This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 57 threat intelligence reports and compiled a brief summary of each, along with the relevant extracted metadata. Below you will find a short summary of 10 reports, the related threats, tools and threat actors, a link to the source, and a number of indicators of compromise (IoCs) extracted from the original reports. More granular information on all reports, including TTPs, is available via RST Report Hub.

Title: Operation FishMedley
Link: https://www.welivesecurity.com/en/eset-research/operation-fishmedley/
Summary: ESET researchers have uncovered the activities of the FishMonger APT group, linked to the Chinese contractor I-SOON, which has run global espionage campaigns against governments and NGOs since 2016. The US Department of Justice has indicted several I-SOON employees in connection with these efforts. The group uses multiple malware families, including ShadowPad, SodaMaster and Spyder, together with advanced malware-delivery techniques and watering-hole attacks.
Key highlights include the use of compromised high-privilege accounts for lateral movement, a new implant named RPipeCommander deployed alongside Spyder, and evidence of a mature command-and-control infrastructure, pointing to an operational framework that keeps evolving with the group's capabilities.
Threats: fishmedley_campaign earth_lusca_group i-soon_leak_campaign shadowpad spyder sodamaster rpipecommander fscan_tool nbtscan_tool spyder_loader dll_sideloading_technique credential_dumping_technique minidump_tool impacket_tool winnti_group watering_hole_technique cobalt_strike biopass_rat funnyswitch_backdoor sprysock lolbin_technique sparklinggoblin_group homoglyph_technique stone_panda_group
Indicators of compromise:

Title: The Shelby Strategy
Link: https://www.elastic.co/security-labs/the-shelby-strategy
Summary: The REF8685 operation reveals key details of the SHELBY malware family, which uses GitHub for command and control in order to evade detection. It was discovered through a phishing campaign targeting employees of an Iraqi telecommunications firm: SHELBY enters a system via a weaponized attachment that installs a benign application, which is then used to load a malicious DLL.
The malware incorporates anti-sandboxing checks to avoid running in monitored environments, establishes persistence by modifying the Windows Registry, and communicates with its C2 through an unconventional channel built on GitHub commits, an approach that carries significant risks of exposure. Its backdoor functionality collects system data and executes commands fetched from the repository, indicating a flexible and coordinated operation. The analysis highlights the sophistication of the actor's tactics and the ongoing evolution of SHELBY, suggesting an increased potential for future attacks.
Threats: shelby ref8685_group seth_locker shelbyc2 shelbyloader de4dot_tool
Indicators of compromise:

Title: The Long and Short(cut) of It: KoiLoader Analysis
Link: https://www.esentire.com/blog/the-long-and-shortcut-of-it-koiloader-analysis
Summary: KoiLoader is a malware loader delivered through a spam campaign: the emails carry a link to a ZIP file containing a shortcut that exploits a Windows vulnerability. Once executed, KoiLoader downloads additional malicious JScript files, creates a scheduled task for persistence, and opens a command-and-control channel over HTTP POST requests, which it uses to harvest sensitive data. The loader employs several evasion techniques, such as checking for virtual environments and using a mutex to prevent concurrent instances, ensuring continued access and operational stealth for the threat actor.
Threats: koiloader uac_bypass_technique icmluautil_tool koi_stealer lolbin_technique process_injection_technique
Indicators of compromise:

Title: Arsenal Expansion: Shedding Zmiy uses the PUMA rootkit in new attacks
Link: https://rt-solar.ru/solar-4rays/blog/5400/
Summary: In late 2024, the cybercriminal group Shedding Zmiy was investigated after an IT company reported connections to a command-and-control server attributed to the group, revealing an advanced toolkit that includes the PUMA rootkit and the Bulldog backdoor. PUMA operates at the Linux kernel level, hiding processes and escalating privileges, and can execute commands while staying stealthy by replacing legitimate system files. The analysis traced the group's activity back to August 2023 and showed a marked increase in operations by November 2023, when the group exploited system vulnerabilities, used SSH access, and abused legitimate services to control compromised systems, highlighting the advanced and evolving nature of the threat.
Threats: shedding_zmiy_group pumakit pumatsune kitsune gsocket_tool netstat_tool bulldog_backdoor gored megatsune zarya_group powershell_shell_tool teleport_tool
Indicators of compromise:

Title: Application from Head Mare: new targeted mailing with the PhantomPyramid backdoor
Link: https://securelist.ru/head-mare-attacks-with-phantompyramid/112164/
Summary: In March, a notable threat was identified targeting Russian industrial enterprises through a malicious mailing whose attachment was named Application_redacted_5_03.zip. The file used a polyglot technique: it appears to be a harmless ZIP archive but actually contains a Python-based backdoor that allows remote command execution and the download of additional malicious components. The attack, which affected around 800 users across various organizations, was linked to the Awaken Likho group and involved the legitimate tool MeshAgent, suggesting infrastructure shared with other threat campaigns.
The incident highlights the evolving tactics of the attackers, who keep introducing new techniques and methods, indicating a dynamic threat landscape.
Threats: head_mare_group polyglot_technique meshagent meshcentral_tool core_werewolf_group phantomjitter
Indicators of compromise:

Title: From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025
Link: https://www.intrinsec.com/wp-content/uploads/2025/03/TLP-CLEAR-From-espionage-to-PsyOps-Tracking-operations-and-infrastructure-of-UACs-in-2025-EN-1.pdf
Summary: The Russia-aligned threat groups UAC-0050 and UAC-0006 are actively running financially motivated and espionage-driven operations, primarily against Ukrainian entities in government, defense, energy and the NGO sector. The Cyber Incident Response Centre of Ukraine has identified both groups as prominent threats: UAC-0050 is linked to the "Fire Cells Group" and known for its sophisticated malware and rapid financial theft, such as illicit bank transactions carried out within an hour, while UAC-0006 has a history of targeting Ukrainian financial systems through phishing attacks that deploy the SmokeLoader malware.
Both groups rely on bulletproof hosting services and legitimate offshore companies to obscure their operations, revealing a threat landscape that combines espionage, financial crime and psychological operations.
Threats: uac-0050_group ostap_loader remcos_rat lite_manager_tool netsupportmanager_rat uac-0006_group blackbasta cactus_ransomware ransomhub gamaredon_group systembc smokeloader hvnc_tool lockbit tusk_campaign putty_tool motw_bypass_technique doppelgnger_campaign noname057_group ddosia_botnet cactus_group cyclops_ransomware qakbot danabot tycoon_2fa storm-1747_group sectop_rat lumma_stealer mars_stealer darktrack_rat socgholish_loader pandora spear-phishing_technique smuggling_technique process_injection_technique
Indicators of compromise:

Title: A Deep Dive into Water Gamayun's Arsenal and Infrastructure
Link: https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html
Summary: Water Gamayun, a suspected Russian threat actor, is exploiting a zero-day vulnerability in the Microsoft Management Console (CVE-2025-26633) to deploy a range of malicious payloads and exfiltrate sensitive data.
Using custom payloads and techniques such as the IntelliJ process launcher to run PowerShell commands, the actor deploys several backdoors, including SilentPrism, which maintains persistence through system modifications, and DarkWisp, which focuses on reconnaissance and data collection. Water Gamayun also uses modified versions of the EncryptHub Stealer to gather sensitive information, frequently moving its command-and-control infrastructure to new dynamic domains to evade detection and applying obfuscation techniques to its malware.
Threats: encrypthub_group eviltwin_technique silentprism darkwisp lolbin_technique stealc rhadamanthys hvnc_tool kematian_stealer somali_devs_actor lumma_stealer amadey typosquatting_technique anydesk_tool agent_tesla encryptrat antivm_technique
Indicators of compromise:
md5=3371da6397159dbced2794c12aeb80c6, sha256=899d0b75e7eb3250246f709ad8aa32a8634f536153a3d2eaa3b5a9d9c2690168, sha1=291ed2eb864c95ba5495ca415efd1b071362ec7b, - sha256=49a552d3adbcad9f5ac70151b48a4edc2ae1d4094a1ea9d944785cee8b4319d7, sha1=d63a8c0a00fb1c68450da7cc19a08a6ed96791dc, md5=1c34b88280d660051b69ccb40660e71femail:Title: YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware AttacksLink: https://www.cloudsek.com/blog/youtube-creators-under-siege-again-clickflix-technique-fuels-malware-attacksSummary: The Clickflix campaign is a targeted malware threat primarily aimed at YouTube creators, utilizing social engineering tactics to deceive victims into executing harmful PowerShell scripts via phishing emails disguised as legitimate collaboration offers. The attackers employ crafted email content that leads victims to interact with fake Microsoft web pages, ultimately triggering obfuscated scripts that install Lumma Stealer malware. This malware is capable of exfiltrating sensitive data, including browser credentials and cryptocurrency wallet information, by connecting to various Command and Control (C2) servers and targeting data stored in popular web browsers.Threats: clickflix spear-phishing_technique lumma_stealer dns_tunneling_techniqueIndicators of compromise:-------------------------ip: 104[.]78[.]173[.]167, 172[.]67[.]199[.]240domain: flowers[.]what-is-game[.]xyz, cat-watches-site[.]xyz, cdn[.]findfakesnake[.]xyz, cdn[.]cart-newlocate[.]xyzurl: https://drive[.]google[.]com/file/d/1nm7Ch8qGMsd4yxSa9vUAGdQliC6zine1/view?pli=1, https://onedrive[.]office-edit[.]com/readinghash: - sha1=db09c5d403ea51f17baf53434e022aefddd4de93, md5=aa1c717fc5d58feecce6337b834a5c6b, sha256=cace23a661e2792804416147df9dcf3ef59ebf56cfaf9c20d0813aa5f0d95613email:Title: TURNING AID INTO ATTACK: EXPLOITATION OF PAKISTANS YOUTH LAPTOP SCHEME TO TARGET INDIALink: 
https://www.cyfirma.com/research/turning-aid-into-attack-exploitation-of-pakistans-youth-laptop-scheme-to-target-india/
Summary: CYFIRMA reports on APT36 (Transparent Tribe), a Pakistan-based advanced persistent threat group active since 2013 that targets Indian government entities, the military and educational institutions. The group set up a fraudulent website mimicking India Post to distribute malware. Android visitors are served an application posing as a casino app that harvests bank details through a web view and registers itself to run again after device reboots so that it persists. Windows visitors are served a ClickFix-style lure that copies a PowerShell command to the clipboard and prompts the user to paste and run it, leading to system compromise. The report notes APT36's use of diverse malware strains and spear-phishing, with operations consistently focused on espionage against India's critical sectors.
Threats: transparenttribe_group clickfix_technique sidecopy_campaign spear-phishing_technique crimson_rat poseidon elizarat
Indicators of compromise:
-------------------------
ip: 88[.]222[.]245[.]211
domain: email[.]gov[.]in[.]gov-in[.]mywire[.]org, postindia[.]site
url:
hash:
- sha256=cbf74574278a22f1c38ca922f91548596630fc67bb234834d52557371b9abf5d
- sha256=287a5f95458301c632d6aa02de26d7fd9b63c6661af331dff1e9b2264d150d23
email:

Title: RedCurl’s Ransomware Debut: A Technical Deep Dive
Link: https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive
Summary: Bitdefender's analysis documents a shift in RedCurl's tactics from corporate cyber espionage to deploying a previously undocumented ransomware, QWCrypt. Rather than encrypting individual endpoints, the campaign targets hypervisors. Initial access relies on spear-phishing with IMG file attachments whose DLL-side-loading chain abuses legitimate signed binaries and built-in Windows tooling. The ransomware binary, rbcw.exe, uses batch scripts to disable security software and encrypts files with XChaCha20-Poly1305, encrypting only part of each file to keep the operation fast and inconspicuous. Notably, RedCurl has shown none of the usual extortion behaviour: no public ransom demands and no observed data exfiltration. This suggests a mercenary model aimed at private negotiation rather than overt extortion and leaves the group's motivation and future operations an open question.
Threats: red_wolf_group wmiexec_tool shadow_copies_delete_technique cobra lolbin_technique qwcrypt spear-phishing_technique dll_sideloading_technique chisel_tool byovd_technique upx_tool lockbit hardbit
Indicators of compromise:
-------------------------
ip:
domain: fall[.]dropconnect[.]workers[.]dev
url: https://my[.]powerfolder[.]com/webdav/utils/elzp[.]txt, https://mia[.]nl[.]tab[.]digital/remote[.]php/dav/files
hash:
- md5=a806df529a111fb453175ecdcb230d96
- md5=f19542732c33f1b908365df02a86105c
- md5=fde874e8d442e3f0469b3d2f86a45739
- md5=bc469bcdb585d8e6576fc664a6404a82
- md5=ab2d6846430b8ea18fc08cb7804fce99
- md5=e58e5afa9a94ba474e465dbf919d2c51
- md5=fd3fd2f6cde9e38e92433c152892c03d
- md5=d00c86ea42958f919c702a9a416a24ce
- md5=ca1b05b97e934511a76a744b53b8eb92
- md5=27927a73b8273dc796ddfc309ec8ecaf
- md5=6495356afd05dbf8661af13ef72ab887
- md5=c41957f965f8c38b6cedf44b62b09298
- md5=09735d305b7d6f071173fe3b62b46d9e
- md5=4154c3553656e94575aeb7183969bfa0
- md5=5f2c5f7620b74d183e206817b723b555
- md5=8d56ac580c06baac327613202fdbf5eb
- md5=add1bfb2d4b4ad083dcee40d61a12780
- md5=9f7b1afce9c8c7d9282c5e791c69e369
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
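Every IoC block in this digest shares one layout: defanged ip, domain and url fields, and a hash field whose "- " segments each describe one sample (a segment may carry several digests of the same file). Before these go into a SIEM watchlist they have to be refanged and sanity-checked, because a copy-paste error in a digest label or a truncated hash silently produces an indicator that will never match. The Python below is an added example written for this review, not RST Cloud or vendor code. It parses a block in the digest's layout (the sample values are constructed placeholders, not indicators from any of the reports above), validates each entry, rejects malformed ones such as a digest whose length does not match its label, and flattens the result into (type, value) pairs for import.

```python
"""Parse the defanged IoC blocks used in this digest into validated, refanged records."""
import ipaddress
import re
from dataclasses import dataclass, field

# Hex length -> digest algorithm, as the digest labels them (md5/sha1/sha256).
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HASH_RE = re.compile(r"(md5|sha1|sha256)=([0-9a-fA-F]+)")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample in the digest's own layout; none of these values come from a real report.
# It deliberately contains an invalid IP and a "sha1" that is only 32 hex chars long.
SAMPLE_BLOCK = """Indicators of compromise:
-------------------------
ip: 192[.]0[.]2[.]10, 198[.]51[.]100[.]7, 300[.]1[.]1[.]1
domain: flowers[.]example[.]test, cdn[.]example[.]test
url: hxxps://drive[.]example[.]test/file/d/abc123/view?pli=1, hxxp://203[.]0[.]113[.]9/log[.]dll
hash: - sha256=0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0, - md5=00112233445566778899aabbccddeeff, sha256=ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100, sha1=0123456789abcdef0123456789abcdef01234567, - sha1=deadbeefdeadbeefdeadbeefdeadbeef
email:
"""


@dataclass
class IocSet:
    ips: list = field(default_factory=list)
    domains: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    hashes: list = field(default_factory=list)    # one dict per sample, e.g. {"md5": ..., "sha256": ...}
    emails: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (field, raw value, reason) for anything that failed validation


def refang(value: str) -> str:
    """Undo the bracket defanging the digest uses: 1[.]2[.]3[.]4, hxxp[:]//..."""
    value = value.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


def _items(rest: str) -> list:
    """Split a ', '-separated field, dropping empty entries (an empty 'url:' field yields [])."""
    return [v.strip() for v in re.split(r",\s+", rest) if v.strip()]


def parse_ioc_block(text: str) -> IocSet:
    out = IocSet()
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if not sep:
            continue  # the dashed separator line, or free text
        key = key.strip().lower()
        if key == "ip":
            for raw in _items(rest):
                try:
                    out.ips.append(str(ipaddress.ip_address(refang(raw))))
                except ValueError:
                    out.rejected.append(("ip", raw, "not an IP address"))
        elif key == "domain":
            for raw in _items(rest):
                d = refang(raw).lower()
                if DOMAIN_RE.match(d):
                    out.domains.append(d)
                else:
                    out.rejected.append(("domain", raw, "not a hostname"))
        elif key == "url":
            for raw in _items(rest):
                u = refang(raw)
                if re.match(r"^https?://\S+$", u):
                    out.urls.append(u)
                else:
                    out.rejected.append(("url", raw, "not an http(s) URL"))
        elif key == "hash":
            # Each "- " segment is one sample; a segment may list several digests of that sample.
            for seg in re.split(r"(?:^|\s)-\s*", rest.strip()):
                record = {}
                for algo, hexval in HASH_RE.findall(seg):
                    if HASH_LEN.get(len(hexval)) != algo:
                        out.rejected.append(("hash", f"{algo}={hexval}", "length does not match algorithm"))
                        continue
                    record[algo] = hexval.lower()
                if record:
                    out.hashes.append(record)
        elif key == "email":
            for raw in _items(rest):
                e = refang(raw).lower()
                if EMAIL_RE.match(e):
                    out.emails.append(e)
                else:
                    out.rejected.append(("email", raw, "not an e-mail address"))
    return out


def flatten(iocs: IocSet) -> list:
    """Deduplicated, sorted (type, value) pairs ready for a SIEM watchlist or blocklist import."""
    pairs = {("ip", v) for v in iocs.ips} | {("domain", v) for v in iocs.domains}
    pairs |= {("url", v) for v in iocs.urls} | {("email", v) for v in iocs.emails}
    for record in iocs.hashes:
        pairs |= {(algo, h) for algo, h in record.items()}
    return sorted(pairs)


if __name__ == "__main__":
    parsed = parse_ioc_block(SAMPLE_BLOCK)
    for kind, value in flatten(parsed):
        print(f"{kind}\t{value}")
    for item in parsed.rejected:
        print("rejected:", item)
```

Run against the constructed block, the parser keeps two IPs, two domains, two URLs and two samples (one with a single sha256, one with md5, sha256 and sha1), and lists the 300.x address and the 32-character "sha1" under rejected rather than letting them into the watchlist. Feeding it the blocks above is a matter of pasting each "Indicators of compromise" section in place of SAMPLE_BLOCK; the refanged output is what you would load into a SIEM, so keep the defanged form for anything that is shared by e-mail or chat.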