This is a weekly threat intelligence report review from RST Cloud. This week, we processed 76 threat intelligence articles and compiled a concise summary of each, along with the pertinent metadata that was extracted. You can find below a short summary of 10 articles, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
Link: https://research.checkpoint.com/2025/impersonated-kling-ai-site-installs-malware/
Summary: In early 2025, a threat actor launched a cyber campaign that exploited popular AI content generation platforms by spoofing Kling AI through fake social media pages and advertisements, redirecting users to a counterfeit website. Victims were misled into submitting prompts, receiving malicious executable files disguised as media files that utilized Hangul Filler characters to mask their true nature. These executables operated as loaders to install an information stealer that harvested sensitive data, leveraging .NET Native AOT compilation for stealth and persistence mechanisms. Additionally, the campaign deployed the PureHVNC Remote Access Trojan (RAT) as a DLL file, designed to exfiltrate sensitive information from cryptocurrency-related applications and monitor activities using predefined keywords. Historical patterns indicate a possible link to Vietnamese threat actors, with previous malvertising efforts suggesting a continuity in exploiting vulnerabilities through social engineering techniques.
Threats: purehvnc_tool procmon_tool dotnet_reactor_tool screenconnect_tool process_hollowing_technique runpe_tool Trojan.Win.MITREClassifier
Indicators of compromise:
-------------------------
ip: 185[.]149[.]232[.]197, 185[.]149[.]232[.]221, 147[.]135[.]244[.]43
domain: klingaimedia[.]com, klingxai[.]com, kingaitext[.]com, ai-kling[.]com, klings-ai[.]com, klingx[.]ai, www[.]kling-ai[.]tech, www[.]klingai[.]cloud, aikling[.]ai, klingturbo[.]com, klingaistudio[.]com, klingaieditor[.]com, kingaimediapro[.]com, kingaivideotext[.]com, kingaiplus[.]com
url: https://aikling[.]ai/Create_standard_mode_photo[.]zip, https://klingturbo[.]com/images/ai-images/Image_Generation_158666[.]jpg, https://www[.]facebook[.]com/61574724896485, https://www[.]facebook[.]com/61574162357787, https://www[.]facebook[.]com/people/KLING-AI/61574316153107
hash:
- sha256=f5b31bd394e0a3adb6bd175207b8c3ccc51850c8f2cee1149a8421736168e13e
- sha256=f89298933fed52511bb78f8f377979190e37367d72ccf4f3b81374a70362cc42
- sha256=beeea592251a0a205b3bdb34802bd2f4f5181ee38226a05ec468a86be44e9508
- sha256=732aa8ed8ca9a12f4bfc29a693ec3eba74ed1b2d00de4296180d91b86d09747b
- sha256=7035b5ba24146db537eedb1f05e6cad1775f9f5e81306f72422c03b288f75448
- sha256=2588fdfa7417d617df2d31eddea710d0f964008abc2f4860cdff588ab9786d0a
- sha256=06d9d60ddbe835abc5b16911a35732cc9b56ea9425de210961a15d465823978f
- sha256=2d5e01cfacdf9f900b51b0539e0809f22ce1859eac0886866af35a2eb2dc2d42
- sha256=5200b27726c0be8e6f34a3920fbd5d40aeaec460169b1f3c7a174ebeee6553d9
- sha256=d95b3eabfe9892371cb518fd6e733d2d33d2fabb2b1df4dab650a8f8e1ea8745
- sha256=d1b712b215612c8df5fef02b614c616a78b723bffbec6e10e32bfd0b758df41b
- sha256=39d771c12bd5da15d3fb63905df1e2c4c7c12b8f77c630a35b247c418950eafe
- sha256=4bbaf3ececd53bc4028723e87b1669268a6fadc4d480590c2d59bb4322a17de7
- sha256=30e26f4fd7cb0ac626950bb01e01a2c02e277727d1d3ec94286a44af262f37cf
- sha256=699e348260ae5b60cd822325f1c4bf2c793f6f25001357856c58520a9af10987
- sha256=b33e162a78b7b8e7dbbab5d1572d63814077fa524067ce79c37f52441b8bd384
- sha256=0c9228983fbd928ac94c057a00d744d6be4bd4c1b39d1465b7d955b7d35bf496
- sha256=839371cd5a5d66828ac9524182769371dede9606826ad7c22c3bb18fb2ee91cb
- sha256=9dab2badfdae86963b2f13ce8942fe78dd66ec497f8d82dd40c0cb5bec4fb2a7
- sha256=cee3f98b5f175219d025a92eddec4fd8bcaae31e6ad99321ae7c00b822063fc3
- sha256=a5baceb97a2be17fdd0c282292ebb0b5a56a555013a4c8fffcc2335c504780fb
- sha256=3fba4a0942244e9c3ad25a57a21f91b06f8732a2ca36da948ae5f0afa51dc72b
- sha256=557becfcc7eccaa5a7368a6d5583404af26aadede2c345d6070e6e9fab44a641
- sha256=1e66ebaef295c2a32245162979d167cebad1fece51b7cdb6a6c3a1d705befa6b
email:

Title: Operation RUN: Cyber Carnival of “Offshore Patriots”
Link: https://www.ctfiot.com/247198.html
Summary: In December 2024, the UTG-Q-015 attacker group became known for exploiting Trojan horse incidents, particularly on major websites like CSDN, and later shifted tactics by targeting government and enterprise sites with a combination of newly identified zero-day and known vulnerabilities. By April 2025, they expanded their operations to encompass blockchain-related websites and engaged in phishing campaigns aimed at financial personnel, utilizing instant messaging to deliver malware payloads. The group's activities included a notable "watering hole" campaign that compromised over 100 targeted websites, the use of a lightweight .NET backdoor for further infections, and an increasing focus on AI sectors, where they exploited vulnerabilities in plugins to deploy additional malicious tools.
Threats: utg-q-015_group giant_campaign eviloong_campaign cobalt_strike_tool fscan_tool watering_hole_technique hawk xnote vshell
Indicators of compromise:
-------------------------
ip: 209[.]250[.]254[.]130:13389
domain: updategoogls[.]cc, safe-controls[.]oss-cn-hongkong[.]aliyuncs[.]com
url: https://updategoogls[.]cc/tools[.]exe, https://safe-controls[.]oss-cn-hongkong[.]aliyuncs[.]com/res/tools[.]zip
hash:
- md5=c313868c3e3e470fc7dde07ebaac0a87
- md5=fb68d6affca239ba4f9315889fcf6d61
- md5=e9ab0bc9d47c84285b82b25834aeae03
- md5=53a83040fea6dbe2845747d69da6504e
- md5=e89a6d6a0ca026317456594211ccb007
email:

Title: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
Link: https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/
Summary: Cisco Talos has reported the exploitation of CVE-2025-0994, a critical vulnerability in the Cityworks asset management system, attributed to Chinese-speaking threat actors identified as UAT-6382. Following the initial compromise, attackers deployed various web shells on IIS servers to maintain access, utilizing a Rust-based loader named "TetraLoader" to introduce additional malware, including Cobalt Strike and VShell. The malicious tools and their communication with specific command-and-control servers indicate a sophisticated approach to targeting local U.S. government networks since January 2025, emphasizing the perpetrators' linguistic and cultural familiarity.
Threats: uat-6382_group antsword chinachopper cobalt_strike_tool vshell tetraloader maloader_tool behinder
Indicators of compromise:
-------------------------
ip: 192[.]210[.]239[.]172
domain: cdn[.]lgaircon[.]xyz, lgaircon[.]xyz, www[.]roomako[.]com, cdn[.]phototagx[.]com
url: http://192[.]210[.]239[.]172:3219/LVLWPH[.]exe, http://192[.]210[.]239[.]172:3219/MCUCAT[.]exe, http://192[.]210[.]239[.]172:3219/TJPLYT[.]exe, http://192[.]210[.]239[.]172:3219/z44[.]exe, https://www[.]roomako[.]com/jquery-3[.]3[.]1[.]min[.]js, https://lgaircon[.]xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2, https://cdn[.]lgaircon[.]xyz/jquery-3[.]3[.]1[.]min[.]js, https://cdn[.]phototagx[.]com
hash:
- sha256=14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f
- sha256=4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9
- sha256=1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b
- sha256=1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901
- sha256=c02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738
email:

Title: Infostealer Watch: Will Lumma's Takedown Help Rhadamanthys Rise?
Link: https://www.forescout.com/blog/infostealer-watch-will-lummas-takedown-help-rhadamanthys-rise/
Summary: Infostealer malware has gained prominence within cybercrime, particularly through advanced delivery techniques like ClickFix campaigns. The recent takedown of Lumma Stealer by law enforcement highlights the ongoing evolution of this ecosystem, which has seen the rise of new competitors such as the Rhadamanthys infostealer. Rhadamanthys employs tactics like mshta.exe and spearphishing emails to lure users into executing harmful PowerShell scripts that facilitate the theft of sensitive information, including browser credentials and cryptocurrency wallets. Its modular architecture allows for continuous enhancements, while its operation involves a three-stage process aimed at efficient data exfiltration. The emergence of Rhadamanthys and the ongoing developments surrounding infostealers underscore the adaptive strategies of cybercriminals as they utilize legitimate platforms for malware distribution and credential theft.
Threats: lumma_stealer rhadamanthys clickfix_technique formbook raccoon_stealer redline_stealer vidar_stealer spear-phishing_technique process_injection_technique amsi_bypass_technique process_hollowing_technique dll_sideloading_technique
Indicators of compromise:
-------------------------
ip: 104[.]21[.]46[.]32
domain: cracking[.]org
url: https://bird[.]stone-apple-vine[.]pro/ukk6dd9hy825[.]bin, https://t[.]me/+seHLUhOHbVhMDM0, http://ok[.]fish-cloud-jar[.]us, https://b8t[.]watchcollision[.]xyz/7456f63a46cc318334a70159aa3c4291, https://api[.]blue-pencil-wave[.]today/78fc5131525a9e8d335b1/bu4x10q
hash:
- sha256=771002ad7876cd86be8cbdf09a121119d9bcc0748efd4e8664be781161bcc460
- sha256=3773769cadbbc7cdd92f572e08915fe53d05f1a873c74c7d57be4876b1a64bff
email:

Title: Fake CAPTCHA Attacks Deploy Infostealers and RATs in a Multistage Payload Chain
Link: https://www.trendmicro.com/en_us/research/25/e/unmasking-fake-captcha-cases.html
Summary: Recent investigations by Trend Micro have uncovered a sophisticated cyber threat that utilizes fake CAPTCHA pages to trick users into executing harmful commands within Windows environments. This attack primarily exploits phishing emails, malvertising, and SEO poisoning, leading victims to counterfeit CAPTCHA prompts where they inadvertently input malicious commands. The threat employs apparently benign files like MP3s or PDFs, embedded with obfuscated JavaScript that activates harmful scripts via Microsoft HTML Application Host or PowerShell, facilitating actions such as data exfiltration and credential theft. The deceptive nature of these attacks is heightened by the attackers' use of urgency in their communication and the mimicry of legitimate-looking prompts, which can evolve over time to utilize different delivery methods or social media platforms, posing an ongoing risk in the cyber threat landscape.
Threats: seo_poisoning_technique lumma_stealer rhadamanthys asyncrat emmenhtal xworm_rat fakecaptcha_technique reign dll_sideloading_technique retefe lolbin_technique dll_injection_technique
Indicators of compromise:
-------------------------
ip: 176[.]65[.]141[.]165:8587, 185[.]7[.]214[.]108
domain: guest-idreserve[.]com, buyvault[.]shop, bi[.]yuoei[.]shop, trojan[.]js[.]emmenhtal[.]sm, x63-hello[.]live, tool-back[.]com, vapotrust[.]com, check[.]symad[.]icu, kajec[.]icu
url: https://ernier[.]shop/lyricalsync[.]mp3, https://zb-files[.]oss-ap-southeast-1[.]aliyuncs[.]com/DPST_doc[.]mp3, http://ok[.]fish-cloud-jar[.]us, https://yedik[.]shop/Tech_House_Future[.]mp3, https://x63-hello[.]live/nF3mXcQ9FVjs1sMt[.]html, https://welcome12-world[.]com/wpDoQRpZt2PIffud[.]html, https://w19-seasalt[.]com/mbDjBsRmxM1LreEp[.]html, https://fessoclick[.]com/clck/dub[.]txt, https://check[.]nejyd[.]icu/gkcxv[.]google?i=db47f2d4-a1c2-405f-ba9f-8188d2da9156, https://viewer-vccpass[.]com, https://ernie[.]shop, https://bi[.]yuoie[.]shop/750413b4e6897a671bc759e04597952a0be747830189873b[.]xlsx, https://pn3[.]gapdevoutlycitrus[.]shop:443/809e682faadb839aaf9e5e6b171dfa3e, https://yedik[.]shop:443/tech_house_future[.]mp3, https://sns[.]XX[.]Xa/link[.]php?url=///guest-idreserve[.]com, https://sns[.]XX[.]Xa/link[.]php?url=///guests-reservid[.]com, https://guests-reservid[.]com, https://guest-idreserve[.]com, https://idguset-reserve[.]com, https://guestdocfound[.]com, https://itemsfoundguest[.]com, https://guestitemsfound[.]com, https://x63-hello[.]live/J5a5WFr1sJBU7zvr[.]html, https://x63-hello[.]live/xkF66hfe3HwquFTY[.]html, https://x63-hello[.]live/4jj0zJALq7txS3qW[.]html, https://bi[.]youei[.]shop/750413b4s68716bc759e0459752a0be747830189873b[.]xlsm, https://pn2[.]gapdevoutlycitrus[.]shop/939e2f74d1743cbc2f9fab0130be1f38, https://b8t[.]watchcollision[.]xyz/7456f63a46cc318334a70159aa3c4291, http://fessoclick[.]com/clck/dub[.]txt, https://video-lga3-2[.]xx[.]fbcdn[.]net/o1/v/t2/f2/m69/AQMYDglrdW4sk55SwyquB, https://viewer-vccpass[.]com/in[.]php?action=1, http://185[.]7[.]214[.]108/a[.]mp4, https://w19-seasalt[.]com/5yV847cNSBk97jya[.]html, https://check[.]symad[.]icu/gkcxv[.]google?i=f3f04e08-9474-4aa2-bc7f-911bc3916134, https://check[.]symad[.]icu/gkcxv[.]google?i=6f8502e1-2fca-4663-9562-e39aadcdf072, https://kajec[.]icu/f04b18c2f7ff48bdbf0670138f9eb24f[.]txt
hash:
- sha1=3e2794400664f6ae9a9b27821bf01ca008f99e1d
- sha256=dd8c688c4366bb144136404af5d9e4568ecb632ce3f8468f9ad48c21e6fe3e5b
- md5=809e682faadb839aaf9e5e6b171dfa3e
- sha256=f43b4138d5b60d8db05fc9c382f2e6430cf89e1f622a04186c0748b1be94cd3e
- sha256=07253a1e6616775fcf3fa678512f2e18c0b557b043127b14b3446aa352e99d49
- sha256=cb33d8860e275ed1bb222f07e833c8e441369d7137bb29795a9db283b36b33fa
- sha256=4628462f5deb22438e2eb96aa8352264c6001fb994f0b193ecd839ce5421e82a
- sha256=f86259193d9e20a33d2d458cc1a2be1bd1448c939ffde9cceb1c0ad7bc24e9d6
- sha256=41ece1dbce5dd8a737b47340e4289e09c7e2f29ebfecc82a987a4de64a1f5178
- sha256=1d3ac3369ce2469bdeabdfb9ce770848e726295771187e8442aa83aa27d40040
- sha256=b39eec54e71b92dcbfed1241b2ec2e77bb1d99fc274903f16c974c64656edbbc
- sha256=75eb739508b633ec72600753b5f7848c2f02961a93251726a80ce0c0458355e0
- sha256=9ea6a61cec03421aa7e14aa9c78dc25491bb3169b002b6513e3c4c9dff249beb
- sha256=f25e6acd68c57b6116a048ab737c8d16527858d0c5ee3cd5c90e9b470c30c0b1
- sha256=028ddb2442aa0387a66c2c02d650e2620b24a569fc4a8366a762431a11209f94
- sha1=d9f3f678b853e270915dcc4ac0bf0cd37a448ebb
- sha1=df0417889347c822d5b643566a1565971c5450b2
email:

Title: China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability
Link: https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability
Summary: On May 15, 2025, Ivanti disclosed vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM), which permitted unauthenticated remote code execution (RCE) and have been exploited in the wild from the same day the vulnerabilities were identified. EclecticIQ attributed the attacks to UNC5221, a China-nexus cyber-espionage group, which targeted critical sectors, including healthcare, telecommunications, and government across various regions such as Europe, North America, and the Asia-Pacific. The attackers exploited an endpoint to execute arbitrary commands remotely, deployed KrustyLoader malware via AWS S3 buckets, and used hardcoded MySQL credentials to access sensitive information, all while maintaining persistence and enabling lateral movement within compromised networks through tools like Fast Reverse Proxy. Evidence of repeated infrastructure reuse associated with UNC5221 further supported this attribution, indicating a concerted effort to employ stolen data for espionage linked to the interests of the People's Republic of China.
Threats: krustyloader auto-color sliver_c2_tool unc5221_group nmap_tool netstat_tool yakit_tool
Indicators of compromise:
-------------------------
ip: 64[.]52[.]80[.]21:4444, 103[.]244[.]88[.]125, 27[.]25[.]148[.]183, 146[.]70[.]87[.]67:45020, 124[.]223[.]202[.]90
domain: openrbf[.]s3[.]amazonaws[.]com, tnegadge[.]s3[.]amazonaws[.]com, fconnect[.]s3[.]amazonaws[.]com, trkbucket[.]s3[.]amazonaws[.]com, the-mentor[.]s3[.]amazonaws[.]com, tkshopqd[.]s3[.]amazonaws[.]com, dpaste[.]com, ns1[.]cybertunnel[.]run, dnstunnel[.]run
url: https://dpaste[.]com/9MQEJ6VYR[.]txt, http://abbeglasses[.]s3[.]amazonaws[.]com/dSn9tM, http://103[.]244[.]88[.]125:8080/frpc, http://malicious[.]domain/payload
hash:
- sha256=44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a
- sha256=7a4e0eb5fbab9709c8f42beb322a5dfefbc4ec5f914938a8862f8e26a31d30a5
- sha256=f34db4ea8ec3c2cbe53fde3d73229ccaa2a9e7168cd96d9a49bf89adef5ab47c
- sha256=150ccd3b24a1b40630e46300100a3f810aa7a6badeb6806b59ed6ba7bafb7b21
- sha256=29ae4fa86329bf6d0955020319b618d4c183d433830187b80979d392bf159768
- sha256=64764ffe4b1e4fc5b9fe27b513e02f0392f659c4e033d23a4ba7a3b7f20c6d30
- sha256=b422645db18e95aa0b4daaf5277417b73322bed306f42385ecfd6d49be26bfab
email:

Title: Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan
Link: https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html
Summary: Earth Ammit, a threat actor associated with Chinese-speaking APT groups, has conducted two major campaigns, VENOM and TIDRONE, targeting the drone supply chain and military sectors from 2023 to 2024. The VENOM campaign primarily focused on software service providers, while TIDRONE shifted its attention to military and satellite industries, employing both open-source and custom-developed tools like CXCLNT and CLNTEND to enhance their cyberespionage capabilities. The campaigns showcased innovative supply chain attack strategies, including the exploitation of trusted vendor communications and web server vulnerabilities to deploy malware, enabling Earth Ammit to compromise sensitive systems in Taiwan and South Korea and exfiltrate valuable credentials while maintaining stealth through advanced techniques like in-memory operation and thread-to-fiber conversion.
Threats: earth_ammit_group supply_chain_technique venom_group tidrone_group cxclnt clntend venfrpc_tool screencap frpc_tool process_injection_technique edrsilence_tool dalbit_group
Indicators of compromise:
-------------------------
ip: 45[.]121[.]50[.]30, 45[.]121[.]50[.]185, 103[.]61[.]139[.]60
domain: fuckeveryday[.]life, client[.]wns[.]windowswns[.]com, server[.]microsoftsvc[.]com, service[.]symantecsecuritycloud[.]com, time[.]vmwaresync[.]com, ac[.]metyp9[.]com
url:
hash:
- sha256=40bcd87bcd851c5c2d6e5c901c59312d480eed58b4ebb2981607c0d80c27b529
- sha256=0d91dfd16175658da35e12cafc4f8aa22129b42b7170898148ad516836a3344f
- sha256=73372378dd3c5455b466a61d5807b903ed6c1d9284628b9b7480ccd49cc15635
- sha256=8907907a571a90c28ae72c10945f626fd22a6f587f664a6b86ad3a8f344f1aae
- sha256=c3c4443c3fee858e71fb8017288d9f3b79b2ae0f3f37f93d373765261b299d46
- sha256=f13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7
- sha256=37949e1f0eabbf6726ba79a707a9b471ec1fa160080f9b1effd01ea35f795fd7
- sha256=19bbc2daa05a0e932d72ecfa4e08282aa4a27becaabad03b8fc18bb85d37743a
- sha256=5235fecd3e1449ba9f78a25ddb89948a638484411a7bf91af3bb4d1b159f255a
- sha256=24fabd3a74c6d24acb7c7f6ed254df0ba125b321772abacb692be5b6c687e651
- sha256=74096848382ffb86a5ff0c7811b9867ad97f83d3f406b2c5aa9f357e1619fe21
- sha256=827142f772c39bd7f4c468bcfc096ea857b4d2939c606460424af836a045f696
- sha256=2f2d4cc6266fe1671fa03737059622e03466a80d43a0342bff21b73c7aa5419a
- sha256=db600b0ae5f7bfc81518a6b83d0c5d73e1b230e7378aab70b4e98a32ab219a18
- sha256=1f22be2bbe1bfcda58ed6b29b573d417fa94f4e10be0636ab4c364520cda748e
- sha256=f3897381b9a4723b5f1f621632b1d83d889721535f544a6c0f5b83f6ea3e50b3
- sha256=1b08f1af849f34bd3eaf2c8a97100d1ac4d78ff4f1c82dbea9c618d2fcd7b4c8
- sha256=589d4a751e079ec6792ccabc39df36c3d43a3a34376d38d2eec2e36e32b2c7aa
- sha256=0f26a1042a74d0990e53587f97c63450763fba4af39d635e29ddcf6b0091d8ea
email:

Title: From banks to battalions: SideWinder's attacks on South Asia's public sector
Link: https://www.acronis.com/en-us/cyber-protection-center/posts/from-banks-to-battalions-sidewinders-attacks-on-south-asias-public-sector/
Summary: The Acronis Threat Research Unit (TRU) has unveiled a cyber espionage campaign orchestrated by the SideWinder Advanced Persistent Threat (APT) group, focusing on high-level government institutions in Sri Lanka, Bangladesh, and Pakistan. Utilizing spear phishing techniques, the campaign employs geofenced payloads to precisely target victims, with initial infection vectors involving malicious Word and RTF files that exploit CVE-2017-0199 and CVE-2017-11882 vulnerabilities for remote code execution. The attack methodology incorporates multistage loaders and shellcode-based payload delivery, culminating in the deployment of StealerBot for credential theft. Key lures, including a document mimicking the "Sri Lanka Customs National Imports Tariff Guide 2025," were crafted to enhance the chances of user interaction. The group demonstrates technical expertise through frequent updates to their command-and-control infrastructure and a targeting strategy that includes significant military and financial institutions, notably the Central Bank of Sri Lanka and the Sri Lanka Army's 55th Division.
Threats: sidewinder_group spear-phishing_technique polymorphism_technique credential_harvesting_technique stealerbot dll_sideloading_technique
Indicators of compromise:
-------------------------
ip:
domain: advisory[.]army-govbd[.]info, army-govbd[.]info, updates-installer[.]store, dwnlld[.]com, viewdoc[.]online, dwnlld[.]info, net-co[.]info, vpdf[.]online, org-co[.]net, nic-svc[.]net, live-co[.]org, org-liv[.]net, net-src[.]info, info-lanka[.]org, onlinestatus[.]live, modpak[.]live, mail163[.]info, geninstr[.]army-govbd[.]info, advisary[.]army-govbd[.]info, amended[.]army-govbd[.]info, mail[.]army-govbd[.]info, emv1[.]army-govbd[.]info, www[.]army-govbd[.]info, pimec-paknavy[.]updates-installer[.]store, imec-paknavy[.]updates-installer[.]store, www-presidentsoffice-gov-lk[.]dwnlld[.]com, www-cbsl-gov-lk[.]dwnlld[.]com, email[.]sco[.]gov[.]pk[.]viewdoc[.]online, mod-gov-bd[.]dwnlld[.]info, moitt-gov-pk[.]dwnlld[.]info, mfa-gov-lk[.]dwnlld[.]info, www-cbsl-gov-lk[.]dwnlld[.]info, prison-gov-bd[.]dwnlld[.]info, bscic-gov-bd[.]dwnlld[.]info, cabinet-gov-bd[.]dwnlld[.]info, fa-gov-lk[.]dwnlld[.]info, infomfa-gov-lk[.]dwnlld[.]info, mofa-gov-bd[.]dwnlld[.]info, www-cbsl-gov-lk[.]dwnlld[.]info, mfa-gov-lk[.]dwnlld[.]info, www-erd-gov-lk[.]dwnlld[.]info, xcfhg[.]dwnlld[.]info, mof-gov-np[.]dwnlld[.]info, 6441056b613c32a9[.]dwnlld[.]info, www[.]dwnlld[.]info, customs-gov-lk[.]net-co[.]info, postmaster[.]net-co[.]info, www[.]customs-gov-lk[.]net-co[.]info, jtops[.]milqq[.]info, dirsports[.]milqq[.]info, mail[.]ntc[.]net[.]pk[.]vpdf[.]online, pubad-gov-lk[.]org-co[.]net, a5936441-e402-41e3-b02b-75af112074b5[.]org-co[.]net, esxipubad-gov-lk[.]org-co[.]net, mof-gov-bd[.]nic-svc[.]net, lolsidewindersidewinder[.]nic-svc[.]net, wwww[.]nic-svc[.]net, www-erd-gov-lk[.]nic-svc[.]net, www[.]treasury-gov-lk[.]nic-svc[.]net, treasury-gov-lk[.]nic-svc[.]net, mail-mofa-gov[.]org-liv[.]net, pubad-gov-lk[.]org-liv[.]net, cabinet-gov-bd[.]org-liv[.]net, cirt-gov-bd[.]org-liv[.]net, gov-lk[.]org-liv[.]net, mod-gov-bd[.]org-liv[.]net, www-treasury-gov-lk[.]org-liv[.]net, pubad-gov-lk[.]live-co[.]org, mofa-gov-bd[.]live-co[.]org, mod-gov-bd[.]live-co[.]org, data-sob-gov-bd[.]live-co[.]org, 7ef1996f-c463-4540-936a-70d0fd477f98[.]live-co[.]org, mofa-gov-np[.]live-co[.]org, mofa-gov-np[.]org-liv[.]net, pubad-gov-lk[.]net-src[.]info, probashi-gov-bd[.]net-src[.]info, mofa-gov-np[.]net-src[.]info, modltr[.]info-lanka[.]org, www[.]info-lanka[.]org, mail[.]nepla[.]gov[.]np[.]onlinestatus[.]live, mail[.]ntc[.]net[.]pk[.]onlinestatus[.]live, mail[.]paf[.]gov[.]pk[.]onlinestatus[.]live, mail[.]pof[.]gov[.]pk[.]onlinestatus[.]live, paknavy[.]modpak[.]live, interior-gov-pk[.]mail-govt[.]org, www-cabinetoffice-gov-lk[.]mail-govt[.]org, probashi-gov-bd[.]mail-govt[.]org, gso2[.]mail163[.]info
url: https://advisory[.]army-govbd[.]info/ISPR/d81b2d23/Accept_EULA[.]rtf, https://advisory[.]army-govbd[.]info/ISPR/7201a146, https://ecility[.]xyz
hash:
- sha256=57b9744b30903c7741e9966882815e1467be1115cbd6798ad4bfb3d334d3523d
- md5=b0f2f200a69db71947578fca51d4ff94
- sha256=1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a
- sha256=e4afb43a13e043d99ff0fb0a0ac49e96a04932ba37365527914d6be779597edf
- md5=71b0774691ab8192af8ed8e816a1f475
- sha256=61132f15775224f8aae02499b90b6bc19d4b3b44d987e0323276dceb260cc407
- md5=648eb92f1125f0156880578cc64a53dd
- md5=b37522b69406b3f6229b7f3bbef0a293
- md5=9e3aaa68e88a604a7aba9cf83b49de6e
- md5=12a891501e271d32802495af88cfa247
- sha256=c62e365a6a60e0db4c2afd497464accdb783c336b116a5bc7806a4c47b539cc5
- md5=88af570ec4821aa762ed04f2549ad6c1
- sha256=725ded50e7f517addd12f029aeaf9a23f2b9ce6239b98820c8a12ea5cb79dbfa
- sha256=558de2a01fbd76be171561c3c82fd6a8e2d4c913444850af99d44a4cfb41b680
- sha256=f464ad5c6aba13b42aa903bda0add7c074d45388da379747c83f2c3756c9b658
- sha256=63f5445527c47e17b71e87eef4dd7a86883607a22830bcee5b1fabc5d03bab38
- sha256=65c9e15d9b916b193ce1d96bb99c1c1f3ade0273270b56cf6e476a21b31a3491
- sha256=7363887b6b0fe7cece3c21ad18515835922379c7d78c47cea745940a1061a6c4
- sha256=40712a087a8280425f1b317e34e265c0329ffb0057be298d519fc5e0af6cb58f
- sha256=69eee36642f274c724fadcfdf1f103ae0fd9b5f4bad7ac6a33b3c627d6114426
- sha256=2d92d24b3abed7acac165b002bd5922f8f17b6e4944e658938fe022902fe6a7e
- sha256=663a7b509db86ca498af57cc458139a76ee07c60d413d60a98921c7e901e0e3d
- sha256=5ec639facb2cb9503059d519790279f1b9f510d8d63a2a2c44637b1d1dd1e538
- sha256=0a7fce4e7456ecb12c95d28b6b4d263d9ca23a1de1e298234a904a319be6e708
- sha256=00877fcfb31fdc23ca6987e569090f761ed414bdee0546bdbd3ce3acc44cc293
- sha256=8d00c97d16e3733feee6b1bc6bd77b8423e0b79a812db55880f5b2d751a4bd47
- sha256=dc7066d972367f15c9b6e2e36a5c643ab87deed958cc27ac0fbf0ff1f4535a99
- sha256=8dd189e390b168bff6caa82d5077f4eda8902c251fe0a0120aa42bd78e56f9bc
- sha256=46785f7e5cd2966d30167cbd496333a5dd871b19e6a2833ab1a4157fc35e8ee5
- sha256=ac13697c19cf0b6767442fc001ca48d0d9e3c9340549d3e73539ea299e27015e
- sha256=32e2d29143f57335c6477dc764350fed13b7e3873fb06491d9863a95b8921e92
- sha256=ffebc5f8fc3a0346f9767c64b5b040d7679e1d3726024e59fe134825e31c8b8c
- sha256=208c335a3cccbdba6b1ec0c76ad3b751c6409712e493c24e2532a389d887e0af
- sha256=a90fd0e3d3be14b92b3dc809ddea9a0cc377b130ebb4c48a8891e4832a85c412
- sha256=fa5a3e215e4970b0c39b6bbfb9425aa6ee4a8bc1359d85f7052d99e663aee333
- sha256=bb9acc2d23afee3265b81326ce65cfddde3fc04648d3ba2d2ea22ec0e3d8f90e
- sha256=5b5a1833d4daaf05699a009316a4d866851130b258f424f066b867a534ba944d
- sha256=9b76d98c2641512c66e8f2f99b2d0bda86ec1a4809420b74feadfb8f4f7dbf48
- sha256=fb4695b45ac62e10f29e9a45c4190dce2fe6af71a96a2bd66e08c1a99416cc7e
- sha256=677b4d9efcfcae9cbbd39b2b2cdc0df69d4a55460814747f60f35ea2e81dad2e
- sha256=2be8ca1e2415b5ca1605977b2ff10ff9aef06e3be7eb39496bb18d3ba7772901
- sha256=1c68ca3ede75946568bb00c39b7054cb2ae4fcbe2805061e38ed15f4d526262c
- sha256=9700f9b614aa87c6137c4325951e59258cdb87f02df7a5ed4f4accea279ede26
- sha256=74111c9b0ed748fc6bfc025d13a2ed08663b988cb69c044f1c6f153f9020294c
- sha256=a61335c10cf98064761806af6451b3cddd66641ccb35a6d8b915a02d6279f46a
- sha256=1527cf10f00c798262b3347c00af8028fee3bc88a450bc2df7766b1118c62cd5
- sha256=5891f4dfa47d5b268c5d82366c312ecda715da91e148afa6064f3058f3c5a69b
- sha256=e33e74e3925bc3f287ef817a186807a38d411524984a5d0930939646022206b0
- sha256=1321fc1eefc3d3f5aae16a81ac139a31beaf2355935d94210abf69253d29b486
- sha256=96d429d67a2663ef2cf3f45ccd0619adf0cd030f7fe70f072af1ce1d67ec52a3
- sha256=22527dd1a62dc46dd4edd23a681657cf4c3477e9f90fb1ef63ef657608b9838c
- sha256=fb50c60c237ea00f29e4876b326f5f8e872f5ad6d1ca7c9925d9b901e573f788
- sha256=de54f8933f81f93652ab824e8f9e660197135e1064f0ca4ca9df8333a7a94e9d
- sha256=47d77499968244911d0179fb858578de00dbb98079e33f5ed5d229d03eb04d67
- sha256=ffd26019b21da5833caf2b6974cbc9ce79d911653cdfbb6e59a8ac7d4cc80f51
- sha256=15cf5271c7b9b8ad22c4c96bc8674d9835e8d419fc1a6077f3b59fbd7e59d112
- sha256=54c4641f709e51622531dc3d04fd2f4a3bad2a42dca287e2777c04d59cbca789
- sha256=d3fb61c0211bd379bf80f15cf072fdbc1187fe95546fdfcfcbdf8918004f05e2
- sha256=35cc327806ae0d760b94a5b3daedea9cdcb2ed0854a484c8ec3cded195e75037
- sha256=896ddb35cde29b51ec5cf0da0197605d5fd754c1f9f45e97d40cd287fb5a2d25
email:

Title: Cato CTRL Threat Research: Suspected Russian Threat Actors Leverage Tigris, Oracle Cloud Infrastructure, and Scaleway to Target Privileged Users with Lumma Stealer
Link: https://www.catonetworks.com/blog/cato-ctrl-suspected-russian-threat-actors/
Summary: Recent investigations reveal that suspected Russian threat actors are using cloud infrastructure, including Tigris Object Storage, Oracle Cloud Infrastructure, and Scaleway, to distribute Lumma Stealer, a malware-as-a-service infostealer targeting Windows systems. The attackers employ social engineering tactics to deceive technically proficient users into executing malicious commands via the Windows Run dialog, utilizing fake reCAPTCHA pages to trick victims. Their evolving methods include DLL hijacking and using living-off-the-land binaries, while previous campaigns combined malvertising and impersonation of trusted platforms, such as mimicking Steam, to facilitate malware distribution. The analysis highlights a strategic use of cloud services for obfuscation and demonstrates the attackers' adaptive tactics, which are supported by embedded Russian comments in the code, providing insights into their origins and motivations without definitive attribution.
Threats: lumma_stealer lolbin_technique dllsearchorder_hijacking_technique dll_hijacking_technique ballista mirai mozi hunters_international
Indicators of compromise:
-------------------------
ip:
domain: my-steamunlocked[.]online, amacys[.]shop, with[.]shop, wq24-1[.]g-site[.]store, fly[.]storage[.]tigris[.]dev, zuroxflweb[.]fly[.]storage[.]tigris[.]dev, wq24-1[.]g-site[.]site
url: https://amacys[.]shop/sports[.]mp4
hash:
- sha256=91747f5254ccddee9de4a01f959236c1d1fda06f6ba2d2664f16dfb9e2db4175
- sha256=fa2ebe7df2fcf7e0b9991d411792e0cb78d149833b2d06102ab34d74ffc4a682
- sha256=1544ee1ab897a791b4c2eeb9a8936e5aae331de1308b08f74aadbc24856c73a2
- sha256=66b8074eb73353ad0a966e4a41016e0e6aa9a9fed697a0f98a1fb65db765a195
email:

Title: Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Documents
Link: https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled
Summary: From January to February 2025, Insikt Group identified a phishing campaign linked to the Russia-aligned threat actor TAG-110, known for its ties to APT28, targeting entities in Tajikistan. This campaign deviated from previous strategies by utilizing macro-enabled Word template files (.dotm) for initial access instead of HTA-based payloads like the HATVIBE malware, allowing for sustained exploitation through placement in the Microsoft Word STARTUP folder. The operation specifically aimed at Tajik government ministries and educational institutions, potentially aligning with significant events such as elections, and exhibited coordinated malicious activities linking back to a common command-and-control infrastructure, indicating a sophisticated evolution in TAG-110's cyber-espionage tactics.
Threats: fancy_bear_group ghostwriter_group hatvibe spear-phishing_technique cherryspy downexpyer logpie pyplunderplug tsunami_botnet
Indicators of compromise:
-------------------------
ip: 38[.]180[.]206[.]61, 188[.]130[.]234[.]189
domain:
url: http://38[.]180[.]206[.]61:80/engine[.]php, http://38[.]180[.]206[.]61/engine[.]php
hash:
- sha256=d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7
- sha256=8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7
- sha256=6ac6a0dd78d2e3f58e95fa1a20b3ab22b4b49a1ab816dcfb32fd6864e1969ac3
- sha256=6c81d2af950e958f4872d3ced470d9f70b7d73bc0b92c20a34ce8bf75d551609
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
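The "Indicators of compromise" blocks above are published defanged (`[.]` instead of `.`) and mix md5, sha1 and sha256 digests in one list, so they cannot be dropped into a blocklist or SIEM lookup as-is. The following script is an added example, not RST Cloud's tooling: it parses a block in the digest's own layout into refanged, structured indicators, rejects digests whose length does not match the declared algorithm (a common transcription error in copied IoC lists), and matches the resulting domains against DNS log lines, including subdomains of a listed domain. The sample block and log lines are constructed for the example (RFC 5737 addresses and reserved `.test`/`.example` names), and the one-label-per-line layout and `- <algo>=<hex>` hash syntax are assumptions about the format rather than anything the page guarantees.

```python
"""Parse the defanged 'Indicators of compromise' blocks used in this digest into
refanged, validated indicators and match them against DNS log lines.

Added example, not RST Cloud tooling. Assumptions not taken from the page:
labels are one per line ('ip:', 'domain:', 'url:', 'hash:', 'email:'), values
are comma-separated, and hashes are written '- <algo>=<hex>'. All sample
indicators and log lines below are constructed (RFC 5737 / reserved names).
"""
import re
from typing import Dict, List

# Expected hex digest length per algorithm seen in the digest's hash lists.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
LABELS = ("ip", "domain", "url", "hash", "email")

LABEL_RE = re.compile(r"^(ip|domain|url|hash|email):\s*(.*)$")
HASH_RE = re.compile(r"(md5|sha1|sha256)=([0-9A-Fa-f]+)")


def refang(value: str) -> str:
    """Undo '[.]' defanging so the indicator can be compared with real log data."""
    return value.replace("[.]", ".")


def parse_ioc_block(block: str) -> Dict[str, list]:
    """Return {'ip': [...], 'domain': [...], 'url': [...], 'email': [...],
    'hash': [{'algo', 'value', 'valid'}, ...]} with every indicator refanged."""
    raw: Dict[str, List[str]] = {label: [] for label in LABELS}
    current = None
    for line in block.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:        # blank line or the '-----' rule
            continue
        m = LABEL_RE.match(line)
        if m:
            current, rest = m.group(1), m.group(2)
        elif current is None:
            continue                               # heading text before the first label
        else:
            rest = line                            # continuation of a wrapped list
        if rest:
            raw[current].append(rest)

    result: Dict[str, list] = {}
    for label in ("ip", "domain", "url", "email"):
        joined = " ".join(raw[label])
        result[label] = [refang(v.strip()) for v in joined.split(",") if v.strip()]

    hashes = []
    for chunk in raw["hash"]:
        for algo, hexval in HASH_RE.findall(chunk):
            hashes.append({
                "algo": algo,
                "value": hexval.lower(),
                # A digest of the wrong length is a transcription error, not an IoC.
                "valid": len(hexval) == HASH_LENGTHS[algo],
            })
    result["hash"] = hashes
    return result


def domain_matches(host: str, domains: List[str]) -> bool:
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_hits(log_lines: List[str], iocs: Dict[str, list]) -> List[str]:
    """Scan constructed DNS-style log lines ('<ts> <client> query <name>') and
    return the queried names that match an indicator domain."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            if domain_matches(parts[3], iocs["domain"]):
                hits.append(parts[3])
    return hits


# Constructed sample block in the digest's layout (not from any report above).
SAMPLE_BLOCK = """Indicators of compromise:
-------------------------
ip: 203[.]0[.]113[.]10, 198[.]51[.]100[.]7:8080
domain: malware-example[.]test, cdn[.]malware-example[.]test
url: https://malware-example[.]test/update[.]zip
hash: - sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef, - md5=0123456789abcdef0123456789abcdef, - sha1=0123456789abcdef
email:
"""

# Constructed DNS log lines: a benign query, a subdomain hit, and a look-alike
# that only starts with the indicator and must not match.
SAMPLE_LOGS = [
    "2025-05-26T10:00:01Z 10.0.0.5 query www.example.com",
    "2025-05-26T10:00:02Z 10.0.0.5 query cdn.malware-example.test",
    "2025-05-26T10:00:03Z 10.0.0.9 query malware-example.test.evil.example",
]

if __name__ == "__main__":
    parsed = parse_ioc_block(SAMPLE_BLOCK)
    for h in parsed["hash"]:
        print(h["algo"], h["value"][:16] + "...", "ok" if h["valid"] else "BAD LENGTH")
    print("hits:", find_hits(SAMPLE_LOGS, parsed))
```

Two design points matter in practice: hashes are lower-cased and length-checked before use, because a truncated or mis-copied digest silently matches nothing, and the domain match requires a dot boundary, so a listed domain that merely appears as a prefix of another name (the third log line) is not reported as a hit.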