Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we processed 55 threat intelligence reports and have compiled a brief summary of the findings, along with the pertinent metadata that was extracted. Below is a short summary of 10 reports, with related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell
Link: https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/
Summary: The Chinese state-sponsored threat actor UNC5174 has been operating stealthily for about a year, utilizing advanced malware techniques such as the VShell Remote Access Trojan (RAT) and SNOWLIGHT malware to target Western nations and organizations in the Asia-Pacific region. Discovered through the analysis of their unique command-and-control methods, UNC5174 employs encryption and uses WebSockets for stealthy communication, which makes detection difficult. The malware components, including SNOWLIGHT acting as a dropper, exploit system vulnerabilities and evade traditional detection through fileless execution and persistence strategies, while their infrastructure leverages domain-squatting tactics for phishing attacks, indicating a high level of expertise and adaptability in their cyber operations.
Threats: unc5174_group snowlight vshell phoreal cobalt_strike sliver_c2_tool supershell upx_tool gobfuscate_tool pyration_campaign
Indicators of compromise: extracted from the original report (IPs, domains, URLs, SHA-256 hashes); see the linked source.

Title: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
Link: https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
Summary: Slow Pisces, a North Korean state-sponsored threat group, focuses on the cryptocurrency sector to financially support the DPRK regime through advanced phishing tactics that masquerade as legitimate recruiting efforts on LinkedIn. The group's recent operations involve creating enticing coding challenges that, once executed, deploy malware such as RN Loader and RN Stealer, leveraging coding tasks linked to GitHub repositories predominantly using Python and JavaScript. By employing techniques like YAML deserialization and simulating benign C2 server interactions, Slow Pisces manages to execute malware while avoiding detection, tracking victim sessions through unique IDs, and selectively maintaining access based on the target's perceived value, ultimately enabling the extraction of sensitive information from compromised systems.
Threats: tradertraitor_group rn_loader rn_stealer jade_sleet_group unc4899_group supply_chain_technique bluenoroff_group contagious_interview_campaign
Indicators of compromise: extracted from the original report (IPs, domains, URLs, SHA-256 hashes); see the linked source.

Title: Interlock ransomware evolving under the radar
Link: https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
Summary: Interlock is a ransomware intrusion set identified in September 2024, involved in Big Game Hunting and double extortion, with 24 victims reported as of March 2025 across diverse sectors in North America and Europe. Attackers compromise legitimate websites to deliver malicious fake browser updates that install a PowerShell backdoor for persistent system access and command execution, utilizing techniques like ClickFix and credential-stealing malware such as LummaStealer. Interlock's ransomware operates on both Windows and Linux systems, uses AES-CBC encryption, and incorporates a methodical data exfiltration process, uploading sensitive information to Azure before publication on Tor, while employing pressure tactics in ransom notes to compel compliance from victims.
Threats: interlock clop ransomhub akira_ransomware babuk lynx qilin_ransomware fog_ransomware clickfix_technique lumma_stealer berserkstealer putty_tool anydesk_tool logmein_tool azcopy_tool rhysida credential_stealing_technique funcksec_group
Indicators of compromise: extracted from the original report (IPs, domains, URLs, SHA-256 hashes); see the linked source.

Title: From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets
Link: https://www.cybereason.com/blog/threat-analysis-lummastealer-2.0
Summary: LummaStealer, or LummaC2, is a sophisticated malware attributed to Russian-speaking actors and classified as Malware-as-a-Service (MaaS) since its emergence in 2022. Designed to steal sensitive data such as credentials, cookies, and cryptocurrency wallets, it employs various deployment techniques, including DLL side-loading and phishing emails that trick victims into executing harmful scripts. Recent advancements include the exploitation of trusted system processes for stealthy payload delivery and the use of obfuscated HTML applications to execute malicious tasks while evading detection. The operators have also created a Telegram marketplace for trading stolen information, revealing a commercialization of cybercrime that includes subscription-based tiers for different functionalities in managing cyber operations and a log market that began in August 2024.
Threats: lumma_stealer dll_sideloading_technique lolbin_technique clickfix_technique amadey heavens_gate_technique vidar_stealer
Indicators of compromise: extracted from the original report (IPs, domains, URLs, SHA-1 hashes); see the linked source.

Title: Inside Gamaredon's PteroLNK: Dead Drop Resolvers and Evasive Infrastructure
Link: https://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/
Summary: The Pterodo malware ecosystem, linked to the Gamaredon group, showcases advanced attack strategies involving the PteroLNK VBScript malware, which employs heavy obfuscation to conceal its operational goals. Upon execution, PteroLNK generates additional malicious payloads and modifies system settings to maintain persistence and evade detection, propagating across networks by exploiting shared drives. Gamaredon utilizes a resilient command-and-control infrastructure that incorporates Cloudflare tunnels and Dead Drop Resolvers, ensuring adaptability and stealth in its operations, primarily targeting Ukrainian government and military sectors amid ongoing geopolitical tensions, with strong indications of ties to Russia's Federal Security Service.
Threats: dead_drop_technique gamaredon_group pterolnk litterdrifter cloudflared_tool spear-phishing_technique
Indicators of compromise: extracted from the original report (IPs, domains, URLs, MD5 and SHA-256 hashes); see the linked source.

Title: Around the World in 90 Days: State-Sponsored Actors Try ClickFix
Link: https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix
Summary: Proofpoint researchers have identified a first-time use of the ClickFix social engineering technique by state-sponsored actors from North Korea, Iran, and Russia between late 2024 and early 2025. This technique, which modifies infection chains primarily during installation and execution, was initially deployed by the group TA571 but has since been adopted by groups like TA427, TA450, UNK_RemoteRogue, and TA422. For instance, TA427 targeted think tank professionals with manipulated meeting requests leading to the execution of PowerShell commands that deployed QuasarRAT malware, while TA450 conducted phishing campaigns presenting themselves as Microsoft security updates to install remote management tools. The use of ClickFix by these state actors indicates a trend of adapting cybercriminal techniques, signaling a potential evolution in their operational strategies.
Threats: clickfix_technique kimsuky_group muddywater_group unk_remoterogue_group fancy_bear_group ta571_group clearfake quasar_rat pdq_connect_tool atera_tool screenconnect_tool simplehelp_tool empire_loader metasploit_tool
Indicators of compromise: extracted from the original report (IPs, domains, URLs, SHA-256 hashes, email addresses); see the linked source.

Title: APT Group Tracking Report - LARVA-24005
Link: https://asec.ahnlab.com/ko/87453/
Summary: AhnLab Security Intelligence Center (AhnLab ASEC) has uncovered a new cyber operation attributed to the KIMSUKY threat group, named Larva-24005, which exploits the BlueKeep vulnerability (CVE-2019-0708) in Remote Desktop Protocol (RDP). The operation enables the group to gain unauthorized access to systems, install MySPY malware and RDPWRAP for persistent access, and deploy keyloggers to capture sensitive user information. Since October 2023, KIMSUKY has targeted various sectors in South Korea and extended its attacks internationally, utilizing phishing emails and RDP vulnerability scanners, although the exact methods of initial compromise remain unclear.
Threats: kimsuky_group myspy rdpwrap_tool bluekeep_vuln larva-24005_group kimalogger randomquery spear-phishing_technique fpspy
Indicators of compromise: extracted from the original report (domains, URLs, MD5 hashes); see the linked source.

Title: Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
Link: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement
Summary: Mandiant has reported a surge in cyber activities exploiting the vulnerabilities CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, primarily targeting Ivanti Connect Secure appliances. Distinct clusters of attackers, including the China-nexus espionage group UNC5291 and the financially motivated UNC5221, have been implicated in sophisticated operations, deploying advanced malware like Bishop Fox's SLIVER implant and the custom family TERRIBLETEA. Additionally, UNC5330 has exploited these vulnerabilities to establish persistent access and lateral movement within networks by leveraging compromised administrator credentials and sophisticated backdoors like BRICKSTORM, highlighting an alarming trend in advanced exploitation techniques against critical infrastructure systems.
Threats: volt_typhoon_group unc5291_group unc5221_group unc5266_group sliver_c2_tool warpwire terribletea unc3569_group unc5330_group downtown tonerjam unc5337_group spawnsnail spawnmole spawnnant spawnsloth crackmapexec_tool rootrot brickstorm dcsync_technique unc5325_group dslog
Indicators of compromise: extracted from the original report (IPs, domains, MD5 hashes); see the linked source.

Title: Renewed APT29 Phishing Campaign Against European Diplomats
Link: https://research.checkpoint.com/2025/apt29-phishing-campaign/
Summary: APT29, a Russian-linked group, has initiated a targeted phishing campaign against European diplomatic organizations, utilizing deceptive emails that appear to be invitations to fake wine-tasting events. This operation involves the deployment of GRAPELOADER, a malware loader activated via a legitimate PowerPoint executable, which modifies the Windows registry for persistence and communicates host information to a command-and-control (C2) server using HTTPS. Concurrently, a new variant of an established backdoor called WINELOADER has emerged, characterized by refined stealth capabilities and advanced anti-analysis techniques. Both GRAPELOADER and WINELOADER share similar code structures and obfuscation methods, reflecting the attackers' commitment to evolving their tactics and maintaining a low profile while executing their operations.
Threats: duke_group grapeloader wineloader junk_code_technique supply_chain_technique dll_sideloading_technique bloat_technique envyscout
Indicators of compromise: extracted from the original report (domains, URLs, SHA-256 hashes); see the linked source.

Title: TROX Stealer: A deep dive into a new Malware as a Service (MaaS) attack campaign
Link: https://sublime.security/blog/trox-stealer-a-deep-dive-into-a-new-malware-as-a-service-maas-attack-campaign/
Summary: TROX Stealer is a newly identified Malware as a Service (MaaS) variant discovered by security researchers in December 2024, with initial marketing efforts traceable to April 2024. This malware is designed to steal sensitive information, including credit card details and credentials from popular messaging applications, employing urgent-themed phishing emails to entice users into executing malicious files. TROX Stealer is delivered via links in these emails that lead to documents masked as debt collection notices, and it utilizes a sophisticated execution chain incorporating various programming technologies like Python, Node.js, and WebAssembly to evade detection. Key operational features include extensive obfuscation techniques and a reliance on established data exfiltration channels, such as GoFile and Telegram accounts, to retrieve stolen information, showcasing its focus on individual users rather than enterprises.
Threats: trox_stealer smuggling_technique junk_code_technique
Indicators of compromise: extracted from the original report (IP, domains, URL, MD5/SHA-1/SHA-256 hashes, email addresses); see the linked source.

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
As an Incident Response Analyst, I have compiled a structured timeline summary based on the provided threat intelligence clippings. Please note that since the source is a compilation of *weekly reports*, specific dates for individual compromises are not available; therefore, the timeline reflects the *discovery/reporting window* and *development timeline* of the threats analyzed.
# Incident Report: Intelligence Compilation Summary (UNC5174, Slow Pisces, TROX Stealer)
## Executive Summary
This summary covers intelligence from multiple threat reports identifying three distinct threat activities: the stealthy evolution of Chinese state-sponsored group UNC5174 using VShell RAT, North Korean group Slow Pisces targeting cryptocurrency developers via deceptive coding challenges, and the emergence of TROX Stealer, a new Malware-as-a-Service (MaaS) focused on credentials and credit card theft via urgent phishing lures. Impact varies from sophisticated state espionage to financial fraud targeting individual users.
## Incident Details
- **Discovery Date**: Varied reporting week (Context suggests recent weekly aggregation)
- **Incident Date**: Ongoing activities reported across the analysis period. UNC5174 has been active for "about a year"; TROX Stealer marketing was first noted in April 2024 and researchers identified the malware in December 2024.
- **Affected Organization**: Not specified (General threat reporting)
- **Sector**: Government/Defense (UNC5174), Cryptocurrency/Finance (Slow Pisces), General Users (TROX Stealer)
- **Geography**: Western nations and Asia-Pacific region (UNC5174); Global targeting of crypto sector (Slow Pisces).
## Timeline of Events
### Initial Access
- **UNC5174**: Tactics suggest exploiting system vulnerabilities facilitated by the SNOWLIGHT dropper component. Infrastructure used domain squatting for phishing.
- **Slow Pisces**: Advanced phishing via LinkedIn, masquerading as legitimate recruiting efforts, often involving coding challenges linked to GitHub repos. Initial execution leverages customized Python/JavaScript malware upon solving/running the challenge.
- **TROX Stealer (MaaS)**: Urgent-themed phishing emails deliver links to documents masked as debt collection notices, prompting execution.
### Lateral Movement
- **UNC5174**: Command-and-control (C2) relied on WebSockets and encryption to keep sessions alive while staying hard to spot. Movement inside the network is implied but not detailed beyond the C2 channel.
- **Slow Pisces**: After execution, malware simulates benign C2 server interactions. Access is selectively maintained based on perceived victim value.
- **TROX Stealer (MaaS)**: Focus appears to be on local data collection rather than extensive enterprise lateral movement, though framework capabilities are not fully detailed.
### Data Exfiltration/Impact
- **UNC5174**: Unknown specific data, but targeting Western nations and APAC suggests espionage objectives.
- **Slow Pisces**: Extraction of sensitive information from compromised systems, facilitated by RN Stealer and controlled via C2 tracking sessions.
- **TROX Stealer (MaaS)**: Theft of credit card details and credentials from popular messaging applications, exfiltrated via GoFile or Telegram drop zones.
### Detection & Response
- **UNC5174**: Discovered via analysis of unique command-and-control methods.
- **Slow Pisces**: Discovery noted via analysis of custom malware (RN Loader/Stealer) and deceptive coding challenges.
- **TROX Stealer (MaaS)**: Identified by security researchers following marketing efforts and execution analysis beginning in December 2024.
- *Note: Specific response actions for these broad threats are not detailed in the summary, only the discovery method.*
## Attack Methodology
| Category | UNC5174 | Slow Pisces | TROX Stealer (MaaS) |
| :--- | :--- | :--- | :--- |
| **Initial Access** | Vulnerability exploitation, Domain Squatting Phishing | LinkedIn Phishing (Recruitment Lures) | Urgent Phishing Emails (Debt Collection Lures) |
| **Persistence** | Fileless execution strategies | Selective maintenance based on victim value | Implied via execution chain utilizing various technologies |
| **Privilege Escalation**| Not explicitly detailed | Not explicitly detailed | Not explicitly detailed |
| **Defense Evasion** | Encryption, WebSockets for C2, Fileless techniques | YAML deserialization, Simulation of benign C2 | Extensive obfuscation techniques, Evasion via mixed programming languages (Python, Node.js, WebAssembly) |
| **Credential Access** | Implied via RAT usage | RN Stealer capabilities | Theft of credentials from messaging apps |
| **Discovery** | Not explicitly detailed | Tracking victim sessions using unique IDs | Not explicitly detailed |
| **Lateral Movement** | Stealthy C2 via WebSockets | Simulated benign C2 traffic | Focus on local system data, less focus on enterprise movement |
| **Collection** | Implied via VShell RAT functionality | Sensitive information gathering | Credit card details, messaging app credentials |
| **Exfiltration** | Encrypted C2 communication | Data extraction enabled by RN Stealer | GoFile and Telegram accounts |
| **Impact** | State espionage/Advanced persistent threat activity | Financial gain for DPRK regime | Theft targeting individual user financial/login data |
## Impact Assessment
- **Financial**: Slow Pisces targets cryptocurrency for DPRK funding; TROX Stealer targets individual credit card data.
- **Data Breach**: Sensitive information/credentials for Slow Pisces; Credit card details and messaging app credentials for TROX Stealer.
- **Operational**: Minimal detail provided for operational impact outside of assumed intelligence gathering for UNC5174.
- **Reputational**: High risk associated with UNC5174 (state actor) and Slow Pisces (state-sponsored financial crime).
## Indicators of Compromise
*Note: All IOCs are defanged below.*
**UNC5174 Related IOCs:**
- **IPs:** 34[.]96[.]239[.]183, 8[.]219[.]171[.]47, 34[.]55[.]187[.]149, 34[.]96[.]252[.]230, 34[.]91[.]68[.]192
- **Domains:** gooogleasia[.]com, vs[.]gooogleasia[.]com, apib[.]googlespays[.]com, evil[.]gooogleasia[.]com, samsungcdn[.]com, googlespays[.]com, telegrams[.]icu
- **Hashes (SHA256 examples):** e6db3de3a21debce119b16697ea2de5376f685567b284ef2dee32feb8d2d44f8, 8d88944149ea1477bd7ba0a07be3a4371ba958d4a47b783f7c10cbe08c5e7d38
**Slow Pisces Related IOCs:**
- **IPs:** 23[.]254[.]230[.]253, 146[.]70[.]88[.]126
- **Domains:** getstockprice[.]com, cdn[.]clubinfo[.]io, api[.]stockinfo[.]io, en[.]wfinance[.]org, api[.]coinpricehub[.]me
**TROX Stealer Related IOCs:**
- **IPs:** 89[.]185[.]82[.]34
- **Domains:** documents[.]debt-collection-experts[.]com, debt-collection-experts[.]online
- **Hashes (SHA256 examples):** c404baad60fa3e6bb54a38ab2d736238ccaa06af877da6794e0e4387f8f5f0c6
## Response Actions
*(Specific containment/eradication actions for generalized threat intelligence reports are typically absent. The response listed here reflects actions taken if these IoCs were observed in an environment.)*
- **Containment Measures**: Immediate isolation of endpoints communicating with identified C2 infrastructure (IPs/Domains). Blocking outbound connections to known suspicious domains (e.g., those related to GoFile/Telegram exfiltration for TROX).
- **Eradication Steps**: Removal of fileless components and memory artifacts related to VShell/SNOWLIGHT (UNC5174) and RN execution (Slow Pisces). Comprehensive scanning for known signatures related to TROX payloads.
- **Recovery Actions**: Password resets for potentially compromised accounts (credentials targeted by TROX). Full rebuild/restoration for systems confirmed to host persistent malware components.
## Lessons Learned
- **Stealth is paramount**: UNC5174's use of WebSockets and encryption highlights the difficulty in detecting modern state-sponsored C2 traffic not relying on standard HTTP/S.
- **Supply Chain/Social Engineering Convergence**: Both Slow Pisces (deceptive coding tasks) and TROX Stealer (urgent debt notices) show that pretexting combined with technical execution via shared environments (GitHub) or urgent documents remains highly effective against targeted and general users, respectively.
- **MaaS Proliferation**: The emergence of TROX Stealer shows that sophisticated credential harvesting techniques are rapidly commoditized as a service.
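The defanged indicator list above only becomes useful once it is refanged and matched against telemetry, and the WebSocket lesson only pays off if someone actually looks for WebSocket handshakes where they do not belong. The following added example (written for this review, not code from RST Cloud or any of the cited vendors) does both over a constructed proxy log: it refangs a handful of the UNC5174 and TROX Stealer indicators listed above, matches destinations against them with subdomain-aware logic, and separately flags any WebSocket upgrade to a port other than 80 or 443. The log format, the choice of "standard" ports and the helper names are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Defanged indicators copied from the "Indicators of Compromise" section above
# (a subset of the UNC5174 and TROX Stealer entries; the full lists are longer).
DEFANGED_IOCS: Dict[str, List[str]] = {
    "ip": ["34[.]96[.]239[.]183", "8[.]219[.]171[.]47", "89[.]185[.]82[.]34"],
    "domain": [
        "gooogleasia[.]com",
        "vs[.]gooogleasia[.]com",
        "documents[.]debt-collection-experts[.]com",
        "debt-collection-experts[.]online",
    ],
}

# Ports where a WebSocket upgrade is routine. A handshake to any other port is the
# "non-standard protocol use" signal the report recommends watching for
# (assumption for this example; tune to your environment).
STANDARD_WEB_PORTS = {80, 443}


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') back to its literal form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_ioc_sets(defanged: Dict[str, List[str]]) -> Tuple[Set[str], Set[str]]:
    """Return (ip_set, domain_set) ready for exact and suffix matching."""
    ips = {refang(i) for i in defanged.get("ip", [])}
    domains = {refang(d).lower().rstrip(".") for d in defanged.get("domain", [])}
    return ips, domains


def domain_matches(host: str, domains: Set[str]) -> bool:
    """True if host is a listed domain or a subdomain of one, so that
    evil.gooogleasia.com is caught by the gooogleasia.com entry."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    reasons: List[str] = field(default_factory=list)


# Constructed proxy log (not from the report). Whitespace-separated fields:
# timestamp src_ip dst_host dst_port method upgrade_header ('-' when absent)
SAMPLE_PROXY_LOG = """\
2025-04-20T10:00:01Z 10.0.0.5 vs.gooogleasia.com 8443 GET websocket
2025-04-20T10:00:02Z 10.0.0.6 updates.example.invalid 443 GET -
2025-04-20T10:00:03Z 10.0.0.7 203.0.113.7 2086 GET websocket
2025-04-20T10:00:04Z 10.0.0.8 chat.example.invalid 443 GET websocket
2025-04-20T10:00:05Z 10.0.0.9 docs.debt-collection-experts.online 443 GET -
"""


def scan_proxy_log(log_text: str, ips: Set[str], domains: Set[str]) -> List[Finding]:
    """Flag each line whose destination is a listed IoC and/or that carries a
    WebSocket upgrade to a port outside STANDARD_WEB_PORTS."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, src, dst, port_s, _method, upgrade = parts
        port = int(port_s)
        reasons: List[str] = []
        if is_ip(dst):
            if dst in ips:
                reasons.append("destination IP is a listed IoC")
        elif domain_matches(dst, domains):
            reasons.append("destination domain matches a listed IoC")
        if upgrade.lower() == "websocket" and port not in STANDARD_WEB_PORTS:
            reasons.append(f"WebSocket upgrade on non-standard port {port}")
        if reasons:
            findings.append(Finding(src, dst, port, reasons))
    return findings


if __name__ == "__main__":
    ioc_ips, ioc_domains = build_ioc_sets(DEFANGED_IOCS)
    for f in scan_proxy_log(SAMPLE_PROXY_LOG, ioc_ips, ioc_domains):
        print(f"{f.src} -> {f.dst}:{f.port}: " + "; ".join(f.reasons))
```

Run as-is, the scan reports three of the five constructed lines: the first line hits on both signals (a listed domain plus a WebSocket handshake on 8443), the third hits only on the port anomaly (no indicator match, which is the case a pure IoC feed would miss), and the last hits only on the indicator. The WebSocket upgrade to 443 on line four is deliberately left alone, since that is ordinary browser traffic; suffix matching is what lets the single `gooogleasia[.]com` entry cover every subdomain the report lists.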
## Recommendations
- **Network Monitoring**: Implement deep packet inspection capable of analyzing non-standard protocol use over common ports (like WebSocket traffic) to identify anomalous C2 communication.
- **Behavioral Analysis**: Enhance EDR/XDR solutions to prioritize alerts based on process execution chains that involve multiple scripting languages (Python, Node.js) and fileless persistence mechanisms.
- **User Training**: Conduct specific training against social engineering tactics targeting professionals, focusing on verifying the legitimacy of remote coding challenges and being hyper-skeptical of financial urgency in unsolicited communication.
- **Credential Hardening**: Mandate MFA universally, especially for high-value accounts, to mitigate the impact of credential harvesting by MaaS operations like TROX Stealer.
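The Behavioral Analysis recommendation above asks EDR/XDR to prioritize execution chains that stack several scripting runtimes, which is the shape both the TROX Stealer chain (Python, Node.js, WebAssembly) and the Slow Pisces coding-challenge lure produce. As an added example (not code from the report or any vendor product), the block below walks constructed process-creation events, rebuilds each interpreter's ancestry, and emits two kinds of reason: multiple distinct runtimes in one ancestry, and a user-facing application (mail client, PDF reader, browser) directly spawning a runtime. The runtime and application name sets, the event format and the function names are assumptions for this example.

```python
from typing import Dict, List, Tuple

# Image names treated as scripting runtimes and as user-facing applications
# (assumption for this example; extend for your estate).
SCRIPT_RUNTIMES = {"python.exe", "pythonw.exe", "node.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe"}
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe",
             "chrome.exe", "msedge.exe"}

# Constructed process-creation events (not from the report): (pid, ppid, image).
SAMPLE_EVENTS: List[Tuple[int, int, str]] = [
    (100, 1, "explorer.exe"),
    (200, 100, "outlook.exe"),
    (210, 200, "AcroRd32.exe"),   # document opened from mail
    (220, 210, "python.exe"),     # reader launching an interpreter
    (230, 220, "node.exe"),       # second runtime in the same ancestry
    (300, 100, "code.exe"),       # developer IDE
    (310, 300, "node.exe"),
    (320, 310, "python.exe"),     # developer tooling with the same shape
    (400, 100, "chrome.exe"),
    (410, 400, "wscript.exe"),    # browser launching a script host
]


def build_chain(pid: int, parents: Dict[int, int], images: Dict[int, str],
                max_depth: int = 32) -> List[str]:
    """Ancestry of pid as lowercase image names, child first. Stops at an
    unknown parent, a loop, or max_depth (reused PIDs can create loops)."""
    chain: List[str] = []
    seen = set()
    cur = pid
    while cur in images and cur not in seen and len(chain) < max_depth:
        seen.add(cur)
        chain.append(images[cur].lower())
        cur = parents[cur]
    return chain


def score_chain(chain: List[str]) -> List[str]:
    """Reasons a chain is suspicious: several distinct runtimes stacked in one
    ancestry, or a user-facing app directly launching a runtime."""
    reasons: List[str] = []
    runtimes = sorted({img for img in chain if img in SCRIPT_RUNTIMES})
    if len(runtimes) >= 2:
        reasons.append("multiple scripting runtimes in one ancestry: " + ", ".join(runtimes))
    for child, parent in zip(chain, chain[1:]):
        if child in SCRIPT_RUNTIMES and parent in USER_APPS:
            reasons.append(f"{parent} spawned {child}")
    return reasons


def find_suspicious_chains(events: List[Tuple[int, int, str]]
                           ) -> Dict[int, Tuple[List[str], List[str]]]:
    """Evaluate every runtime process; returns {pid: (chain, reasons)} for hits."""
    parents = {pid: ppid for pid, ppid, _ in events}
    images = {pid: img for pid, _, img in events}
    hits: Dict[int, Tuple[List[str], List[str]]] = {}
    for pid, _, img in events:
        if img.lower() not in SCRIPT_RUNTIMES:
            continue  # only interpreters are scored; their ancestry is the signal
        chain = build_chain(pid, parents, images)
        reasons = score_chain(chain)
        if reasons:
            hits[pid] = (chain, reasons)
    return hits


if __name__ == "__main__":
    for pid, (chain, reasons) in find_suspicious_chains(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {' <- '.join(chain)}")
        for r in reasons:
            print(f"    {r}")
```

On the constructed events, the mail-borne chain is flagged twice at the `node.exe` leaf (two runtimes, and `acrord32.exe` spawning `python.exe`), and the browser-launched `wscript.exe` is flagged once. The developer chain rooted at `code.exe` trips only the weaker multi-runtime signal: that is the same shape a developer produces when running a recruiter's coding challenge, so in practice the two reasons carry different weights and IDE roots get an allowlist rather than being dropped from the rule entirely.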