Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 67 threat intelligence articles and compiled a concise summary along with the relevant metadata that was extracted. You can find below a short summary of 10 articles, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original articles. More granular information, including TTPs, on all articles is available via RST Report Hub.Title: A Wretch Client: From ClickFix deception to information stealer deploymentLink: https://www.elastic.co/security-labs/a-wretch-clientSummary: Elastic Security Labs has reported a notable rise in ClickFix campaigns, which employ social engineering tactics to deliver advanced malware such as GHOSTPULSE, LUMMA, and ARECHCLIENT2, with the first identified instance occurring in March 2024. These campaigns manipulate users into executing malicious PowerShell commands disguised as legitimate updates, often initiated through phishing pages mimicking genuine services. The GHOSTPULSE loader, notable for its evolving evasion techniques, utilizes a multi-stage approach to execute malware, including storing encrypted payloads within image files, while ARECHCLIENT2, also known as SectopRAT, has emerged as a potent threat by specializing in credential theft and employing persistent command-and-control mechanisms that frequently change IP addresses for security. 
The complexity of these attacks signifies an alarming trend of heightened sophistication in cybersecurity threats.Threats: clickfix_technique ghostpulse lumma_stealer sectop_rat fakecaptcha_technique eddiestealer hijackloader dll_sideloading_technique spear-phishing_techniqueIndicators of compromise:-------------------------ip: 50[.]57[.]243[.]90, 144[.]172[.]97[.]2, 143[.]110[.]230[.]167, 66[.]63[.]187[.]22, 45[.]94[.]47[.]164, 84[.]200[.]17[.]129, 82[.]117[.]255[.]225, 45[.]77[.]154[.]115, 144[.]172[.]94[.]120, 79[.]124[.]62[.]10, 62[.]60[.]247[.]154, 107[.]189[.]24[.]67, 185[.]156[.]72[.]80, 85[.]158[.]110[.]179, 144[.]172[.]101[.]228, 107[.]189[.]18[.]56, 194[.]87[.]29[.]62, 185[.]156[.]72[.]63, 45[.]141[.]87[.]249, 176[.]126[.]163[.]56, 185[.]156[.]72[.]71, 91[.]184[.]242[.]37, 67[.]220[.]72[.]124, 45[.]118[.]248[.]29, 172[.]105[.]148[.]233, 194[.]26[.]27[.]10, 45[.]141[.]86[.]82, 45[.]141[.]87[.]7, 185[.]125[.]50[.]140domain: contology[.]com, clients[.]dealeronlinemarketing[.]com, clients[.]contology[.]com, koonenmagaziner[.]clickurl: https://clients[.]dealeronlinemarketing[.]com/captcha, https://clients[.]contology[.]com/captcha, https://shorter[.]me/XOWyT, https://bitly[.]cx/iddD, https://pastebin[.]com/raw/Wg8DHh2xhash: - md5=82cddf3a9bff315d8fc708e5f5f85f20, - sha256=f92b491d63bb77ed3b4c7741c8c15bdb7c44409f1f850c08dce170f5c8712d55, - sha256=4dc5ba5014628ad0c85f6e8903de4dd3b49fed65796978988df8c128ba7e7de9, - sha256=2ec47cbe6d03e6bdcccc63c936d1c8310c261755ae5485295fecac4836d7e56a, - sha256=a8ba1e14249cdd9d806ef2d56bedd5fb09de920b6f78082d1af3634f4c136b90email:Title: Case of an attack targeting MySQL servers that installs RAT malwareLink: https://asec.ahnlab.com/ko/88468/Summary: The AhnLab Security Intelligence Center (ASEC) reports a series of cyberattacks targeting MySQL servers that are mismanaged and exposed to the internet, particularly in Korea. 
Attackers exploit poorly secured systems using malware variants such as Gh0stRAT, AsyncRAT, and XWorm, among others, often exploiting weak credentials via brute force attacks on port 3306/TCP. Once inside, the attackers deploy User Defined Function (UDF) libraries to execute commands and download further malicious payloads, including a UEMS Agent, which stealthily installs on compromised systems and connects to a specific domain for additional components, highlighting a shift toward using legitimate remote management tools for exploitation instead of traditional backdoor methods.Threats: gh0st_rat asyncrat ddostf xworm_rat hploader zoho_assist_tool sqlshell_tool cringe hiddengh0st uacme_toolIndicators of compromise:-------------------------ip: 103[.]101[.]178[.]170, 154[.]204[.]177[.]54, 154[.]222[.]24[.]186, 39[.]108[.]132[.]22domain: star[.]zcnet[.]net, yyinfo8999[.]fiturl: http://star[.]zcnet[.]net:7766/Server[.]exe, http://39[.]108[.]132[.]22:8080/ceshi[.]exehash: - md5=2cd59cff23a2e0f98e710bf52b799154, - md5=33096e0bc0785ffb2094054bebb9be26, - md5=3ee3a5fef87b72a024bd0f45e6f6039f, - md5=454ff880e99d5777276bdee1a3e078d9, - md5=9d098864bc5746b9ff00432686d59b9femail:Title: Analyzing APT Mustang Panda’s Latest DLL Sideloading Tactics & Malware CampaignLink: https://blog.killswitchx7.com/apt-mustang-panda-malware-campaignSummary: Mustang Panda, a China-aligned cyber espionage group, continues to threaten governmental and non-governmental organizations in Europe and East Asia, particularly targeting Myanmar in 2025. Their primary attack method involves DLL sideloading, utilizing spear-phishing techniques with seemingly legitimate documents that trigger a complex infection process. 
Recent enhancements to their toolkit include the TONESHELL backdoor and SplatCloak driver, aimed at disabling detection systems, while their latest campaign involves the Lightpipe malware, which uses a legitimate signed binary for infection, establishing persistence through task scheduling and registry modifications. The malware exhibits capabilities such as shutting down the victim's computer and employs advanced evasion tactics, illustrating Mustang Panda's adaptation and continued sophistication in cyber operations.Threats: red_delta_group dll_sideloading_technique spear-phishing_technique toneshell splatcloak lightpipe antidebugging_technique dllsearchorder_hijacking_techniqueIndicators of compromise:-------------------------ip: 218[.]255[.]96[.]245domain: www[.]mgood[.]co[.]krurl: https://www[.]mgood[.]co[.]kr/upload/ebook/04-17-2025/NSC_Meeting_Minutes_Apr2025[.]zip, https://www[.]mgood[.]co[.]kr/upload/ebook/04-17-2025/Strategic_Minerals_Development_Policy[.]ziphash: - md5=6d8889f113cdfa27bc76a59c788d6a17, - md5=60033579563b1af5fa06e3cd3d6e0951, - md5=47dff78a81c694066489b7fdac353f28, - md5=bd806ab870f06cec107c5ae44442b5fb, - md5=5d88adf862e6944b995ac6dd5151588d, - md5=2123eab51aa468d5140c3bfe2bbe7775, - md5=42b3081297597814f82aff32e9d7076demail:Title: Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, SophisticationLink: https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophisticationSummary: Proofpoint has identified Amatera Stealer, a new variant of the ACR Stealer, rebranded and marketed as malware-as-a-service (MaaS) with advanced features and sophisticated anti-analysis capabilities. This malware enhances its stealth by employing NTSockets for communication with its command and control server and utilizes complex HTTP requests that avoid traditional DNS resolution. 
Amatera Stealer is distributed through ClearFake, which injects malicious scripts into legitimate sites, using techniques such as EtherHiding and ClickFix to deceive users and extract sensitive information from web browsers, cryptocurrency wallets, and messaging applications while evading detection. The overarching development of Amatera Stealer highlights a significant evolution in the threat landscape posed by information stealers, particularly amid increased competition from other malware solutions.Threats: amatera_stealer acr_stealer lumma_stealer clearfake etherhiding_technique rhadamanthys clickfix_technique fakecaptcha_technique null-amsi_tool dead_drop_techniqueIndicators of compromise:-------------------------ip: 172[.]67[.]178[.]5domain: amaprox[.]icu, overplanteasiest[.]top, badnesspandemic[.]shop, b1[.]talismanoverblown[.]comurl: https://cv[.]cbrw[.]ru/t[.]csproj, https://tt[.]cbrw[.]ru/vb7to8[.]psd, https://cv[.]cbrw[.]ru/init1[.]binhash: - sha256=120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2, - sha256=7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea, - sha256=35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af, - sha256=2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991, - sha256=ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55, - sha256=055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5bemail:Title: APT36 Phishing Campaign Targets Indian Defense Using Credential-Stealing MalwareLink: https://www.cyfirma.com/research/apt36-phishing-campaign-targets-indian-defense-using-credential-stealing-malware/Summary: APT36, also known as Transparent Tribe, is a cyber espionage group based in Pakistan that primarily targets Indian defense personnel through sophisticated phishing campaigns. 
They utilize phishing emails that contain malicious PDF attachments, imitating official government documents, which lead to the download of a disguised executable file designed to steal credentials and facilitate long-term infiltration into Indian defense networks. The malware exhibits stealthy behavior, employing anti-analysis techniques and allowing remote access, data exfiltration, and extensive data theft, including keystrokes and browser cache information, thereby posing a significant threat to national security.Threats: transparenttribe_group credential_stealing_technique credential_harvesting_technique spear-phishing_technique dll_sideloading_technique process_injection_technique credential_dumping_techniqueIndicators of compromise:-------------------------ip: 188[.]114[.]97[.]7, 84[.]32[.]84[.]32, 217[.]114[.]10[.]11, 207[.]244[.]126[.]106, 198[.]252[.]111[.]31, 162[.]254[.]38[.]217, 104[.]21[.]0[.]118domain: superprimeservices[.]com, advising-receipts[.]com, funday24[.]ru, slotgacorterbaru[.]xyz, servisyeni[.]xyz, chillchad[.]xyz, ggpoker[.]xyz, boldcatchpoint[.]shop, zhangthird[.]shop, vipwin[.]buzz, wholly-well[.]info, rapio[.]site, 55cc[.]info, megasofteware[.]net, worrr19[.]sbs, kp85[.]cyou, mczacji[.]top, 59292406[.]xyzurl: https://superprimeservices[.]com/nishat/order/PO-003443125[.]pdf[.]7zhash: - md5=154f4cdcd4b822314293ad566d7255fa, - sha256=f03ac870cb91c00b51ddf29b6028d9ddf42477970eafa7c556e3a3d74ada25c9, - sha256=55b7e20e42b57a32db29ea3f65d0fd2b2858aaeb9307b0ebbcdad1b0fcfd8059, - sha256=55972edf001fd5afb1045bd96da835841c39fec4e3d47643e6a5dd793c904332, - md5=6ee3b0f4cb84e18751e7088043741e9a, - md5=cdb9fb87dcb44d8f3040f4fb87d89508email:Title: Famous Chollima deploying Python version of GolangGhost RATLink: https://blog.talosintelligence.com/python-version-of-golangghost-rat/Summary: In May 2025, Cisco Talos identified a new Python-based remote access trojan (RAT) named "PylangGhost," utilized exclusively by the North Korean-aligned threat actor 
group Famous Chollima. This RAT targets Windows systems and specifically focuses on individuals engaged in cryptocurrency and blockchain technologies, with a significant concentration of attacks in India. The malware functions similarly to the previously known GolangGhost RAT, employing deceptive tactics such as fake job postings to lure victims into executing malicious commands that deliver the trojan. PylangGhost is structured into six Python modules designed for tasks like establishing persistence and connecting to a command and control server, while its communication uses RC4 encryption over an unencrypted HTTP protocol to facilitate data exfiltration, including sensitive information from popular browser extensions.Threats: famous_chollima_group golangghost pylangghost wagemole_campaign contagious_interview_campaign clickfix_technique robinhoodIndicators of compromise:-------------------------ip: domain: api[.]quickcamfix[.]online, api[.]auto-fixer[.]online, api[.]quickdriverupdate[.]online, api[.]camtuneup[.]online, api[.]driversofthub[.]online, api[.]drive-release[.]cloud, api[.]vcamfixer[.]online, api[.]nvidia-drive[.]cloud, api[.]nvidia-release[.]us, api[.]autodriverfix[.]online, api[.]camdriversupport[.]com, api[.]smartdriverfix[.]cloud, api[.]drivercams[.]cloud, api[.]camtechdrivers[.]com, api[.]web-cam[.]cloud, api[.]camera-drive[.]org, api[.]nvidia-release[.]org, api[.]fixdiskpro[.]online, api[.]autocamfixer[.]online, krakenhire[.]com, yuga[.]skillquestions[.]com, uniswap[.]speakure[.]com, doodles[.]skillquestions[.]com, www[.]hireviavideo[.]com, kraken[.]livehiringpro[.]com, quiz-nest[.]com, www[.]smartvideohire[.]com, www[.]talent-hiringstep[.]com, provevidskillcheck[.]com, skill[.]vidintermaster[.]com, digitaltalent[.]review, robinhood[.]ecareerscan[.]com, evalswift[.]com, livetalentpro[.]com, quantumnodespro[.]com, evalassesso[.]com, parallel[.]eskillora[.]com, coinbase[.]talentmonitoringtool[.]com, uniswap[.]testforhire[.]com, 
coinbase[.]talenthiringtool[.]com, crosstheages[.]skillence360[.]com, parallel[.]eskillprov[.]com, assesstrack[.]com, talent-hiringtalk[.]com, uniswap[.]prehireiq[.]com, fast-video-recording[.]comurl: http://31[.]57[.]243[.]29:8080, http://154[.]58[.]204[.]15:8080, http://212[.]81[.]47[.]217:8080, http://31[.]57[.]243[.]29, http://154[.]58[.]204[.]15, http://212[.]81[.]47[.]217, http://31[.]57[.]243[.]190hash: - sha256=a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a, - sha256=c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b, - sha256=0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec, - sha256=8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a, - sha256=5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e, - sha256=267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3, - sha256=7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32, - sha256=b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5, - sha256=fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225, - sha256=d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd, - sha256=b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee, - sha256=1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee, - sha256=ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e, - sha256=929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b, - sha256=127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780, - sha256=0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385, - sha256=c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6, - sha256=e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4, - sha256=28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df, - sha256=fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d, - sha256=d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fdemail:Title: 
Threat Group Targets Companies in TaiwanLink: https://www.fortinet.com/blog/threat-research/threat-group-targets-companies-in-taiwanSummary: In January 2025, FortiGuard Labs uncovered a cyber attack targeting users in Taiwan, involving the distribution of malware known as winos 4.0 through phishing emails masquerading as communications from the National Taxation Bureau. The campaigns used deceptive tactics, including links to malicious domains and password-protected ZIP files containing the HoldingHands RAT, which enabled attackers to execute advanced techniques for privilege escalation. The malware facilitated command and control communications, extracted vital system information, and showcased an evolving threat landscape as the attackers employed diverse malware types and complex execution methods to maintain persistent access to the compromised systems.Threats: holdinghands winos gh0stbin_rat cringe gh0stcringIndicators of compromise:-------------------------ip: 154[.]91[.]85[.]204, 154[.]86[.]22[.]47, 156[.]251[.]17[.]17, 206[.]238[.]179[.]173, 206[.]238[.]220[.]60, 206[.]238[.]199[.]22, 154[.]91[.]85[.]201, 206[.]238[.]221[.]182, 206[.]238[.]196[.]32, 154[.]91[.]64[.]45, 206[.]238[.]115[.]207, 156[.]251[.]17[.]12, 107[.]149[.]253[.]183domain: twszz[.]xin, 00-1321729461[.]cos[.]ap-guangzhou[.]myqcloud[.]com, 6-1321729461[.]cos[.]ap-guangzhou[.]myqcloud[.]com, twzfte-1340224852[.]cos[.]ap-guangzhou[.]myqcloud[.]com, cq1tw[.]top, twcz[.]pro, twczb[.]com, twnc[.]ink, twnic[.]icu, twnic[.]ink, twnic[.]ltd, twnic[.]xin, twsa[.]top, twsw[.]cc, twsw[.]club, twsw[.]info, twsw[.]ink, twsw[.]ltd, twsw[.]pro, twsww[.]vip, twsww[.]xin, twswz[.]top, twswzz[.]xin, twtgtw[.]net, twzfw[.]vipurl: hash: - sha256=6558dfb070421c674b377a0a6090593fa0c44d5b0dec5325a648583f92175ce2, - sha256=d3a270d782e62574983b28bd35076b569a0b65236e7f841a63b0558f2e3a231c, - sha256=a8430ce490d5c5fab1521f3297e2d277ee7e7c49e7357c208878f7fd5f763931, - 
sha256=7d3f352ded285118e916336da6e6182778a54dc88d4fb7353136f028ac9b81e0, - sha256=143f434e3a2cac478fb672b77d6c04cdf25287d234a52ee157f4f1a2b06f8022, - sha256=c25e80cd10e7741b5f3e0b246822e0af5237026d5227842f6cf4907daa039848, - sha256=7263550339c2a35f356bb874fb3a619b76f2d602064beada75049e7c2927a6dc, - sha256=a8b6c06daeede6199e69f4cafd79299219def5bf913a31829dede98a8ad2aaa9, - sha256=6fcd6aef0678d3c6d5f8c2cb660356b25f68c73e7ee24fbb721216a547d17ffa, - sha256=ed72721837c991621639b4e86ffe0c2693ef1a545741b5513d204a1e3e008d8c, - sha256=65edd9e1a38fd3da79c8a556eb2c7c595125ffec9f7483e2e6e189a08cc5d412, - sha256=0a0375648bc9368bccfd3d657d26976d5b1f975381d1858d001404d807334058, - sha256=e809582faccdd27337aa46b4a11dd11f5d0c7d7428ebdc8c895ea80777e4da5f, - sha256=59d2433264d8ec9e9797918be3aa7132dbeb71e141f6e5c64c0d6f1cb4452934, - sha256=ac957ba4796f06c4bf0c0afb8674bbeb30eb95cef85bc68ced3ee1aa30e3acff, - sha256=9296adb71bc98140a59b19f68476d45dbb38cc60b9e263d07d14e7178f195989, - sha256=636c2ccffce7d4591b0d5708469070b839f221400b38189c734004641929ae05, - sha256=31ffa4e3638c9e094275051629cc3ac0a8c7d6ae8415bbfcacc4c605c7f0df39, - sha256=da3deea591b59b1a0f7e11db2f729a263439a05f3e8b0de97bbac99154297cea, - sha256=e2269b38655a4d75078362856c16594e195cd647c56b8c55883b8e1286baa658, - sha256=52632d9e24f42c4651cf8db3abc37845e693818d64ab0b11c235eddf8e011b2f, - sha256=7200155f3e30dbbd4c4c26ce2c7bd4878ab992b619d80b43c0bd9e17390082fc, - sha256=e516b102a2a6001eafb055e42feb9000691e2353c7e87e34ddaa99d7d8af16fd, - sha256=a9ddd4e4d54336ce110fdc769ff7c4940f8d89b45ee8dc24f56fc3ea00c18873, - sha256=a12d17cca038cdbf79b72356e5d20b17722c7b20bd2ee308601bac901890f3f4, - sha256=b1ac2178c90c8eafd8121d21acbae7a0eb0cbc156d4a5f692f44b28856a23481, - sha256=a6c1629b4450f713b02d24f088c4f26b0416c6a7924dcf0477425f3a67a2e3ff, - sha256=3ce81c163ddedb132116cdf92aae197ced0b94f3fc3d1036f5c41b084a256a03, - sha256=a19fdfc131e8fbe063289c83a3cdefb9fb9fb6f1f92c83b892d3519a381623db, - 
sha256=db15f45f69f863510986fb2198a8a6b3d55d8ccc8a2ed4bb30bc27bdd1bf151c, - sha256=bf1a7938f61a9905e1b151c7a5f925a2ce3870b7c3e80f6e0fc07715bdc258b7, - sha256=f42c6949c6d8ecf648bacca08cde568f11ec2663221a97dae5fbf01218e8775aemail:Title: SadFuture: Mapping XDSpy latest evolutionLink: https://harfanglab.io/insidethelab/sadfuture-xdspy-latest-evolution/Summary: A sophisticated malware campaign has been discovered that exploits a vulnerability in Microsoft Windows, identified as "ZDI-CAN-25373," using LNK files as an infiltration vector. This campaign involves the distribution of a downloader named ETDownloader, which gathers sensitive information and communicates with a command-and-control server, quan-miami.com, utilizing encrypted commands. Linked to the threat actor XDSpy, the malware has targeted governmental bodies in Eastern Europe since at least 2011, employing advanced Tactics, Techniques, and Procedures to evade detection and maintain operational security, ultimately reflecting an ongoing espionage effort focused on Belarus and its surrounding regions.Threats: xdspy_group etdownloader xdigo lolbas_technique spear-phishing_technique silent_werewolf_group minidump_tool meterpreter_toolIndicators of compromise:-------------------------ip: domain: melodicprogress[.]com, pechalnoyebudushcheye[.]com, quan-miami[.]com, sogrevayushchiynapitok[.]com, vashazagruzka365[.]com, zagruzka-pdf[.]com, utrennyesolntse[.]com, temnayamashina[.]com, otpravkafaylov[.]com, zelenyysalat[.]com, cellporyad[.]com, sbordokumentov[.]com, bystryvelosiped[.]com, zhestovyyliker[.]com, slomannyymonitor[.]com, krasnayastena[.]com, kletchatayarubashka[.]com, svobodnoepredlozheniye[.]com, zagruzkadannykh[.]com, khitrayalisitsa[.]com, vash-disk[.]com, chistyyvozdukh[.]com, file-bazar[.]com, www[.]tvoy-disk[.]com, www[.]skachivanie-failov24[.]com, lunnayareka[.]com, tantsuyushchiykarlik[.]com, enjoyever[.]com, pdf-bazaar[.]com, pdfdepozit[.]com, aoc-upravleniye[.]com, bukhgalter-x5group[.]com, 
dwd765m[.]com, khoroshayamych[.]com, magnitgroup[.]com, ru-pochta365[.]com, ru-sistema[.]com, utrenneyesolntse[.]com, laultrachunk[.]com, promenimath[.]com, doverennyye-fayly[.]com, faylsklad[.]com, moy-pdf[.]com, nevynosimayapchela[.]com, pdf-reyestr[.]com, pdf-sklad[.]com, reyestr-faylov[.]com, serayagrust[.]com, protej[.]org[.]nniir[.]com, nniir[.]com, file-magazin[.]com, pdfmagazin[.]com, skachivanie-failov[.]com, zetta-strakhovaniye[.]com, downloading24[.]com, easy-download24[.]com, full-downloader[.]com, skachivanie-failov24[.]com, obmen-faylami[.]com, tvoy-disk[.]com, www[.]vashi-fayly[.]com, zagruzkafayla[.]comurl: https://quan-miami[.]com/wevjhnyhhash: - sha256=1793dae4d05cc7be9575f14ae7a73ffe3b8279a811c0db40f56f0e2c1ee8dd61, - sha256=021d13de99e996fbf03e57b78ce67630c19d33242eee8480383d7b065edebb51, - sha256=9f17ff59172a802bc6ce8490c1ea379a5bf75af839f8b59373fba8c51e878af0, - sha256=40e3fcfcc09fd84b2745b75e0e5e7beae866f4300ec8f36e2e9ab3197f198dcd, - sha256=15277bfc6b784c373d535fbda9396bd16c15d990943423167602fb81b26d0f07, - sha256=95060ba948948eea9bfc801731960b97d3efceb300622630afcbccfe12c21ccd, - sha256=792c5a2628ec1be86e38b0a73a44c1a9247572453555e7996bb9d0a58e37b62b, - sha256=5e34d754b0a938de7e512614f8fc6d7cd6c704f76b05044e07c97bd44bd5d591, - sha256=68347b0c6494a56dd0f6492c6c56158b46bcaf44878a8741f6e63ff2946cf30f, - sha256=7e04c69685d8612f7fc3512ad9ad1802a28428f75874b8717c0f04e939a3324d, - sha256=f3f2c3c5836ce6e3cb92aa6dfc0f133e15a7fd169a3d1049b7d82e49d1577273, - sha256=448245612a5388074e32251a0b44769170c586cc4c2ae06cd953c7a461ce34a6, - sha256=747dfd7f0ca893034136fd286c737b55edc9276b5794a02c6dd3771da0342729, - sha256=5248b0e4af1914762cc1c436a898d12d5f74980b816155f4191dc9692402668f, - sha256=7a2af22372a4fd3ba89d36fdee38967cb77f43e14255d0b5ad80da863b146625, - sha256=7c0597aa77031a100db0941921b60f08079bec7f710b6e736a15012db6465c39, - sha256=031e05d15afabef6010179d2acd09925395167fd442b64b6aa8ffd81bd5e268e, - 
sha256=056cd36bf4bc6efc119a64f2ffedd76f3dcb75daa95c22c59d91664dfcaa6fd5, - sha256=fb1df37336d79861b13d5f4ba875393c7e91b12cd73302cb414c1d084104a6a8, - sha256=c8899a6e8d3dd11c75217253f8dd78f5029c01e886880cafce0388d5fd6aa54b, - sha256=ffc538f2c6e91f07be067311ed143d28c5437a8af69974f751c043e2944d60b2, - sha256=efd44bc4e0efcab72106ea065c8a89d51d499202732319b21324487e8d00eccf, - sha256=2dde92fc0936cb275be79d5864c98772d1270e4a54c01e61ebc4b856b5e048d5, - sha256=666f4977abf17db6da2d05b385c5cf53f6500517226a3ac5bd0360eda9193d08, - sha256=be6a545180300554eea2ee6ece9f835a12996059d726df810fe13ba0044033cd, - sha256=07e2376d2c4318b0f9c472d01342d67e23a2e8edc182533a291336dfeaff4e60, - sha256=12fd8d45a181adfd6725ea9806d72ed61b3af1e31d80fa7ddd32e1932a8dfd75, - sha256=bcb5df098a79e3bc1d8bcb3b1a354b6643afdb4ca40333e0548e5ed1a9470cac, - sha256=f7be89ae645831d519b7c781d69cf8e88e5762b824c9a6753eb16b25c4abef76, - sha256=a8d578d4b50ac4029db22b76563e927ab691075aacc87621795b16b388b7d48c, - sha256=ef8fdec66751b6a17da45dd4d9c22cef8d3c78604e7a8bc6fc8e2b30342ff408, - sha256=0993b0bb897402954eb9057bc84ea98e2c12ff1185a87ac3c3a15a241560bb1a, - sha256=0a626f1837da9043e65ccf9e23192aef36d58402a1fd56577952c7bb426f2ec5, - sha256=e0ffc3442215b888c55d8dfd9d33c5cfff315a59089aeb42da4cf6869eed8f5d, - sha256=77b2f2ef5bc3b7bb2d1b85491ece85b56da37685652526c6fa6e3562cd12e3b6, - sha256=83341b08425a1a247becd79e829064ddbd309636d7d62a369338ffd47af6e955, - sha256=5409eb70942a6b875d8343437bb04e368f56de1854953fa87890fc8ee8a8bc37, - sha256=a9b9022aedd1b9afbd7ab1f11f60f236102e1f70b340658da8cb39c072a9af61, - sha256=155b94be1c3dca48314f6f2ee0c89c09553851ecc9ceefc436e16ebb7fca5f1a, - sha256=2414dd462e3ca05ecd37aa56dc8841f5ef9588663572e7bc36d07520af7864b1, - sha256=bbc5e80d3f068d8eff0cfa745ecba97903a83dfd9fe6f43cf05e803bbe9ce8b9, - sha256=e95f2982195399b5f9e453be6db02a346bb516320659a3ade2c385bcb7fc27da, - sha256=ef34c433c818774b466ba4e6f677b1c6cf51bb9213a60fd779fd7df39011e97b, - 
sha256=4f1d5081adf8ceed3c3daaaa3804e5a4ac2e964ec90590e716bc8b34953083e8, - sha256=9c1acde0627da8b518b0522d6fed15cecf35b20ed8920628e9f580cfc3f450ed, - sha256=bc0b9075e3b8504c4e0c7097c6be8aa05f96032053ec43e502d297136aaf375e, - sha256=ccf56b6b727da47c89f7a1a47cc04ab3a41d225c1298a74f16c939a5622b03f2, - sha256=536cd589cd685806b4348b9efa06843a90decae9f4135d1b11d8e74c7911f37d, - sha256=dd279ea6c2a660ff7e70788af4a6c98524836c1b63beed756a77942c83de06fa, - sha256=a28ee84bfbad9107ad39802e25c24ae0eaa00a870eca09039076a0360dcbd869, - sha256=0b705938e0063e73e03645e0c7a00f7c8d8533f1912eab5bf9ad7bc44d2cf9c3, - sha256=52a98f2b2de46bc0835a11d2ba22b874a09788596507c13ac22b9b8877a8f3c6, - sha256=678f79e78847a1274238740bb8cada62f9c41cab96df8537d87d38850502d0a2, - sha256=e62c3135fd708ee420cf767fa1654d8d66ff01f5160ddadf633e3cc5eaeaa926, - sha256=7d6eb47ff307bebf87022575edd19181ad34ee5a5db1f408a25d16cd27d8aa2f, - sha256=b03d9dd170cd82890ee1a5503529b81ce8064893e31a88b87081a8c72610d810, - sha256=cfd0d56ca3d6c9ca232252570522c4b904be2807c461276979b1f8c551ccd4aa, - sha256=40bc204062a1f936c246fbffbed1a6bb41107ad9e5ad25df8970e4090258e145, - sha256=e14fdb6c0b5b64e1ca318b7ad3ac9a4fd6dec60ef03089b87199306eba6e0ca6, - sha256=904db68a915b4bbd0b4b2d665bb1e2c51fa1b71b9c44ce45ccd4b4664f2bfd8e, - sha256=564b2184a7f53d5f1680673ced354f5e956d897b7e1ea7d3f992cc38be6a9b20, - sha256=81bb1cf3a805c1375bb3251eea9f1ad132ab1266295a75cda9ffe9278588ac7f, - sha256=65209053f042e428b64f79ea8f570528beaa537038aa3aa50a0db6846ba8d2ec, - sha256=59b907430dde62fc7a0d1c33c38081b7dcf43777815d1abcf07e0c77f76f5894, - sha256=5be9aba659baa089bcd253905deaf3f084f2b8f03701e90f2a46b36781165925, - sha256=38489af1360af2cb7ba70f61e4c562fa63ce58e59576ba452db560f75ed1680a, - sha256=d5c0fd26ba1504bde3222202f7a257efa9cdbc6949718495a7c33cd6510fce2a, - sha256=3adeda2a154dcf017ffed634fba593f80df496eb2be4bee0940767c8631be7c1, - sha256=49714e2a0eb4d16882654fd60304e6fa8bfcf9dbd9cd272df4e003f68c865341, - 
sha256=0d983f5fb403b500ec48f13a951548d5a10572fde207cf3f976b9daefb660f7e, - sha256=e32f04362ec4db90e024bfb57adf6e5c02f1061cd17dbf81a5bbc0b588119b25email:Title: Dark Partners: The crypto heist adventure of Poseidon Stealer and Payday LoaderLink: https://g0njxa.medium.com/dark-partners-the-crypto-heist-adventure-of-poseidon-stealer-and-payday-loader-c91382fac5c8Summary: A malware campaign named "Dark Partners" has been identified, targeting Windows and MacOS users through malicious payloads delivered by a loader called "PayDay Loader." This campaign exploits impersonated websites mimicking reputable AI and VPN services to build user trust, facilitating the distribution of infostealers like Poseidon Stealer for MacOS. The PayDay Loader employs anti-sandbox techniques to avoid detection and encodes command and control server information using Google Calendar links, resulting in the silent installation of various malware types—most notably, Lumma Stealer, which harvests sensitive data, including cryptocurrency wallet information. Dark Partners' operations leverage certificate-based signing, acquiring EV certificates to distribute their malware, though these are regularly revoked, prompting temporary disruptions in their campaign. 
The main aim of Dark Partners is to monetize stolen data, particularly by accessing victims' cryptocurrency holdings and credentials through innovative exploitation techniques.Threats: dark_partners_campaign payday_loader poseidon ultraviewer_tool lumma_stealer process_hacker_tool sandman_group procmon_tool dead_drop_technique uac_bypass_technique lolbin_techniqueIndicators of compromise:-------------------------ip: 140[.]82[.]54[.]223, 95[.]179[.]216[.]217domain: haiper-black[.]little-mouse[.]net, swett-black[.]upscayl-ai[.]org, magicalstyle[.]org, download[.]dianecarson[.]workers[.]dev, panel[.]dianecarson[.]workers[.]dev, x00x[.]online, panel[.]x00x[.]online, app-tools[.]info, bendiregitimi[.]com, face[.]techdom[.]click, mulkrsvtolooy8s[.]woltde[.]com, -217[.]netherlands-2[.]vps[.]ac, runwayml[.]mandarin-ca[.]com, abstract[.]little-mouse[.]net, copy-ai[.]little-mouse[.]net, copy-ai-de[.]little-mouse[.]net, haiper[.]little-mouse[.]net, upscayl-ai[.]org, runway[.]upscayl-ai[.]org, run[.]upscayl-ai[.]org, runway-two[.]upscayl-ai[.]org, runway-black-two[.]upscayl-ai[.]org, tg-l[.]upscayl-ai[.]org, sweet[.]upscayl-ai[.]org, soraai-install-now[.]com, get-loom[.]org, app-creatify[.]com, tiktok-studio-download[.]com, get-loom[.]com, get-tradingview[.]org, my-bisc[.]network, creatify-app[.]com, my-creativity[.]org, my-pica[.]com, my-pica[.]art, my-descript[.]com, my-koinly[.]com, my-hotgame[.]com, meta-trader5[.]com, my-creatify[.]org, tradingview-app[.]org, ai-creatify[.]org, my-loom[.]org, piica-art[.]com, traidingview-app[.]com, windscriibe[.]org, sora-install-now[.]com, blender-ai[.]com, descript-ai[.]com, loom-rewind[.]com, piica[.]org, deepseek-download[.]com, app-deepseek[.]org, app-deepspeek[.]com, ai-deepseek[.]org, my-deepseek[.]com, get-deepseek[.]com, my-deepseek[.]org, sora-ai-explore[.]com, loom-download[.]com, soraai-install[.]com, openai-index[.]org, sora-ai-download-now[.]com, sora-installs[.]com, my-exodus[.]com, check-airdrop[.]org, index-my[.]com, 
tradingview-exchange[.]com, lumion2024[.]com, -alpha[.]com, app-ispring[.]com, get-hiper[.]me, creatify-ai[.]org, videopto[.]com, moxon4d[.]com, maxon-cinema4d[.]com, videoproconv[.]org, runway-gen3-alpha[.]com, runaway-gen3[.]com, alpha-gen-3[.]com, gen3alpha[.]org, openai[.]app-technology[.]org, sora-library[.]com, gen3ai[.]app-technology[.]org, ai[.]app-technology[.]org, app-technology[.]org, ai[.]app-openai[.]com, sora-ai[.]app-openai[.]com, index-sora[.]app-openai[.]com, sora[.]app-openai[.]com, my-sora[.]app-openai[.]com, app-openai[.]com, get-openai[.]app-sora[.]org, app-sora[.]org, ai-runway[.]gen3-alpha[.]com, get-runway[.]gen3-alpha[.]com, get[.]openai-index-sora[.]com, generation[.]openai-index-sora[.]com, openai-index-sora[.]com, replicate-page[.]generate-ai[.]org, get[.]index-sora-ai-video[.]com, runwayai[.]gen3-alpha[.]com, openai[.]index-sora-ai-video[.]com, index-sora-ai-video[.]com, italy-openai[.]app-sora[.]org, app[.]unusual-whales[.]com, france-openai[.]app-sora[.]org, spain-openai[.]app-sora[.]org, openai[.]app-sora[.]org, gen3-alpha[.]com, runway[.]gen3-alpha[.]com, unusual-whales[.]com, tiktoklivestudio[.]com, runway[.]xyz-domination[.]com, eth[.]xyz-domination[.]com, eclipse[.]xyz-domination[.]com, abstract[.]xyz-domination[.]com, girlvanc[.]xyz-domination[.]com, tt[.]xyz-domination[.]com, koinly[.]xyz-domination[.]com, metatrader[.]xyz-domination[.]com, bisq[.]xyz-domination[.]com, aave[.]xyz-domination[.]com, descript[.]xyz-domination[.]com, ledger[.]xyz-domination[.]com, earni-fi[.]xyz-domination[.]com, tg-l[.]xyz-domination[.]com, redirect[.]xyz-domination[.]com, windscribe[.]xyz-domination[.]com, tradingview[.]xyz-domination[.]com, piica-org[.]xyz-domination[.]com, loom-rewind[.]xyz-domination[.]com, creatify[.]xyz-domination[.]com, sora[.]xyz-domination[.]com, phm9gg3zoacooy[.]xyz-domination[.]com, loom-rewind[.]app-tools[.]info, earni-fi[.]app-tools[.]info, wind-scribe[.]app-tools[.]info, piica-org[.]app-tools[.]info, 
ledger[.]app-tools[.]info, redirect[.]app-tools[.]info, jotoform[.]app-tools[.]info, deep[.]app-tools[.]info, tradingview[.]app-tools[.]info, runwayml[.]app-tools[.]info, tg-l[.]app-tools[.]info, creatify[.]app-tools[.]info, upscayl[.]app-tools[.]info, hedra[.]app-tools[.]info, aiarty[.]app-tools[.]info, timedoctor[.]app-tools[.]info, videoproc[.]app-tools[.]info, ispring[.]app-tools[.]info, maxon[.]app-tools[.]info, lumion[.]app-tools[.]info, unusualwhales[.]app-tools[.]info, albert[.]app-tools[.]info, stripe[.]app-tools[.]info, macclean[.]app-tools[.]info, phm9gg3zoacooy[.]app-tools[.]info, redirect-gqxpcgzdrjeebyx[.]app-tools[.]info, deepseek-umxvljvoilcnxih[.]app-tools[.]info, stripe-redirect-zoimglwkogheeel[.]app-tools[.]info, haiper-umxvljvoilcnxih[.]app-tools[.]info, sweethome-umxvljvoilcnxih[.]app-tools[.]info, face-umxvljvoilcnxih[.]app-tools[.]info, sora-umxvljvoilcnxih[.]app-tools[.]info, mac-clean-umxvljvoilcnxih[.]app-tools[.]info, runway-umxvljvoilcnxih[.]app-tools[.]info, proai[.]bignoxplay[.]com, sweethome[.]bignoxplay[.]com, synthesia[.]bignoxplay[.]com, uizard[.]bignoxplay[.]com, luminar[.]bignoxplay[.]com, akool[.]bignoxplay[.]com, weface[.]bignoxplay[.]com, haiper[.]bignoxplay[.]com, aimodel[.]bignoxplay[.]com, lulu[.]mandarin-ca[.]com, monday[.]mandarin-ca[.]com, -trip-ae[.]com, postman[.]travel-watch[.]org, bybit[.]travel-watch[.]org, proai[.]travel-watch[.]org, havoc[.]travel-watch[.]org, sweethome[.]travel-watch[.]org, synthesia[.]travel-watch[.]org, uizard[.]travel-watch[.]org, aimodel[.]travel-watch[.]org, luminar[.]travel-watch[.]org, haiper[.]travel-watch[.]org, weface[.]travel-watch[.]org, ultra[.]cleartrip[.]voyage, dipo[.]cleartrip[.]voyage, liama[.]cleartrip[.]voyage, cap[.]cleartrip[.]voyage, albert[.]cleartrip[.]voyage, sweethome[.]cleartrip[.]voyage, synthesia[.]cleartrip[.]voyage, uizard[.]cleartrip[.]voyage, sorablack[.]cleartrip[.]voyage, macblack[.]cleartrip[.]voyage, mac[.]cleartrip[.]voyage, akool[.]cleartrip[.]voyage, 
haiper[.]cleartrip[.]voyage, weface[.]cleartrip[.]voyage, leonardoai[.]evoto-ai[.]me, haiper[.]techdom[.]click, akool[.]techdom[.]click, facetwo[.]techdom[.]click, luminarblack[.]techdom[.]click, aimodel[.]techdom[.]click, uizard[.]techdom[.]click, synthesia[.]techdom[.]click, locketgold[.]techdom[.]click, liama[.]techdom[.]click, upscayl[.]techdom[.]click, ynthesia[.]techdom[.]click, haiper[.]evoto-ai[.]me, black[.]evoto-ai[.]me, evoto-ai[.]me
url:
hash: - sha256=b5151e75e8e8af1519bef9111f2acbb24b290f0b1f9e7bc0518e9e6eac95f7cc, - sha256=5ca6b15a14af2c8e9024e6168a8b30b84b49aeb593af31ecd7d0bbfc0a82c067, - sha256=07b610bf7862614da77ebf4ba2773471fc6f9dc80a6e64b9f1e1287e260d739b, - sha256=cee3a87d1cbce053b9ab01966eecab5eee34934b62ea662fe8bc97a0ef6f4f11, - sha256=80303bf8c5e0d105e96c61627e5bc599ced1a9708c216fa575d7ce33535e7047, - sha256=7a368e51340b4cf673bce4031aafbb091f889439108e0bd9af7f9db39637c92f, - sha256=b9457326cb02aa98a2e9243b79ba6cc1138485d1066b64621b6013c6df15d8a2, - sha256=e6c74a6f5d4b19f33730576fc8d0104501327f208ca4bd3cf0b96be86cc4e911, - sha256=c90782b335649daeb853d04944f138a5662d5644d642f07e4a064ff1315fe2cf, - sha256=3c82e15750142216665e2a2537ce5d0de05312ff06bdf62819ef86cbb3826d08, - sha256=2355248070b08d290a07e9a6ff8f8eed856a1bdfb28e256368afdb89ffc38e35, - sha256=c3f9c300ca939a51d599114246beb08afb473bff565438994e9e1b457dbf5492, - sha256=5a1fab9beb8ee0c8f570d5df14c018b3444b0859b0b9f8cb6abc41fb9bf4e073, - sha256=9d54779c91c5ff137e5c5c4b7eb1a284d29dc27c4e64126615c58e4557ee998c, - sha256=82d2b0397dba3749c0444a70a197edaf4c862d815f00c2c4b47746c8e11da4f7, - sha256=bdda199202fb5d66c5e17539818b06d6b514af8a9a6535a4393fecd3a32e670c, - sha256=f82be98ea43b62e983683c0494dc6abf7a155843363f0107d484247ff1c2520a, - sha256=4924ff91e9be84960f9241130e080bb5f3cbf19f17f62e1fc15e48fb6852cd89, - sha256=baa5220f6fed2cf0b526b1b2fbc3fbf45abf1968de40acbab99f0e57ab2127b1, - sha256=aa39323513603117cbc6d6c694849e92854b4193e22be087ec0f20019872e98a, - sha256=85f61e048c330aaafd81ac5a78b8d72049d80e006fcfd95e32afaf8a883d2b10, - sha256=3ef9c05b09eced9e1ea6bd3ebaaf6df26573db0addbbdcef025fb1f0438f5e7a
email:
Title: APT-C-60 (Pseudo Hunter) Attack Evolution: Dynamic Payload Distribution and Command Relay Based on GitHub
Link: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247506307&idx=1&sn=917d291b3f14b349263a9b0a2f115323&chksm=f9c1ea8aceb6639ce7e8fa02c8630b203f508d3d971d21174c6a55f1bf4d4102ddc2af602d73&scene=178&cur_album_id=1955835290309230595&search_click_id&poc_token=HF9FVGijkTpFSMB-M7CWfzibM6JAyWn_ZJDaBEvu
Summary: APT-C-60, also known as Pseudo Hunter, is a North Korean advanced persistent threat (APT) group active since at least 2014, which primarily targets Korean government, economy, trade, and culture-related entities. Investigations by the 360 Advanced Threat Research Institute have identified APT-C-60's use of trusted cloud services like GitHub and Bitbucket to create covert command channels, enhancing their stealthy operations. The malware associated with this group includes an encrypted payload that operates through distinctive mechanisms, ensuring limited exposure while executing a two-step delivery process on compromised machines, and is equipped with functionalities such as keylogging, all while adhering to specific communication protocols reminiscent of previous APT-C-60 samples.
Threats: camouflaged_hunter_group spear-phishing_technique com_hijacking_technique goldbar
Indicators of compromise:
-------------------------
ip: 66[.]85[.]161[.]186
domain:
url: https://c[.]statcounter[.]com/13075150/0/caa8d685/1, https://raw[.]githubusercontent[.]com/goldbars33/ozbdkak33/refs/heads/main, https://github[.]com/fenchiuwu/class2025/raw/refs/heads/main, https://github[.]com/football2025/class2025/raw/refs/heads/main/Master[.]txt, https://bitbucket[.]org/clouds999/glo29839/downloads
hash: - md5=df58cd2b90db1960c8ac30f57839e513, - md5=b3b0366a5696ab4a733cbfb0dddcc563, - md5=cc0c2ffe71cf06f8bc907b4a1276d586, - md5=1afcdf065669868e038a5fab934c28d2
email:
This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
# Tool/Technique: GHOSTPULSE Loader
## Overview
GHOSTPULSE is a malware loader identified in recent ClickFix campaigns. Its primary purpose is to execute malware through a multi-stage approach, leveraging social engineering tactics like phishing pages mimicking legitimate services to trick users into running malicious PowerShell commands. It is notable for its continuously evolving evasion techniques.
## Technical Details
- Type: Malware Loader
- Platform: Windows (implied by PowerShell usage)
- Capabilities: Multi-stage execution, payload encryption/storage within image files, execution via malicious PowerShell commands.
- First Seen: March 2024 (in context of ClickFix campaigns)
## MITRE ATT&CK Mapping
*Note: Specific mappings are inferred based on description (loader, execution via PowerShell, evasion).*
- TA0002 - Execution
- T1059.001 - Command and Scripting Interpreter: PowerShell
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (storing encrypted payloads)
## Functionality
### Core Capabilities
- Injecting or executing subsequent malicious payloads.
- Utilizing a multi-stage execution chain.
- Initial stage involves deceiving users into running malicious PowerShell scripts.
### Advanced Features
- Storing encrypted payloads inside image files for obfuscation.
- Evolving evasion techniques over time.
## Indicators of Compromise
- File Hashes:
  - MD5: 82cddf3a9bff315d8fc708e5f5f85f20
  - SHA256: f92b491d63bb77ed3b4c7741c8c15bdb7c44409f1f850c08dce170f5c8712d55
  - SHA256: 4dc5ba5014628ad0c85f6e8903de4dd3b49fed65796978988df8c128ba7e7de9
  - SHA256: 2ec47cbe6d03e6bdcccc63c936d1c8310c261755ae5485295fecac4836d7e56a
  - SHA256: a8ba1e14249cdd9d806ef2d56bedd5fb09de920b6f78082d1af3634f4c136b90
- File Names: Not explicitly provided.
- Registry Keys: Not provided.
- Network Indicators: (Associated C2/Delivery IPs for the associated campaign)
  - IP: 50[.]57[.]243[.]90, 144[.]172[.]97[.]2, 143[.]110[.]230[.]167, 66[.]63[.]187[.]22, 45[.]94[.]47[.]164, 84[.]200[.]17[.]129, 82[.]117[.]255[.]225, 45[.]77[.]154[.]115, 144[.]172[.]94[.]120, 79[.]124[.]62[.]10, 62[.]60[.]247[.]154, 107[.]189[.]24[.]67, 185[.]156[.]72[.]80, 85[.]158[.]110[.]179, 144[.]172[.]101[.]228, 107[.]189[.]18[.]56, 194[.]87[.]29[.]62, 185[.]156[.]72[.]63, 45[.]141[.]87[.]249, 176[.]126[.]163[.]56, 185[.]156[.]72[.]71, 91[.]184[.]242[.]37, 67[.]220[.]72[.]124, 45[.]118[.]248[.]29, 172[.]105[.]148[.]233, 194[.]26[.]27[.]10, 45[.]141[.]86[.]82, 45[.]141[.]87[.]7, 185[.]125[.]50[.]140
- Behavioral Indicators: Execution chains initiated by user interaction with socially engineered lures leading to PowerShell execution.
## Associated Threat Actors
Not explicitly named, but associated with ClickFix campaigns delivering Lumma and ARECHCLIENT2/SectopRAT.
## Detection Methods
- Signature-based detection: Based on provided file hashes.
- Behavioral detection: Monitoring for unauthorized PowerShell execution chains originating from user interaction with deceptive files or prompts.
- YARA rules: Not provided.
## Mitigation Strategies
- User awareness training focused on social engineering ('ClickFix' deception) and verifying legitimacy of requested updates/scripts.
- Application control policies to restrict unauthorized PowerShell execution.
- Monitoring for the use of image files containing suspicious encrypted data.
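The last mitigation point is the one most teams have no tooling for. The following is an added example (not code from the report or from Elastic) of a triage check a defender can run over image files collected from a suspect host: it walks the PNG chunk structure, reports any bytes appended after the IEND chunk and any non-standard chunk types, and scores each with Shannon entropy, since an encrypted payload stands out as a large near-8.0-bits-per-byte blob. The PNG samples and the stand-in payload are constructed inside the script so it runs offline; the private chunk name `pYLd` and the 64-byte/7.0-bit thresholds are assumptions to tune locally.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec plus common extensions; anything else deserves a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB",
    b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME", b"eXIf",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def iter_chunks(data: bytes):
    """Yield (offset, type, payload) for each PNG chunk, stopping after IEND or on truncation."""
    if not data.startswith(PNG_SIG):
        return
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):  # 8-byte header + 4-byte CRC is the smallest chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) != length:
            return  # truncated chunk: treat the rest as unparseable
        yield pos, ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            return


def scan_png(data: bytes) -> dict:
    """Report bytes after IEND and non-standard chunks, each with its entropy."""
    result = {"valid_png": False, "trailing_bytes": 0, "trailing_entropy": 0.0, "unknown_chunks": []}
    chunks = list(iter_chunks(data))
    if not chunks or chunks[-1][1] != b"IEND":
        return result
    result["valid_png"] = True
    iend_off, _, iend_payload = chunks[-1]
    trailer = data[iend_off + 12 + len(iend_payload):]
    result["trailing_bytes"] = len(trailer)
    result["trailing_entropy"] = round(shannon_entropy(trailer), 2)
    for _, ctype, payload in chunks:
        if ctype not in STANDARD_CHUNKS:
            result["unknown_chunks"].append(
                (ctype.decode("latin-1"), len(payload), round(shannon_entropy(payload), 2))
            )
    return result


def is_suspicious(result: dict, min_size: int = 64, min_entropy: float = 7.0) -> bool:
    """A sizeable high-entropy blob after IEND or inside an unknown chunk is worth a closer look."""
    if not result["valid_png"]:
        return False
    if result["trailing_bytes"] >= min_size and result["trailing_entropy"] >= min_entropy:
        return True
    return any(size >= min_size and ent >= min_entropy for _, size, ent in result["unknown_chunks"])


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(extra_chunks=()) -> bytes:
    """Constructed 1x1 RGB PNG for the demo; extra_chunks are inserted before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one black pixel
    body = make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += make_chunk(ctype, payload)
    return PNG_SIG + body + make_chunk(b"IEND", b"")


# Constructed samples: BLOB stands in for an encrypted payload (entropy exactly 8.0).
BLOB = bytes(range(256)) * 16
CLEAN_PNG = build_png()
APPENDED_PNG = build_png() + BLOB            # payload appended after IEND
CHUNKED_PNG = build_png([(b"pYLd", BLOB)])   # payload hidden in a private (assumed) chunk

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("chunked", CHUNKED_PNG)):
        r = scan_png(sample)
        print(f"{name:9} suspicious={is_suspicious(r)} {r}")
```

The check is deliberately structural rather than signature-based: a loader that hides its payload in pixel data rather than in a trailer or extra chunk will pass it, so treat a clean result as "nothing obvious", and pair the script with the hash and PowerShell-chain detections above.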
## Related Tools/Techniques
- LUMMA (Infostealer)
- ARECHCLIENT2 (SectopRAT)
- HijackLoader (Mentioned in related threats)
- ClickFix (Delivery technique)
***
# Tool/Technique: ARECHCLIENT2 (a.k.a. SectopRAT)
## Overview
ARECHCLIENT2, also known as SectopRAT, is a potent malware primarily focused on credential theft. It utilizes persistent Command and Control (C2) mechanisms characterized by frequently changing IP addresses to maintain communication with operators.
## Technical Details
- Type: Remote Access Trojan (RAT) / Information Stealer
- Platform: Not specified (Implied Windows due to ecosystem)
- Capabilities: Credential theft, persistent C2 communication with rotating IPs.
- First Seen: March 2024 (context of ClickFix campaigns)
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols
- TA0006 - Credential Access
- T1003 - OS Credential Dumping
## Functionality
### Core Capabilities
- Stealing sensitive user credentials.
- Establishing persistent C2 communication channels.
### Advanced Features
- Frequent rotation of Command and Control IP addresses for improved evasion.
## Indicators of Compromise
- File Hashes: Not specifically linked only to ARECHCLIENT2/SectopRAT in the summary.
- File Names: Not provided.
- Registry Keys: Not provided.
- Network Indicators: See GHOSTPULSE section for associated campaign IPs used for C2 infrastructure.
- Behavioral Indicators: Persistent connections established using dynamically changing network addresses.
## Associated Threat Actors
Associated with ClickFix campaigns delivering GHOSTPULSE.
## Detection Methods
- Signature-based detection: Needs specific signatures tailored to ARECHCLIENT2/SectopRAT payload.
- Behavioral detection: Monitoring for high volumes of credential access attempts or network beaconing activity from unusual processes.
- YARA rules: Not provided.
## Mitigation Strategies
- Strong credential hygiene and MFA deployment.
- Network traffic analysis focusing on outbound connections to known or newly registered IP addresses, especially those showing rapid changes.
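The "rapid changes" criterion above is easy to state and harder to operationalise. As an added example (not code from the report or from Elastic), the script below profiles outbound connections per process from an endpoint network log: a timer-driven implant shows low jitter between connections (coefficient of variation of the inter-connection gaps near zero), and rotating C2 infrastructure shows many distinct destinations for the same process. Flagging only on both avoids alerting on a regular updater that talks to one host. The records, host name, process names and RFC 5737 addresses are constructed; the 0.2 jitter ceiling and the three-destination floor are assumptions to tune locally.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection records (timestamp, host, process image, destination);
# not from the report. Destinations use RFC 5737 documentation ranges.
RECORDS = (
    # svc.exe: one connection every 300 s, destination cycling through four addresses
    [(f"2025-05-20T08:{m:02d}:00", "WS01", "svc.exe", ip)
     for m, ip in zip(range(0, 40, 5),
                      ["198.51.100.10", "198.51.100.11", "203.0.113.20", "203.0.113.21"] * 2)]
    # updater.exe: just as regular, but always the same destination
    + [(f"2025-05-20T{h:02d}:00:00", "WS01", "updater.exe", "192.0.2.10") for h in range(8, 14)]
    # chrome.exe: irregular browsing to many destinations
    + [("2025-05-20T08:00:00", "WS01", "chrome.exe", "192.0.2.50"),
       ("2025-05-20T08:00:05", "WS01", "chrome.exe", "192.0.2.51"),
       ("2025-05-20T08:02:05", "WS01", "chrome.exe", "192.0.2.52"),
       ("2025-05-20T08:02:08", "WS01", "chrome.exe", "192.0.2.53"),
       ("2025-05-20T08:12:08", "WS01", "chrome.exe", "192.0.2.54"),
       ("2025-05-20T08:12:53", "WS01", "chrome.exe", "192.0.2.55")]
)


def beacon_profiles(records, min_connections=6) -> dict:
    """Per (host, image): connection count, distinct destinations, mean gap and gap jitter (CV)."""
    by_proc = defaultdict(list)
    for ts, host, image, dst in records:
        by_proc[(host, image)].append((datetime.fromisoformat(ts), dst))
    profiles = {}
    for key, conns in by_proc.items():
        if len(conns) < min_connections:
            continue  # too few samples to say anything about periodicity
        conns.sort()
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(conns, conns[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        profiles[key] = {
            "connections": len(conns),
            "distinct_dsts": len({dst for _, dst in conns}),
            "mean_gap_s": round(mean, 1),
            "gap_cv": round(cv, 3),
        }
    return profiles


def flag_rotating_beacons(profiles, max_cv=0.2, min_distinct=3) -> list:
    """Low jitter says 'timer-driven'; many distinct destinations says 'rotating infrastructure'."""
    return [key for key, p in profiles.items()
            if p["gap_cv"] <= max_cv and p["distinct_dsts"] >= min_distinct]


if __name__ == "__main__":
    profiles = beacon_profiles(RECORDS)
    for key, p in profiles.items():
        print(key, p)
    print("flagged:", flag_rotating_beacons(profiles))
```

Real implants add jitter, so in production lower `max_cv` only after measuring what legitimate agents on the fleet look like, and feed the flagged (host, process) pairs into the credential-access monitoring listed under detection rather than blocking on this signal alone.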
## Related Tools/Techniques
- GHOSTPULSE Loader
- LUMMA Stealer
***
# Tool/Technique: Gh0stRAT, AsyncRAT, XWorm (RATs)
## Overview
These are various Remote Access Trojans (RATs) observed being deployed against mismanaged MySQL servers exposed to the internet, particularly in Korea. They are used by attackers to establish remote control over compromised systems after initial brute-force access.
## Technical Details
- Type: Malware (RAT Families)
- Platform: Server OS / Windows (Implied by MySQL context)
- Capabilities: Full remote control, executing system commands.
- First Seen: Not stated; the report describes the attacks against MySQL servers as ongoing.
## MITRE ATT&CK Mapping
*Mapped generally for RAT post-exploitation activities.*
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- TA0003 - Persistence
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
## Functionality
### Core Capabilities
- Providing unauthorized remote access to the compromised MySQL hosts.
### Advanced Features
- Installation often via User Defined Function (UDF) libraries loaded onto the database server.
## Indicators of Compromise
- File Hashes:
  - MD5: 2cd59cff23a2e0f98e710bf52b799154, 33096e0bc0785ffb2094054bebb9be26, 3ee3a5fef87b72a024bd0f45e6f6039f, 454ff880e99d5777276bdee1a3e078d9, 9d098864bc5746b9ff00432686d59b9f
- File Names: Server[.]exe, ceshi[.]exe
- Registry Keys: Not provided.
- Network Indicators:
  - IP: 103[.]101[.]178[.]170, 154[.]204[.]177[.]54, 154[.]222[.]24[.]186, 39[.]108[.]132[.]22
  - Domain: star[.]zcnet[.]net, yyinfo8999[.]fit
  - URL/Endpoint: http://star[.]zcnet[.]net:7766/Server[.]exe, http://39[.]108[.]132[.]22:8080/ceshi[.]exe
- Behavioral Indicators: Execution of commands via UDF libraries on the MySQL server after successful credential compromise.
## Associated Threat Actors
Unknown actors targeting misconfigured MySQL servers, leveraging common RAT tools.
## Detection Methods
- Signature-based detection: Based on provided file hashes.
- Behavioral detection: Monitoring for UDF library additions/loads on MySQL instances, or brute-force attempts on port 3306/TCP.
- YARA rules: Not provided.
## Mitigation Strategies
- Immediately patch/secure all internet-exposed MySQL servers.
- Disable or strictly control the use of User Defined Functions (UDFs) if not explicitly required.
- Enforce strong, unique passwords and MFA for database access.
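Both behavioural detections named above (UDF library loads and brute-force attempts against 3306/TCP) can be built from logs MySQL already writes. The following is an added example (not code from the report or from ASEC) that runs over constructed MySQL 8.0-style error-log and general-log lines: a sliding-window count of `Access denied` events per source address, and a match on `CREATE FUNCTION ... SONAME`, which is the statement that registers a UDF from a shared library. The log lines, the addresses (RFC 5737 ranges), the function name `run_cmd` and the library name `udf_example.dll` are constructed; the 10-failures-per-60-seconds threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MySQL 8.0-style error-log lines (not taken from the report): 12 failed root
# logins from one address inside a minute, and two from another.
ERROR_LOG = [
    f"2025-05-20T01:00:{i * 5:02d}.000000Z {i + 5} [Warning] [MY-010926] [Server] "
    f"Access denied for user 'root'@'198.51.100.7' (using password: YES)"
    for i in range(12)
] + [
    "2025-05-20T01:01:00.000000Z 20 [Warning] [MY-010926] [Server] "
    "Access denied for user 'app'@'203.0.113.9' (using password: YES)",
    "2025-05-20T01:01:30.000000Z 21 [Warning] [MY-010926] [Server] "
    "Access denied for user 'app'@'203.0.113.9' (using password: YES)",
]

# Constructed general-log lines: one routine query and one UDF registration.
GENERAL_LOG = [
    "2025-05-20T01:02:00.000000Z\t   17 Query\tSELECT id, name FROM customers LIMIT 10",
    "2025-05-20T01:02:10.000000Z\t   17 Query\tCREATE FUNCTION run_cmd RETURNS INTEGER SONAME 'udf_example.dll'",
]

ACCESS_DENIED = re.compile(r"^(\S+)\s.*Access denied for user '([^']*)'@'([^']+)'")
UDF_REGISTER = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?"
    r"\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'",
    re.IGNORECASE,
)


def parse_ts(stamp: str) -> datetime:
    return datetime.strptime(stamp.rstrip("Z"), "%Y-%m-%dT%H:%M:%S.%f")


def brute_force_sources(lines, threshold=10, window=timedelta(seconds=60)) -> dict:
    """Map source address -> peak number of failed logins seen inside any sliding window."""
    attempts = defaultdict(list)
    for line in lines:
        m = ACCESS_DENIED.match(line)
        if m:
            attempts[m.group(3)].append(parse_ts(m.group(1)))
    flagged = {}
    for src, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward until it spans at most `window`
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def udf_registrations(lines) -> list:
    """Return (function_name, shared_library) for every CREATE FUNCTION ... SONAME statement."""
    hits = []
    for line in lines:
        m = UDF_REGISTER.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(ERROR_LOG))
    print("UDF registrations:", udf_registrations(GENERAL_LOG))
```

The general log is off by default and costly on busy servers; where it cannot be enabled, a scheduled `SELECT name, dl FROM mysql.func` compared against a known-good baseline catches the same registrations after the fact, and the same query is a quick hunt across an estate for the UDF-based installs the report describes.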
## Related Tools/Techniques
- UEMS Agent (Used for stealthy post-exploitation installation)
- Zoho Assist Tool, UACME Tool (Legitimate and malicious tools mentioned in association)
***
# Tool/Technique: TONESHELL Backdoor and SplatCloak Driver
## Overview
TONESHELL is a backdoor utilized by the APT group Mustang Panda. It works in conjunction with the SplatCloak driver, which is specifically designed to aid in disabling detection systems on the victim's machine.
## Technical Details
- Type: Backdoor (TONESHELL) / Driver (SplatCloak)
- Platform: Not specified (Likely Windows, given the use of a driver for detection evasion)
- Capabilities: Maintaining persistence (TONESHELL), kernel-level defense evasion (SplatCloak).
- First Seen: Recent enhancements observed in Mustang Panda campaigns.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1562.001 - Impair Defenses: Disable or Modify Tools (SplatCloak driver interfering with host detection)
- TA0003 - Persistence
## Functionality
### Core Capabilities
- Establishing covert access (TONESHELL).
- Disabling security components (SplatCloak).
### Advanced Features
- Use of a driver (SplatCloak) to actively interfere with host defenses.
## Indicators of Compromise
- File Hashes:
  - SHA256: 3ef9c05b09eced9e1ea6bd3ebaaf6df26573db0addbbdcef025fb1f0438f5e7a (Associated with Lightpipe malware in the campaign)
- File Names: Not provided for TONESHELL/SplatCloak specifically.
- Registry Keys: Not provided.
- Network Indicators: Not provided in the section describing these tools specifically.
- Behavioral Indicators: System stability issues or unexpected driver behaviors potentially indicating SplatCloak activity.
## Associated Threat Actors
Mustang Panda (China-aligned cyber espionage group).
## Detection Methods
- Signature-based detection: Needs signatures for TONESHELL payloads.
- Behavioral detection: Monitoring for malicious driver loading or attempts to disable security controls.
- YARA rules: Not provided.
## Mitigation Strategies
- Strict driver signing policies must be enforced.
- Enhanced monitoring of system core components (e.g., EDR rules targeting driver interaction).
## Related Tools/Techniques
- Lightpipe Malware
- DLL Sideloading (Primary infection vector for the campaign)
***
# Tool/Technique: APT-C-60 Encrypted Payload/Delivery Architecture
## Overview
This refers to the operational methods and malware structure utilized by APT-C-60 (Pseudo Hunter), a North Korean APT group. They utilize trusted cloud services (GitHub and Bitbucket) as covert command channels and employ an encrypted payload executed via a two-step delivery process, including keylogging functionality.
## Technical Details
- Type: Malware Campaign/Framework utilizing C2 infrastructure techniques
- Platform: Not specified, targeting Korean entities.
- Capabilities: Encrypted payload delivery, keylogging, command relay via cloud services.
- First Seen: Active since at least 2014.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1102 - Web Service (GitHub/Bitbucket used for command relay and payload staging)
- TA0006 - Credential Access
- T1056.001 - Input Capture: Keylogging
## Functionality
### Core Capabilities
- Two-step payload delivery mechanism.
- Keylogging capability integrated into the malware.
### Advanced Features
- Utilizing legitimate code hosting platforms (GitHub/Bitbucket) to host staging data or C2 configuration, minimizing exposure.
- Encrypted payloads designed for stealth.
## Indicators of Compromise
- File Hashes:
  - MD5: df58cd2b90db1960c8ac30f57839e513, b3b0366a5696ab4a733cbfb0dddcc563, cc0c2ffe71cf06f8bc907b4a1276d586, 1afcdf065669868e038a5fab934c28d2
- File Names: Master[.]txt
- Registry Keys: Not provided.
- Network Indicators: (C2 infrastructure hosted on cloud platforms)
  - URL: https://c[.]statcounter[.]com/13075150/0/caa8d685/1 (Likely tracking/beaconing endpoint)
  - URL: https://raw[.]githubusercontent[.]com/goldbars33/ozbdkak33/refs/heads/main
  - URL: https://github[.]com/fenchiuwu/class2025/raw/refs/heads/main
  - URL: https://github[.]com/football2025/class2025/raw/refs/heads/main/Master[.]txt
  - URL: https://bitbucket[.]org/clouds999/glo29839/downloads
- Behavioral Indicators: Frequent access to specific repositories on GitHub/Bitbucket endpoints potentially containing configuration or second-stage payloads.
## Associated Threat Actors
APT-C-60 (Pseudo Hunter).
## Detection Methods
- Signature-based detection: Based on provided file hashes.
- Behavioral detection: Detecting connections to GitHub/Bitbucket URLs matching known attacker repository structures, especially when paired with suspicious file downloads.
- YARA rules: Not provided.
## Mitigation Strategies
- Network egress filtering should be reviewed; however, blocking GitHub/Bitbucket is often impractical. Focus on monitoring unusual download patterns from these services.
- Implement robust endpoint detection focusing on the execution chain following initial access (spear-phishing).
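Because blocking GitHub and Bitbucket outright is rarely an option, the practical detection is the one described above: match the repository URL shapes the indicators share (raw branch content under `refs/heads/<branch>` and the Bitbucket `downloads` area) and then ask which process fetched them and how often. The script below is an added example (not code from the report or from 360) over a constructed endpoint web-request log: it classifies each URL, flags fetches by processes that are not browsers or developer tools, and flags repeated polling of one repository by one process, which is what a dead-drop configuration check looks like. The log format, host and process names, owner/repository placeholders and the allowlist are assumptions; the three-fetch repeat threshold is too.

```python
import re
from collections import Counter

# URL shapes matching the repository-hosted staging in the report; each captures (owner, repo).
STAGING_PATTERNS = [
    ("github_raw", re.compile(
        r"^https?://raw\.githubusercontent\.com/([^/]+)/([^/]+)/refs/heads/[^/?#]+(?:/|$)")),
    ("github_raw", re.compile(
        r"^https?://github\.com/([^/]+)/([^/]+)/raw/refs/heads/[^/?#]+(?:/|$)")),
    ("bitbucket_downloads", re.compile(
        r"^https?://bitbucket\.org/([^/]+)/([^/]+)/downloads(?:/|$)")),
]

# Processes expected to pull raw repository content in this (assumed) environment; tune locally.
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe"}

# Assumed key=value log format from an endpoint agent; adapt the regex to the real source.
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) pid=\d+ image=(?P<image>\S+) url=(?P<url>\S+)$")

# Constructed sample log (not from the report); owner/repository names are placeholders.
SAMPLE_LOG = [
    r"2025-05-20T08:00:01Z host=WS01 pid=3120 image=C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe url=https://raw.githubusercontent.com/example-org/tooling/refs/heads/main/README.md",
    r"2025-05-20T08:05:00Z host=WS01 pid=4120 image=C:\Users\alice\AppData\Roaming\svc\upd.exe url=https://raw.githubusercontent.com/placeholder-user/placeholder-repo/refs/heads/main/cfg.txt",
    r"2025-05-20T08:10:00Z host=WS01 pid=4120 image=C:\Users\alice\AppData\Roaming\svc\upd.exe url=https://raw.githubusercontent.com/placeholder-user/placeholder-repo/refs/heads/main/cfg.txt",
    r"2025-05-20T08:15:00Z host=WS01 pid=4120 image=C:\Users\alice\AppData\Roaming\svc\upd.exe url=https://raw.githubusercontent.com/placeholder-user/placeholder-repo/refs/heads/main/cfg.txt",
    r"2025-05-20T08:15:02Z host=WS01 pid=4120 image=C:\Users\alice\AppData\Roaming\svc\upd.exe url=https://bitbucket.org/placeholder-ws/placeholder-repo/downloads/stage2.bin",
    r"2025-05-20T08:20:00Z host=WS01 pid=3120 image=C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe url=https://github.com/example-org/tooling",
]


def classify_url(url: str):
    """Return (kind, 'owner/repo') when the URL has a staging shape, else None."""
    for kind, rx in STAGING_PATTERNS:
        m = rx.match(url)
        if m:
            return kind, f"{m.group(1)}/{m.group(2)}"
    return None


def find_staging_fetches(lines, min_repeats=3) -> list:
    """Alert on staging-shaped fetches by unexpected processes and on repeated polling of one repo."""
    alerts = []
    polls = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = classify_url(m["url"])
        if not hit:
            continue
        kind, repo = hit
        image = re.split(r"[\\/]", m["image"])[-1].lower()  # basename, Windows or POSIX path
        polls[(m["host"], image, repo)] += 1
        if image not in EXPECTED_IMAGES:
            alerts.append(("unexpected_process", m["host"], image, kind, repo))
    for (host, image, repo), n in polls.items():
        if n >= min_repeats:
            alerts.append(("repeated_fetch", host, image, repo, n))
    return alerts


if __name__ == "__main__":
    for alert in find_staging_fetches(SAMPLE_LOG):
        print(alert)
```

An allowlist of process names is a weak control on its own (a browser can be abused too), so the repeated-fetch signal is the one to weight: a user reading a README fetches it once, while a config-polling implant comes back on a schedule, and the owner/repository pair it keeps returning to is the pivot for blocking and for wider hunting.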
## Related Tools/Techniques
- Goldbar (Mentioned threat)
- Spear-phishing (Initial access method)