirect to non-corporate domains for application downloads.
- Utilize endpoint detection and response (EDR) capable of monitoring and blocking the execution of known GrassCall hashes and related files.